AZ-104 (AZ-104) — Questions 976–1050

1170 questions total · 16 pages · All types, answers revealed

Page 14 of 16
976
MCQ · medium

A subnet has a user-defined route for 0.0.0.0/0 that sends all outbound traffic to a network virtual appliance for inspection. The business now attaches a NAT gateway to the subnet and wants internet-bound traffic to use the NAT gateway's public IP, while traffic to private corporate prefixes should still go to the appliance. What should the administrator change?

A. Leave the route table unchanged because the NAT gateway always overrides a default UDR.
B. Remove the 0.0.0.0/0 UDR and add only the specific private-prefix routes that must go to the appliance.
C. Disable source NAT on the network virtual appliance.
D. Create a private endpoint for internet traffic so outbound packets stay in Azure.
Answer: B

A NAT gateway provides outbound internet translation when the subnet uses the default internet route. If a 0.0.0.0/0 UDR sends traffic to an appliance, that route wins and the NAT gateway is bypassed. To meet both requirements, keep specific routes for corporate/private prefixes toward the appliance and let internet-bound traffic follow the system route, where the NAT gateway can provide stable outbound IPs.

Why this answer

The 0.0.0.0/0 user-defined route (UDR) sends all outbound traffic to the network virtual appliance (NVA). A NAT gateway provides outbound connectivity with a public IP, but it only takes effect when there is no explicit 0.0.0.0/0 route overriding it. By removing the 0.0.0.0/0 UDR and adding only specific private-prefix routes (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) pointing to the NVA, internet-bound traffic will use the NAT gateway (via its default route), while corporate traffic is still forced through the appliance.

Exam trap

The trap here is that candidates assume a NAT gateway automatically overrides any existing default route, but in Azure, a user-defined route (UDR) for 0.0.0.0/0 takes precedence over the NAT gateway's implicit default, so the UDR must be removed or made less specific to allow the NAT gateway to handle internet-bound traffic.

How to eliminate wrong answers

Option A is wrong because a NAT gateway does not override a UDR; the most specific route wins, and a 0.0.0.0/0 UDR will take precedence over the NAT gateway's implicit default, causing all traffic to still go to the NVA. Option C is wrong because disabling source NAT (SNAT) on the NVA would break its ability to forward traffic to the internet (if it were used), but the goal is to bypass the NVA for internet traffic entirely, not to modify its SNAT behavior. Option D is wrong because a private endpoint is used for inbound access to Azure PaaS services from a virtual network, not for outbound internet traffic; it does not provide a public IP or route internet-bound packets.

977
Drag & Drop · medium

Arrange the steps to create a virtual network in Azure with a subnet and deploy a VM.


Why this order

First create the VNet with its address space, then add a subnet, associate an NSG, deploy the VM, and then verify.

978
MCQ · medium

New Azure subscriptions are created every month. Production subscriptions require stricter governance than sandbox subscriptions, and central IT wants those rules to apply automatically to any future production subscription without reconfiguring each one. What should they set up?

A. Separate resource groups for production and sandbox workloads in each subscription.
B. A management group hierarchy with production and sandbox child management groups, then assign governance at the appropriate scope.
C. A CanNotDelete lock on each subscription.
D. A custom role assigned to each subscription owner.
Answer: B

Management groups provide a hierarchy for organizing subscriptions and applying governance that inherits to child scopes. Placing production and sandbox subscriptions under different child management groups lets central IT target different controls once, and the settings flow automatically to future subscriptions placed in those groups.

Why this answer

Management groups allow you to build a hierarchy that reflects your organizational structure and apply governance policies (e.g., Azure Policy, RBAC) at the management group scope. By creating a 'Production' child management group under the root, any new subscription placed in that group automatically inherits the assigned policies and role assignments, eliminating the need to reconfigure each subscription individually.

Exam trap

The trap here is that candidates confuse resource groups or locks with management groups, failing to realize that only management groups provide hierarchical inheritance of governance across multiple subscriptions without per-subscription configuration.

How to eliminate wrong answers

Option A is wrong because resource groups are containers within a single subscription and cannot apply governance across multiple subscriptions or automatically enforce rules on new subscriptions. Option C is wrong because a CanNotDelete lock prevents accidental deletion of a subscription but does not enforce governance policies like allowed regions, SKU restrictions, or tagging requirements. Option D is wrong because a custom role assigned to each subscription owner delegates permissions but does not automatically apply governance rules to new subscriptions; it requires manual assignment per subscription and does not enforce policies.

979
MCQ · medium

A development team runs Windows and Linux VMs in a single Azure subnet. The VMs must access an Azure Storage account, and the security team wants to restrict the storage account so only that subnet can reach it. The team does not want to create a private IP for the storage account or change DNS records. What should the administrator configure?

A. A private endpoint for the storage account and a private DNS zone.
B. A service endpoint on the subnet and a storage account network rule allowing that subnet.
C. A site-to-site VPN between the subnet and the storage account.
D. A user-defined route that sends storage traffic to the default internet next hop.
Answer: B

Service endpoints extend the subnet identity to the Azure Storage service without assigning a private IP to the storage account. This allows the administrator to restrict access to the specific Azure subnet while keeping the service reachable through its normal public DNS name. It fits the requirement to avoid DNS changes and private IP creation.

Why this answer

Option B is correct because a service endpoint extends the subnet's identity to the storage account, allowing the storage firewall to accept traffic from that subnet without assigning a private IP. This meets the security requirement of restricting access to only that subnet while avoiding private IPs or DNS changes.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, assuming both require private IPs and DNS changes, but service endpoints operate at the network layer without altering the storage account's public endpoint.

How to eliminate wrong answers

Option A is wrong because a private endpoint assigns a private IP to the storage account and requires a private DNS zone to resolve the storage account's FQDN to that IP, which contradicts the requirement to avoid private IPs and DNS changes. Option C is wrong because a site-to-site VPN connects on-premises networks to Azure, not a subnet within Azure to an Azure service; it would add unnecessary complexity and does not restrict access at the subnet level. Option D is wrong because a user-defined route sending storage traffic to the default internet next hop does not enforce access control; it merely directs traffic and does not restrict which subnet can reach the storage account.

980
MCQ · medium

Based on the exhibit, which feature should you enable so the subnet can access the storage account without creating a private IP address in the VNet?

A. Private endpoint
B. Service endpoint
C. VPN Gateway
D. Azure Firewall
Answer: B

A service endpoint allows the subnet to reach the storage service over its public endpoint while restricting access by VNet identity.

Why this answer

Service endpoints allow a subnet to securely and privately connect to Azure PaaS services (like Storage Accounts) over the Azure backbone network without requiring a private IP address in the VNet. They extend the VNet identity to the service, enabling access via the service's public endpoint while restricting traffic to the subnet. This matches the requirement exactly: no private IP is created in the VNet, and the storage account is accessed directly.

Exam trap

The trap here is that candidates confuse Private Endpoint (which creates a private IP) with Service Endpoint (which does not), often assuming any 'private' access requires a private IP, but Service Endpoint provides private access over the Microsoft backbone without allocating an IP in the VNet.

How to eliminate wrong answers

Option A is wrong because a Private Endpoint creates a private IP address in the VNet (a NIC with a private IP from the subnet) to access the storage account, which contradicts the requirement of not creating a private IP. Option C is wrong because a VPN Gateway establishes encrypted connectivity between on-premises networks and Azure VNets, not between a subnet and a PaaS service like a storage account. Option D is wrong because Azure Firewall is a managed network security service that filters traffic, but it does not provide direct, private access to a storage account without a private IP; it would still route traffic through the storage account's public endpoint unless combined with other features.

981
Multi-Select · medium

An operations team must enforce two rules across all subscriptions in a department: new resources must include a CostCenter tag, and deployments are allowed only in East US and West US. The team wants one assignment and automatic blocking of noncompliant deployments. Which three actions should the administrator take? Select three.

A. Create an Azure Policy initiative that contains both policy definitions.
B. Assign the initiative at the management group scope that contains the department subscriptions.
C. Use the Deny effect for both policy definitions.
D. Grant Contributor at the subscription scope.
E. Apply a CanNotDelete lock to each resource group.
Answers: A, B, C

An initiative bundles multiple related policy definitions into a single assignable unit. That allows the team to manage the tag requirement and allowed-location requirement together as one governance package.

Why this answer

Option A is correct because an Azure Policy initiative (a set of policy definitions) allows combining the CostCenter tag requirement and the allowed region restriction into a single assignment, simplifying management. This ensures both rules are enforced together across all subscriptions in the department.

Exam trap

The trap here is that candidates often confuse RBAC roles (like Contributor) with Azure Policy effects, mistakenly thinking granting permissions can enforce compliance, or they confuse resource locks with policy enforcement.

982
MCQ · medium

You need to prevent accidental deletion of a resource group while still allowing administrators to create and modify resources inside it. Which lock should you apply?

A. ReadOnly
B. CanNotDelete
C. Delete lock
D. No lock and a budget alert
Answer: B

A CanNotDelete lock blocks deletion but still permits updates.

Why this answer

The CanNotDelete lock prevents the resource group from being deleted while still allowing all operations (including create and modify) on resources within it. This is the correct choice because the requirement is specifically to block deletion, not to restrict modifications or read access.

Exam trap

The trap here is that candidates confuse the non-existent 'Delete lock' with the actual CanNotDelete lock, or assume a ReadOnly lock is needed when only deletion prevention is required.

How to eliminate wrong answers

Option A is wrong because ReadOnly lock prevents all modifications to resources, including create and modify operations, which contradicts the requirement to allow administrators to create and modify resources. Option C is wrong because 'Delete lock' is not a valid Azure lock type; Azure supports only CanNotDelete and ReadOnly locks. Option D is wrong because a budget alert only sends notifications when spending exceeds a threshold and does not prevent deletion of the resource group.

983
MCQ · easy

An administrator wants to run a one-time Azure CLI command from inside a VM to create a resource in Azure, but the administrator does not want to store credentials on the VM. What should be used for authentication?

A. The VM's managed identity
B. A local administrator password
C. A network security group rule
D. An Azure region paired with the VM
Answer: A

The VM’s managed identity lets scripts or Azure CLI commands authenticate to Azure without storing secrets on the machine. After the identity is enabled and granted the needed role, the command can sign in by using the identity instead of a password or service principal secret. This is the secure and practical approach.

Why this answer

Azure Managed Identity provides an automatically managed identity in Azure AD that allows a VM to authenticate to any service that supports Azure AD authentication, including Azure Resource Manager, without storing any credentials on the VM. When the administrator runs the Azure CLI command from within the VM, the CLI can use the managed identity's token endpoint (169.254.169.254/metadata/identity/oauth2/token) to obtain an access token, enabling secure, credential-free resource creation.

Exam trap

The trap here is that candidates may confuse authentication with authorization or network controls, thinking a local password or NSG rule can somehow grant Azure resource creation permissions, when only an Azure AD-backed identity like a managed identity can provide credential-free authentication to ARM.

How to eliminate wrong answers

Option B is wrong because a local administrator password is stored on the VM and would be exposed if the VM is compromised; it also cannot authenticate to Azure Resource Manager for creating resources. Option C is wrong because a network security group (NSG) rule controls inbound/outbound traffic at the subnet or NIC level and has no role in authentication or authorization to create Azure resources. Option D is wrong because an Azure paired region is a disaster recovery and replication concept that provides no authentication mechanism for running Azure CLI commands from a VM.

984
MCQ · medium

A subnet NSG contains a deny inbound rule for TCP 3389 from Any at priority 100 and an allow inbound rule for TCP 3389 from 10.4.1.0/24 at priority 200. Admin workstations in 10.4.1.0/24 cannot connect by RDP. What change should the administrator make?

A. Replace the source IP range with an application security group in the allow rule.
B. Change the protocol from TCP to Any in the allow rule.
C. Lower the allow rule priority number so it is evaluated before the deny rule.
D. Add a user-defined route to the subnet so RDP traffic bypasses the NSG.
Answer: C

NSG rules are evaluated from lowest number to highest, so the allow must come first.

Why this answer

The correct answer is C because NSG rules are evaluated in priority order, with lower numbers having higher priority. The deny rule at priority 100 blocks all TCP 3389 traffic from Any, and the allow rule at priority 200 is never reached. Lowering the allow rule's priority number (e.g., to 90) ensures it is evaluated before the deny rule, allowing RDP traffic from 10.4.1.0/24.

Exam trap

The trap here is that candidates often assume allow rules automatically override deny rules, but Azure NSGs use first-match evaluation based on priority numbers, not rule type.

How to eliminate wrong answers

Option A is wrong because replacing the source IP range with an application security group does not change the evaluation order; the deny rule at priority 100 would still block traffic before the allow rule is evaluated. Option B is wrong because changing the protocol from TCP to Any in the allow rule would not resolve the priority issue; the deny rule at priority 100 still blocks all TCP 3389 traffic, and the allow rule would only apply to non-TCP protocols, which is irrelevant for RDP. Option D is wrong because user-defined routes (UDRs) control traffic routing, not NSG rule evaluation; NSGs are stateful and apply to all traffic entering or leaving a subnet regardless of routing, so a UDR cannot bypass NSG rules.

985
MCQ · hard

Your company stores departmental documents in an Azure file share. Users need to be able to recover previous versions of files that were deleted or modified accidentally. You need a solution that supports recovery at the file share level without deploying additional virtual machines. What should you configure?

A. Enable blob versioning.
B. Configure Azure File Sync cloud tiering.
C. Create share snapshots for the Azure file share.
D. Enable immutable blob storage.
Answer: C

Share snapshots provide point-in-time recovery for Azure Files without adding extra infrastructure.

Why this answer

Option C is correct because Azure file share snapshots provide point-in-time, read-only copies of the entire file share, allowing users to recover previous versions of files that were deleted or modified accidentally. This feature operates at the file share level without requiring any additional virtual machines, making it a straightforward and cost-effective solution for version recovery.

Exam trap

The trap here is that candidates often confuse blob versioning (a Blob Storage feature) with file share snapshots (an Azure Files feature), or they mistakenly think cloud tiering or immutable storage can serve as a version recovery mechanism, when in fact they serve entirely different purposes.

How to eliminate wrong answers

Option A is wrong because blob versioning is a feature of Azure Blob Storage, not Azure Files; it cannot be applied to an Azure file share. Option B is wrong because Azure File Sync cloud tiering is designed to optimize storage by caching frequently accessed files locally and tiering cold data to the cloud, not for providing version recovery capabilities. Option D is wrong because immutable blob storage is used to prevent data from being deleted or modified for a specified retention period (WORM policy), which does not support recovery of previous versions after accidental deletion or modification.

986
MCQ · hard

A project team has 12 operators who need to read resource properties and restart only the virtual machines in one application resource group. Access should be removed automatically when an operator leaves the team, and any new VMs added to that resource group should inherit the same access without further changes. What should the administrator configure?

A. Assign the role directly to each operator at the resource group scope.
B. Create an Entra ID group, add the operators to it, and assign a custom least-privilege role to the group at the resource group scope.
C. Assign Virtual Machine Contributor to the team at the subscription scope.
D. Use a resource lock and add the operators as lock owners.
Answer: B

Using a group makes access management dynamic, because removing someone from the group immediately removes their effective permissions. Assigning the role at the resource group scope also ensures any new VM in that group inherits the access automatically, while a custom role can keep permissions limited to read and restart actions.

Why this answer

Option B is correct because it uses an Entra ID group to manage access, which allows automatic removal of operators from the group when they leave the team, and any new VMs added to the resource group will inherit the role assignment at the resource group scope. A custom least-privilege role ensures operators can only read resource properties and restart VMs, meeting the specific requirements without over-permissioning.

Exam trap

The trap here is that candidates often confuse resource locks with RBAC permissions, thinking locks can control access, or they overlook the need for a group-based approach to meet the automatic access removal requirement, instead choosing direct assignments or overly broad subscription-level roles.

How to eliminate wrong answers

Option A is wrong because assigning the role directly to each operator requires manual updates when an operator leaves or joins, failing the automatic access removal requirement. Option C is wrong because assigning Virtual Machine Contributor at the subscription scope grants excessive permissions to all VMs in the subscription, not just the application resource group, and does not provide a least-privilege custom role. Option D is wrong because a resource lock prevents accidental deletion or modification of resources but does not grant any permissions to read properties or restart VMs; lock owners only manage the lock itself, not access to the VMs.

987
Multi-Select · hard

A contractor is a member of an Entra security group that has a PIM-eligible Contributor assignment on a resource group. The contractor sees the role in the portal, but deployment fails with a role not active message. The activation policy requires justification, MFA, and manager approval. Which two actions are required before the deployment succeeds? Select two.

A. Activate the eligible role assignment in Privileged Identity Management.
B. Complete the configured activation requirements, such as justification, MFA, and manager approval.
C. Add the contractor directly to the subscription Owner role to bypass the eligibility workflow.
D. Wait for Azure Policy compliance evaluation to finish before trying again.
E. Remove the user from the security group and add them back so the role becomes active.
Answers: A, B

An eligible assignment does not grant active access until the user activates it. Seeing the role in the portal only means the assignment exists; it does not mean it is currently effective. Activation is the first required step to make the permissions usable.

Why this answer

Option A is correct because the contractor has a PIM-eligible role assignment, which means the role is not active until the user activates it through Privileged Identity Management. Activation is a prerequisite for the role to be effective, and without it, any deployment requiring the Contributor role will fail with a 'role not active' message.

Exam trap

The trap here is that candidates often assume an eligible role assignment is immediately usable, but PIM requires explicit activation with all configured requirements before the role becomes effective for deployments.

988
MCQ · medium

A web tier must use identical VMs, keep the desired instance count if one instance becomes unhealthy, and allow future horizontal expansion without creating VMs one by one. What should the administrator deploy?

A. An availability set because it automatically replaces unhealthy instances.
B. A virtual machine scale set with health-based instance management.
C. An Azure Dedicated Host to keep the VMs on one physical server.
D. A proximity placement group to ensure the VMs are distributed evenly.
Answer: B

A virtual machine scale set provides a managed pool of identical VMs and is the right choice when you want Azure to maintain instance count and support horizontal growth. It works well for web tiers because the platform can replace unhealthy instances and let you scale up or down as demand changes. This removes the need to create and maintain each VM individually.

Why this answer

A virtual machine scale set with health-based instance management is correct because it automatically maintains a desired number of identical VM instances, replaces unhealthy instances based on health probes, and supports horizontal scaling without manual VM creation. This aligns with the requirements for identical VMs, automatic instance replacement, and future expansion.

Exam trap

The trap here is that candidates often confuse an availability set's fault domain protection with automatic instance replacement, not realizing that availability sets only provide redundancy, not health-based remediation.

How to eliminate wrong answers

Option A is wrong because an availability set does not automatically replace unhealthy instances; it only provides high availability by distributing VMs across fault domains and update domains, but instance replacement requires manual intervention or additional automation. Option C is wrong because an Azure Dedicated Host places VMs on a single physical server for compliance or licensing, but it does not provide automatic instance replacement or scaling capabilities. Option D is wrong because a proximity placement group ensures VMs are physically close for low latency, but it does not manage instance health or enable horizontal scaling without manual VM creation.

989
MCQ · medium

You need to reduce compute cost for a development virtual machine that is used only during business hours on weekdays. Which option provides the most direct built-in cost optimization?

A. Place the VM in an availability set.
B. Enable auto-shutdown on the VM.
C. Convert the OS disk to premium SSD v2.
D. Create a site-to-site VPN.
Answer: B

Auto-shutdown stops the VM on a schedule and directly reduces unnecessary runtime cost.

Why this answer

B is correct because enabling auto-shutdown on the VM directly stops the VM during non-business hours (e.g., evenings and weekends), eliminating compute costs (which are billed per second while the VM is running). This is a built-in Azure feature that requires no additional infrastructure or manual intervention, making it the most direct cost-optimization method for a development VM with a predictable usage schedule.

Exam trap

The trap here is that candidates may confuse high-availability features (availability sets) or connectivity features (VPN) with cost optimization, or mistakenly think upgrading to premium storage reduces costs, when in fact the most direct built-in method for compute cost reduction is stopping the VM during idle periods via auto-shutdown.

How to eliminate wrong answers

Option A is wrong because placing the VM in an availability set provides high availability by distributing VMs across fault and update domains, but it does not reduce compute costs—it may even increase costs if multiple VMs are required. Option C is wrong because converting the OS disk to premium SSD v2 increases storage cost (premium SSD v2 is more expensive per GB than standard HDD/SSD) and does not affect compute (vCPU/memory) billing; it is a performance upgrade, not a cost-saving measure. Option D is wrong because creating a site-to-site VPN establishes encrypted connectivity between on-premises and Azure, incurring VPN gateway hourly charges and data transfer costs, with no impact on the VM's compute billing.

990
MCQ · medium

A company has a hub VNet and two peered spoke VNets, AppSpoke and DataSpoke. Both spokes can reach on-premises networks through the hub gateway. The app VM in AppSpoke must connect privately to the data VM in DataSpoke without using the internet or sending traffic on-premises first. What should the administrator do?

A. Add an NSG rule that allows traffic from AppSpoke to DataSpoke.
B. Enable gateway transit on both spoke peerings.
C. Create a direct VNet peering between AppSpoke and DataSpoke.
D. Add a user-defined route in AppSpoke pointing DataSpoke traffic to the hub gateway.
Answer: C

Azure VNet peering is not transitive. If two spoke VNets must communicate directly, they need a direct peering between them or another routing design such as an appliance. Because the requirement is simply private connectivity between the app and data VNets, direct peering is the simplest and correct fix. The existing hub peering does not provide that spoke-to-spoke path.

Why this answer

Option C is correct because a direct VNet peering between AppSpoke and DataSpoke establishes a private, low-latency connection between the two VNets without routing traffic through the hub gateway or on-premises networks. This satisfies the requirement for a private connection that does not use the internet or traverse on-premises, as VNet peering uses the Microsoft backbone infrastructure.

Exam trap

The trap here is that candidates often assume gateway transit (Option B) enables direct spoke-to-spoke communication, but it only allows spokes to use the hub’s gateway for on-premises connectivity, not for inter-spoke traffic without going through the hub.

How to eliminate wrong answers

Option A is wrong because NSG rules only filter traffic at the subnet or NIC level; they do not enable connectivity between VNets. Without a routing path, an NSG rule cannot allow traffic that has no route. Option B is wrong because enabling gateway transit on spoke peerings allows spokes to use the hub’s VPN gateway to reach on-premises networks, but it does not create a direct path between spokes; traffic would still flow through the hub, which may route it on-premises.

Option D is wrong because adding a user-defined route pointing DataSpoke traffic to the hub gateway forces traffic through the hub, which could then route it on-premises, violating the requirement to avoid sending traffic on-premises first.

991
MCQ · easy

A team has an approved Windows VM that already includes patches, a monitoring agent, and line-of-business software. They want future VMs to start from that same build. What should they use?

A. A custom image
B. A snapshot of the OS disk
C. An availability set
D. A larger VM size
Answer: A

A custom image is the best option when you want future VMs to start from an approved, preconfigured build. The image captures the operating system plus installed software and settings so you can deploy consistent new VMs from the same baseline. This is a common way to standardize environments and speed up repeat deployments.

Why this answer

A custom image captures the exact state of a VM, including installed patches, monitoring agents, and line-of-business software, allowing you to create multiple identical VMs from that golden image. Unlike a snapshot, which is tied to a specific disk and requires manual steps to create a VM, a custom image is stored as a managed image resource that can be used directly during VM provisioning via the Azure portal, CLI, or ARM templates.

Exam trap

The trap here is confusing a snapshot (which is a disk-level backup) with a custom image (which is a deployable template that includes the OS and all software), leading candidates to choose the snapshot option because they think it can be used directly to create a VM with the same configuration.

How to eliminate wrong answers

Option B is wrong because a snapshot of the OS disk is a point-in-time copy of a disk, not a deployable image; you would need to create a managed disk from the snapshot and then attach it to a new VM, which does not provide the streamlined, repeatable deployment process of a custom image. Option C is wrong because an availability set is a logical grouping of VMs for high availability and fault tolerance, not a mechanism to capture or replicate a VM configuration or software state. Option D is wrong because a larger VM size changes the hardware resources (vCPUs, memory) but does not capture or replicate the software configuration, patches, or agents installed on the original VM.

992
MCQ · medium

A web application on a VM is failing on TCP 8443. The administrator wants to capture packets on the VM NIC to inspect retransmissions and handshake details after the test run. Which Network Watcher capability should be used?

A.IP flow verify
B.Connection troubleshoot
C.Packet capture
D.Effective routes
Answer: C

Packet capture records network traffic on the VM NIC so the administrator can analyze the exchange later. It is the right choice when the problem may involve retransmissions, handshake failures, or other packet-level behavior rather than only a routing or NSG question.

Why this answer

Packet capture in Network Watcher allows you to capture network traffic to and from a VM, including TCP retransmissions and handshake details (SYN, SYN-ACK, ACK). This is the correct tool for inspecting raw packets after a test run to diagnose issues like failed connections on TCP 8443.

Exam trap

The trap here is that candidates confuse IP flow verify or Connection troubleshoot with packet capture, not realizing that only packet capture provides raw packet data for analyzing retransmissions and handshake details.

How to eliminate wrong answers

Option A is wrong because IP flow verify checks if traffic is allowed or denied by NSG rules for a specific 5-tuple, but it does not capture packets or inspect retransmissions or handshake details. Option B is wrong because Connection troubleshoot tests connectivity and latency between a VM and a destination, but it does not provide packet-level capture for post-run analysis of retransmissions or handshake details. Option D is wrong because Effective routes shows the effective routing table for a VM, which is useful for routing issues but irrelevant for inspecting packet retransmissions or TCP handshake details.

993
MCQ (hard)

A legal department keeps signed contract scans in a blob container. The files are almost never opened, but when a reviewer requests one, it must be available later the same day and then stay online for about three days while the review is completed. The team wants the lowest ongoing storage cost during that review window. What should the administrator do?

A.Leave the blob in Archive and download it directly when needed
B.Rehydrate the blob to the Cool tier with standard priority
C.Copy the blob to the Hot tier permanently before the review starts
D.Change the storage account replication to GZRS to make archived data readable
Answer: B

Rehydrating to Cool makes the blob online again while keeping read costs lower than Hot for a short-term review period. Standard priority is appropriate when the request can wait several hours and does not require expedited restoration. This choice balances availability and cost for a blob that will be accessed briefly and infrequently.

Why this answer

Option B is correct because rehydrating the blob from Archive to the Cool tier with standard priority meets the requirement of making the file available later the same day (standard priority rehydration completes within 1–15 hours) and provides the lowest ongoing storage cost during the three-day review window, as Cool tier is cheaper than Hot tier for data that is infrequently accessed.

Exam trap

The trap here is that candidates may think Archive blobs can be directly downloaded or that changing replication settings makes archived data accessible, but in reality, Archive blobs must be explicitly rehydrated to an online tier before any read operation is possible.

How to eliminate wrong answers

Option A is wrong because downloading a blob directly from the Archive tier is not possible; the blob must first be rehydrated (changed to an online tier like Cool or Hot) before it can be read or downloaded. Option C is wrong because copying the blob to the Hot tier permanently incurs higher storage costs than necessary; the Cool tier is sufficient for the three-day review window and costs less. Option D is wrong because changing the storage account replication to GZRS does not make archived data readable; GZRS provides geo-redundancy for online tiers, but Archive blobs remain offline and must be rehydrated regardless of replication setting.

994
MCQ (medium)

An administrator is deploying a site-to-site VPN gateway in the Azure portal. The deployment fails validation because the gateway does not have a public-facing address to terminate the tunnel. What must be created and associated with the VPN gateway?

A.A load balancer frontend IP configuration in front of the gateway subnet.
B.A public IP address resource associated with the VPN gateway.
C.A NAT gateway attached to GatewaySubnet.
D.A private endpoint for the virtual network gateway resource.
Answer: B

Azure VPN gateways require a public IP address resource so the on-premises VPN device can establish the tunnel to a known public endpoint. The gateway is deployed in GatewaySubnet, and the public IP is attached as part of the gateway configuration. Without that resource, the VPN gateway cannot be created successfully.

Why this answer

A site-to-site VPN gateway in Azure requires a public IP address to terminate the IPSec tunnel from the on-premises device. The public IP address resource must be created and associated with the VPN gateway during deployment; without it, the gateway has no routable endpoint for the tunnel, causing validation to fail.

Exam trap

The trap here is that candidates often confuse the public IP requirement with other networking components like load balancers or NAT gateways, mistakenly thinking those can provide the necessary public endpoint for VPN tunnel termination.

How to eliminate wrong answers

Option A is wrong because a load balancer frontend IP configuration is used for distributing traffic to backend pools, not for terminating VPN tunnels; VPN gateways require a dedicated public IP, not a load balancer. Option C is wrong because a NAT gateway is used for outbound SNAT of virtual network traffic, not for providing a public endpoint for VPN tunnel termination; attaching a NAT gateway to GatewaySubnet does not satisfy the public IP requirement for the VPN gateway. Option D is wrong because a private endpoint is used to privately connect to Azure PaaS services over a private IP, not to provide a public-facing address; the VPN gateway needs a public IP, not a private endpoint.

995
MCQ (hard)

You need to suppress alert notifications for a group of virtual machines every Sunday during a planned maintenance window, without deleting the underlying alert rules. What should you configure?

A.Disable diagnostic settings during the maintenance window.
B.Create an alert processing rule for the maintenance window.
C.Delete and recreate the alert rules every week.
D.Move the VMs to a different subscription on Sundays.
Answer: B

An alert processing rule suppresses notifications on the Sunday schedule while leaving the alert rules themselves intact.

Why this answer

An alert processing rule (formerly action rule) allows you to apply actions or suppress notifications for specific alert rules during defined time windows without modifying the underlying alert rules. By configuring a suppression action rule for the maintenance window (every Sunday), you can prevent notifications from being sent while the alert rules remain active and continue to evaluate conditions.

Exam trap

The trap here is that candidates may confuse disabling diagnostic settings (which stops data collection) with suppressing notifications, or think that modifying the underlying alert rule is required, when Azure provides a dedicated alert processing rule feature for this exact scenario.

How to eliminate wrong answers

Option A is wrong because disabling diagnostic settings would stop the collection of metrics and logs, which would prevent alert rules from evaluating conditions at all, rather than just suppressing notifications. Option C is wrong because deleting and recreating alert rules every week is inefficient, error-prone, and unnecessary; alert processing rules provide a native, automated way to suppress notifications without touching the rules themselves. Option D is wrong because moving VMs to a different subscription would change the resource scope and potentially break existing alert rules, and it is not a practical or supported method for temporarily suppressing notifications.

996
MCQ (hard)

An enterprise has a management group named Corp. Corp contains two child management groups: Prod and Sandbox. A compliance auditor is a member of an Entra ID group and must have read-only access to every current and future resource in all subscriptions that are under Prod. The auditor must not see resources in Sandbox, and the admin does not want to maintain separate assignments for each new subscription. What should the administrator do?

A.Assign the Reader role to the group at each subscription scope under Prod.
B.Assign the Reader role to the group at the Corp management group scope.
C.Assign the Reader role to the group at the Prod management group scope.
D.Assign the Reader role to the group at one resource group in each Prod subscription.
Answer: C

A role assignment at the Prod management group scope inherits to all subscriptions, resource groups, and resources beneath that management group, including future subscriptions placed there later. It also stays limited to Prod, so Sandbox remains outside the auditor's visibility.

Why this answer

Option C is correct because assigning the Reader role at the Prod management group scope applies that permission to all current and future subscriptions and resources within Prod, satisfying the requirement for read-only access without needing separate assignments. Management groups in Azure provide a hierarchical scope that inherits role assignments to all child subscriptions and resource groups, making this the most efficient and future-proof approach.

Exam trap

The trap here is that candidates may choose Option B (assign at Corp scope) thinking it covers all subscriptions, but they overlook that it would also grant access to Sandbox, failing the requirement to restrict the auditor to Prod only.

How to eliminate wrong answers

Option A is wrong because assigning the Reader role at each subscription scope under Prod would require manual maintenance for every new subscription, violating the requirement to avoid separate assignments. Option B is wrong because assigning the Reader role at the Corp management group scope would grant read-only access to all subscriptions under both Prod and Sandbox, which the auditor must not see. Option D is wrong because assigning the Reader role at one resource group in each Prod subscription would only grant access to that specific resource group, not to all resources in the subscription, and would still require separate assignments for each subscription.

997
MCQ (hard)

An analytics team keeps quarterly telemetry exports in Azure Blob Storage. The files are accessed only a few times per year, but when they are needed they must remain online and immediately readable without any rehydration delay. Which access tier should you use?

A.Hot, because it is optimized for frequent reads and writes.
B.Cool, because it is designed for infrequently accessed data that still stays online.
C.Cold, because it is intended for rarely accessed online data with lower storage cost.
D.Archive, because it is the cheapest tier and can be opened directly in the portal.
Answer: C

Cold is the best match because the data must remain online and readable immediately, yet is accessed only a few times per year. That makes Archive inappropriate because Archive requires rehydration before reading. Cold gives the team an online tier with lower storage cost than the hotter tiers, while preserving immediate access when an analyst needs the files.

Why this answer

The Cold tier is designed for data that is rarely accessed but must remain online with immediate read access, offering lower storage costs than Cool or Hot tiers while avoiding the rehydration delay of Archive. The scenario specifies files are accessed only a few times per year but must be immediately readable without any rehydration delay, which matches Cold tier's purpose of providing online access with no latency for infrequent reads.

Exam trap

The trap here is that candidates confuse 'rarely accessed' with 'Archive tier,' forgetting that Archive requires rehydration and is not immediately readable, while Cold tier provides online access with lower storage cost for data accessed only a few times per year.

How to eliminate wrong answers

Option A is wrong because the Hot tier is optimized for frequent reads and writes, which would incur higher storage costs for data accessed only a few times per year. Option B is wrong because the Cool tier is designed for infrequently accessed data (typically accessed every 30 days or so), but its storage cost is higher than Cold, making it suboptimal for quarterly access patterns. Option D is wrong because the Archive tier, while cheapest, requires rehydration (taking hours) before data can be read, violating the requirement for immediate readability without delay.

998
MCQ (medium)

An operations team must administer Windows and Linux VMs that have no public IP addresses. They want to connect from a browser without installing a VPN client and without exposing RDP or SSH to the internet. Which Azure service should they deploy?

A.Azure Load Balancer
B.Azure Bastion
C.VPN Gateway point-to-site only
D.Application Gateway
Answer: B

Azure Bastion provides secure browser-based RDP and SSH access to VMs in a virtual network without needing public IP addresses on the VMs. It also avoids exposing management ports directly to the internet and does not require the user to install a VPN client. This makes it a strong fit for controlled administrative access in locked-down environments.

Why this answer

Azure Bastion provides secure, seamless RDP and SSH connectivity to virtual machines directly from the Azure portal over TLS, without requiring a public IP address on the VM, a VPN client, or exposing RDP/SSH ports to the internet. It uses a hardened bastion host inside the virtual network, proxying connections via the browser, which satisfies the requirement for browser-based access without additional client software.

Exam trap

The trap here is that candidates often confuse Azure Bastion with a VPN gateway or jump box, mistakenly thinking a VPN client or public IP is required for administrative access, when Bastion eliminates both by proxying connections directly from the Azure portal.

How to eliminate wrong answers

Option A is wrong because Azure Load Balancer distributes inbound traffic across backend resources but does not provide secure administrative access to VMs; it operates at Layer 4 (TCP/UDP) and cannot proxy RDP/SSH sessions through a browser. Option C is wrong because VPN Gateway point-to-site requires installing a VPN client on each connecting device and does not offer browser-based access; it also exposes the VPN endpoint to the internet. Option D is wrong because Application Gateway is a Layer 7 HTTP/HTTPS load balancer and web application firewall, not designed for RDP/SSH proxying; it cannot provide browser-based administrative connectivity to VMs.

999
MCQ (medium)

A platform team runs an internal automation tool that must restart VMs and read network interface settings in one resource group. Built-in roles available to the team are broader than the access they want to grant. What should the administrator create?

A.A custom role with only the required compute and read permissions, assigned at the resource group scope.
B.The Contributor role assigned at the subscription scope.
C.The Reader role assigned at the resource group scope.
D.The Network Contributor role assigned at the resource group scope.
Answer: A

A custom role lets the administrator grant only the specific actions the tool needs (VM restart and network interface read), and only within the one resource group.

Why this answer

Option A is correct because the team needs only specific actions (restart VMs and read network interface settings) within a single resource group. Creating a custom role with only the required compute and read permissions, assigned at the resource group scope, follows the principle of least privilege and avoids granting broader access than necessary. Built-in roles like Contributor or Network Contributor include extra permissions (e.g., write, delete) that are not needed.

Exam trap

The trap here is that candidates often choose a built-in role like Contributor or Network Contributor because they see 'restart' or 'network' in the name, without realizing these roles include excessive permissions that violate the principle of least privilege.

How to eliminate wrong answers

Option B is wrong because the Contributor role at subscription scope grants write and delete permissions on all resources in the subscription, far exceeding the required actions and violating least privilege. Option C is wrong because the Reader role at resource group scope provides read-only access to all resources but does not include the 'Microsoft.Compute/virtualMachines/restart/action' permission needed to restart VMs. Option D is wrong because the Network Contributor role at resource group scope includes write permissions for network resources (e.g., create/delete network interfaces) but lacks the compute restart action, and it also grants broader network permissions than needed.

1000
MCQ (medium)

An application team plans to store block blobs for application logs, lifecycle them to cooler tiers over time, and use Azure Monitor diagnostic exports from several Azure resources into the same storage account. They also want access tier controls and general-purpose features in one place. Which storage account type should the administrator create?

A.BlobStorage account, because it is optimized for storing only unstructured blobs.
B.StorageV2 general-purpose account, because it supports blobs, tiering, and broad Azure integrations.
C.FileStorage account, because it supports any Azure diagnostic data format and access tiers.
D.BlockBlobStorage account, because it is required whenever logs are exported from Azure Monitor.
Answer: B

A StorageV2 account is the standard choice when you need blob capabilities, access tiers, lifecycle policies, and broad service integration. It supports common operational tasks without limiting the team to a specialized storage type.

Why this answer

A StorageV2 general-purpose account (B) is the correct choice because it supports block blobs, lifecycle management policies for tiering to cool, cold, and archive tiers, and integrates seamlessly with Azure Monitor diagnostic exports. Unlike specialized accounts, StorageV2 provides a unified platform for blobs, files, queues, and tables, meeting the team's need for access tier controls and general-purpose features in one place.

Exam trap

The trap here is that candidates often assume any blob-specific account (like BlobStorage or BlockBlobStorage) is sufficient for diagnostic exports, but Azure Monitor requires a general-purpose v2 account to properly create the necessary containers and support lifecycle management policies.

How to eliminate wrong answers

Option A is wrong because a BlobStorage account is a legacy account type that lacks support for Azure Monitor diagnostic exports and does not offer the full set of general-purpose features like queues or tables. Option C is wrong because a FileStorage account is optimized exclusively for Azure Files SMB shares and does not support blob storage, access tiers, or diagnostic log exports. Option D is wrong because a BlockBlobStorage account is a premium-performance account for low-latency workloads and does not support lifecycle management policies or the broad Azure integrations required for diagnostic exports.

1001
MCQ (medium)

A VM in a virtual network must access an Azure Storage account over a private IP address, and the storage account's public endpoint must be disabled. Name resolution from the VM should resolve the storage name to the private IP. Which configuration should you use?

A.Service endpoint on the subnet plus public DNS, because the storage account will expose a private IP automatically.
B.Private endpoint with a private DNS zone linked to the virtual network.
C.Network security group rules only, because they can force traffic to use private addressing.
D.Storage account firewall rules with Allow trusted Microsoft services, because that gives a private address path.
Answer: B

A private endpoint places the storage service behind a private IP address in your virtual network, which is exactly what the scenario requires. Linking a private DNS zone ensures the storage account name resolves to that private IP from resources inside the VNet. Together, these settings provide private network access and allow you to disable the public endpoint safely.

Why this answer

Option B is correct because a private endpoint assigns a private IP from the virtual network to the storage account, effectively bringing the service into the VNet. By linking a private DNS zone to the virtual network, the VM's DNS resolution for the storage account name returns the private IP instead of the public endpoint, satisfying both the private connectivity and public endpoint disablement requirements.

Exam trap

The trap here is confusing service endpoints (which only provide source IP preservation and routing via the public endpoint) with private endpoints (which provide a true private IP and can disable the public endpoint), leading candidates to choose option A.

How to eliminate wrong answers

Option A is wrong because a service endpoint does not assign a private IP to the storage account; it only extends the VNet's identity to the service, and the storage account still uses its public endpoint, which cannot be disabled in this configuration. Option C is wrong because NSG rules control traffic filtering, not IP address assignment or DNS resolution; they cannot force the storage account to use a private IP or disable its public endpoint. Option D is wrong because storage account firewall rules with 'Allow trusted Microsoft services' only permit specific traffic to the public endpoint, but do not provide a private IP path or disable the public endpoint; the VM would still resolve the storage name to the public IP.

1002
Multi-Select (easy)

Which two statements about Azure route tables and user-defined routes are correct? Select two.

Select 2 answers
A.You can associate a route table with a subnet.
B.A user-defined route can send traffic to a virtual appliance as the next hop.
C.Route tables can be associated directly to a single virtual machine without using its subnet.
D.A user-defined route automatically overrides a network security group deny rule.
E.System routes are never used when a route table exists.
Answers: A, B

Correct because Azure associates route tables, and the user-defined routes they contain, with subnets rather than directly with individual virtual machines.

Why this answer

Option A is correct because route tables in Azure are associated at the subnet level, not directly to a virtual machine. This association allows the route table's user-defined routes (UDRs) to override system default routes for traffic leaving that subnet. The subnet must be in the same region as the route table, and a single route table can be associated with multiple subnets.

Exam trap

The trap here is that candidates often confuse the scope of route table association (subnet vs. VM) and assume UDRs can override NSG rules, when in fact routing and firewall filtering are separate layers in Azure's networking stack.

1003
Matching (easy)

Match each Azure Storage redundancy option to the best description.


Matches

LRS: Stores three copies of data within one Azure datacenter.

ZRS: Stores copies across multiple availability zones in one region.

GRS: Replicates data to a secondary region, but the secondary copy is not readable.

RA-GRS: Replicates data to a secondary region and allows read access to that secondary copy.

GZRS: Combines zone redundancy in the primary region with geo-replication to a secondary region.

RA-GZRS: Combines zone redundancy and geo-replication, with readable access to the secondary region.

Why these pairings

Each redundancy option provides increasing durability and availability: LRS is the lowest-cost option, ZRS protects against a zone failure, GRS adds geo-replication, RA-GRS allows reads from the secondary region, GZRS combines zone redundancy with geo-replication, and RA-GZRS adds read access to the secondary region.

1004
Multi-Select (easy)

A VM was corrupted and the team wants to recover it from Azure Backup without using the original damaged disks. Which two restore targets are supported? Select two.

Select 2 answers
A.Create a new virtual machine
B.Restore the managed disks
C.Change the subscription automatically
D.Replace the Recovery Services vault name
E.Rebuild the virtual network
Answers: A, B

Azure Backup can restore a protected VM as a new VM during recovery.

Why this answer

Option A is correct because Azure Backup supports restoring a VM to a new virtual machine directly from the recovery point, which creates a new VM with the same configuration and data without using the original damaged disks. This is a common restore workflow when the original VM is corrupted or inaccessible.

Exam trap

The trap here is that candidates often assume 'Replace existing VM' is an option, but Azure Backup does not support in-place restoration of a corrupted VM; you must restore to a new VM or to managed disks, then manually swap disks or reconfigure.

1005
MCQ (hard)

A Windows VM and a Linux VM in the same on-premises Active Directory Domain Services domain must mount the same Azure Files share over SMB. Security policy forbids storage account keys and long-lived SAS tokens. What should the administrator configure?

A.Use Azure Files with Active Directory Domain Services authentication and grant permissions to the required AD group.
B.Use a private endpoint and rely on network isolation instead of authentication.
C.Use the storage account access key because SMB requires shared-key authentication.
D.Use Azure Files NFS authentication because Linux and Windows workloads can both mount it.
Answer: A

This provides password-based domain authentication for SMB access without using storage keys or SAS. Both Windows and Linux clients can mount the share when they are domain joined and the share permissions are assigned correctly.

Why this answer

Option A is correct because Azure Files supports identity-based authentication over SMB using on-premises Active Directory Domain Services (AD DS). By enabling AD DS authentication for the storage account and granting share-level permissions to an AD group that includes both the Windows and Linux VMs, the administrator can mount the Azure Files share without using storage account keys or SAS tokens. This satisfies the security policy while allowing SMB access from both operating systems.

Exam trap

The trap here is that candidates may assume NFS is the only cross-platform option for Linux and Windows, overlooking that Azure Files SMB with AD DS authentication supports both operating systems when domain-joined.

How to eliminate wrong answers

Option B is wrong because a private endpoint provides network isolation but does not replace authentication; the share still requires an authentication mechanism such as AD DS, keys, or SAS tokens. Option C is wrong because using the storage account access key violates the security policy that explicitly forbids storage account keys and long-lived SAS tokens. Option D is wrong because Azure Files NFS does not support SMB protocol; NFS and SMB are different protocols, and the question specifies SMB mounting, so NFS authentication is irrelevant.

1006
MCQ (hard)

A stateless web app runs on two Ubuntu VMs behind an Azure Load Balancer. The region supports availability zones. The business wants the app to survive a full datacenter outage and also avoid having both VMs on the same maintenance boundary. Which deployment should you choose?

A.Place both VMs in a single availability set.
B.Deploy one VM and rely on Azure Backup for recovery.
C.Place the VMs in separate availability zones in the same region.
D.Deploy both VMs without any fault-domain configuration.
Answer: C

Availability zones place workloads in physically separate datacenters within the same region. That design protects against a full zone or datacenter outage and also gives you a stronger isolation boundary than an availability set. Because the app has two VMs behind a load balancer, you can distribute them across zones and maintain service if one zone becomes unavailable.

Why this answer

Option C is correct because deploying the VMs in separate availability zones ensures they are placed in physically distinct datacenters within the same region, protecting against a full datacenter outage. Additionally, each availability zone has its own fault and update domains, so the VMs will never share the same maintenance boundary, meeting both business requirements.

Exam trap

The trap here is that candidates often confuse availability sets (which protect within a datacenter) with availability zones (which protect across datacenters), and fail to recognize that only zones can survive a full datacenter outage while also avoiding shared maintenance boundaries.

How to eliminate wrong answers

Option A is wrong because an availability set only protects against failures within a single datacenter by distributing VMs across fault domains and update domains, but it cannot survive a full datacenter outage. Option B is wrong because relying on Azure Backup for recovery does not provide high availability; it only enables data recovery after a failure, resulting in significant downtime and potential data loss. Option D is wrong because deploying both VMs without any fault-domain configuration means they could be placed on the same physical host or rack, making them vulnerable to simultaneous failure from a single hardware or maintenance event.

1007
MCQ (easy)

Based on the exhibit, which lock should the administrator apply so resources can still be updated but cannot be deleted by mistake?

A.ReadOnly lock
B.CanNotDelete lock
C.Subscription lock
D.Management group lock
Answer: B

CanNotDelete is the correct lock when the organization wants to allow configuration changes but prevent accidental deletion. It protects the resource group and its resources from delete operations while still letting administrators update settings and perform normal management tasks.

Why this answer

The CanNotDelete lock (option B) is correct because it allows all operations including updates and reads, but explicitly prevents deletion of the resource. This meets the requirement that resources can still be updated but cannot be deleted by mistake. Azure resource locks operate at the scope level and override any role-based permissions, ensuring that even users with Contributor or Owner roles cannot delete the resource while the lock is active.

Exam trap

The trap here is that candidates often confuse the ReadOnly lock with the CanNotDelete lock, mistakenly thinking that a ReadOnly lock still allows updates, when in fact it blocks all write operations including updates, making it unsuitable for the stated requirement.

How to eliminate wrong answers

Option A is wrong because the ReadOnly lock prevents all write operations, including updates, which directly contradicts the requirement that resources must still be updatable. Option C is wrong because a Subscription lock applies to the entire subscription scope, which is overly broad and would affect all resources in the subscription, not just the specific resources the administrator intends to protect. Option D is wrong because a Management group lock applies to all subscriptions within that management group hierarchy, which is also too broad and does not target the specific resources that need to be protected from deletion while allowing updates.

1008
Matching (hard)

Match each routing situation to the next-hop or route-selection behavior Azure will use.


Matches

Add a more specific /32 UDR for that public IP with next hop Internet.

The system route for the peered VNet prefix is more specific than the /8 UDR, so it wins unless a longer UDR is added.

The /24 route wins because Azure chooses the longest matching prefix.

Only resources in Subnet-A are affected; other subnets keep their own system or custom routes.

The /32 host route takes precedence over the broader prefix.

Why these pairings

Azure routing uses system and user-defined routes. Next hop types determine where traffic goes: virtual appliance, VPN gateway, peering, local VNet, or internet. Route selection follows longest prefix match.

1009
MCQ (medium)

A company has 25 remote employees who need to connect from their laptops to Azure VMs that have only private IP addresses. No on-premises VPN appliance exists, and the VMs must not be assigned public IP addresses. Which solution should the administrator deploy?

A.Site-to-site VPN Gateway
B.Point-to-site VPN Gateway
C.ExpressRoute circuit
D.Public load balancer with inbound NAT rules
Answer: B

Point-to-site VPN is designed for individual client devices connecting securely to Azure over encrypted tunnels without a branch appliance. It fits remote users who need access to private Azure resources.

Why this answer

A Point-to-Site (P2S) VPN Gateway is the correct solution because it allows individual remote clients (laptops) to establish a secure VPN connection from anywhere to Azure VMs with private IP addresses, without requiring a public IP on the VMs or an on-premises VPN appliance. P2S uses SSTP, IKEv2, or OpenVPN protocols to create a tunnel from each client to the Azure virtual network, enabling access to private resources.

Exam trap

The trap here is that candidates often confuse Point-to-Site with Site-to-Site VPN, assuming a Site-to-Site VPN can work without an on-premises VPN appliance, or they mistakenly think a public load balancer can provide private access without public IPs on the VMs.

How to eliminate wrong answers

Option A is wrong because a Site-to-Site VPN Gateway requires a VPN appliance on-premises with a public IP address, which the company does not have. Option C is wrong because an ExpressRoute circuit is a dedicated private connection between an on-premises network and Azure, requiring a physical or virtual router at the customer site, and it does not support individual remote client connections without additional VPN components. Option D is wrong because a Public load balancer with inbound NAT rules would require the VMs to have public IP addresses (or be behind a public IP) to receive traffic, which violates the requirement that VMs must not be assigned public IP addresses.

1010
MCQ (easy)

A subnet NSG contains a deny RDP rule from Any at priority 200. The administrator must allow RDP from 10.8.0.0/24 to the virtual machines in that subnet. What should the administrator do?

A.Create an allow rule with a higher priority number than 200.
B.Create an allow rule with a lower priority number than 200.
C.Add a route table entry for TCP 3389.
D.Disable the default security rules on the NSG.
Answer: B

NSG rules are processed in priority order, and the lowest number wins. The allow rule must come before the deny rule.

Why this answer

B is correct because NSG rules are evaluated in priority order, with lower numbers having higher priority. The existing deny rule at priority 200 blocks all RDP traffic. To allow RDP from 10.8.0.0/24, a new allow rule must be created with a priority lower than 200 (e.g., 150) so it is evaluated before the deny rule, permitting the specific traffic.

Exam trap

The trap here is that candidates often confuse priority numbers, thinking a higher number means higher priority, and incorrectly choose option A, or they mistakenly believe route tables can override NSG rules, leading them to option C.

How to eliminate wrong answers

Option A is wrong because a higher priority number (e.g., 300) means lower priority, so the deny rule at 200 would still be evaluated first and block the traffic. Option C is wrong because route tables control traffic routing between subnets or networks, not traffic filtering; NSGs are stateful firewalls that filter traffic based on rules, and adding a route table entry for TCP 3389 does not override NSG deny rules. Option D is wrong because disabling default security rules (e.g., AllowVNetInBound, DenyAllInBound) would remove baseline protections and is unnecessary; the solution is to add a specific allow rule with appropriate priority.

1011
MCQ (medium)

An Azure administrator deploys a Linux VM that runs an application needing to read secrets from Azure Key Vault. The security policy forbids storing passwords, certificates, or access tokens on the VM. The application will run only on this single VM. What should be enabled on the VM?

A.Store a service principal secret in a protected file and use it at startup.
B.Enable a system-assigned managed identity on the VM.
C.Create a user-assigned managed identity and avoid assigning it to the VM.
D.Use an SSH certificate to authenticate the app to Key Vault.
Answer: B

A system-assigned managed identity lets the VM authenticate to Azure resources without storing secrets.

Why this answer

A system-assigned managed identity enables the VM to authenticate to Azure Key Vault without storing any credentials on the VM. Azure automatically creates a service principal in Azure AD for the VM, and the application can obtain an access token from the Azure Instance Metadata Service (IMDS) endpoint (169.254.169.254) using that identity. This satisfies the security policy forbidding stored secrets because the identity is managed entirely by Azure and no passwords, certificates, or tokens are stored locally.

Exam trap

The trap here is that candidates may confuse SSH certificates (used for VM access) with Azure AD authentication tokens, or incorrectly assume that a user-assigned managed identity can be used without assignment to the VM.

How to eliminate wrong answers

Option A is wrong because storing a service principal secret in a protected file on the VM violates the explicit security policy forbidding storing passwords, certificates, or access tokens on the VM. Option C is wrong because a user-assigned managed identity must be assigned to the VM to be used by the application; creating it without assignment provides no authentication capability. Option D is wrong because SSH certificates are used for SSH authentication to the VM itself, not for authenticating an application to Azure Key Vault, and they do not integrate with Azure AD token-based access.

1012
MCQ (easy)

Based on the exhibit, the business wants two Azure VMs to stay available if a host is patched or fails. A full datacenter outage is not part of the requirement. What should you use?

A.Deploy the VMs in an availability set.
B.Deploy the VMs in the same availability zone.
C.Use a virtual machine scale set with autoscale only.
D.Place both VMs on a dedicated host.
Answer: A

An availability set is designed to protect VMs from host-level issues such as planned maintenance and individual hardware failures. It spreads VMs across update and fault domains, which fits the requirement exactly when datacenter-level protection is not needed.

Why this answer

An availability set protects against failures within a single datacenter by distributing VMs across multiple fault domains (physical racks with separate power and network) and update domains (groups that are patched sequentially). This ensures that during host patching or a host failure, at least one VM remains available, meeting the requirement without needing to survive a full datacenter outage.

Exam trap

The trap here is that candidates often confuse availability zones (which protect against datacenter-level failures) with availability sets (which protect against host-level failures), leading them to choose zones even when the requirement explicitly excludes a full datacenter outage.

How to eliminate wrong answers

Option B is wrong because deploying VMs in the same availability zone places them in the same physical datacenter within a region, which does not protect against a host failure or patching event within that zone; availability zones are designed for datacenter-level redundancy, not host-level. Option C is wrong because a virtual machine scale set with autoscale only provides scaling based on demand but does not inherently distribute VMs across fault or update domains unless configured with an availability set or zones, and autoscale alone does not guarantee availability during host patching or failure. Option D is wrong because placing both VMs on a dedicated host means they share the same physical server; if that host is patched or fails, both VMs go down, violating the availability requirement.

1013
MCQ (easy)

A VM named VM01 stopped sending Heartbeat records to Log Analytics 15 minutes ago. Which KQL query should you run to confirm the VM's recent heartbeat entries?

A.Heartbeat | where Computer == "VM01" and TimeGenerated > ago(15m)
B.AzureActivity | where ResourceProviderValue == "Microsoft.Compute/virtualMachines"
C.Heartbeat | summarize count() by Computer
D.Perf | where CounterName == "% Processor Time"
Answer: A

This query filters the Heartbeat table for VM01 entries from the last 15 minutes.

Why this answer

The Heartbeat table in Log Analytics stores records sent by the Azure Monitor Agent (AMA) or Log Analytics agent every 5 minutes by default. Querying Heartbeat with a filter for Computer == 'VM01' and TimeGenerated > ago(15m) directly checks if any heartbeat records were generated in the last 15 minutes, confirming whether the VM is still reporting. This is the correct approach because Heartbeat is the dedicated table for agent health, and the time filter matches the 15-minute window specified in the question.

Exam trap

The trap here is that candidates confuse the Heartbeat table (agent health) with AzureActivity (resource operations) or Perf (performance metrics), assuming any log data can confirm agent connectivity, but only Heartbeat provides the direct, time-stamped signal of agent liveness.

How to eliminate wrong answers

Option B is wrong because AzureActivity logs control-plane operations (e.g., VM start/stop) and does not contain agent heartbeat data; it cannot confirm the VM's recent heartbeat entries. Option C is wrong because it summarizes heartbeat counts by computer without a time filter, so it does not check for records within the last 15 minutes and provides no confirmation of recent activity. Option D is wrong because the Perf table stores performance counters like CPU usage, not heartbeat signals; it cannot verify whether the agent is sending health records.

1014
MCQ (hard)

Based on the exhibit, where should you assign the Reader role so the Auditors group can read every current and future resource in the Sales subscription, including resource groups created later, while not granting access to the Research subscription?

A.Assign Reader to RG-Web, because the group can then inherit access to resources in that resource group only.
B.Assign Reader to the Sales subscription, because subscription-level scope includes all current and future resource groups and resources in that subscription.
C.Assign Reader to the Corp management group, because that is the only scope that can cover multiple subscriptions.
D.Assign Reader to each resource individually, because that avoids inheritance and limits visibility to selected items.
Answer: B

Subscription scope is the narrowest scope that satisfies the requirement. RBAC inheritance flows downward, so a Reader assignment at the Sales subscription applies to all current and future resource groups and resources inside Sales, but it does not grant access to the Research subscription.

Why this answer

Assigning the Reader role at the Sales subscription scope grants the Auditors group read access to all current and future resource groups and resources within that subscription. This is because Azure RBAC roles assigned at a subscription level are inherited by all child resource groups and resources, including those created later. The requirement explicitly excludes the Research subscription, so a subscription-level assignment is the correct and most efficient approach.

Exam trap

The trap here is that candidates often choose the management group scope (Option C) thinking it is necessary to cover multiple subscriptions, but they overlook the requirement to exclude the Research subscription, making the subscription-level scope the only correct choice.

How to eliminate wrong answers

Option A is wrong because assigning Reader to RG-Web only grants access to that specific resource group and its resources, not to all current and future resource groups in the Sales subscription. Option C is wrong because assigning Reader at the Corp management group would grant access to both the Sales and Research subscriptions, violating the requirement to not grant access to Research. Option D is wrong because assigning Reader to each resource individually is impractical and does not cover future resources, and it violates the principle of using inheritance for scalable access management.

1015
MCQ (medium)

A company uses one management group for all production subscriptions. A compliance analyst is a member of an Entra ID group and must view every current and future resource in all production subscriptions, but must not make any changes. Where should you assign the Reader role?

A.Assign Reader to the compliance analyst's user account at each resource group.
B.Assign Reader to the Entra ID group at the management group scope.
C.Assign Reader to one production subscription and rely on inheritance to cover the others.
D.Assign Reader directly to each resource because resource-level assignments always override broader scopes.
Answer: B

This is the best choice because role assignments inherit from management groups down to subscriptions, resource groups, and resources. By assigning Reader to the Entra ID group at the management group level, every current and future production subscription under that hierarchy will inherit read-only access. Using the group also makes access easier to manage when analysts join or leave the team.

Why this answer

Assigning the Reader role to the Entra ID group at the management group scope ensures that all current and future resources in all production subscriptions inherit the role via Azure RBAC inheritance. This meets the requirement to view every resource without making changes, as the management group encompasses all production subscriptions and the group membership automatically grants permissions to the compliance analyst.

Exam trap

The trap here is that candidates often assume they must assign roles at the subscription or resource group level, overlooking the management group scope which provides inheritance across multiple subscriptions and future resources without manual intervention.

How to eliminate wrong answers

Option A is wrong because assigning Reader at each resource group is inefficient, does not cover future resources automatically, and requires manual updates as resources are added. Option C is wrong because assigning Reader to only one subscription does not cover other production subscriptions; RBAC assignments do not inherit across subscriptions, only down within a scope. Option D is wrong because assigning Reader directly to each resource is impractical and unnecessary; resource-level assignments do not override broader scopes but rather add permissions, and the requirement is for a broad, inheritable assignment.

1016
MCQ (easy)

You already created a metric alert rule. You want the alert to send email and call a webhook when it fires. Which component should you link to the alert rule?

A.A diagnostic setting
B.A Log Analytics workspace
C.An action group
D.An Azure Policy initiative
Answer: C

An action group is the notification and automation target for Azure alerts. It can send email, trigger webhooks, and start other actions when the alert fires.

Why this answer

An action group is the correct component because it defines the notification and automation actions (such as sending an email or invoking a webhook) that are triggered when a metric alert rule fires. In Azure Monitor, alert rules are linked to action groups to execute these responses; without an action group, the alert can only log the event but cannot perform any external notification or automation.

Exam trap

The trap here is that candidates often confuse diagnostic settings (which export data) with action groups (which define alert responses), leading them to select A instead of C.

How to eliminate wrong answers

Option A is wrong because a diagnostic setting is used to stream platform logs and metrics to destinations like Log Analytics, Storage, or Event Hubs, not to define alert actions like email or webhook. Option B is wrong because a Log Analytics workspace is a data repository for logs and metrics, not a mechanism for sending notifications or invoking webhooks when an alert fires. Option D is wrong because an Azure Policy initiative is a set of policies for enforcing governance and compliance rules, unrelated to alert notification actions.

1017
Multi-Select (medium)

You manage an Azure virtual network with multiple subnets, including a subnet named 'AppSubnet' that hosts critical application servers. You need to monitor and log network traffic to and from AppSubnet for security analysis. The solution must capture all flow logs without impacting application performance. Which three of the following should you implement? (Choose three.)

Select 3 answers
• Enable Network Watcher flow logs for AppSubnet.
• Deploy a network virtual appliance (NVA) in a transit subnet and route all traffic through it.
• Store the flow logs in an Azure Storage account.
• Enable diagnostic settings on each virtual machine in AppSubnet to log network traffic.
• Configure a retention policy for the flow logs to manage storage costs.
• Install a third-party packet capture agent on each application server.

Why this answer

Network Watcher flow logs capture IP traffic flowing through a subnet, providing security analysis without impacting performance because they are processed by the Azure network fabric, not by the VMs. Storing logs in an Azure Storage account ensures durable, cost-effective retention. Configuring a retention policy is essential to manage storage costs and comply with data lifecycle requirements.

Exam trap

The trap here is that candidates often confuse VM-level diagnostic settings (which log guest OS metrics) with subnet-level flow logs, or they mistakenly believe that deploying an NVA is required for traffic monitoring, when in fact Azure's native Network Watcher flow logs provide a performance-neutral solution.

1018
MCQ (medium)

A development team stores build artifacts in Azure Blob Storage. The artifacts must remain available if one datacenter in the Azure region fails, but the business does not want to pay for replication to another region. Which redundancy option should the administrator select?

A.LRS, because it keeps multiple copies in the same zone and is the cheapest option.
B.ZRS, because it distributes copies across availability zones within the same region.
C.GRS, because it keeps the workload available in two regions at all times.
D.RA-GRS, because it provides zone redundancy and read access in the secondary region.
Answer: B

ZRS is the right choice when you want resilience to a datacenter or zone failure within a region without paying for geo-replication. It stores copies across multiple availability zones, which improves availability while keeping the data in a single region. That matches the requirement to stay regional but survive a datacenter outage.

Why this answer

B is correct because Zone-Redundant Storage (ZRS) synchronously replicates data across three Azure availability zones within the same region, ensuring durability even if one entire datacenter (zone) fails. This meets the requirement of intra-region resilience without incurring the cost of geo-replication to another region.

Exam trap

The trap here is that candidates often confuse ZRS with LRS, thinking LRS provides zone-level redundancy because it uses three copies, but LRS copies are within a single datacenter, not across zones.

How to eliminate wrong answers

Option A is wrong because Locally Redundant Storage (LRS) replicates data three times within a single physical datacenter (one zone), so a full datacenter failure would cause data loss. Option C is wrong because Geo-Redundant Storage (GRS) replicates to a paired secondary region, which violates the requirement to avoid paying for cross-region replication. Option D is wrong because Read-Access Geo-Redundant Storage (RA-GRS) also replicates to a secondary region (like GRS) and adds read access there; it is not a zone-redundant option and incurs cross-region costs.

1019
MCQ (hard)

A legal department keeps evidence files in Azure Blob Storage. The files are accessed only a few times per year, but they must stay online and be immediately readable when requested. The team wants the lowest-cost online tier and does not want a rehydration step. Which tier should you choose?

A.Hot, because it prioritizes immediate access over storage cost.
B.Cool, because it is an online tier for infrequent access.
C.Cold, because it keeps data online and is intended for rarely accessed content.
D.Archive, because it has the lowest cost and can be opened instantly from the portal.
Answer: C

Cold is the right tier because the files must remain immediately readable and cannot be placed into an offline state. The scenario says the data is accessed only a few times per year, so a lower-cost online tier is appropriate. Archive would introduce rehydration delay, which the business explicitly does not want. Cold preserves online availability while reducing storage cost compared with hotter tiers.

Why this answer

The Cold tier is the correct choice because it is an online tier designed for rarely accessed data that must remain immediately readable without a rehydration step. It offers lower storage costs than Hot or Cool while still providing instant access, meeting the requirement for the lowest-cost online tier.

Exam trap

The trap here is that candidates confuse 'lowest cost' with the Archive tier, forgetting that Archive is offline and requires a rehydration step, which violates the requirement for immediate readability without a rehydration step.

How to eliminate wrong answers

Option A is wrong because the Hot tier, while providing immediate access, has the highest storage cost and is intended for frequently accessed data, not the lowest-cost online option. Option B is wrong because the Cool tier is an online tier for infrequent access but has higher storage costs than Cold and is optimized for data accessed more than a few times per year. Option D is wrong because the Archive tier, although the lowest-cost, is an offline tier that requires a rehydration step (which can take hours) before data is readable, violating the requirement for immediate readability without a rehydration step.

1020
Multi-Select (medium)

You are designing a highly available application on Azure that will run on multiple virtual machines. The solution must meet the following requirements:
• Distribute VMs across multiple fault domains and update domains within a single Azure region.
• Guarantee that at least one VM instance is available during planned maintenance.
• Support automatic recovery of VMs if a physical server fails.
• Keep the VMs in the same datacenter to minimize latency.
Which three options should you configure? (Choose three.)

Select 4 answers
• Place the VMs in an availability set.
• Place the VMs in an availability zone.
• Configure the VMs to use managed disks.
• Configure the VMs to use unmanaged disks stored in a single storage account.
• Configure the application to use an Azure Load Balancer with a health probe.
• Configure the VMs to use a proximity placement group.

Why this answer

An availability set distributes VMs across multiple fault domains and update domains within a single Azure region, ensuring that at least one VM instance is available during planned maintenance and that VMs are in the same datacenter to minimize latency. Managed disks are required for VMs in an availability set to support automatic recovery if a physical server fails, as they provide higher durability and independent fault domains. A proximity placement group is needed to guarantee that VMs in the availability set are placed in the same datacenter, minimizing latency between them.

Exam trap

The trap here is that candidates often confuse availability zones with availability sets, not realizing that availability zones separate VMs across different datacenters (increasing latency), while availability sets keep VMs in the same datacenter but across different fault and update domains.

1021
MCQ (hard)

Your company deploys a network virtual appliance (NVA) in a hub subnet. All outbound internet traffic from Subnet-App in a spoke VNet must pass through the NVA for inspection. What should you configure on Subnet-App?

A.A private DNS zone
B.A user-defined route with a next hop of Virtual Appliance
C.A service endpoint for Microsoft.Storage
D.A NAT gateway on the NVA subnet only
Answer: B

This explicitly steers traffic from the subnet to the NVA for inspection.

Why this answer

A user-defined route (UDR) with a next hop of Virtual Appliance forces all outbound traffic from Subnet-App to be forwarded to the NVA for inspection. This overrides Azure's default system route for 0.0.0.0/0, which normally sends internet-bound traffic directly to the internet. By specifying the NVA's private IP as the next hop, you ensure traffic is routed through the hub subnet for inspection before leaving the network.

Exam trap

The trap here is that candidates often confuse a NAT gateway (which translates source IPs) with a route-based forced tunneling solution, or they assume a service endpoint can redirect traffic through an NVA, when in fact service endpoints bypass forced tunneling by design.

How to eliminate wrong answers

Option A is wrong because a private DNS zone is used for custom DNS resolution within a virtual network, not for routing traffic; it does not influence the path of outbound internet traffic. Option C is wrong because a service endpoint for Microsoft.Storage provides direct, optimized connectivity to Azure Storage over the Microsoft backbone, but it does not redirect traffic through an NVA; in fact, it bypasses forced tunneling. Option D is wrong because a NAT gateway on the NVA subnet only provides source network address translation for outbound traffic from that subnet, but it does not force traffic from Subnet-App to route through the NVA; it would only affect the NVA subnet's own outbound traffic.

1022
MCQ (easy)

The platform team wants to block deployment of Azure resources in any region except East US and West US. What should they configure?

A.An Azure Policy assignment that uses an allowed locations policy
B.A Reader role assignment at the management group
C.A CanNotDelete lock on the subscription
D.A tag requirement enforced only by resource group naming
Answer: A

Azure Policy is designed to enforce configuration rules such as approved regions. An allowed locations policy can deny deployments outside East US and West US, which directly matches the requirement. This is governance, not authorization, so RBAC is not the right tool for controlling where resources can be created.

Why this answer

Azure Policy's 'allowed locations' built-in policy definition enables you to restrict the regions where resources can be deployed. By assigning this policy at a management group or subscription scope with a parameter list containing only 'East US' and 'West US', any attempt to deploy resources in other regions will be denied at the Azure Resource Manager level, effectively blocking non-compliant deployments.

Exam trap

The trap here is that candidates often confuse Azure Policy with Azure RBAC roles or resource locks, mistakenly thinking that a Reader role or a CanNotDelete lock can restrict where resources can be deployed, when in fact only Azure Policy can enforce such location-based governance rules.

How to eliminate wrong answers

Option B is wrong because a Reader role assignment grants read-only access to resources but does not enforce any deployment restrictions or location controls. Option C is wrong because a CanNotDelete lock prevents deletion of resources but does not block creation or modification of resources in disallowed regions. Option D is wrong because a tag requirement enforced only by resource group naming is not a native Azure governance feature; tags are metadata and do not prevent deployment in unauthorized regions.

1023
MCQ (easy)

A storage account must be reachable only from resources in one Azure subnet, and traffic must use a private IP rather than the public endpoint. Which configuration should the administrator implement?

A.A service endpoint on the subnet
B.A private endpoint in the subnet
C.A shared access signature scoped to the subnet
D.Allow trusted Microsoft services on the storage firewall
Answer: B

A private endpoint gives the storage service a private IP in the subnet and removes reliance on the public endpoint.

Why this answer

A private endpoint assigns a private IP address from the subnet to the storage account, making it accessible only via that private IP within the virtual network. This ensures traffic never traverses the public endpoint, meeting both the reachability and private IP requirements.

Exam trap

The trap here is confusing service endpoints with private endpoints: both restrict access to a subnet, but only a private endpoint provides a private IP and fully removes traffic from the public endpoint.

How to eliminate wrong answers

Option A is wrong because a service endpoint only extends the public endpoint's route to the subnet but does not provide a private IP; traffic still uses the public endpoint. Option C is wrong because a shared access signature (SAS) is a delegation token for specific resources or operations, not a network access control mechanism, and cannot restrict access to a subnet. Option D is wrong because allowing trusted Microsoft services bypasses the firewall for specific Azure platform services, but does not restrict access to a single subnet or use a private IP.

1024
MCQ (medium)

A company creates new Azure subscriptions every month. Central IT wants all production subscriptions to inherit the same governance baseline automatically, while sandbox subscriptions remain separate. What should the administrator implement?

A.Apply all governance controls individually to each new subscription after it is created.
B.Organize subscriptions under management groups and assign the baseline at the appropriate management group.
C.Use a resource lock on the subscription root.
D.Place all resources into one shared resource group per business unit.
Answer: B

Management groups provide inheritance so new subscriptions automatically receive the assigned governance controls.

Why this answer

Management groups allow hierarchical organization of Azure subscriptions, enabling the assignment of Azure Policy and RBAC at the management group level. By placing all production subscriptions under a dedicated management group and assigning the governance baseline (e.g., Azure Policy initiatives) to that group, new subscriptions automatically inherit the baseline without manual intervention. Sandbox subscriptions remain separate by being placed in a different management group or at the root level without the baseline.

Exam trap

The trap here is confusing resource locks (which protect against accidental deletion/modification) with governance baselines (which enforce compliance via Azure Policy), leading candidates to incorrectly select resource locks as a solution for automatic policy inheritance.

How to eliminate wrong answers

Option A is wrong because manually applying governance controls to each new subscription is inefficient, error-prone, and does not scale, contradicting the requirement for automatic inheritance. Option C is wrong because resource locks prevent accidental deletion or modification of resources but do not enforce governance baselines like policies or RBAC; they are not inherited by new subscriptions automatically. Option D is wrong because placing all resources into one shared resource group per business unit does not enforce governance at the subscription level, does not scale across multiple subscriptions, and fails to provide automatic inheritance for new subscriptions.

1025
Multi-Select (medium)

An administrator assigned a policy definition with the Modify effect to add tag Environment=Prod to resources in a subscription. Existing VMs still do not show the tag. Which two actions should the administrator take to bring the existing VMs into compliance? Select two.

Select 2 answers
A. Create a remediation task for the policy assignment.
B. Verify that the policy assignment identity has permission to modify tags at the assigned scope.
C. Reassign the policy at the resource group scope only.
D. Switch the policy effect to AuditIfNotExists.
E. Manually tag only the newest virtual machines.
Answers: A, B

A remediation task tells Azure Policy to apply the modify operation to resources that already exist. Without remediation, existing noncompliant resources may remain unchanged.

Why this answer

A is correct because a policy with the Modify effect does not automatically apply to existing non-compliant resources; a remediation task must be triggered to evaluate and update those resources. Remediation uses the managed identity assigned to the policy to perform the modification, which is why verifying that identity has the necessary permissions (option B) is also required. Without remediation, only new resources created after the policy assignment will have the tag applied.

Exam trap

The trap here is that candidates assume the Modify effect automatically applies to existing resources, but in reality, it only affects new resources unless a remediation task is explicitly created.

1026
MCQ (medium)

A company wants to stop users from creating resources in any Azure region except East US and West US across all subscriptions. Which Azure feature should be used to enforce this requirement?

A. An Azure RBAC role assignment
B. An Azure Policy assignment with a Deny effect at the management group scope
C. A CanNotDelete resource lock on the subscriptions
D. A tag inheritance rule on the management group
Answer: B

Azure Policy with a Deny effect can block noncompliant deployments, and management group scope applies the rule across subscriptions in the hierarchy.

Why this answer

Azure Policy with a Deny effect at the management group scope is the correct choice because it can enforce a location constraint across all subscriptions under that management group. The Deny effect prevents the creation of resources in non-compliant regions at the time of deployment, ensuring that only East US and West US are allowed. This is a governance control that applies to all subscriptions within the scope, making it the ideal solution for this requirement.

Exam trap

The trap here is that candidates often confuse Azure RBAC (who can do what) with Azure Policy (what can be done), leading them to select RBAC role assignments instead of the correct policy-based governance control.

How to eliminate wrong answers

Option A is wrong because Azure RBAC role assignments control who can perform actions (authorization), not what resources can be created or where they can be created; they cannot restrict resource locations. Option C is wrong because a CanNotDelete resource lock prevents deletion of a subscription or resource but does not restrict the creation of resources in specific regions. Option D is wrong because tag inheritance rules propagate tags from a management group to subscriptions or resources but do not enforce any location restrictions.

1027
Multi-Select (easy)

A managed data disk was accidentally deleted from a VM. A snapshot taken the day before is still available. Which two actions should the administrator perform to recover the data? Select two.

Select 2 answers
A. Create a new managed disk from the snapshot.
B. Attach the new managed disk to the VM.
C. Mount the snapshot directly as a data disk.
D. Redeploy the VM and reinstall the operating system.
E. Delete the snapshot after verifying it exists.
Answers: A, B

A snapshot must be turned into a managed disk before it can be attached to a running VM.

Why this answer

Option A is correct because a snapshot is a point-in-time, read-only copy of a managed disk. To recover the data, you must create a new managed disk from the snapshot using the `az disk create --source` command or the Azure portal. This new disk will contain the exact data as it existed when the snapshot was taken.

Exam trap

The trap here is that candidates confuse snapshots with disks, assuming a snapshot can be directly attached to a VM, when in fact Azure requires an explicit disk creation step from the snapshot before attachment.

1028
MCQ (medium)

Remote administrators work from home laptops and need secure access to Azure VMs in a virtual network. There is no branch office device to configure, and each administrator should connect individually using Azure-side VPN authentication. Which option should be implemented?

A. VNet peering between the administrators' home networks and Azure.
B. A point-to-site VPN connection to an Azure VPN gateway.
C. An ExpressRoute circuit from each administrator's home internet connection.
D. A service endpoint enabled on the VM subnet.
Answer: B

Point-to-site VPN is designed for individual client devices such as administrator laptops. It does not require a branch router or firewall, and it provides encrypted access into the Azure virtual network over the internet. This matches the need for per-user remote access to Azure VMs without standing up an on-premises VPN device.

Why this answer

A point-to-site (P2S) VPN connection allows individual remote clients to connect securely to an Azure virtual network using an Azure VPN gateway. This solution requires no on-premises device, supports per-user authentication (e.g., Azure AD, certificate, or RADIUS), and is ideal for ad-hoc remote access from home laptops.

Exam trap

The trap here is that candidates confuse point-to-site VPN with site-to-site VPN or VNet peering, assuming any 'connection' between networks works, but only point-to-site supports individual client authentication without a branch device.

How to eliminate wrong answers

Option A is wrong because VNet peering connects two Azure virtual networks, not remote client devices; it cannot provide VPN access from home laptops. Option C is wrong because ExpressRoute requires a dedicated private connection from a physical location (e.g., branch office or co-location facility) and cannot be established from a home internet connection without a partner provider. Option D is wrong because a service endpoint only secures access to Azure PaaS services (e.g., Storage, SQL) from within a VNet; it does not provide remote VPN connectivity to VMs.

1029
Drag & Drop (medium)

Order the steps to recover an Azure VM using Azure Backup.


Why this order

Go to vault, select VM, choose restore point, configure, and verify.

1030
Multi-Select (hard)

A finance archive stores critical blobs in an Azure region that supports availability zones. The data must survive a single zone failure and also remain available if the primary region becomes unavailable. The team does not need a read-only endpoint in the secondary region during normal operations. Which two redundancy models satisfy the requirement? Select two.

Select 2 answers
A. LRS
B. ZRS
C. GRS
D. GZRS
E. RA-GZRS
Answers: D, E

GZRS combines zone redundancy in the primary region with geo-replication to the paired region, meeting both resilience goals.

Why this answer

D (GZRS) is correct because it combines zone-redundant storage (ZRS) within the primary region to survive a single zone failure with geo-redundancy (GRS) to replicate data asynchronously to a secondary region, ensuring availability if the primary region becomes unavailable. Since the team does not need a read-only endpoint in the secondary region during normal operations, GZRS (which does not provide read access to the secondary region unless a failover occurs) meets the requirement without the extra cost or feature of RA-GZRS.

Exam trap

The trap here is that candidates often confuse GZRS with RA-GZRS, assuming that geo-redundancy always provides read access to the secondary region, or they overlook that ZRS alone cannot handle a regional outage, leading them to incorrectly select ZRS or GRS instead of the correct combination of zone and geo redundancy.

1031
MCQ (easy)

Before changing a managed data disk on a production VM, you want a point-in-time copy that you can keep and restore later if needed. What should you create?

A. A managed disk snapshot
B. An availability set
C. A load balancer backend pool
D. A resource lock
Answer: A

A snapshot captures a point-in-time copy of a managed disk. It is the right choice when you want a recoverable copy before making changes. You can create it for an OS disk or data disk and use it later to restore or create a new disk if the original change does not work as expected.

Why this answer

A managed disk snapshot captures a point-in-time, read-only copy of a managed disk. You can use it to restore the VM to that exact state by creating a new disk from the snapshot and attaching it to the VM. Snapshots are independent of the source disk's lifecycle, so you can keep them indefinitely for backup or recovery purposes.

Exam trap

The trap here is that candidates may confuse a resource lock (which protects against deletion but does not create a copy) with a backup mechanism, or think an availability set provides data redundancy, when in fact only a snapshot or backup service captures a point-in-time copy of the disk.

How to eliminate wrong answers

Option B is wrong because an availability set is a logical grouping of VMs that provides high availability by distributing them across fault domains and update domains; it does not create a point-in-time copy of a disk. Option C is wrong because a load balancer backend pool defines the set of VMs or instances that receive traffic from the load balancer; it has nothing to do with disk backups or snapshots. Option D is wrong because a resource lock prevents accidental deletion or modification of a resource at the Azure Resource Manager level; it does not create a copy of the disk data.

1032
MCQ (medium)

You create a private endpoint for an Azure SQL Database server. Virtual machines in VNet-Prod must resolve the server name to the private IP address of the endpoint. What should you configure?

A. A private DNS zone linked to VNet-Prod
B. A user-defined route on the subnet
C. An additional public IP address
D. A Recovery Services vault
Answer: A

A private DNS zone provides the required name resolution to the private endpoint address.

Why this answer

A private endpoint uses a private IP address from your VNet, but DNS resolution must be configured to map the Azure SQL Database server name (e.g., `server.database.windows.net`) to that private IP. By creating a private DNS zone (privatelink.database.windows.net) and linking it to VNet-Prod, Azure automatically creates an A record for the private endpoint, ensuring VMs resolve the server name to the private IP instead of the public IP. This is the standard and required configuration for private endpoint name resolution.

Exam trap

The trap here is that candidates assume private endpoints automatically update DNS without additional configuration, but Azure requires a private DNS zone (or custom DNS server) to override public resolution—otherwise, the server name still resolves to the public IP.

How to eliminate wrong answers

Option B is wrong because a user-defined route (UDR) controls network traffic flow (next hop) and does not affect DNS resolution; it cannot map a hostname to an IP address. Option C is wrong because an additional public IP address is irrelevant—private endpoints use private IPs, and adding a public IP would not change DNS resolution behavior for VMs inside the VNet. Option D is wrong because a Recovery Services vault is used for Azure Backup and Site Recovery, not for DNS configuration or private endpoint connectivity.

1033
MCQ (easy)

Based on the exhibit, which Azure service is preventing deployment because the resource is missing a required tag?

A. Azure Policy
B. Azure RBAC
C. Resource locks
D. Azure Monitor
Answer: A

Azure Policy evaluates the request against compliance rules and can deny deployment when required conditions are not met.

Why this answer

Azure Policy is the correct answer because it enforces organizational standards and compliance rules, such as requiring specific tags on resources. When a policy is defined to require a tag (e.g., 'CostCenter') and a deployment attempts to create a resource without that tag, Azure Policy evaluates the request against the policy assignment and denies the deployment. This is a built-in capability of Azure Policy, not a permission or lock mechanism.

Exam trap

The trap here is that candidates often confuse Azure Policy (which enforces rules on resource properties like tags) with Azure RBAC (which controls user permissions), leading them to incorrectly select RBAC when the issue is about missing configuration, not insufficient access rights.

How to eliminate wrong answers

Option B (Azure RBAC) is wrong because RBAC controls who can perform actions on resources (authorization via role assignments), not what tags or configurations those resources must have. Option C (Resource locks) is wrong because resource locks prevent accidental deletion or modification of resources at the resource, resource group, or subscription level, but they do not enforce tagging requirements. Option D (Azure Monitor) is wrong because Azure Monitor collects and analyzes telemetry data (metrics, logs) for performance and health; it does not enforce compliance rules or block deployments based on missing tags.

1034
Multi-Select (medium)

Your organization has an Azure Active Directory (Azure AD) tenant with 500 users. You need to ensure that users can reset their own passwords without IT support, but only if they have registered for multi-factor authentication (MFA). Additionally, you want to prevent users from reusing their last 10 passwords. Which three of the following should you configure? (Choose three.)

Select 3 answers
- Enable the 'Self-service password reset' feature in Azure AD.
- Configure 'Password protection' with a custom banned password list.
- Set the 'Number of passwords remembered' policy to 10 in the 'Password reset' blade.
- Configure the 'Number of methods required to reset' to 2 and require MFA registration.
- Enable 'Combined registration' for security info to simplify MFA and SSPR registration.
- Assign the 'Global Administrator' role to all users to allow password reset.

Why this answer

To allow users to reset their own passwords without IT support, you must enable the 'Self-service password reset' (SSPR) feature in Azure AD. To prevent password reuse, you set the 'Number of passwords remembered' policy to 10 in the Password reset blade, which enforces a password history of 10 unique passwords. Finally, to ensure that only users registered for MFA can reset their passwords, you configure the 'Number of methods required to reset' to 2 and require MFA registration, which forces users to provide two authentication methods (including MFA) before resetting.

Exam trap

The trap here is that candidates often confuse 'Combined registration' with enforcing MFA registration for SSPR, but combined registration only simplifies the user interface, not the policy requirement; the actual enforcement comes from setting the number of methods required to reset and ensuring MFA is one of those methods.

1035
Multi-Select (easy)

A help desk analyst needs to find Azure VM heartbeat records in Log Analytics and limit results to the last 30 minutes. Which two KQL elements should be used? Select two.

Select 2 answers
A. where
B. ago()
C. summarize
D. join
E. extend
Answers: A, B

The where clause filters rows, such as limiting records by time or status.

Why this answer

The `where` operator filters the result set based on a specified condition, which is essential for limiting records to those with a timestamp within the last 30 minutes. The `ago()` function returns a datetime value representing the current time minus a given timespan, allowing you to create a dynamic filter like `where TimeGenerated > ago(30m)`. Together, they enable precise time-based filtering in Kusto Query Language (KQL) for Log Analytics.

Exam trap

Microsoft often tests the misconception that `summarize` or `extend` can filter data by time, but only `where` with a time-based condition like `ago()` actually removes rows from the result set.

1036
MCQ (easy)

Based on the exhibit, what configuration should the administrator change so VMs in the spoke can resolve internal names from the hub?

A. Add a route table entry that points to the hub DNS server.
B. Set the spoke VNet custom DNS server to 10.50.0.4.
C. Enable a service endpoint for Microsoft.Storage on the spoke subnet.
D. Create a private endpoint for the spoke VM subnet.
Answer: B

The spoke is still using Azure-provided DNS, which cannot resolve the hub's internal records. Pointing the spoke VNet to the hub DNS server lets its VMs query the same internal namespace and resolve names correctly.

Why this answer

The hub VNet has a DNS server at 10.50.0.4 that is configured to resolve internal names. By setting the spoke VNet's custom DNS server to 10.50.0.4, VMs in the spoke will forward DNS queries to that server, enabling resolution of internal names from the hub. This overrides the default Azure-provided DNS and directs name resolution to the hub's DNS infrastructure.

Exam trap

The trap here is confusing network routing (route tables) with DNS resolution; candidates often think adding a route to the hub DNS server's IP will fix name resolution, but DNS queries are sent to the configured DNS server address, not routed based on destination IP.

How to eliminate wrong answers

Option A is wrong because adding a route table entry controls network traffic routing, not DNS resolution; it cannot direct DNS queries to a specific server. Option C is wrong because enabling a service endpoint for Microsoft.Storage allows private access to Azure Storage from the spoke subnet but does not affect DNS resolution for internal names. Option D is wrong because creating a private endpoint for the spoke VM subnet provides private connectivity to a specific Azure service (e.g., Storage, SQL) but does not configure DNS servers for the VNet.

1037
Multi-Select (hard)

A backend subnet contains 18 Linux VMs that must install updates from the internet. Security requires all outbound traffic to use one static public IP, and none of the VMs may have their own public IP addresses. Which two changes meet the requirement? Select two.

Select 2 answers
A. Associate a NAT gateway with the backend subnet and provide it with a public IP address or prefix.
B. Ensure the VMs do not have individual public IP addresses assigned.
C. Create a public load balancer and add the VMs to its backend pool.
D. Use a private endpoint for internet updates so outbound traffic remains private.
E. Attach a route table with 0.0.0.0/0 to Virtual network gateway.
Answers: A, B

NAT gateway gives the subnet a predictable outbound public IP without assigning public IPs to the VMs.

Why this answer

A NAT gateway provides outbound internet connectivity for VMs in a subnet while using a single static public IP address. By associating a NAT gateway with the backend subnet and assigning it a public IP, all outbound traffic from the 18 Linux VMs will source NAT to that static IP, meeting the security requirement without assigning public IPs to individual VMs.

Exam trap

The trap here is confusing a public load balancer (inbound) with a NAT gateway (outbound), or assuming a route table alone can provide internet access without a NAT device or Azure Firewall.

1038
Multi-Select (easy)

A customer wants official information about whether an Azure service issue is affecting their subscription or the wider Azure platform. Which two sources should they check? Select two.

Select 2 answers
A. Azure Advisor
B. Azure Service Health
C. Backup center
D. Azure Status
E. Resource Graph
Answers: B, D

Azure Service Health shows incidents and advisories relevant to the customer's subscriptions.

Why this answer

Azure Service Health (B) provides personalized alerts and guidance when Azure service issues affect your subscription, including planned maintenance and health advisories. Azure Status (D) offers a global view of the health of all Azure services across regions, which is the official source for widespread platform issues. Together, they cover both subscription-specific and platform-wide service incidents.

Exam trap

The trap here is that candidates often confuse Azure Service Health (subscription-specific) with Azure Status (global platform health) and may pick Azure Advisor or Backup center because they sound like they could provide health information, but they serve entirely different monitoring and maintenance functions.

1039
MCQ (easy)

Based on the exhibit, what should the administrator change so outbound internet traffic uses the NAT gateway?

A. Detach the subnet from the NAT gateway.
B. Remove the 0.0.0.0/0 user-defined route to the virtual appliance.
C. Change the route table source address to 10.1.0.4.
D. Enable a service endpoint on the subnet.
Answer: B

A user-defined default route overrides the subnet's normal internet egress behavior and sends traffic to the appliance instead. Removing that route lets the NAT gateway handle outbound connections from the subnet.

Why this answer

The correct answer is B because the user-defined route (UDR) with destination 0.0.0.0/0 pointing to the virtual appliance is overriding the default route to the NAT gateway. For outbound internet traffic to use the NAT gateway, the 0.0.0.0/0 route must point to the NAT gateway's private IP address or be removed entirely so the system route to the NAT gateway takes precedence. Removing this UDR allows the NAT gateway to handle all outbound traffic from the subnet.

Exam trap

The trap here is that candidates often assume a NAT gateway automatically handles all outbound traffic without considering that a conflicting user-defined route (0.0.0.0/0) to a virtual appliance will override the NAT gateway's default route, causing traffic to bypass the NAT gateway entirely.

How to eliminate wrong answers

Option A is wrong because detaching the subnet from the NAT gateway would prevent the NAT gateway from processing any outbound traffic from that subnet, which is the opposite of the desired outcome. Option C is wrong because changing the route table source address to 10.1.0.4 is not a valid configuration; route tables use destination prefixes, not source addresses, and this would not resolve the routing conflict. Option D is wrong because enabling a service endpoint on the subnet allows direct private connectivity to Azure PaaS services (e.g., Storage, SQL) but does not affect general outbound internet traffic routing to the NAT gateway.

1040
MCQ (hard)

An Azure VM backup job starts failing immediately after protection is enabled. The error states that the VM agent is not ready. The VM was created from a custom image and no extensions have ever installed successfully. What should the administrator verify first?

A. That the Recovery Services vault is in the same resource group as the VM.
B. That the Azure VM Agent service is installed and running inside the guest OS.
C. That soft delete is enabled on the vault.
D. That the subscription has enough free Azure Backup storage capacity.
Answer: B

Azure VM Backup depends on the VM guest agent to coordinate extensions and backup integration. If the agent is missing, stopped, or unhealthy, backup jobs can fail immediately with a readiness message. Verifying the agent state is the correct first troubleshooting step before looking at policy, retention, or vault configuration.

Why this answer

The error 'VM agent not ready' indicates that the Azure Backup extension cannot communicate with the VM agent inside the guest OS. Since the VM was created from a custom image and no extensions have ever installed successfully, the most likely cause is that the Azure VM Agent service is not installed or not running. The agent is required for backup extensions to function, so verifying its status inside the guest OS is the first troubleshooting step.

Exam trap

The trap here is that candidates often assume the issue is a vault configuration or capacity problem, but the 'VM agent not ready' error specifically points to a missing or non-functional guest agent, which is a common oversight when using custom images.

How to eliminate wrong answers

Option A is wrong because the Recovery Services vault does not need to be in the same resource group as the VM; it only needs to be in the same region and subscription. Option C is wrong because soft delete is a data protection feature for backup items, not a prerequisite for backup job initiation or agent readiness. Option D is wrong because insufficient backup storage capacity would cause a different error (e.g., 'Insufficient storage quota'), not a 'VM agent not ready' error.

1041
MCQ (hard)

Your company wants to query performance and event data from multiple Azure virtual machines by using Kusto Query Language. The operations team also wants to centralize retention and analysis of this data. What should you deploy?

A. A Log Analytics workspace.
B. Azure Advisor.
C. Azure Network Watcher only.
D. A network security group.
Answer: A

This provides centralized collection, retention, and KQL-based querying for Azure Monitor Logs.

Why this answer

A Log Analytics workspace is the correct choice because it is the central repository in Azure Monitor for collecting telemetry and log data from Azure virtual machines. It supports Kusto Query Language (KQL) for querying performance and event data, and it provides centralized retention, analysis, and alerting capabilities, meeting both requirements.

Exam trap

The trap here is that candidates often confuse Azure Advisor or Network Watcher as monitoring tools, but neither provides the centralized log storage and KQL querying required for VM performance and event data analysis.

How to eliminate wrong answers

Option B is wrong because Azure Advisor is a personalized cloud consultant that provides recommendations on best practices for cost, security, reliability, and performance; it does not ingest, store, or query performance and event data from VMs using KQL. Option C is wrong because Azure Network Watcher only provides network-level monitoring and diagnostics (e.g., packet capture, NSG flow logs, connection troubleshoot) and does not collect VM performance counters or event logs, nor does it support KQL queries for such data. Option D is wrong because a network security group (NSG) is a firewall rule set that filters traffic to and from Azure resources; it does not collect, store, or query performance or event data, and it has no querying or analysis capabilities.

1042
MCQ (medium)

Based on the exhibit, which subnet prefix should you create for the workload subnet so it has enough usable IP addresses for all listed resources?

A. /27
B. /26
C. /25
D. /28
Answer: B

A /26 provides 64 total addresses and 59 usable addresses, which satisfies the requirement.

Why this answer

The workload subnet must support 30 VMs, 5 internal load balancer frontend IPs, and 5 backend pool instances, totaling 40 IP addresses. A /26 subnet provides 64 total IPs, with 62 usable (after reserving network and broadcast addresses), which is sufficient. Smaller prefixes like /27 (30 usable) or /28 (14 usable) lack capacity, while /25 (126 usable) is excessive and wastes IP space.

Exam trap

The trap here is that candidates often forget to count all resource types (VMs, load balancer frontends, backend pools) and mistakenly choose /27 based on VM count alone, overlooking the additional IP requirements from the load balancer components.

How to eliminate wrong answers

Option A is wrong because /27 provides only 30 usable IP addresses (32 total minus 2 reserved), which is insufficient for 40 required IPs. Option C is wrong because /25 provides 126 usable IP addresses, which far exceeds the requirement and wastes address space unnecessarily. Option D is wrong because /28 provides only 14 usable IP addresses (16 total minus 2 reserved), which is far too few for 40 IPs.

1043
Multi-Select (hard)

A reporting server must be resized from 4 vCPU to 8 vCPU for a four-hour batch window. The VM name, NIC, private IP, and attached managed disks must stay the same, and the team accepts a brief outage during the change. Which two actions should you choose? Select two.

Select 2 answers
A. Deallocate the VM before changing its size.
B. Resize the VM to a larger supported size.
C. Delete the VM and recreate it with a new size.
D. Generalize the VM first to preserve the existing configuration.
E. Take a snapshot of the OS disk instead of resizing.
Answers: A, B

Most VM size changes require the VM to be deallocated first. This step preserves the VM resource and attached managed disks while allowing Azure to move the compute allocation.

Why this answer

Option A is correct because deallocating the VM (stopping it in the Azure portal) releases the underlying hardware reservation, which is required before changing the VM size to a different SKU. This ensures the VM can be resized to a supported size without conflicts, and the brief outage is acceptable as stated in the scenario.

Exam trap

The trap here is that candidates may think resizing a VM can be done while it is running (hot resize) for all sizes, but Azure only supports hot resize for certain VM series; for most size changes, deallocation is required, and the question explicitly states a brief outage is acceptable, making deallocation the correct approach.

1044
MCQ (hard)

A legacy application still authenticates to Azure Blob Storage by using the account key. Security now requires preventing any new requests that use shared key authorization, while leaving the storage account itself and Microsoft Entra-based access unchanged. Which setting should the administrator enable?

A. Rotate the storage account keys every 24 hours
B. Disable shared key access on the storage account
C. Require secure transfer for the storage account
D. Create a private endpoint for the storage account
Answer: B

This blocks requests authenticated with account keys while still allowing identity-based access paths.

Why this answer

Option B is correct because disabling shared key access on the storage account enforces that all incoming requests must use Microsoft Entra ID (formerly Azure AD) authorization instead of the account key. This directly meets the security requirement to block new requests using shared key authorization while leaving the storage account itself and Entra-based access unchanged. The setting is available under the storage account's Configuration blade as 'Allow storage account key access'.

Exam trap

The trap here is that candidates often confuse disabling shared key access with rotating keys or enabling secure transfer, not realizing that only disabling shared key access actually blocks the authorization method itself, while the other options address key freshness or transport encryption, not authorization.

How to eliminate wrong answers

Option A is wrong because rotating keys every 24 hours does not prevent new requests using shared key authorization; it only changes the key value periodically, which still allows key-based access. Option C is wrong because requiring secure transfer enforces HTTPS for all requests but does not restrict the authorization method; shared key access remains possible over HTTPS. Option D is wrong because creating a private endpoint restricts network access to the storage account via a private IP in a virtual network, but it does not block shared key authorization; requests using the account key can still be sent through the private endpoint.

1045
Multi-Selecthard

A stateless web service runs on identical VMs and must keep serving traffic if Microsoft takes one datacenter out of service in the region. The load must also scale out automatically during peak hours, and instances should be spread across independent zone boundaries. Which two configurations should the administrator use? Select two.

Select 2 answers
A. Virtual machine scale set
B. Availability zones
C. Availability set
D. Proximity placement group
E. Dedicated host
Answers: A, B

This supports automatic scale-out and simplifies running multiple identical VM instances.

Why this answer

A is correct because Virtual Machine Scale Sets (VMSS) provide built-in autoscaling capabilities that automatically adjust the number of VM instances based on demand (e.g., CPU or memory metrics), ensuring the web service scales out during peak hours. Additionally, VMSS supports spreading instances across availability zones, which protects against a single datacenter failure by distributing VMs across independent zone boundaries within a region.

Exam trap

The trap here is that candidates often confuse Availability Sets (which protect against rack-level failures within one datacenter) with Availability Zones (which protect against full datacenter outages), leading them to select Availability Set instead of Availability Zones for cross-datacenter resilience.

1046
Multi-Selecthard

Your company has multiple applications deployed across separate production and nonproduction subscriptions. Finance wants cost reporting by application, and each app team should manage only its own resources. Which two design choices best satisfy both requirements? Select two.

Select 2 answers
A. Place each application's Azure resources in a dedicated resource group.
B. Tag each resource with an application or cost-center identifier.
C. Create one subscription per virtual machine to simplify chargeback reporting.
D. Use resource names only for cost reporting because names are always unique and queryable.
E. Place all applications in one management group and use it as the access boundary for each app team.
Answers: A, B

Resource groups are the correct administrative boundary for delegating access to a specific application’s resources.

Why this answer

Option A is correct because resource groups are the logical container for grouping Azure resources by application, enabling each app team to manage its own resources via Azure RBAC at the resource group scope. Option B is correct because tagging resources with an application or cost-center identifier allows Azure Cost Management to filter and report costs by application, satisfying the finance requirement for cost reporting by application.

Exam trap

The trap here is that candidates often confuse management groups with resource groups for access control, assuming a single management group can isolate app teams, but management groups do not provide RBAC boundaries for individual applications—they are for hierarchical policy management, not resource isolation.

1047
MCQhard

A virtual machine scale set must increase instance count when average CPU exceeds 75 percent and decrease when it stays below 30 percent. What Azure feature should you configure?

A. Availability zones
B. Autoscale settings
C. Azure Policy
D. Update management
Answer: B

Autoscale handles metric-based scale-out and scale-in for a VM scale set.

Why this answer

Autoscale settings are the correct feature because they allow you to define scale-out and scale-in rules based on performance metrics like average CPU percentage. In this scenario, you would configure a scale-out rule to increase the instance count when average CPU exceeds 75% and a scale-in rule to decrease it when CPU stays below 30%.

Exam trap

The trap here is that candidates may confuse Autoscale with Availability zones, thinking that distributing instances across zones automatically handles scaling, but zones only provide redundancy, not dynamic capacity adjustment based on load.

How to eliminate wrong answers

Option A is wrong because Availability zones are a high-availability feature that distributes instances across physically separate datacenters within a region, not a mechanism for scaling based on CPU thresholds. Option C is wrong because Azure Policy is used to enforce organizational standards and compliance rules on resources, not to dynamically adjust instance counts based on performance metrics. Option D is wrong because Update management is a feature for managing OS updates and patches on VMs, not for scaling instances based on CPU utilization.

1048
MCQmedium

You need to run a script on VM-App02 immediately after deployment to install a custom monitoring agent. The solution should not require opening additional inbound management ports. What should you use?

A. Boot diagnostics
B. Custom Script Extension
C. An inbound NSG rule for WinRM
D. A proximity placement group
Answer: B

This is designed to run post-deployment scripts on the VM.

Why this answer

The Custom Script Extension (CSE) is the correct choice because it allows you to run a script on a VM immediately after deployment without opening any inbound management ports. CSE downloads and executes scripts on the VM via the Azure fabric, using the VM's outbound connectivity to Azure storage or GitHub, and does not require any inbound port (like RDP or WinRM) to be open. This meets the requirement of not opening additional inbound management ports while enabling post-deployment configuration.

Exam trap

The trap here is that candidates often confuse the Custom Script Extension with other VM management features like boot diagnostics or inbound port rules, mistakenly thinking they need to open a port (like WinRM or SSH) to run a script, when the extension uses the VM's outbound-only communication channel.

How to eliminate wrong answers

Option A is wrong because Boot diagnostics captures serial console output and screenshots for troubleshooting boot failures, but it cannot execute scripts or install software on the VM. Option C is wrong because an inbound NSG rule for WinRM would open port 5985/5986, which is an inbound management port, directly violating the requirement to not open additional inbound management ports. Option D is wrong because a proximity placement group is used to reduce network latency between VMs by placing them close together in an Azure datacenter; it has no capability to run scripts or install software.

1049
MCQmedium

A virtual machine is already protected by Azure Backup. The business wants the VM backed up every day at 11:00 PM and wants daily recovery points retained for 30 days, without re-onboarding the VM. What should the administrator modify?

A. Create a new Recovery Services vault and re-register the VM
B. Modify the backup policy associated with the protected VM
C. Install a new VM extension to change retention behavior
D. Take a manual snapshot of the VM disk every night
Answer: B

Backup schedule and retention are controlled by the backup policy in the Recovery Services vault. Updating that policy changes how future recovery points are created and retained for the protected VM. This is the correct operational object to edit because the VM is already onboarded and the requirement is to adjust policy settings, not the vault itself.

Why this answer

Option B is correct because Azure Backup uses backup policies to define the backup schedule and retention rules for protected resources. By modifying the existing policy associated with the VM, you can change the backup time to 11:00 PM and set daily recovery point retention to 30 days without needing to re-onboard the VM or create a new vault.

Exam trap

The trap here is that candidates may think changing the backup schedule or retention requires re-onboarding the VM or creating a new vault, but Azure Backup allows in-place policy modification for already protected resources.

How to eliminate wrong answers

Option A is wrong because creating a new Recovery Services vault and re-registering the VM is unnecessary; you can modify the existing backup policy without re-onboarding. Option C is wrong because the VM extension for backup (AzureBackupWindowsWorkload or AzureBackupLinux) is automatically managed by the Azure Backup service and does not control retention behavior; retention is a policy-level setting. Option D is wrong because manual snapshots are not integrated with Azure Backup's automated retention and scheduling, and they would require separate management, defeating the purpose of using the backup service.

1050
MCQhard

A contractor needs to upload files into one blob container for six hours. The administrator must avoid sharing the storage account key, and the access token should keep working even if the storage account keys are rotated later. Which access mechanism should be issued?

A. An account SAS signed with the storage account key
B. A service SAS signed with the storage account key
C. A user delegation SAS signed through Microsoft Entra authentication
D. The storage account access key itself in a temporary script variable
Answer: C

User delegation SAS avoids exposing the account key and is signed with identity-based authorization.

Why this answer

A user delegation SAS is signed with Microsoft Entra credentials rather than the storage account key, so it remains valid even if the storage account keys are rotated. This meets the requirement to avoid sharing the account key while providing temporary, scoped access for exactly six hours. The contractor can upload files without the administrator exposing the account key or needing to manage key rotation.

Exam trap

The trap here is that candidates often confuse service SAS and user delegation SAS, assuming both are tied to the account key, but only service SAS is; user delegation SAS uses Entra ID and survives key rotation.

How to eliminate wrong answers

Option A is wrong because an account SAS is signed with the storage account key, so if the key is rotated, the SAS token becomes invalid, and it also exposes the key indirectly. Option B is wrong because a service SAS is also signed with the storage account key, making it subject to key rotation invalidation and still relying on the account key. Option D is wrong because sharing the storage account access key itself directly violates the requirement to avoid sharing the key, and it provides full, unrestricted access to the entire storage account, not just the blob container.
