AZ-104 (AZ-104) — Questions 10511125

1170 questions total · 16pages · All types, answers revealed

Page 14

Page 15 of 16

Page 16
1051
MCQmedium

An on-premises application connects to Azure through an existing site-to-site VPN. The application must access an Azure Blob Storage account over a private IP, and the storage account must not accept public network traffic. Which configuration should the administrator deploy?

A.A service endpoint on the on-premises network and a storage account firewall exception.
B.A private endpoint for the storage account in an Azure VNet reachable through the VPN.
C.A NAT gateway on the subnet that hosts the storage account.
D.An application security group applied to the storage account.
AnswerB

A private endpoint gives the storage account a private IP address inside a VNet. Because the on-premises network already reaches Azure through a site-to-site VPN, on-prem clients can reach that private IP over the encrypted tunnel, provided DNS is also configured to resolve the private name correctly. This satisfies both goals: private connectivity and no public network access to the storage account.

Why this answer

Option B is correct because a private endpoint assigns the storage account a private IP from an Azure VNet, making it accessible over the site-to-site VPN without traversing the public internet. This satisfies the requirement for private IP access and allows the storage account to block all public network traffic by disabling public network access in the firewall settings.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, assuming both provide private IP access, but only private endpoints remove the public endpoint entirely, which is necessary when public network access must be disabled.

How to eliminate wrong answers

Option A is wrong because a service endpoint does not assign a private IP to the storage account; it only extends the VNet identity to the service, and the storage account still uses a public endpoint, which conflicts with the requirement to not accept public network traffic. Option C is wrong because a NAT gateway provides outbound internet connectivity for a subnet, not inbound private access to a storage account, and it does not affect the storage account's public endpoint. Option D is wrong because an application security group (ASG) is a network security group (NSG) filter for VMs or NICs, not a resource that can be applied to a storage account to control network access.

1052
MCQhard

An Azure CLI script runs on a utility VM every night to create and tag resources in another subscription. The script cannot store a password or client secret, and the VM is regularly redeployed from a standard image. What is the best identity design?

A.Assign a system-assigned managed identity to the utility VM
B.Create a user-assigned managed identity and attach it to the utility VM
C.Create a service principal and store its secret in the VM configuration
D.Use a shared access signature to sign the Azure CLI session
AnswerB

A user-assigned identity persists independently of the VM and can be reused after redeployment.

Why this answer

Option B is correct because a user-assigned managed identity can be created once, assigned to the utility VM, and used across redeployments without storing any credentials. The script can authenticate via Azure CLI using the managed identity's client ID, and the identity persists independently of the VM's lifecycle, satisfying the requirement of no password or client secret storage.

Exam trap

The trap here is that candidates often choose system-assigned managed identity (Option A) without realizing that redeploying the VM from a standard image destroys the identity, breaking any cross-subscription role assignments that were configured for the original identity.

How to eliminate wrong answers

Option A is wrong because a system-assigned managed identity is tied to the VM's lifecycle; when the VM is redeployed from a standard image, the identity is deleted and a new one is created, breaking any role assignments or resource tags that depend on the previous identity. Option C is wrong because storing a service principal secret in the VM configuration violates the requirement that the script cannot store a password or client secret, and it introduces a security risk. Option D is wrong because a shared access signature (SAS) is used for delegated access to Azure Storage resources, not for authenticating an Azure CLI session to manage resources across subscriptions.

1053
Multi-Selectmedium

A contractor from a partner company needs read-only access to one application resource group for 14 days. When the contractor leaves the project, access should be removed immediately by removing a single identity from a group. Which two actions should the administrator take? Select two.

Select 2 answers
A.Create an Entra ID security group for the contractor team.
B.Assign the Reader role to that group at the application resource group scope.
C.Assign Reader directly to the contractor's user object at the subscription scope.
D.Assign Contributor at the resource group scope and rely on discipline.
E.Use a resource lock to limit the contractor to read-only access.
AnswersA, B

Using a group gives the administrator one identity to manage instead of many individual user assignments. Removing a person from the group immediately removes their inherited access.

Why this answer

Creating an Entra ID security group for the contractor team (Option A) allows the administrator to manage access centrally. By assigning the Reader role to that group at the application resource group scope (Option B), all members inherit read-only permissions. When the contractor leaves, removing their user object from the group immediately revokes access without needing to modify role assignments, satisfying the requirement for a single identity removal.

Exam trap

The trap here is that candidates often confuse resource locks with RBAC roles, thinking a lock can enforce read-only access, but locks only prevent accidental deletion or modification and do not affect permissions granted by role assignments.

1054
MCQmedium

You plan to deploy two virtual machines that run the same line-of-business application. The VMs must remain available during planned maintenance of the Azure platform, but autoscaling is not required. What should you use?

A.A Virtual Machine Scale Set.
B.An availability set.
C.Azure Container Apps.
D.A private endpoint.
AnswerB

This is the classic fit for a small set of highly available VMs.

Why this answer

An availability set ensures that VMs are distributed across multiple fault domains and update domains within an Azure datacenter. This protects against both hardware failures (fault domains) and planned Azure platform maintenance (update domains), as only one update domain is rebooted at a time. Since autoscaling is not required, an availability set is the correct choice for high availability during planned maintenance.

Exam trap

The trap here is that candidates often confuse availability sets (for planned maintenance and hardware fault tolerance) with Virtual Machine Scale Sets (for autoscaling and load balancing), leading them to select the scale set even when autoscaling is explicitly not required.

How to eliminate wrong answers

Option A is wrong because a Virtual Machine Scale Set provides autoscaling and load balancing capabilities, which are explicitly not required here, and it is overkill for simply ensuring availability during planned maintenance. Option C is wrong because Azure Container Apps is a serverless container platform for microservices, not designed for running traditional VMs with a line-of-business application that requires VM-level availability during maintenance. Option D is wrong because a private endpoint provides secure, private connectivity to Azure PaaS services over a private IP address; it does not provide any availability or redundancy for VMs during platform maintenance.

1055
MCQhard

An administrator enabled diagnostic settings on an Azure Storage account using the resource-specific schema. A coworker then ran a query against AzureDiagnostics and got no rows, even though failed blob writes occurred during the last hour. What is the best fix?

A.Switch the diagnostic setting back to the legacy AzureDiagnostics schema so all logs land there.
B.Query the storage account's dedicated resource-specific log table and filter for failed write operations.
C.Use the Azure Activity log because blob write failures are always control-plane events.
D.Create a metric alert on storage capacity because that metric includes failed requests.
AnswerB

When resource-specific diagnostic mode is enabled, logs no longer land in AzureDiagnostics for that resource. The correct action is to query the dedicated storage log table produced by the diagnostic setting, then filter for the failed write status and time window. This aligns the query with the actual schema that is collecting the data.

Why this answer

When a diagnostic setting is configured with the resource-specific schema, Azure routes logs to dedicated tables (e.g., StorageBlobLogs) rather than the legacy AzureDiagnostics table. Querying AzureDiagnostics returns no rows because the logs are not stored there. The correct fix is to query the appropriate resource-specific log table (e.g., StorageBlobLogs) and filter for failed write operations, as this table contains the detailed, schema-specific data for the storage account's blob operations.

Exam trap

The trap here is that candidates assume all diagnostic logs land in the AzureDiagnostics table by default, overlooking that the resource-specific schema redirects logs to dedicated tables, leading them to incorrectly choose Option A or fail to query the correct table.

How to eliminate wrong answers

Option A is wrong because switching back to the legacy AzureDiagnostics schema is unnecessary and defeats the purpose of the resource-specific schema, which provides better performance and schema alignment; the logs are already being collected, just in a different table. Option C is wrong because blob write failures are data-plane events, not control-plane events; the Azure Activity log only captures control-plane operations (e.g., creating a storage account), not data-plane operations like blob writes. Option D is wrong because a metric alert on storage capacity does not include failed requests; capacity metrics track storage usage, not request failures, and metric alerts cannot query log data for failed operations.

1056
MCQmedium

A Windows Azure VM must download configuration data from Azure Key Vault during first boot. Security policy forbids storing passwords, certificates, or client secrets on the VM. What should the administrator configure?

A.Create a service principal and place its secret in the VM's startup script.
B.Enable a system-assigned managed identity on the VM and grant it Key Vault access.
C.Attach a custom script extension that embeds the Key Vault password in plain text.
D.Use an Entra ID user account and sign in interactively after deployment.
AnswerB

A system-assigned managed identity gives the VM an automatically managed identity with no stored credentials. The VM can authenticate to Key Vault through Azure AD and receive only the permissions it needs. Because the identity is tied to the VM lifecycle, it is ideal for first-boot configuration tasks that must avoid passwords, certificates, and client secrets.

Why this answer

A system-assigned managed identity provides an automatically managed service principal in Entra ID, tied to the VM's lifecycle. Granting this identity the appropriate Key Vault access policy (e.g., Get, List secrets) allows the VM to authenticate to Key Vault without any stored credentials, satisfying the security policy. The VM can then retrieve configuration data during first boot using the Azure Instance Metadata Service (IMDS) endpoint.

Exam trap

The trap here is that candidates may think a service principal with a stored secret (Option A) is required for automated access, overlooking that managed identities eliminate the need for any stored credentials.

How to eliminate wrong answers

Option A is wrong because placing a service principal secret in the VM's startup script violates the security policy that forbids storing passwords, certificates, or client secrets on the VM, and the secret would be exposed in the script. Option C is wrong because embedding the Key Vault password in plain text within a custom script extension directly violates the security policy and exposes the credential in the script and potentially in logs. Option D is wrong because using an Entra ID user account for interactive sign-in is not automated for first-boot configuration and would require manual intervention, defeating the purpose of unattended deployment.

1057
Matchinghard

Match each storage or PaaS access requirement to the correct Azure networking approach or DNS action.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Create a private endpoint and link the correct private DNS zone to the VNet.

Use a service endpoint on the subnet and allow that subnet in the storage account network rules.

The private DNS zone is missing, not linked to the VNet, or the record has not been populated.

Use a service endpoint with a network rule on the SQL server.

Use the storage firewall with a virtual network rule for AppSubnet; if the on-premises source also needs access, allow its public IP separately. No private endpoint is required.

Why these pairings

VPN and ExpressRoute provide private connectivity, Private Link ensures private IP access, and DNS CNAME records map custom domains to Azure endpoints.

1058
Multi-Selecthard

A user deleted a nested folder tree from an Azure file share yesterday. Other folders in the share were updated after the deletion and must not be rolled back. Which two actions should the administrator take? Select two.

Select 2 answers
A.Restore the entire file share from the latest snapshot.
B.Open a snapshot taken before the deletion.
C.Copy only the deleted folder tree back into the live share.
D.Convert the file share to the Hot access tier.
E.Delete the newer folders so the share matches the snapshot exactly.
AnswersB, C

A snapshot from before the deletion contains the missing folder tree in its prior state and is the correct recovery source.

Why this answer

Option B is correct because Azure file share snapshots provide a point-in-time, read-only copy of the entire share. By opening a snapshot taken before the deletion, the administrator can browse the exact folder tree as it existed at that time. Option C is correct because the administrator can copy only the deleted folder tree from the snapshot back into the live share, leaving all other folders (including those updated after the deletion) intact.

Exam trap

The trap here is that candidates often assume the only way to recover deleted data is to restore the entire share from a snapshot, overlooking the ability to mount the snapshot and perform a granular copy of only the deleted items.

1059
MCQeasy

After applying a custom image, a VM restarts to a black screen and never reaches the sign-in prompt. The administrator wants the fastest way to inspect the boot process without connecting to the guest OS. What should be used?

A.Azure Advisor
B.Boot diagnostics
C.Managed identity
D.Azure Policy
AnswerB

Boot diagnostics captures console output and screenshots from the VM startup process. When a VM fails before reaching the sign-in screen, this is often the fastest place to look for boot errors, driver issues, or configuration problems. It gives administrators visibility into what happened before the operating system completed startup, without requiring guest access.

Why this answer

Boot diagnostics captures serial console output and screenshots of the VM during the boot process, allowing you to inspect boot failures like a black screen without needing to connect to the guest OS. This is the fastest method because it provides immediate, out-of-band access to boot logs and visual state, even when the OS is unresponsive.

Exam trap

The trap here is that candidates may confuse Azure Advisor's 'diagnostic' recommendations with actual boot diagnostics, or assume Managed Identity can somehow 'log in' to inspect the OS, when only Boot Diagnostics provides host-level, out-of-band boot visibility.

How to eliminate wrong answers

Option A is wrong because Azure Advisor provides recommendations for cost, security, reliability, and performance, but it does not capture or expose boot-time logs or screenshots. Option C is wrong because Managed Identity is an Azure Active Directory feature for authenticating to Azure resources without secrets; it has no capability to inspect VM boot processes. Option D is wrong because Azure Policy enforces compliance rules on resource configurations (e.g., tagging, allowed SKUs) and cannot access or display boot diagnostics data.

1060
MCQeasy

Based on the exhibit, what should the administrator configure so storage logs can be queried later with KQL?

A.Create a backup policy for the storage account so the logs are retained automatically.
B.Enable a resource lock on the storage account so no logs are lost.
C.Turn on blob versioning so every change to the storage account is searchable.
D.Configure diagnostic settings to send logs to a Log Analytics workspace.
AnswerD

Diagnostic settings are used to export resource logs and metrics from Azure resources. Sending those logs to Log Analytics makes them available for KQL queries, filtering, and investigation.

Why this answer

Diagnostic settings in Azure allow you to stream platform logs, including storage logs, to a Log Analytics workspace. Once the logs are in Log Analytics, you can query them using Kusto Query Language (KQL) to analyze storage operations, errors, and metrics. This is the only option that directly enables querying storage logs with KQL.

Exam trap

The trap here is that candidates confuse data protection features (backup, locks, versioning) with logging and monitoring capabilities, failing to recognize that only diagnostic settings can route logs to a Log Analytics workspace for KQL queries.

How to eliminate wrong answers

Option A is wrong because a backup policy retains snapshots or copies of data for recovery purposes, not logs; it does not send logs to a queryable store like Log Analytics. Option B is wrong because a resource lock prevents accidental deletion or modification of the storage account, but it does not capture, retain, or make logs available for KQL queries. Option C is wrong because blob versioning tracks changes to blob objects for data protection and recovery, but it does not generate or store operational or diagnostic logs that can be queried with KQL.

1061
MCQhard

A team needs one Azure Files share that can be mounted by both Windows and Linux VMs. The VMs are joined to the same on-premises Active Directory Domain Services domain, and the security team forbids storage account keys. The team also wants to manage access with existing AD group memberships. What should the administrator configure?

A.Use Azure Files over SMB and enable AD DS authentication
B.Use a blob container and mount it through the Blob API
C.Use anonymous access on an Azure File share
D.Use a premium NFS file share with a shared access signature
AnswerA

Azure Files over SMB supports both Windows and Linux clients, and AD DS authentication lets the team use existing domain identities and groups instead of storage keys. This keeps permissions centralized and avoids embedding secrets in scripts or mount commands. It is the most appropriate choice when both operating systems must share the same file data and access control should come from the established directory service.

Why this answer

Option A is correct because Azure Files supports SMB protocol, which can be mounted by both Windows and Linux VMs. By enabling AD DS authentication, the administrator can use existing on-premises Active Directory group memberships to control access to the file share without requiring storage account keys, satisfying the security team's requirement.

Exam trap

The trap here is that candidates may confuse NFS with SMB, assuming NFS is the only option for Linux, but Azure Files supports SMB for both Windows and Linux, and AD DS authentication is only available for SMB shares, not NFS.

How to eliminate wrong answers

Option B is wrong because a blob container accessed via the Blob API does not support SMB mounting and cannot be mounted as a file system by both Windows and Linux VMs; it is designed for object storage, not file sharing. Option C is wrong because anonymous access on an Azure File share would bypass authentication entirely, violating the security team's requirement to manage access with AD group memberships and forbidding storage account keys. Option D is wrong because a premium NFS file share does not support AD DS authentication; it relies on network-level security or export policies, and shared access signatures (SAS) are not supported for NFS shares, making it incompatible with the requirement to use existing AD group memberships.

1062
MCQeasy

A storage account should accept traffic only from one subnet, but the team does not want to create a private IP address for the service in the virtual network. What should they enable?

A.Private endpoint, because it is the only way to allow one subnet.
B.Service endpoint, because it allows the subnet to access the storage service securely over the Azure backbone.
C.User-assigned managed identity, because it controls subnet access.
D.Blob soft delete, because it helps restrict where traffic comes from.
AnswerB

A service endpoint lets you restrict storage access to a specific subnet without creating a private IP for the service in the virtual network.

Why this answer

Service endpoints allow a subnet to access Azure PaaS services (like Storage) over the Azure backbone without requiring a private IP address. By enabling a Microsoft.Storage service endpoint on the subnet and configuring the storage account firewall to allow traffic only from that subnet, the team meets the requirement securely and cost-effectively.

Exam trap

The trap here is confusing private endpoints (which assign a private IP) with service endpoints (which do not), leading candidates to incorrectly choose private endpoint when the question explicitly prohibits creating a private IP address.

How to eliminate wrong answers

Option A is wrong because a private endpoint assigns a private IP address to the service within the virtual network, which the team explicitly wants to avoid. Option C is wrong because a user-assigned managed identity controls authentication and authorization (who can access the resource), not network-level subnet access. Option D is wrong because blob soft delete is a data protection feature that recovers accidentally deleted blobs; it has no mechanism to restrict traffic sources.

1063
MCQeasy

Based on the exhibit, which KQL clause should replace the blank to show only heartbeat records from the last 30 minutes?

A.project Computer, TimeGenerated
B.where TimeGenerated >= ago(30m)
C.extend TimeWindow = 30m
D.sort by TimeGenerated desc
AnswerB

The where clause filters rows before summarizing, and ago(30m) is the KQL function that represents the last 30 minutes from the current time. This is the correct way to restrict the Heartbeat table to recent records before calculating the most recent check-in for each computer. It is a standard operational troubleshooting pattern in Log Analytics.

Why this answer

The KQL clause `where TimeGenerated >= ago(30m)` filters the results to include only records where the `TimeGenerated` timestamp is within the last 30 minutes. The `ago()` function calculates a datetime value relative to the current time, and the `>=` operator ensures only records from that point forward are returned. This directly satisfies the requirement to show heartbeat records from the last 30 minutes.

Exam trap

The trap here is that candidates often confuse filtering (`where`) with projection (`project`), sorting (`sort`), or extending (`extend`), and may choose a clause that manipulates the output format or order instead of actually restricting the rows based on a time condition.

How to eliminate wrong answers

Option A is wrong because `project Computer, TimeGenerated` only selects (projects) those two columns, but does not filter any rows based on time; it would return all heartbeat records regardless of age. Option C is wrong because `extend TimeWindow = 30m` creates a new column with a constant value of 30 minutes, but does not filter the data; it simply adds a calculated field to each row. Option D is wrong because `sort by TimeGenerated desc` orders the results by time descending, but does not restrict the time range; it would still include all records, not just those from the last 30 minutes.

1064
MCQhard

A virtual machine is already protected by Azure Backup. The current policy runs daily at 23:00 and keeps daily recovery points for 30 days. The business now wants the same schedule but wants new daily recovery points retained for 90 days. No new vault or re-registration should occur. What should the administrator do?

A.Create a new Recovery Services vault and enable backup again with the longer retention period.
B.Edit the existing backup policy and change the daily retention for future recovery points.
C.Take nightly managed disk snapshots because snapshots automatically inherit the Recovery Services vault retention period.
D.Change the vault redundancy setting to increase the number of retained recovery points.
AnswerB

Backup retention is controlled by the backup policy attached to the protected VM. Updating the policy to retain daily recovery points for 90 days changes how future backups are kept without re-registering the workload or creating a new vault. Existing recovery points keep their original retention behavior, while newly created recovery points follow the updated rule. This is the normal, low-impact administrative change.

Why this answer

Option B is correct because Azure Backup allows you to modify an existing backup policy to change the retention duration for future recovery points without creating a new vault or re-registering the VM. By editing the policy and setting the daily retention to 90 days, all new daily recovery points will be retained for the longer period, while existing recovery points remain unaffected by the change.

Exam trap

The trap here is that candidates may confuse vault redundancy settings with retention duration, or assume that a new vault is required to change retention, when in fact Azure Backup policies can be edited in place to adjust retention for future recovery points.

How to eliminate wrong answers

Option A is wrong because creating a new Recovery Services vault would require re-registering the VM, which violates the requirement that no new vault or re-registration should occur. Option C is wrong because managed disk snapshots are independent of Recovery Services vault retention policies; they do not automatically inherit vault retention settings and are managed separately. Option D is wrong because vault redundancy settings (e.g., LRS vs.

GRS) control data replication, not the number of retained recovery points; retention duration is configured in the backup policy, not via redundancy.

1065
MCQeasy

You are deploying a new Windows VM and want it to start with the same custom software and configuration that already exist on an approved production VM. What should you use as the source for the new VM?

A.A marketplace image
B.A custom image
C.A snapshot of the OS disk
D.An availability set
AnswerB

A custom image captures the OS and approved configuration so new VMs can be deployed with the same baseline.

Why this answer

A custom image captures the exact OS configuration, installed software, and settings from a source VM, allowing you to deploy new VMs with identical customizations. Unlike a marketplace image, which provides only a generic OS, a custom image preserves all modifications made to the approved production VM, including applications and system tweaks.

Exam trap

The trap here is that candidates often confuse a snapshot with a custom image, not realizing that a snapshot is a disk-level backup requiring additional steps to create a deployable VM, whereas a custom image is directly usable for VM creation with the exact software and configuration.

How to eliminate wrong answers

Option A is wrong because a marketplace image provides only a generic, unmodified OS or pre-configured template from Azure, not the specific custom software and configuration from your production VM. Option C is wrong because a snapshot of the OS disk captures a point-in-time copy of the disk but cannot be directly used as a source for deploying a new VM; it must first be converted into a managed disk or custom image. Option D is wrong because an availability set is a logical grouping for high availability and fault tolerance, not a source for VM deployment or configuration.

1066
MCQeasy

An administrator wants a script running on an Azure VM to create a resource in Azure without storing any passwords or client secrets on the VM. What should the administrator configure first?

A.A shared local account on the VM
B.A system-assigned managed identity on the VM
C.An Azure Policy exemption
D.A public IP address on the VM
AnswerB

A managed identity lets the VM authenticate to Azure directly, so the script can use Azure CLI or PowerShell without secrets.

Why this answer

A system-assigned managed identity enables an Azure VM to authenticate to Azure services (e.g., Azure Resource Manager) without storing any credentials in the VM. The identity is automatically created and managed by Azure, and the VM can obtain an access token from Azure AD via the Instance Metadata Service (IMDS) endpoint (169.254.169.254) using a simple HTTP call. This allows the script to securely create resources without hardcoding passwords or client secrets.

Exam trap

The trap here is that candidates may confuse managed identities with service principals or think a public IP is needed for outbound authentication, but the IMDS endpoint works entirely within the Azure network without requiring a public IP.

How to eliminate wrong answers

Option A is wrong because a shared local account on the VM is a local user account that cannot authenticate to Azure AD or Azure Resource Manager; it provides no mechanism to create Azure resources without credentials. Option C is wrong because an Azure Policy exemption only excludes a resource from policy evaluation; it does not provide any authentication or authorization to create resources. Option D is wrong because a public IP address on the VM only enables inbound/outbound network connectivity; it does not grant any identity or permissions to interact with Azure services.

1067
MCQmedium

Which statement best explains why centralized logging is valuable in security operations?

A.It improves visibility by collecting events from multiple devices in one place for review and investigation.
B.It guarantees that no unauthorized action can occur.
C.It replaces the need for NTP and authentication.
D.It automatically assigns IP addresses to monitoring systems.
AnswerA

This is correct because centralized collection is the main value of centralized logging.

Why this answer

Centralized logging aggregates security events (e.g., Windows Event Log, syslog, Azure Activity Log) from multiple sources into a single repository like Azure Log Analytics or a SIEM. This consolidation enables security analysts to correlate events across devices, detect patterns indicative of attacks, and perform efficient forensic investigations without needing to access each device individually.

Exam trap

The trap here is that candidates may think centralized logging actively prevents security incidents (like a firewall or IDS), when in fact it is a passive detective control that improves visibility and post-incident analysis.

Why the other options are wrong

B

This option is wrong because centralized logging does not prevent unauthorized actions; it merely collects and stores logs for analysis. Security operations rely on other measures, such as access controls and monitoring, to prevent unauthorized activities.

C

This option is wrong because centralized logging does not replace the need for Network Time Protocol (NTP) or authentication; these are separate functions that ensure accurate time synchronization and secure access to systems, respectively.

D

This option is wrong because centralized logging does not involve the automatic assignment of IP addresses; it focuses on aggregating logs for analysis rather than managing network configurations.

1068
MCQhard

You need to ensure that a virtual machine is protected by Azure Backup and can be restored from centralized backup data if the VM is deleted. Which Azure resource should you configure first?

A.A Recovery Services vault
B.An availability set
C.A network security group
D.A public IP address
AnswerA

A Recovery Services vault is required to centrally manage Azure VM backups.

Why this answer

A Recovery Services vault is the foundational Azure resource for Azure Backup. It stores backup data and recovery points, enabling centralized backup management and restoration even if the original VM is deleted. Without first configuring a Recovery Services vault, you cannot define backup policies or initiate backups for the VM.

Exam trap

The trap here is that candidates may confuse high-availability resources (like availability sets) with backup/recovery resources, failing to recognize that a Recovery Services vault is the prerequisite for any Azure Backup operation.

How to eliminate wrong answers

Option B is wrong because an availability set is a logical grouping of VMs to ensure high availability across fault domains and update domains, not a backup or recovery resource. Option C is wrong because a network security group (NSG) filters inbound and outbound traffic to a VM or subnet, providing network security but no backup or restore capabilities. Option D is wrong because a public IP address is a networking resource for internet-facing communication, unrelated to backup or recovery operations.

1069
MCQmedium

A Virtual Machine Scale Set must add instances automatically when average CPU usage is above 75 percent and remove instances when CPU drops below 30 percent. Which feature should you configure?

A.Autoscale rules in Azure Monitor
B.A Recovery Services vault policy
C.Boot diagnostics
D.Azure Advisor only
AnswerA

This directly implements metric-based scaling logic for the VM Scale Set.

Why this answer

Autoscale rules in Azure Monitor allow you to define conditions for automatically scaling a Virtual Machine Scale Set (VMSS) based on metrics like average CPU usage. You can set a scale-out rule to add instances when CPU exceeds 75% and a scale-in rule to remove instances when CPU drops below 30%, with a cool-down period to prevent flapping. This is the native Azure feature designed for such metric-based auto-scaling scenarios.

Exam trap

The trap here is that candidates may confuse Azure Advisor (which gives recommendations) with the actual implementation of autoscale rules, or mistakenly think Recovery Services vault policies or boot diagnostics are involved in scaling decisions.

How to eliminate wrong answers

Option B is wrong because a Recovery Services vault policy is used for configuring backup and disaster recovery settings, not for auto-scaling based on performance metrics. Option C is wrong because boot diagnostics captures serial console output and screenshots for troubleshooting VM boot failures, not for scaling decisions. Option D is wrong because Azure Advisor provides proactive recommendations for cost, security, reliability, and performance, but it does not implement or configure auto-scaling rules itself.

1070
MCQeasy

Based on the exhibit, what should the administrator check first to resolve the backup failure for the Azure VM?

A.Increase the backup retention period in the vault policy.
B.Verify that the Azure VM Agent is installed and running on the VM.
C.Move the VM to a different availability zone.
D.Change the storage account redundancy to ZRS.
AnswerB

Azure VM backups depend on a healthy VM agent so Azure can coordinate snapshot and extension operations. If the job reports that the agent is not in a ready state, the first troubleshooting step is to confirm the agent is installed, running, and up to date. Custom images sometimes miss the agent or contain a broken installation, which causes backup jobs to fail immediately.

Why this answer

The Azure VM backup failure is most commonly caused by the Azure VM Agent (also known as the Windows Guest Agent or Linux Agent) not being installed, outdated, or in a non-responsive state. The backup extension relies on the VM Agent to execute snapshots and coordinate with the Azure Backup service; without a healthy agent, the backup process cannot initiate. Therefore, verifying the agent's installation and status is the first troubleshooting step.

Exam trap

The trap here is that candidates often jump to storage or networking changes (like redundancy or availability zones) when the real issue is a missing or broken VM Agent, which is a prerequisite for any guest-level operation including backup extensions.

How to eliminate wrong answers

Option A is wrong because increasing the backup retention period does not resolve a failure to take a backup; retention only affects how long existing recovery points are kept, not the ability to create new ones. Option C is wrong because moving the VM to a different availability zone does not address the underlying cause of backup failure, which is typically related to the VM Agent or extension state, not the physical placement of the VM. Option D is wrong because changing the storage account redundancy to ZRS affects data durability and replication, but does not impact the backup operation itself, which uses the Azure Backup vault and its own storage infrastructure, not the VM's attached disks.

1071
Multi-Selectmedium

You are responsible for managing Azure resources in a hybrid environment. Your on-premises Active Directory Domain Services (AD DS) is synced to Azure AD using Azure AD Connect. You need to ensure that administrative units (AUs) are used to delegate administration of specific groups of users to help desk staff. Which three of the following are true regarding administrative units in Azure AD? (Choose three.)

Select 3 answers
.Administrative units can contain users, groups, and devices.
.An administrative unit can span multiple Azure AD tenants.
.You can assign Azure AD roles scoped to an administrative unit.
.Administrative units are available in all editions of Azure AD, including Free.
.Users synced from on-premises AD DS can be added to administrative units.
.Administrative units can be created only via the Azure portal and not via PowerShell.

Why this answer

Administrative units (AUs) in Azure AD are containers that can hold users, groups, and devices, allowing you to delegate administrative permissions over a subset of resources. You can assign Azure AD roles scoped to an AU, which limits the role's permissions to only the members of that AU. Users synced from on-premises AD DS via Azure AD Connect can be added to AUs because they become Azure AD user objects after synchronization, making them eligible for AU membership.

Exam trap

The trap here is that candidates often assume administrative units are available in all Azure AD editions (including Free) because they are a basic delegation feature, but in reality they require Azure AD Premium P1 or higher.

1072
MCQeasy

A Linux VM restarts after a configuration change and now stops before the sign-in prompt. The administrator cannot use SSH. Which Azure feature should be checked first to inspect the startup process?

A.Boot diagnostics
B.Network Watcher packet capture
C.Azure Advisor
D.Managed identity
AnswerA

Boot diagnostics provides a screenshot and console log for early VM startup troubleshooting.

Why this answer

Boot diagnostics captures serial console output and screenshots of the VM, allowing you to view kernel messages, boot logs, and the exact point where the startup process halts. Since SSH is unavailable and the VM stops before the sign-in prompt, this is the first Azure feature to check for troubleshooting the boot sequence.

Exam trap

The trap here is that candidates often confuse Boot diagnostics with Network Watcher or assume Azure Advisor can provide real-time troubleshooting, but only Boot diagnostics gives direct access to the VM's serial console and boot logs when SSH is unavailable.

How to eliminate wrong answers

Option B is wrong because Network Watcher packet capture is used for analyzing network traffic to and from the VM, not for inspecting the OS startup process or boot logs. Option C is wrong because Azure Advisor provides recommendations for cost, security, reliability, and performance, but it does not offer real-time boot-level diagnostics or access to serial console output. Option D is wrong because managed identity is an Azure Active Directory feature for authenticating to Azure resources without credentials; it has no role in inspecting the VM's boot sequence or startup logs.

1073
MCQmedium

A subnet is connected to a NAT gateway, but outbound connections to a public software update site are still leaving through a network virtual appliance. The route table contains a 0.0.0.0/0 user-defined route to the appliance, and the business wants the NAT gateway to handle internet traffic while preserving private routes to the appliance. What is the best fix?

A.Increase the priority of the NSG rules on the subnet.
B.Remove the default UDR to the appliance and leave only the private-prefix routes in place.
C.Associate the NAT gateway with the virtual network instead of the subnet.
D.Enable service endpoints on the subnet to bypass the appliance.
AnswerB

The 0.0.0.0/0 UDR is forcing all outbound traffic to the appliance, which prevents the NAT gateway from handling internet destinations. Removing that default route lets Azure use the system internet route, where the NAT gateway can provide outbound SNAT. Specific routes for private prefixes can remain and continue to send internal traffic to the appliance.

Why this answer

The 0.0.0.0/0 user-defined route (UDR) to the network virtual appliance (NVA) has a higher priority than the NAT gateway's default route, so all internet-bound traffic is forced through the appliance. Removing that UDR while keeping private-prefix routes (e.g., 10.0.0.0/8) ensures that only private traffic uses the appliance, and internet traffic follows the NAT gateway's default route. This satisfies the business requirement of using the NAT gateway for internet traffic while preserving private routes through the NVA.

Exam trap

The trap here is that candidates assume a NAT gateway automatically overrides a 0.0.0.0/0 UDR, but in Azure, UDRs always take precedence over system routes, so the explicit route to the NVA must be removed to allow the NAT gateway to handle internet traffic.

How to eliminate wrong answers

Option A is wrong because NSG rules control inbound/outbound traffic filtering at Layer 4, not routing decisions; increasing their priority does not change which path traffic takes to reach the internet. Option C is wrong because NAT gateways are associated at the subnet level, not the virtual network level; associating with the VNet is not supported and would not resolve the routing conflict. Option D is wrong because service endpoints allow private access to Azure PaaS services over the Microsoft backbone, but they do not override a 0.0.0.0/0 UDR or redirect general internet traffic away from the NVA.

1074
MCQmedium

A team manages three backend servers in one subnet. The servers are replaced periodically, so their private IP addresses change. The NSG must allow inbound traffic from the web tier without updating individual IP addresses each time. Which destination object should be used in the NSG rule?

A.Application security group
B.Service tag
C.Route table
D.Private endpoint
AnswerA

An application security group lets you group VMs by application role rather than by fixed IP address. NSG rules can reference the ASG so the rule continues to work even when the VM IPs change.

Why this answer

An Application Security Group (ASG) allows you to group backend servers logically, regardless of their private IP addresses, and reference that group as the destination in an NSG rule. When servers are replaced and their IPs change, the ASG membership is automatically updated, so the NSG rule continues to apply without manual intervention. This is the correct approach for dynamic workloads where IP addresses are not static.

Exam trap

The trap here is that candidates often confuse Application Security Groups with Network Security Groups themselves, or mistakenly think Service Tags can be used to group their own VMs, when Service Tags are only for Azure platform services or well-known IP ranges.

How to eliminate wrong answers

Option B is wrong because a Service Tag (e.g., AzureLoadBalancer, Internet) represents a predefined group of IP ranges for Azure services or the internet, not a dynamic group of your own VMs in a subnet. Option C is wrong because a Route Table controls network traffic routing (next hop decisions) at the subnet level, not inbound traffic filtering or destination grouping in NSG rules. Option D is wrong because a Private Endpoint is used to securely connect to Azure PaaS services over a private IP, not to group backend servers for NSG destination rules.

1075
MCQmedium

A branch office has a single edge device with a static public IP and must connect securely to Azure so users can reach private VMs in a virtual network. The company wants traffic encrypted across the internet and does not need point-to-site access from individual laptops. Which solution should the administrator deploy?

A.A point-to-site VPN configuration for each user laptop.
B.A site-to-site VPN gateway connection.
C.A private endpoint to each virtual machine in Azure.
D.VNet peering between the branch and Azure.
AnswerB

Site-to-site VPN is the standard option for connecting an on-premises branch network to Azure through a VPN device or edge appliance. It uses the branch's static public IP, encrypts traffic over the internet, and allows users on the branch network to reach private Azure resources such as VMs inside the VNet.

Why this answer

A site-to-site VPN gateway connection (Option B) is correct because it creates an encrypted tunnel over the internet between the branch office's edge device with a static public IP and an Azure VPN gateway, allowing users to securely access private VMs in the virtual network. This solution meets the requirement for encrypted traffic across the internet without needing point-to-site access for individual laptops, as the entire branch network is connected via the VPN tunnel.

Exam trap

The trap here is that candidates often confuse private endpoints (Option C) with site-to-site VPNs, thinking private endpoints provide secure connectivity from on-premises, but private endpoints only work for PaaS services within Azure and do not create an encrypted tunnel from a branch office to VMs.

How to eliminate wrong answers

Option A is wrong because a point-to-site VPN configuration is designed for individual user laptops to connect remotely, not for a branch office with a single edge device, and the question explicitly states point-to-site access is not needed. Option C is wrong because a private endpoint is used to securely access Azure PaaS services (e.g., Azure Storage, SQL Database) over a private IP within the virtual network, not to connect a branch office to private VMs; it does not provide encrypted site-to-site connectivity over the internet. Option D is wrong because VNet peering connects two virtual networks within Azure or across regions, not a branch office on-premises network to Azure; it requires both sides to be Azure VNets and does not support on-premises connectivity.

1076
MCQeasy

Based on the exhibit, where should the new subscription be placed so it inherits the production governance baseline automatically?

A.Place the subscription under Prod-MG.
B.Place the subscription under Sandbox-MG.
C.Create a resource group named Finance-Prod instead of assigning a management group.
D.Move the subscription to the tenant root and assign policies later.
AnswerA

Putting the subscription under Prod-MG ensures it inherits the production governance controls assigned there. Management group inheritance is the right tool when central IT wants future subscriptions to receive the same baseline automatically.

Why this answer

Option A is correct because placing the new subscription under the Prod-MG management group ensures it automatically inherits the Azure Policy and RBAC assignments applied at that level. Management groups in Azure allow hierarchical governance, and any subscription within a management group inherits policies and role assignments from that group and all parent groups. This enables consistent enforcement of the production governance baseline without manual configuration.

Exam trap

The trap here is that candidates may think creating a resource group with a descriptive name (like Finance-Prod) is sufficient to apply governance, but Azure governance inheritance only flows through management group hierarchy, not through resource group naming conventions.

How to eliminate wrong answers

Option B is wrong because placing the subscription under Sandbox-MG would inherit the sandbox governance baseline, which typically has relaxed policies and is not intended for production workloads. Option C is wrong because creating a resource group named Finance-Prod does not cause inheritance of management group-level policies; resource groups are containers within a subscription and do not inherit policies from management groups unless the subscription itself is placed under the correct management group. Option D is wrong because moving the subscription to the tenant root would place it directly under the root management group, which may not have the production governance baseline applied, and assigning policies later would require manual effort and would not provide automatic inheritance.

1077
MCQmedium

Based on the exhibit, a VM is protected by Azure Backup. The business wants daily backups at 11:00 PM, retention of daily recovery points for 30 days, and no changes to the existing vault or VM. The current policy already backs up every day but keeps recovery points for only 7 days. What should the administrator modify?

A.Create a new VM and attach the existing backup vault to it.
B.Edit the backup policy and change daily retention to 30 days.
C.Enable soft delete on the vault.
D.Move the VM to another availability zone.
AnswerB

The schedule is already correct, so the only missing setting is retention. Updating the backup policy to keep daily recovery points for 30 days satisfies the requirement without changing the vault or protected item.

Why this answer

Option B is correct because the existing backup policy already performs daily backups at 11:00 PM, but its retention setting for daily recovery points is only 7 days. By editing the policy and changing the daily retention to 30 days, the administrator meets the business requirement without creating a new VM, altering the vault, or modifying the VM itself. Azure Backup policies allow modification of retention durations independently of backup frequency, so this is a straightforward configuration change.

Exam trap

The trap here is that candidates may think they need to create a new policy or modify the VM (e.g., move it to another zone) to change retention, when in fact Azure Backup allows direct editing of the existing policy's retention duration without any other infrastructure changes.

How to eliminate wrong answers

Option A is wrong because creating a new VM and attaching the existing backup vault does not change the retention period of the current backup policy; it would only add a new VM to the same vault, leaving the original VM's retention at 7 days. Option C is wrong because enabling soft delete on the vault protects against accidental deletion of recovery points but does not extend the retention duration of daily backups from 7 to 30 days. Option D is wrong because moving the VM to another availability zone has no effect on backup retention settings; availability zones are for high availability and disaster recovery, not backup policy configuration.

1078
MCQmedium

A three-tier application uses separate web and app VMs. The requirement is to allow only the web tier to reach the app tier on TCP 8080. The app subnet NSG already contains a DenyAllInbound rule at priority 200. What should the administrator do?

A.Create an inbound allow rule for the web ASG to the app ASG on TCP 8080 with priority 150.
B.Move the DenyAllInbound rule to priority 300 so all traffic is blocked first.
C.Add a user-defined route from the web subnet to the app subnet.
D.Associate the web and app NICs with the same application security group.
AnswerA

NSG rules are processed in priority order, where the lowest number wins. To permit only web-tier traffic to the app tier while preserving the deny rule, the allow rule must have a higher precedence than the DenyAllInbound entry. Using application security groups keeps the rule maintainable as VMs scale in or out, and the specific source, destination, and port limit access to exactly the required flow.

Why this answer

Option A is correct because the existing DenyAllInbound rule at priority 200 will block all traffic to the app subnet unless a higher-priority (lower number) allow rule is created. By creating an inbound allow rule for the web Application Security Group (ASG) to the app ASG on TCP 8080 with priority 150, the administrator ensures that traffic from the web tier is explicitly permitted before the deny rule is evaluated, satisfying the requirement.

Exam trap

The trap here is that candidates may think moving the deny rule to a higher priority number (lower priority) will fix the issue, but without an explicit allow rule, traffic remains blocked; or they may confuse user-defined routes (which control routing) with NSG rules (which control filtering).

How to eliminate wrong answers

Option B is wrong because moving the DenyAllInbound rule to priority 300 would make it lower priority, but it would still block all traffic after any higher-priority allow rules; however, this does not solve the problem because no allow rule exists for the web tier, so traffic would still be denied. Option C is wrong because a user-defined route (UDR) controls the next hop for traffic between subnets, not firewall filtering; it does not allow or deny traffic based on port or protocol, so it cannot permit TCP 8080. Option D is wrong because associating both NICs with the same ASG does not create any allow rule; ASGs are used to group VMs for NSG rule application, but without a corresponding allow rule in the NSG, traffic remains blocked by the DenyAllInbound rule.

1079
MCQeasy

Based on the exhibit, what should the administrator configure to meet the storage access requirement?

A.Enable the Microsoft.Storage service endpoint on AppSubnet and allow that subnet on the storage account.
B.Create a private endpoint and disable all public network access.
C.Create a VPN gateway between the subnet and the storage account.
D.Attach a NAT gateway to the subnet and add a route table entry.
AnswerA

A service endpoint lets the subnet reach the storage service over the Azure backbone while the storage account still uses its public endpoint. Combined with the storage account's network rules, access can be restricted to AppSubnet only.

Why this answer

Option A is correct because enabling the Microsoft.Storage service endpoint on AppSubnet allows traffic from that subnet to be routed directly to the storage account over the Azure backbone network, bypassing the internet. By then configuring the storage account firewall to allow access only from that subnet, the administrator ensures that only resources within AppSubnet can access the storage account, meeting the requirement for restricted access.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, assuming private endpoints are always required for secure access, when in fact service endpoints are simpler and sufficient for scenarios where only subnet-level restriction is needed without full network isolation.

How to eliminate wrong answers

Option B is wrong because creating a private endpoint assigns the storage account a private IP address within the virtual network, but disabling all public network access would block any traffic not originating from the private endpoint, which is overly restrictive and not required by the scenario. Option C is wrong because a VPN gateway is used for site-to-site or point-to-site connectivity between on-premises networks and Azure, not for connecting a subnet to a storage account within the same region. Option D is wrong because a NAT gateway provides outbound internet connectivity for a subnet, and adding a route table entry does not restrict inbound access to the storage account; it only controls traffic routing, not access control.

1080
MCQeasy

Based on the exhibit, where should the administrator assign the role so the contractor can start and stop virtual machines only in RG-App and nothing else?

A.Assign the role at the subscription scope so it covers the contractor's work area.
B.Assign the role at the resource group scope for RG-App.
C.Assign the role at the management group scope above the subscription.
D.Assign the role directly to one virtual machine only, because that is always the best scope.
AnswerB

This is the narrowest scope that still reaches all virtual machines inside RG-App. RBAC permissions assigned at the resource group level apply only to resources in that group, which fits the requirement to manage VMs there without affecting RG-Data or RG-Net.

Why this answer

The contractor needs to manage virtual machines only within RG-App. Azure RBAC allows you to assign the Virtual Machine Contributor role at the resource group scope, which grants permissions to start and stop VMs within that specific resource group while preventing access to resources in other resource groups or at higher scopes. Assigning at the subscription or management group level would grant permissions across all resource groups, violating the principle of least privilege.

Exam trap

The trap here is that candidates often assume assigning at the subscription scope is simpler and still 'covers the work area,' failing to recognize that it violates least privilege by granting access to all resource groups, not just RG-App.

How to eliminate wrong answers

Option A is wrong because assigning the role at the subscription scope would grant the contractor permissions to start and stop VMs in all resource groups within the subscription, not just RG-App. Option C is wrong because assigning at the management group scope would apply the role to all subscriptions under that management group, granting far broader access than intended. Option D is wrong because assigning the role directly to a single VM is overly restrictive and impractical for managing multiple VMs, and it is not 'always the best scope'—resource group scope is the appropriate level for this requirement.

1081
MCQeasy

A company has 12 subscriptions under one management group. An external auditor needs Reader access to resources in every current and future subscription under that management group. Where should you assign the role?

A.At each resource group in each subscription
B.At the management group scope
C.At one subscription scope only
D.At one resource scope in the first subscription
AnswerB

A role assignment at the management group scope inherits to all subscriptions and resources below it. Because the requirement includes both current and future subscriptions, the management group is the right place to assign Reader. This centralizes access management and avoids creating separate assignments for each subscription or resource group.

Why this answer

Assigning the Reader role at the management group scope ensures that the external auditor inherits read-only access to all current and future subscriptions under that management group. Role assignments at the management group scope are inherited by all child subscriptions and resource groups, making it the single, scalable solution for the requirement.

Exam trap

The trap here is that candidates may think assigning the role at the subscription scope is sufficient, overlooking the requirement for future subscriptions, or they may incorrectly believe that management group scope assignments do not propagate to child subscriptions.

How to eliminate wrong answers

Option A is wrong because assigning the role at each resource group would require manual updates for every new resource group and does not cover future subscriptions, violating the requirement for automatic inheritance. Option C is wrong because assigning the role at one subscription scope only grants access to that single subscription, not to all current and future subscriptions under the management group. Option D is wrong because assigning the role at one resource scope in the first subscription provides access only to that specific resource, failing to cover any other resources, subscriptions, or future subscriptions.

1082
MCQhard

An administrator is deploying a route-based site-to-site VPN gateway. The GatewaySubnet already exists, but validation fails because the public IP configuration is incompatible with the chosen gateway. Which public IP setup is required for the gateway?

A.A Basic SKU public IP with dynamic allocation.
B.A Basic SKU public IP with static allocation.
C.A Standard SKU public IP with static allocation.
D.A private IP address assigned directly from GatewaySubnet.
AnswerC

Azure VPN gateways require a Standard public IP configuration, and the address must be statically allocated. This is part of the gateway's external-facing connectivity requirement and is validated during deployment. If a Basic or dynamically assigned public IP is selected, gateway creation can fail even when GatewaySubnet already exists and is sized correctly.

Why this answer

For a route-based site-to-site VPN gateway in Azure, the gateway must use a Standard SKU public IP address with static allocation. This is because route-based VPN gateways require the public IP to be statically assigned and the Standard SKU provides the necessary features like availability zones and zone resiliency, which are not supported by the Basic SKU. The Basic SKU public IP is incompatible with route-based VPN gateways, and a private IP from the GatewaySubnet cannot serve as the public endpoint for the VPN connection.

Exam trap

The trap here is that candidates often assume any static public IP will work, overlooking the SKU requirement—Azure specifically mandates Standard SKU for route-based VPN gateways, and Basic SKU is only valid for policy-based gateways or other services like basic load balancers.

How to eliminate wrong answers

Option A is wrong because a Basic SKU public IP with dynamic allocation is not supported for route-based VPN gateways; dynamic allocation can cause the IP to change, breaking the VPN connection, and Basic SKU lacks zone resiliency. Option B is wrong because while static allocation is required, the Basic SKU public IP is still incompatible with route-based VPN gateways due to missing support for active-active mode and availability zones. Option D is wrong because a private IP address from the GatewaySubnet cannot be used as the public endpoint for a site-to-site VPN; the VPN gateway requires a public IP address to establish connectivity over the internet.

1083
Multi-Selectmedium

You are an Azure administrator for a company that is planning to implement a new Azure environment. The company has the following requirements: - Users must be able to sign in using their on-premises Active Directory credentials. - Multi-factor authentication (MFA) must be enforced for all administrative users. - Access to Azure resources must be controlled using role-based access control (RBAC) with custom roles. - Audit logs must be retained for a minimum of three years. Which four of the following solutions should you implement to meet these requirements? Choose all that apply. (There are four correct answers.)

Select 4 answers
.Deploy Azure AD Connect to synchronize identities from on-premises Active Directory to Azure AD.
.Configure Azure AD Conditional Access policy to require MFA for all users in the Global Administrator role.
.Create a custom RBAC role in Azure AD to control access to Azure resources.
.Create a custom RBAC role in Azure Resource Manager to control access to Azure resources.
.Configure diagnostic settings for the Azure AD audit logs to send them to a Log Analytics workspace with a retention policy of 1095 days.
.Configure Azure AD Privileged Identity Management (PIM) to require approval for role activation.

Why this answer

Azure AD Connect synchronizes on-premises Active Directory identities to Azure AD, enabling users to sign in with their on-premises credentials. This meets the requirement for single sign-on using existing directory credentials.

Exam trap

The trap here is confusing Azure AD roles (which manage Azure AD itself) with Azure RBAC roles (which manage Azure resources), leading candidates to incorrectly select 'Create a custom RBAC role in Azure AD' instead of the Azure Resource Manager option.

1084
MCQmedium

The platform team wants every resource deployed in a subscription to include an Environment tag. New resources that do not meet the rule must be blocked, and existing noncompliant resources should appear in compliance reports. What should be configured?

A.An Azure Policy assignment at the subscription scope with a deny effect.
B.A Contributor role assignment at the subscription scope.
C.A resource lock on the subscription.
D.A custom RBAC role that includes tag write permissions.
AnswerA

Azure Policy is the governance feature that evaluates resources against rules, reports compliance, and can block noncompliant deployments when the deny effect is used. Assigning it at the subscription scope applies the rule to all resources in that subscription. This matches the requirement to enforce tagging and to show existing noncompliant resources in compliance views.

Why this answer

Azure Policy with a deny effect at the subscription scope is the correct choice because it enforces a rule that blocks the creation or update of any resource that does not include the required 'Environment' tag. The deny effect actively prevents noncompliant deployments, while the policy itself evaluates existing resources and marks them as noncompliant in compliance reports, meeting both requirements.

Exam trap

The trap here is that candidates often confuse Azure Policy (which enforces rules and blocks noncompliant resources) with RBAC roles (which control permissions) or resource locks (which prevent accidental deletion), failing to recognize that only Azure Policy can both block new noncompliant resources and report on existing ones.

How to eliminate wrong answers

Option B is wrong because a Contributor role assignment grants permissions to create and manage resources but does not enforce any tagging rule or block noncompliant resources; it only provides access control. Option C is wrong because a resource lock on the subscription prevents deletion or modification of the subscription itself, not individual resources, and does not enforce tagging requirements or generate compliance reports. Option D is wrong because a custom RBAC role with tag write permissions allows users to add or modify tags but does not block the creation of resources without the required tag or provide compliance reporting; it only grants the ability to write tags.

1085
MCQeasy

A VM-hosted application must read blobs from an Azure Storage account without storing any secret in code or configuration. Which identity should you enable on the VM?

A.A storage account access key
B.A system-assigned managed identity
C.A shared access signature (SAS) token
D.A local administrator account on the VM
AnswerB

A system-assigned managed identity is tied to the VM and lets the application authenticate to Azure services without storing credentials. Azure can issue tokens for the identity automatically, and the identity is removed when the VM is deleted. This is the simplest credential-free option for a single VM that needs access to Storage or other Azure resources.

Why this answer

A system-assigned managed identity (B) is the correct choice because it allows the VM to authenticate to Azure Storage without storing any credentials in code or configuration. Azure automatically manages the identity's lifecycle and provides a token that the VM can use to access the storage account via Azure AD authentication, eliminating the need for secrets.

Exam trap

The trap here is that candidates may confuse managed identities with SAS tokens or access keys, thinking they need a shared secret for authentication, but Azure AD authentication with managed identities eliminates the need for any stored credentials.

How to eliminate wrong answers

Option A is wrong because a storage account access key is a static secret that must be stored in code or configuration, violating the requirement to avoid storing secrets. Option C is wrong because a shared access signature (SAS) token is a URI-based credential that must be generated and stored, again requiring secret management in code or configuration. Option D is wrong because a local administrator account on the VM is a local credential unrelated to Azure Storage access and cannot authenticate to Azure Storage without storing a password or key.

1086
MCQhard

Your hub virtual network uses 10.40.0.0/16 and the corporate on-premises network uses 10.41.0.0/16. A new spoke VNet must be peered to the hub now and connected to on-premises later. It needs a workload subnet for about 180 hosts and a management subnet for about 50 hosts. Which address space is the best choice for the new spoke?

A.10.40.128.0/17
B.10.41.64.0/18
C.10.42.0.0/23
D.10.42.0.0/24
AnswerC

This avoids overlap and provides enough space to split into one /24 and one smaller subnet cleanly.

Why this answer

Option C (10.42.0.0/23) is correct because it provides 512 total IP addresses (510 usable), which is sufficient for the 180-host workload subnet and 50-host management subnet, while avoiding overlap with both the hub VNet (10.40.0.0/16) and the on-premises network (10.41.0.0/16). The /23 prefix allows splitting into two /24 subnets (e.g., 10.42.0.0/24 for workload and 10.42.1.0/24 for management), meeting the host requirements without wasting address space.

Exam trap

The trap here is that candidates often choose a /24 (Option D) thinking it is sufficient for 230 hosts, forgetting that Azure reserves 5 IPs per subnet and that two separate subnets are needed, making the /24 too small for both workload and management subnets combined.

How to eliminate wrong answers

Option A is wrong because 10.40.128.0/17 overlaps with the hub VNet's 10.40.0.0/16 address space, which would cause a peering conflict since Azure VNet peering requires non-overlapping address spaces. Option B is wrong because 10.41.64.0/18 overlaps with the on-premises network's 10.41.0.0/16, which would prevent future VPN/ExpressRoute connectivity due to overlapping IP ranges. Option D is wrong because 10.42.0.0/24 provides only 256 total IP addresses (251 usable after Azure reserved addresses), which is insufficient for 180 + 50 = 230 hosts, leaving no room for growth or subnetting.

1087
MCQmedium

A public web application runs on two Windows Server VMs in Azure. Users connect through a single public IP on TCP 443, and the solution must distribute traffic only to healthy VMs without requiring Layer 7 features such as URL-based routing. Which Azure service should the administrator deploy?

A.Azure Application Gateway.
B.Azure Load Balancer Standard.
C.Azure Traffic Manager.
D.Azure Front Door.
AnswerB

A Standard Load Balancer is the right fit for distributing TCP 443 traffic to healthy backend VMs using a single public IP at Layer 4. It supports health probes and works well for internet-facing workloads that do not need application-level routing. Because the scenario specifically excludes Layer 7 features, the load balancer provides the simplest and most cost-effective design while still meeting availability and traffic distribution requirements.

Why this answer

Azure Load Balancer Standard is the correct choice because it operates at Layer 4 (TCP/UDP) and distributes incoming traffic across healthy VM instances based on a single public IP address and port (TCP 443). It performs health probes to ensure traffic is only sent to healthy backend VMs, and it does not require any Layer 7 features like URL-based routing, making it ideal for this scenario.

Exam trap

The trap here is that candidates often confuse Azure Application Gateway with Azure Load Balancer, assuming that any web traffic requires Layer 7 features, but the question explicitly states no Layer 7 features are needed, making the Layer 4 Load Balancer the correct and simpler choice.

How to eliminate wrong answers

Option A is wrong because Azure Application Gateway is a Layer 7 load balancer that provides URL-based routing, SSL termination, and web application firewall features, which are not required and add unnecessary complexity for simple TCP 443 traffic distribution. Option C is wrong because Azure Traffic Manager is a DNS-based traffic load balancer that routes traffic based on DNS resolution and does not distribute traffic directly to VMs via a single public IP; it operates at the DNS level, not at the network layer for real-time health-based distribution. Option D is wrong because Azure Front Door is a global Layer 7 load balancer and application delivery network that provides URL-based routing, SSL offload, and web application firewall capabilities, which are overkill for a simple Layer 4 load-balancing requirement and do not fit the constraint of avoiding Layer 7 features.

1088
MCQmedium

A company plans a new spoke virtual network that must be peered to an existing hub VNet using 10.0.0.0/16. The spoke will need two subnets: one sized for about 120 VMs and another for about 40 VMs. The new address space must not overlap the hub or the on-premises range 10.1.0.0/16. Which VNet address space is the best choice?

A.10.0.1.0/24
B.10.1.0.0/22
C.10.2.0.0/22
D.10.0.0.0/24
AnswerC

This address space does not overlap the hub or on-premises ranges and is large enough to carve out two usable subnets for the workload. A /22 gives room for multiple subnets and future growth, which is important when planning a spoke that needs to host dozens or hundreds of VMs. It is a practical choice for peering compatibility and capacity.

Why this answer

Option C (10.2.0.0/22) is correct because it provides a non-overlapping address space with the hub VNet (10.0.0.0/16) and on-premises (10.1.0.0/16). The /22 prefix offers 1024 IP addresses, which is sufficient for subnets supporting 120 VMs and 40 VMs, while avoiding any overlap with the existing ranges.

Exam trap

The trap here is that candidates often overlook the hub VNet's address space (10.0.0.0/16) and incorrectly assume a smaller subnet like 10.0.1.0/24 is safe, not realizing it falls within the hub's larger CIDR range.

How to eliminate wrong answers

Option A is wrong because 10.0.1.0/24 overlaps with the hub VNet 10.0.0.0/16 (since 10.0.1.0 is within the 10.0.0.0/16 range), violating the non-overlap requirement. Option B is wrong because 10.1.0.0/22 overlaps with the on-premises range 10.1.0.0/16, which is explicitly prohibited. Option D is wrong because 10.0.0.0/24 overlaps with the hub VNet 10.0.0.0/16, and it is too small (only 256 addresses) to accommodate the required 160+ VMs across two subnets.

1089
MCQmedium

Based on the exhibit, which deployment change best meets the resilience requirement for the application VMs?

A.Keep both VMs in the same availability set to spread them across update domains only.
B.Place each VM in a different availability zone and keep the load balancer in front.
C.Deploy both VMs into a proximity placement group to reduce latency between them.
D.Move the VMs into a single availability set and add more managed disks for redundancy.
AnswerB

Availability zones provide isolation across datacenters within the same region. By placing the two VMs in different zones, the workload can continue if one zone or datacenter becomes unavailable. The load balancer can direct traffic to the surviving VM. This design matches the stated requirement more closely than an availability set, which only spreads VMs across fault and update domains inside a single datacenter cluster.

Why this answer

Option B is correct because deploying each VM into a different availability zone ensures that the VMs are physically separated across distinct data centers within an Azure region, protecting against zone-level failures. The load balancer in front distributes traffic across the VMs, providing high availability even if one zone goes offline. This meets the resilience requirement by eliminating a single point of failure at the data center level.

Exam trap

The trap here is that candidates often confuse availability sets (which protect against rack-level failures within a single data center) with availability zones (which protect against full data center outages), leading them to choose Option A thinking it provides sufficient resilience.

How to eliminate wrong answers

Option A is wrong because keeping both VMs in the same availability set only spreads them across update domains (to handle planned maintenance) and fault domains (to handle rack-level failures), but it does not protect against a full data center or zone outage—both VMs could still be in the same zone. Option C is wrong because a proximity placement group is designed to reduce network latency between VMs by keeping them close together, which actually increases the risk of simultaneous failure and does not improve resilience. Option D is wrong because moving VMs into a single availability set and adding more managed disks does not provide zone-level redundancy; additional disks do not protect against VM or zone failure, and the VMs remain vulnerable to a single data center outage.

1090
Multi-Selectmedium

A data-processing app reads blobs immediately after upload, and operations do not want any rehydration delay. Which three access tiers can be read directly? Select three.

Select 3 answers
A.Hot
B.Cool
C.Cold
D.Archive
E.Premium
AnswersA, B, C

Correct. Hot blobs remain online and can be read immediately without a restore operation.

Why this answer

The Hot, Cool, and Cold access tiers are designed for online data access, meaning blobs stored in these tiers can be read immediately without any rehydration delay. This is because the data is always stored on high-throughput, low-latency media and is immediately available for read operations. In contrast, the Archive tier requires a rehydration process (which can take hours) before data can be accessed, making it unsuitable for scenarios where blobs must be read immediately after upload.

Exam trap

The trap here is that candidates often confuse the Cold tier with the Archive tier, assuming Cold also requires rehydration, or they mistakenly think the Premium tier is an access tier like Hot/Cool/Cold, when in fact it is a performance tier for premium block blob accounts and not a blob-level access tier.

1091
MCQeasy

In Log Analytics, you need to find AzureActivity records for VM stop or deallocate operations from the last 24 hours. Which query should you use?

A.AzureActivity | where TimeGenerated > ago(24h) | where OperationNameValue has_any ("Microsoft.Compute/virtualMachines/deallocate/action", "Microsoft.Compute/virtualMachines/powerOff/action")
B.AzureActivity | summarize count() by OperationNameValue
C.AzureActivity | where ResourceType == "Microsoft.Compute/virtualMachines" | project TimeGenerated, ResourceGroup
D.AzureActivity | sort by TimeGenerated asc
AnswerA

This query filters the AzureActivity table to the last 24 hours and then matches the VM stop-related operations you need to review.

Why this answer

Option A is correct because it uses the `has_any` operator to filter AzureActivity records for the exact operation names corresponding to VM stop (powerOff) and deallocate actions, and it restricts the time range to the last 24 hours using `ago(24h)`. This directly matches the requirement to find VM stop or deallocate operations within the specified timeframe.

Exam trap

The trap here is that candidates may confuse the `has_any` operator with `contains` or `in`, or forget to include the time filter, leading them to select options that either don't filter by operation type or don't restrict the time window.

How to eliminate wrong answers

Option B is wrong because it summarizes counts by OperationNameValue without any time filter or specific operation filtering, so it returns a count of all operation types, not just stop/deallocate from the last 24 hours. Option C is wrong because it filters by ResourceType and projects TimeGenerated and ResourceGroup, but does not filter for stop/deallocate operations or restrict to the last 24 hours, so it returns all VM-related activities regardless of operation. Option D is wrong because it simply sorts all AzureActivity records by TimeGenerated ascending without any filtering for operation type or time range, so it does not isolate the required records.

1092
MCQmedium

Three Azure VMs run the same scheduled script and must access both Storage and Key Vault. The team wants one identity that can be reused if a VM is rebuilt, and they do not want the identity tied to a single machine. What should the administrator create?

A.A system-assigned managed identity on each virtual machine.
B.A service principal with a certificate file copied to each VM.
C.A user-assigned managed identity attached to all three virtual machines.
D.A shared access signature for each storage account and Key Vault access policy.
AnswerC

A user-assigned managed identity can be shared across multiple VMs and reused independently of any one VM.

Why this answer

A user-assigned managed identity is the correct choice because it is an independent Azure resource that can be assigned to multiple VMs, persists independently of any single VM's lifecycle, and can be reused when a VM is rebuilt. This identity provides seamless authentication to both Storage and Key Vault without managing credentials, meeting the requirement for a reusable, non-machine-tied identity.

Exam trap

The trap here is that candidates often confuse system-assigned and user-assigned managed identities, incorrectly assuming that system-assigned identities can be shared across VMs or persist after VM deletion, when in fact only user-assigned identities are independent, reusable resources.

How to eliminate wrong answers

Option A is wrong because a system-assigned managed identity is tied to the lifecycle of a single VM—if the VM is deleted, the identity is also deleted, and it cannot be reused across multiple VMs. Option B is wrong because a service principal with a certificate file requires manual certificate management, rotation, and secure distribution to each VM, violating the 'no identity tied to a single machine' requirement and adding operational overhead. Option D is wrong because a shared access signature (SAS) provides delegated access to a specific storage account but cannot be used for Key Vault authentication, and it exposes a token that must be securely stored and rotated, not a reusable identity.

1093
MCQhard

A storage account has public network access disabled. A VM in VNet-Prod must reach Blob storage by using the storage account name, but nslookup from the VM still returns the public endpoint address. What should the administrator do?

A.Enable a service endpoint for Microsoft.Storage on the subnet and keep public network access disabled.
B.Create a private endpoint for the blob service and link the private DNS zone to VNet-Prod.
C.Add an inbound NSG rule that allows TCP 443 from the VM to the storage account.
D.Turn on the trusted Microsoft services exception for the storage account firewall.
AnswerB

A private endpoint gives Blob storage a private IP in the virtual network, and the private DNS zone ensures the storage account name resolves to that private address. Both pieces are required when public access is disabled and clients must connect by name.

Why this answer

Option B is correct because the VM's nslookup returns the public endpoint address, indicating that DNS resolution is not pointing to the private IP of the storage account. Creating a private endpoint for the blob service assigns a private IP from the VNet-Prod subnet to the storage account, and linking a private DNS zone (privatelink.blob.core.windows.net) to VNet-Prod ensures that DNS queries from the VM resolve the storage account name to that private IP, bypassing the public endpoint entirely.

Exam trap

The trap here is that candidates confuse service endpoints (which only provide source IP preservation and routing over the Azure backbone) with private endpoints (which provide a private IP and DNS resolution change), leading them to choose Option A incorrectly.

How to eliminate wrong answers

Option A is wrong because enabling a service endpoint for Microsoft.Storage on the subnet does not change DNS resolution; it only routes traffic to the public IP of the storage service via the Azure backbone, but nslookup would still return the public endpoint address, not a private IP. Option C is wrong because adding an inbound NSG rule allowing TCP 443 from the VM to the storage account is irrelevant—the issue is DNS resolution, not network security; the VM can already reach the public endpoint if allowed, but the goal is to use the storage account name with a private IP. Option D is wrong because turning on the trusted Microsoft services exception allows specific Azure services (e.g., Azure Backup) to bypass the firewall, but it does not change DNS resolution or provide a private IP for the VM to connect via the storage account name.

1094
Multi-Selecthard

An Azure Automation account is recreated periodically during a migration project. Runbooks must authenticate to Azure resources without embedded secrets, and the identity must continue to work after the account is rebuilt. Which two choices should you make? Select two.

Select 2 answers
A.Use a user-assigned managed identity so the identity is independent of the Automation account lifecycle.
B.Grant the managed identity the required Azure RBAC roles on the target resources or resource groups.
C.Use a service principal with a client secret stored in an encrypted Automation variable.
D.Use a system-assigned managed identity attached to the Automation account because it is always reusable after recreation.
E.Store a storage account key in a runbook asset and retrieve it at runtime.
AnswersA, B

A user-assigned managed identity is not tied to one specific Automation account instance. That makes it resilient when the account is recreated during migration or recovery activities. It also avoids storing passwords or secrets in the runbook, which satisfies the secure automation requirement.

Why this answer

Option A is correct because a user-assigned managed identity exists as a standalone Azure resource independent of the Automation account's lifecycle. When the Automation account is recreated, you can reassign the same user-assigned managed identity to the new account, preserving the identity's object ID and its RBAC role assignments. This ensures that runbooks can authenticate without embedded secrets and continue to work seamlessly after the account is rebuilt.

Exam trap

The trap here is that candidates often assume a system-assigned managed identity is reusable after account recreation, but they fail to recognize that its object ID changes upon deletion and recreation, breaking existing RBAC assignments.

1095
Matchingmedium

Match each workload requirement to the Azure storage account kind that best fits it.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

General-purpose v2

FileStorage

BlockBlobStorage

BlobStorage

Why these pairings

Each storage kind is tailored for specific workloads: GPv2 is the default, BlockBlobStorage for high throughput, FileStorage for premium files, and others for legacy or specialized needs.

1096
MCQeasy

A team wants an email and SMS notification whenever the average CPU on a production VM stays above 85% for 10 minutes. The same notification setup may be reused by other alerts later. Which Azure feature should you configure?

A.Metric alert rule
B.Action group
C.Diagnostic setting
D.Resource lock
AnswerB

An action group sends the email and SMS notifications and can be reused across multiple alerts.

Why this answer

B is correct because an Action Group is the Azure component that defines the notification actions (email, SMS, webhook, etc.) to be triggered when an alert fires. The question specifies that the same notification setup should be reusable by other alerts later, which is exactly the purpose of an Action Group: it decouples the notification configuration from the alert rule itself. You would create a Metric Alert Rule to monitor the CPU metric, but that rule references an Action Group to send the email and SMS.

Exam trap

The trap here is that candidates confuse the alert rule (which detects the condition) with the action group (which handles the notification), often selecting Metric Alert Rule thinking it directly sends emails/SMS, when in fact it only triggers the action group.

How to eliminate wrong answers

Option A is wrong because a Metric Alert Rule defines the condition (average CPU > 85% for 10 minutes) and the scope, but it does not itself send notifications; it must reference an Action Group to perform the email/SMS actions. Option C is wrong because a Diagnostic Setting is used to stream platform logs and metrics to destinations like Log Analytics, Storage, or Event Hubs, not to send real-time notifications for threshold breaches. Option D is wrong because a Resource Lock prevents accidental deletion or modification of a resource, and has no role in monitoring or alerting.

1097
MCQmedium

An Azure virtual machine was moved to a host that is experiencing intermittent issues. You need to move the VM to a different Azure host while keeping the existing managed disks and configuration. Which action should you perform?

A.Stop
B.Restart
C.Redeploy
D.Capture
AnswerC

Redeploy moves the VM to a new host while preserving its disks and configuration.

Why this answer

Redeploying the VM (Option C) is the correct action because it moves the VM to a new Azure host node while preserving the existing managed disks, virtual network, and configuration. The Azure platform automatically selects a healthy host, resolves transient hardware issues, and maintains the VM's identity and associated resources.

Exam trap

The trap here is that candidates confuse 'Stop' (which deallocates but may not change the host) with 'Redeploy' (which explicitly forces a host migration), or they mistakenly think 'Restart' is sufficient to fix hardware issues when it only reboots the OS on the same faulty host.

How to eliminate wrong answers

Option A (Stop) is wrong because stopping the VM only deallocates it, releasing the compute resources but not forcing a migration to a different host; the VM may be placed back on the same problematic host when started. Option B (Restart) is wrong because a restart simply reboots the OS on the same host, which does not address underlying host hardware issues. Option D (Capture) is wrong because capturing creates a generalized image of the VM, which is intended for creating new VMs from a template, not for moving an existing VM to a different host while retaining its current state and configuration.

1098
Multi-Selectmedium

A project team expects frequent joiners and leavers. The same Azure permissions are needed for all members of the team, and you want to avoid editing role assignments for each person. Which two actions best meet the requirement? Select two.

Select 2 answers
A.Create a security group for the project team.
B.Assign the Azure roles to the group instead of individual users.
C.Assign the same roles directly to every user account.
D.Use guest accounts for all team members.
E.Assign the roles to a service principal shared by the team.
AnswersA, B

A security group gives you one identity container for the whole team, so membership changes do not require role assignment changes each time.

Why this answer

Option A is correct because creating a security group allows you to manage permissions collectively rather than individually. By adding or removing users from the group as joiners and leavers occur, you avoid editing role assignments for each person. This aligns with Azure AD group-based licensing and RBAC best practices for dynamic teams.

Exam trap

The trap here is that candidates may think assigning roles directly to users (Option C) is simpler, but they overlook the administrative overhead of managing individual assignments for frequent joiners and leavers.

1099
MCQmedium

During a change freeze, the operations team wants to prevent accidental deletion of a production resource group and everything in it. They still need to update VM settings, change tags, and modify network rules. Which lock should be applied?

A.Apply a ReadOnly lock to the resource group.
B.Apply a CanNotDelete lock to the resource group.
C.Assign the Reader role to all operators.
D.Assign an Azure Policy deny assignment at the subscription.
AnswerB

CanNotDelete is the correct lock because it blocks deletion while still allowing normal update operations. That means the team can continue to change VM settings, update tags, and manage networking during the freeze, but they cannot accidentally delete the protected resource group or its child resources. It is the standard choice when preservation is required without freezing all management activity.

Why this answer

The CanNotDelete lock (Option B) prevents deletion of the resource group and all resources within it, while still allowing read and update operations such as modifying VM settings, changing tags, and updating network rules. This lock type is specifically designed to protect against accidental deletion during a change freeze without blocking management operations.

Exam trap

The trap here is that candidates often confuse ReadOnly locks with CanNotDelete locks, assuming that any lock will block all changes, but the key distinction is that ReadOnly locks block all write operations (including updates), whereas CanNotDelete locks only block deletion, allowing the required modifications.

How to eliminate wrong answers

Option A is wrong because a ReadOnly lock prevents all write operations, including the needed updates to VM settings, tags, and network rules, which would block the operations team's required changes. Option C is wrong because assigning the Reader role to all operators prevents any modifications (write operations) entirely, as Reader only allows read access, not updates. Option D is wrong because an Azure Policy deny assignment at the subscription level is a broader governance tool that can block specific resource types or configurations, but it does not provide a simple, targeted lock against deletion of a single resource group and its contents; it also requires custom policy definitions and can inadvertently block other operations.

1100
MCQmedium

You need to give a third-party auditor temporary read-only access to specific blobs in a container without sharing the storage account keys. Which feature should you use?

A.A storage account key
B.A shared access signature (SAS)
C.A resource lock
D.Blob versioning
AnswerB

A SAS provides scoped, time-limited access without exposing the account keys.

Why this answer

A shared access signature (SAS) is the correct choice because it provides delegated, time-limited, and permission-restricted access to specific Azure Storage resources—in this case, blobs—without exposing the storage account keys. You can generate a service-level SAS token scoped to individual blobs with read-only permissions and an expiration time, allowing the auditor to access only the required blobs. This meets the requirement for temporary, read-only access while maintaining security and granular control.

Exam trap

The trap here is that candidates often confuse resource locks (which prevent deletion) with access control mechanisms, or mistakenly think blob versioning provides access delegation, when in fact only SAS tokens offer granular, time-bound, and keyless access to specific blobs.

How to eliminate wrong answers

Option A is wrong because sharing a storage account key grants full administrative access to the entire storage account, including all containers, blobs, and operations, which violates the principle of least privilege and is not temporary or read-only. Option C is wrong because a resource lock prevents accidental deletion or modification of resources at the subscription, resource group, or resource level, but it does not provide any form of delegated access or authentication to data within a storage account. Option D is wrong because blob versioning maintains previous versions of blobs for data protection and recovery, but it does not grant access permissions or control who can read specific blobs.

1101
MCQeasy

A development VM is rebuilt often and does not need its operating system disk contents to survive deallocation. The team wants the lowest practical disk latency for the OS. Which disk option should the administrator choose?

A.Standard HDD managed disk
B.Ephemeral OS disk
C.Geo-redundant storage for the OS disk
D.A data disk formatted as the boot disk
AnswerB

An ephemeral OS disk is stored on the host and offers very low latency, which fits temporary or rebuildable VMs.

Why this answer

Ephemeral OS disks use the local VM storage (SSD) rather than Azure managed disks, providing the lowest latency for OS read/write operations. Since the VM is rebuilt often and disk persistence is not required, the ephemeral disk is ideal because its contents are lost when the VM is deallocated, eliminating the need for a separate managed disk.

Exam trap

The trap here is that candidates often choose Standard HDD (Option A) thinking it is the cheapest option, but they overlook that 'lowest practical disk latency' explicitly requires performance, not cost, and that Ephemeral OS disks provide both low latency and zero cost for the OS disk itself (since it uses local storage).

How to eliminate wrong answers

Option A is wrong because Standard HDD managed disks have significantly higher latency compared to local SSD storage, making them unsuitable for the lowest practical disk latency requirement. Option C is wrong because geo-redundant storage (GRS) is a replication option for managed disks that increases latency due to asynchronous replication across regions and does not address the need for low latency; it also persists data unnecessarily for a non-persistent workload. Option D is wrong because a data disk formatted as the boot disk is not a supported Azure configuration; the OS disk must be attached as the boot disk, and using a data disk for boot would require custom, unsupported setups that do not provide lower latency than an ephemeral OS disk.

1102
MCQeasy

You deploy a Windows Server VM and need to run several PowerShell commands after deployment without signing in to the VM. Which Azure feature should you use?

A.Use the Custom Script Extension on the VM.
B.Put the VM in an availability zone.
C.Attach a managed identity and rely on Azure Policy.
D.Create a snapshot before startup.
AnswerA

The Custom Script Extension runs commands inside the guest after deployment and does not require interactive sign-in.

Why this answer

The Custom Script Extension (CSE) is the correct Azure feature because it allows you to run PowerShell or Bash scripts on a VM after deployment without requiring interactive sign-in. It executes the script via the Azure VM Agent, which runs as a local system process, making it ideal for post-deployment configuration tasks like installing software or running commands.

Exam trap

The trap here is confusing post-deployment script execution with other VM management features like availability zones or managed identities, which serve entirely different purposes (high availability and authentication, respectively).

How to eliminate wrong answers

Option B is wrong because availability zones are a high-availability feature that protects VMs from datacenter failures, not a mechanism for executing scripts. Option C is wrong because managed identities provide Azure AD authentication for accessing Azure resources, not a way to run scripts on a VM; Azure Policy enforces compliance rules but does not execute scripts. Option D is wrong because a snapshot captures the disk state for backup or recovery, not for running commands after deployment.

1103
Matchingeasy

Match each image or placement term to the administrator need it supports.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Used to deploy multiple new VMs from a prepared standard build.

Used to create a new VM that keeps the source machine's existing state.

Helps protect against host or maintenance failures inside one datacenter.

Helps protect against a full datacenter outage in a region.

Why these pairings

Availability Set protects against rack failures; Availability Zone protects against datacenter failures; Proximity Placement Group reduces latency; Scale Set provides auto-scaling; VNet isolates network; Load Balancer distributes traffic.

1104
MCQmedium

A storage account has a private endpoint in VNet A. A VM in peered VNet B can reach the storage account by private IP, but when the VM resolves the storage account name it still gets the public IP address. What should be configured so the name resolves to the private IP from VNet B?

A.Create a new storage account in VNet B.
B.Link the private DNS zone for the storage service to VNet B.
C.Add an inbound NSG rule allowing DNS traffic from VNet B.
D.Replace the private endpoint with a service endpoint.
AnswerB

The private endpoint depends on DNS so clients resolve the service name to the private IP. Linking the private DNS zone to VNet B enables that name resolution from the peered network.

Why this answer

When a private endpoint is created in VNet A, a private DNS zone (e.g., `privatelink.blob.core.windows.net`) is automatically linked to VNet A, enabling name resolution to the private IP within that VNet. However, VNet B is peered but not linked to that private DNS zone, so VMs in VNet B continue to resolve the storage account name via public DNS, returning the public IP. By linking the private DNS zone to VNet B, the VM will resolve the storage account name to the private IP address of the private endpoint.

Exam trap

The trap here is that candidates assume peering automatically extends DNS resolution for private endpoints, but peering only provides network connectivity—DNS zone linking is a separate, required configuration step.

How to eliminate wrong answers

Option A is wrong because creating a new storage account in VNet B does not solve the DNS resolution issue; the VM in VNet B still needs to resolve the original storage account name to a private IP. Option C is wrong because NSG rules control network traffic filtering, not DNS resolution; DNS traffic is already allowed by default, and adding an inbound NSG rule for DNS does not change how the VM resolves the storage account name. Option D is wrong because replacing the private endpoint with a service endpoint would expose the storage account to the internet via a public IP (though restricted by service endpoint policies), and it does not provide private IP resolution across peered VNets; service endpoints do not use private DNS zones for name resolution.

1105
MCQmedium

A contractor working from home needs temporary access to internal Azure resources. There is no on-premises network to connect, and you do not want to expose the resources publicly. Which connectivity option should you deploy?

A.Site-to-site VPN, because it is the standard option for any remote access.
B.Point-to-site VPN, because it connects an individual client to the virtual network.
C.VNet peering, because it can securely connect any remote device to Azure.
D.ExpressRoute, because it is the simplest option for temporary contractor access.
AnswerB

Point-to-site is designed for individual devices and provides private access without publishing the workload publicly.

Why this answer

A Point-to-Site (P2S) VPN is the correct choice because it allows an individual client computer to establish a secure, encrypted connection to an Azure virtual network over the public internet using SSTP, IKEv2, or OpenVPN protocols. This meets the requirement of temporary remote access without exposing resources publicly, as the connection is initiated from the client and authenticated via certificates or Azure AD.

Exam trap

The trap here is that candidates often confuse Point-to-Site VPN with Site-to-Site VPN, assuming any VPN requires a physical device on-premises, or they overcomplicate the solution by choosing ExpressRoute for its perceived security, ignoring the temporary and individual nature of the access requirement.

How to eliminate wrong answers

Option A is wrong because Site-to-Site VPN requires a VPN device on a local on-premises network to establish a persistent tunnel between two networks, which does not exist in this scenario. Option C is wrong because VNet peering connects two Azure virtual networks, not individual remote devices, and requires both VNets to be in Azure. Option D is wrong because ExpressRoute is a dedicated private connection between an on-premises network and Azure, which is complex, expensive, and unsuitable for temporary individual contractor access.

1106
MCQhard

A virtual machine named VM-App01 hosts a critical internal application. You need to protect the VM so that it can be restored if the VM is deleted or corrupted. The solution must provide centralized backup management and retention policies. What should you use?

A.Azure Backup with a Recovery Services vault.
B.Managed disk snapshots only.
C.Azure Site Recovery only.
D.Boot diagnostics.
AnswerA

This provides centralized VM protection, retention policies, and restore capabilities.

Why this answer

Azure Backup with a Recovery Services vault is the correct choice because it provides centralized backup management, configurable retention policies, and the ability to restore a VM even if it is deleted or corrupted. Unlike snapshots, Azure Backup stores backups in a separate vault, supports application-consistent backups via the Volume Shadow Copy Service (VSS), and offers long-term retention with backup policies.

Exam trap

The trap here is that candidates often confuse Azure Backup (for backup and retention) with Azure Site Recovery (for disaster recovery), or assume that disk snapshots alone are sufficient for full VM recovery, ignoring the need for centralized management and retention policies.

How to eliminate wrong answers

Option B is wrong because managed disk snapshots are stored in the same region as the source disk, do not provide centralized management or retention policies, and cannot restore a VM if the VM itself is deleted (snapshots are tied to the disk, not the VM configuration). Option C is wrong because Azure Site Recovery is designed for disaster recovery and replication to a secondary region, not for backup with retention policies or restoration from accidental deletion or corruption. Option D is wrong because boot diagnostics captures serial console logs and screenshots for troubleshooting boot failures, not backup or restore capabilities.

1107
MCQmedium

You need to deploy 25 identical Azure virtual machines for a web application and scale the number of instances automatically based on CPU demand. Which Azure compute feature should you use?

A.An availability set
B.A Virtual Machine Scale Set
C.A Recovery Services vault
D.Boot diagnostics
AnswerB

VM Scale Sets provide group deployment and autoscaling for identical virtual machines.

Why this answer

A Virtual Machine Scale Set (VMSS) is the correct Azure compute feature because it allows you to deploy and manage a group of identical, load-balanced VMs whose number can automatically increase or decrease in response to CPU demand using autoscale rules. This directly meets the requirement for 25 identical VMs with automatic scaling based on CPU metrics.

Exam trap

The trap here is that candidates often confuse an availability set (which provides high availability) with a Virtual Machine Scale Set (which provides both identical deployment and autoscaling), leading them to select Option A because they focus on the 'identical VMs' requirement without recognizing that autoscaling is the key differentiator.

How to eliminate wrong answers

Option A is wrong because an availability set is a logical grouping of VMs that protects against hardware failures within a datacenter by distributing VMs across fault domains and update domains, but it does not provide any automatic scaling capability or the ability to deploy identical instances as a single unit. Option C is wrong because a Recovery Services vault is a storage entity in Azure used for backup and disaster recovery data (such as Azure Backup and Azure Site Recovery), not for deploying or scaling compute resources. Option D is wrong because boot diagnostics is a feature that enables troubleshooting of VM boot failures by capturing serial console output and screenshots; it has no role in deploying multiple VMs or scaling them automatically.

1108
MCQmedium

Why is centralized logging valuable during security incident response?

A.It makes related events from many devices easier to collect and correlate.
B.It guarantees that attacks cannot succeed.
C.It replaces access control mechanisms.
D.It forces all systems to use one VLAN.
AnswerA

This is correct because centralized visibility is the main investigative benefit.

Why this answer

Centralized logging aggregates logs from multiple sources (e.g., Azure VMs, network security groups, Azure Firewall) into a single repository like Azure Log Analytics or Azure Sentinel. This correlation enables security analysts to identify patterns across devices, such as a chain of events from an initial breach to lateral movement, which is critical for incident response. Without centralization, manually correlating timestamps and log formats from disparate systems would be impractical during an active attack.

Exam trap

The trap here is that candidates may think centralized logging is a security control that prevents attacks (like a firewall or IDS), rather than recognizing it as a detective control that aids in post-incident analysis and correlation.

Why the other options are wrong

B

This option is wrong because centralized logging does not prevent attacks; it merely helps in detecting and analyzing them after they occur. Security measures must be implemented to actually prevent attacks from succeeding.

C

This option is wrong because centralized logging does not replace access control mechanisms; rather, it complements them by providing visibility into access attempts and security events. Access control mechanisms are essential for determining who can access what resources, independent of logging.

D

Option D is incorrect because centralized logging does not dictate network architecture or enforce VLAN configurations; it focuses on aggregating log data for analysis. Centralized logging can operate across different VLANs without forcing all systems into a single VLAN.

1109
MCQmedium

A company wants to enforce three controls across all current and future subscriptions under a management group: allowed Azure regions, a required cost center tag, and approved VM SKUs. Central IT wants a single assignment and consolidated compliance reporting. What should they use?

A.Three separate policy assignments at each subscription scope.
B.One initiative assignment at the management group scope.
C.A resource lock on the management group to prevent noncompliant deployments.
D.A custom RBAC role assigned to the management group.
AnswerB

An initiative groups multiple related policies into one assignable unit. Assigning it at the management group scope ensures the controls apply to all current and future subscriptions beneath it, while keeping compliance reporting centralized and easier to manage.

Why this answer

An initiative (policy set) at the management group scope allows you to bundle multiple policy definitions (allowed regions, required tag, approved VM SKUs) into a single assignment. This ensures the controls apply to all current and future subscriptions under that management group, and Azure Policy provides consolidated compliance reporting at the management group level, meeting the requirement for a single assignment and unified view.

Exam trap

The trap here is that candidates often confuse resource locks or RBAC with policy-based governance, thinking they can enforce allowed configurations through access control or locks, but only Azure Policy (via initiatives) can evaluate and enforce resource properties like regions, tags, and SKUs.

How to eliminate wrong answers

Option A is wrong because three separate policy assignments at each subscription scope would require manual management for every subscription, fail to automatically cover future subscriptions, and would not provide consolidated compliance reporting across all subscriptions from a single view. Option C is wrong because a resource lock prevents deletion or modification of resources but does not enforce compliance controls like allowed regions, tags, or VM SKUs; it is an operational safeguard, not a governance policy. Option D is wrong because a custom RBAC role controls who can perform actions, not what resources are compliant; it cannot enforce allowed regions, required tags, or approved VM SKUs, and it does not provide compliance reporting.

1110
Multi-Selectmedium

Which three of the following are valid ways to achieve high availability for a virtual machine workload running in Azure? (Choose three.)

Select 3 answers
.Deploy the VM inside an Availability Set with two or more VMs.
.Use an Availability Zone by deploying VMs into different zones within the same region.
.Configure a VM Scale Set with a minimum instance count of 2 and spread across fault domains.
.Assign a public IP address to each VM to enable load balancing.
.Set the VM’s operating system disk to a Premium SSD tier to reduce disk latency.
.Enable Azure Backup on the VM to protect against regional disasters.

Why this answer

Deploying a VM inside an Availability Set with two or more VMs ensures high availability by placing the VMs across multiple fault domains and update domains within a single Azure datacenter. This protects against hardware failures and planned maintenance events, as at least one VM remains available during an outage or update cycle.

Exam trap

The trap here is confusing high-availability mechanisms (like redundancy and automatic failover) with performance improvements (Premium SSD) or data protection (Azure Backup), leading candidates to select options that improve speed or recovery but do not ensure continuous uptime.

1111
Multi-Selecthard

A storage account already has a private endpoint for Blob service in a VNet. Virtual machines in AppSubnet still resolve the account name to the public endpoint, so traffic never reaches the private IP. Which two actions should the administrator take? Select two.

Select 2 answers
A.Create a private DNS zone for privatelink.blob.core.windows.net.
B.Link the private DNS zone to the VNet used by AppSubnet.
C.Enable a service endpoint for Microsoft.Storage on the subnet.
D.Set the storage account firewall to Selected networks without a private endpoint.
E.Assign a static public IP to the private endpoint.
AnswersA, B

The private DNS zone maps the blob service name to the private endpoint namespace for name resolution.

Why this answer

Option A is correct because a private DNS zone for `privatelink.blob.core.windows.net` is required to override the default public DNS resolution for the storage account. When a private endpoint is created, the storage account's FQDN (e.g., `mystorageaccount.blob.core.windows.net`) must resolve to the private IP address of the endpoint within the VNet. Without this DNS zone, the VM in AppSubnet will continue to resolve the name to the public IP via Azure's public DNS servers, bypassing the private endpoint.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, assuming that enabling a service endpoint alone will redirect traffic to the private IP, when in fact DNS resolution must be explicitly configured via a private DNS zone.

1112
MCQeasy

A storage account should accept requests only from a specific virtual network subnet in Azure. The team does not want traffic to reach the public endpoint from the internet. What should the administrator configure?

A.Enable anonymous blob access
B.Add a storage network rule for the subnet or use a private endpoint
C.Move the container to the Archive tier
D.Assign the Contributor role to the subnet
AnswerB

Network rules can restrict access to allowed virtual network locations, and a private endpoint can place the service behind a private IP. Either approach supports controlled connectivity instead of internet exposure.

Why this answer

Option B is correct because Azure storage accounts can restrict access to specific virtual network subnets using service endpoints or private endpoints. A storage network rule for the subnet allows traffic only from that subnet, while a private endpoint maps the storage account to a private IP in the VNet, completely bypassing the public endpoint. This ensures no internet traffic reaches the public endpoint, meeting the requirement.

Exam trap

The trap here is that candidates often confuse network-level access controls (like service endpoints or private endpoints) with RBAC roles or storage tier changes, mistakenly thinking that assigning a role or changing a tier can restrict network traffic.

How to eliminate wrong answers

Option A is wrong because enabling anonymous blob access allows public read access to containers and blobs without authentication, which would allow internet traffic to reach the public endpoint, contrary to the requirement. Option C is wrong because moving a container to the Archive tier changes the storage tier for cost optimization, not access control; it does not restrict network access or block internet traffic. Option D is wrong because assigning the Contributor role to the subnet grants Azure RBAC permissions for management operations, not network-level access control; it does not restrict traffic to the public endpoint.

1113
MCQeasy

A team has 20 operators who need the same Reader access to one application resource group. You want to grant access and later revoke it by changing group membership instead of editing each user's permissions. What should you use for the role assignment?

A.Individual user accounts
B.An Entra ID security group
C.A management group
D.A resource lock
AnswerB

Assigning the role to an Entra ID security group is the best practice for shared access. You manage access by adding or removing users from the group, which is easier to maintain and less error-prone than changing many separate role assignments. This also supports least privilege and makes future access reviews simpler.

Why this answer

Using an Entra ID security group allows you to assign the Reader role to the group, then add or remove the 20 operators as members. This centralizes permission management: granting or revoking access is done by changing group membership rather than editing individual role assignments, which is more efficient and less error-prone.

Exam trap

The trap here is that candidates often confuse management groups (which control policy and cost across subscriptions) with security groups (which control RBAC access at a specific scope), leading them to pick Option C incorrectly.

How to eliminate wrong answers

Option A is wrong because assigning the Reader role to each individual user account would require editing each user's permissions to revoke access, which is exactly what the question wants to avoid. Option C is wrong because a management group is a container for managing multiple subscriptions and their policies/costs, not a mechanism for assigning roles to users within a single resource group. Option D is wrong because a resource lock prevents accidental deletion or modification of resources, not granting or revoking user access permissions.

1114
MCQmedium

A compliance team keeps signed contract scans in Azure Blob Storage. The files are usually read only a few times per year, but when a reviewer needs one, it must be available immediately without waiting for rehydration. Which access tier should the administrator use?

A.Hot, because it is optimized for frequent access and immediate retrieval.
B.Cool, because it is online and suited to infrequent access while remaining immediately readable.
C.Archive, because it is the lowest-cost option and can still be read instantly.
D.Cold, because it is designed for infrequently accessed data and remains online for immediate reads.
AnswerD

Cold is the best fit for data that is rarely read but must still be available immediately when needed. It keeps the blob online, unlike Archive, so there is no waiting for rehydration. This makes it suitable for compliance documents or records that are accessed occasionally but must open quickly during reviews.

Why this answer

The Cold access tier is designed for data that is infrequently accessed but must remain online and immediately readable without any rehydration delay. Since the compliance team needs instant access to contract scans when requested, Cold tier provides low-cost storage while keeping data online, unlike Archive which requires rehydration.

Exam trap

The trap here is that candidates often confuse 'lowest cost' (Archive) with 'immediate availability,' forgetting that Archive requires a rehydration process that can take hours, making it unsuitable for on-demand access.

How to eliminate wrong answers

Option A is wrong because Hot tier is optimized for frequent access (multiple times per month) and would incur higher storage costs for data read only a few times per year. Option B is wrong because Cool tier is suited for data accessed infrequently (about once per month) but has higher storage costs than Cold tier for this very low access pattern. Option C is wrong because Archive tier requires rehydration (taking up to 15 hours) to read data, violating the 'immediately available' requirement.

1115
MCQmedium

You have two virtual networks named VNet-Hub and VNet-Spoke1 in the same Azure region. Resources in the two VNets must communicate privately over the Microsoft backbone without using a VPN gateway. What should you configure?

A.VNet peering
B.A site-to-site VPN
C.A public load balancer
D.An NSG outbound deny rule
AnswerA

This is the direct and simplest solution for private VNet connectivity in Azure.

Why this answer

VNet peering enables direct, private connectivity between two virtual networks in the same Azure region using the Microsoft backbone infrastructure. It does not require a VPN gateway, public IP addresses, or any internet transit, making it the correct choice for private communication between VNet-Hub and VNet-Spoke1.

Exam trap

The trap here is that candidates often confuse VNet peering with VPN gateway-based solutions, assuming a VPN is required for private connectivity, but VNet peering directly meets the requirement without any gateway or public internet exposure.

How to eliminate wrong answers

Option B is wrong because a site-to-site VPN requires a VPN gateway in each VNet and tunnels traffic over the public internet, which violates the requirement to communicate privately over the Microsoft backbone without a VPN gateway. Option C is wrong because a public load balancer distributes inbound traffic from the internet to backend resources and does not provide private inter-VNet connectivity. Option D is wrong because an NSG outbound deny rule blocks all outbound traffic from a subnet or NIC, which would prevent any communication rather than enabling private connectivity.

1116
MCQmedium

A contractor is a member of an Entra security group that has the Contributor role on a resource group. When the contractor tries to deploy, the portal says the role is not active. The activation request requires approver approval, and the previous activation window has expired. What should the contractor do?

A.Wait for the role assignment to propagate to Azure.
B.Create a new security group and assign Contributor directly.
C.Sign out of the portal and sign back in only.
D.Activate the eligible role through Privileged Identity Management and obtain approval if required.
AnswerD

This matches the eligible assignment and the approval-based workflow described in the problem.

Why this answer

The contractor has an eligible role assignment that requires activation through Privileged Identity Management (PIM). Since the previous activation window has expired, the role is no longer active, and the contractor must initiate a new activation request, which may require approver approval. Option D correctly describes this process, as PIM is the Azure service designed for just-in-time access to privileged roles.

Exam trap

The trap here is that candidates confuse 'eligible' role assignments with 'active' assignments, assuming the role is permanently available when it actually requires manual activation through PIM.

How to eliminate wrong answers

Option A is wrong because role assignment propagation (which typically takes a few minutes) is not the issue; the role is eligible, not active, so propagation does not apply. Option B is wrong because creating a new security group and assigning Contributor directly bypasses the PIM activation requirement and would require administrative privileges the contractor likely does not have, and it does not address the need for approval. Option C is wrong because signing out and back in does not activate an eligible role; the role must be explicitly activated through PIM, and the portal session refresh does not change the role assignment status.

1117
MCQmedium

You need to allow or deny traffic to and from resources in an Azure subnet based on source IP address, destination port, and protocol. Which Azure feature should you use?

A.A network security group
B.A route table
C.A private DNS zone
D.Azure Advisor
AnswerA

NSGs are used to allow or deny network traffic by rule.

Why this answer

A network security group (NSG) is the correct Azure feature because it acts as a stateful, distributed firewall that filters traffic to and from Azure resources in a virtual network. NSGs contain security rules that allow or deny inbound and outbound traffic based on source/destination IP address, port, and protocol (TCP, UDP, or ICMP). This directly matches the requirement to control traffic based on source IP, destination port, and protocol.

Exam trap

The trap here is that candidates often confuse route tables (which control traffic paths) with NSGs (which control traffic permissions), especially when the question mentions 'allow or deny traffic'—route tables never deny traffic, they only redirect it.

How to eliminate wrong answers

Option B is wrong because a route table controls the next hop for network traffic (e.g., directing traffic through a firewall or VPN gateway) but does not filter traffic based on source IP, port, or protocol. Option C is wrong because a private DNS zone is used for custom domain name resolution within a virtual network, not for traffic filtering or access control. Option D is wrong because Azure Advisor provides recommendations for best practices in cost, security, reliability, and performance but does not enforce traffic rules or filter packets.

1118
MCQmedium

A web app currently accesses Azure Blob Storage by using the storage account key in a connection string. Security now requires blocking any new requests that use shared key authorization, while Microsoft Entra-based access must continue to work. Which storage account setting should the administrator change?

A.Set the storage account network access to selected networks only.
B.Disable shared key authorization on the storage account.
C.Rotate the account keys and leave all authentication methods enabled.
D.Enable object replication for the storage account.
AnswerB

Disabling shared key authorization blocks new requests that rely on the account key, while still allowing Microsoft Entra-based authentication paths. This is the correct control when the goal is to stop key-based access without disabling modern identity-based access.

Why this answer

Option B is correct because disabling shared key authorization on the storage account explicitly blocks all requests that use the storage account key (shared key) for authentication, while still allowing requests authenticated via Microsoft Entra ID (formerly Azure AD). This directly meets the security requirement to block new requests using shared key authorization without affecting Entra-based access.

Exam trap

The trap here is that candidates often confuse network-level restrictions (firewall/VNet) with authentication-level controls, mistakenly thinking that limiting network access (Option A) is equivalent to blocking shared key authorization, when in fact it only controls which IPs or VNets can reach the storage account, not how they authenticate.

How to eliminate wrong answers

Option A is wrong because setting the storage account network access to selected networks only restricts access based on IP address or virtual network, not authentication method; it would block all traffic from outside the selected networks, including Entra-authenticated requests, and does not specifically block shared key authorization. Option C is wrong because rotating the account keys and leaving all authentication methods enabled does not block shared key authorization; it only changes the keys, so new requests can still use the new keys, failing the requirement. Option D is wrong because enabling object replication for the storage account is used for asynchronous replication of blobs across regions for data redundancy or disaster recovery, and has no effect on authentication methods or blocking shared key authorization.

1119
MCQhard

A Windows VM runs an application that uploads files to a blob container every hour. Security forbids storing storage account keys or long-lived SAS tokens on the VM. The application must be able to write only to that container and nothing else. What should the administrator configure?

A.Store the storage account key in an environment variable on the VM
B.Create a service SAS with write permission on the storage account
C.Assign Storage Blob Data Contributor to the VM's managed identity at the container scope
D.Assign Contributor on the storage account to the VM's system-assigned identity
AnswerC

A managed identity avoids stored credentials, and the Storage Blob Data Contributor role grants blob read/write permissions without exposing account keys. Assigning it at the container scope keeps access limited to one container instead of the whole storage account. This is the least-privilege, Azure-native approach for an app that needs ongoing upload access.

Why this answer

Option C is correct because it uses Azure RBAC to grant the VM's managed identity the Storage Blob Data Contributor role at the container scope. This allows the application to write only to that specific container without requiring any storage account keys or SAS tokens on the VM, satisfying the security requirement. Managed identities provide an automatically managed service principal in Azure AD, enabling secure authentication to Azure services without storing credentials.

Exam trap

The trap here is that candidates often confuse the Contributor role (which grants management-plane access) with the Storage Blob Data Contributor role (which grants data-plane access), and fail to realize that scoping the role to the container level is necessary to restrict access to only that container.

How to eliminate wrong answers

Option A is wrong because storing the storage account key in an environment variable violates the security policy that forbids storing keys on the VM, and the key grants full access to the storage account, not just the container. Option B is wrong because a service SAS with write permission on the storage account would allow writing to any container within that account, not just the specific container, and the SAS token would still need to be stored on the VM, violating the security constraint. Option D is wrong because assigning the Contributor role at the storage account scope grants full management access to the storage account, including the ability to read and write to all containers and manage the account itself, which exceeds the required write-only access to a single container.

1120
Multi-Selecteasy

A team wants an Azure Storage account to be reachable only from one subnet, but they do not want to use a private endpoint. Which two configurations should they use? Select two.

Select 2 answers
A.Enable a Microsoft.Storage service endpoint on the subnet so the subnet can reach the storage service privately over the Azure backbone.
B.Add the subnet to the storage account's networking rules so only that subnet is allowed through the storage firewall.
C.Create a private endpoint and leave the firewall open to all networks so the subnet can be filtered later.
D.Assign Contributor on the storage account to the subnet, because Azure roles control which networks can connect.
E.Disable the public endpoint and rely on Internet routing, because that is the only way to limit access to one subnet.
AnswersA, B

A service endpoint extends the subnet's identity to the storage service without creating a private IP address.

Why this answer

Option A is correct because enabling a Microsoft.Storage service endpoint on the subnet extends the virtual network identity to the storage service, allowing traffic from that subnet to reach the storage account over the Azure backbone network without using a public IP. This ensures private connectivity from the subnet to the storage account while keeping the storage account's public endpoint enabled but restricted.

Exam trap

The trap here is that candidates confuse Azure RBAC roles (which control management access) with network-level access controls (firewall rules and service endpoints), leading them to incorrectly select option D.

1121
MCQeasy

Based on the exhibit, which deployment choice should the administrator use to keep the application available if one datacenter in the Azure region fails?

A.Place both VMs in the same availability set.
B.Deploy the VMs across separate availability zones.
C.Use a proximity placement group for both VMs.
D.Use a larger VM size for each virtual machine.
AnswerB

Availability zones place resources in physically separate datacenters within the region. If one datacenter fails, the other zone can continue serving traffic. This matches the requirement for surviving a single datacenter outage and is the preferred Azure design when zone support is available.

Why this answer

Availability zones are physically separate datacenters within an Azure region, each with independent power, cooling, and networking. Deploying VMs across separate availability zones ensures that if one datacenter fails, the application remains available in the other zone, providing resilience against datacenter-level failures.

Exam trap

The trap here is that candidates often confuse availability sets (which protect against rack failures) with availability zones (which protect against datacenter failures), leading them to incorrectly choose an availability set for datacenter-level resilience.

How to eliminate wrong answers

Option A is wrong because an availability set protects against rack-level failures within a single datacenter, not against a full datacenter failure. Option C is wrong because a proximity placement group is designed to reduce network latency by co-locating VMs, which actually increases the risk of simultaneous failure if the datacenter goes down. Option D is wrong because using a larger VM size does not provide any fault tolerance or redundancy; it only increases compute capacity, not availability.

1122
MCQmedium

An on-premises datacenter must reach private IP addresses in Azure over an encrypted site-to-site tunnel. The Azure VMs must not have public IP addresses, and the connection should use the company's existing edge device. Which Azure component should be deployed?

A.Azure Bastion
B.Azure VPN Gateway
C.Azure Route Server
D.A network security group with inbound allow rules
AnswerB

VPN Gateway terminates the encrypted site-to-site tunnel and enables private connectivity from on-premises to Azure VNets. It works with the on-premises edge device and allows access to Azure private IPs without assigning public IPs to the target VMs.

Why this answer

Azure VPN Gateway is the correct component because it provides an encrypted site-to-site IPsec/IKE tunnel between an on-premises network and Azure virtual networks. It supports policy-based or route-based VPNs, works with existing edge devices, and allows Azure VMs to remain without public IP addresses by routing traffic through the gateway's private IP space.

Exam trap

The trap here is confusing Azure Bastion (a secure access service) with a VPN gateway, because both involve 'secure connections' to Azure, but Bastion does not extend the on-premises network or support site-to-site tunneling.

How to eliminate wrong answers

Option A is wrong because Azure Bastion is a PaaS service that provides secure RDP/SSH access to VMs via the Azure portal over TLS, not a site-to-site VPN tunnel for private IP reachability. Option C is wrong because Azure Route Server is a managed service that enables dynamic route exchange between network virtual appliances (NVAs) and Azure virtual networks using BGP, but it does not terminate encrypted site-to-site tunnels. Option D is wrong because a network security group (NSG) is a stateful firewall that filters traffic at the subnet or NIC level with allow/deny rules; it cannot create or terminate encrypted VPN tunnels.

1123
MCQmedium

A support engineer must restart and view the properties of virtual machines only in RG-Dev. The engineer must not gain access to other resource groups in the subscription. What should the administrator do?

A.Assign the Reader role at the subscription scope and the Virtual Machine Contributor role at RG-Dev scope.
B.Assign the Virtual Machine Contributor role at the RG-Dev scope.
C.Assign the Contributor role at the RG-Dev scope.
D.Create a custom role at the subscription scope and assign it to the engineer.
AnswerB

This limits VM management permissions to the specific resource group and avoids broader subscription access.

Why this answer

Option B is correct because the Virtual Machine Contributor role at the RG-Dev scope grants the engineer the necessary permissions to restart and view properties of virtual machines within that resource group, while restricting access to other resource groups. This role includes actions like Microsoft.Compute/virtualMachines/start/action and Microsoft.Compute/virtualMachines/read, which cover the required tasks without granting broader management rights.

Exam trap

The trap here is that candidates often choose Option A, mistakenly thinking the Reader role at subscription scope is harmless, but it actually grants read access to all resources in the subscription, violating the explicit restriction to RG-Dev only.

How to eliminate wrong answers

Option A is wrong because assigning the Reader role at the subscription scope grants read access to all resources in the subscription, including other resource groups, violating the requirement to restrict access to RG-Dev only. Option C is wrong because the Contributor role at the RG-Dev scope includes write and delete permissions beyond what is needed (e.g., ability to delete resources), which is excessive and violates the principle of least privilege. Option D is wrong because creating a custom role at the subscription scope would apply permissions across the entire subscription, potentially granting access to other resource groups, and is unnecessary when a built-in role at the resource group scope suffices.

1124
MCQmedium

An administrator added an NSG rule named Allow-Admin-HTTPS with priority 250 to permit inbound TCP 443 from a single public IP. The NSG also contains a Deny-All-Inbound rule with priority 200. The administrator still cannot connect to the VM over HTTPS from the allowed IP. What should be changed to resolve the issue?

A.Change the allow rule priority to a number lower than 200.
B.Change the deny rule priority to 65000 so it is evaluated first.
C.Convert the allow rule to an outbound rule instead of inbound.
D.Replace the NSG with a route table so HTTPS can pass through the subnet.
AnswerA

NSG rules are evaluated in ascending priority order, so the lower number is processed first. Because Deny-All-Inbound at 200 is taking effect before the allow rule at 250, the connection is blocked. Moving the allow rule to a priority such as 150 ensures the specific HTTPS exception is matched before the broad deny rule.

Why this answer

The Deny-All-Inbound rule with priority 200 is evaluated before the Allow-Admin-HTTPS rule with priority 250 because NSG rules are processed in order of ascending priority (lower numbers are evaluated first). Since the deny rule matches all inbound traffic, it blocks the HTTPS connection before the allow rule can be evaluated. To resolve this, the allow rule must have a priority lower than 200 (e.g., 150) so it is evaluated first and permits the traffic from the specified public IP.

Exam trap

The trap here is that candidates often assume higher priority numbers mean higher precedence, but in Azure NSGs, lower priority numbers are evaluated first, so a deny rule with a lower number will block traffic before a higher-numbered allow rule can permit it.

How to eliminate wrong answers

Option B is wrong because changing the deny rule priority to 65000 would make it evaluated last, which would not block the traffic but would also not fix the issue since the allow rule at priority 250 is still evaluated after the deny rule at 200; the correct fix is to lower the allow rule's priority. Option C is wrong because the HTTPS connection is inbound to the VM, so an outbound rule would not affect incoming traffic; NSG rules are directional and must match the traffic flow. Option D is wrong because a route table controls traffic routing (next hop) and does not filter traffic; NSGs are stateful firewalls that permit or deny traffic, and replacing the NSG with a route table would remove all filtering, not selectively allow HTTPS.

1125
MCQeasy

Several Azure VMs need the same Azure identity so they can access a shared resource without storing passwords. The identity should be reusable across VMs and removable centrally. Which identity type should the administrator use?

A.System-assigned managed identity
B.User-assigned managed identity
C.Service principal with a client secret
D.Local administrator account
AnswerB

User-assigned identities can be attached to multiple resources and managed independently of the VMs.

Why this answer

A user-assigned managed identity is the correct choice because it is created as a standalone Azure resource, can be assigned to multiple VMs simultaneously, and can be centrally removed or updated without affecting the VMs themselves. This identity is reusable across VMs and eliminates the need to store passwords or secrets in code or configuration.

Exam trap

The trap here is that candidates often choose system-assigned managed identity because it is simpler to configure, but they overlook the requirement for the identity to be reusable across multiple VMs, which only user-assigned managed identities support.

How to eliminate wrong answers

Option A is wrong because a system-assigned managed identity is tied to a single VM and cannot be shared across multiple VMs; it is created and deleted with the VM. Option C is wrong because a service principal with a client secret requires storing and rotating the secret, which contradicts the requirement to avoid storing passwords. Option D is wrong because a local administrator account is VM-specific, not reusable across VMs, and requires password management, violating the no-password-storage requirement.

Page 14

Page 15 of 16

Page 16