AZ-104 — Questions 1126–1170

1170 questions total · 16 pages · All types, answers revealed


Page 16 of 16

1126 · Multi-Select · hard

A data disk on VM-Data01 was corrupted after a bad patch, and you already have a snapshot taken last night. The OS disk should remain unchanged. Which two actions should you take to restore only the data disk? Select two.

Select 2 answers
A. Create a managed disk from the snapshot.
B. Attach the restored managed disk to VM-Data01.
C. Redeploy the VM and expect the data disk to revert automatically.
D. Generalize the VM and redeploy it from the snapshot.
E. Replace the snapshot with the current data disk to roll back the VM.
Answers: A, B

A snapshot is not directly attached to a VM. You must first create a managed disk from the snapshot so Azure can present it as an attachable storage object.

Why this answer

Option A is correct because a snapshot is a point-in-time copy of a disk that can be used to create a new managed disk. Since you have a snapshot of the corrupted data disk from last night, creating a managed disk from that snapshot restores the data to its state at the time of the snapshot, leaving the OS disk untouched. Option B completes the restore: attaching the new managed disk to VM-Data01 returns the recovered data to the VM while the OS disk stays exactly as it was.

Exam trap

The trap here is that candidates may confuse redeploying a VM (which only moves the VM to a new host) with restoring disk data, or mistakenly think a snapshot can be directly attached to a VM without first creating a managed disk.

1127 · MCQ · hard

A finance team wants every resource created in one production resource group to carry CostCenter=PRD automatically. They do not want deployments blocked if a team forgets the tag, but they do want existing resources and future resources in that resource group to converge on the correct tag value. What should the administrator configure?

A. Apply a CanNotDelete lock to the production resource group.
B. Assign a modify policy for CostCenter=PRD at the production resource group scope and create a remediation task.
C. Assign Contributor on the subscription and require teams to enter the tag manually.
D. Set the tag on the management group and expect all resources to inherit it automatically.
Answer: B

A modify policy can add or correct the tag without blocking deployment, which matches the business requirement. Assigning it at the resource-group scope limits the effect to only that production workload, and remediation updates existing resources so both old and new items converge on the same tag value.

Why this answer

Option B is correct because Azure Policy with a 'modify' effect can automatically add or correct the CostCenter tag on resources within the specified scope. By assigning the policy at the production resource group scope and creating a remediation task, the policy will audit existing resources and, via a managed identity, apply the tag value to non-compliant resources without blocking deployment. This satisfies the requirement for automatic convergence without preventing creation if the tag is missing.

Exam trap

The trap here is confusing Azure Policy's 'modify' effect (which corrects the tag without blocking deployment and can remediate existing resources) with the 'deny' effect (which blocks non-compliant deployments) or the 'append' effect (which adds the tag at creation time but does not remediate existing resources), or assuming that tags on management groups automatically propagate to resources, which they do not.

How to eliminate wrong answers

Option A is wrong because a CanNotDelete lock prevents resource deletion but does not enforce or add tags; it does not address the requirement for automatic tag convergence. Option C is wrong because assigning Contributor at the subscription level grants broad permissions but does not automatically apply tags; it relies on manual entry, which contradicts the 'automatically' requirement and does not ensure convergence. Option D is wrong because tags set on a management group are not inherited by resources; Azure Policy or Azure Resource Manager templates are required for inheritance, and tags on management groups only apply to the management group itself, not to child subscriptions or resource groups.

1128 · Multi-Select · easy

Which two statements about network security group processing are correct? Select two.

Select 2 answers
A. NSG rules are evaluated starting with the lowest priority number.
B. An NSG can be linked only to a subnet, not to a network interface card.
C. A deny rule with a lower number can block traffic even if an allow rule exists later.
D. Azure ignores NSG rules whenever a route table is attached to the subnet.
E. Security rules are processed alphabetically by name.
Answers: A, C

Correct because Azure processes NSG rules in ascending priority order, so smaller numbers are checked first.

Why this answer

Option A is correct because NSG rules are processed in order of increasing priority number, meaning the rule with the lowest priority number (e.g., 100) is evaluated first. This ensures that more specific or critical rules can be applied before broader rules with higher priority numbers. Option C is correct because evaluation stops at the first rule that matches the traffic, so a deny rule with a lower priority number blocks the flow before any allow rule with a higher number is ever considered.

Exam trap

The trap here is that candidates often confuse NSG rule processing order with alphabetical or sequential naming, or mistakenly believe NSGs cannot be applied to NICs, leading them to select options B or E instead of the correct priority-based evaluation logic.

1129 · MCQ · hard

Your application stores regulatory records in Azure Blob Storage. The records must remain in a write-once-read-many state for four years and must not be altered or deleted during that time. What should you configure?

A. Blob soft delete
B. Immutable blob storage with a time-based retention policy
C. Lifecycle management to move data to Archive
D. A shared access signature
Answer: B

This enforces WORM protection for the required period.

Why this answer

Immutable blob storage with a time-based retention policy enforces a write-once-read-many (WORM) state, ensuring that blobs cannot be modified or deleted for a specified duration. This directly meets the regulatory requirement of four-year retention without alteration or deletion, as the policy locks the data at the container level and prevents any changes until the retention period expires.

Exam trap

The trap here is that candidates often confuse soft delete (which only protects against deletion) with immutable storage (which prevents both modification and deletion), leading them to choose blob soft delete when the question explicitly requires a write-once-read-many state.

How to eliminate wrong answers

Option A is wrong because blob soft delete provides protection against accidental deletion by retaining deleted blobs for a configurable period, but it does not prevent modification or enforce a WORM state; blobs can still be overwritten or altered before deletion. Option C is wrong because lifecycle management moves blobs to different tiers (e.g., Archive) based on age or conditions, but it does not prevent modification or deletion of the data; blobs in Archive can still be deleted or overwritten unless additional protection is applied. Option D is wrong because a shared access signature (SAS) grants delegated access to blobs with specific permissions (e.g., read, write) but does not enforce immutability; a SAS with write permissions would allow modification, and it cannot prevent deletion or alteration by authorized users.

1130 · Multi-Select · hard

A build pipeline needs to run a Linux container for about 15 minutes whenever a request arrives. The job never needs inbound traffic, clustering, or persistent node management. A second workload is a public web app that needs built-in TLS, deployment slots, and autoscale. Which two Azure compute services should the administrator choose? Select two.

Select 2 answers
A. Azure Container Instances
B. Azure App Service
C. Azure Kubernetes Service
D. Azure Virtual Machines
E. Azure Functions
Answers: A, B

This is a serverless container host that fits short-lived, on-demand container jobs.

Why this answer

Azure Container Instances (ACI) is the correct choice for the first workload because it allows you to run a Linux container on demand without managing any underlying infrastructure, and it supports a 15-minute execution time perfectly with its per-second billing and no requirement for persistent nodes or inbound traffic. Azure App Service is correct for the second workload because it natively provides built-in TLS/SSL termination, deployment slots for staging and swapping, and autoscale capabilities out of the box, making it ideal for a public web app.

Exam trap

The trap here is that candidates often choose Azure Kubernetes Service for any container workload, overlooking that ACI is simpler and cheaper for ephemeral, single-container tasks, and they may also pick Azure Functions for the web app without realizing it lacks native deployment slots and built-in TLS management compared to App Service.

1131 · MCQ · easy

A contractor needs temporary access to upload files into one Azure Blob container for six hours. The administrator does not want to share the storage account key. What should the administrator create?

A. A shared access signature scoped to the container and expiration time
B. A new storage account access key
C. A management group assignment
D. A private endpoint for the contractor
Answer: A

A SAS can grant limited, time-bound access to a specific resource such as one container, without exposing the storage account key.

Why this answer

A shared access signature (SAS) scoped to the container provides time-limited, delegated access to specific operations (e.g., upload) without exposing the storage account key. By setting an expiration time of six hours, the administrator ensures the contractor can upload files only during that window, after which the token becomes invalid. This meets the requirement for temporary, secure access.

Exam trap

The trap here is that candidates may confuse a SAS with a storage account key, thinking any shared credential is unsafe, or mistakenly choose a private endpoint as a security solution for access control rather than network isolation.

How to eliminate wrong answers

Option B is wrong because creating a new storage account access key grants full administrative access to the entire storage account, not just the container, and cannot be scoped to a specific time window or operation. Option C is wrong because a management group assignment controls Azure RBAC permissions across subscriptions, not granular access to a single blob container. Option D is wrong because a private endpoint secures network connectivity to the storage account via a private IP, but does not provide authentication or authorization for the contractor to upload files.

1132 · MCQ · medium

Based on the exhibit, which Network Watcher tool should you use to determine whether an NSG allows or denies TCP 1433 traffic and which rule is responsible?

A. IP flow verify
B. Connection troubleshoot
C. Packet capture
D. Next hop
Answer: A

IP flow verify is built to test a specific source, destination, protocol, and port against NSG rules.

Why this answer

IP flow verify tests a specific source/destination IP, port, and protocol (TCP 1433) against the effective NSG rules to report whether traffic is allowed or denied, and it identifies the exact NSG rule (name and priority) responsible for that decision. This makes it the correct tool for determining NSG rule impact on a specific traffic flow.

Exam trap

The trap here is that candidates confuse 'Connection troubleshoot' (which tests end-to-end connectivity) with 'IP flow verify' (which specifically tests NSG rule evaluation), leading them to pick B because they think connectivity checks include rule analysis.

How to eliminate wrong answers

Option B (Connection troubleshoot) is wrong because it checks end-to-end connectivity (including routing and latency) but does not identify which specific NSG rule allows or denies traffic; it only reports connectivity success or failure. Option C (Packet capture) is wrong because it captures raw network packets for deep inspection but does not map packets to NSG rules or provide a rule-level allow/deny verdict. Option D (Next hop) is wrong because it identifies the next hop IP address and route type for a packet but does not evaluate NSG rules at all.

1133 · MCQ · medium

A shared resource group contains a VPN gateway and several virtual machines used by the finance department. Administrators must still be able to resize the VMs and update NSG rules, but no one should be able to delete the resource group or anything in it during the quarter-end freeze. Which lock should be applied?

A. ReadOnly lock on the resource group
B. CanNotDelete lock on the resource group
C. Management group lock on the subscription
D. Azure Policy deny effect on the resource group
Answer: B

This prevents deletion while still permitting the changes that are explicitly allowed, such as resizing VMs and updating configuration.

Why this answer

The CanNotDelete lock (option B) prevents deletion of the resource group and all resources within it, while still allowing read and update operations such as resizing VMs and modifying NSG rules. This meets the requirement to block deletions during the quarter-end freeze without hindering administrative changes. ReadOnly locks would block all write operations, including resizing and NSG rule updates, which is not desired.

Exam trap

The trap here is that candidates often confuse ReadOnly locks with CanNotDelete locks, assuming that blocking all writes is necessary to prevent deletions, but ReadOnly locks also block updates like VM resizing and NSG rule changes, which are explicitly allowed in the requirement.

How to eliminate wrong answers

Option A is wrong because a ReadOnly lock blocks all write operations, including resizing VMs and updating NSG rules, which violates the requirement that administrators must still be able to perform these actions. Option C is wrong because a management group lock on the subscription would apply to all resource groups under that management group, which is overly broad and not scoped to just the shared resource group; it could also inadvertently affect other teams. Option D is wrong because an Azure Policy deny effect can block specific actions based on conditions, but it requires policy definition and assignment, and it does not provide a simple, blanket deletion prevention like a lock; it is also more complex to configure and maintain for a temporary freeze.

1134 · MCQ · medium

A storage account must be reachable only from resources in a specific Azure subnet, and connections must not use the public endpoint. Which option should the administrator configure?

A. A service endpoint on the subnet, because it keeps traffic on the Azure backbone.
B. A private endpoint for the storage account in the subnet.
C. A NAT gateway attached to the subnet.
D. A storage firewall rule that allows all Azure services.
Answer: B

A private endpoint assigns the storage service a private IP address inside the selected virtual network subnet. Traffic then stays on private addressing instead of using the public endpoint, which is exactly what the requirement asks for. This also allows the administrator to restrict access to approved network locations while improving the security posture of the storage account.

Why this answer

A private endpoint assigns the storage account a private IP address from the subnet, effectively bringing the service into the virtual network. This ensures all traffic to the storage account stays within the Microsoft Azure backbone and never traverses the public internet, meeting the requirement that connections must not use the public endpoint.

Exam trap

The trap here is that candidates confuse service endpoints with private endpoints, assuming both provide the same level of isolation, but service endpoints still expose the public endpoint and do not give a private IP address.

How to eliminate wrong answers

Option A is wrong because a service endpoint does not assign a private IP to the storage account; it only extends the VNet identity to the service, and traffic still reaches the public endpoint of the storage account (though it stays on the Azure backbone). Option C is wrong because a NAT gateway provides outbound internet connectivity for resources in the subnet, not inbound private connectivity to a storage account. Option D is wrong because a storage firewall rule that allows all Azure services permits connections from any Azure region's public IP ranges, not only from the specific subnet, and still uses the public endpoint.

1135 · MCQ · hard

A platform team wants to investigate incidents involving Azure VM performance, storage failures, and subscription-level changes in one place. They want to minimize Log Analytics ingestion cost. Which telemetry approach should they use?

A. Enable full guest-level logging on every VM, send all storage logs to the workspace, and add all activity logs from every subscription
B. Use metric alerts only and avoid Log Analytics because metrics are always cheaper than logs
C. Send only the required platform diagnostic logs and Activity logs to one Log Analytics workspace, and use metric alerts for threshold-based signals
D. Export all telemetry to a storage account and query it manually when an incident occurs
Answer: C

This balances cost and troubleshooting value by collecting only the telemetry needed for investigation while using metrics for simple threshold monitoring.

Why this answer

Option C is correct because it balances the need for centralized incident investigation with cost control. By sending only required platform diagnostic logs (e.g., from Azure Storage and VM metrics) and Activity logs to a single Log Analytics workspace, the team avoids unnecessary ingestion of verbose guest-level logs. Metric alerts provide threshold-based signals without log ingestion costs, enabling efficient monitoring of performance and failures.

Exam trap

The trap here is that candidates may think full logging (Option A) is necessary for comprehensive investigation, overlooking the cost implications of ingesting verbose guest-level logs, or assume metrics alone (Option B) can replace logs for incident root cause analysis.

How to eliminate wrong answers

Option A is wrong because enabling full guest-level logging on every VM and sending all storage logs to the workspace would incur high Log Analytics ingestion costs, contradicting the goal to minimize cost. Option B is wrong because metric alerts alone cannot capture detailed incident context (e.g., storage failure logs or subscription-level changes) that require log-based analysis; metrics are cheaper but insufficient for comprehensive investigation. Option D is wrong because exporting all telemetry to a storage account and querying it manually is inefficient for real-time incident investigation and lacks the integrated querying and alerting capabilities of Log Analytics, increasing operational overhead.

1136 · MCQ · medium

You need to allow SSH access to only one Linux VM in a subnet that contains several application servers. The other VMs in the subnet must remain inaccessible from the internet. What is the best configuration?

A. Add an inbound allow rule on the subnet NSG for TCP 22 from your admin IP address.
B. Associate an NSG with the target VM's NIC and add an inbound allow rule for TCP 22 from your admin IP.
C. Create a public load balancer in front of the subnet and forward port 22 to the VM.
D. Enable a service endpoint on the subnet so SSH traffic is limited to that VM.
Answer: B

A NIC-level NSG can restrict access to a single VM without opening SSH for the rest of the subnet.

Why this answer

Option B is correct because Network Security Groups (NSGs) can be associated at the subnet or NIC level. By associating an NSG directly with the target VM's NIC and adding an inbound allow rule for TCP port 22 from your admin IP address, you restrict SSH access exclusively to that VM while leaving the other VMs in the subnet unaffected by the rule. This provides granular, host-level security without impacting the broader subnet traffic.

Exam trap

The trap here is that candidates often assume subnet-level NSG rules are sufficient for granular control, but they fail to recognize that a subnet NSG applies to all VMs in that subnet, whereas a NIC-level NSG provides per-VM isolation.

How to eliminate wrong answers

Option A is wrong because adding an inbound allow rule on the subnet NSG for TCP 22 from your admin IP address would allow SSH access to all VMs in the subnet, not just the target Linux VM, violating the requirement that other VMs remain inaccessible from the internet. Option C is wrong because creating a public load balancer and forwarding port 22 to the VM would expose the VM to internet traffic through the load balancer, but it does not inherently block SSH access to other VMs; additionally, load balancers are designed for distributing traffic across multiple VMs, not for restricting access to a single VM. Option D is wrong because service endpoints are used to secure Azure service resources (e.g., Azure Storage, SQL Database) to a virtual network, not to restrict SSH traffic to a specific VM; they do not filter inbound internet traffic to VMs.

1137 · MCQ · medium

An administrator is deploying an Azure VPN gateway for a site-to-site connection. The deployment fails because required network resources are missing. Which configuration is required before the gateway can be created?

A. A subnet named GatewaySubnet and a public IP address for the VPN gateway.
B. A subnet named AzureBastionSubnet and a static private IP address.
C. A network security group attached directly to the virtual network gateway.
D. A load balancer with a public frontend to terminate the VPN connection.
Answer: A

Azure VPN gateways require a dedicated GatewaySubnet and a public IP for external reachability.

Why this answer

A VPN gateway in Azure requires a dedicated subnet named 'GatewaySubnet' to host the gateway instances, and a public IP address resource must be allocated to the gateway to establish the site-to-site VPN tunnel over the internet. Without these two prerequisites, the deployment will fail because the gateway cannot be provisioned or addressed externally.

Exam trap

The trap here is that candidates often confuse the required subnet name 'GatewaySubnet' with other special subnets like 'AzureBastionSubnet' or 'AzureFirewallSubnet', leading them to select an incorrect option that seems plausible but serves a different purpose.

How to eliminate wrong answers

Option B is wrong because 'AzureBastionSubnet' is used for Azure Bastion, not for a VPN gateway; the VPN gateway requires a subnet named 'GatewaySubnet' with a specific address range. Option C is wrong because a network security group (NSG) cannot be attached directly to a virtual network gateway; NSGs are applied to subnets or network interfaces, and attaching one to the gateway subnet can interfere with gateway traffic. Option D is wrong because a load balancer is not required for a VPN gateway; the VPN gateway itself handles tunnel termination and does not use a load balancer for site-to-site connections.

1138 · MCQ · hard

A VM named VM1 cannot establish TCP 1433 connectivity to VM2. The administrator wants to test the exact flow, confirm whether an NSG allows or denies it, and identify the rule that applies if the flow is blocked. Which Network Watcher tool should be used?

A. Effective routes, because it shows the exact NSG rule name for blocked traffic.
B. IP flow verify, because it evaluates the 5-tuple and reports the matching allow or deny rule.
C. Packet capture, because it automatically tells you which NSG rule denied the traffic.
D. Connection troubleshoot, because it only checks DNS name resolution.
Answer: B

IP flow verify is designed to test a specific source, destination, protocol, and port combination against NSG rules. It returns whether the flow is allowed or denied and identifies the rule that matched, which makes it the right tool when you need to prove whether TCP 1433 is blocked and why.

Why this answer

IP flow verify is the correct tool because it evaluates the 5-tuple (source IP, destination IP, source port, destination port, and protocol) against the effective Network Security Group (NSG) rules for a given virtual machine network interface. It explicitly reports whether the traffic is allowed or denied and, if denied, identifies the exact NSG rule (name and priority) that caused the denial. This directly meets the administrator's requirement to test the exact flow and identify the blocking rule.

Exam trap

The trap here is that candidates often confuse 'Connection troubleshoot' (which tests end-to-end connectivity and can indicate a block) with 'IP flow verify' (which explicitly identifies the exact NSG rule name that caused the denial), leading them to choose the less precise tool.

How to eliminate wrong answers

Option A is wrong because Effective routes show the learned routes (next hop types) for a VM, not NSG rule evaluation; they do not report NSG rule names for blocked traffic. Option C is wrong because Packet capture captures raw network packets for analysis but does not automatically interpret or report which NSG rule denied traffic; it requires manual inspection of the capture. Option D is wrong because Connection troubleshoot checks TCP connectivity and can identify issues like NSG blocking, but it does not explicitly report the exact NSG rule name that denied the traffic; IP flow verify is more precise for rule-level identification.

1139 · MCQ · hard

A VM in VNet B can reach a blob storage account through a private endpoint that was created in peered VNet A. The storage FQDN still resolves to the public IP when queried from VNet B, so the VM does not use the private path. What should the administrator change?

A. Add a service endpoint for Microsoft.Storage to VNet B
B. Link the private DNS zone used by the private endpoint to VNet B
C. Disable the storage account firewall completely
D. Move the storage account into VNet B
Answer: B

Private endpoint connectivity depends on DNS resolution returning the private IP address. In a peered virtual network, the DNS zone for the private endpoint must be linked so clients in VNet B resolve the storage name to the private address instead of the public one. Once that DNS path is corrected, traffic follows the private endpoint.

Why this answer

The private endpoint in VNet A creates a private IP for the storage account, but DNS resolution in VNet B still returns the public IP because the private DNS zone (privatelink.blob.core.windows.net) is not linked to VNet B. By linking the private DNS zone to VNet B, the VM will resolve the storage FQDN to the private IP, ensuring traffic uses the private endpoint path through the VNet peering.

Exam trap

The trap here is that candidates assume VNet peering automatically extends DNS resolution for private endpoints, but in reality, private DNS zones must be explicitly linked to each peered VNet to enable private IP resolution.

How to eliminate wrong answers

Option A is wrong because a service endpoint provides access to the storage account via its public IP over the Microsoft backbone, not a private IP, and does not change DNS resolution to use the private endpoint. Option C is wrong because disabling the storage account firewall would allow public internet access but does not force the VM to use the private endpoint path; DNS would still resolve to the public IP. Option D is wrong because moving the storage account into VNet B is unnecessary and would not resolve the DNS resolution issue; the private endpoint already exists in peered VNet A, and the correct fix is to link the private DNS zone to VNet B.

1140 · MCQ · easy

Based on the exhibit, where should the administrator go next to review the failed backup job details?

A. Backup policy, because it shows the retention and schedule configuration.
B. Backup items, because it lists protected resources and recovery points.
C. Jobs, because it contains the backup job status and error details.
D. Properties, because it contains the general vault settings.
Answer: C

The Jobs blade is where Azure Backup records job execution results, including success, failure, and error details. That makes it the correct next place to investigate the failed backup job shown in the exhibit.

Why this answer

The Jobs blade in Azure Backup is the central location for reviewing the status, progress, and detailed error messages of all backup jobs, including failed ones. It provides a filtered view of backup, restore, and other operations, allowing the administrator to drill into specific job failures to see error codes and recommended actions.

Exam trap

The trap here is that candidates confuse the location of configuration data (policies, properties) with operational data (job status), leading them to select Backup policy or Properties instead of Jobs.

How to eliminate wrong answers

Option A is wrong because the Backup policy blade only shows retention rules and backup schedule configuration, not the execution results or error details of individual jobs. Option B is wrong because Backup items lists protected resources and their recovery points, but does not display job-level status or failure details. Option D is wrong because Properties contains general vault settings such as encryption and soft-delete configuration, not operational job history.

1141 · Multi-Select · medium

A department has 10 subscriptions and wants the same two governance rules applied to all current and future subscriptions. One rule audits missing tags, and the other denies unapproved locations. Which two actions should the administrator take? Select two.

Select 2 answers
A. Create an Azure Policy initiative that contains both policy definitions.
B. Assign the initiative at the management group scope.
C. Assign each policy only to one resource group.
D. Use Azure RBAC instead of Policy for both requirements.
E. Create a read-only lock on each subscription.
Answers: A, B

An initiative groups multiple related policies into a single package, which makes it easier to manage the department's governance rules together.

Why this answer

Azure Policy Initiative allows grouping multiple policy definitions (like audit for missing tags and deny for unapproved locations) into a single set for coordinated enforcement. Assigning the initiative at the management group scope ensures it applies to all current and future subscriptions under that management group, meeting the requirement for consistent governance across all 10 subscriptions and any new ones added later.

Exam trap

The trap here is that candidates often confuse Azure Policy with Azure RBAC or resource locks, thinking they can enforce governance rules through permissions or protection mechanisms, when Policy is the only service that audits and denies resource configurations based on rules.

1142 · MCQ · easy

A central audit team needs Reader access on every current and future subscription under the company hierarchy. Which scope should you use for the role assignment?

A. Management group scope
B. Subscription scope
C. Resource group scope
D. Resource scope
Answer: A

A management group lets the role inherit to all child subscriptions now and later.

Why this answer

A management group scope allows role assignments to be inherited by all subscriptions and resource groups within that management group hierarchy. By assigning the Reader role at the management group level, the central audit team automatically gains read access to every current subscription and any future subscription added under that management group, ensuring consistent governance without manual updates.

Exam trap

The trap here is that candidates often default to subscription scope because they think of subscriptions as the primary boundary for access control, overlooking that management groups provide a broader, hierarchical inheritance that automatically covers future subscriptions.

How to eliminate wrong answers

Option B is wrong because assigning the Reader role at the subscription scope would only grant access to that specific subscription; any new subscriptions created under the hierarchy would not inherit the assignment, requiring manual reconfiguration. Option C is wrong because a resource group scope limits the role assignment to a single resource group, failing to cover multiple subscriptions or future resources. Option D is wrong because a resource scope applies only to a specific Azure resource (e.g., a VM or storage account), providing no access to other resources, subscriptions, or future deployments.

1143
MCQ · hard

A company uses Azure Blob Storage for legal documents. The documents must not be modified or deleted for seven years after upload, even by administrators. What should you configure?

A. Blob soft delete
B. Immutable blob storage with a time-based retention policy
C. Lifecycle management to move blobs to Archive
D. Blob versioning
Answer: B

Immutable storage enforces WORM protection for the required retention period.

Why this answer

Immutable blob storage with a time-based retention policy (WORM – Write Once, Read Many) ensures that blobs cannot be modified or deleted for a specified retention period, even by administrators. This is the only Azure storage feature that provides legal hold or regulatory compliance for fixed records, such as legal documents that must remain unaltered for seven years.

Exam trap

The trap here is that candidates often confuse soft delete or versioning with immutable storage, not realizing that only a time-based retention policy (WORM) provides the strict, administrator-proof immutability required for regulatory compliance.

How to eliminate wrong answers

Option A is wrong because blob soft delete only protects against accidental deletion by retaining deleted blobs for a configurable period, but it does not prevent modification or deletion by administrators during the retention period. Option C is wrong because lifecycle management moves blobs between tiers (e.g., to Archive) based on age or conditions, but it does not prevent modification or deletion of the blobs themselves. Option D is wrong because blob versioning preserves previous versions of a blob when overwritten or deleted, but it does not prevent administrators from modifying or deleting the current version or any version during the retention period.

1144
MCQ · easy

A healthcare application stores files that must be protected against a single datacenter outage in the region. The team does not need a secondary region for read access, and they want the simplest resilient option. Which storage redundancy should they choose?

A. Locally redundant storage (LRS)
B. Zone-redundant storage (ZRS)
C. Geo-zone-redundant storage (GZRS)
D. Read-access geo-redundant storage (RA-GRS)
Answer: B

ZRS stores copies across multiple zones in the region, which helps the data survive a datacenter or zone-level outage without needing another region.

Why this answer

Zone-redundant storage (ZRS) replicates data synchronously across three Azure availability zones within a single region, protecting against a complete datacenter outage without requiring a secondary region. This meets the requirement for the simplest resilient option that guards against a single datacenter failure while avoiding the complexity and cost of geo-replication.

Exam trap

The trap here is that candidates often confuse 'protecting against a single datacenter outage' with needing geo-redundancy, but ZRS within a region is sufficient and simpler when no secondary region read access is required.

How to eliminate wrong answers

Option A is wrong because locally redundant storage (LRS) replicates data only within a single datacenter (three copies in one physical location), so a full datacenter outage would cause data loss. Option C is wrong because geo-zone-redundant storage (GZRS) adds geo-replication to a secondary region, which is unnecessary complexity and cost since the team does not need a secondary region for read access. Option D is wrong because read-access geo-redundant storage (RA-GRS) replicates to a secondary region and provides read access there, which is overkill and more complex than the simple zone-level protection required.

1145
MCQ · easy

A blob was moved to the Archive tier last month. A user now needs to open the file within a few hours. What should the administrator do first?

A. Download the blob directly from the Archive tier
B. Change the blob to Hot or Cool and wait for rehydration to complete
C. Create a snapshot of the blob and open the snapshot instead
D. Enable versioning on the storage account
Answer: B

Archive data must be rehydrated back to an online tier such as Hot or Cool before it can be read again.

Why this answer

Blobs in the Archive tier are offline and cannot be read directly. To access the data, you must first change the blob's access tier to Hot or Cool, which initiates a rehydration process that makes the blob available for reading. Since the user needs the file within a few hours, rehydration typically completes within that timeframe (up to 15 hours for Archive to Cool/Hot).

Exam trap

The trap here is that candidates assume the Archive tier is readable like Cool or Hot, or that snapshots or versioning bypass the rehydration requirement, but Azure explicitly blocks direct access to archived blobs until they are rehydrated.

How to eliminate wrong answers

Option A is wrong because blobs in the Archive tier are offline and cannot be downloaded directly; attempting to do so results in an error (e.g., HTTP 409 or 'Blob is in Archive tier'). Option C is wrong because creating a snapshot of an archived blob does not make the data accessible; the snapshot inherits the same Archive tier and remains offline until rehydrated. Option D is wrong because enabling versioning does not change the access tier of existing blobs; it only creates new versions on writes, and archived versions would still require rehydration to read.

1146
MCQ · medium

A backup job from an Azure service must write to a storage account that has the network firewall set to deny all public traffic. The team does not want to create a private endpoint for this workload. What should the administrator enable?

A. Allow trusted Microsoft services to access the storage account
B. Add the backup server's public IP address to the storage firewall
C. Create a service endpoint on the subnet that hosts the backup job
D. Disable the storage account firewall temporarily during each backup window
Answer: A

Allowing trusted Microsoft services is the correct choice when a supported Azure platform service needs to reach the storage account without opening the firewall broadly. It permits specific Microsoft-managed services to bypass the network restriction while keeping public traffic denied. This is appropriate when the workload is an Azure service rather than a customer VM or subnet.

Why this answer

Option A is correct because Azure Storage firewalls include a special exception for 'Allow trusted Microsoft services to access this storage account'. When enabled, this exception permits Azure platform services—such as Azure Backup—to bypass the public network deny rule and write to the storage account without requiring a private endpoint. This works because the backup service runs on Microsoft-owned infrastructure that is authenticated and authorized at the control plane level, not via a public IP.

Exam trap

The trap here is that candidates often confuse 'Allow trusted Microsoft services' with a generic security bypass, not realizing it is a specific, documented exception designed for Azure platform services like Backup, Log Analytics, and Azure Site Recovery.

How to eliminate wrong answers

Option B is wrong because the backup job is an Azure platform service, not a specific server with a public IP; adding a public IP would not cover the dynamic, internal source addresses used by the service. Option C is wrong because a service endpoint would require the backup job's source subnet to be explicitly configured, and the backup service does not run in a customer subnet—it runs in a Microsoft-managed environment. Option D is wrong because disabling the firewall temporarily is a manual, insecure workaround that violates the requirement to keep the firewall enabled and introduces operational risk and potential data exposure.

1147
MCQ · medium

A legal department stores project video assets in Azure Blob Storage. The files are reviewed only during quarterly audits, but when someone needs a file it must open immediately without waiting for rehydration. Which access tier should the administrator use for the blobs?

A. Hot, because it is optimized for frequent access and always costs the least to retrieve.
B. Cool, because it is for infrequent access while still keeping blobs online and immediately available.
C. Archive, because it is the cheapest choice for data that is rarely used and can be restored instantly.
D. Premium, because it is intended for workload bursts and gives the best long-term storage economics.
Answer: B

Cool tier is meant for infrequently accessed data that still needs to remain online. It avoids archive rehydration delays, so users can open the file immediately during quarterly audits.

Why this answer

The Cool access tier is designed for data that is infrequently accessed but must remain immediately available (online) without any rehydration delay. Since the legal department needs instant access during quarterly audits, Cool meets the requirement of low retrieval cost while keeping blobs online, unlike Archive which requires hours-long rehydration.

Exam trap

The trap here is that candidates often choose Archive thinking it is the cheapest for rarely used data, forgetting that Archive blobs are offline and require significant rehydration time, which contradicts the 'immediately available' requirement in the question.

How to eliminate wrong answers

Option A is wrong because Hot is optimized for frequent access and has higher storage costs than Cool, making it uneconomical for data accessed only quarterly. Option C is wrong because Archive is the cheapest for rarely accessed data but requires rehydration (taking up to 15 hours) before blobs are available, violating the 'immediately available' requirement. Option D is wrong because Premium is a block blob tier for low-latency, high-frequency workloads (e.g., IoT) and has the highest storage cost, not suitable for long-term, infrequent access.

1148
Multi-Select · medium

An administrator wants to let a help desk group start, stop, and restart virtual machines in one resource group, but the group must not be able to delete the VMs or any other resource in the group. Which two actions should the administrator take? Select two.

Select 2 answers
A. Create a custom RBAC role with only VM start, stop, restart, and read actions.
B. Assign the custom role to the help desk group at the resource group scope.
C. Assign Virtual Machine Contributor to the help desk group.
D. Apply a CanNotDelete lock to the resource group.
E. Use Azure Policy to block VM deletion and leave RBAC unchanged.
Answers: A, B

A custom role is required because the built-in roles are broader than the help desk's task. Limiting the actions keeps the permission set aligned with the actual operational need.

Why this answer

Option A is correct because creating a custom RBAC role with only VM start, stop, restart, and read actions ensures the help desk group can perform only those specific operations without any delete permissions. This role must be assigned at the resource group scope (Option B) to limit its effect to that resource group, preventing the group from modifying or deleting resources in other scopes. Together, these two actions fulfill the requirement precisely.

Exam trap

The trap here is that candidates often choose Virtual Machine Contributor (Option C) thinking it provides only VM management, but it actually includes delete permissions and broader resource control, or they incorrectly combine a CanNotDelete lock (Option D) with an existing role, not realizing the lock does not grant the required start/stop/restart actions.

1149
MCQ · hard

An operations team archived monthly log exports six weeks ago. An auditor now needs one specific blob restored within a day, and the file will likely be opened several times during the audit. Which action should the administrator take first?

A. Set the blob directly to the Archive tier again
B. Rehydrate the blob to the Hot tier
C. Create a snapshot of the archived blob and open the snapshot
D. Increase the account redundancy to RA-GRS before the audit
Answer: B

The blob must be rehydrated before it can be opened, and Hot is a sensible target when repeated reads are expected during an active audit. Choosing Hot avoids repeated retrieval penalties and keeps the file immediately online for the rest of the audit window. That makes the workflow simpler for the auditor.

Why this answer

The blob is currently in the Archive tier, which is offline and cannot be read directly. To access the data, the blob must first be rehydrated to an online tier (Hot or Cool) by changing its tier or copying it to a new blob. Rehydrating to the Hot tier ensures the blob is available for multiple reads within the audit timeframe, as the rehydration process typically takes up to 15 hours for Archive tier blobs.

Exam trap

The trap here is that candidates may think snapshots can be taken of any blob regardless of tier, but Azure requires the source blob to be in an online tier (Hot, Cool, or Cold) to create a snapshot.

How to eliminate wrong answers

Option A is wrong because setting a blob directly to the Archive tier again is meaningless—the blob is already archived and offline, and this action does not bring it online for access. Option C is wrong because you cannot create a snapshot of an archived blob; snapshots require the blob to be in an online tier (Hot, Cool, or Cold), and the Archive tier is offline. Option D is wrong because increasing account redundancy to RA-GRS does not affect the offline state of an archived blob; redundancy changes apply to the storage account configuration, not to the tier of individual blobs, and the blob remains inaccessible until rehydrated.

1150
MCQ · easy

You want to group subscriptions for Finance, HR, and Engineering so you can apply governance consistently at a higher level. What should you create?

A. Resource groups
B. Management groups
C. Tags
D. Resource locks
Answer: B

Management groups organize subscriptions and support consistent governance across multiple subscriptions.

Why this answer

Management groups are the correct choice because they allow you to organize Azure subscriptions into a hierarchy for applying governance policies, role-based access control (RBAC), and cost management consistently across multiple subscriptions. By creating a management group hierarchy (e.g., Finance, HR, Engineering), you can assign Azure Policy initiatives or RBAC roles at the management group level, which are inherited by all subscriptions within that group. This provides a scalable and centralized governance model without needing to configure each subscription individually.

Exam trap

The trap here is that candidates often confuse resource groups (which group resources within a subscription) with management groups (which group subscriptions themselves), leading them to select resource groups as the answer for cross-subscription governance.

How to eliminate wrong answers

Option A is wrong because resource groups are logical containers for resources within a single subscription, not for grouping multiple subscriptions; they cannot apply governance across subscriptions. Option C is wrong because tags are metadata key-value pairs used for organizing and filtering resources, but they do not enforce governance policies or RBAC inheritance across subscriptions. Option D is wrong because resource locks prevent accidental deletion or modification of resources but operate at the resource, resource group, or subscription level, not across multiple subscriptions for consistent governance.

1151
MCQ · easy

Two app VMs must stay available during planned host maintenance in the same region. Datacenter-level redundancy is not required, but the VMs should be spread across update domains. What should you configure?

A. Availability set
B. Availability zone
C. Azure Backup
D. Managed disk
Answer: A

An availability set spreads VMs across fault and update domains to reduce the impact of host maintenance and hardware failure.

Why this answer

An availability set logically groups VMs to protect against planned maintenance events by distributing them across up to 3 fault domains and 20 update domains. This ensures that during host maintenance, only one update domain is taken offline at a time, keeping the other VMs available. Since datacenter-level redundancy is not required, an availability set is the correct choice.

Exam trap

The trap here is that candidates often confuse availability zones (which provide datacenter-level redundancy) with availability sets (which provide intra-datacenter fault and update domain distribution), leading them to select availability zones even when the question explicitly states datacenter-level redundancy is not required.

How to eliminate wrong answers

Option B is wrong because availability zones provide datacenter-level redundancy by placing VMs in physically separate datacenters within a region, which is explicitly not required. Option C is wrong because Azure Backup is a backup and restore service, not a high-availability or maintenance-resilience feature. Option D is wrong because managed disks are a storage management feature that simplifies disk management and provides durability, but they do not distribute VMs across update domains or protect against planned maintenance.

1152
MCQ · easy

A records team wants blobs to be replicated to a secondary region, and the secondary copy must be readable if the primary region becomes unavailable. Which redundancy option should you choose?

A. Locally redundant storage (LRS)
B. Zone-redundant storage (ZRS)
C. Geo-redundant storage (GRS)
D. Read-access geo-redundant storage (RA-GRS)
Answer: D

RA-GRS replicates data to a secondary region and allows reads from that secondary copy, which fits the requirement exactly.

Why this answer

RA-GRS (Read-access geo-redundant storage) is correct because it provides geo-redundant replication (GRS) to a secondary region, plus read access to the secondary copy even if the primary region is unavailable. This ensures the blob data is replicated asynchronously to a paired secondary region, and the secondary endpoint can be read immediately during a primary outage, meeting the team's requirement for readable secondary copies.

Exam trap

The trap here is that candidates often confuse GRS with RA-GRS, assuming that geo-redundant replication automatically provides readable secondary copies, but GRS does not allow read access to the secondary region until a failover occurs, whereas RA-GRS explicitly enables read access at all times.

How to eliminate wrong answers

Option A (LRS) is wrong because it replicates data only within a single data center in the primary region, providing no replication to a secondary region and no readable copy if the primary region fails. Option B (ZRS) is wrong because it replicates data synchronously across three availability zones within a single region, but does not replicate to a secondary region, so it cannot provide a readable copy in a different region. Option C (GRS) is wrong because while it replicates data to a secondary region, the secondary copy is not readable unless a failover is initiated by Microsoft; it does not offer read access to the secondary region during a primary region outage.

1153
Multi-Select · hard

A Windows VM fails shortly after startup when a custom extension runs, and the administrator cannot use RDP to inspect the machine. The goal is to see what happened during boot and confirm whether the failure occurred before the guest OS finished loading. Which two features should be used first? Select two.

Select 2 answers
A. Boot diagnostics
B. Azure Serial Console
C. Availability set
D. Managed disk snapshots
E. Azure Monitor autoscale
Answers: A, B

Together, these two features capture boot screenshots and serial console output, which is what is needed to diagnose a failure that happens early in boot.

Why this answer

Boot diagnostics captures serial console output and screenshots of the VM during the boot process, allowing you to see if the OS failed to load before the guest OS finished. Azure Serial Console provides text-based, keyboard-focused access to the VM even when RDP is unavailable, enabling you to inspect boot logs and interact with the OS during startup. Together, they let you determine whether the custom extension failure occurred before or after the OS fully loaded.

Exam trap

The trap here is that candidates often choose managed disk snapshots or availability sets, thinking they can restore or inspect the VM state, but these do not provide the real-time, pre-OS boot logs needed to diagnose a startup failure before the guest OS finishes loading.

1154
MCQ · medium

Your company has an on-premises office network that needs encrypted connectivity to an Azure virtual network. In addition, traveling users need secure access from their laptops when they are away from the office. Which Azure design best meets both requirements?

A. Deploy a VPN gateway and configure both site-to-site and point-to-site connections.
B. Use VNet peering between the office network and Azure, then share the same connection with remote users.
C. Create a service endpoint to the virtual network and enable private access for laptops.
D. Deploy a NAT gateway and use it for secure office and laptop connectivity.
Answer: A

A VPN gateway supports both site-to-site tunnels for the office network and point-to-site access for individual users. This single design meets the hybrid branch requirement and the remote-user requirement without exposing the VNet directly to the internet. It is the standard Azure networking choice when you need encrypted connectivity from both networks and individual clients.

Why this answer

A VPN gateway supports both site-to-site (S2S) connections for the on-premises office network and point-to-site (P2S) connections for individual traveling users. The S2S connection uses IPsec/IKE to establish encrypted tunnels between the on-premises VPN device and the Azure VPN gateway, while the P2S connection uses SSTP, OpenVPN, or IKEv2 to allow remote laptops to connect securely from anywhere. This single gateway resource can handle both connection types simultaneously, meeting both requirements efficiently.

Exam trap

The trap here is that candidates confuse VNet peering (which only works between Azure VNets) with hybrid connectivity, or assume a single-purpose service like NAT gateway or service endpoint can replace a VPN gateway for encrypted remote access.

How to eliminate wrong answers

Option B is wrong because VNet peering connects two Azure virtual networks, not an on-premises network to Azure, and it does not provide encrypted connectivity or support remote user laptops. Option C is wrong because a service endpoint provides private connectivity from a virtual network to Azure PaaS services (e.g., Storage, SQL) but does not create an encrypted tunnel for on-premises or remote user access. Option D is wrong because a NAT gateway enables outbound internet connectivity for virtual network resources and does not support inbound encrypted site-to-site or point-to-site connections.

1155
MCQ · easy

A reporting server will run an in-memory analytics application that needs 8 vCPUs and 64 GiB of RAM. The administrator wants a VM family that is a good fit for memory-heavy workloads. Which VM family should be chosen?

A. Memory-optimized VM family
B. Burstable VM family
C. Compute-optimized VM family
D. Storage-optimized VM family
Answer: A

Memory-optimized sizes are designed for workloads that need a higher memory-to-vCPU ratio than general-purpose sizes. They are a practical fit for analytics engines, large caches, and in-memory databases where RAM is the main constraint. Choosing this family helps the team meet the workload requirement without paying for unnecessary specialized features that do not address the sizing need.

Why this answer

Memory-optimized VM families (e.g., Azure E-series) are designed for workloads that require a high memory-to-vCPU ratio, such as in-memory analytics applications. The requirement of 64 GiB of RAM for 8 vCPUs (an 8:1 ratio) aligns with the memory-optimized profile, which offers 8 GiB or more per vCPU, ensuring the application's data fits entirely in RAM for low-latency processing.

Exam trap

The trap here is that candidates may confuse 'memory-heavy' with 'compute-heavy' and choose compute-optimized VMs, overlooking the specific memory-to-vCPU ratio required for in-memory analytics.

How to eliminate wrong answers

Option B is wrong because burstable VM families (e.g., Azure B-series) are intended for workloads with variable CPU usage that can burst, not for consistent high-memory demands; they have limited memory per vCPU and are not suitable for memory-heavy analytics. Option C is wrong because compute-optimized VM families (e.g., Azure F-series) prioritize high CPU performance with a lower memory-to-vCPU ratio (typically 2 GiB per vCPU), which would not meet the 64 GiB requirement for 8 vCPUs. Option D is wrong because storage-optimized VM families (e.g., Azure L-series) are designed for high disk throughput and IOPS, not for large memory footprints, and they often have lower memory per vCPU compared to memory-optimized families.

1156
MCQ · easy

An application on an Azure VM needs more CPU and memory. The administrator wants to keep the same OS disk and installed apps, without redeploying the server. What should be done?

A. Resize the VM to a larger size
B. Reimage the VM
C. Move the VM into a different availability zone
D. Create a new storage account
Answer: A

Resizing the VM changes the allocated compute resources while keeping the same operating system disk and data disks. This is the usual way to give an existing VM more CPU and memory without rebuilding the server. In many cases, you only need to stop the VM briefly, choose a larger size, and start it again.

Why this answer

Resizing the VM (Option A) allows you to change the VM size to a SKU with more CPU and memory while preserving the OS disk, installed applications, and all data. This operation can be performed on a stopped (deallocated) VM and does not require redeployment or reimaging, making it the correct choice for scaling up resources without disruption to the existing configuration.

Exam trap

The trap here is that candidates may confuse 'resizing' with 'reimaging' or think that changing availability zones or storage accounts can affect compute resources, when in fact only changing the VM size directly modifies CPU and memory allocation.

How to eliminate wrong answers

Option B is wrong because reimaging the VM restores the OS disk to its original image state, which would erase all installed applications and custom configurations, not preserve them. Option C is wrong because moving the VM to a different availability zone changes its physical location for high availability but does not alter the VM's CPU or memory resources. Option D is wrong because creating a new storage account provides additional storage capacity but does not increase the compute resources (CPU/memory) of the existing VM.

1157
Multi-Select · hard

A Windows file server VM in Azure must mount an Azure file share by using existing Active Directory Domain Services credentials, not the storage account key. Yesterday, a user deleted a folder tree from the share, and only that folder tree should be restored. Which two actions should the administrator take? Select two.

Select 2 answers
A. Configure identity-based authentication for Azure Files with Active Directory Domain Services.
B. Restore the deleted folders from a file share snapshot.
C. Mount the share by using the storage account key in the command line.
D. Enable anonymous access on the file share so the VM can mount it.
E. Recreate the share as a blob container and use blob snapshots.
Answers: A, B

Identity-based Azure Files authentication lets the VM mount with AD DS credentials instead of using a storage account key.

Why this answer

Option A is correct because identity-based authentication for Azure Files with Active Directory Domain Services (AD DS) allows the Windows file server VM to mount the Azure file share using existing AD DS credentials instead of the storage account key. This is required by the scenario, which specifies that the mount must use AD DS credentials. Option B is correct because Azure file share snapshots capture the state of the share at a point in time, enabling restoration of a specific deleted folder tree without affecting other data. This directly addresses the need to restore only the deleted folder tree.

Exam trap

The trap here is that candidates may confuse file share snapshots with blob snapshots or think that mounting with the storage account key is acceptable, overlooking the explicit requirement for AD DS credentials and the need for granular folder-level recovery.

1158
MCQ · medium

VNet-Hub and VNet-Spoke1 are in the same region and subscription. Resources in the two VNets must communicate over the Microsoft backbone without using a VPN gateway. What should you configure?

A. VNet peering
B. A site-to-site VPN gateway in each VNet
C. A private endpoint
D. A service endpoint
Answer: A

Peering is the standard way to connect VNets privately over the Azure backbone.

Why this answer

VNet peering enables direct connectivity between two virtual networks in the same region and subscription over the Microsoft backbone, without requiring a VPN gateway or public internet. This is the correct solution because it provides low-latency, private communication using the Azure infrastructure, and it supports resources in both VNets to communicate as if they were on the same network.

Exam trap

The trap here is that candidates often confuse VNet peering with VPN gateways or service endpoints, mistakenly thinking a VPN gateway is required for cross-VNet communication or that service endpoints can connect VNets, when in fact VNet peering is the native, gateway-free solution for direct VNet-to-VNet connectivity within the same region.

How to eliminate wrong answers

Option B is wrong because a site-to-site VPN gateway would introduce a VPN tunnel over the public internet or ExpressRoute, which is unnecessary and contradicts the requirement to avoid a VPN gateway; it also incurs additional cost and latency. Option C is wrong because a private endpoint is used to securely access a specific Azure PaaS service (e.g., Azure SQL Database) from a VNet via a private IP, not to connect two VNets together. Option D is wrong because a service endpoint extends a VNet's identity to an Azure service over the Microsoft backbone but does not enable communication between two VNets; it only allows secure access from a VNet to a specific Azure service.

1159
Multi-Select · easy

An administrator enabled Azure VM backup yesterday and now wants to confirm whether the most recent backup job succeeded. Which two places can they check? Select two.

Select 2 answers
A. Activity log
B. Azure Advisor
C. Recovery Services vault backup jobs
D. Backup center
E. Resource Graph
Answers: C, D

The Recovery Services vault contains backup job history and detailed success or failure results.

Why this answer

The Recovery Services vault backup jobs view (Option C) is correct because it provides a dedicated view of all backup jobs associated with the vault, including status, start time, and duration. Backup Center (Option D) is correct because it offers a centralized, cross-vault, cross-region dashboard to monitor backup jobs and alerts, making it ideal for confirming the success of the most recent backup.

Exam trap

The trap here is that candidates often confuse the Activity log (which shows who enabled backup) with the actual backup job status, or they mistakenly think Azure Advisor provides operational monitoring, when in fact it only offers proactive recommendations.

1160
Matching · medium

A team is troubleshooting inbound access to Azure VMs. Match each NSG concept on the left with the most accurate behavior or troubleshooting implication on the right.


Concepts
Matches

The priority 100 rule is evaluated first, so it wins if both rules match the same traffic.

It controls traffic entering the subnet or NIC from another network location.

It filters traffic for a single VM and can be used in addition to a subnet NSG.

It matches any ephemeral source port and does not limit the sender's port selection.

It allows only HTTPS traffic that uses TCP and the specified destination port.

Why these pairings

Rule priority: NSG rules are evaluated from the lowest priority number upward and processing stops at the first match, so a priority 100 rule wins over a priority 200 rule that matches the same traffic. Inbound rules govern traffic entering the subnet or NIC; outbound rules govern traffic leaving it. An NSG can be associated with a NIC as well as with the subnet; for inbound traffic the subnet NSG is evaluated first, then the NIC NSG, and both must allow the flow. A source port range of '*' matches whatever ephemeral port the client picked, which is why rules are normally written on the destination port. An allow rule with protocol TCP and destination port 443 permits only HTTPS on that port. Every NSG also carries default rules (AllowVNetInBound, AllowAzureLoadBalancerInBound, and DenyAllInBound at priority 65500, plus the outbound equivalents); application security groups let a rule target a group of VMs; service tags represent Azure address ranges; NSG flow logs record which rule each flow hit; and a user-defined route changes where traffic is sent but does not filter it.
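The behaviors in the matching exercise, built as real rules with Az PowerShell. This is an added example, not part of the question bank; the resource group rg-app, NSG nsg-web, NIC nic-vm-web01, and region eastus are assumed names. It creates the priority-100 HTTPS allow with a source port of '*', a lower-priority deny that never wins for port 443, associates the NSG to the NIC, and then reads back the effective rules, which is the troubleshooting view that merges the subnet NSG, the NIC NSG, and the default rules.

```powershell
# Added example (not from the question bank). Assumed names: rg-app, nsg-web, nic-vm-web01.

# Priority 100 is evaluated before any higher number; the first match wins.
# SourcePortRange '*' accepts any ephemeral client port; the filter is on destination 443.
$allowHttps = New-AzNetworkSecurityRuleConfig -Name 'Allow-HTTPS-In' `
    -Direction Inbound -Access Allow -Priority 100 -Protocol Tcp `
    -SourceAddressPrefix 'Internet' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 443

# This deny also matches TCP/443 from the Internet, but at priority 200 it is
# never reached for HTTPS. Swapping the two priorities would block HTTPS.
$denyInternet = New-AzNetworkSecurityRuleConfig -Name 'Deny-Internet-In' `
    -Direction Inbound -Access Deny -Priority 200 -Protocol '*' `
    -SourceAddressPrefix 'Internet' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange '*'

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName 'rg-app' -Location 'eastus' `
    -Name 'nsg-web' -SecurityRules $allowHttps, $denyInternet

# NIC-level association: filters this one VM on top of any subnet NSG.
# Inbound traffic must pass the subnet NSG first and then this NSG.
$nic = Get-AzNetworkInterface -ResourceGroupName 'rg-app' -Name 'nic-vm-web01'
$nic.NetworkSecurityGroup = $nsg
Set-AzNetworkInterface -NetworkInterface $nic | Out-Null

# Troubleshooting view: effective rules = subnet NSG + NIC NSG + default rules
# (AllowVnetInBound 65000, AllowAzureLoadBalancerInBound 65001, DenyAllInBound 65500).
# The VM must be running for this call to return data.
Get-AzEffectiveNetworkSecurityGroup -ResourceGroupName 'rg-app' `
    -NetworkInterfaceName 'nic-vm-web01' |
    Select-Object -ExpandProperty EffectiveSecurityRules |
    Where-Object Direction -eq 'Inbound' |
    Sort-Object Priority |
    Format-Table Name, Priority, Access, Protocol, SourcePortRange, DestinationPortRange
```

When inbound access "mysteriously" fails, the effective-rules output is the first thing to read: a deny on the subnet NSG is not visible in the NIC NSG's own rule list.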

1161
MCQhard

You have an Azure load balancer in front of two virtual machines. The load balancer reports both instances as unavailable even though the VMs are running. What is the most likely cause?

A.The health probe is failing.
B.The VMs are in an availability set.
C.The storage account uses the Cool tier.
D.The subscription has a budget alert.
AnswerA

A failed health probe causes the load balancer to mark backend instances as unavailable.

Why this answer

The health probe is the mechanism by which the Azure Load Balancer determines the availability of backend instances. If the probe is misconfigured (e.g., wrong port, protocol, path, or interval) or the backend VMs are not responding to the probe requests (e.g., firewall blocking the probe traffic or the application not listening on the specified port), the load balancer marks both instances as 'Unavailable' even though the VMs are running. This is the most common cause of backend pool unavailability.

Exam trap

The trap here is that candidates often assume 'VM is running' means it is automatically healthy to the load balancer, overlooking the health probe configuration and the need for probe traffic (which arrives from 168.63.129.16, represented by the AzureLoadBalancer service tag) to be allowed by the NSG and by any host firewall on the VM.

How to eliminate wrong answers

Option B is wrong because placing VMs in an availability set does not affect load balancer health probe status; availability sets provide high availability for VMs during planned or unplanned maintenance, but they do not interfere with the load balancer's ability to probe or route traffic. Option C is wrong because the storage account tier (Cool vs. Hot) is unrelated to load balancing or VM network connectivity; it only affects blob storage access costs and latency.

Option D is wrong because a subscription budget alert is a cost management feature that sends notifications when spending exceeds a threshold; it does not impact the operational state of the load balancer or its backend VMs.
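A practitioner's check for this scenario, as an added example that is not part of the question bank. It reads the probe definition, looks for a custom NSG deny that would beat the default AllowAzureLoadBalancerInBound rule on the probe port, and then runs a listener test inside one backend VM. The resource group rg-app, load balancer lb-web, NSG nsg-web, and Windows VM vm-web01 are assumed names.

```powershell
# Added example (not from the question bank). Assumed names: rg-app, lb-web, nsg-web, vm-web01.
$lb = Get-AzLoadBalancer -ResourceGroupName 'rg-app' -Name 'lb-web'

# 1. What the probe expects: protocol, port and (for HTTP/HTTPS) the path that must return 200.
$lb.Probes | Format-Table Name, Protocol, Port, RequestPath, IntervalInSeconds, NumberOfProbes
$probePort = $lb.Probes[0].Port

# 2. Probes come from 168.63.129.16 (AzureLoadBalancer service tag). The default rule
#    AllowAzureLoadBalancerInBound sits at priority 65001, so any custom inbound Deny
#    with a lower number that covers the probe port silently overrides it.
#    (Exact-port match only; a range such as 400-500 is not expanded here.)
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName 'rg-app' -Name 'nsg-web'
$nsg.SecurityRules |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Access -eq 'Deny' -and
                   ($_.DestinationPortRange -contains '*' -or
                    $_.DestinationPortRange -contains "$probePort") } |
    Sort-Object Priority |
    Format-Table Name, Priority, SourceAddressPrefix, DestinationPortRange

# 3. Inside the VM: is anything listening on the probe port? A probe cannot succeed
#    against a stopped service or a guest firewall that drops the port.
$check = "Test-NetConnection -ComputerName localhost -Port $probePort | Select-Object TcpTestSucceeded"
Invoke-AzVMRunCommand -ResourceGroupName 'rg-app' -VMName 'vm-web01' `
    -CommandId 'RunPowerShellScript' -ScriptString $check
```

If step 2 returns a rule, fix it with an explicit allow from the AzureLoadBalancer service tag at a lower priority number rather than deleting the deny; if step 3 reports TcpTestSucceeded = False, the fault is in the guest, not in Azure networking.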

1162
Multi-Selecthard

A VM suddenly stops responding, and the operations team needs to determine whether the issue is caused by a Microsoft platform problem or is isolated to that specific VM. Which two Azure portal features should be reviewed? Select two.

Select 2 answers
A.Service Health
B.Resource Health
C.Azure Advisor
D.Diagnostic setting
E.Action group
AnswersA, B

Service Health shows Azure-wide incidents, advisories, and maintenance that may impact regions.

Why this answer

Service Health (A) provides a global view of Azure platform-wide issues, such as regional outages or service degradation, that could affect multiple resources. Resource Health (B) reports the health of a specific VM instance, indicating whether the VM is available, degraded, or unavailable, and whether the issue is due to a platform event or a user-initiated action. Together, these two features allow the operations team to differentiate between a Microsoft platform problem and an isolated VM issue.

Exam trap

The trap here is that candidates often confuse 'Service Health' with 'Resource Health' or think Azure Advisor can diagnose real-time outages, but the exam expects you to know that Service Health covers platform-wide issues while Resource Health is per-resource, and neither Diagnostic settings nor Action groups provide health status.

1163
MCQmedium

You have a storage account named stlogs01. An application running on VM-App01 in Azure must access blobs in the account without storing account keys in code or configuration files. What should you use?

A.A shared access signature stored in a text file on VM-App01.
B.The storage account access key hard-coded in the application.
C.A managed identity for VM-App01 and Azure RBAC on the storage account.
D.Anonymous public access for the blob container.
AnswerC

This removes secret storage and uses identity-based access.

Why this answer

Option C is correct because a managed identity lets the application on VM-App01 authenticate to Azure Storage without any credential in code or configuration files. The identity is created and rotated by Microsoft Entra ID; the application requests a short-lived token from the VM's instance metadata endpoint, and you grant the identity access to the container or account with Azure RBAC (e.g., Storage Blob Data Reader or Storage Blob Data Contributor). This eliminates account keys and shared access signatures entirely.

Exam trap

The trap here is that candidates may think a SAS token stored in a file is acceptable because it is not an account key, but the question explicitly prohibits storing any secrets in code or configuration files, and a SAS token is still a secret that must be protected.

How to eliminate wrong answers

Option A is wrong because storing a shared access signature (SAS) in a text file on the VM still requires storing a secret (the SAS token) in a file, which violates the requirement of not storing account keys or secrets in code or configuration files. Option B is wrong because hard-coding the storage account access key in the application directly exposes the key, which is a security risk and contradicts the requirement to avoid storing keys in code or configuration files. Option D is wrong because enabling anonymous public access for the blob container allows any unauthenticated user to read blobs, which is insecure and does not provide controlled access for the specific application on VM-App01.
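The end-to-end setup, as an added example that is not part of the question bank: enable a system-assigned identity on VM-App01, grant it a data-plane role scoped to one container, and then, from inside the VM, obtain a token from the instance metadata service and read a blob with a bearer token. Nothing secret is written to disk. The resource group rg-app, container logs and blob app.log are assumed names; stlogs01 and VM-App01 come from the question.

```powershell
# Added example (not from the question bank). Assumed: rg-app, container 'logs', blob 'app.log'.

# --- Control plane: run once from an admin workstation ---
$vm = Get-AzVM -ResourceGroupName 'rg-app' -Name 'VM-App01'
Update-AzVM -ResourceGroupName 'rg-app' -VM $vm -IdentityType SystemAssigned | Out-Null
$principalId = (Get-AzVM -ResourceGroupName 'rg-app' -Name 'VM-App01').Identity.PrincipalId

# Least privilege: a read-only data-plane role, scoped to the container rather than
# the whole account. RBAC changes take a few minutes to propagate.
$sa = Get-AzStorageAccount -ResourceGroupName 'rg-app' -Name 'stlogs01'
New-AzRoleAssignment -ObjectId $principalId `
    -RoleDefinitionName 'Storage Blob Data Reader' `
    -Scope "$($sa.Id)/blobServices/default/containers/logs" | Out-Null

# --- Data plane: run inside VM-App01 ---
# IMDS is link-local and reachable only from the VM itself. The mandatory
# 'Metadata: true' header stops a forwarded (SSRF-style) request from
# harvesting the token, because proxies do not add it.
$tokenResponse = Invoke-RestMethod -Method Get -Headers @{ Metadata = 'true' } `
    -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://storage.azure.com/'
$accessToken = $tokenResponse.access_token   # short-lived; held in memory only

# Bearer auth against the blob REST API; x-ms-version must be 2017-11-09 or later for OAuth.
Invoke-RestMethod -Method Get -Uri 'https://stlogs01.blob.core.windows.net/logs/app.log' `
    -Headers @{ Authorization = "Bearer $accessToken"; 'x-ms-version' = '2021-08-06' }
```

The access-key and SAS options fail the requirement because their secret must live somewhere on the VM; here the only thing the VM holds is a token it can re-request from IMDS, and revoking access is a role-assignment removal rather than a key rotation.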

1164
MCQhard

Two backend VMs must remain available if an Azure host is patched or fails. A full datacenter outage is not part of the requirement, and the team wants the VMs to stay in the same region with predictable east-west latency. Which placement option should the administrator choose?

A.Availability zones in separate datacenters
B.An availability set
C.A proximity placement group
D.A single VM scale set instance
AnswerB

Availability sets protect against host and maintenance failures while keeping the VMs in one region and close together.

Why this answer

An availability set distributes VMs across fault domains (groups of hosts that share a power source and network switch) and update domains (groups that are patched or rebooted together) within a single Azure datacenter. This protects against host patching and hardware failures while keeping the VMs in the same datacenter, which gives predictable east-west latency. The requirement explicitly excludes a full datacenter outage, so availability zones (which span separate datacenters) are unnecessary.

Exam trap

The trap here is that candidates confuse availability zones (which protect against datacenter failures) with availability sets (which protect against host failures within a single datacenter), leading them to choose zones even when the requirement explicitly excludes a full datacenter outage.

How to eliminate wrong answers

Option A is wrong because availability zones place VMs in physically separate datacenters within a region, which introduces cross-datacenter latency and is overkill for a requirement that excludes full datacenter outages. Option C is wrong because a proximity placement group is designed to reduce latency by co-locating VMs as close as possible, but it does not provide fault domain isolation against host patching or failures. Option D is wrong because a single VM scale set instance offers no redundancy; it is a single VM that fails if the host fails, and scale sets require multiple instances to provide availability.

1165
Multi-Selecthard

A reporting application will run on a single Azure VM and needs 8 vCPUs, 64 GiB of RAM, and a temporary local disk for cache. The team wants a size that satisfies the requirement without oversizing memory or paying for an unnecessarily large specialty series. Which two VM sizes meet the requirement best? Select two.

Select 2 answers
A.E8as_v5
B.E8ds_v5
C.D8as_v5
D.F8s_v2
E.M8ms
AnswersA, B

This size provides 8 vCPUs and 64 GiB of memory, matching the workload requirement closely.

Why this answer

E8as_v5 and E8ds_v5 both provide 8 vCPUs and 64 GiB of RAM, the memory-optimized E-family ratio of 8 GiB per vCPU that matches the requirement without the excess memory of the M-series; of the listed options they are the only two sizes with the required vCPU count and memory. In the v5 naming convention 'a' denotes AMD processors, 's' denotes premium storage support, and 'd' denotes a local temporary disk. E8ds_v5 therefore satisfies the temporary disk requirement directly, while E8as_v5 (no 'd') is the AMD size that matches on vCPUs and memory but ships without a local temporary disk; the AMD size with one is E8ads_v5.

Exam trap

The trap here is that candidates check only the vCPU count: D8as_v5 has 8 vCPUs but 32 GiB, F8s_v2 has 8 vCPUs but 16 GiB, and M8ms has 8 vCPUs but roughly 219 GiB, a large and expensive specialty size. They also misread the size suffixes: the 'd' in a size name, not the 's', is what indicates a local temporary disk.

1166
MCQeasy

Based on the exhibit, what should the administrator use to temporarily allow the legacy storage account to remain noncompliant without changing the policy for everyone?

A.Modify the policy definition so all storage accounts can use public network access.
B.Create a policy exemption for the legacy storage account or its resource group.
C.Apply a ReadOnly lock to the storage account.
D.Move the storage account to another subscription so the policy no longer applies.
AnswerB

A policy exemption is designed for approved exceptions to an existing assignment. It lets the legacy storage account remain temporarily outside the deny effect while preserving the policy for everything else. This keeps governance intact and documents the exception clearly.

Why this answer

A policy exemption allows the administrator to exclude a specific resource (the legacy storage account) or its resource group from the Azure Policy evaluation without modifying the underlying policy definition. This is the correct approach because it temporarily grants noncompliance for that resource while the policy remains enforced for all other resources, aligning with the requirement to avoid changing the policy for everyone.

Exam trap

The trap here is that candidates often confuse policy exemptions with resource locks or policy definition modifications, mistakenly thinking a ReadOnly lock or moving the resource will bypass policy evaluation, when in fact only an exemption explicitly excludes a resource from policy compliance checks.

How to eliminate wrong answers

Option A is wrong because modifying the policy definition to allow public network access for all storage accounts would permanently change the policy for everyone, which contradicts the requirement to not change the policy for everyone. Option C is wrong because a ReadOnly lock prevents modifications to the storage account but does not exempt it from Azure Policy evaluation; the policy would still flag the account as noncompliant and could trigger remediation tasks. Option D is wrong because moving the storage account to another subscription would remove it from the current policy scope, but this is a permanent structural change that does not temporarily allow noncompliance and may introduce additional management overhead.
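How the exemption is created with Az PowerShell, as an added example that is not part of the question bank. It targets a single storage account under an existing assignment, gives the exemption a category and an expiry so it cannot quietly become permanent, and then lists what is exempt at that scope. The resource group rg-legacy, storage account stlegacy01 and assignment name deny-storage-public-access are assumed names.

```powershell
# Added example (not from the question bank).
# Assumed names: rg-legacy, stlegacy01, assignment 'deny-storage-public-access' at subscription scope.
$sa = Get-AzStorageAccount -ResourceGroupName 'rg-legacy' -Name 'stlegacy01'
$assignment = Get-AzPolicyAssignment -Name 'deny-storage-public-access' `
    -Scope "/subscriptions/$((Get-AzContext).Subscription.Id)"

# 'Waiver' records an accepted risk; 'Mitigated' records that another control covers it.
# ExpiresOn makes the exception lapse on its own; the assignment itself is untouched.
New-AzPolicyExemption -Name 'exempt-stlegacy01-public-access' `
    -DisplayName 'Temporary exemption: stlegacy01 public network access' `
    -Description 'Legacy ingest path; migration ticket open' `
    -PolicyAssignment $assignment `
    -Scope $sa.Id `
    -ExemptionCategory Waiver `
    -ExpiresOn (Get-Date).AddDays(30).ToUniversalTime()

# Review what is exempt at this scope; the account shows as Exempt, not Compliant.
Get-AzPolicyExemption -Scope $sa.Id | Format-List
```

Scope the exemption to the resource itself unless the whole resource group is legitimately legacy; a resource-group-scoped exemption also covers anything created there later, which is usually not what the approver intended.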

1167
MCQeasy

An application uses two Azure VMs in the same datacenter and must continue through planned maintenance and a single hardware host failure. The administrator does not need separate datacenter protection. Which option should be used?

A.Availability zones
B.Availability set
C.Proximity placement group
D.Virtual machine scale set
AnswerB

An availability set is designed to spread VMs across update and fault domains within a datacenter. That reduces the chance that maintenance or a host failure takes down all instances at once. Because the scenario only requires protection from host-level and planned maintenance events, an availability set is the appropriate and cost-effective choice.

Why this answer

An availability set distributes VMs across multiple fault domains (hardware hosts) and update domains within a single Azure datacenter. This ensures that during planned maintenance (update domains) or a single hardware host failure (fault domains), at least one VM remains available. Since the requirement does not include separate datacenter protection, an availability set is the correct choice.

Exam trap

The trap here is that candidates often confuse availability zones (which offer datacenter-level redundancy) with availability sets (which offer host-level redundancy within a single datacenter), leading them to choose zones even when the requirement explicitly states no separate datacenter protection is needed.

How to eliminate wrong answers

Option A is wrong because availability zones spread VMs across physically separate datacenters within a region, which exceeds the stated requirement and adds cross-zone latency. Option C is wrong because a proximity placement group only co-locates VMs as close together as possible to minimize latency; it provides no fault or update domain separation on its own, so it does not address host failure or maintenance. Option D is wrong because a virtual machine scale set is built for groups of identical, auto-scaled instances; it does spread its instances across fault domains, but the scenario is two individually managed VMs, for which an availability set is the direct and simpler fit.

1168
Multi-Selectmedium

A workload must keep storage available if one availability zone in the primary region fails. Geo-failover is optional, but the account must still meet the zone-failure requirement. Which two redundancy options satisfy this? Select two.

Select 2 answers
A.LRS
B.ZRS
C.GRS
D.GZRS
E.RA-GRS
AnswersB, D

ZRS replicates data synchronously across availability zones in the same region to survive a zone outage; GZRS keeps that zone-redundant primary and adds a geo-secondary.

Why this answer

B is correct because Zone-Redundant Storage (ZRS) synchronously replicates data across three availability zones within the primary region, so the account stays available if one zone fails, without relying on geo-failover. D is correct because Geo-Zone-Redundant Storage (GZRS) uses the same zone-redundant replication in the primary region and additionally copies data asynchronously to a secondary region; the geo copy is optional for this scenario, but the zone protection in the primary region is what satisfies the requirement. LRS keeps three copies within a single datacenter, and GRS and RA-GRS use LRS in the primary region, so none of those three survive a zone outage there.

Exam trap

The trap here is that candidates often confuse GRS or RA-GRS as providing zone-level redundancy, but they only replicate across regions, not across zones within the primary region, unless combined with ZRS (as in GZRS).

1169
MCQmedium

A team can already deploy virtual machines, but they want to prevent users from creating VMs unless the deployment includes an approved tag. They also want to see which existing resources do not meet the rule. What should the administrator use?

A.A custom RBAC role that removes the create action for virtual machines.
B.An Azure Policy assignment with a deny or audit effect for the tag requirement.
C.A resource lock on the resource group.
D.An Entra ID dynamic group for the VM creators.
AnswerB

Azure Policy is the correct control because the requirement is about resource compliance, not user authorization. A policy can deny deployments that do not include the approved tag and can also audit existing resources to show which ones are noncompliant. That separates governance enforcement from RBAC, which only decides who is allowed to perform actions in Azure.

Why this answer

Azure Policy with a 'deny' effect prevents creation of VMs that lack the required tag, while the 'audit' effect identifies non-compliant existing resources without blocking them. This directly addresses both requirements: enforcing the tag on new deployments and discovering which existing resources violate the rule.

Exam trap

The trap here is confusing Azure Policy (which enforces rules on resource properties like tags) with RBAC (which controls who can perform actions), leading candidates to mistakenly choose a custom role instead of the policy-based solution.

How to eliminate wrong answers

Option A is wrong because a custom RBAC role removing the create action would block all VM creation regardless of tags, not enforce a tag requirement, and it cannot audit existing resources. Option C is wrong because a resource lock prevents deletion or modification of the entire resource group, not the creation of VMs, and it cannot enforce tag policies. Option D is wrong because an Entra ID dynamic group manages user membership based on attributes, not resource compliance; it has no effect on VM creation or tag enforcement.
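The assignment and the compliance query side by side, as an added example that is not part of the question bank. It assigns the built-in "Require a tag on resources" definition (which carries a deny effect) at resource-group scope for a CostCenter tag, triggers an evaluation, and lists the existing resources that fail the rule. The tag name CostCenter and resource group rg-compute are assumed.

```powershell
# Added example (not from the question bank). Assumed: tag 'CostCenter', resource group 'rg-compute'.

# Built-in definition ID for "Require a tag on resources" (effect: deny).
$definition = Get-AzPolicyDefinition `
    -Id '/providers/Microsoft.Authorization/policyDefinitions/871b6d14-10aa-478d-b590-94f262ecfa99'
$rg = Get-AzResourceGroup -Name 'rg-compute'

# Deny blocks new deployments that lack the tag. Existing resources are not modified,
# only evaluated, which is what gives the "which resources do not meet the rule" view.
New-AzPolicyAssignment -Name 'require-costcenter-tag' `
    -DisplayName 'Require CostCenter tag on resources' `
    -Scope $rg.ResourceId `
    -PolicyDefinition $definition `
    -PolicyParameterObject @{ tagName = 'CostCenter' }

# Force an evaluation instead of waiting for the periodic cycle, then query compliance state.
Start-AzPolicyComplianceScan -ResourceGroupName 'rg-compute'
Get-AzPolicyState -ResourceGroupName 'rg-compute' `
    -Filter "PolicyAssignmentName eq 'require-costcenter-tag' and ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, ComplianceState, Timestamp
```

One caveat a practitioner hits immediately: the built-in applies to every resource type in scope, so a VM deployment is also denied if the NIC, OS disk or public IP it creates is untagged. Either tag those child resources in the template or narrow the definition to Microsoft.Compute/virtualMachines in a custom copy.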

1170
MCQmedium

Based on the exhibit, a security team wants to search Key Vault audit events in Log Analytics for 30 days and create alerts when secrets are accessed unexpectedly. The current diagnostic configuration is not sending the right data. What should the administrator enable?

A.Enable AuditEvent and send the logs to a Log Analytics workspace.
B.Enable only AllMetrics and keep sending data to the storage account.
C.Create a private endpoint for the Key Vault.
D.Turn on a resource lock with the ReadOnly effect.
AnswerA

Key Vault audit events must be collected into Log Analytics to support search, KQL queries, and log-based alerting. Enabling the AuditEvent category and targeting a workspace satisfies both investigation and alerting requirements.

Why this answer

Option A is correct because the Key Vault diagnostic setting must include the AuditEvent category to capture all audit logs, including secret operations. Sending these logs to a Log Analytics workspace enables the security team to query them for 30 days and create alerts on unexpected secret access. Without AuditEvent enabled, no audit data is available for analysis.

Exam trap

The trap here is that candidates often confuse AllMetrics (which provides performance data) with AuditEvent (which provides security logs), or mistakenly think that network controls like private endpoints or resource locks can substitute for proper diagnostic logging configuration.

How to eliminate wrong answers

Option B is wrong because AllMetrics captures performance metrics (e.g., requests, latency) but not audit events; it cannot provide the security logs needed to detect unauthorized secret access. Option C is wrong because a private endpoint restricts network access to the Key Vault but does not enable or send audit logs to Log Analytics; it addresses network security, not diagnostic data collection. Option D is wrong because a ReadOnly resource lock prevents modifications to the Key Vault but does not enable audit logging or send data to Log Analytics; it is a governance control, not a diagnostic configuration.
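The configuration and a first detection query, as an added example that is not part of the question bank. It creates a diagnostic setting with only the AuditEvent category routed to a Log Analytics workspace, confirms the workspace retention covers 30 days, and runs a KQL query for successful SecretGet calls that did not come from the expected application. The resource group rg-sec, vault kv-prod01, workspace law-sec and the placeholder application ID are assumed.

```powershell
# Added example (not from the question bank). Assumed names: rg-sec, kv-prod01, law-sec.
$kv  = Get-AzKeyVault -ResourceGroupName 'rg-sec' -VaultName 'kv-prod01'
$law = Get-AzOperationalInsightsWorkspace -ResourceGroupName 'rg-sec' -Name 'law-sec'

# AuditEvent records every data-plane call (SecretGet, KeyGet, VaultGet, ...) with caller
# identity and IP. AllMetrics only records counts and latency, so it cannot answer "who read it".
$audit = New-AzDiagnosticSettingLogSettingsObject -Category 'AuditEvent' -Enabled $true
New-AzDiagnosticSetting -Name 'kv-audit-to-law' `
    -ResourceId $kv.ResourceId `
    -WorkspaceId $law.ResourceId `
    -Log $audit

# Retention is a workspace setting; the 30-day search window needs at least 30 here.
$law.RetentionInDays

# Successful secret reads in the last 30 days by anyone other than the expected app.
# Key Vault lands in the AzureDiagnostics table by default; the placeholder GUID is
# an assumed client ID and must be replaced with the application's real appid.
$query = @'
AzureDiagnostics
| where TimeGenerated > ago(30d)
| where ResourceProvider == "MICROSOFT.KEYVAULT" and OperationName == "SecretGet"
| where ResultType == "Success"
| where identity_claim_appid_g != "00000000-0000-0000-0000-000000000000"
| project TimeGenerated, Resource, CallerIPAddress, identity_claim_appid_g, identity_claim_upn_s, id_s
'@
(Invoke-AzOperationalInsightsQuery -WorkspaceId $law.CustomerId -Query $query).Results
```

The same query body becomes the alert: create a log search alert rule (scheduled query rule) on the workspace that fires when the result count is greater than zero, and attach an action group for the security team. Note that the diagnostic setting only captures events from the moment it is enabled; there is no way to backfill earlier reads.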
