AZ-104 — Questions 901–975

1170 questions total · 16 pages · All types, answers revealed

Page 13 of 16

901
Matching (hard)

Match each NSG or ASG scenario to the most accurate Azure security behavior.

Matches

The priority 200 deny is evaluated first and blocks the flow.

The destination NIC must be added to ASG-Api for the rule to match.

The service tag does not represent the workstation's IP; a rule for the real source or a VPN path is needed.

NSGs are stateful, so the return traffic is allowed automatically.

The lower-number deny rule wins because NSGs stop at the first matching rule.

Why these pairings

NSGs filter traffic at subnet or NIC level, while ASGs group VMs for scalable rule application. Service tags simplify rules for Azure services.

902
MCQ (medium)

A network engineer wants device logs from routers and switches sent to a central server for long-term retention and analysis. Which service should be configured?

A. NTP
B. DNS
C. Syslog
D. NetFlow
Answer: C

Syslog provides centralized event logging.

Why this answer

Syslog is the standard protocol for sending device logs (e.g., from routers and switches) to a central server for long-term retention and analysis. It operates over UDP port 514 (or TCP 6514 for reliable delivery) and allows network devices to forward event messages to a syslog collector, which can store, filter, and analyze them. This directly meets the requirement for centralized logging and analysis.

Exam trap

The trap here is confusing NetFlow with syslog — both involve network data, but NetFlow is for traffic flow statistics (e.g., who talked to whom, how much bandwidth), not for device event logs, so candidates often pick NetFlow thinking it covers 'analysis' without realizing it doesn't handle log messages.

Why the other options are wrong

A

NTP (Network Time Protocol) is used for synchronizing the clocks of network devices, not for collecting or sending logs. Therefore, it does not fulfill the requirement of sending device logs for analysis.

B

DNS (Domain Name System) is used for resolving domain names to IP addresses and does not facilitate the collection or centralization of device logs from routers and switches.

D

NetFlow is primarily used for monitoring and analyzing network traffic flows rather than collecting device logs. It does not provide the capability to send logs from routers and switches to a central server for retention and analysis.

903
MCQ (hard)

A Windows VM must install IIS after provisioning and then run a script that registers the server with an internal API by using the VM's managed identity. The same steps must run automatically whenever the VM is deployed from Bicep. What should be added to the deployment?

A. A read-only resource lock on the VM resource group
B. A Custom Script Extension on the VM
C. An availability set containing the VM
D. A proximity placement group for the VM
Answer: B

The Custom Script Extension runs scripted configuration during deployment and is suitable for post-provisioning setup.

Why this answer

The Custom Script Extension (CSE) is the correct choice because it allows you to run PowerShell or Bash scripts on an Azure VM after provisioning, enabling the installation of IIS and execution of a registration script that leverages the VM's managed identity. Since the requirement specifies that these steps must run automatically whenever the VM is deployed from Bicep, the CSE can be declared as a resource in the Bicep template, ensuring it executes on every deployment. This directly addresses the need for post-deployment configuration without manual intervention.

Exam trap

The trap here is that candidates often confuse resource locks or availability sets with automation capabilities, mistakenly thinking they can trigger scripts, when in reality only extensions like Custom Script Extension or Desired State Configuration can perform post-deployment configuration tasks.

How to eliminate wrong answers

Option A is wrong because a read-only resource lock prevents modifications or deletions of the resource group but does not execute any scripts or install software on the VM. Option C is wrong because an availability set is a logical grouping for high availability across fault and update domains, not a mechanism for running post-deployment scripts. Option D is wrong because a proximity placement group reduces network latency between VMs by ensuring they are physically close, but it has no capability to install IIS or run scripts.

904
MCQ (medium)

An employee accidentally deletes a critical document from an Azure file share. You need to restore only that file to its earlier state without restoring the entire share or using a vault-based backup job. Which feature should you use?

A. A file share snapshot, because it captures a point-in-time copy of the share for granular recovery.
B. A storage account access key, because it can retrieve deleted files from any share version.
C. An Azure VM snapshot, because it captures the file share state automatically.
D. A private endpoint to the file share, because it enables restore operations.
Answer: A

A snapshot is the right recovery tool when you need a point-in-time copy of an Azure file share and want to restore only a specific file. It allows granular recovery without rolling back the entire share, which keeps the impact small and the process simple. This is a common operational use of Azure Files snapshots.

Why this answer

File share snapshots are point-in-time, read-only copies of Azure file shares that allow you to recover individual files or folders without restoring the entire share. When a file is accidentally deleted, you can mount a previous snapshot, copy the deleted file from it, and restore it to the live share—no vault-based backup job or full share restore required.

Exam trap

The trap here is that candidates confuse file share snapshots with Azure Backup (vault-based recovery) or assume that access keys or private endpoints can somehow restore deleted files, when in fact only snapshots provide the granular, point-in-time restore capability for individual files.

How to eliminate wrong answers

Option B is wrong because a storage account access key provides full administrative access to the storage account but cannot retrieve deleted files from a previous version; it does not create or restore snapshots. Option C is wrong because an Azure VM snapshot captures the entire VM's disk state, not the file share data; it is unrelated to file-level recovery in Azure Files. Option D is wrong because a private endpoint secures network traffic to the file share via a private IP address but has no capability to restore deleted files or manage snapshots.

905
MCQ (medium)

A team manages 20 web VMs and 15 app VMs that scale independently. The administrator needs an NSG rule that allows only the web tier to reach the app tier on TCP 8443, and future VM additions must be included automatically without editing IP addresses. What should the administrator use in the NSG rule?

A. A source application security group for the web tier and a destination application security group for the app tier.
B. A service endpoint on the subnet where the app VMs are deployed.
C. A user-defined route between the web subnet and app subnet.
D. A load balancer backend pool for both tiers.
Answer: A

Application security groups let you group VMs by function rather than by individual IP addresses. An NSG rule can reference a source ASG and a destination ASG, so newly added web or app VMs are automatically governed as long as they are added to the correct ASG. This is ideal for scalable tier-to-tier access control.

Why this answer

Application security groups (ASGs) allow you to define network security rules based on logical groupings of VMs, regardless of their IP addresses. By assigning the web tier VMs to a source ASG and the app tier VMs to a destination ASG, the NSG rule automatically includes any new VMs added to those groups, meeting the requirement for dynamic inclusion without manual IP edits.

Exam trap

The trap here is that candidates often confuse ASGs with network security groups (NSGs) themselves or think that service endpoints or UDRs can provide application-layer filtering, when in fact only ASGs enable IP-agnostic, dynamic grouping for NSG rules.

How to eliminate wrong answers

Option B is wrong because a service endpoint extends your virtual network to Azure services (e.g., Azure SQL, Storage) over a direct connection, not for VM-to-VM traffic filtering. Option C is wrong because a user-defined route (UDR) controls traffic routing between subnets, not access control; it cannot filter traffic based on protocol or port like an NSG rule. Option D is wrong because a load balancer backend pool distributes incoming traffic to VMs for load balancing and high availability, but it does not enforce network security rules or automatically include new VMs in access control policies.

906
MCQ (medium)

A VM in a subnet must send traffic to 10.50.0.0/16 through an on-premises VPN gateway, while all other destinations should use the Internet. Which route should be added to the subnet's route table?

A. Destination 10.50.0.0/16 with next hop type Virtual network gateway.
B. Destination 0.0.0.0/0 with next hop type Virtual network gateway.
C. Destination 10.50.0.0/16 with next hop type Service endpoint.
D. Destination 10.50.0.0/16 with next hop type Internet.
Answer: A

This specific route overrides the default system route only for the on-premises prefix.

Why this answer

Option A is correct because the VM needs to send traffic destined for 10.50.0.0/16 through the on-premises VPN gateway. Adding a user-defined route (UDR) with destination 10.50.0.0/16 and next hop type 'Virtual network gateway' forces that specific traffic to be routed over the VPN tunnel, while the default route (0.0.0.0/0) to the Internet remains unchanged, allowing all other traffic to egress via the Internet.

Exam trap

The trap here is that candidates often confuse the default route (0.0.0.0/0) with a specific destination route, mistakenly thinking that forcing all traffic through the VPN gateway is required, when only the specific on-premises network range needs to be routed that way.

How to eliminate wrong answers

Option B is wrong because setting destination 0.0.0.0/0 with next hop type Virtual network gateway would force all internet-bound traffic through the VPN gateway, which contradicts the requirement that all other destinations should use the Internet. Option C is wrong because Service endpoint next hop type is used for routing traffic to Azure service endpoints (e.g., Azure Storage, SQL) over the Microsoft backbone, not for directing traffic to an on-premises network via VPN. Option D is wrong because next hop type Internet would route 10.50.0.0/16 traffic to the public internet, which would not reach the on-premises network and would bypass the VPN gateway entirely.

907
MCQ (easy)

A Windows VM must install an agent and copy a configuration file automatically after provisioning. The administrator wants Azure to run the setup step without logging into the VM manually. Which feature should be used?

A. Boot diagnostics
B. VM extension
C. Managed disk encryption
D. Availability set
Answer: B

VM extensions are designed to perform post-deployment configuration tasks on Azure VMs. A custom script extension can install software, run commands, and place files on the machine without requiring the administrator to sign in manually. This makes it a practical choice for first-boot setup, configuration hardening, and lightweight automation tasks.

Why this answer

VM extensions are the correct Azure feature to automatically install agents and apply configurations during or after provisioning without manual login. The Custom Script Extension (CSE) specifically can execute a PowerShell or Bash script to install the agent and copy the configuration file, running as a post-deployment task via Azure Resource Manager (ARM) templates, Azure CLI, or PowerShell.

Exam trap

The trap here is that candidates confuse Boot diagnostics (which is for troubleshooting) with a feature that can run scripts, or assume that Managed disk encryption or Availability sets can perform automated setup tasks, when only VM extensions are designed for post-deployment configuration and software installation.

How to eliminate wrong answers

Option A is wrong because Boot diagnostics captures serial console output and screenshots for troubleshooting boot failures, not for executing post-provisioning setup scripts. Option C is wrong because Managed disk encryption (Azure Disk Encryption) uses BitLocker or DM-Crypt to encrypt OS/data disks, not to install agents or copy configuration files. Option D is wrong because an Availability set is a logical grouping of VMs to protect against rack-level failures and provide higher SLA, not a mechanism for running setup steps.

908
Multi-Select (hard)

An application runs on two identical VMs in a region that does not support availability zones. The app must keep running through planned maintenance and a single hardware fault, and the team does not want to add a second region. Which two deployment choices are appropriate? Select two.

Select 2 answers
A. Place the VMs in an availability set.
B. Use a standard virtual machine scale set in the same region.
C. Put both VMs in the same fault domain to simplify patching.
D. Deploy the workload in availability zones anyway.
E. Use a second Azure region for the primary failover design.
Answers: A, B

An availability set spreads VMs across fault and update domains within the same datacenter scale unit, which protects against planned maintenance and single hardware failures. That matches the region’s lack of zones and the no-second-region requirement.

Why this answer

A is correct because an availability set distributes VMs across multiple fault domains (up to 3) and update domains (up to 20) within the same datacenter. This ensures that during planned maintenance (update domain isolation) or a hardware fault (fault domain isolation), at least one VM remains available, meeting the requirement without needing availability zones or a second region.

Exam trap

The trap here is that candidates might think an availability set is only for legacy scenarios, but it is the correct choice when availability zones are not supported, and a scale set is also valid because it inherently provides fault and update domain isolation without requiring zones.

909
MCQ (easy)

An operations team wants to deploy the same set of Azure VMs every month from source control. The deployment should be readable, repeatable, and stored as code. What should they use?

A. Bicep template
B. Manual portal deployment
C. Azure Advisor recommendation
D. Azure Resource Explorer
Answer: A

Bicep is a declarative infrastructure-as-code language that is easier to read than raw ARM JSON. It is well suited for storing deployment definitions in source control and reusing them consistently across environments. Because it compiles to ARM templates, it still uses the Azure-native deployment engine while improving maintainability.

Why this answer

Bicep is a domain-specific language (DSL) that uses declarative syntax to deploy Azure resources as code. It provides readability, repeatability, and version control integration, making it ideal for deploying the same set of VMs monthly from source control. Unlike ARM templates, Bicep offers cleaner syntax and modularity, but both are valid infrastructure-as-code solutions.

Exam trap

The trap here is that candidates may confuse Azure Advisor (a recommendation engine) or Resource Explorer (a read-only browser) with deployment tools, or assume manual portal deployment is acceptable despite the explicit 'stored as code' requirement.

How to eliminate wrong answers

Option B is wrong because manual portal deployment is not repeatable, not stored as code, and introduces human error, violating the requirements for readability and source control. Option C is wrong because Azure Advisor provides optimization recommendations (e.g., cost, performance) but cannot deploy or manage infrastructure as code. Option D is wrong because Azure Resource Explorer is a read-only tool for browsing existing resources and their properties; it cannot create or deploy new resources.

910
Multi-Select (easy)

A finance team stores documents in Azure Storage. The account must survive a failure of one availability zone in the primary region and also remain available if the primary region becomes unavailable. Which two replication options meet this requirement? Select two.

Select 2 answers
A. LRS, because it keeps copies only within one datacenter and does not provide zone or geo protection.
B. ZRS, because it replicates across zones in one region but does not add secondary-region replication.
C. GZRS, because it combines zone redundancy in the primary region with geo-replication to a secondary region.
D. RA-GZRS, because it provides the same protection as GZRS and also allows read access to the secondary region.
E. RA-GRS, because it allows reading from the secondary region but does not use zone-redundant storage in the primary region.
Answers: C, D

GZRS is designed for both requirements: zone resilience in the primary region and geo-replication for regional recovery.

Why this answer

Option C (GZRS) is correct because it provides both zone-redundant storage (ZRS) within the primary region, ensuring survival of an availability zone failure, and geo-replication (GRS) to a secondary region, ensuring availability if the entire primary region becomes unavailable. This meets both requirements of the question.

Exam trap

The trap here is that candidates often overlook the requirement to survive a zone failure and focus only on regional disaster recovery, leading them to pick RA-GRS (which lacks zone redundancy) or ZRS (which lacks geo-replication).

911
Multi-Select (easy)

A security team wants platform logs from a storage account sent for long-term retention and later analysis. Which three destinations can an Azure diagnostic setting send data to? Select three.

Select 3 answers
A. A Log Analytics workspace
B. A storage account
C. An Event Hub
D. A Recovery Services vault
E. An availability zone
Answers: A, B, C

A workspace stores logs and makes them searchable with KQL queries.

Why this answer

Azure Diagnostic Settings can stream platform logs and metrics to three destinations: a Log Analytics workspace for query-based analysis, a storage account for archival and long-term retention, and an Event Hub for real-time ingestion into SIEM or third-party tools. This is defined in the Azure Monitor diagnostic settings configuration, which supports these three outputs natively.

Exam trap

The trap here is that candidates may confuse a Recovery Services vault (used for backup) with a Log Analytics workspace or storage account, or mistakenly think availability zones can store log data, when in fact they are purely a high-availability construct.

912
MCQ (easy)

A developer has the Reader role assigned at the subscription scope. Later, the developer is assigned Contributor at the RG-Web resource group scope. Which permission is inherited by a storage account inside RG-Web?

A. Only the Reader role from the subscription scope is inherited by the storage account.
B. The Contributor role from RG-Web is inherited by the storage account.
C. Neither role is inherited because storage accounts require a direct assignment.
D. Both roles are merged into a new custom role automatically.
Answer: B

Permissions assigned at the resource group scope are inherited by resources in that group.

Why this answer

In Azure RBAC, role assignments are inherited from higher scopes down to lower scopes. The Contributor role assigned at the RG-Web resource group scope is inherited by every resource in that resource group, including the storage account. The Reader role from the subscription scope is inherited as well; because effective permissions are the union of all assignments, the broader Contributor permissions apply to the storage account.

Therefore, the storage account effectively has Contributor permissions.

Exam trap

The trap here is that candidates often think only the most specific scope (resource group) applies and forget that roles from higher scopes (subscription) are also inherited, leading them to incorrectly choose Option A.

How to eliminate wrong answers

Option A is wrong because it ignores that the Contributor role assigned at the resource group scope is also inherited by the storage account, not just the Reader role from the subscription. Option C is wrong because Azure RBAC roles are inherited by child resources; storage accounts do not require a direct assignment and automatically inherit roles from their parent resource group. Option D is wrong because Azure RBAC does not automatically merge roles into a custom role; instead, effective permissions are the union of all assigned roles, with the most permissive role granting the highest level of access.

913
MCQ (easy)

A finance team stores monthly reports in Azure Blob Storage. The data must remain available if one datacenter in the Azure region fails, but the company does not need read access from a secondary region. Which redundancy option should the administrator choose?

A. Locally redundant storage (LRS)
B. Zone-redundant storage (ZRS)
C. Geo-redundant storage (GRS)
D. Read-access geo-redundant storage (RA-GRS)
Answer: B

ZRS stores replicas across availability zones in the same region, which matches this availability requirement.

Why this answer

Zone-redundant storage (ZRS) replicates data synchronously across three Azure availability zones within a single region, ensuring durability even if one datacenter (zone) fails. Since the requirement specifies no need for read access from a secondary region, ZRS meets the high-availability need without the cost or complexity of geo-replication.

Exam trap

The trap here is that candidates often choose GRS or RA-GRS because they assume any datacenter failure requires a secondary region, but ZRS within a single region is sufficient and more cost-effective when only one datacenter (zone) fails and secondary read access is not needed.

How to eliminate wrong answers

Option A is wrong because locally redundant storage (LRS) replicates data only within a single datacenter, so a full datacenter failure would cause data loss. Option C is wrong because geo-redundant storage (GRS) replicates data to a secondary region, which is unnecessary and more expensive given the requirement does not need secondary region read access. Option D is wrong because read-access geo-redundant storage (RA-GRS) adds read access to the secondary region, which is explicitly not required and incurs additional cost.

914
MCQ (medium)

An operations team wants all internet-bound traffic from a workload subnet to pass through a network virtual appliance at 10.1.0.4 for inspection. Which next hop type should be used in a user-defined route for destination 0.0.0.0/0?

A. Internet
B. Virtual appliance
C. Virtual network gateway
D. None
Answer: B

Virtual appliance is the correct next hop when you want traffic sent to an NVA or firewall IP. Combined with a 0.0.0.0/0 route, it enables forced tunneling through the inspection device.

Why this answer

To force all internet-bound traffic from a subnet through a network virtual appliance (NVA) at 10.1.0.4, you must create a user-defined route (UDR) with destination 0.0.0.0/0 and next hop type 'Virtual appliance'. This directs traffic to the NVA's private IP for inspection, overriding Azure's default system route that would otherwise send 0.0.0.0/0 traffic directly to the Internet via the Azure backbone.

Exam trap

The trap here is that candidates often confuse 'Virtual appliance' with 'Virtual network gateway', mistakenly thinking a VPN gateway is required to route internet traffic, when in fact the NVA is a simple VM or firewall appliance with IP forwarding enabled.

How to eliminate wrong answers

Option A is wrong because 'Internet' as a next hop type would send traffic directly to the public internet without inspection, bypassing the NVA entirely. Option C is wrong because 'Virtual network gateway' is used for site-to-site VPN or ExpressRoute traffic, not for routing internet-bound traffic through an NVA. Option D is wrong because 'None' would drop all traffic matching the route, effectively blackholing internet-bound packets instead of forwarding them to the NVA.

915
Multi-Select (hard)

A finance application stores monthly invoice PDFs in Azure Blob Storage. The data must survive a single availability zone outage in the region, and the storage account must be reachable only through a private IP from AppSubnet. Public network access must not be available. Which three actions should the administrator take? Select three.

Select 3 answers
A. Create the storage account with zone-redundant storage (ZRS).
B. Create a private endpoint in AppSubnet for the storage account.
C. Disable public network access on the storage account.
D. Use locally redundant storage (LRS) because it stays inside one datacenter.
E. Enable a service endpoint on AppSubnet instead of using a private endpoint.
Answers: A, B, C

ZRS keeps copies across multiple availability zones in the region, so one zone outage will not interrupt access.

Why this answer

Option A is correct because Zone-Redundant Storage (ZRS) synchronously replicates data across three Azure availability zones within the same region, ensuring data durability even if one entire zone fails. This meets the requirement to survive a single availability zone outage.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, thinking a service endpoint alone provides private IP-only access, but it does not disable the public endpoint and still relies on the storage account's public DNS name.

916
MCQ (medium)

An application on a VM in subnet AppSubnet must access a storage account over the public endpoint. The security team wants to allow traffic only from AppSubnet and does not want to deploy a private endpoint. What should the administrator configure?

A. Disable the storage account firewall and rely on the VM's source IP address.
B. Enable the Microsoft.Storage service endpoint on AppSubnet and allow that virtual network in the storage account firewall.
C. Create a private endpoint and leave the firewall set to allow all networks.
D. Grant the VM Contributor access to the storage account and the network rule will be enforced automatically.
Answer: B

A service endpoint extends the subnet identity to the storage service while still using the public endpoint, which matches the requirement to avoid a private endpoint. After enabling the endpoint on AppSubnet, you can allow that virtual network in the storage account firewall so only traffic from the approved subnet can reach the account. This is a common network-control pattern for Azure Storage.

Why this answer

Option B is correct because enabling a Microsoft.Storage service endpoint on AppSubnet allows traffic from that subnet to the storage account over the Azure backbone network, while still using the public endpoint. Then, configuring the storage account firewall to allow that virtual network restricts access exclusively to AppSubnet, meeting the security requirement without deploying a private endpoint.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, assuming that only private endpoints can restrict access, when in fact service endpoints combined with the storage account firewall can achieve subnet-level restriction over the public endpoint.

How to eliminate wrong answers

Option A is wrong because disabling the storage account firewall would allow all traffic from any source, violating the security requirement to restrict access only to AppSubnet; relying on the VM's source IP address is unreliable due to dynamic IPs and does not enforce subnet-level isolation. Option C is wrong because creating a private endpoint contradicts the explicit requirement to not deploy a private endpoint, and leaving the firewall set to allow all networks would bypass the intended restriction. Option D is wrong because granting the VM Contributor access to the storage account does not enforce network-level restrictions; Azure RBAC controls data plane permissions, not network access, and network rules are not automatically enforced by role assignments.

917
MCQ (medium)

A Windows file server VM in Azure needs to mount an Azure file share by using existing Active Directory Domain Services credentials. The security team does not want to use storage account keys. Which authentication option should be configured for Azure Files?

A. Shared key authorization, because it is the only method supported by Azure Files.
B. Azure Files identity-based authentication using Active Directory Domain Services.
C. A user delegation SAS, because it maps the share automatically to domain accounts.
D. Anonymous access, because Windows file servers can mount Azure shares without authentication.
Answer: B

Azure Files can use AD DS-based identity authentication so Windows users and servers can access the share with domain credentials. This avoids storing or distributing storage account keys and fits the requirement to use existing directory identities.

Why this answer

Azure Files supports identity-based authentication using Active Directory Domain Services (AD DS), which allows domain-joined VMs to mount Azure file shares using existing AD credentials without exposing storage account keys. This method leverages Kerberos authentication and enables fine-grained access control via NTFS permissions, meeting the security team's requirement to avoid storage account keys.

Exam trap

The trap here is that candidates often assume Azure Files only supports shared key or SAS-based access, overlooking the identity-based authentication option that integrates with on-premises AD DS for seamless credential reuse.

How to eliminate wrong answers

Option A is wrong because Azure Files supports multiple authentication methods, including identity-based authentication via AD DS, not just shared key authorization. Option C is wrong because a user delegation SAS (shared access signature) is used for delegated access to specific resources with temporary permissions, but it does not map shares automatically to domain accounts nor does it integrate with AD DS for credential-based mounting. Option D is wrong because anonymous access is not supported for Azure file shares; mounting requires authentication, and Windows file servers cannot mount Azure shares without valid credentials.

918
Multi-Select (medium)

A team moved blob data to the Archive tier to minimize cost. They now need to restore a few files for an audit. Which two statements are true about accessing archived blobs? Select two.

Select 2 answers
A. Archived blobs can be read immediately through normal blob reads.
B. Rehydration is required before the blob can be read or copied.
C. Rehydration can target Hot or Cool access tier.
D. Archive tier provides the fastest retrieval time.
E. Changing a blob from Archive to Hot completes instantly and synchronously.
Answers: B, C

Archive blobs must be rehydrated before they become readable or available for copy operations.

Why this answer

Archived blobs are in an offline state and cannot be read or copied directly. They must first be rehydrated to an online tier (Hot or Cool) through a process that changes the blob's tier or copies it to a new online blob. This rehydration process is asynchronous and takes time, depending on the priority set.

Exam trap

The trap here is that candidates assume archived blobs can be read immediately or that tier changes are instant, confusing the Archive tier's offline state with the online Cool or Hot tiers.

919
MCQ (medium)

A project team adds and removes contractors every month. The team wants Azure role assignments to stay the same when individual contractors leave or join, and access should be granted to everyone on the team through one control point. What should the administrator assign the Azure role to?

A. A Microsoft Entra security group
B. A Microsoft 365 group
C. A guest user account
D. A managed identity
Answer: A

Security groups are the right choice for Azure RBAC delegation because membership can change without editing the role assignment itself.

Why this answer

Assigning an Azure role to a Microsoft Entra security group provides a single control point for managing permissions. When contractors join or leave, the administrator only needs to add or remove their user accounts from the group, and the role assignments remain intact. This decouples access from individual user accounts and ensures consistent permissions for the entire team.

Exam trap

The trap here is that candidates may confuse Microsoft 365 groups with security groups, assuming both are equally suitable for Azure RBAC, but Microsoft 365 groups are optimized for collaboration features and are not the default or most efficient choice for managing Azure resource access.

How to eliminate wrong answers

Option B is wrong because a Microsoft 365 group is primarily designed for collaboration (e.g., shared mailboxes, calendars, and Teams) and, while it can be assigned Azure roles, it is not the recommended or most straightforward control point for managing Azure resource access; security groups are the standard for role-based access control. Option C is wrong because a guest user account represents a single external user, not a team, and would require individual role assignments for each contractor, defeating the purpose of a single control point. Option D is wrong because a managed identity is an Azure service principal used for authenticating to Azure resources from code or services, not for granting access to human users or groups.

920
MCQ (medium)

An administrator creates a new spoke virtual network with address space 10.100.1.0/24 and tries to peer it to an existing hub virtual network that already uses 10.100.0.0/16. The peering fails. The business wants private connectivity between the hub and spoke. What action should the administrator take first?

A. Add a route table to the spoke and point the default route to the hub.
B. Change the spoke VNet to a non-overlapping address range before attempting peering again.
C. Enable gateway transit on the hub and use the remote gateway from the spoke.
D. Deploy a private DNS zone and link it to both VNets.
Answer: B

Azure virtual network peering requires non-overlapping address spaces. The spoke currently sits inside the hub's 10.100.0.0/16 range, so the overlap must be removed first. After the address space is changed to a unique range, peering can succeed and private connectivity can be established.

Why this answer

VNet peering requires that the address spaces of the peered virtual networks do not overlap. The hub already uses 10.100.0.0/16, which includes the spoke's 10.100.1.0/24 range, causing a conflict. Changing the spoke to a non-overlapping address range, such as 10.200.1.0/24, resolves this and allows the peering to succeed.

Exam trap

The trap here is that candidates often assume routing or DNS configuration can fix peering failures, overlooking the fundamental requirement that VNet address spaces must not overlap.

How to eliminate wrong answers

Option A is wrong because adding a route table to the spoke does not resolve the fundamental address overlap issue; peering itself will still fail due to conflicting IP ranges. Option C is wrong because gateway transit is used for connecting on-premises networks or enabling spoke-to-spoke routing through the hub, but it does not fix overlapping address spaces required for peering. Option D is wrong because private DNS zones are for name resolution, not for resolving IP address conflicts that prevent VNet peering from being established.

921
MCQ (medium)

Based on the exhibit, the operations team says the alert is too noisy because short CPU spikes after nightly maintenance trigger notifications. They want an alert only when VM1's average CPU stays above 80% for at least 10 minutes. What should you change?

A. Lower the threshold to 70% so the alert becomes less sensitive.
B. Increase the window size to 10 minutes and keep the evaluation frequency at 1 minute.
C. Replace the metric alert with a Log Analytics query alert against the activity log.
D. Move the alert scope from the VM to the resource group.
Answer: B

A longer evaluation window requires CPU to remain elevated over a longer period before the rule triggers. That directly addresses short maintenance spikes while still checking frequently enough to detect sustained pressure.

Why this answer

Option B is correct because increasing the window size to 10 minutes while keeping the evaluation frequency at 1 minute means the alert will only fire when the average CPU over the last 10 minutes exceeds 80%. This filters out transient spikes from nightly maintenance, as the alert requires sustained high CPU for the full duration. The evaluation frequency of 1 minute ensures the alert is checked every minute, but the condition is based on the 10-minute rolling average.

Exam trap

The trap here is that candidates often confuse 'window size' with 'evaluation frequency' and think increasing the evaluation frequency alone would solve the noise, but it is the window size that controls the duration over which the metric must remain above the threshold.

How to eliminate wrong answers

Option A is wrong because lowering the threshold to 70% would make the alert more sensitive, not less, and would still trigger on short spikes. Option C is wrong because a Log Analytics query alert against the activity log cannot monitor VM CPU performance metrics; the activity log tracks administrative events, not resource performance counters. Option D is wrong because moving the alert scope to the resource group would apply the same alert rule to all VMs in the group, potentially increasing noise, and does not address the issue of transient spikes.

922
MCQ (easy)

You need to resize a VM to a larger size, but Azure says the target size is not available while the VM is running. What should you do first?

A. Delete the VM and recreate it from the image.
B. Deallocate the VM, then retry the resize.
C. Attach a new data disk first.
D. Create an availability set for the VM.
Answer: B

Deallocating releases the VM from the current host cluster and often allows Azure to place it on hardware that supports the new size.

Why this answer

When a VM is running, Azure may not have the target VM size available in the cluster hosting the VM. Deallocating the VM releases the underlying hardware resources and removes the VM from its current cluster, allowing Azure to select a new cluster that supports the desired size. After deallocation, the resize operation can succeed because the VM is no longer pinned to a specific host or cluster.

Exam trap

The trap here is that candidates often think they must delete and recreate the VM or perform complex workarounds, when the simple and correct first step is to deallocate the VM to free it from its current cluster constraint.

How to eliminate wrong answers

Option A is wrong because deleting the VM and recreating it from an image is unnecessarily destructive and time-consuming; it would lose the VM's current state, disks, and configurations, whereas a simple deallocation and resize preserves all settings. Option C is wrong because attaching a new data disk does not change the VM's size or the availability of the target size in the current cluster; it is unrelated to the resize constraint. Option D is wrong because creating an availability set does not resolve the cluster-level size unavailability; availability sets are for high availability across fault domains, not for changing the VM's hardware configuration.

923
MCQ (medium)

A team wants to restrict a storage account so only one Azure subnet can reach it. They do not need a private IP address, and they are fine with the storage account still using its public endpoint. Which configuration should the administrator use?

A. Create a private endpoint and disable public network access.
B. Enable a service endpoint on the subnet and allow that subnet in the storage account firewall.
C. Generate a user delegation SAS token and distribute it only to the subnet.
D. Change the redundancy setting to ZRS and enable soft delete.
Answer: B

A service endpoint extends the subnet identity to the storage service while traffic still reaches the public endpoint. Adding the subnet to the storage firewall then limits access to that subnet. This matches the requirement exactly because the team does not need a private IP, only subnet-restricted access.

Why this answer

Option B is correct because a service endpoint extends the virtual network identity to the storage account over the public endpoint, allowing the administrator to restrict access to only traffic originating from that specific subnet via the storage account firewall. This meets the requirement of using the public endpoint while limiting access to a single Azure subnet without needing a private IP address.

Exam trap

The trap here is that candidates confuse private endpoints (which require a private IP and can disable the public endpoint) with service endpoints (which keep the public endpoint but restrict access by subnet), leading them to incorrectly choose Option A.

How to eliminate wrong answers

Option A is wrong because a private endpoint assigns a private IP address to the storage account and disabling public network access removes the public endpoint, contradicting the requirement to keep the public endpoint. Option C is wrong because a user delegation SAS token grants access based on the token holder's identity and permissions, not on network source; distributing it to a subnet does not restrict access to only that subnet, as the token can be used from any network location. Option D is wrong because changing redundancy to ZRS and enabling soft delete are data protection and availability features, not network access control mechanisms, and do not restrict access to a specific subnet.

924
MCQ (easy)

Based on the exhibit, what should the administrator create so VMs in AppSubnet can access the storage account over a private IP address?

A. A service endpoint for Microsoft.Storage on AppSubnet.
B. A private endpoint for the storage account in AppSubnet.
C. A site-to-site VPN gateway between AppVNet and the storage account.
D. An application security group for the storage account and subnet.
Answer: B

A private endpoint assigns the storage account a private IP address in the VNet, which is exactly what the exhibit requires. With public access disabled, the private endpoint is the correct way for the VMs to reach the storage service privately from AppSubnet.

Why this answer

A private endpoint assigns a private IP address from AppSubnet to the storage account, enabling VMs in that subnet to access the storage account over a private IP within the VNet. This eliminates exposure to the public internet and uses Azure Private Link for secure, direct connectivity.

Exam trap

The trap here is confusing service endpoints (which still use the public endpoint but with source subnet restriction) with private endpoints (which provide a true private IP address), leading candidates to incorrectly choose A when the question explicitly requires access over a private IP address.

How to eliminate wrong answers

Option A is wrong because a service endpoint for Microsoft.Storage on AppSubnet allows access to the storage account over the Azure backbone but still uses the storage account's public endpoint, not a private IP address from the subnet. Option C is wrong because a site-to-site VPN gateway connects on-premises networks to Azure VNets, not between a VNet and a PaaS service like a storage account. Option D is wrong because an application security group is a logical grouping of VMs for network security rules, not a mechanism to provide private IP connectivity to a storage account.

925
MCQ (easy)

An NSG on a subnet has these inbound rules: Deny-All-Inbound at priority 100 and Allow-RDP-from-AdminSubnet at priority 200. Administrators on AdminSubnet still cannot RDP to a VM in the subnet. What should the network administrator change?

A. Delete the deny rule so only the allow rule remains.
B. Move the allow rule to a lower priority number than 100.
C. Change the VM to a different availability zone.
D. Create a private endpoint for the VM.
Answer: B

NSG rules are processed in priority order, and the lowest number wins. The allow rule must be evaluated before the deny rule.

Why this answer

The NSG rules are evaluated in priority order, with lower numbers having higher precedence. The Deny-All-Inbound rule at priority 100 blocks all traffic, including RDP from AdminSubnet, before the Allow-RDP-from-AdminSubnet rule at priority 200 is evaluated. To allow RDP traffic, the allow rule must have a lower priority number (e.g., 90) than the deny rule (100), ensuring it is evaluated first and permits the traffic before the deny rule blocks it.

Exam trap

The trap here is that candidates assume allow rules override deny rules regardless of priority, but Azure NSGs evaluate rules in priority order and stop at the first match (lowest priority number first), so a deny rule with a lower number will block traffic even if an allow rule with a higher number exists.

How to eliminate wrong answers

Option A is wrong because deleting the deny rule would remove all inbound traffic blocking, exposing the subnet to unrestricted inbound access, which is a security risk and not a targeted fix for the RDP issue. Option C is wrong because changing the VM to a different availability zone does not affect NSG rule evaluation or priority; availability zones are for fault tolerance, not network security rule processing. Option D is wrong because a private endpoint is used for secure access to Azure PaaS services (e.g., Storage, SQL) over a private IP, not for enabling RDP to a VM; it does not alter NSG rule priority or allow RDP traffic.

926
MCQ (hard)

You need to collect Windows event logs and performance counters from multiple Azure virtual machines and query the data by using Kusto Query Language. Which Azure resource should you use?

A. A Log Analytics workspace
B. A Recovery Services vault
C. Azure Network Watcher
D. A load balancer
Answer: A

Log Analytics workspaces store and enable KQL queries over collected monitoring data.

Why this answer

A Log Analytics workspace is the correct Azure resource for collecting Windows event logs and performance counters from Azure VMs and querying them using Kusto Query Language (KQL). It serves as the central repository where diagnostic data is ingested via the Azure Diagnostics extension or the Log Analytics agent, enabling rich log analytics and custom KQL queries.

Exam trap

The trap here is that candidates often confuse a Log Analytics workspace with Azure Monitor itself, but the workspace is the specific resource that stores and queries the data, while Azure Monitor is the overarching service; the question explicitly asks for the resource that collects and queries the data, which is the workspace.

How to eliminate wrong answers

Option B is wrong because a Recovery Services vault is used for backup and disaster recovery (e.g., Azure Backup, Site Recovery), not for collecting and querying operational logs or performance data. Option C is wrong because Azure Network Watcher provides network-level monitoring and diagnostics (e.g., packet capture, NSG flow logs), but it does not collect Windows event logs or performance counters, nor does it support KQL queries. Option D is wrong because a load balancer distributes incoming traffic across VMs and does not ingest, store, or query log data; it is a networking component, not a data analytics resource.

927
MCQ (easy)

You want to preview what a Bicep deployment will change before you apply it to a resource group. Which command should you use?

A. az deployment group what-if
B. az vm create
C. az monitor metrics list
D. az deployment group create --mode Complete
Answer: A

The what-if command shows the planned create, modify, and delete operations before you run the deployment.

Why this answer

The `az deployment group what-if` command allows you to preview the changes a Bicep deployment will make to a resource group before actually applying them. It returns a list of resources that will be created, modified, or deleted, enabling you to validate the deployment's impact without committing any changes. This is the correct tool for a dry-run or validation scenario.

Exam trap

The trap here is that candidates may confuse `az deployment group what-if` with `az deployment group validate` (which checks template syntax but does not show resource-level changes), or they might think `az deployment group create --mode Complete` provides a preview, when in fact it executes the deployment immediately.

How to eliminate wrong answers

Option B is wrong because `az vm create` is used to provision a new virtual machine, not to preview deployment changes. Option C is wrong because `az monitor metrics list` retrieves metric data for Azure resources, which is unrelated to deployment previews. Option D is wrong because `az deployment group create --mode Complete` performs an actual deployment in Complete mode, which can delete resources not in the template, and does not provide a preview before applying changes.

928
MCQ (medium)

A container group runs a nightly processing job in Azure Container Instances. The job should exit after completing successfully and should not restart automatically. Which restart policy should you configure?

A. Always
B. Never
C. OnFailure
D. Automatic
Answer: B

Never lets the container exit and stay stopped, which matches a completed batch workload.

Why this answer

The 'Never' restart policy ensures that the container group runs once and does not restart after it exits, regardless of the exit code. This is ideal for a nightly batch job that should complete and then stop permanently without automatic restarts.

Exam trap

The trap here is that candidates may confuse 'OnFailure' with 'Never' for successful jobs, not realizing that 'OnFailure' still restarts on failure, while the question requires no restart at all after successful completion.

How to eliminate wrong answers

Option A is wrong because 'Always' restarts the container indefinitely regardless of exit code, which would cause the job to run repeatedly instead of stopping after completion. Option C is wrong because 'OnFailure' restarts the container only if it exits with a non-zero exit code, but the question specifies the job should exit after completing successfully and not restart at all. Option D is wrong because 'Automatic' is not a valid restart policy in Azure Container Instances; the valid policies are Always, Never, and OnFailure.

929
MCQ (medium)

An administrator must centralize Azure Activity log events and diagnostic logs from several storage accounts into a single workspace so the team can query them with KQL. What should be configured on each resource?

A. A backup policy in Recovery Services vault to copy logs into the workspace.
B. Diagnostic settings to send logs to a Log Analytics workspace.
C. A private endpoint for each storage account so the logs remain internal to Azure.
D. A management group lock to prevent log deletion.
Answer: B

Diagnostic settings are the standard way to export platform logs and resource logs from Azure resources into Log Analytics for centralized querying. Once the data reaches the workspace, the team can use KQL to search and correlate events across resources. For Azure Activity logs, the subscription diagnostic setting is used; for storage accounts, resource diagnostic settings are configured on each account.

Why this answer

Diagnostic settings are the Azure mechanism for streaming resource logs and metrics to various destinations, including Log Analytics workspaces. By configuring diagnostic settings on each storage account to send its Activity Log and diagnostic logs to a single Log Analytics workspace, the administrator centralizes the logs for KQL querying. This is the only option that directly enables log ingestion into the workspace.

Exam trap

The trap here is confusing Azure Monitor diagnostic settings with backup or security features, leading candidates to select options that manage data protection or network isolation instead of log streaming.

How to eliminate wrong answers

Option A is wrong because a backup policy in a Recovery Services vault is designed for backup and restore of Azure resources, not for streaming or copying logs to a Log Analytics workspace. Option C is wrong because a private endpoint secures network traffic to the storage account but does not send logs to a Log Analytics workspace. Option D is wrong because a management group lock prevents accidental deletion or modification of resources but does not configure log forwarding or ingestion.

930
Multi-Select (medium)

Your company has two Azure virtual networks in the same region: VNetA (10.0.0.0/16) and VNetB (10.1.0.0/16). You need to enable communication between resources in VNetA and VNetB while ensuring that traffic is encrypted and passes over the Microsoft backbone network. Which three of the following must be configured? (Choose three.)

Select 3 answers
A. Establish a site-to-site VPN connection between the two virtual networks.
B. Configure virtual network peering between VNetA and VNetB.
C. Enable 'Allow gateway transit' on both virtual networks.
D. Verify that the virtual network address spaces do not overlap.
E. Create a private endpoint for each resource that needs to communicate.
F. Ensure that the virtual networks are in the same Azure region.
Answers: B, D, F

Why this answer

Virtual network peering is required to enable direct connectivity between VNetA and VNetB, allowing resources in both networks to communicate over the Microsoft backbone network. Verifying that the address spaces do not overlap (10.0.0.0/16 and 10.1.0.0/16) is a prerequisite for successful peering, as overlapping ranges would cause routing conflicts. Ensuring the virtual networks are in the same Azure region is necessary because standard virtual network peering only works within the same region; global peering would be required for cross-region connectivity, but the question specifies the same region.

Exam trap

The trap here is that candidates often confuse virtual network peering with site-to-site VPN or gateway transit, mistakenly thinking encryption or gateway configuration is required for intra-region peering, when in fact peering itself uses the Microsoft backbone and is inherently secure without additional VPN setup.

931
Multi-Select (hard)

Your company wants one governance baseline to apply automatically to all current and future production subscriptions, and finance wants cost reporting by application across many resource groups. Which two design choices best satisfy the requirements? Select two.

Select 2 answers
A. Place the production subscriptions under a dedicated management group so inherited policy and RBAC can be applied once.
B. Use tags such as Application or CostCenter on resources or resource groups for chargeback and reporting.
C. Place all production workloads into one shared resource group so governance and reporting are simpler.
D. Use management groups instead of tags because tags are not useful for cost reporting.
E. Assign the baseline only at one subscription and copy the settings manually to every new subscription.
Answers: A, B

Management groups are the right abstraction for organizing subscriptions that share governance requirements. Assigning policy and RBAC at that level lets the enterprise apply a baseline once and have it flow to child subscriptions automatically. This is the strongest fit for enterprise-wide production governance.

Why this answer

Option A is correct because placing production subscriptions under a dedicated management group allows you to apply Azure Policy and Azure RBAC at the management group scope, which automatically inherits to all current and future subscriptions within that hierarchy. This ensures a consistent governance baseline without manual intervention for new subscriptions.

Exam trap

The trap here is that candidates may confuse management groups and tags as mutually exclusive, when in fact they are complementary: management groups enforce governance inheritance, while tags enable granular cost reporting and chargeback.

932
MCQ (medium)

A reporting server will run an in-memory analytics workload that needs 8 vCPUs and 64 GiB RAM. CPU usage is expected to stay moderate, but the application benefits most from memory capacity. Which VM family should the administrator choose as the starting point?

A. B-series
B. D-series
C. F-series
D. E-series
Answer: D

E-series provides memory-optimized VM sizes that better match workloads needing high RAM relative to CPU.

Why this answer

The E-series (memory-optimized) VM family is designed for in-memory analytics workloads that require high memory-to-CPU ratios. With 8 vCPUs and 64 GiB RAM, the workload demands 8 GiB per vCPU, which aligns with E-series specifications (typically 8–16 GiB per vCPU). D-series offers a balanced ratio (4 GiB per vCPU) and would not provide sufficient memory capacity for this workload.

Exam trap

The trap here is that candidates often default to D-series (general purpose) for any 'moderate CPU' workload, overlooking the specific memory requirement that dictates the need for a memory-optimized family like E-series.

How to eliminate wrong answers

Option A is wrong because B-series (burstable) VMs are intended for workloads with low average CPU usage and occasional spikes, not for sustained in-memory analytics requiring consistent high memory capacity. Option B is wrong because D-series (general purpose) provides a balanced vCPU-to-memory ratio (4 GiB per vCPU), which would yield only 32 GiB RAM for 8 vCPUs, half the required 64 GiB. Option C is wrong because F-series (compute optimized) prioritizes high CPU performance with a low memory ratio (2 GiB per vCPU), offering only 16 GiB RAM for 8 vCPUs, far below the 64 GiB requirement.

933
MCQ (easy)

A central audit group must have Reader access for every current and future subscription in the company hierarchy. You want one assignment that will apply broadly as new subscriptions are added. Where should the role be assigned?

A. At the management group that contains the subscriptions
B. At one resource group in each subscription
C. At a single resource
D. At the tenant root only for one application
Answer: A

A management group assignment flows down to current and future subscriptions under it.

Why this answer

Assigning the Reader role at the management group level ensures that the central audit group inherits the role to all current and future subscriptions within that management group hierarchy. This is the most efficient and scalable approach because Azure RBAC assignments on a management group are inherited by all child subscriptions and resource groups, eliminating the need to manually update permissions as new subscriptions are added.

Exam trap

The trap here is that candidates may think assigning at the tenant root is possible for subscription-level access, but Azure does not support role assignments at the tenant root scope for resource management; the correct hierarchical scope for broad inheritance is the management group.

How to eliminate wrong answers

Option B is wrong because assigning the Reader role at a resource group in each subscription would require manual updates for every new subscription and does not cover the entire subscription scope, leaving other resource groups without the required access. Option C is wrong because assigning at a single resource provides the narrowest scope, granting access only to that specific resource, not to any subscription or resource group. Option D is wrong because the tenant root scope (/) is not a valid assignment target for role-based access control; role assignments must be made at management group, subscription, resource group, or resource scopes, and the tenant root is only used for administrative units or directory-level roles, not for granting Reader access to subscriptions.

934
MCQ (medium)

A change-freeze requires that no one can modify the settings of a subscription's resource group for six hours. Deletion is not the main concern; the priority is to block changes to existing resources during the freeze. Which lock should you apply?

A. CanNotDelete
B. ReadOnly
C. Reader
D. DeployIfNotExists
Answer: B

ReadOnly blocks write operations, which is the appropriate choice when all configuration changes must be prevented during a freeze.

Why this answer

The ReadOnly lock prevents any modification to existing resources, including configuration changes, while still allowing read operations. This directly satisfies the change-freeze requirement to block changes for six hours, as it denies all write operations at the resource group scope.

Exam trap

The trap here is confusing Azure RBAC roles (like Reader) with resource locks, as both can restrict changes but locks are applied at the resource scope and override all permissions, while RBAC roles are identity-based and can be bypassed by privileged users.

How to eliminate wrong answers

Option A is wrong because CanNotDelete only prevents deletion of resources but still allows modifications like updating settings, scaling, or changing configurations, which violates the change-freeze. Option C is wrong because Reader is an Azure RBAC role, not a lock; it controls access via role assignments but does not enforce a resource-level lock that can be applied independently of user permissions. Option D is wrong because DeployIfNotExists is a policy effect used in Azure Policy to deploy resources when a condition is not met, not a lock for blocking modifications.

935
Multi-Select (easy)

A department wants three related policies grouped together and assigned as one unit to a set of subscriptions. Which two statements about an Azure Policy initiative are correct? Select two.

Select 2 answers
A. An initiative groups multiple policy definitions into one assignment.
B. An initiative can be assigned at management group scope to cover child subscriptions.
C. An initiative grants Azure permissions to users.
D. An initiative replaces resource group locks.
E. An initiative is used to create a new resource group.
Answers: A, B

An initiative is used to bundle related policy definitions so they can be managed together. This reduces administrative effort because you assign and review one control set instead of handling each policy separately.

Why this answer

Option A is correct because an Azure Policy initiative is specifically designed to group multiple policy definitions into a single assignment. This allows you to apply a set of related compliance rules as one unit, simplifying management and ensuring consistent enforcement across subscriptions.

Exam trap

The trap here is that candidates often confuse Azure Policy initiatives with RBAC roles or resource locks, mistakenly thinking initiatives manage permissions or protect resources, when in fact they only enforce compliance rules.

936
MCQ (medium)

An online transaction app uses two identical VMs in an Azure region that supports availability zones. The business wants the app to stay available if an entire datacenter in the region fails. What should the administrator deploy?

A. An availability set with the VMs placed in different update domains.
B. Two VMs placed in different availability zones within the region.
C. A proximity placement group so both VMs stay physically close together.
D. A single VM with Premium SSD storage and automatic restart.
Answer: B

Availability zones place resources in separate datacenters inside the same region, so the workload can survive a complete zone or datacenter failure. For a requirement that explicitly includes datacenter-level resilience, zones are the correct choice. They provide stronger isolation than availability sets, which only protect against update domain and fault domain issues within a datacenter.

Why this answer

Option B is correct because deploying VMs in different availability zones protects against an entire datacenter failure. Each availability zone is a physically separate datacenter within an Azure region, with independent power, cooling, and networking. If one zone fails, the VM in the other zone remains available, ensuring business continuity for the app.

Exam trap

The trap here is that candidates confuse availability sets (which protect against rack-level failures within a single datacenter) with availability zones (which protect against entire datacenter failures), leading them to choose Option A instead of B.

How to eliminate wrong answers

Option A is wrong because an availability set with different update domains only protects against planned maintenance and some hardware failures within a single datacenter, not against an entire datacenter failure. Option C is wrong because a proximity placement group keeps VMs physically close to reduce latency, which actually increases the risk of both VMs failing if that single location fails. Option D is wrong because a single VM with Premium SSD and automatic restart cannot survive a datacenter failure; it still represents a single point of failure at the datacenter level.
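The deployment the correct answer describes, as an added example that is not part of the question bank: two identical VMs pinned to different availability zones, followed by a check that they really landed in separate zones. Resource group, VNet, NSG, image and size names are assumptions; the Az PowerShell module and an authenticated session are assumed.

```powershell
# Added example (not from the question bank): deploy two identical VMs into two
# availability zones. Resource names, region, image and size are assumptions.
$rg       = 'rg-txn-app'
$location = 'eastus'          # must be a region that supports availability zones
$cred     = Get-Credential -Message 'Local admin account for the VMs'

New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null

# Zone labels are logical and per subscription; a VM's zone is fixed at creation
# and cannot be changed afterwards, so the mapping is decided here.
$placement = [ordered]@{ 'vm-txn-01' = '1'; 'vm-txn-02' = '2' }

foreach ($name in $placement.Keys) {
    New-AzVM -ResourceGroupName $rg `
             -Name $name `
             -Location $location `
             -Zone $placement[$name] `
             -Image 'Win2022Datacenter' `
             -Size 'Standard_D2s_v5' `
             -Credential $cred `
             -VirtualNetworkName 'vnet-txn' `
             -SubnetName 'snet-web' `
             -SecurityGroupName 'nsg-web' `
             -PublicIpAddressName "pip-$name" `
             -OpenPorts 443 | Out-Null
}

# Verify before signing off: two VMs in the same zone still share one datacenter.
$zones = Get-AzVM -ResourceGroupName $rg |
    Select-Object Name, @{ n = 'Zone'; e = { $_.Zones -join ',' } }
$zones | Format-Table -AutoSize
if (($zones.Zone | Sort-Object -Unique).Count -lt 2) {
    throw 'Both VMs are in the same zone; the datacenter-failure requirement is not met.'
}
```

Zonal VMs on their own only keep the workload alive; to keep it reachable the front end (a zone-redundant Standard load balancer or Application Gateway) must also span zones, otherwise the entry point becomes the single datacenter dependency the VMs just removed.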

937
MCQhard

A Windows VM fails to start after a configuration change. You need to capture screenshots and serial console output to troubleshoot the boot problem. Which feature should you use?

A.Azure Backup
B.Boot diagnostics
C.Just-in-Time VM access
D.Autoscale
AnswerB

Boot diagnostics provides screenshots and serial console output to troubleshoot startup issues.

Why this answer

Boot diagnostics captures serial console output and screenshots of a VM during boot, which is essential for troubleshooting boot failures after a configuration change. This feature provides logs and visual data from the VM's boot process, accessible via the Azure portal or CLI, without requiring guest OS access.

Exam trap

The trap here is that candidates confuse boot diagnostics with Azure Backup or recovery services, assuming that restoring from a backup is the primary troubleshooting step for boot failures, rather than using the built-in diagnostic feature that captures real-time boot data.

How to eliminate wrong answers

Option A is wrong because Azure Backup is a data protection service that creates recovery points; restoring one is a last resort, not a way to see why the current boot is failing, and it produces no serial output or screenshots. Option C is wrong because Just-in-Time (JIT) VM access is a Microsoft Defender for Cloud feature that keeps management ports closed in the NSG (or Azure Firewall) and opens them only on request for a limited time; it governs inbound access and has nothing to do with boot data. Option D is wrong because Autoscale adjusts the instance count of VM scale sets or App Service plans based on metrics; it is not a diagnostic tool for an individual VM's boot.
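The troubleshooting steps the answer describes, as an added example that is not part of the question bank: make sure boot diagnostics is on (using the platform-managed storage account), confirm the VM's power state, and pull the serial log and screenshot to a local folder for triage. Resource names and the local path are assumptions; Az.Compute and an authenticated session are assumed.

```powershell
# Added example (not from the question bank): enable boot diagnostics with the
# managed storage account and download the serial log and screenshot for a VM
# that fails to boot. Resource names and the output folder are assumptions.
$rg   = 'rg-app'
$name = 'vm-web-01'

$vm = Get-AzVM -ResourceGroupName $rg -Name $name
if (-not $vm.DiagnosticsProfile.BootDiagnostics.Enabled) {
    # Without -StorageAccountName the platform-managed storage account is used;
    # no storage key and no storage firewall exception is needed.
    Set-AzVMBootDiagnostic -VM $vm -Enable | Out-Null
    Update-AzVM -ResourceGroupName $rg -VM $vm | Out-Null
}

# Power state first: a deallocated VM has nothing to capture, and a VM that is
# "running" but unreachable is exactly the case boot diagnostics is for.
(Get-AzVM -ResourceGroupName $rg -Name $name -Status).Statuses |
    Where-Object Code -like 'PowerState/*' |
    Select-Object Code, DisplayStatus

# Download the serial console log and the screenshot to a local folder.
$out = Join-Path $env:TEMP "bootdiag-$name"
New-Item -ItemType Directory -Path $out -Force | Out-Null
Get-AzVMBootDiagnosticsData -ResourceGroupName $rg -Name $name -Windows -LocalPath $out
Get-ChildItem $out | Select-Object Name, Length, LastWriteTime

# Quick triage of the serial log: stop codes and failed services usually show up here.
Get-ChildItem $out -Filter '*.log' |
    Select-String -Pattern 'STOP|bugcheck|error|failed' |
    Select-Object -First 20 LineNumber, Line
```

The screenshot is a point-in-time capture; if the VM is stuck on a stop code it shows the blue screen, which is often faster to read than the log. Guest OS credentials are never needed for any of this, which is the point of the feature when the change that broke the boot was a credential or agent change.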

938
MCQmedium

A company stores contract PDFs in Azure Blob Storage. The application must keep working if one datacenter in the primary region has an outage, and auditors also want read-only access to the replicated data from the secondary region during a regional outage. Which redundancy option should the administrator choose?

A.LRS
B.ZRS
C.GZRS
D.RA-GZRS
AnswerD

RA-GZRS combines zone redundancy in the primary region with geo-replication and read access to the secondary endpoint.

Why this answer

RA-GZRS (Read-Access Geo-Zone-Redundant Storage) is the correct choice because it combines zone-redundant storage (ZRS) across availability zones in the primary region with geo-replication to a secondary region, and crucially enables read access to the secondary region data during a regional outage. This ensures the application remains available if one datacenter fails (via ZRS) and satisfies the auditors' requirement for read-only access to replicated data during a regional outage (via the read-access flag).

Exam trap

The trap here is that candidates often confuse GZRS with RA-GZRS, forgetting that GZRS alone does not grant read access to the secondary region during an outage; the 'RA' prefix is required to enable that read-only access.

How to eliminate wrong answers

Option A (LRS) is wrong because it keeps its three copies within a single datacenter, so a datacenter outage makes the data unavailable and can lose it outright, failing the first requirement. Option B (ZRS) is wrong because although it survives a datacenter failure by replicating synchronously across availability zones in the primary region, it has no secondary region, so there is nothing for the auditors to read during a regional outage. Option C (GZRS) is wrong because it does replicate to a secondary region but exposes that copy only after a failover; read access to the secondary endpoint without failing over requires the 'RA' variant, which among the listed options is RA-GZRS.

939
MCQmedium

You need to deploy 30 identical Azure virtual machines for a web application and scale the instance count automatically based on CPU demand. Which Azure compute feature should you use?

A.An availability set
B.A Virtual Machine Scale Set
C.A Recovery Services vault
D.Boot diagnostics
AnswerB

Scale Sets provide grouped deployment and autoscaling.

Why this answer

Virtual Machine Scale Sets (VMSS) are designed specifically to deploy and manage a group of identical, load-balanced VMs that can automatically scale in or out based on CPU demand or other metrics. This matches the requirement for 30 identical VMs and autoscaling, making B the correct choice.

Exam trap

The trap here is that candidates often confuse availability sets (which provide high availability) with scale sets (which provide both high availability and autoscaling), leading them to pick A when the question explicitly requires automatic scaling based on demand.

How to eliminate wrong answers

Option A is wrong because an availability set only provides high availability by distributing VMs across fault and update domains; it does not support autoscaling or deployment of identical VMs as a group. Option C is wrong because a Recovery Services vault is used for backup and disaster recovery, not for deploying or scaling compute resources. Option D is wrong because boot diagnostics captures serial console output and screenshots for troubleshooting VM boot failures; it has no role in scaling or deploying multiple VMs.

940
Multi-Selecthard

A finance VM is backed up daily. The team wants short-lived snapshots so recently changed files can be recovered quickly, but they also need daily recovery points retained for 30 days. Which two backup policy settings should be configured? Select two.

Select 2 answers
A.Retain instant restore snapshots for 2 days
B.Retain daily recovery points for 30 days
C.Run the backup job every 12 hours
D.Retain weekly recovery points for 30 days
E.Move backup data to Archive tier
AnswersA, B

Short snapshot retention keeps recent restore points available for fast file recovery.

Why this answer

Option A is correct because instant restore snapshots are short-lived snapshots kept in a resource group alongside the VM disks rather than transferred to the vault, which is why file-level restores from them are fast. Setting 'Retain instant restore snapshots for 2 days' keeps the last two days' snapshots available for immediate restores without consuming long-term vault storage. Option B is correct because 'Retain daily recovery points for 30 days' is exactly the stated retention requirement: it keeps one recovery point per day in the vault, so any of the last 30 daily backups can be restored.

Exam trap

The trap here is that candidates often confuse 'instant restore snapshots' with 'recovery points' and may select options like 'Run the backup job every 12 hours' thinking more frequent backups improve recovery speed, when in fact the instant restore snapshot retention setting directly controls the availability of quick file-level restores.

941
MCQmedium

Two VNets are peered. AppVNet contains VMs that access a private endpoint in DataVNet successfully by IP, but name resolution fails for the storage FQDN. The private DNS zone is linked only to DataVNet. What should you do?

A.Create another peering connection from AppVNet to DataVNet.
B.Add a virtual network link from the private DNS zone to AppVNet.
C.Create a public DNS zone with the same name as the private zone.
D.Assign a public IP address to the private endpoint.
AnswerB

Private endpoint name resolution depends on the private DNS zone being linked to the VNet where the clients reside. Because AppVNet is not linked to the zone, its VMs cannot resolve the private endpoint FQDN even though IP connectivity exists. Adding a virtual network link from the private DNS zone to AppVNet makes the private records available to those clients.

Why this answer

The private DNS zone is linked only to DataVNet, so VMs in AppVNet cannot resolve the storage FQDN even though IP connectivity works via the VNet peering. By adding a virtual network link from the private DNS zone to AppVNet, you enable DNS resolution for the private endpoint's FQDN across the peered VNet. This is required because private DNS zones are scoped to the VNets they are linked to, and peering alone does not propagate DNS resolution.

Exam trap

The trap here is that candidates assume VNet peering automatically extends DNS resolution for private endpoints, but peering only provides IP connectivity—DNS resolution requires explicit virtual network links to the private DNS zone.

How to eliminate wrong answers

Option A is wrong because a VNet peering already exists between AppVNet and DataVNet (IP connectivity works), so another peering adds nothing; the gap is name resolution, not routing. Option C is wrong because a public DNS zone with the private zone's name is never consulted by the Azure-provided resolver for AppVNet and, without a delegation you do not control, is not authoritative on the internet either; clients would keep receiving the public IP. Option D is wrong because a private endpoint is by definition a NIC with a private IP in your VNet; giving the service a public address defeats the purpose and still leaves the private zone unlinked, so the FQDN would resolve no differently.

942
MCQmedium

A storage account is accessed from a VM in VNet A through a private endpoint. A VM in peered VNet B can connect to the storage account by IP, but when it uses the storage account name, it resolves to the public endpoint. What should the administrator configure?

A.Enable a service endpoint on VNet B for Microsoft.Storage.
B.Link the private DNS zone for the storage account to VNet B.
C.Assign the VM in VNet B a managed identity.
D.Create a route table that points storage traffic to the private endpoint subnet.
AnswerB

The name resolution problem indicates that VNet B does not know to resolve the storage FQDN to the private endpoint address. Linking the correct private DNS zone to VNet B lets machines in that network resolve the name to the private IP instead of the public endpoint. This is a common requirement when private endpoints are accessed from peered networks or additional VNets.

Why this answer

The VM in VNet B can reach the storage account by IP because the private endpoint is accessible over the VNet peering, but DNS resolution still returns the public IP because the private DNS zone (privatelink.blob.core.windows.net) is not linked to VNet B. By linking the private DNS zone to VNet B, the VM will resolve the storage account name to the private endpoint IP, ensuring connectivity over the Microsoft backbone instead of the public internet.

Exam trap

The trap here is that candidates assume VNet peering automatically provides DNS resolution for private endpoints, but the private DNS zone must be explicitly linked to each peered VNet for name resolution to work.

How to eliminate wrong answers

Option A is wrong because a service endpoint would expose the storage account to VNet B via its public endpoint, not the private endpoint, and would not fix DNS resolution to the private IP; it also bypasses the private endpoint's isolation benefits. Option C is wrong because a managed identity provides authentication (Azure AD tokens) but does not affect DNS resolution or network routing to the private endpoint. Option D is wrong because a route table can direct traffic to the private endpoint subnet, but without proper DNS resolution, the VM will still attempt to connect to the public IP, and the route table cannot override DNS behavior.
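The fix for both of the previous two questions is the same operation, so one added example covers them; it is not part of the question bank. It links the storage private DNS zone to the second VNet, confirms the zone actually holds the private endpoint's A record, and warns about the custom-DNS case that makes the link appear not to work. Zone, VNet, resource group and account names are assumptions; Az.PrivateDns, Az.Network and an authenticated session are assumed.

```powershell
# Added example (not from the question bank): link the privatelink zone to the
# VNet whose clients still resolve the public IP, then verify. Names are assumptions.
$zoneRg   = 'rg-data'
$zoneName = 'privatelink.blob.core.windows.net'   # created alongside the private endpoint
$vnetRg   = 'rg-app'
$vnetName = 'AppVNet'                             # the VNet whose VMs cannot resolve the name
$account  = 'stcontracts01'

$vnet = Get-AzVirtualNetwork -ResourceGroupName $vnetRg -Name $vnetName

# One link per VNet. Auto-registration stays off: this zone holds the private
# endpoint's A record, not VM hostnames.
New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $zoneRg `
                                   -ZoneName $zoneName `
                                   -Name "link-$vnetName" `
                                   -VirtualNetworkId $vnet.Id `
                                   -EnableRegistration:$false | Out-Null

# An empty zone is the other common cause of falling through to the public IP,
# so confirm the A record for the account exists.
$rec = Get-AzPrivateDnsRecordSet -ResourceGroupName $zoneRg -ZoneName $zoneName -RecordType A |
    Where-Object Name -eq $account
if (-not $rec) { throw "No A record for $account in $zoneName; re-check the private endpoint's DNS zone group." }
$rec | Select-Object Name, @{ n = 'IPv4'; e = { $_.Records.Ipv4Address -join ',' } }

# Caveat: the link is only consulted by the Azure-provided resolver (168.63.129.16).
# A VNet that points at custom DNS servers needs those servers to forward the
# zone there, or the link changes nothing for its clients.
$custom = $vnet.DhcpOptions.DnsServers
if ($custom) {
    Write-Warning "$vnetName uses custom DNS ($($custom -join ', ')); forward $zoneName to 168.63.129.16."
}

# From a VM inside the linked VNet the expected chain is:
#   Resolve-DnsName "$account.blob.core.windows.net"
#   -> CNAME $account.privatelink.blob.core.windows.net -> A <private endpoint IP>
```

The same link is needed for every VNet that will use the private endpoint, including hub networks that only forward DNS. Checking the A record first saves time: if the private endpoint was created without a DNS zone group, the zone exists but is empty, and no number of links will make the name resolve privately.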

943
MCQeasy

Three VMs run the same batch app and should use the same Azure identity to read blobs. The identity should remain available even if one VM is deleted. Which identity should you use?

A.Shared access signature (SAS) token
B.System-assigned managed identity
C.User-assigned managed identity
D.Storage account shared key
AnswerC

A user-assigned managed identity can be attached to multiple VMs and continues to exist even if one VM is deleted.

Why this answer

C is correct because a user-assigned managed identity is a standalone Azure resource with its own lifecycle: it is created once, granted the blob role once, and attached to as many VMs as needed. Deleting one VM (or all three) does not delete the identity or its role assignments, so the remaining or replacement VMs keep the same access without any new credential.

Exam trap

The trap here is that candidates often choose system-assigned managed identity (Option B) because it is simpler to set up, but they overlook the requirement that the identity must survive VM deletion, which only a user-assigned identity guarantees.

How to eliminate wrong answers

Option A is wrong because a SAS token is a URL-based delegation of access that must be stored and rotated manually; it is not an Azure AD identity and cannot be shared across VMs without exposing the token. Option B is wrong because a system-assigned managed identity is tied to the lifecycle of a single VM—if that VM is deleted, the identity is also deleted, breaking access for other VMs. Option D is wrong because a storage account shared key is a static, high-privilege credential that must be stored in code or configuration, violating the principle of using an Azure AD identity and introducing security risks if leaked.

944
MCQmedium

Based on the exhibit, what should the administrator change so the web tier can reach the database tier on TCP 443 without opening the subnet more broadly?

A.Move the allow rule for WebTierASG to a priority lower than 100.
B.Delete the deny rule because default rules already block unwanted traffic.
C.Change the deny rule source from VirtualNetwork to Internet.
D.Change the default inbound rule to AllowVnetInBound.
AnswerA

The allow rule must be evaluated before the broader deny rule so the intended traffic is permitted.

Why this answer

Option A is correct because the administrator must ensure the allow rule for WebTierASG is evaluated before the deny-all rule. In Azure Network Security Groups (NSGs), rules are processed in priority order (lower numbers first). The current deny rule at priority 100 blocks all traffic from VirtualNetwork, including TCP 443 from the web tier.

By moving the allow rule to a priority lower than 100 (e.g., 90), it will be evaluated first, permitting TCP 443 traffic from WebTierASG to the database tier, while the deny rule still blocks all other traffic from the virtual network.

Exam trap

The trap here is that candidates often assume default rules block unwanted traffic, but Azure NSG default rules are permissive for virtual network traffic, so an explicit deny rule is necessary to restrict access, and priority order must be managed carefully to ensure allow rules are evaluated before deny rules.

How to eliminate wrong answers

Option B is wrong because the NSG default inbound rules (AllowVnetInBound and AllowAzureLoadBalancerInBound, followed by DenyAllInBound at priority 65500) permit all traffic that carries the VirtualNetwork tag, which includes peered networks and on-premises ranges reached through a gateway; deleting the custom deny would open the database tier to every address in the virtual network. Option C is wrong because changing the deny rule's source to Internet would block only internet sources while allowing all virtual-network traffic again, the opposite of the requirement. Option D is wrong because default rules cannot be edited or deleted, only overridden by custom rules with a lower priority number, and AllowVnetInBound is already the default at priority 65000; it allows traffic rather than restricting it, so it cannot produce the narrow web-to-database allow the scenario needs.
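The change the correct answer describes, as an added example that is not part of the question bank: list the database tier NSG's rules in evaluation order, move (or create) the ASG-scoped allow for TCP 443 to priority 90 so it is matched before the deny at 100, and then read the rules a database NIC actually enforces. NSG, NIC, resource group and rule names are assumptions; the ASG names follow the question, and Az.Network plus an authenticated session are assumed.

```powershell
# Added example (not from the question bank): put the web-to-database allow rule
# ahead of the VirtualNetwork deny at priority 100. Names are assumptions.
$rg       = 'rg-app'
$nsgName  = 'nsg-db'
$dbNic    = 'nic-db-01'
$ruleName = 'Allow-WebTier-To-DbTier-443'

$nsg    = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name $nsgName
$webAsg = Get-AzApplicationSecurityGroup -ResourceGroupName $rg -Name 'WebTierASG'
$dbAsg  = Get-AzApplicationSecurityGroup -ResourceGroupName $rg -Name 'DbTierASG'

# Evaluation order. First match wins, so an allow numbered above the deny at
# 100 is never reached for VirtualNetwork sources.
$nsg.SecurityRules | Sort-Object Priority |
    Select-Object Priority, Name, Access, SourceAddressPrefix, SourceApplicationSecurityGroups, DestinationPortRange

# Same rule body either way; only the priority moves. Scope is two ASGs and one
# port, not the subnet, so the deny keeps covering everything else.
$ruleArgs = @{
    NetworkSecurityGroup                  = $nsg
    Name                                  = $ruleName
    Priority                              = 90          # lower number than the deny at 100
    Direction                             = 'Inbound'
    Access                                = 'Allow'
    Protocol                              = 'Tcp'
    SourceApplicationSecurityGroupId      = $webAsg.Id
    SourcePortRange                       = '*'
    DestinationApplicationSecurityGroupId = $dbAsg.Id
    DestinationPortRange                  = 443
}
if ($nsg.SecurityRules | Where-Object Name -eq $ruleName) {
    Set-AzNetworkSecurityRuleConfig @ruleArgs | Out-Null
} else {
    Add-AzNetworkSecurityRuleConfig @ruleArgs | Out-Null
}
Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg | Out-Null

# What a database NIC enforces after the change (custom and default rules merged).
# The VM must be running for this call to return data.
$eff = Get-AzEffectiveNetworkSecurityGroup -ResourceGroupName $rg -NetworkInterfaceName $dbNic
$eff.EffectiveSecurityRules |
    Where-Object Direction -eq 'Inbound' | Sort-Object Priority |
    Select-Object Priority, Name, Access, Protocol, DestinationPortRange |
    Format-Table -AutoSize
```

Two things to check when the rule still does not match after the reorder: the web VMs' NICs must actually be members of WebTierASG and the database NICs of DbTierASG (an ASG rule matches nothing for a NIC that is not in the group), and both ASGs must sit in the same region as the NSG.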

945
MCQhard

Diagnostic settings on an Azure storage account must send logs to a destination storage account whose firewall is set to deny all public network access. The team cannot create a private endpoint, but the service that delivers the logs is on the list of trusted Microsoft services that can bypass the storage firewall. What should the administrator enable?

A.A service endpoint on the destination storage account subnet
B.The Allow trusted Microsoft services to bypass this firewall setting
C.A shared access signature with read permission
D.A private DNS zone linked to the workspace virtual network
AnswerB

This setting exists for the supported Microsoft services that need to reach a storage account even when public network access is denied. It lets the service deliver data without opening the firewall to any IP range or virtual network and without requiring a private endpoint. Because the scenario says the service writing the logs is a trusted Microsoft service, this is the correct and minimal change.

Why this answer

Option B is correct because the 'Allow trusted Microsoft services to bypass this firewall' setting enables specific Azure services, such as Azure Monitor or Azure Backup, to write diagnostic logs to a storage account even when the storage account's firewall blocks all public network access. This bypass is controlled at the Azure platform level and does not require a private endpoint or public IP, making it the only viable solution when the destination storage account denies all public traffic.

Exam trap

The trap here is that candidates often confuse service endpoints (Option A) with the trusted Microsoft services bypass, mistakenly thinking a service endpoint on the source subnet can grant access, when in fact the bypass is a distinct firewall exception that does not require any virtual network integration.

How to eliminate wrong answers

Option A is wrong because a service endpoint on the destination storage account subnet would allow traffic from a specific virtual network, but the source (the storage account generating logs) is not in a subnet; service endpoints are used for client-to-service connectivity, not for service-to-service log delivery. Option C is wrong because a shared access signature (SAS) with read permission provides delegated access to a specific resource but does not bypass the storage account firewall; the firewall denies all public traffic, so SAS tokens are ineffective unless the request originates from an allowed network. Option D is wrong because a private DNS zone linked to the workspace virtual network is used for resolving private endpoint IP addresses, but the scenario explicitly states that a private endpoint cannot be created, and DNS zones do not grant network access or bypass firewall rules.
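The change the correct answer describes, as an added example that is not part of the question bank: keep the destination account's default action at Deny, add only the trusted-services exception, verify the resulting rule set, and then create the diagnostic setting that writes to it. Account and resource group names are assumptions; the cmdlet shapes assume Az.Storage and the Az.Monitor 4.x diagnostic-setting cmdlets, with an authenticated session.

```powershell
# Added example (not from the question bank): add the trusted Microsoft services
# bypass to a storage account whose firewall denies public access, then wire a
# diagnostic setting to it. Resource names are assumptions.
$destRg   = 'rg-logs'
$destName = 'stlogsarchive01'
$srcRg    = 'rg-docs'
$srcName  = 'stcontracts01'

# Symptom: DefaultAction is Deny and Bypass is None, so Azure Monitor's writes fail.
$before = (Get-AzStorageAccount -ResourceGroupName $destRg -Name $destName).NetworkRuleSet
"before: default={0} bypass={1}" -f $before.DefaultAction, $before.Bypass

# Add the exception. DefaultAction stays Deny; no IP rule or VNet rule is opened.
# -Bypass replaces the whole list, so carry existing Logging/Metrics entries along
# if they were set, e.g. -Bypass 'Logging,Metrics,AzureServices'.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $destRg -Name $destName `
    -DefaultAction Deny -Bypass AzureServices | Out-Null

$after = (Get-AzStorageAccount -ResourceGroupName $destRg -Name $destName).NetworkRuleSet
if ($after.DefaultAction -ne 'Deny')          { throw 'Default action is no longer Deny.' }
if ($after.Bypass -notmatch 'AzureServices')  { throw 'Trusted services bypass was not applied.' }
"after:  default={0} bypass={1}" -f $after.DefaultAction, $after.Bypass

# Diagnostic setting on the source account's blob service, archived to the
# locked-down account. Only the bypass lets this delivery through the firewall.
$srcId  = (Get-AzStorageAccount -ResourceGroupName $srcRg -Name $srcName).Id
$destId = (Get-AzStorageAccount -ResourceGroupName $destRg -Name $destName).Id
$logs = @(
    New-AzDiagnosticSettingLogSettingsObject -Category 'StorageRead'   -Enabled $true
    New-AzDiagnosticSettingLogSettingsObject -Category 'StorageWrite'  -Enabled $true
    New-AzDiagnosticSettingLogSettingsObject -Category 'StorageDelete' -Enabled $true
)
New-AzDiagnosticSetting -Name 'blob-audit-to-archive' `
    -ResourceId "$srcId/blobServices/default" `
    -StorageAccountId $destId `
    -Log $logs | Out-Null
```

The bypass is not a general "allow Azure" switch: it admits only the services on Microsoft's trusted list, so a VM or App Service in the same subscription is still blocked and still needs a VNet rule, an IP rule or a private endpoint. That narrowness is why it is the minimal change here.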

946
MCQmedium

Based on the exhibit, which lock should the administrator apply to protect the resource group from accidental deletion while still allowing normal updates to the resources inside it?

A.Apply a CanNotDelete lock to rg-payroll-prod.
B.Apply a ReadOnly lock to rg-payroll-prod.
C.Apply a tag named Protected=True to rg-payroll-prod.
D.Create an Azure Policy assignment that denies all delete operations.
AnswerA

CanNotDelete blocks deletion of the locked scope and, through inheritance, of every resource inside it, while still allowing management operations such as updates, restarts, and configuration changes.

Why this answer

The CanNotDelete lock (also known as a Delete lock) prevents the resource group from being deleted; because locks are inherited by child resources, it also blocks deletion of the resources inside the group. Create and update operations on those resources continue to work, which is what 'normal updates' means here. The requirement is to stop accidental deletion without freezing change, and CanNotDelete is the lock that does exactly that; a ReadOnly lock would freeze changes as well.

Exam trap

The trap here is that candidates often confuse the CanNotDelete lock with a ReadOnly lock, mistakenly thinking that preventing deletion also requires blocking updates, or they assume a tag or policy can substitute for a resource lock.

How to eliminate wrong answers

Option B is wrong because a ReadOnly lock blocks all write operations (and deletes) on the resource group and everything in it, which would stop the normal updates the team needs; it can also break operations that look read-only to the user, such as listing storage account keys. Option C is wrong because a tag is metadata; it enforces nothing and cannot prevent a deletion. Option D is wrong because Azure Policy's deny effect is applied to create and update requests; it is not the control Azure provides for blocking deletes, and a resource lock is evaluated on every management-plane request regardless of the caller's RBAC role, which is exactly the accidental-deletion case the exhibit describes.
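The lock the correct answer describes, as an added example that is not part of the question bank: apply a CanNotDelete lock to the resource group, show that updates inside it still work and that a delete is refused, and show the unlock step a legitimate teardown needs. The resource group name follows the question; the VM name and lock name are assumptions, and Az.Resources plus an authenticated session are assumed.

```powershell
# Added example (not from the question bank): CanNotDelete on a resource group,
# with an update that succeeds and a delete that is refused. Names are assumptions.
$rg = 'rg-payroll-prod'

New-AzResourceLock -LockName 'lock-payroll-nodelete' `
                   -LockLevel CanNotDelete `
                   -ResourceGroupName $rg `
                   -LockNotes 'Change control: deletes require CAB approval' `
                   -Force | Out-Null

# The lock lives at the group scope and is inherited by every resource inside it.
Get-AzResourceLock -ResourceGroupName $rg -AtScope |
    Select-Object Name, @{ n = 'Level'; e = { $_.Properties.level } }, @{ n = 'Notes'; e = { $_.Properties.notes } }

# Normal management still works: tag a VM inside the locked group.
$vm = Get-AzVM -ResourceGroupName $rg -Name 'vm-payroll-01'
Update-AzTag -ResourceId $vm.Id -Tag @{ owner = 'payroll-ops' } -Operation Merge | Out-Null

# A delete of a child resource (or of the group) fails with a lock error until
# the lock is removed. Removing it needs Microsoft.Authorization/locks/delete,
# which Owner and User Access Administrator have and Contributor does not.
try {
    Remove-AzResource -ResourceId $vm.Id -Force -ErrorAction Stop
    throw 'Delete unexpectedly succeeded; is the lock in place?'
} catch [Microsoft.Rest.Azure.CloudException] {
    $firstLine = ($_.Exception.Message -split "`r?`n")[0]
    Write-Host "Delete refused as expected: $firstLine"
}

# Controlled teardown, run only with approval: remove the lock, then delete.
# Remove-AzResourceLock -LockName 'lock-payroll-nodelete' -ResourceGroupName $rg -Force
# Remove-AzResourceGroup -Name $rg -Force
```

Because the lock is enforced by Resource Manager rather than by RBAC, it also stops Owners from deleting by accident, which is the behaviour the change-freeze wants; the only way around it is the explicit two-step unlock, which shows up in the Activity log as its own operation.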

947
MCQeasy

Based on the exhibit, where should the administrator go to see which resources are non-compliant with the assigned policy?

A.Azure Policy compliance view.
B.Entra ID users and groups.
C.Azure Activity log only.
D.Resource locks blade.
AnswerA

The compliance view lists policy results and shows which resources are compliant or non-compliant.

Why this answer

The Azure Policy compliance view is the correct place to see which resources are non-compliant with assigned policies. This view aggregates compliance states across all policies and initiatives, showing a per-resource breakdown of compliant, non-compliant, and exempt statuses. It directly reflects the evaluation results from the Azure Policy engine, which runs periodic scans and on-demand evaluations.

Exam trap

The trap here is that candidates confuse the Azure Activity log (which records who did what) with the Azure Policy compliance view (which shows what is out of compliance), leading them to pick the Activity log instead of the dedicated compliance dashboard.

How to eliminate wrong answers

Option B is wrong because Entra ID users and groups is an identity management blade for managing users, groups, and roles, not for viewing policy compliance of Azure resources. Option C is wrong because the Azure Activity log only records operational events (e.g., create, delete, update) and does not provide a compliance state summary for policy assignments. Option D is wrong because the Resource locks blade is used to manage delete/read-only locks on resources to prevent accidental changes, not to display policy compliance results.
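One added example, not part of the question bank, that ties this question to the initiative question (935) above: three built-in policy definitions are bundled into one initiative, the initiative is assigned once at management group scope so every child subscription inherits it, and the non-compliant resources are then queried the way the compliance view reports them. The management group, initiative and assignment names are assumptions; the three display names are real built-in definitions that are looked up rather than hard-coded by ID. The object property names assume Az.Resources 7.x or later and Az.PolicyInsights, with PowerShell 7 for ConvertTo-Json -AsArray.

```powershell
# Added example (not from the question bank): initiative -> management group
# assignment -> non-compliance query. Management group and names are assumptions.
$mgId  = 'mg-finance'
$scope = "/providers/Microsoft.Management/managementGroups/$mgId"

$wanted = @(
    'Storage accounts should disable public network access',
    'Secure transfer to storage accounts should be enabled',
    'Storage accounts should restrict network access'
)
$defs = Get-AzPolicyDefinition -Builtin | Where-Object { $_.DisplayName -in $wanted }
if (@($defs).Count -ne $wanted.Count) {
    throw "Expected $($wanted.Count) built-in definitions, found $(@($defs).Count)"
}

# An initiative is a list of policy definition references, nothing more.
$refs = @($defs | ForEach-Object { @{ policyDefinitionId = $_.Id } })
$setDef = New-AzPolicySetDefinition -Name 'init-storage-baseline' `
                                    -DisplayName 'Finance storage baseline' `
                                    -ManagementGroupName $mgId `
                                    -PolicyDefinition ($refs | ConvertTo-Json -AsArray -Depth 5)

# One assignment at the management group; child subscriptions inherit it.
New-AzPolicyAssignment -Name 'assign-storage-baseline' `
                       -DisplayName 'Finance storage baseline' `
                       -Scope $scope `
                       -PolicySetDefinition $setDef | Out-Null

# The compliance view, as a query: non-compliant resources under this assignment.
# New assignments are evaluated on the next scan; Start-AzPolicyComplianceScan forces one.
Get-AzPolicyState -ManagementGroupName $mgId `
    -Filter "ComplianceState eq 'NonCompliant' and PolicyAssignmentName eq 'assign-storage-baseline'" |
    Select-Object ResourceId, PolicyDefinitionName, Timestamp |
    Format-Table -AutoSize
```

The query is the programmatic twin of the portal's compliance view and is what a pipeline or ticketing integration should use; the Activity log, by contrast, would only show that the assignment was created, not which storage accounts fail it.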

948
Multi-Selecteasy

An archived blob must be read tomorrow morning. Which two actions are required before the blob can be opened? Select two.

Select 2 answers
A.Change the blob access tier from Archive to Hot or Cool so the data becomes online again.
B.Wait for the rehydration process to finish before opening the blob in a client or portal.
C.Enable a private endpoint, because archive blobs can only be read through private connectivity.
D.Convert the storage account to GZRS, because geo-replication automatically restores archived blobs.
E.Set the container ACL to public so archived blobs can be read without rehydration.
AnswersA, B

Archived data must be moved back to an online tier before it can be read.

Why this answer

Option A is correct because an archived blob is offline: its data cannot be read, copied or modified until it is rehydrated to an online tier, and changing the access tier to Hot or Cool is what starts that rehydration. Option B is correct because rehydration is not instant: at Standard priority it can take up to 15 hours, and even at High priority (under an hour for blobs below 10 GB) the blob stays offline, with reads failing, until its archive status clears. Starting the tier change the evening before and checking the status in the morning is the practical sequence.

Exam trap

The trap here is that candidates may think archive blobs can be read directly with special network settings or permissions, but the core requirement is always rehydration to an online tier before any read operation.
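The two actions above as an added example that is not part of the question bank: request a Standard-priority rehydration to Hot the evening before, and a status check that says whether the blob is still pending or can be read. Account, container and blob names are assumptions; the call shape (BlobClient-based blob objects) assumes Az.Storage 3.x or later and an authenticated session.

```powershell
# Added example (not from the question bank): rehydrate an archived blob and
# report its state. Resource names are assumptions.
$rg        = 'rg-docs'
$account   = 'stcontracts01'
$container = 'contracts'
$blobName  = '2021/contract-4471.pdf'

$ctx  = (Get-AzStorageAccount -ResourceGroupName $rg -Name $account).Context
$blob = Get-AzStorageBlob -Container $container -Blob $blobName -Context $ctx
$tier   = [string]$blob.BlobProperties.AccessTier
$status = [string]$blob.BlobProperties.ArchiveStatus   # empty when online or not yet requested

if ($status -like 'rehydrate-pending-to-*') {
    # Still offline: Get Blob returns 409 (BlobBeingRehydrated) until this clears.
    "$blobName is still rehydrating ($status); try again later."
}
elseif ($tier -eq 'Archive') {
    # Standard priority: up to 15 hours, cheapest; fine for "tomorrow morning".
    # High priority finishes in under an hour for blobs below 10 GB but costs more.
    $blob.BlobClient.SetAccessTier('Hot', $null, 'Standard') | Out-Null
    "Rehydration of $blobName to Hot requested at $(Get-Date -Format u)."
}
else {
    "$blobName is online in tier $tier; it can be read now."
}

# Morning check, and the read that only succeeds once ArchiveStatus is empty.
$now = Get-AzStorageBlob -Container $container -Blob $blobName -Context $ctx
$now | Select-Object Name,
    @{ n = 'Tier';   e = { $_.BlobProperties.AccessTier } },
    @{ n = 'Status'; e = { $_.BlobProperties.ArchiveStatus } }
if (-not [string]$now.BlobProperties.ArchiveStatus -and $now.BlobProperties.AccessTier -ne 'Archive') {
    Get-AzStorageBlobContent -Container $container -Blob $blobName -Context $ctx `
        -Destination (Join-Path $env:TEMP (Split-Path $blobName -Leaf)) -Force | Out-Null
}
```

Rehydrating in place is the right choice when the blob will be used for a while; if the file is needed once and should go back to Archive afterwards, copying it to a new Hot blob (Copy-AzStorageBlob with -StandardBlobTier and -RehydratePriority) leaves the archived original untouched and avoids the early-deletion charge that moving a recently archived blob incurs.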

949
MCQhard

Three Azure VMs in separate resource groups run the same data-processing agent. The agent must read blobs from a storage account, and the access must continue to work if any VM is rebuilt or replaced. The operations team also wants one identity they can reassign to future VMs without creating another credential. Which identity approach should be used?

A.A system-assigned managed identity on each VM.
B.A storage account shared key embedded in the application settings.
C.A service principal credential stored in a Key Vault secret.
D.A user-assigned managed identity attached to the VMs.
AnswerD

A user-assigned managed identity is the right choice when the same Azure identity must be shared across multiple VMs and survive VM replacement. You can grant it access once, attach it to current and future VMs, and avoid storing passwords or access keys in the workload.

Why this answer

A user-assigned managed identity (D) is the correct choice because it is a standalone Azure resource that can be created independently and then attached to multiple VMs. If a VM is rebuilt or replaced, the same user-assigned identity can be reassigned to the new VM without any credential rotation or secret management. This ensures continuous blob access via Azure AD authentication, meeting the requirement for a single, reusable identity.

Exam trap

The trap here is that candidates confuse system-assigned and user-assigned managed identities, assuming both are equally reusable, but system-assigned identities are deleted with the VM, making them unsuitable for scenarios requiring identity persistence across VM rebuilds.

How to eliminate wrong answers

Option A is wrong because a system-assigned managed identity is tied to the lifecycle of a single VM; if that VM is deleted, the identity is also deleted, requiring a new identity and role assignment for any replacement VM. Option B is wrong because a storage account shared key is a static, high-privilege credential that must be securely stored and rotated, and it cannot be reassigned to future VMs without exposing the key in application settings, violating the 'no new credential' requirement. Option C is wrong because a service principal credential stored in Key Vault still requires managing a secret (the client secret or certificate), which must be rotated and securely retrieved by each VM, adding complexity and a potential single point of failure; it does not provide the seamless, credential-less reassignment that a managed identity offers.
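Questions 943 and 949 both come down to the same build, so one added example, not part of the question bank, covers them: create one user-assigned identity, grant it blob read once at the storage account scope, attach it to the existing VMs, and show how the agent inside any of those VMs obtains a token without a stored secret. Identity, storage account, VM and resource group names are assumptions; Az.ManagedServiceIdentity, Az.Resources, Az.Compute and an authenticated session are assumed.

```powershell
# Added example (not from the question bank): one user-assigned identity shared
# by several VMs across resource groups. Resource names are assumptions.
$idRg      = 'rg-identity'
$idName    = 'uami-batch-reader'
$location  = 'eastus'
$storageId = (Get-AzStorageAccount -ResourceGroupName 'rg-data' -Name 'stbatchinput01').Id
$vms       = @(
    @{ rg = 'rg-batch-a'; name = 'vm-batch-01' },
    @{ rg = 'rg-batch-b'; name = 'vm-batch-02' },
    @{ rg = 'rg-batch-c'; name = 'vm-batch-03' }
)

# The identity is its own resource: deleting any VM leaves it and its role
# assignments untouched.
$id = New-AzUserAssignedIdentity -ResourceGroupName $idRg -Name $idName -Location $location

# Data-plane role at the narrowest scope that covers the job. The new service
# principal can take a minute to replicate, so retry PrincipalNotFound.
$assigned = $false; $attempt = 0
do {
    try {
        New-AzRoleAssignment -ObjectId $id.PrincipalId `
                             -RoleDefinitionName 'Storage Blob Data Reader' `
                             -Scope $storageId -ErrorAction Stop | Out-Null
        $assigned = $true
    } catch {
        if ($_.Exception.Message -notmatch 'PrincipalNotFound' -or ++$attempt -ge 6) { throw }
        Start-Sleep -Seconds 10
    }
} until ($assigned)

# Attach the same identity to each VM. A rebuilt VM just gets this line again;
# no new role assignment is needed. -IdentityId replaces the VM's list, and
# UserAssigned drops any system-assigned identity; use SystemAssignedUserAssigned
# to keep both.
foreach ($v in $vms) {
    $vm = Get-AzVM -ResourceGroupName $v.rg -Name $v.name
    Update-AzVM -ResourceGroupName $v.rg -VM $vm -IdentityType UserAssigned -IdentityId $id.Id | Out-Null
}

# Inside any of the VMs the agent asks IMDS for a token. With user-assigned
# identities the client_id must be given whenever more than one is attached.
# $token = (Invoke-RestMethod -Headers @{ Metadata = 'true' } -Uri (
#     'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01' +
#     '&resource=https://storage.azure.com/&client_id=' + $id.ClientId)).access_token
# Invoke-RestMethod -Uri 'https://stbatchinput01.blob.core.windows.net/input/job.csv' `
#     -Headers @{ Authorization = "Bearer $token"; 'x-ms-version' = '2021-08-06' }
```

Nothing in the workload stores a credential: the VM's platform identity is the credential, the token is short-lived, and revoking access is a single role-assignment removal rather than a key rotation across three machines.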

950
MCQmedium

Based on the exhibit, which redundancy setting should you choose before deploying the storage account?

A.LRS, because it keeps three copies within one datacenter and is the least expensive option.
B.ZRS, because it replicates data across availability zones in the primary region.
C.GZRS, because it combines zone redundancy with geo-replication to another region.
D.RA-GZRS, because it provides zone redundancy and read access to the secondary region.
AnswerD

RA-GZRS is the only option listed that meets both business requirements. It protects the primary region with zone-redundant storage and also allows read access to the geo-replicated secondary endpoint. That means the workload can continue reading data during regional recovery scenarios while still benefiting from zone-level resiliency in the primary region.

Why this answer

RA-GZRS (Read-Access Geo-Zone-Redundant Storage) is the correct choice because the exhibit requires both zone-level protection in the primary region and read access to the secondary region during a primary-region outage. In the primary region the data is written synchronously across three availability zones (the ZRS part), so losing one datacenter does not interrupt the account; it is then replicated asynchronously to the paired region, where it is stored as three LRS copies. The 'RA' prefix exposes the secondary endpoint (accountname-secondary.blob.core.windows.net) for reads at any time, not only after a failover, so applications and auditors can read from the secondary while the primary is unavailable.

Exam trap

The trap here is that candidates often confuse GZRS with RA-GZRS, assuming that geo-replication automatically provides read access to the secondary region, but only the 'RA' prefix enables that read-access capability.

How to eliminate wrong answers

Option A is wrong because LRS (Locally Redundant Storage) only keeps three copies within a single datacenter and does not provide any geo-replication or read access to a secondary region, which the exhibit requires. Option B is wrong because ZRS (Zone-Redundant Storage) replicates data across availability zones within the primary region but does not provide geo-replication to a secondary region, so it cannot satisfy the requirement for secondary region read access. Option C is wrong because GZRS (Geo-Zone-Redundant Storage) combines zone redundancy with geo-replication, but it does not enable read access to the secondary region by default; RA-GZRS would be needed for that capability, and the exhibit specifically requires read access to the secondary region.
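Questions 938 and 950 pick the same SKU, so one added example, not part of the question bank, covers both: create the account as RA-GZRS, read how far behind the secondary is (the replication lag is the data-loss window a failover would have), and fetch a blob from the secondary endpoint with a SAS, which is what the auditors' read-only access looks like in practice. Account, container and blob names are assumptions; Az.Storage and an authenticated session are assumed.

```powershell
# Added example (not from the question bank): RA-GZRS account, replication lag
# check, and a read from the secondary endpoint. Resource names are assumptions.
$rg        = 'rg-docs'
$name      = 'stcontracts01'     # globally unique, lowercase, 3-24 characters
$region    = 'eastus'            # needs availability zones and a paired region
$container = 'contracts'
$blobName  = '2021/contract-4471.pdf'

New-AzStorageAccount -ResourceGroupName $rg -Name $name -Location $region `
    -SkuName Standard_RAGZRS -Kind StorageV2 -AccessTier Hot `
    -MinimumTlsVersion TLS1_2 -AllowBlobPublicAccess $false | Out-Null

# Geo-replication is asynchronous. LastSyncTime is the point up to which the
# secondary is guaranteed complete; writes after it would be lost in a failover.
$sa = Get-AzStorageAccount -ResourceGroupName $rg -Name $name -IncludeGeoReplicationStats
"{0} -> {1}; status={2}; last sync={3:u}" -f $sa.PrimaryLocation, $sa.SecondaryLocation,
    $sa.GeoReplicationStats.Status, $sa.GeoReplicationStats.LastSyncTime
$lagMinutes = [math]::Round(((Get-Date).ToUniversalTime() - $sa.GeoReplicationStats.LastSyncTime).TotalMinutes)
if ($lagMinutes -gt 15) { Write-Warning "Secondary is $lagMinutes minutes behind the primary." }

# 'RA' means the -secondary host serves reads with the same keys and SAS tokens.
$key = (Get-AzStorageAccountKey -ResourceGroupName $rg -Name $name)[0].Value
$ctx = New-AzStorageContext -StorageAccountName $name -StorageAccountKey $key
$sas = (New-AzStorageContainerSASToken -Name $container -Permission r `
            -ExpiryTime (Get-Date).AddHours(1) -Context $ctx).TrimStart('?')

$secondaryUrl = "$($sa.SecondaryEndpoints.Blob)$container/$blobName?$sas"   # https://<name>-secondary.blob.core.windows.net/...
$dest = Join-Path $env:TEMP (Split-Path $blobName -Leaf)
Invoke-WebRequest -Uri $secondaryUrl -OutFile $dest
"Read $((Get-Item $dest).Length) bytes from the secondary region ($($sa.SecondaryLocation))."
```

The secondary is readable all the time, not only during an outage, so auditors can be given a read-only SAS scoped to the secondary endpoint without touching the primary. Changing an existing LRS or GRS account into the zone-redundant family is a conversion that takes time rather than an instant SKU flip, which is why the question asks for the choice to be made before deployment.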

951
MCQmedium

A Recovery Services vault currently keeps daily Azure VM recovery points for 7 days. The business changes the requirement to keep daily recovery points for 30 days. Where should the administrator change the setting?

A.In the VM's network interface settings, because backup retention follows the NIC configuration.
B.In the backup policy associated with the Recovery Services vault.
C.In Azure Policy, by assigning a retention compliance initiative to the subscription.
D.In a storage account lifecycle rule attached to the VM disks.
AnswerB

Retention settings for Azure VM backups are controlled in the backup policy within the Recovery Services vault. The policy defines how often backups occur and how long recovery points are retained. To move from 7 days to 30 days of daily retention, the administrator updates the backup policy and applies it to the protected VM. This is the correct place because retention is a vault-level backup behavior, not a VM networking or storage setting.

Why this answer

The retention duration for Azure VM backups is configured within the backup policy that is associated with the Recovery Services vault. By modifying the backup policy (either the default policy or a custom policy), the administrator changes the retention for daily recovery points from 7 days to 30 days. The policy directly controls how long recovery points are kept, and the change applies to every VM associated with that policy.

Exam trap

The trap here is that candidates often confuse backup retention settings with storage lifecycle management or Azure Policy, assuming that retention can be controlled at the disk or subscription level, when in fact it is exclusively managed through the backup policy linked to the Recovery Services vault.

How to eliminate wrong answers

Option A is wrong because backup retention is not tied to the VM's network interface (NIC) settings; NIC settings control IP addressing, DNS, and network security, not backup lifecycle. Option C is wrong because Azure Policy is used for enforcing compliance rules (e.g., requiring backups to be enabled) but cannot directly modify retention durations within an existing backup policy. Option D is wrong because storage account lifecycle rules manage the tiering or deletion of blob data (e.g., VM disks) but do not control backup recovery points, which are stored separately in the Recovery Services vault.
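The policy edit this question and question 940 describe, as one added example that is not part of the question bank: on the vault's daily VM policy, keep instant-restore snapshots for 2 days and daily recovery points for 30 days, then list the VMs that inherit the change. Vault, resource group and policy names are assumptions; Az.RecoveryServices and an authenticated session are assumed.

```powershell
# Added example (not from the question bank): 2-day snapshot retention and
# 30-day daily retention on an existing VM backup policy. Names are assumptions.
$vault  = Get-AzRecoveryServicesVault -ResourceGroupName 'rg-backup' -Name 'rsv-finance'
$policy = Get-AzRecoveryServicesBackupProtectionPolicy -Name 'DailyFinancePolicy' -VaultId $vault.ID

# Current state, so the change is reviewable in the ticket.
"before: snapshot days={0}; daily points={1}; daily enabled={2}" -f `
    $policy.SnapshotRetentionInDays,
    $policy.RetentionPolicy.DailySchedule.DurationCountInDays,
    $policy.RetentionPolicy.IsDailyScheduleEnabled

# Instant restore snapshots: kept next to the disks for fast file-level restores.
# Daily policies allow 1-5 days; they are billed as snapshot storage.
$policy.SnapshotRetentionInDays = 2

# Daily recovery points in the vault: the "30 days" the business asked for.
$retention = $policy.RetentionPolicy
$retention.IsDailyScheduleEnabled = $true
$retention.DailySchedule.DurationCountInDays = 30

Set-AzRecoveryServicesBackupProtectionPolicy -Policy $policy `
                                             -RetentionPolicy $retention `
                                             -VaultId $vault.ID | Out-Null

$check = Get-AzRecoveryServicesBackupProtectionPolicy -Name $policy.Name -VaultId $vault.ID
"after:  snapshot days={0}; daily points={1}" -f `
    $check.SnapshotRetentionInDays, $check.RetentionPolicy.DailySchedule.DurationCountInDays

# Every VM protected by this policy picks up the new retention; no per-VM change.
Get-AzRecoveryServicesBackupItem -BackupManagementType AzureVM -WorkloadType AzureVM -VaultId $vault.ID |
    Where-Object ProtectionPolicyName -eq $policy.Name |
    Select-Object Name, ProtectionStatus, LastBackupStatus, LatestRecoveryPoint |
    Format-Table -AutoSize
```

Going from 7 to 30 days does not bring back points already pruned under the old rule; the 30-day window fills up over the following weeks. A vault-level soft-delete setting is separate from this policy and is what protects the recovery points themselves from deletion.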

952
MCQeasy

Based on the exhibit, the operations team wants to store the VM deployment definition in source control and deploy the same group of Azure VMs every sprint. The code should be readable and easy to review. What should they use?

A.Bicep template files stored in source control.
B.Manual creation in the Azure portal.
C.A one-time Azure CLI command typed into Cloud Shell.
D.A resource lock on the subscription.
AnswerA

Bicep is a declarative infrastructure-as-code format that is concise, readable, and easy to review in pull requests. It is well suited to repeatable Azure deployments from source control and supports modular design for VM infrastructure. This matches the team’s requirement for a readable, versioned deployment definition.

Why this answer

Bicep is a domain-specific language (DSL) for deploying Azure resources that provides a cleaner, more readable syntax compared to ARM JSON templates. Storing Bicep files in source control enables versioning, code review, and repeatable deployments via CI/CD pipelines, which aligns with the requirement to deploy the same VM group every sprint. The declarative nature of Bicep ensures the deployment definition is both human-readable and machine-executable.

Exam trap

The trap here is that candidates may confuse a deployment tool (like Bicep or ARM templates) with a management tool (like resource locks) or assume that a one-time CLI command is sufficient for repeatable deployments, overlooking the need for version-controlled, reviewable infrastructure-as-code.

How to eliminate wrong answers

Option B is wrong because manual creation in the Azure portal is not repeatable, not version-controlled, and introduces human error, making it unsuitable for deploying the same group of VMs every sprint. Option C is wrong because a one-time Azure CLI command is not stored in source control and cannot be easily reviewed or reused across sprints without manual re-entry or scripting, which defeats the purpose of a version-controlled deployment definition. Option D is wrong because a resource lock on the subscription prevents accidental deletion or modification but does not define or deploy any VM infrastructure; it is a governance tool, not a deployment mechanism.

953
MCQmedium

Based on the exhibit, which Azure Policy construct should the administrator use to deploy and manage these guardrails as one unit across the department?

A.Create an Azure Policy initiative and assign it at the management group scope.
B.Create an Azure RBAC role assignment at the management group scope.
C.Apply a ReadOnly lock to each subscription.
D.Move all resources into one resource group.
AnswerA

An initiative groups multiple related policies into one assignable unit, which is ideal when several guardrails must be managed together across many subscriptions.

Why this answer

An Azure Policy initiative is a collection of policy definitions designed to group related policies together for deployment as a single unit. By assigning the initiative at the management group scope, the administrator can enforce consistent guardrails across all subscriptions within that management group, ensuring centralized governance and compliance for the entire department.

Exam trap

The trap here is confusing Azure Policy initiatives with RBAC roles or resource locks, as candidates often think access control or resource protection alone can enforce governance guardrails, but only policy initiatives provide the unified, rule-based deployment and management of compliance requirements.

How to eliminate wrong answers

Option B is wrong because Azure RBAC role assignments control access permissions (who can do what), not the deployment and management of guardrails (what is allowed or denied). Option C is wrong because a ReadOnly lock prevents resource modification but does not enforce compliance rules or deploy policies as a unit. Option D is wrong because moving all resources into one resource group does not provide governance guardrails; it only consolidates resources without any policy enforcement.

954
MCQhard

A storage account becomes unavailable because Azure has a regional platform issue. The operations team wants a notification whenever Azure marks the resource or region unhealthy, and they want to avoid continuous log ingestion just to detect the outage. What should they configure?

A.A metric alert on storage capacity with an action group.
B.A log alert on storage diagnostic logs that watches for 503 responses.
C.A Service Health alert based on the Activity log, scoped appropriately.
D.An Azure Policy assignment that audits the storage account state.
AnswerC

Service Health alerts are the right choice when you need to know about Azure platform incidents, regional issues, or service degradations that affect a resource or region. They are generated from the Activity log and do not require you to ingest operational logs continuously just to detect an outage. This makes them both efficient and appropriate for platform availability monitoring.

Why this answer

Option C is correct because a Service Health alert, configured from the Azure Activity log, provides proactive notifications when Azure services or regions experience an outage or degradation. This alert is triggered by Azure's own health signals, eliminating the need for continuous log ingestion or custom metric monitoring to detect platform-level issues.

Exam trap

The trap here is that candidates confuse application-level monitoring (e.g., log alerts on HTTP 503 errors) with Azure's own platform health signals, leading them to choose a log-based solution that requires continuous ingestion and misses the native Service Health alert capability.

How to eliminate wrong answers

Option A is wrong because a metric alert on storage capacity monitors usage thresholds (e.g., percentage used), not service availability or regional health; it cannot detect an Azure platform outage. Option B is wrong because a log alert on storage diagnostic logs watching for 503 responses requires continuous log ingestion and custom query setup, which contradicts the requirement to avoid continuous log ingestion; it also only detects application-level errors, not Azure-declared regional unhealthiness. Option D is wrong because an Azure Policy assignment audits compliance with rules (e.g., encryption settings) and cannot trigger real-time notifications for service health events; it is a governance tool, not an alerting mechanism.

955
MCQeasy

Based on the exhibit, which KQL operator should replace the blank to return only those columns?

A.where, because it filters rows and also selects the visible columns.
B.summarize, because it groups the failed records into a smaller result set.
C.project, because it returns only the named columns in the result.
D.extend, because it creates new output columns for the selected fields.
AnswerC

project is the KQL operator used to shape the output and keep only the columns listed. In this query, it returns TimeGenerated, VaultName, and OperationName for easier reading.

Why this answer

The `project` operator in Kusto Query Language (KQL) is specifically designed to select a subset of columns from the input table, returning only the named columns in the result set. This matches the requirement to 'return only those columns,' making option C correct.

Exam trap

The trap here is confusing row-filtering operators (like `where`) with column-selection operators (like `project`), leading candidates to choose `where` because they think it controls visible columns, when in fact it only filters rows.

How to eliminate wrong answers

Option A is wrong because `where` filters rows based on a predicate, not columns; it does not select or limit visible columns. Option B is wrong because `summarize` groups rows and produces aggregations, often reducing the number of rows but not directly selecting specific columns. Option D is wrong because `extend` adds new computed columns to the result set, but it does not remove or select only existing columns.

956
MCQhard

Two virtual machines named VM-Web01 and VM-Web02 host the same public web application. Users on the internet must connect through a single public IP address, and incoming requests should be distributed across both VMs. What should you deploy?

A.An internal load balancer
B.A public load balancer
C.A private DNS zone
D.A Recovery Services vault
AnswerB

This fits the requirement for a single public IP and traffic distribution.

Why this answer

A public load balancer (Azure Load Balancer with a public frontend IP) provides a single public IP address for internet clients and distributes incoming requests across the backend pool (VM-Web01 and VM-Web02) according to a load-balancing rule, which gives the web application high availability and room to scale. One practical check: a Standard SKU public load balancer is closed to inbound traffic by default, so the NSG on the backend subnet or NICs must explicitly allow the application port (and the health probe, via the AzureLoadBalancer service tag) before any client traffic reaches the VMs.

Exam trap

The trap here is that candidates often confuse an internal load balancer with a public load balancer, mistakenly thinking any load balancer can provide internet-facing access, but only a public load balancer exposes a public IP address for external clients.

How to eliminate wrong answers

Option A is wrong because an internal load balancer uses a private IP address from the virtual network, which is not accessible from the internet, so it cannot provide a single public IP for external users. Option C is wrong because a private DNS zone is used for name resolution within a virtual network, not for distributing incoming traffic or providing a public IP address. Option D is wrong because a Recovery Services vault is used for backup and disaster recovery (Azure Backup and Site Recovery), not for load balancing or public IP addressing.

957
MCQmedium

A PowerShell script runs on an Azure VM every night and uses Azure CLI commands to create tags and VM resources in another subscription. The script cannot store a password or client secret. What should it use to authenticate to Azure?

A.az login with a username and password.
B.az login --identity.
C.Connect-AzAccount with device code authentication.
D.An app registration secret stored in a PowerShell variable.
AnswerB

The Azure CLI can sign in with the VM's managed identity by using az login --identity. That allows the script to authenticate without storing a password or client secret. After sign-in, the identity can be granted access to the target subscription or resource group, which makes the solution both secure and automation-friendly for nightly jobs.

Why this answer

Option B is correct because the script runs on an Azure VM and can use a managed identity to authenticate without storing any secret. The `az login --identity` command uses the VM's system-assigned or user-assigned managed identity to obtain a Microsoft Entra ID (formerly Azure AD) access token from the Azure Instance Metadata Service (IMDS) endpoint; the only thing that proves the caller's identity is that the request originates inside the VM. This satisfies the requirement of no password or client secret storage. The identity should then be granted only the role it needs at the target scope (for example a contributor role on the target resource group) rather than a broad subscription-level role.

Exam trap

The trap here is that candidates often confuse managed identity with service principal secrets or device code authentication, assuming any non-interactive method requires a stored secret, but `az login --identity` provides secretless authentication for Azure resources.

How to eliminate wrong answers

Option A is wrong because `az login` with a username and password requires the password to be available to the script, which is exactly the stored credential the requirement forbids; it also fails for accounts with multi-factor authentication enforced, which makes it unreliable for unattended jobs. Option C is wrong because `Connect-AzAccount` with device code authentication requires a user to open a browser and enter a code interactively, which is unsuitable for an unattended nightly script. Option D is wrong because storing an app registration secret in a PowerShell variable still places the secret in the script or its environment, violating the requirement of no stored password or client secret.

958
MCQmedium

A stateless Linux API should start with 2 instances, scale out to 6 when average CPU stays above 75 percent for 10 minutes, and scale back in when load drops. Which Azure compute resource should the administrator deploy?

A.An availability set with manual VM resizing.
B.A virtual machine scale set with autoscale rules.
C.A single Standard D-series VM with scheduled shutdown.
D.A load balancer in front of two unmanaged VMs.
AnswerB

A virtual machine scale set is built for identical compute instances that need to scale horizontally. Autoscale rules can watch CPU, adjust the instance count automatically, and maintain the minimum and maximum capacity you define. This fits stateless services very well because any instance can handle incoming requests once traffic is distributed across the set.

Why this answer

A virtual machine scale set (VMSS) with autoscale rules is the correct choice because it natively supports scaling out and scaling in based on performance metrics like average CPU percentage. The requirement for a stateless Linux API with a minimum of 2 instances, scaling to 6 when CPU exceeds 75% for 10 minutes, and scaling back in when load drops is exactly the use case VMSS is designed for. Autoscale rules can be configured to use a scale-out and scale-in policy with a cool-down period, ensuring the application remains responsive while optimizing cost.

Exam trap

The trap here is that candidates may confuse an availability set with autoscaling, not realizing that availability sets only provide redundancy and fault tolerance, not dynamic scaling, or they may think a load balancer with two VMs is sufficient, overlooking the requirement for automatic scaling based on CPU thresholds.

How to eliminate wrong answers

Option A is wrong because an availability set provides high availability through fault and update domains but does not include any autoscaling capability; manual VM resizing requires administrator intervention and cannot automatically scale out or in based on CPU thresholds. Option C is wrong because a single Standard D-series VM with scheduled shutdown cannot scale out to multiple instances; it only provides a fixed compute capacity and cannot handle variable load by adding or removing instances. Option D is wrong because a load balancer in front of two unmanaged VMs provides load distribution and some redundancy but lacks autoscaling; scaling would require manual provisioning of additional VMs and updating the load balancer backend pool, which does not meet the requirement for automatic scaling based on CPU metrics.
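The scale-out rule in the question (minimum 2, maximum 6, scale out when average CPU exceeds 75 percent for 10 minutes, scale back in when load drops) is easier to reason about as a decision loop. The following simulation is an added example written for this page, not Azure code and not part of the exam material: it models the duration window and cool-down that an autoscale profile expresses as its time window and cooldown settings, and runs it over a constructed CPU series (a 25-minute spike, then idle). The 30 percent scale-in threshold and the 5-minute cool-down are assumptions chosen for the example; Azure autoscale also applies flapping avoidance that this simulation leaves out.

```python
"""Simulated autoscale loop for a scale set: window, thresholds, cool-down, bounds."""
from collections import deque
from typing import List, Optional

MIN_INSTANCES, MAX_INSTANCES = 2, 6
SCALE_OUT_THRESHOLD = 75.0       # from the question
SCALE_IN_THRESHOLD = 30.0        # assumption for the example
DURATION_MIN = 10                # metric must breach for this many minutes (the rule's time window)
COOLDOWN_MIN = 5                 # no further action for this long after a scale action (assumption)


class Autoscaler:
    def __init__(self) -> None:
        self.instances = MIN_INSTANCES
        self.window: deque = deque(maxlen=DURATION_MIN)   # last DURATION_MIN per-minute samples
        self.last_action_minute: Optional[int] = None

    def step(self, minute: int, avg_cpu: float) -> int:
        """Feed one minute of average CPU across the set; return the resulting instance count."""
        self.window.append(avg_cpu)
        if len(self.window) < DURATION_MIN:
            return self.instances                      # not enough history to judge yet
        if self.last_action_minute is not None and minute - self.last_action_minute < COOLDOWN_MIN:
            return self.instances                      # cool-down: let the last action take effect
        window_avg = sum(self.window) / len(self.window)
        if window_avg > SCALE_OUT_THRESHOLD and self.instances < MAX_INSTANCES:
            self.instances += 1                        # scale out by one, never past the maximum
            self.last_action_minute = minute
        elif window_avg < SCALE_IN_THRESHOLD and self.instances > MIN_INSTANCES:
            self.instances -= 1                        # scale in by one, never below the minimum
            self.last_action_minute = minute
        return self.instances


def run(samples: List[float]) -> List[int]:
    """Instance count after each minute of the sample series."""
    scaler = Autoscaler()
    return [scaler.step(minute, cpu) for minute, cpu in enumerate(samples)]


# Constructed input: 25 minutes at 90 percent CPU, then 25 minutes at 10 percent.
SAMPLE_CPU = [90.0] * 25 + [10.0] * 25

if __name__ == "__main__":
    print(run(SAMPLE_CPU))
```

Reading the output shows why both settings exist: the first scale-out happens only once ten minutes of samples exceed the threshold, each subsequent step waits for the cool-down, the count never leaves the 2 to 6 band, and scale-in starts only after the window average falls, not at the first idle minute.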

959
MCQmedium

You need to deploy several identical virtual machines and ensure that the failure of a single Azure host does not affect all of them. Which feature should you use?

A.An availability set
B.A proximity placement group
C.A private endpoint
D.A custom script extension
AnswerA

Availability sets distribute VMs across fault and update domains to improve resilience.

Why this answer

An availability set distributes virtual machines across multiple fault domains and update domains within a single Azure datacenter. A fault domain is a group of hardware, in effect a rack, that shares a power source and network switch; VMs placed in different fault domains never run on the same host or rack, so the failure of one host or rack takes down only the VMs in that fault domain. Update domains in turn ensure that planned maintenance reboots only one group at a time. This meets the requirement that a single host failure does not affect all of the identical VMs.

Exam trap

The trap here is that candidates often confuse availability sets with availability zones, thinking zones are required for host failure isolation, but availability sets provide fault domain isolation within a single datacenter, which is sufficient for the stated requirement.

How to eliminate wrong answers

Option B is wrong because a proximity placement group is used to reduce network latency by placing VMs close together, not to isolate them from host failures. Option C is wrong because a private endpoint provides a private IP address for a service within a virtual network, and has no impact on VM placement or host failure resilience. Option D is wrong because a custom script extension is used to run scripts on a VM after deployment for configuration purposes, and does not affect the physical placement or fault tolerance of the VMs.

960
MCQmedium

A development environment uses temporary test VMs that can be rebuilt at any time. The administrator wants the operating system disk to provide the lowest practical latency and does not need the disk data to survive a deallocate operation. Which OS disk option should be selected?

A.Standard HDD managed disk.
B.Premium SSD managed disk.
C.Ephemeral OS disk.
D.Ultra Disk managed disk.
AnswerC

Ephemeral OS disks are intended for transient VMs and use local storage for very fast OS disk performance.

Why this answer

An ephemeral OS disk is created on the VM's local host storage (the VM cache or the temp disk, depending on the placement option chosen) rather than on remote managed storage, which gives the lowest latency available for an OS disk and fast reimage times. Because the disk lives on the host, its contents do not survive a reimage or deletion of the VM, and there is no persisted managed disk behind it; since these test VMs are rebuilt at will, that trade-off is exactly what is wanted. Ephemeral OS disks also carry no storage charge, unlike managed disks.

Exam trap

The trap here is that candidates often choose Premium SSD (B) because they associate 'lowest latency' with premium managed disks, forgetting that ephemeral OS disks use local storage which is inherently faster and also meets the 'no persistence' requirement, while managed disks always persist data across deallocations.

How to eliminate wrong answers

Option A is wrong because Standard HDD managed disks are remote storage with high latency and are not optimized for low-latency workloads; they also persist data across deallocations, which is unnecessary here. Option B is wrong because Premium SSD managed disks, while low-latency, are still remote managed disks that persist data across deallocations and incur higher cost without providing the absolute lowest latency of local storage. Option D is wrong because Ultra Disk managed disks are remote, high-performance storage designed for extreme IOPS/latency but are overkill for temporary test VMs, persist data across deallocations, and are significantly more expensive than ephemeral disks.

961
MCQeasy

A line-of-business app will run on a single Azure virtual machine in a region that supports availability zones. The business wants the VM to keep running if one datacenter in the region fails. Which deployment choice should you use?

A.Place the VM in an availability set
B.Deploy the VM in an availability zone
C.Use a larger VM size
D.Use a custom image
AnswerB

An availability zone places the VM in a physically separate datacenter within the same Azure region. That design gives better resilience against a datacenter-level failure than an availability set. For a single VM, choosing a zone is the direct way to improve protection from one zone or datacenter going offline. It is the right operational choice when the region supports zones and the requirement is survivability during a datacenter outage.

Why this answer

Availability zones are physically separate locations within an Azure region, each with independent power, cooling, and networking. Deploying the VM as a zonal VM pins it to one zone, so a datacenter failure in any other zone leaves it running, which is what the question asks for. The practical limit of a single zonal VM is that it does not survive the loss of its own zone; for that you spread instances across two or more zones behind a load balancer. Among the options listed, a zone is the only choice that addresses datacenter-level failure at all.

Exam trap

The trap here is that candidates often confuse availability sets (which protect against rack-level failures within a datacenter) with availability zones (which protect against entire datacenter failures), leading them to incorrectly select availability set as the answer.

How to eliminate wrong answers

Option A is wrong because an availability set protects against failures within a single datacenter (e.g., rack or update domain failures) but does not protect against an entire datacenter outage. Option C is wrong because increasing the VM size only provides more compute resources (CPU/RAM) and has no impact on availability or fault tolerance. Option D is wrong because using a custom image affects the VM's operating system configuration but does not provide any redundancy or protection against datacenter failures.

962
MCQeasy

Two application VMs are in the same Azure region. They must stay available during planned host maintenance, but the business does not require protection from a full datacenter outage. Which placement option should you use?

A.Availability set
B.Availability zone
C.Shared disk
D.Snapshot set
AnswerA

An availability set spreads VMs across fault and update domains so planned maintenance affects only part of the group at a time.

Why this answer

An availability set distributes VMs across multiple fault domains (up to 3) and update domains (up to 20) within a single Azure datacenter. This ensures that during planned host maintenance, only one update domain is taken offline at a time, keeping the application VMs available. Since the requirement does not include protection from a full datacenter outage, an availability set is the correct and cost-effective placement option.

Exam trap

The trap here is that candidates often choose Availability zones because they see 'high availability' and assume it's always the best option, missing the explicit constraint that only planned host maintenance needs to be covered, not a full datacenter outage.

How to eliminate wrong answers

Option B (Availability zone) is wrong because it protects against a full datacenter outage by placing VMs in physically separate zones within a region, which goes beyond the stated requirement of surviving planned host maintenance; the question explicitly does not ask for datacenter-level protection. Option C (Shared disk) is wrong because it is a storage configuration that allows multiple VMs to attach the same managed disk concurrently, not a placement option that controls fault or update domain isolation. Option D (Snapshot set) is wrong because Azure has no such concept as a 'snapshot set' for VM placement; snapshots are point-in-time copies of disks used for backup or recovery, not for high availability during maintenance.

963
MCQmedium

Based on the exhibit, where should the Reader role be assigned so the audit team automatically has access to every current and future subscription under Corp?

A.Assign Reader at the Corp management group scope.
B.Assign Reader at the subscription scope for Sub-001.
C.Assign Reader at the resource group scope in each subscription.
D.Assign Reader directly to each resource that the audit team might review.
AnswerA

A management group assignment inherits to all child subscriptions, so new subscriptions placed under Corp also receive the access automatically.

Why this answer

Assigning the Reader role at the Corp management group scope uses Azure RBAC inheritance to grant the audit team read-only access to all current and future subscriptions under that management group. Because management group scope propagates role assignments to all child subscriptions and resource groups, this ensures automatic coverage without manual updates.

Exam trap

The trap here is that candidates often choose subscription-level assignment (Option B) because they think it covers all resources in that subscription, but they overlook that the question requires access to every current and future subscription under Corp, which only management group inheritance can provide.

How to eliminate wrong answers

Option B is wrong because assigning Reader at the subscription scope for Sub-001 would only grant access to that single subscription, not to any future subscriptions added under Corp. Option C is wrong because assigning Reader at the resource group scope in each subscription would require manual assignment for every resource group and would not cover new subscriptions or resource groups automatically. Option D is wrong because assigning Reader directly to each resource is impractical and does not scale; it also fails to grant access to resources created in the future unless the assignment is repeated.
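Scope inheritance is the whole point of this question, so here is the resolution logic written out as an added example (my own code for this page, not Azure's implementation). It builds a constructed management-group tree with a Corp group, places Sub-001 under it, assigns Reader to an audit-team principal at the Corp scope, then adds Sub-002 under Corp afterwards and checks that the audit team holds Reader there without any new assignment. The group and subscription names are placeholders; Azure RBAC is additive and deny assignments are not modelled.

```python
"""Azure RBAC scope inheritance: an assignment applies at its scope and everything below it."""
from typing import Dict, List, Optional, Set, Tuple

MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"
TENANT_ROOT = MG_PREFIX + "tenant-root"     # placeholder name for the root group (assumption)


class Hierarchy:
    """Management-group tree plus subscription placement (constructed, not a live tenant)."""

    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def add_management_group(self, name: str, parent: Optional[str] = None) -> None:
        self.parent[MG_PREFIX + name] = MG_PREFIX + parent if parent else TENANT_ROOT

    def add_subscription(self, sub_id: str, mg_name: str) -> None:
        self.parent["/subscriptions/" + sub_id] = MG_PREFIX + mg_name

    def chain(self, scope: str) -> List[str]:
        """Scopes from the given one up to the tenant root, most specific first."""
        out: List[str] = []
        if scope.startswith("/subscriptions/"):
            parts = scope.strip("/").split("/")
            out.append(scope)
            if len(parts) > 4 and parts[2].lower() == "resourcegroups":
                out.append("/" + "/".join(parts[:4]))          # the resource group
            if len(parts) > 2:
                out.append("/" + "/".join(parts[:2]))          # the subscription
            scope = self.parent.get(out[-1], TENANT_ROOT)
        while scope:
            out.append(scope)                                  # management groups up to the root
            scope = "" if scope == TENANT_ROOT else self.parent.get(scope, TENANT_ROOT)
        return out


Assignment = Tuple[str, str, str]   # (principal, role, scope)


def effective_roles(h: Hierarchy, assignments: List[Assignment], principal: str, scope: str) -> Set[str]:
    """Roles the principal holds at `scope`: every assignment at that scope or any ancestor."""
    ancestors = set(h.chain(scope))
    return {role for p, role, s in assignments if p == principal and s in ancestors}


def build_example() -> Tuple[Hierarchy, List[Assignment]]:
    """Constructed tenant for the question: Corp holds the department's subscriptions."""
    h = Hierarchy()
    h.add_management_group("Corp")
    h.add_management_group("Labs")                  # a sibling group outside the audit remit
    h.add_subscription("sub-001", "Corp")
    h.add_subscription("sub-lab", "Labs")
    assignments: List[Assignment] = [
        ("audit-team", "Reader", MG_PREFIX + "Corp"),                                   # Option A
        ("app-owners", "Contributor", "/subscriptions/sub-001/resourceGroups/rg-web"),  # narrow scope
    ]
    h.add_subscription("sub-002", "Corp")           # created later; needs no new assignment
    return h, assignments


if __name__ == "__main__":
    h, a = build_example()
    for s in ("/subscriptions/sub-001", "/subscriptions/sub-002", "/subscriptions/sub-lab"):
        print(s, sorted(effective_roles(h, a, "audit-team", s)))
```

The same walk explains the wrong answers: the Contributor assignment at the rg-web scope is invisible one level up at the subscription, and nothing assigned inside Sub-001 can ever reach Sub-002.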

964
MCQmedium

Two application VNets are deployed in different Azure regions. Each VNet uses a unique, non-overlapping address space. The application teams want private IP connectivity over the Microsoft backbone with the lowest possible latency between the regions. Which design should the administrator choose?

A.Global VNet peering.
B.A site-to-site VPN between the two VNets.
C.Azure Traffic Manager with two public endpoints.
D.A service endpoint for each application subnet.
AnswerA

Global VNet peering is the correct choice for private connectivity between VNets in different Azure regions. It keeps traffic on the Microsoft backbone, uses private IP addressing, and avoids the added latency and overhead of an external VPN tunnel. Because the VNets already have non-overlapping address spaces, they meet the peering prerequisites. This design is commonly used when multiple regional workloads need fast, private communication without introducing a gateway-based path.

Why this answer

Global VNet peering provides direct, private IP connectivity between two VNets in different Azure regions over the Microsoft backbone, with no gateway hop and no IPsec tunnel in the path, which gives the lowest latency of the options listed. Two caveats matter in practice: peering is not transitive (VNet A peered to B and B to C does not connect A to C), and peering does not change filtering, so the NSGs on each side still decide what the peered VNet may reach and should be written explicitly rather than relying on the default VirtualNetwork allow rule.

Exam trap

The trap here is that candidates treat a VNet-to-VNet VPN (Option B) as the 'private' choice. Both paths stay off the public internet, but the VPN adds a gateway hop and IPsec processing in each direction, so the gateway-free peering path has the lower latency.

How to eliminate wrong answers

Option B is wrong because a site-to-site VPN between the two VNets introduces additional latency due to encryption/decryption overhead and traffic traversing a VPN gateway, which is not the lowest-latency option compared to direct peering. Option C is wrong because Azure Traffic Manager is a DNS-based traffic load balancer that directs public endpoints, not a private connectivity solution; it does not provide private IP connectivity between VNets. Option D is wrong because a service endpoint provides private connectivity from a VNet to specific Azure PaaS services (e.g., Azure Storage) over the Microsoft backbone, but it does not enable private IP connectivity between two application VNets.

965
MCQmedium

Based on the exhibit, a user accidentally deleted one file from the VM and you need to restore only that file without recovering the entire virtual machine. What should you use?

A.Run file recovery from the available recovery point.
B.Restore the entire VM to the original resource group.
C.Create a new backup policy with longer retention and wait for the next backup.
D.Use Azure Monitor alerts to trigger an automatic file restore.
AnswerA

Azure VM backup supports file-level recovery from a restore point. Because only one file is needed, file recovery is the least disruptive and most efficient choice. It mounts the recovery point and lets you copy back the missing file without restoring the entire VM or its disks.

Why this answer

Azure Backup for Azure VMs supports file-level recovery from VM backup snapshots without restoring the entire VM. By selecting 'File Recovery' from the backup item's recovery point, you can mount the backup as a drive on the VM or a recovery machine, browse the file system, and copy the deleted file back to its original location. This avoids the overhead and downtime of a full VM restore.

Exam trap

The trap here is that candidates may confuse 'file recovery' with 'full VM restore' or assume that only a full restore can recover data, overlooking the granular file-level recovery capability built into Azure Backup.

How to eliminate wrong answers

Option B is wrong because restoring the entire VM to the original resource group would overwrite the current VM state, cause downtime, and is unnecessary when only a single file needs recovery. Option C is wrong because creating a new backup policy with longer retention does not help recover a file that was already deleted; it only affects future backups and does not provide access to existing recovery points. Option D is wrong because Azure Monitor alerts are used for monitoring and notification, not for triggering file-level restore operations; file recovery must be initiated manually or via Azure Backup APIs.

966
MCQmedium

A subnet has these inbound NSG rules: Rule 100 denies TCP 3389 from Internet, Rule 200 allows TCP 3389 from 10.0.0.0/8, and Rule 300 allows TCP 3389 from AzureLoadBalancer. An administrator in 10.20.5.4 cannot RDP to a VM in the subnet. Why is the connection denied?

A.The deny rule at priority 100 matches before the allow rule at priority 200.
B.The AzureLoadBalancer service tag blocks all other inbound traffic on that port.
C.The VM needs a public IP address for RDP to work from a private source.
D.NSG rules are processed by longest prefix match, so the /8 source loses to the /32 VM address.
AnswerA

NSG rules are evaluated in priority order, lowest number first, and evaluation stops at the first rule whose source, destination, port, and protocol all match. The deny at priority 100 is therefore considered before the allow at priority 200. The scenario implies the administrator's session reaches the VM across the public internet (for example against the VM's public IP): what the NSG sees is the workstation's NAT'd public source address, which the Internet service tag covers, so the deny fires and rule 200 is never reached. Had the same 10.20.5.4 address arrived over a VPN, ExpressRoute, or peering path, the Internet tag would not have matched and rule 200 would have allowed the connection. The lesson is that priority order decides the outcome, not how specific or how desirable a later allow rule looks.

Why this answer

Option A is correct because Network Security Group (NSG) rules are evaluated from the lowest priority number upward and the first match is final. Rule 100 denies TCP 3389 from the Internet service tag, which represents public address space outside the virtual network. Although 10.20.5.4 lies inside 10.0.0.0/8, that private address is only what the NSG sees when the traffic arrives through a private path; a connection made across the internet carries the workstation's public NAT address, which rule 100 matches before rule 200 is evaluated. To let the administrator in, either connect over a private path (VPN, ExpressRoute, peering, or Azure Bastion) so the source really is 10.20.5.4, or add an allow for the actual public source with a priority number lower than 100. Adding a more specific allow rule at a higher number changes nothing.

Exam trap

The trap here is that candidates often assume NSG rules are evaluated using longest prefix match (like routing tables) or that a more specific allow rule will override a broader deny rule, but in reality, NSG rules are evaluated strictly by priority number, and the first matching rule is applied regardless of specificity.

How to eliminate wrong answers

Option B is wrong because the AzureLoadBalancer service tag identifies the Azure infrastructure load balancer (the health-probe source); an allow rule for it permits only that traffic and blocks nothing. Option C is wrong because RDP from a private source such as 10.20.5.4 does not require a public IP address on the VM; a private IP is sufficient for connectivity over a private path. Option D is wrong because NSG rules do not use longest prefix match; they are evaluated strictly by priority number, and the specificity of the source or destination prefix plays no part in which rule wins.
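To make the first-match behaviour concrete, here is a small evaluator written for this page as an added example (it is not Azure's implementation and deliberately approximates the service tags: Internet is modelled as any address that is not RFC 1918, not part of the VNet or its connected address space, and not the Azure probe address; VirtualNetwork as the VNet plus the privately connected space; AzureLoadBalancer as 168.63.129.16). The VNet prefix, the connected 10.0.0.0/8 space, and the 203.0.113.7 stand-in for the workstation's NAT'd public address are constructed for the example. It reproduces the three rules from the question plus the default inbound rules, and shows the same 10.20.5.4 source being allowed when it arrives privately and denied when it arrives as a public address.

```python
"""Simplified NSG inbound evaluation: rules are walked in priority order and the first
match decides; there is no longest-prefix logic anywhere in the process."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed address context (assumption): the VNet that holds the subnet, the private
# space reachable over VPN or peering, and the Azure infrastructure probe address.
VNET_PREFIXES = ["10.0.0.0/16"]
CONNECTED_PREFIXES = ["10.0.0.0/8"]
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
AZURE_LB_PROBE = ipaddress.ip_address("168.63.129.16")


def _in_any(ip, prefixes: List[str]) -> bool:
    return any(ip in ipaddress.ip_network(p) for p in prefixes)


def source_matches(source: str, src_ip: str) -> bool:
    """Approximate the service tags the question uses; the real tags are Azure-maintained lists."""
    ip = ipaddress.ip_address(src_ip)
    if source == "*":
        return True
    if source == "AzureLoadBalancer":
        return ip == AZURE_LB_PROBE
    if source == "VirtualNetwork":     # VNet plus address space connected through a gateway or peering
        return _in_any(ip, VNET_PREFIXES + CONNECTED_PREFIXES)
    if source == "Internet":           # public space outside the VNet (simplified)
        return ip != AZURE_LB_PROBE and not _in_any(ip, RFC1918 + VNET_PREFIXES + CONNECTED_PREFIXES)
    return ip in ipaddress.ip_network(source)   # a plain CIDR source


@dataclass(order=True)
class Rule:
    priority: int                                       # the only field used for ordering
    name: str = field(compare=False)
    access: str = field(compare=False)                  # "Allow" or "Deny"
    source: str = field(compare=False)                  # CIDR or service tag
    dest_port: Optional[int] = field(compare=False, default=None)   # None means any port
    protocol: str = field(compare=False, default="Tcp")             # "Tcp", "Udp" or "*"


DEFAULT_INBOUND = [
    Rule(65000, "AllowVnetInBound", "Allow", "VirtualNetwork", None, "*"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "Allow", "AzureLoadBalancer", None, "*"),
    Rule(65500, "DenyAllInBound", "Deny", "*", None, "*"),
]

QUESTION_RULES = [
    Rule(100, "DenyRdpFromInternet", "Deny", "Internet", 3389),
    Rule(200, "AllowRdpFromCorp", "Allow", "10.0.0.0/8", 3389),
    Rule(300, "AllowRdpFromLb", "Allow", "AzureLoadBalancer", 3389),
]


def evaluate(rules: List[Rule], src_ip: str, dest_port: int, protocol: str = "Tcp") -> Tuple[str, str]:
    """Walk custom plus default rules, lowest priority number first; return (access, rule name)."""
    for rule in sorted(rules + DEFAULT_INBOUND):
        if rule.protocol not in ("*", protocol):
            continue
        if rule.dest_port is not None and rule.dest_port != dest_port:
            continue
        if source_matches(rule.source, src_ip):
            return rule.access, rule.name               # first match wins; nothing later is consulted
    raise RuntimeError("unreachable: DenyAllInBound matches every flow")


if __name__ == "__main__":
    for src in ("10.20.5.4", "203.0.113.7", "168.63.129.16"):
        print(src, evaluate(QUESTION_RULES, src, 3389))
```

The private 10.20.5.4 source is allowed by rule 200 because rule 100 never matched it, the public stand-in is denied by rule 100 before rule 200 is reached, and the probe source is allowed by rule 300. Changing the rules to a longer prefix would not alter any of these outcomes; only the priority numbers would.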

967
MCQmedium

Based on the exhibit, an administrator is trying to peer two VNets so workloads can communicate privately. The peering creation fails. What should the administrator do first?

A.Create a user-defined route in VNet-Prod to force traffic through a firewall.
B.Readdress one of the VNets so the address spaces no longer overlap.
C.Enable gateway transit on both VNets and retry the peering.
D.Add an NSG rule that allows traffic from the other VNet.
AnswerB

Azure VNet peering requires non-overlapping address spaces. The correct first step is to change one VNet to a unique, non-conflicting prefix before attempting peering again. Once the overlap is removed, the peering can be created and traffic can flow privately between the networks.

Why this answer

VNet peering requires that the address spaces of the two virtual networks do not overlap. Overlapping address spaces cause routing conflicts and prevent the peering from being established. The administrator must readdress one of the VNets so their IP ranges are unique before retrying the peering.

Exam trap

The trap here is that candidates often focus on network security or traffic control (NSGs, UDRs, gateway transit) instead of recognizing that VNet peering has a strict prerequisite of non-overlapping address spaces, which is a common misconfiguration in real-world scenarios.

How to eliminate wrong answers

Option A is wrong because creating a user-defined route (UDR) to force traffic through a firewall does not resolve the underlying address space overlap; UDRs are used to control traffic flow, not to fix peering prerequisites. Option C is wrong because gateway transit is a feature that allows a peered VNet to use the other VNet's VPN/ExpressRoute gateway, but it does not address overlapping address spaces and is not required for basic VNet peering. Option D is wrong because adding an NSG rule to allow traffic from the other VNet is irrelevant when the peering itself fails due to overlapping address spaces; NSGs control traffic after peering is established, not the peering creation.

968
MCQ · easy

A newly created VM must read secrets from Azure Key Vault. The solution must not store credentials on the VM, and the identity should disappear automatically when the VM is deleted. What should the administrator enable?

A. User-assigned managed identity
B. System-assigned managed identity
C. A service principal with a stored client secret
D. A storage account access key
Answer: B

A system-assigned managed identity is tied directly to one VM. Azure creates and manages the identity for that resource, so no passwords or client secrets need to be stored on the server. When the VM is deleted, the identity is removed automatically, which satisfies both security and lifecycle requirements.

Why this answer

A system-assigned managed identity is automatically created and tied to the lifecycle of the Azure VM. When the VM is deleted, the identity is automatically removed, satisfying the requirement that the identity disappears. This identity can be granted access to Key Vault secrets via Azure RBAC or access policies, without storing any credentials on the VM.

Exam trap

The trap here is that candidates often confuse user-assigned and system-assigned managed identities, assuming both are tied to the VM lifecycle, but only the system-assigned identity is automatically deleted with the VM.

How to eliminate wrong answers

Option A is wrong because a user-assigned managed identity is created as a standalone Azure resource and persists independently of the VM; it will not be automatically deleted when the VM is deleted. Option C is wrong because a service principal with a stored client secret requires the secret to be stored on the VM (e.g., in a configuration file or environment variable), violating the requirement that no credentials be stored on the VM. Option D is wrong because a storage account access key is used for authenticating to Azure Storage, not for accessing Key Vault secrets, and it would need to be stored on the VM, again violating the no-credentials-on-VM requirement.

969
Multi-Select · easy

A records team stores blobs that are read often during the first month and then rarely accessed later, but the files must stay online the whole time. Which two access tiers should they use for the active and inactive data sets? Select two.

Select 2 answers
A. Hot, because it is optimized for frequent reads and online access to active data.
B. Cool, because it is designed for infrequent access while still keeping blobs online.
C. Archive, because it is best for data that must be opened immediately by users.
D. Premium block blob, because it is the standard tier for long-term retention and low-cost storage.
E. Cold, because it is intended for data that can stay offline until someone requests it.
Answers: A, B

Hot is the best fit for the active data set that is read often and needs immediate online availability; Cool covers the rarely accessed data set while keeping it online.

Why this answer

Option A is correct because the Hot access tier is optimized for frequent reads and provides low-latency online access, making it ideal for the active data set that is read often during the first month. Option B is correct because the Cool access tier is designed for infrequently accessed data that must remain online, with lower storage costs but higher access costs, perfectly matching the rarely accessed but always online requirement.

Exam trap

The trap here is that candidates often confuse the Cool tier with the Archive tier, assuming 'infrequent access' means offline, or they mistakenly think the Cold tier (which is offline) satisfies the 'online' requirement, but the question explicitly states files must stay online the whole time.

970
MCQ · medium

A subnet has a route table with these user-defined routes: 172.16.0.0/16 -> Virtual appliance 10.1.1.4 and 172.16.1.0/24 -> Internet. A VM in the subnet sends traffic to 172.16.1.20. Which next hop is used?

A. Virtual appliance 10.1.1.4, because the broader route was added first.
B. Internet, because the most specific route prefix always wins.
C. Virtual network gateway, because all traffic to private IP addresses uses the gateway by default.
D. No next hop, because conflicting user-defined routes disable routing for that destination.
Answer: B

Azure chooses the longest matching prefix. The /24 route is more specific than the /16 route.

Why this answer

Azure route selection uses the longest prefix match (most specific route) to determine the next hop. The route 172.16.1.0/24 is more specific than 172.16.0.0/16, so traffic to 172.16.1.20 uses the Internet next hop, not the virtual appliance. This is consistent with how Azure evaluates user-defined routes (UDRs) and system routes.

Exam trap

The trap here is that candidates assume route priority is based on the order routes are added (first match wins) rather than the longest prefix match, leading them to incorrectly choose the virtual appliance route.

How to eliminate wrong answers

Option A is wrong because Azure does not use route creation order to resolve conflicts; it always uses the most specific prefix match, regardless of when the route was added. Option C is wrong because a virtual network gateway is only used for routes learned via BGP or as a default system route for gateway subnets, not for all private IP traffic; the explicit UDRs override any default behavior. Option D is wrong because conflicting UDRs do not disable routing; Azure selects the most specific matching route, and if no match exists, it falls back to system routes.

971
MCQ · medium

A VM in a subnet must access an Azure Storage account without creating a private endpoint. The organization is fine with the storage account remaining on its public endpoint, but traffic should stay on the Azure backbone rather than the public internet. Which feature should you use?

A. A service endpoint for Microsoft.Storage on the subnet.
B. A private endpoint and a private DNS zone.
C. A NAT gateway attached to the subnet.
D. A VPN gateway connection to the storage account resource group.
Answer: A

A service endpoint extends the VNet identity to the supported Azure service and keeps traffic on the Microsoft backbone. It does not create a private IP or require DNS changes, which matches this requirement. The storage account can remain on its public endpoint while still accepting traffic only from the allowed subnet.

Why this answer

A service endpoint for Microsoft.Storage on the subnet extends the virtual network identity to the storage account, allowing traffic from the subnet to the storage account's public endpoint to traverse the Azure backbone network instead of the public internet. This meets the requirement of keeping traffic on the Azure backbone without creating a private endpoint, as service endpoints use the public endpoint but route traffic through Microsoft's network.

Exam trap

The trap here is that candidates confuse service endpoints with private endpoints, assuming both require private IPs, but service endpoints keep the public endpoint while routing traffic over the Azure backbone.

How to eliminate wrong answers

Option B is wrong because a private endpoint creates a private IP address in the subnet for the storage account, which the organization explicitly wants to avoid. Option C is wrong because a NAT gateway provides outbound internet connectivity for the subnet but does not route traffic to Azure Storage over the backbone; it still uses the public internet path. Option D is wrong because a VPN gateway connects on-premises networks to Azure, not a subnet to a storage account, and it does not affect routing between a VM and a storage account within Azure.

972
MCQ · easy

Based on the exhibit, what should the administrator create to let Alex restart one VM and read its properties without giving broader permissions?

A. Create a custom role that includes only the required VM read and restart actions.
B. Create an Azure Policy assignment that allows restart operations on the VM.
C. Apply a CanNotDelete lock to the VM resource.
D. Move the VM to a management group so the permissions become more specific.
Answer: A

A custom role lets the administrator define only the actions needed for the task, such as reading VM properties and restarting the VM. That is the cleanest least-privilege solution when built-in roles are broader than necessary.

Why this answer

Option A is correct because Azure custom roles allow you to define granular permissions by specifying only the required actions in the `Actions` field of the role definition. For Alex to restart a VM (`Microsoft.Compute/virtualMachines/restart/action`) and read its properties (`Microsoft.Compute/virtualMachines/read`), a custom role with exactly these two actions provides the least-privilege access without granting broader permissions like VM write or delete.

Exam trap

The trap here is that candidates confuse Azure Policy (which enforces configurations) with RBAC (which controls permissions), or they mistakenly think locks or management groups can grant specific actions like restart.

How to eliminate wrong answers

Option B is wrong because Azure Policy is used to enforce compliance rules (e.g., requiring specific tags or SKUs) and cannot grant or deny permissions; it evaluates resource configurations but does not control RBAC actions like restart. Option C is wrong because a CanNotDelete lock only prevents deletion of the VM resource; it does not grant any permissions to read properties or perform restart actions. Option D is wrong because moving a VM to a management group does not make permissions more specific; management groups are used for hierarchical organization and policy inheritance, not for granting granular RBAC permissions.

973
MCQ · hard

An administrator accidentally stopped protection for a critical VM and then deleted its backup item. The mistake was discovered a day later, and the organization wants deleted backup data to remain recoverable for a grace period. Which feature should be enabled on the Recovery Services vault?

A. Soft delete on the Recovery Services vault.
B. An action group attached to the vault alerts.
C. Diagnostic settings that export vault events to Log Analytics.
D. Cross-region restore for the vault.
Answer: A

Soft delete keeps deleted backup items recoverable for a retention window after deletion. That gives administrators time to reverse a mistaken stop-protection or delete action before the data is permanently lost. It is specifically designed for this sort of operational recovery scenario and is a vault-level protection setting. Because the question asks for recoverability after deletion, soft delete is the feature that directly addresses the requirement.

Why this answer

Soft delete on the Recovery Services vault provides a grace period (default 14 days) during which deleted backup data is retained in a soft-deleted state, allowing recovery even after a backup item is deleted. This feature is specifically designed to protect against accidental deletion, as it prevents permanent removal of backup data until the soft-delete period expires or is manually purged.

Exam trap

The trap here is that candidates may confuse soft delete with cross-region restore or diagnostic settings, thinking that logging or alerts can recover deleted data, when in fact only soft delete provides a grace period for recovery after accidental deletion.

How to eliminate wrong answers

Option B is wrong because an action group attached to vault alerts only sends notifications (e.g., email, SMS) when certain events occur; it does not retain or protect deleted backup data. Option C is wrong because diagnostic settings that export vault events to Log Analytics enable auditing and monitoring of vault operations, but they do not preserve deleted backup data or provide a recovery grace period. Option D is wrong because cross-region restore (CRR) allows restoring backups to a paired Azure region for disaster recovery, but it does not prevent permanent deletion of backup items or offer a grace period for accidental deletions.

974
MCQ · medium

A media archive contains video files that are accessed only a few times per year, but they must remain online and readable immediately whenever an investigator requests them. Which blob access tier should the administrator choose to minimize storage cost?

A. Hot
B. Cool
C. Cold
D. Archive
Answer: C

Cold is intended for very infrequently accessed data that still needs to stay online and readable immediately.

Why this answer

The Cold tier is the correct choice because it provides online, immediately readable storage for data accessed only a few times per year, while offering lower storage costs than the Cool tier. Unlike the Archive tier, Cold tier data does not require a rehydration delay, ensuring instant access for investigators.

Exam trap

The trap here is that candidates often assume the Archive tier offers immediate online access when it actually requires rehydration, so they choose Archive for its cost savings without considering the access latency constraint.

How to eliminate wrong answers

Option A is wrong because the Hot tier is optimized for frequent access (multiple times per month) and has the highest storage cost, making it unsuitable for rarely accessed data. Option B is wrong because the Cool tier is designed for data accessed infrequently (about once per month) and has higher storage costs than Cold tier, leading to unnecessary expense for data accessed only a few times per year. Option D is wrong because the Archive tier requires a rehydration process (taking up to 15 hours) before data can be read, violating the requirement that files remain 'online and readable immediately' upon request.

975
MCQ · medium

You plan to store backup files that are written once per week and are rarely accessed except during an audit. The company wants the lowest storage cost but still needs online access within hours, not days. Which blob access tier should you choose?

A. Hot
B. Cool
C. Archive
D. Premium
Answer: B

Cool is appropriate for infrequently accessed data that still needs to remain online.

Why this answer

The Cool tier is the correct choice because it is designed for data that is infrequently accessed and stored for at least 30 days, offering lower storage costs than Hot while still providing millisecond latency for online access. Since backups are written once per week and rarely accessed except during an audit, Cool tier meets the requirement of online access within hours at the lowest storage cost among the online tiers.

Exam trap

The trap here is that candidates often choose Archive for the lowest storage cost without considering the rehydration time requirement, mistakenly assuming 'online access within hours' is satisfied by Archive's standard rehydration priority of up to 15 hours.

How to eliminate wrong answers

Option A is wrong because the Hot tier has the highest storage cost and is optimized for frequent access, which does not align with the rarely accessed backup data. Option C is wrong because the Archive tier, while having the lowest storage cost, requires a rehydration process that can take up to 15 hours to make data accessible online, violating the requirement of access within hours. Option D is wrong because the Premium tier is designed for high-performance workloads with low latency and high transaction costs, making it unnecessarily expensive for backup files that are rarely accessed.
