AZ-104 (AZ-104) — Questions 76–150

1170 questions total · 16 pages · All types, answers revealed

Page 2 of 16

76 · MCQ · hard

You need to run a stateless web workload on Azure virtual machines and automatically increase or decrease instance count based on demand. You also want a single management boundary for the VM instances. Which solution should you deploy?

A. A Virtual Machine Scale Set
B. An availability set with individual VMs
C. Azure Backup
D. A Recovery Services vault

Answer: A

VM Scale Sets support group management and autoscaling for identical VM instances.

Why this answer

A Virtual Machine Scale Set (VMSS) is the correct solution because it provides an autoscaling group of identical VMs that can automatically increase or decrease instance count based on demand (e.g., CPU or memory metrics). It also offers a single management boundary, allowing you to manage, monitor, and scale all instances as a unified resource rather than individually.

Exam trap

The trap here is that candidates often confuse an availability set (which provides high availability but no scaling) with a Virtual Machine Scale Set (which provides both scaling and a single management boundary), or they mistakenly think backup/recovery services can manage compute scaling.

How to eliminate wrong answers

Option B is wrong because an availability set with individual VMs does not provide autoscaling; it only ensures high availability by distributing VMs across fault domains and update domains, but each VM must be managed separately and scaled manually. Option C is wrong because Azure Backup is a data protection service for backing up VMs, files, and workloads; it has no capability to manage compute scaling or instance count. Option D is wrong because a Recovery Services vault is used for backup and disaster recovery (e.g., Azure Site Recovery), not for deploying or autoscaling compute instances.

77 · MCQ · medium

A developer wants to publish an internet-facing application from source code. Required capabilities include built-in HTTPS, deployment slots, and autoscale, but the team does not want to manage the operating system. Which Azure service should the administrator choose?

A. Azure Container Instances
B. Azure Virtual Machines
C. Azure App Service
D. Azure Kubernetes Service

Answer: C

Azure App Service is the best fit for a code-based internet-facing application that needs managed HTTPS, deployment slots, and autoscale without operating system administration. It provides a platform service for web hosting, which reduces operational work while supporting the common web app features named in the requirement.

Why this answer

Azure App Service is the correct choice because it provides a fully managed platform for hosting web applications with built-in HTTPS support, deployment slots for staging and swapping, and autoscale capabilities. It abstracts the underlying operating system, allowing the team to focus on code without managing infrastructure.

Exam trap

The trap here is that candidates often confuse Azure App Service with Azure Container Instances or Azure Kubernetes Service because they all support containers, but only App Service provides built-in deployment slots and OS abstraction without requiring container orchestration management.

How to eliminate wrong answers

Option A is wrong because Azure Container Instances does not provide built-in HTTPS, deployment slots, or autoscale; it is a container orchestration service for running individual containers without these application-level features. Option B is wrong because Azure Virtual Machines require the team to manage the operating system, including patching and configuration, which violates the requirement of not managing the OS. Option D is wrong because Azure Kubernetes Service involves managing the Kubernetes control plane and nodes, and while it can support HTTPS and autoscale, it does not offer built-in deployment slots and requires significant operational overhead for OS management.

78 · Matching · medium

A production team wants to match common Azure Monitor components to the action each one performs. Match each item on the left to the best description on the right.

Matches

Triggers when a numeric metric such as CPU percentage crosses a defined threshold.

Sends notifications or starts responses such as email, SMS, webhook, or automation.

Reports an Azure platform incident, advisory, or planned maintenance that affects a region or subscription.

Shows whether one specific Azure resource is currently healthy, degraded, or unavailable.

Exports a resource's logs and metrics to destinations such as Log Analytics or Storage.

Why these pairings

Log Analytics workspace stores logs centrally; Azure Monitor Metrics handles numeric time-series data; Application Insights focuses on application performance; Activity Log tracks control plane events; Alerts send notifications; Workbooks create interactive reports.

79 · MCQ · medium

An application runs on an Azure VM in a subnet and must access a storage account over the public endpoint without using a private IP address. The administrator wants to restrict access so only that subnet can reach the account. What should be configured?

A. Create a private endpoint for the storage account and disable the public endpoint.
B. Enable a service endpoint for Microsoft.Storage on the subnet and add the subnet to the storage account network rules.
C. Allow trusted Microsoft services to bypass the firewall.
D. Add a user-defined route that points storage traffic to the virtual network gateway.

Answer: B

A service endpoint lets the subnet reach the storage account over the Azure backbone while still using the storage account's public endpoint. Adding the subnet to the storage firewall allows only that subnet to connect. This meets the requirement to avoid a private IP while restricting access to a specific subnet.

Why this answer

Option B is correct because a service endpoint for Microsoft.Storage extends the virtual network identity to the subnet, allowing the storage account firewall to accept traffic from that subnet via its public endpoint. This meets the requirement of restricting access to the storage account's public endpoint without using a private IP address.

Exam trap

The trap here is that candidates confuse service endpoints with private endpoints, assuming that restricting access to a subnet requires a private IP, when service endpoints can achieve subnet-level restriction over the public endpoint without changing the IP addressing.

How to eliminate wrong answers

Option A is wrong because creating a private endpoint assigns a private IP to the storage account within the VNet, which disables the public endpoint — contradicting the requirement to use the public endpoint. Option C is wrong because allowing trusted Microsoft services bypasses the firewall for services like Azure Backup or Azure DevOps, but does not restrict access to a specific subnet; it opens access broadly to Microsoft services. Option D is wrong because a user-defined route (UDR) that points storage traffic to the virtual network gateway would force traffic through the gateway (e.g., for forced tunneling), but does not enforce access control at the storage account firewall; the storage account would still accept traffic from any IP unless network rules are configured.

80 · MCQ · medium

You create a private endpoint for an Azure Storage account. Virtual machines in VNet-Prod must resolve the storage account name to the private IP address of that endpoint. Which Azure feature should you configure?

A. A private DNS zone linked to VNet-Prod
B. A user-defined route
C. An Azure Firewall policy
D. A Recovery Services vault

Answer: A

A private DNS zone provides the required name resolution for the private endpoint.

Why this answer

A private endpoint uses a private IP address from the VNet, but DNS resolution must be explicitly configured to map the storage account's FQDN to that private IP. By creating a private DNS zone (privatelink.blob.core.windows.net) linked to VNet-Prod, Azure automatically creates an A record for the private endpoint IP, enabling VMs to resolve the storage account name to the private IP instead of the public IP.

Exam trap

The trap here is that candidates confuse network-level traffic control (UDRs or firewalls) with DNS resolution, assuming that routing or filtering traffic is sufficient to force private connectivity, when in fact DNS must be explicitly configured to resolve to the private IP.

How to eliminate wrong answers

Option B is wrong because a user-defined route (UDR) controls network traffic flow (next hop) and does not affect DNS resolution or name-to-IP mapping. Option C is wrong because an Azure Firewall policy defines filtering and threat protection rules for network traffic, not DNS record management or private endpoint resolution. Option D is wrong because a Recovery Services vault is used for backup and disaster recovery (Azure Backup, Site Recovery) and has no role in DNS configuration or private endpoint connectivity.

81 · Multi-Select · easy

Which two settings can you configure in an Azure Backup policy for a virtual machine? Select two.

Select 2 answers
A. Backup schedule
B. Retention period
C. Virtual network peering
D. Network security group rules
E. Public IP allocation

Answers: A, B

The policy controls when backups run, such as daily or weekly timing.

Why this answer

Option A is correct because an Azure Backup policy for a virtual machine includes a 'Backup schedule' setting that defines how often (e.g., daily or weekly) and at what time the backup job runs. This schedule controls the frequency of recovery point creation, which is essential for meeting recovery point objectives (RPOs).

Exam trap

The trap here is that candidates confuse Azure Backup policy settings with other Azure resource configurations, such as networking or IP addressing, because the exam often includes distractor options from different domains (networking, security, compute) to test whether you know the exact scope of a backup policy.

82 · MCQ · medium

A web app running in Azure App Service must upload files to a blob container. The team wants to avoid storing any secrets in application settings and wants the app to authenticate without a password or access key. What should the administrator configure?

A. Store the storage account key in the app configuration and use it from the application
B. Enable a system-assigned managed identity for the app and grant it a storage data role
C. Create an anonymous public container so the app can upload without authentication
D. Use a shared access signature generated from the storage account root key

Answer: B

Managed identity allows the app to authenticate to Storage with Microsoft Entra ID and no stored secret.

Why this answer

Option B is correct because a system-assigned managed identity allows the App Service to authenticate to Azure Storage without storing any secrets. By granting the identity the 'Storage Blob Data Contributor' role via Azure RBAC, the app can upload files using Azure AD authentication, eliminating the need for passwords or access keys.

Exam trap

The trap here is that candidates often confuse managed identities with SAS tokens or access keys, assuming any form of shared secret is acceptable, but the question explicitly requires no secrets in application settings and no password or access key.

How to eliminate wrong answers

Option A is wrong because storing the storage account key in app configuration violates the requirement to avoid storing secrets, and the key is a long-lived credential that could be exposed. Option C is wrong because anonymous public containers allow unauthenticated uploads, which is a security risk and does not meet the requirement for controlled authentication. Option D is wrong because a shared access signature (SAS) is still derived from a key and must be stored or generated at runtime, introducing a secret management issue.

83 · Multi-Select · easy

A helpdesk engineer wants to determine whether a VM issue is caused by a Microsoft platform problem or a problem limited to one specific VM. Which two Azure features should they use? Select two.

Select 2 answers
A. Azure Advisor
B. Backup center
C. Resource Health
D. Service Health
E. Log Analytics workspace

Answers: C, D

Resource Health shows whether a specific Azure resource is healthy or experiencing issues.

Why this answer

Resource Health (C) provides a personalized dashboard showing the health of your individual Azure resources, including VMs, and can indicate whether an issue is specific to that resource. Service Health (D) provides a global view of Azure service availability across regions and can identify platform-wide outages or planned maintenance. Together, they allow the engineer to differentiate between a problem limited to one VM and a broader Azure platform problem.

Exam trap

The trap here is that candidates often confuse Resource Health with Service Health, thinking they are interchangeable, when in fact Resource Health focuses on individual resources while Service Health covers the entire Azure platform, and both are needed together to isolate the scope of a problem.

84 · MCQ · easy

A storage account must stay reachable through its public endpoint, but only Azure workloads in AppSubnet should be allowed to access it. No private IP is required. What should you configure?

A. A private endpoint in AppSubnet.
B. A service endpoint on AppSubnet and a storage firewall VNet rule.
C. A VPN gateway between AppSubnet and the storage account.
D. A public IP address on the storage account.

Answer: B

Service endpoints let the subnet access the storage account securely through its public endpoint, and the firewall can restrict access to that subnet.

Why this answer

A service endpoint on AppSubnet extends the Azure backbone network to the subnet, allowing traffic to the storage account's public endpoint without a private IP. The storage firewall VNet rule then restricts access to only traffic originating from that specific subnet, meeting the requirement of public endpoint reachability with Azure workload-only access.

Exam trap

The trap here is that candidates confuse private endpoints (which remove public endpoint access) with service endpoints (which preserve public endpoint access while restricting traffic), leading them to choose the private endpoint option despite the explicit requirement to keep the public endpoint reachable.

How to eliminate wrong answers

Option A is wrong because a private endpoint assigns a private IP from the subnet to the storage account, which removes public endpoint access entirely, contradicting the requirement to keep the storage account reachable through its public endpoint. Option C is wrong because a VPN gateway is used for hybrid connectivity between on-premises and Azure, not for restricting access to Azure workloads within the same region; it adds unnecessary complexity and cost. Option D is wrong because a storage account already has a public IP by default; assigning a separate public IP does not restrict access to AppSubnet and is not a supported configuration for access control.

85 · Multi-Select · easy

Which two authentication methods let an app access blob data without storing the storage account key on the machine? Select two.

Select 2 answers
A. Microsoft Entra ID authorization with an appropriate Azure RBAC role.
B. A user delegation SAS generated through Microsoft Entra ID.
C. The storage account access key.
D. A service SAS generated directly from the account key.
E. Anonymous public access to the container.

Answers: A, B

Entra ID plus RBAC lets the app authenticate as a user, group, or managed identity without handling a storage key.

Why this answer

Option A is correct because Microsoft Entra ID authorization with an appropriate Azure RBAC role (e.g., Storage Blob Data Contributor) allows an app to authenticate to blob storage using OAuth 2.0 tokens, eliminating the need to store the storage account key on the machine. Option B is correct because a user delegation SAS is signed with Microsoft Entra ID credentials and can be generated without the account key, providing time-limited, scoped access to blob data.

Exam trap

The trap here is that candidates often confuse a service SAS (which still requires the account key) with a user delegation SAS (which does not), or they mistakenly think that anonymous access is a valid authentication method for an app.

86 · MCQ · medium

The team needs alerts for VM CPU and storage capacity thresholds, but they want to keep telemetry ingestion costs as low as possible. Which approach is best?

A. Use Azure Monitor metric alerts for the threshold conditions.
B. Send all VM diagnostic logs to Log Analytics and create only log search alerts.
C. Create a Recovery Services vault backup policy with a short retention period.
D. Assign Azure Policy to the subscription to audit CPU and storage trends.

Answer: A

Metric alerts evaluate native platform metrics directly and do not require broad log ingestion, so they are usually the most cost-aware option for threshold monitoring. For CPU and capacity-type measurements that are available as metrics, this approach gives near real-time alerting with minimal telemetry overhead. It fits the requirement to monitor multiple resources while keeping data collection costs down.

Why this answer

Azure Monitor metric alerts are the most cost-effective approach because they evaluate lightweight, pre-collected platform metrics (e.g., CPU percentage, disk read/write operations) at regular intervals without ingesting or storing raw log data. This avoids the ingestion and retention costs associated with sending diagnostic logs to a Log Analytics workspace, making it ideal for simple threshold-based monitoring of VM CPU and storage capacity.

Exam trap

The trap here is that candidates often assume Log Analytics is always the right choice for alerts because it provides richer data, but they overlook the cost implications of ingesting and storing diagnostic logs for simple threshold monitoring, where metric alerts are both sufficient and far cheaper.

How to eliminate wrong answers

Option B is wrong because sending all VM diagnostic logs to Log Analytics incurs significant data ingestion and retention costs, and log search alerts require querying that stored data, which is far more expensive than metric alerts for simple threshold conditions. Option C is wrong because a Recovery Services vault backup policy is designed for backup and disaster recovery of VMs, not for real-time monitoring or alerting on CPU and storage thresholds. Option D is wrong because Azure Policy is used for enforcing compliance rules (e.g., requiring specific VM sizes or tags), not for monitoring performance metrics or generating alerts on CPU and storage usage.

87 · MCQ · hard

An operations team wants to know when Azure marks a specific storage account unhealthy because of a regional platform issue. They do not want to depend on a custom metric, a Log Analytics query, or any polling script. What should they create?

A. A metric alert on storage capacity because platform issues always reduce capacity first
B. A resource health alert for the storage account
C. A log alert that searches AzureDiagnostics for unavailable status codes
D. An activity log alert on every write operation to the storage account

Answer: B

Resource Health is designed to notify you when Azure reports the specific resource as unhealthy, which matches the requirement exactly.

Why this answer

A resource health alert is the correct choice because it directly monitors the health of a specific Azure resource, such as a storage account, and triggers when Azure detects a platform-level issue that marks the resource as unhealthy. This alert does not require custom metrics, Log Analytics queries, or polling scripts, aligning perfectly with the team's requirement to avoid those dependencies. Resource health alerts are designed to notify you of service-impacting events originating from the Azure platform, not from your own configuration or usage patterns.

Exam trap

The trap here is that candidates often confuse resource health alerts with activity log alerts or metric alerts, mistakenly thinking that monitoring operational metrics or logging errors can detect platform-level unavailability, when in fact resource health alerts are the only native, dependency-free mechanism for this specific scenario.

How to eliminate wrong answers

Option A is wrong because storage capacity metrics do not indicate platform health; platform issues can cause unavailability without any change in capacity, and capacity alerts are based on custom metric thresholds, which the team explicitly wants to avoid. Option C is wrong because a log alert searching AzureDiagnostics requires a Log Analytics workspace and a query, which violates the requirement of not depending on a Log Analytics query. Option D is wrong because an activity log alert on every write operation would generate excessive noise and does not detect platform-level unhealthiness; it monitors user-initiated operations, not the underlying platform health status.

88 · MCQ · medium

Based on the exhibit, an Azure Policy with the Modify effect was assigned to add Environment=Prod to resources in RG-Prod. New resources get the tag, but existing virtual machines still do not have it. What should the administrator do next?

A. Create a remediation task for the policy assignment.
B. Move the policy assignment to the subscription scope.
C. Change the policy effect from Modify to Deny.
D. Add a CanNotDelete lock to RG-Prod.

Answer: A

Modify can add or update the tag for future deployments, but existing resources usually need remediation so the policy engine can apply the change to what is already deployed. A remediation task is the correct next step.

Why this answer

The Modify effect in Azure Policy automatically applies to new resources during creation or update, but it does not retroactively fix existing non-compliant resources. To apply the tag to existing virtual machines, the administrator must create a remediation task for the policy assignment, which triggers a deployment to modify those resources.

Exam trap

The trap here is that candidates often assume Azure Policy automatically remediates all resources at assignment time, but in reality, only new or updated resources are affected unless a remediation task is explicitly created.

How to eliminate wrong answers

Option B is wrong because moving the policy assignment to the subscription scope would not retroactively fix existing resources; it would only expand the policy's evaluation scope, and remediation tasks are still required for existing non-compliant resources. Option C is wrong because changing the effect from Modify to Deny would block creation of resources without the tag but would not add the tag to existing resources, and it could break future deployments. Option D is wrong because adding a CanNotDelete lock prevents deletion of resources but does not modify existing tags or enforce tagging compliance.

89 · MCQ · medium

Based on the exhibit, a help desk engineer cannot RDP from an approved admin subnet to a VM in Azure. What change should the administrator make so the connection is allowed?

A. Change the deny rule to use UDP instead of TCP.
B. Move Allow-RDP-Admin to a priority lower than 100.
C. Add the VM NIC to an application security group and leave the rules unchanged.
D. Delete the default AllowVNetInBound rule.

Answer: B

NSG rules are processed in priority order, and the lowest number wins. Because the deny rule at priority 100 matches first, the allow rule at 200 never takes effect. Moving the allow rule to a smaller number than 100 lets the approved subnet match the permit rule before the deny rule is evaluated.

Why this answer

The exhibit shows a deny rule at priority 100 that blocks all inbound traffic from the approved admin subnet, and the Allow-RDP-Admin rule at a higher priority number (e.g., 200). Because Azure Network Security Group (NSG) rules are evaluated in ascending priority-number order, the deny rule at 100 is evaluated before the allow rule at 200, so the RDP connection is blocked. To allow the RDP traffic, the administrator must move the Allow-RDP-Admin rule to a priority number lower than 100 (e.g., 90) so it is evaluated before the deny rule.

Exam trap

The trap here is that candidates assume allow rules always override deny rules, but in Azure NSGs, the rule with the lowest priority number (highest precedence) wins, regardless of whether it is an allow or deny rule.

How to eliminate wrong answers

Option A is wrong because changing the deny rule from TCP to UDP would not resolve the issue; RDP uses TCP (port 3389), and the deny rule would still block TCP traffic, while UDP is irrelevant for RDP. Option C is wrong because adding the VM NIC to an application security group (ASG) does not override the explicit deny rule at priority 100; the deny rule still applies to the subnet and will block traffic regardless of ASG membership. Option D is wrong because deleting the default AllowVNetInBound rule is unnecessary and would break other intra-VNet traffic; the issue is the explicit deny rule, not the default allow rule.

90 · MCQ · medium

A production storage account must remain available for updates, but administrators want to prevent accidental deletion during maintenance windows. Which lock should be applied to the storage account?

A. ReadOnly lock at the storage account scope.
B. CanNotDelete lock at the storage account scope.
C. CanNotDelete lock at the subscription scope.
D. Azure Policy deny assignment on all storage account operations.

Answer: B

CanNotDelete is the correct lock because it prevents deletion while still allowing typical configuration updates. That matches the requirement to protect the storage account from accidental removal without freezing all management operations. Applying it directly at the resource scope keeps the protection targeted to the specific storage account.

Why this answer

The CanNotDelete lock at the storage account scope prevents the storage account from being deleted while still allowing all read and update operations. This meets the requirement of keeping the storage account available for updates while preventing accidental deletion during maintenance windows.

Exam trap

The trap here is that candidates often confuse the ReadOnly lock with preventing deletion, but ReadOnly also blocks updates, which fails the requirement; they may also incorrectly assume a subscription-scoped lock is necessary for a single resource, ignoring the principle of least privilege.

How to eliminate wrong answers

Option A is wrong because a ReadOnly lock prevents all write operations, including updates, which contradicts the requirement that the storage account must remain available for updates. Option C is wrong because a CanNotDelete lock at the subscription scope would prevent deletion of all resources in the subscription, which is overly broad and not scoped to just the storage account; it could also interfere with other resources that need to be deleted. Option D is wrong because an Azure Policy deny assignment on all storage account operations would block all operations, including updates, and is not a lock mechanism; it is a policy-based control that can be more complex to manage and does not specifically target accidental deletion.

91 · Multi-Select · easy

A VM must be backed up every day, and backups must be retained for several days after creation. Which two settings are configured in an Azure Backup policy? Select two.

Select 2 answers
A. Backup schedule
B. Retention rules
C. Network security group rules
D. Private DNS zone records
E. Availability set placement

Answers: A, B

The schedule defines when Azure Backup creates the recovery point each day.

Why this answer

Option A is correct because an Azure Backup policy requires a backup schedule to define when the backup job runs (e.g., daily at a specific time). Option B is correct because retention rules specify how long each backup recovery point is kept (e.g., 7 days for daily backups, 30 days for weekly). Together, these two settings form the core of a backup policy, ensuring both the timing and lifespan of backups are controlled.

Exam trap

The trap here is that candidates confuse backup policies with other VM management features like networking or availability, but Azure Backup policies strictly require only a schedule and retention rules to function.

92 · MCQ · medium

An administrator plans to peer VNet-A with VNet-B so two application tiers can communicate over private IPs. VNet-A uses 10.20.0.0/16. VNet-B currently uses 10.20.1.0/24, and both VNets already contain subnets that must remain intact. The peering operation fails. What should the administrator do first?

A. Add a route table to VNet-B so traffic can bypass the overlap.
B. Change VNet-B to a non-overlapping address space before creating the peering.
C. Create a network security group rule to allow all traffic between the VNets.
D. Enable gateway transit on VNet-A so the address conflict is ignored.

Answer: B

Azure VNet peering requires that the peered VNets use non-overlapping IP address ranges. Because VNet-B overlaps with VNet-A, the peering cannot be created successfully until one side is renumbered. The safest first step is to plan and apply a new, unique CIDR block for VNet-B that does not conflict with any existing subnet or on-premises range. Once the address spaces are non-overlapping, peering can be created and private connectivity can work as intended.

Why this answer

VNet peering in Azure requires that the address spaces of the peered VNets do not overlap. VNet-A uses 10.20.0.0/16 and VNet-B uses 10.20.1.0/24, which is a subset of VNet-A's range, creating a direct overlap. The peering operation fails because Azure cannot route traffic correctly when address spaces conflict.

The first step must be to change VNet-B's address space to a non-overlapping range (e.g., 10.21.0.0/16) before attempting to create the peering.

Exam trap

The trap here is that candidates often think they can use route tables or NSG rules to work around the overlap, but Azure enforces non-overlapping address spaces at the peering creation stage, making any post-creation workaround impossible.

How to eliminate wrong answers

Option A is wrong because adding a route table does not resolve the fundamental address space overlap; Azure blocks peering creation when address spaces overlap, and route tables cannot bypass this validation. Option C is wrong because network security group rules control traffic filtering, not address space conflicts; the peering creation itself fails before any traffic can flow. Option D is wrong because gateway transit is used to route traffic through a hub VNet's VPN gateway, not to ignore address conflicts; overlapping address spaces are not allowed regardless of gateway settings.

93 · MCQ · medium

A stateless API must automatically add or remove identical VM instances when CPU usage crosses thresholds. The team also wants Microsoft to distribute instances across fault domains when possible. Which service should the administrator deploy?

A. An availability set
B. Azure Load Balancer
C. A virtual machine scale set
D. Azure App Service

Answer: C

A virtual machine scale set is designed for identical VM instances that can scale out and scale in automatically. It fits stateless workloads well and supports placement across fault domains in supported configurations, which helps improve resiliency while also meeting the demand-based scaling requirement.

Why this answer

A virtual machine scale set (VMSS) is the correct choice because it provides built-in autoscaling capabilities that automatically add or remove identical VM instances based on CPU usage thresholds. VMSS also supports automatic distribution of instances across fault domains when configured with a fault domain count greater than 1, meeting the requirement for Microsoft to distribute instances across fault domains.

Exam trap

The trap here is that candidates often confuse an availability set with a scale set, thinking that an availability set provides autoscaling, but it only offers fault domain distribution without any automatic instance management.

How to eliminate wrong answers

Option A is wrong because an availability set only provides high availability by distributing VMs across fault domains and update domains, but it does not support autoscaling or automatic addition/removal of VM instances based on CPU thresholds. Option B is wrong because Azure Load Balancer distributes incoming traffic across existing VM instances but has no native autoscaling capability to add or remove VMs based on CPU usage. Option D is wrong because Azure App Service is a platform-as-a-service (PaaS) offering for web applications, not for deploying and managing identical VM instances, and it does not provide the same level of control over VM-level autoscaling or fault domain distribution.

94
Multi-Selecthard

A VM in subnet S1 has two network security groups applied: one at the subnet and one directly on the NIC. The subnet NSG contains DenyAllInbound at priority 100 and AllowHTTPSFromOffice at priority 200. The NIC NSG contains AllowHTTPSFromOffice at priority 150 and no deny rules. Office users still cannot reach the VM on TCP 443. Which two statements are correct? Select two.

Select 2 answers
A.The subnet-level deny rule is evaluated before the later allow rule because lower priority numbers are processed first.
B.The NIC allow rule can override a deny decision already made by the subnet NSG.
C.Both the subnet NSG and the NIC NSG are evaluated, and a deny in either one blocks the packet.
D.The allow rule must use a private IP source range because public source ranges are not valid in NSG rules.
E.A user-defined route with next hop Internet would bypass the NSG deny and restore access.
AnswersA, C

NSG rules are processed in ascending priority order, so a lower number is evaluated before a higher number.

Why this answer

Option A is correct because, within a single NSG, rules are evaluated in ascending priority number and the first match wins. The subnet NSG hits DenyAllInbound at priority 100 before it ever reaches AllowHTTPSFromOffice at 200, so the allow is dead. Option C is correct because, for inbound traffic, Azure evaluates the subnet NSG first and then the NIC NSG, and the packet must be allowed by both; a deny at the subnet level is final, so the NIC NSG's allow rule at 150 is never consulted. Priority numbers are only meaningful inside one NSG: 150 on the NIC NSG does not "beat" 200 on the subnet NSG, because the two NSGs are evaluated one after the other, not merged into one list. The fix is to move the allow rule ahead of the blanket deny in the subnet NSG (for example allow at 100, deny at 200), or to drop the custom deny and rely on the built-in DenyAllInBound rule at 65500.

Exam trap

The trap here is that candidates assume NIC-level rules can override subnet-level rules, or that a lower priority number on the NIC NSG outranks a higher number on the subnet NSG. Azure applies both NSGs in sequence, a deny at either level blocks the traffic, and the subnet NSG's lower-numbered (higher-precedence) deny takes effect before the NIC NSG is evaluated at all.
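The evaluation order described above, as an added example that is not part of the question bank or of Azure itself. It models one NSG as "first match in ascending priority wins" and inbound traffic as "subnet NSG, then NIC NSG, both must allow", then runs the scenario from question 94 and the reordered fix through it. The office prefix 203.0.113.0/24 and the client address 203.0.113.10 are assumptions.

```python
"""Model of Azure NSG inbound evaluation for a VM with both a subnet NSG and a NIC NSG.

Added example, not code from the question bank or from Azure. The rules are built from the
scenario in question 94; the office prefix and client address are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple, Union


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int               # 100-4096 for custom rules; lower number is evaluated first
    access: str                 # "Allow" or "Deny"
    protocol: str               # "Tcp", "Udp" or "*"
    source: str                 # CIDR prefix or "*"
    dest_port: Union[int, str]  # port number or "*"


# Azure appends built-in default rules at 65000 and above; only the final DenyAllInBound
# (65500) matters for this scenario, so the VNet/load balancer allows are omitted.
DEFAULT_DENY = Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*")


def rule_matches(rule: Rule, src_ip: str, protocol: str, port: int) -> bool:
    if rule.protocol not in ("*", protocol):
        return False
    if rule.dest_port not in ("*", port):
        return False
    if rule.source != "*" and ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule.source):
        return False
    return True


def evaluate_nsg(rules: List[Rule], src_ip: str, protocol: str, port: int) -> Tuple[str, str]:
    """Within one NSG the first matching rule in ascending priority order decides."""
    for rule in sorted(rules + [DEFAULT_DENY], key=lambda r: r.priority):
        if rule_matches(rule, src_ip, protocol, port):
            return rule.access, rule.name
    raise AssertionError("unreachable: DenyAllInBound matches everything")


def evaluate_inbound(subnet_nsg, nic_nsg, src_ip, protocol, port) -> Tuple[str, str]:
    """Inbound traffic is checked against the subnet NSG first, then the NIC NSG.
    Both must allow the packet; a deny at either level is final, and the priorities of
    the other NSG never come into play."""
    access, name = evaluate_nsg(subnet_nsg, src_ip, protocol, port)
    if access == "Deny":
        return "Deny", "subnet:" + name
    access, name = evaluate_nsg(nic_nsg, src_ip, protocol, port)
    return access, "nic:" + name


OFFICE = "203.0.113.0/24"   # assumed office egress range

# The two NSGs exactly as the question describes them.
SUBNET_NSG = [
    Rule("DenyAllInbound", 100, "Deny", "*", "*", "*"),
    Rule("AllowHTTPSFromOffice", 200, "Allow", "Tcp", OFFICE, 443),
]
NIC_NSG = [Rule("AllowHTTPSFromOffice", 150, "Allow", "Tcp", OFFICE, 443)]

# The fix: put the allow at a lower number than the blanket deny in the subnet NSG.
FIXED_SUBNET_NSG = [
    Rule("AllowHTTPSFromOffice", 100, "Allow", "Tcp", OFFICE, 443),
    Rule("DenyAllInbound", 200, "Deny", "*", "*", "*"),
]


def office_https(subnet_nsg, nic_nsg) -> Tuple[str, str]:
    """Decision for an office user connecting to the VM on TCP 443."""
    return evaluate_inbound(subnet_nsg, nic_nsg, "203.0.113.10", "Tcp", 443)


if __name__ == "__main__":
    print("as configured:", office_https(SUBNET_NSG, NIC_NSG))
    print("after reorder: ", office_https(FIXED_SUBNET_NSG, NIC_NSG))
```

Running it shows the packet dying at `subnet:DenyAllInbound` with the original rules and reaching `nic:AllowHTTPSFromOffice` after the reorder; a non-office source is still denied at the subnet, and an office source with an empty NIC NSG is denied by the NIC's default rule, which is the "both must allow" point.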

95
MCQmedium

Based on the exhibit, which method should the administrator use to grant the partner time-limited access to one container?

A.Generate a service SAS by using the storage account key and email the URL to the partner.
B.Generate a user delegation SAS after authenticating with Microsoft Entra ID.
C.Make the container public and remove the SAS requirement from the partner workflow.
D.Assign the partner Storage Blob Data Contributor on the storage account and let them sign in interactively.
AnswerB

A user delegation SAS is the safest temporary access method in this scenario because it does not require exposing the storage account key. It is signed with Microsoft Entra credentials, can be scoped to one container, and can be set to expire after six hours. That makes it easy to grant and revoke access while limiting permissions.

Why this answer

A user delegation SAS is signed with a user delegation key obtained from Microsoft Entra ID rather than with the storage account key. It can be scoped to a single container (signed resource "c") with a start and expiry time, the permissions it grants are further bounded by the RBAC permissions of the identity that requested the key, and it can be revoked early by revoking the account's user delegation keys without rotating the account key. The delegation key, and therefore the SAS, can live for at most seven days. This is Microsoft's recommended method for granting delegated, time-bound access to blob data.

Exam trap

The trap here is that candidates often confuse a service SAS (which uses the storage account key and is easier to generate) with a user delegation SAS, not realizing that the user delegation SAS provides superior security and granularity for time-limited, container-scoped access without exposing the account key.

How to eliminate wrong answers

Option A is wrong because, although a service SAS can also be limited to one container and given an expiry, it is signed with the storage account key: anyone holding that key can mint unlimited further tokens, and the only way to revoke the token early is to rotate the key (breaking every other client that uses it) unless a stored access policy was used. Emailing the URL also puts a bearer credential into an unprotected channel. Option C is wrong because making the container public removes all access control, granting anonymous read access to everyone, which violates the requirement for time-limited and partner-specific access. Option D is wrong because assigning Storage Blob Data Contributor on the storage account grants persistent, broad permissions across every container that are not time-limited, and interactive sign-in does not give the partner a scoped, time-bound URL to use programmatically.
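Before a SAS URL leaves the organisation it is worth checking it structurally: the fields that distinguish a user delegation SAS (the `sk*` parameters carrying the delegation key) from an account-key SAS, the resource scope, the lifetime and the permissions. The checker below is an added example, not code from the question bank or from an Azure SDK; the account name, container, GUIDs and `sig` values are constructed placeholders (the signatures are not valid), so it runs offline and verifies only the token's shape, not its signature.

```python
"""Audit the SAS URL handed to a partner: is it a user delegation SAS, is it scoped to one
container, is its lifetime short, and are the permissions read-only?

Added example for question 95, not code from the question bank or an Azure SDK. The account
name, container, GUIDs and signatures below are constructed placeholders; the check is purely
structural and does not validate the signature.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Query parameters only present on a user delegation SAS: they describe the user delegation
# key (object id, tenant id, key start, key expiry, service, version).
DELEGATION_PARAMS = {"skoid", "sktid", "skt", "ske", "sks", "skv"}
SAS_TIME = "%Y-%m-%dT%H:%M:%SZ"   # SAS times are ISO 8601 in UTC


def _sas_time(value: str) -> datetime:
    return datetime.strptime(value, SAS_TIME).replace(tzinfo=timezone.utc)


def audit_sas(url: str, max_lifetime: timedelta = timedelta(hours=6)) -> Dict[str, object]:
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    findings: List[str] = []

    kind = "user-delegation" if DELEGATION_PARAMS.issubset(q) else "account-key"
    if kind == "account-key":
        findings.append("signed with the storage account key (service or account SAS)")

    if q.get("sr") != "c":
        findings.append(f"signedResource is {q.get('sr')!r}; expected 'c' (one container)")

    expiry = start = None
    try:
        expiry = _sas_time(q["se"])
    except (KeyError, ValueError):
        findings.append("missing or unparsable expiry (se)")
    if "st" in q:
        try:
            start = _sas_time(q["st"])
        except ValueError:
            findings.append("unparsable start time (st)")
    if expiry is not None and start is None:
        findings.append("no start time (st), so the lifetime cannot be verified")
    if expiry is not None and start is not None and expiry - start > max_lifetime:
        findings.append(f"lifetime {expiry - start} exceeds {max_lifetime}")

    if not set(q.get("sp", "")) <= set("rl"):
        findings.append(f"permissions {q.get('sp')!r} go beyond read and list")

    return {"kind": kind, "container": parts.path.strip("/"), "findings": findings}


# Constructed URLs: a user delegation SAS with a six-hour window and read/list only ...
DELEGATION_URL = (
    "https://contoso.blob.core.windows.net/partner-drop"
    "?sv=2022-11-02&sr=c&sp=rl&st=2024-05-01T08:00:00Z&se=2024-05-01T14:00:00Z"
    "&skoid=00000000-0000-0000-0000-000000000001&sktid=00000000-0000-0000-0000-000000000002"
    "&skt=2024-05-01T08:00:00Z&ske=2024-05-01T14:00:00Z&sks=b&skv=2022-11-02&sig=PLACEHOLDER"
)
# ... and an account-key service SAS that is valid for a year with write and delete rights.
ACCOUNT_KEY_URL = (
    "https://contoso.blob.core.windows.net/partner-drop"
    "?sv=2022-11-02&sr=c&sp=rwdl&st=2024-05-01T08:00:00Z&se=2025-05-01T08:00:00Z&sig=PLACEHOLDER"
)

if __name__ == "__main__":
    for url in (DELEGATION_URL, ACCOUNT_KEY_URL):
        print(audit_sas(url))
```

The second URL produces three findings (account-key signing, a one-year lifetime, write and delete permissions); the first produces none. The six-hour budget is a parameter, so the same check can enforce whatever window the exhibit or the partner agreement specifies.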

96
MCQhard

A storage account hosts application logs that security wants to search in Log Analytics for 30 days and keep in a separate retained copy for one year. They also want to monitor storage metrics in the same place for troubleshooting. What should be configured on the storage account?

A.Enable only the activity log export because it already includes all storage telemetry.
B.Create a diagnostic setting that sends the storage resource logs and AllMetrics to Log Analytics and a storage account.
C.Create an action group that archives storage events and forwards them to investigators.
D.Create a metric alert on the storage account and use it as the retention mechanism.
AnswerB

Diagnostic settings can stream both resource logs and supported metrics from the storage account. Sending the logs to Log Analytics makes them searchable for troubleshooting, while sending them to a storage account preserves a second copy for the required one-year retention. Including metrics in the same diagnostic setting gives operators a unified view of performance and troubleshooting data. This is the most complete configuration for the stated retention and analysis goals.

Why this answer

Option B is correct because a diagnostic setting on a storage account can send both resource logs (e.g., StorageRead, StorageWrite) and AllMetrics (e.g., transactions, ingress) to a Log Analytics workspace for querying and to a secondary storage account for long-term retention. This meets the requirement to search logs for 30 days in Log Analytics (which has its own retention setting) and keep a separate archived copy for one year in the storage account.

Exam trap

The trap here is that candidates confuse the activity log (which only covers Azure resource management events) with resource logs (which capture data-plane operations), leading them to choose Option A, or they mistakenly think an action group or metric alert can handle log retention.

How to eliminate wrong answers

Option A is wrong because the activity log does not include storage resource logs or metrics; it only records control-plane operations (e.g., creating a storage account), not data-plane telemetry like read/write requests or latency. Option C is wrong because an action group is used to send notifications (e.g., email, SMS) when an alert fires, not to archive or forward logs for retention or search. Option D is wrong because a metric alert triggers a notification based on a threshold condition; it does not provide a mechanism for retaining or searching logs or metrics over time.

97
MCQmedium

A hub VNet has a VPN gateway connected to on-premises networks. A new spoke VNet must reach on-premises resources through the existing hub gateway without deploying another gateway. What peering configuration should the administrator use?

A.Enable forwarded traffic on both peerings and create a route table in the spoke.
B.Enable gateway transit on the hub peering and use remote gateways on the spoke peering.
C.Deploy a private endpoint in the spoke for each on-premises subnet.
D.Create a service endpoint on the spoke subnet for Microsoft.Network.
AnswerB

This is the standard configuration for letting a spoke VNet use an existing hub VPN gateway. The hub side must allow gateway transit, and the spoke side must be configured to use the remote gateway. Together, these settings let the spoke inherit on-premises connectivity through the hub without deploying a separate gateway.

Why this answer

Option B is correct because it lets the spoke VNet share the hub VNet's VPN gateway without deploying a separate gateway. 'Allow gateway transit' on the hub side of the peering permits the hub's gateway to be used by the peered VNet, while 'Use remote gateways' on the spoke side makes the spoke send on-premises-bound traffic to that gateway. Two prerequisites are easy to miss: the spoke must not have a virtual network gateway of its own (Azure rejects 'Use remote gateways' if it does), and the on-premises side must have a route for the spoke's prefix over the tunnel, for example learned through BGP from the hub gateway or added to the on-premises device's configuration for static routing.

Exam trap

The trap here is that candidates often confuse 'forwarded traffic' with 'gateway transit' — forwarded traffic only allows traffic to pass through a VNet (e.g., from a network virtual appliance), but it does not enable the use of a VPN gateway in the peered VNet, which requires the specific gateway transit setting.

How to eliminate wrong answers

Option A is wrong because enabling forwarded traffic on both peerings only allows traffic to pass through the hub from the spoke, but without gateway transit, the spoke cannot use the hub's VPN gateway; a route table in the spoke alone does not enable gateway functionality. Option C is wrong because a private endpoint is used for secure access to Azure PaaS services (e.g., Azure SQL, Storage) over a private IP, not for routing traffic to on-premises networks through a VPN gateway. Option D is wrong because a service endpoint for Microsoft.Network extends the spoke's VNet identity to Azure services, but it does not provide connectivity to on-premises networks via a VPN gateway.

98
Multi-Selecthard

A build pipeline starts a Linux container once per request. Each run lasts about 12 minutes, never needs inbound connections, and should not leave an always-on server running afterward. Which two configuration choices best fit Azure Container Instances? Select two.

Select 2 answers
A.Use Azure Container Instances for the workload.
B.Set the container group's restart policy to Never.
C.Create an App Service plan with deployment slots.
D.Use a virtual machine scale set to host the container.
E.Place the workload in an availability set for host protection.
AnswersA, B

Correct. ACI is designed for short-lived container runs without managing hosts or clusters.

Why this answer

Azure Container Instances (ACI) is the correct choice because it is a serverless container platform that starts containers on demand, runs them for the duration of the workload (here ~12 minutes), and automatically stops and deallocates resources when the container exits. It requires no always-on infrastructure, supports Linux containers, and does not need inbound connections, making it ideal for ephemeral build pipeline tasks.

Exam trap

The trap here is that candidates may confuse Azure Container Instances with always-on services like App Service or VM-based solutions, failing to recognize that ACI's 'Never' restart policy perfectly matches the requirement for a single-run, ephemeral workload that leaves no server running afterward.

99
Matchingmedium

An operations team monitors a group of Azure VMs and storage accounts. Match each Azure Monitor component to the behavior it provides in day-to-day operations.

Concepts and their matching descriptions

Metric alert rule: Evaluates a numeric metric and fires when the threshold condition is met.

Action group: Sends the alert to chosen recipients or automation targets.

Azure Service Health: Shows Microsoft platform, region, or resource health incidents affecting the subscription.

Diagnostic setting: Sends resource logs and metrics to Log Analytics, Event Hub, or Storage for later analysis.

Why these pairings

A metric alert rule evaluates a metric against a threshold and fires when the condition holds; the action group is what the fired alert invokes to email, text, or run automation; Service Health reports Microsoft-side incidents and planned maintenance that affect the subscription's resources; a diagnostic setting is the per-resource routing of logs and metrics to a Log Analytics workspace, an event hub, or a storage account.

100
Matchinghard

An operations lead must choose the right Azure Monitor target for each requirement. Match each requirement to the Azure component that best satisfies it.

Concepts

Log Analytics workspace

Storage account

Event Hub

Action group

Why these pairings

A Log Analytics workspace stores logs and metrics for interactive KQL queries and log-based alerts; a storage account is the low-cost destination for long-term archival of the same data; an Event Hub streams logs and metrics to a consumer outside Azure Monitor, typically an external SIEM; an action group defines the notification and automation targets that an alert rule invokes.

101
MCQmedium

An application in a subnet must access an Azure Storage account over a private IP. The storage account must not be reachable through its public endpoint, and access should be limited to that subnet only. Which configuration should the administrator implement?

A.Create a service endpoint for Microsoft.Storage on the subnet and keep the public endpoint enabled.
B.Create a private endpoint in the subnet and disable public network access on the storage account.
C.Use a shared access signature token and leave network settings unchanged.
D.Associate the storage account with a NAT gateway to control inbound access.
AnswerB

A private endpoint places a private IP address for the storage account into the VNet, so traffic stays on the private network path. Disabling public network access ensures the account cannot be reached through its public endpoint. Together, these settings meet both requirements: private IP access and subnet-scoped connectivity.

Why this answer

Option B is correct because a private endpoint assigns a private IP from the subnet to the storage account, effectively bringing the service into the virtual network, and disabling public network access ensures the account is reachable only through that private endpoint. One caveat on the "that subnet only" requirement: a private endpoint's IP is reachable from every subnet in the VNet, and from peered VNets, by default. To truly limit access to the one subnet, the administrator also needs an NSG on the private endpoint (which requires enabling private endpoint network policies on its subnet) or equivalent filtering; disabling public access alone only closes the public path.

Exam trap

The trap here is confusing service endpoints (which still use the public endpoint) with private endpoints (which provide a private IP and can disable public access), leading candidates to choose Option A thinking it provides private connectivity.

How to eliminate wrong answers

Option A is wrong because a service endpoint keeps the public endpoint enabled and only adds a route to the storage account's public IPs, which does not satisfy the requirement to make the storage account unreachable through its public endpoint. Option C is wrong because a shared access signature (SAS) token provides time-limited access via the public endpoint, but it does not restrict access to a specific subnet or disable the public endpoint. Option D is wrong because a NAT gateway controls outbound traffic from the subnet to the internet, not inbound access to the storage account, and does not provide private connectivity or disable the public endpoint.

102
MCQmedium

A company runs two identical Linux VMs for a stateless web app in an Azure region that supports availability zones. The business requires protection from a full datacenter outage, not just planned host maintenance. Which deployment choice best meets this requirement?

A.Place both VMs in an availability set.
B.Deploy the VMs across availability zones.
C.Use a proximity placement group for both VMs.
D.Deploy both VMs in a single-zone virtual machine scale set.
AnswerB

Availability zones place resources in physically separate datacenters within the same region. If one zone becomes unavailable, the other zone can continue serving traffic. That makes zones the correct choice when the requirement is resilience to a datacenter-scale outage. They provide stronger isolation than availability sets, which mainly protect against host and maintenance failures inside a single datacenter boundary.

Why this answer

Option B is correct because deploying the two VMs across different availability zones ensures that each VM resides in a physically separate datacenter within the region. This architecture protects against a full datacenter outage, as an availability zone failure affects only one zone, leaving the other VM operational. Availability zones provide a 99.99% SLA for VMs when two or more instances are deployed across zones, which aligns with the requirement for protection beyond planned host maintenance.

Exam trap

The trap here is that candidates confuse availability sets (which protect against rack-level failures within a single datacenter) with availability zones (which protect against full datacenter outages), leading them to choose Option A incorrectly.

How to eliminate wrong answers

Option A is wrong because an availability set protects only against hardware failures within a single datacenter and planned maintenance events, not against a full datacenter outage, as all VMs in an availability set are placed within the same datacenter. Option C is wrong because a proximity placement group is designed to reduce network latency by co-locating VMs close together, which actually increases the risk of a single datacenter outage affecting both VMs, not providing protection. Option D is wrong because a single-zone virtual machine scale set places all VM instances within the same availability zone, so a full datacenter outage in that zone would take down all instances, failing to meet the protection requirement.

103
MCQhard

You store long-term financial statements in Azure Blob Storage. The files are almost never accessed, but when they are needed they must be readable immediately without waiting for rehydration. You need to minimize cost. Which access tier should you use?

A.Hot
B.Cool
C.Archive
D.Premium
AnswerB

Cool provides lower cost for infrequently accessed data while keeping it immediately available.

Why this answer

The Cool access tier is optimal for data that is infrequently accessed but must be available immediately when needed, offering lower storage costs than Hot while keeping the data online with low-latency reads. Cool carries a 30-day early-deletion charge and higher transaction and retrieval costs than Hot, which is acceptable for statements that are kept for years and read rarely. Archive would require rehydration (taking hours) before reading, violating the requirement for immediate readability. Hot is more expensive for long-term storage of rarely accessed data, and Premium is designed for high-performance workloads, not cost-efficient archival.

Exam trap

The trap here is that candidates often choose Archive thinking it is the cheapest option, but they overlook the requirement for 'immediate readability without waiting for rehydration,' which Archive cannot satisfy.

How to eliminate wrong answers

Option A is wrong because the Hot tier has higher storage costs per GB than Cool, making it suboptimal for long-term storage of almost never accessed files. Option C is wrong because the Archive tier requires rehydration (which can take up to 15 hours) before data can be read, violating the requirement for immediate readability without waiting. Option D is wrong because the Premium tier is optimized for low-latency, high-transaction workloads (e.g., Azure Virtual Desktop disks) and incurs significantly higher costs, making it unsuitable for cost-minimized long-term storage of rarely accessed financial statements.

104
MCQhard

A customer runs two Windows VMs in a region that does not support availability zones. The app can lose one VM but must keep running through planned maintenance and a single host failure. Which deployment pattern should you use?

A.Use a single-instance deployment and add more backup jobs.
B.Place both VMs in an availability set.
C.Use availability zones because they always exist in every region.
D.Put both VMs on the same dedicated host to avoid migration during maintenance.
AnswerB

An availability set spreads VMs across fault domains and update domains within one datacenter boundary. That protects the application from planned maintenance and from a single host or rack failure. Because the region does not support availability zones, the availability set is the best way to improve uptime for two VMs that can tolerate one instance being unavailable.

Why this answer

An availability set ensures that VMs are placed on different fault domains (separate physical hardware) and update domains (separate maintenance batches). This protects against both a single host failure and planned Azure maintenance, meeting the requirement that the app can lose one VM but keep running.

Exam trap

The trap here is that candidates assume availability zones are always available or that a dedicated host provides isolation, but the question's constraint (region without zones) and the need for both fault domain and update domain protection point directly to an availability set.

How to eliminate wrong answers

Option A is wrong because a single-instance deployment with backup jobs does not provide high availability; backups restore data but do not prevent downtime during a host failure or maintenance. Option C is wrong because availability zones do not exist in every region, and the question explicitly states the region does not support them. Option D is wrong because placing both VMs on the same dedicated host means they share the same physical hardware, so a host failure or maintenance event would take both VMs down simultaneously.

105
Multi-Selecteasy

A production VM needs an email and SMS notification when CPU percentage stays above 80 percent for five minutes. Which two Azure Monitor components should the administrator configure? Select two.

Select 2 answers
A.Action group
B.Azure Policy assignment
C.Metric alert rule
D.Recovery Services vault
E.Log Analytics workspace
AnswersA, C

An action group defines the notifications or automated responses sent when an alert fires.

Why this answer

A Metric alert rule monitors the VM’s CPU percentage metric and triggers when the condition (above 80% for 5 minutes) is met. An Action group defines the notification actions (email and SMS) that are executed when the alert fires. Together, they enable the required notification workflow.

Exam trap

The trap here is that candidates may confuse Log Analytics workspace (which can also generate alerts from log queries) with the metric-based alerting required for CPU percentage, or mistakenly think a Recovery Services vault is involved in monitoring notifications.

106
Matchingmedium

A backup administrator is learning how Azure VM backup actions map to their purpose. Match each Recovery Services or backup item to the best description.

Concepts and their matching descriptions

Recovery Services vault: Central place where Azure VM backups, policies, and recovery points are managed.

Backup policy: Defines when backups run and how long recovery points are retained.

File Recovery: Mounts a recovery point so individual files or folders can be copied back.

Restore disks: Recovers VM disks so they can be attached or used to rebuild a machine.

Replace existing: Overwrites the original VM by restoring it from a chosen recovery point.

Why these pairings

The vault is the management boundary for backup items, policies, and recovery points; the backup policy controls schedule and retention; File Recovery mounts a recovery point as a local drive through a downloaded script so files can be copied without restoring the whole VM; Restore disks writes the recovered disks to a staging storage account or managed disks so a VM can be rebuilt or the disks attached manually; Replace existing restores over the source VM in place, after Azure Backup snapshots the current disks.

107
MCQmedium

A help desk analyst wants a query in Log Analytics that returns Azure virtual machines that have stopped sending a heartbeat for more than 15 minutes. Which KQL query should the analyst run?

A.Heartbeat | summarize LastSeen=max(TimeGenerated) by Computer | where LastSeen < ago(15m)
B.AzureActivity | where OperationNameValue contains 'Heartbeat' | summarize count() by ResourceGroup
C.Perf | where CounterName == '% Processor Time' | summarize avg(CounterValue) by Computer
D.SecurityEvent | where EventID == 4624 | summarize count() by Computer
AnswerA

This query uses the Heartbeat table to identify the most recent signal from each VM and filters for machines whose latest heartbeat is older than 15 minutes. That is the correct pattern for detecting VMs that are no longer reporting to Log Analytics or Azure Monitor. It is practical, concise, and directly aligned to troubleshooting agent connectivity or VM availability.

Why this answer

Option A is correct because the Heartbeat table records a heartbeat that the Azure Monitor agent (and the legacy Log Analytics agent) sends roughly once a minute per machine. The query uses `summarize` to find the latest `TimeGenerated` per computer, then filters with `where LastSeen < ago(15m)` to return VMs whose newest heartbeat is older than 15 minutes, which indicates the VM is stopped, disconnected, or the agent has failed. One caveat when running it: the portal's time range is applied before `summarize`, so a machine whose last heartbeat is older than the selected range drops out of the results entirely instead of being reported. Run the query over a range wider than the longest outage you want to catch, for example 24 hours.

Exam trap

The trap here is that candidates may confuse the Heartbeat table with other log tables (AzureActivity, Perf, SecurityEvent) that contain different data types, leading them to pick a query that looks for 'heartbeat' in the wrong table or uses irrelevant metrics like CPU or logon events.

How to eliminate wrong answers

Option B is wrong because the AzureActivity table tracks Azure resource management operations (e.g., create, delete), not agent heartbeats; filtering for 'Heartbeat' in OperationNameValue would not return meaningful data for VM connectivity. Option C is wrong because the Perf table stores performance counters like '% Processor Time', which does not indicate VM heartbeat status; it measures CPU usage, not agent connectivity. Option D is wrong because the SecurityEvent table logs Windows security events such as logon attempts (EventID 4624), which are unrelated to agent heartbeats and cannot determine if a VM has stopped sending heartbeats.
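The same logic as the KQL query, written in Python over constructed Heartbeat rows so it runs offline. This is an added example, not code from the question bank; the computer names, timestamps and the fixed clock `NOW` are made up. It also models the query time range, which is what makes long-silent machines vanish from the result if the range is too narrow.

```python
"""Python rendering of the KQL from question 107, run over constructed Heartbeat rows.

Added example, not code from the question bank; computer names, timestamps and the fixed
clock NOW are constructed. The Log Analytics query it mirrors is:

    Heartbeat | summarize LastSeen=max(TimeGenerated) by Computer | where LastSeen < ago(15m)
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)   # stands in for now() in the portal


def hb(computer: str, minutes_ago: int) -> Dict[str, object]:
    """One constructed Heartbeat row."""
    return {"Computer": computer, "TimeGenerated": NOW - timedelta(minutes=minutes_ago)}


# web01 is healthy, web02 went quiet 20 minutes ago, db01 has been silent for two hours.
ROWS = [
    hb("web01", 1), hb("web01", 2), hb("web01", 3),
    hb("web02", 20), hb("web02", 21), hb("web02", 22),
    hb("db01", 120), hb("db01", 121),
]


def stale_computers(rows, now=NOW, threshold_minutes: int = 15,
                    query_range_minutes: int = 24 * 60) -> List[Tuple[str, timedelta]]:
    """Return (Computer, silence) for every computer whose newest heartbeat within the
    query time range is older than the threshold.

    query_range_minutes models the portal/API time range, which is applied before the query
    runs: rows older than it are never seen, so a machine silent for longer than the range
    disappears from the result instead of being reported as stale."""
    last_seen: Dict[str, datetime] = {}
    for row in rows:                                   # Heartbeat, restricted to the time range
        t = row["TimeGenerated"]
        if t < now - timedelta(minutes=query_range_minutes):
            continue
        c = row["Computer"]
        if c not in last_seen or t > last_seen[c]:     # summarize LastSeen=max(TimeGenerated) by Computer
            last_seen[c] = t
    cutoff = now - timedelta(minutes=threshold_minutes)  # ago(15m)
    return sorted((c, now - t) for c, t in last_seen.items() if t < cutoff)


if __name__ == "__main__":
    for computer, silence in stale_computers(ROWS):
        print(f"{computer}: no heartbeat for {silence}")
```

With the default 24-hour range both web02 and db01 are reported; with a 15-minute range neither is, because every one of their rows falls outside the window before the summarize step sees it.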

108
MCQmedium

A web workload in a subnet must use a NAT gateway for outbound internet traffic so the source IP is stable. The subnet currently has a route table with a 0.0.0.0/0 user-defined route to a virtual appliance. What should the administrator change?

A.Add an NSG outbound allow rule for TCP 80 and TCP 443.
B.Remove or replace the 0.0.0.0/0 UDR to the virtual appliance and associate the NAT gateway with the subnet.
C.Create a private endpoint for the web workload.
D.Enable VNet peering to a hub network with a firewall.
AnswerB

A NAT gateway provides stable outbound internet connectivity only when traffic follows the normal internet path from the subnet. The custom default route to a virtual appliance forces traffic away from that path, so the NAT gateway is bypassed. Removing or replacing the forced-tunnel route and then attaching the NAT gateway to the subnet allows outbound internet traffic to use the NAT gateway’s public IPs.

Why this answer

The current route table has a 0.0.0.0/0 user-defined route (UDR) pointing to a virtual appliance, which forces all internet-bound traffic through that appliance. Associating a NAT gateway with the subnet makes it the egress path for the system default route to the Internet, but it does not add a new route and it does not override a UDR: on the same 0.0.0.0/0 prefix a user-defined route takes precedence over the system route, so the appliance keeps receiving the traffic and the NAT gateway is bypassed. The administrator must therefore remove or replace that UDR and then associate the NAT gateway with the subnet so outbound traffic egresses from the NAT gateway's public IP or prefix.

Exam trap

The trap here is that candidates think associating a NAT gateway automatically takes precedence over everything else, but when prefixes are equal a user-defined route wins over the system default route, so a 0.0.0.0/0 UDR to an appliance keeps winning until it is removed or changed.

How to eliminate wrong answers

Option A is wrong because adding an NSG outbound allow rule for TCP 80 and TCP 443 does not change the routing path; traffic would still be forced through the virtual appliance due to the existing UDR, and the NAT gateway would not be used. Option C is wrong because a private endpoint is used for inbound access to Azure PaaS services over a private IP, not for outbound internet traffic with a stable source IP. Option D is wrong because enabling VNet peering to a hub network with a firewall does not remove the existing UDR to the virtual appliance; the peering would still route traffic through the appliance unless the UDR is modified, and it does not directly provide a stable source IP via a NAT gateway.

109
MCQmedium

An administrator creates a route table with a UDR for 10.20.0.0/16 and next hop type Virtual appliance. A VM in the subnet still does not send that traffic to the appliance. The route table contents are correct. What should be checked first?

A.Whether the NSG has an outbound deny rule for port 80.
B.Whether the route table is associated with the correct subnet.
C.Whether the VM uses a managed identity.
D.Whether the virtual machine is in an availability set.
AnswerB

A route table only affects traffic for the subnet to which it is associated. If the table exists and the route is correct but traffic still follows another path, the first thing to verify is that the VM's subnet is actually linked to that route table. Without that association, the UDR is never applied, even though the route definition itself looks valid.

Why this answer

The most common reason a UDR fails to take effect is that the route table is not associated with the subnet containing the VM. Even if the route table contents are correct, the VM's traffic follows the default system routes unless the table is explicitly linked to the subnet; association is the step that overrides Azure's default routing. Confirm it from the NIC's effective routes (Network Watcher, or `az network nic show-effective-route-table`): the UDR will simply be absent from the list until the association is made.

Exam trap

The trap here is that candidates often focus on the route table contents being correct and overlook the critical step of associating the route table with the subnet, assuming that creating the route table is sufficient to apply it.

How to eliminate wrong answers

Option A is wrong because an NSG outbound deny rule for port 80 would block traffic based on port, not prevent the UDR from being applied; the UDR controls routing, not firewall filtering. Option C is wrong because a managed identity is an Azure AD authentication mechanism for accessing Azure resources and has no impact on network routing or UDR enforcement. Option D is wrong because an availability set is a high-availability configuration for VMs across fault domains and update domains; it does not influence route table association or traffic forwarding.
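Questions 108 and 109 are both about which route Azure actually selects. The model below is an added example, not code from the question bank or from Azure: it applies Azure's selection order (longest prefix match, then user-defined over BGP over system route), only includes a route table's routes once it is associated with the subnet, and treats a NAT gateway as taking over the system Internet route but not a user-defined 0.0.0.0/0. The VNet prefix, appliance address and destination addresses are constructed.

```python
"""Model of how Azure picks the effective route for an outbound packet from a subnet.

Added example for questions 108 and 109, not code from the question bank or from Azure. The
VNet prefix, appliance address and destination addresses are constructed.

Rules modeled (they are Azure's): longest prefix match wins; on an equal prefix a user-defined
route beats a BGP route, which beats a system route; a route table contributes nothing until it
is associated with the subnet; a NAT gateway takes over the system default route to the
Internet, but not a user-defined 0.0.0.0/0 that points somewhere else.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

SOURCE_RANK = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}   # tie-break order


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop_type: str            # "VnetLocal", "Internet", "None", "VirtualAppliance", ...
    source: str                   # "Default" (system), "User" (UDR), "VirtualNetworkGateway" (BGP)
    next_hop_ip: Optional[str] = None


def system_routes(vnet_prefix: str) -> List[Route]:
    """The IPv4 default system routes Azure creates for every subnet."""
    return [
        Route(vnet_prefix, "VnetLocal", "Default"),
        Route("0.0.0.0/0", "Internet", "Default"),
        # Private and carrier-grade NAT space is dropped unless a more specific route exists.
        Route("10.0.0.0/8", "None", "Default"),
        Route("172.16.0.0/12", "None", "Default"),
        Route("192.168.0.0/16", "None", "Default"),
        Route("100.64.0.0/10", "None", "Default"),
    ]


def effective_routes(vnet_prefix: str, route_table: Optional[List[Route]] = None,
                     associated: bool = False) -> List[Route]:
    """Question 109: UDRs appear in the subnet's effective routes only once the table is associated."""
    routes = system_routes(vnet_prefix)
    if route_table and associated:
        routes = routes + route_table
    return routes


def next_hop(routes: List[Route], dest_ip: str, nat_gateway: bool = False) -> str:
    dest = ipaddress.ip_address(dest_ip)
    candidates = [r for r in routes if dest in ipaddress.ip_network(r.prefix)]
    best = min(candidates, key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen,
                                          SOURCE_RANK[r.source]))
    # Question 108: the NAT gateway replaces the *system* Internet route as the egress path.
    # A user-defined 0.0.0.0/0 to an appliance wins the tie above and so bypasses the NAT.
    if nat_gateway and best.source == "Default" and best.next_hop_type == "Internet":
        return "NatGateway"
    return best.next_hop_type


VNET = "10.10.0.0/16"
APPLIANCE = "10.10.1.4"
TO_APPLIANCE = [Route("10.20.0.0/16", "VirtualAppliance", "User", APPLIANCE)]   # question 109
FORCE_TUNNEL = [Route("0.0.0.0/0", "VirtualAppliance", "User", APPLIANCE)]      # question 108

if __name__ == "__main__":
    print("UDR table not associated :", next_hop(effective_routes(VNET, TO_APPLIANCE, False), "10.20.1.5"))
    print("UDR table associated     :", next_hop(effective_routes(VNET, TO_APPLIANCE, True), "10.20.1.5"))
    print("NAT gateway + forced UDR :", next_hop(effective_routes(VNET, FORCE_TUNNEL, True), "203.0.113.10", nat_gateway=True))
    print("NAT gateway, UDR removed :", next_hop(effective_routes(VNET, [], True), "203.0.113.10", nat_gateway=True))
```

The unassociated case is instructive: 10.20.1.5 does not fall back to the Internet route but to the system 10.0.0.0/8 route with next hop None, so the traffic is silently dropped, which is exactly the symptom in question 109. Once the table is associated, the /16 UDR outranks that /8 and the appliance receives the traffic.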

110
MCQhard

You need to collect performance counters and event logs from multiple Azure virtual machines and query the data centrally by using Kusto Query Language. Which Azure resource should you deploy?

A.A Log Analytics workspace
B.A Recovery Services vault
C.Azure Network Watcher
D.A load balancer
AnswerA

A Log Analytics workspace is the central platform for Azure Monitor Logs and KQL queries.

Why this answer

A Log Analytics workspace is the correct Azure resource because it ingests performance counters and event logs from Azure virtual machines via the Azure Monitor agent or the legacy Log Analytics agent, and stores them in a centralized repository. You can then query this data using Kusto Query Language (KQL) to perform real-time analysis, troubleshooting, and reporting across multiple VMs.

Exam trap

The trap here is that candidates often confuse Azure Monitor with Azure Backup or network monitoring tools, mistakenly thinking a Recovery Services vault or Network Watcher can store and query log data, when in fact only a Log Analytics workspace provides the centralized KQL-based querying capability for performance counters and event logs.

How to eliminate wrong answers

Option B is wrong because a Recovery Services vault is used for Azure Backup and Azure Site Recovery scenarios, such as backing up VMs or replicating them to another region, not for collecting and querying performance counters or event logs. Option C is wrong because Azure Network Watcher provides network-level monitoring and diagnostics (e.g., packet capture, NSG flow logs, connection troubleshoot), but it does not ingest OS-level performance counters or event logs, nor does it support KQL-based querying. Option D is wrong because a load balancer distributes incoming network traffic across backend resources and does not collect or store performance counters or event logs for querying.

111
Multi-Select · easy

A subscription admin wants to investigate who changed a resource and also review the platform-generated events for that subscription. Which two types of logs can be sent to Log Analytics and queried later? Select two.

Select 2 answers
A. Activity log entries
B. Resource diagnostic logs
C. Azure Backup vault names
D. Virtual network address spaces
E. Managed disk size settings
Answers: A, B

Activity logs record subscription-level events such as create, update, and delete operations.

Why this answer

The Activity log (option A) records subscription-level events such as who created, modified, or deleted a resource, making it essential for investigating administrative changes. Resource diagnostic logs (option B) capture platform-generated events emitted by a resource itself (e.g., Azure SQL Database audit logs, network security group flow logs), which can be sent to Log Analytics for querying. Both log types can be configured to stream to a Log Analytics workspace, enabling Kusto Query Language (KQL) analysis.

Exam trap

The trap here is that candidates often confuse resource diagnostic logs (which are platform-generated events from the resource) with Activity logs (which are subscription-level administrative events), and mistakenly think configuration properties like disk sizes or address spaces are loggable events.

112
MCQ · medium

A stateless API runs on Azure VMs and experiences unpredictable traffic spikes during the day. The administrator must automatically add or remove identical VM instances based on CPU usage, and the platform should distribute instances across fault domains without manual placement. What should be used?

A. Availability set
B. Virtual machine scale set
C. Availability zone
D. Proximity placement group
Answer: B

A virtual machine scale set supports automatic instance scaling and distributes instances for better platform resilience.

Why this answer

Virtual machine scale sets (VMSS) automatically manage identical VM instances and can scale out/in based on CPU usage metrics via autoscale rules. They distribute instances across fault domains automatically without manual placement, ensuring high availability during unpredictable traffic spikes.

Exam trap

The trap here is that candidates often confuse availability sets with scale sets, thinking an availability set can also handle automatic scaling, but availability sets only provide fault domain distribution for a static set of VMs and lack autoscaling capabilities.

How to eliminate wrong answers

Option A is wrong because an availability set only provides fault domain and update domain distribution for a fixed set of VMs, but it does not support automatic scaling based on CPU usage or dynamic addition/removal of instances. Option C is wrong because an availability zone is a physically separate datacenter within a region used for disaster recovery, not a mechanism for automatic scaling or fault domain distribution within a single region. Option D is wrong because a proximity placement group is designed to reduce network latency by colocating VMs, but it does not provide automatic scaling or fault domain distribution across instances.

113
Multi-Select · hard

A stateless application must keep serving traffic if one datacenter in the region fails, and it must also add or remove instances during daily load spikes. Which two deployment choices should the administrator make? Select two.

Select 2 answers
A. Deploy the application on a virtual machine scale set.
B. Configure the deployment to use availability zones.
C. Use a single availability set with one VM to reduce complexity.
D. Use a proximity placement group for the workload.
E. Deploy one larger VM with a premium SSD instead of multiple instances.
Answers: A, B

Correct. A VM scale set supports adding and removing identical instances automatically as demand changes.

Why this answer

A virtual machine scale set (VMSS) allows automatic scaling of instances in response to load spikes, meeting the requirement to add or remove instances dynamically. Combined with availability zones, which distribute instances across physically separate datacenters within a region, the application remains available even if one entire datacenter fails. This pair ensures both high availability and elastic scaling for a stateless application.

Exam trap

The trap here is that candidates often confuse availability sets (which protect against rack-level failures within a single datacenter) with availability zones (which protect against entire datacenter failures), leading them to pick a single availability set as sufficient for datacenter failure resilience.

114
MCQ · easy

A help desk engineer must be able to start, stop, and resize only VM-App01. The engineer must not gain access to any other virtual machines or resource groups in the subscription. What scope should you use for the Azure RBAC role assignment?

A. Assign the role at the subscription scope so the engineer can manage any VM in the subscription.
B. Assign the role at the virtual machine scope for VM-App01 only.
C. Assign the role at the resource group scope that contains VM-App01.
D. Assign the role at a management group scope so the team can standardize access.
Answer: B

This limits the role to a single resource and matches the requirement exactly.

Why this answer

Option B is correct because Azure RBAC allows you to assign a role at the virtual machine scope, which restricts permissions to that specific resource only. By assigning a role like 'Virtual Machine Contributor' at the scope of VM-App01, the help desk engineer can start, stop, and resize only that VM without gaining access to any other VMs or resource groups in the subscription.

Exam trap

The trap here is that candidates often default to resource group scope thinking it is granular enough, but they overlook that resource group scope grants access to all resources within that group, not just the single VM.

How to eliminate wrong answers

Option A is wrong because assigning the role at the subscription scope grants permissions to all virtual machines and resources within the subscription, violating the requirement to restrict access to only VM-App01. Option C is wrong because assigning the role at the resource group scope would allow the engineer to manage all VMs within that resource group, not just VM-App01. Option D is wrong because assigning the role at a management group scope would apply permissions to all subscriptions and resources under that management group, far exceeding the required scope.

115
MCQ · medium

A Windows VM and a Linux VM in Azure need to use the same shared folder for application artifacts. The team wants a managed file service instead of running a separate file server VM, and both operating systems must be able to mount the share using a standard protocol. Which solution should the administrator implement?

A. Create a blob container and mount it as a file system from both virtual machines.
B. Create an Azure Files share and mount it over SMB from both virtual machines.
C. Use an Azure managed disk and attach it to both virtual machines.
D. Create an Azure Files share and force the Linux VM to use NFS while the Windows VM uses SMB.
Answer: B

Azure Files is the managed file service designed for shared file access. SMB is supported by Windows natively and can also be mounted from Linux using standard tools. This gives both VMs access to the same share without introducing a separate file server VM, which fits the requirement precisely.

Why this answer

Azure Files provides a fully managed file share that supports both SMB and NFS protocols. Since the question requires a managed file service accessible by both Windows and Linux VMs using a standard protocol, the correct solution is to create an Azure Files share and mount it over SMB from both VMs. Windows natively supports SMB, and Linux can mount SMB shares using the CIFS-utils package, meeting the requirement without running a separate file server VM.

Exam trap

The trap here is that candidates may assume Azure Files supports both SMB and NFS on the same share, but in reality each share is protocol-specific, and mixing protocols is not allowed, making Option D a common distractor.

How to eliminate wrong answers

Option A is wrong because a blob container is an object storage service, not a file system; mounting it as a file system requires third-party tools or FUSE drivers, and it does not natively support standard file-sharing protocols like SMB or NFS. Option C is wrong because an Azure managed disk can only be attached to a single VM at a time (except for shared disks, which require a cluster-aware file system and are not a managed file service). Option D is wrong because Azure Files shares are protocol-specific; you cannot force a single share to serve both SMB and NFS simultaneously—each share is created with either SMB or NFS protocol, and mixing protocols on the same share is not supported.

116
Multi-Select · medium

Which two statements accurately describe the value of centralized DHCP in enterprise networks?

Select 2 answers
A. It can reduce the need to maintain separate DHCP servers in every subnet or site.
B. It can make address-policy changes easier to manage from a central location.
C. It removes the need for relay across Layer 3 boundaries.
D. It eliminates the need for default gateways.
E. It is useful only on wireless networks.
Answers: A, B

This is correct because centralization can simplify service management.

Why this answer

Centralized DHCP can simplify operations by keeping address assignment services in a more controlled central location rather than distributing separate servers everywhere. In practical terms, this can reduce administration overhead and make policy changes easier. The tradeoff is that Layer 3 boundaries must then be handled properly so client requests can still reach the server.

This is why DHCP relay becomes important in many campus and branch designs.

Why the other options are wrong

C

This option is wrong because centralized DHCP can still require DHCP relay agents to forward requests across Layer 3 boundaries, especially when clients and servers are on different subnets.

D

This option is wrong because centralized DHCP does not eliminate the need for default gateways; devices still require a default gateway to communicate outside their local subnet regardless of DHCP configuration.

E

This option is wrong because centralized DHCP is beneficial for both wired and wireless networks, not limited to just wireless environments. Centralized DHCP can manage IP addresses across all types of network infrastructures.

117
Multi-Select · easy

A support engineer is narrowing a Log Analytics query to only failed backup jobs and wants to show only the needed columns. Which two KQL operators should they use? Select two.

Select 2 answers
A. extend
B. join
C. project
D. summarize
E. where
Answers: C, E

Project keeps only the columns you want to display in the query results.

Why this answer

The `where` operator filters rows based on a condition, so it is used to narrow results to only failed backup jobs (e.g., `where Status == "Failed"`). The `project` operator selects a subset of columns, allowing the engineer to display only the needed columns (e.g., `project JobName, Status, StartTime`). Together, they achieve both row filtering and column selection in a Kusto Query Language (KQL) query.

Exam trap

The trap here is that candidates often confuse `project` with `extend` (thinking both are for column manipulation) or incorrectly assume `summarize` can filter rows, when in fact `summarize` aggregates and loses row-level detail.

118
MCQ · medium

You need to run a PowerShell script inside a newly deployed Azure virtual machine to configure application settings immediately after deployment. Which feature should you use?

A. Azure Policy
B. A Custom Script Extension
C. Boot diagnostics
D. An availability set
Answer: B

A Custom Script Extension runs scripts inside the virtual machine.

Why this answer

The Custom Script Extension (CSE) is the correct choice because it allows you to run a PowerShell script on an Azure VM after deployment, making it ideal for configuring application settings. CSE downloads and executes scripts on the VM using the Azure VM agent, and it can be invoked during VM creation or post-deployment via ARM templates, Azure CLI, or PowerShell.

Exam trap

The trap here is that candidates confuse Azure Policy (which governs resource configuration at the Azure control plane) with the Custom Script Extension (which operates inside the guest OS), leading them to incorrectly select Azure Policy for post-deployment script execution.

How to eliminate wrong answers

Option A is wrong because Azure Policy enforces organizational rules and compliance across Azure resources (e.g., restricting VM SKUs or requiring tags), but it does not execute scripts inside a VM. Option C is wrong because Boot diagnostics captures serial console output and screenshots for troubleshooting VM boot failures, not for running configuration scripts. Option D is wrong because an availability set is a logical grouping of VMs to ensure high availability across fault and update domains, and it has no capability to execute scripts or configure applications.

119
MCQ · medium

You want Azure to recommend ways to reduce cost, improve performance, and strengthen security across your subscriptions. Which service should you use?

A. Azure Advisor
B. Azure Policy
C. Azure Backup
D. Virtual network peering
Answer: A

Azure Advisor is the service designed to provide optimization recommendations across these categories.

Why this answer

Azure Advisor is the correct service because it provides personalized recommendations across your Azure subscriptions to optimize for cost, performance, reliability, and security. It analyzes your resource configuration and usage telemetry, then generates actionable recommendations such as right-sizing underutilized VMs, enabling geo-redundant storage, or applying security rules. This directly matches the question's requirement for a unified tool that suggests improvements in all three areas.

Exam trap

The trap here is that candidates often confuse Azure Advisor (a recommendation engine) with Azure Policy (a governance enforcement tool), mistakenly thinking Policy can also suggest cost or performance improvements when it only enforces rules and audits compliance.

How to eliminate wrong answers

Option B (Azure Policy) is wrong because it enforces compliance rules and governance (e.g., tagging, allowed regions) rather than analyzing existing resources to recommend cost, performance, or security improvements. Option C (Azure Backup) is wrong because it is a data protection service for backup and disaster recovery, not a recommendation engine for optimization. Option D (Virtual network peering) is wrong because it is a networking feature that connects VNets for low-latency communication, not a service that provides cost, performance, or security recommendations.

120
MCQ · medium

A line-of-business app runs on two VMs in an Azure region that supports availability zones. The business wants protection from a datacenter failure and wants the VMs placed in different physical locations within the region. Which deployment choice should be used?

A. An availability set with two fault domains
B. Two availability zones with one VM in each zone
C. A proximity placement group for both VMs
D. A single larger VM size with Premium SSD
Answer: B

Availability zones place resources in separate physical datacenters within a region, improving resilience to zone failure.

Why this answer

Availability zones are physically separate datacenters within an Azure region, each with independent power, cooling, and networking. Placing one VM in each of two zones ensures that if one datacenter fails, the other VM remains available. This directly meets the requirement for protection from a datacenter failure with VMs in different physical locations.

Exam trap

The trap here is that candidates often confuse availability sets (which protect against rack failures) with availability zones (which protect against datacenter failures), leading them to choose an availability set when the question explicitly requires different physical locations within the region.

How to eliminate wrong answers

Option A is wrong because an availability set with two fault domains protects against rack-level failures within a single datacenter, not against a full datacenter failure. Option C is wrong because a proximity placement group is designed to reduce network latency by co-locating VMs close together, which is the opposite of placing them in different physical locations. Option D is wrong because a single larger VM with Premium SSD does not provide any redundancy; it remains a single point of failure and does not address datacenter-level protection.

121
MCQ · medium

Why is centralized logging especially helpful during incident investigation?

A. It helps investigators analyze related events from multiple devices in one place.
B. It guarantees that no attack can ever succeed.
C. It replaces the need for access control.
D. It forces all devices to use the same VLAN.
Answer: A

This is correct because centralized collection improves visibility and correlation.

Why this answer

Centralized logging aggregates logs from multiple sources (servers, firewalls, applications) into a single repository, enabling investigators to correlate events across devices during an incident. This eliminates the need to manually access each device's local logs, speeding up root cause analysis and providing a unified timeline of activities.

Exam trap

The trap here is that candidates may confuse centralized logging with a security control that prevents attacks, rather than recognizing it as a detective and forensic tool for post-incident analysis.

Why the other options are wrong

B

Option B is incorrect because centralized logging does not guarantee the prevention of attacks; it merely provides a means to analyze and respond to incidents after they occur. Security measures must be implemented to prevent attacks, which is outside the scope of logging.

C

Access control is a separate security measure that governs who can view or manipulate logs; centralized logging does not eliminate the need for such controls. Therefore, this option incorrectly suggests that centralized logging alone suffices for security management.

D

This option is wrong because forcing all devices to use the same VLAN does not inherently improve logging capabilities or facilitate incident investigation. Centralized logging focuses on aggregating logs, not on network segmentation.

122
MCQ · medium

Based on the exhibit, what should the administrator do first to restore the missing data disk?

A. Create a managed disk from the snapshot, then attach it to the VM.
B. Recreate the VM from the marketplace image and restore applications manually.
C. Convert the snapshot directly into an operating system disk and replace the VM.
D. Increase the VM size so that Azure automatically recreates the missing disk.
Answer: A

A snapshot is a point-in-time copy of a disk, and the normal recovery path is to create a new managed disk from that snapshot. After the disk is created, it can be attached to the VM or a recovery VM. This keeps the OS disk untouched and minimizes impact while restoring the missing data volume.

Why this answer

The snapshot represents the missing data disk, not the OS disk. To restore it, you must first create a managed disk from the snapshot (using Azure CLI, PowerShell, or portal), then attach that disk to the VM. This preserves the existing VM configuration and applications without redeployment.

Exam trap

The trap here is that candidates may confuse a data disk snapshot with an OS disk snapshot and attempt to replace the VM's OS disk, or assume that Azure automatically recreates missing disks when resizing the VM.

How to eliminate wrong answers

Option B is wrong because recreating the VM from a marketplace image would require manual reinstallation of all applications and does not restore the specific data disk snapshot. Option C is wrong because converting the snapshot directly into an OS disk would replace the VM's operating system, but the snapshot is of a data disk, not the OS disk, and this action would not restore the missing data disk. Option D is wrong because increasing the VM size does not trigger automatic recreation of a missing data disk; Azure does not regenerate disks from snapshots based on size changes.

123
MCQ · easy

An Azure Policy that appends the Environment tag is assigned to a subscription. New virtual machines get the tag, but existing VMs do not. What should the administrator do next?

A. Remove the policy and reassign it at the resource group scope
B. Create a remediation task for the policy assignment
C. Grant the policy assignment Reader access
D. Apply a CanNotDelete lock to the subscription
Answer: B

A remediation task is used to bring existing resources into compliance after a policy assignment is in place. In this case, the append effect works for new deployments, but older virtual machines need remediation so the Environment tag is added to resources that were created before the policy took effect. That is the expected operational follow-up.

Why this answer

Azure Policy assignments with 'deployIfNotExists' or 'append' effects only apply to new resources by default. To bring existing non-compliant resources into compliance, a remediation task must be triggered, which uses a managed identity to modify the resource. Option B is correct because creating a remediation task for the policy assignment will evaluate and append the missing Environment tag to existing VMs.

Exam trap

The trap here is that candidates assume policy effects like 'append' or 'deny' automatically apply to all resources in scope, forgetting that only 'audit' and 'modify' effects have built-in support for existing resources, while others require a remediation task.

How to eliminate wrong answers

Option A is wrong because removing and reassigning the policy at a different scope does not retroactively apply the effect to existing resources; the append effect still only applies to new resources unless a remediation task is run. Option C is wrong because granting the policy assignment Reader access does not enable remediation; remediation requires a managed identity with contributor-level permissions to modify resources, not read-only access. Option D is wrong because applying a CanNotDelete lock prevents deletion of the subscription or its resources but does not modify existing resources to add the missing tag; it is unrelated to policy compliance remediation.

124
Drag & Drop · medium

Arrange the steps to assign a custom RBAC role to a user in Azure.

Why this order

Navigate to roles, create custom role with permissions and scopes, then assign at scope.

125
MCQ · easy

Based on the exhibit, administrators can reach a web server from the approved subnet, but connections still fail. What is the most likely reason?

A. The allow rule is blocked because inbound rules are evaluated from highest priority number to lowest.
B. The deny rule has a higher priority and matches the traffic before the allow rule.
C. The destination port must be changed to 80 because NSGs cannot allow TCP 443.
D. The subnet requires a route table before HTTPS can be permitted.
Answer: B

Azure NSG evaluation uses the lowest priority number first. In the exhibit, the deny rule at priority 100 matches TCP 443 from Any, so it blocks the traffic before the later allow rule at priority 200 is considered. To fix the issue, the allow rule must be placed above the deny rule or the deny rule must be narrowed.

Why this answer

Network Security Groups (NSGs) evaluate rules in order of priority, where a lower priority number (e.g., 100) is evaluated before a higher number (e.g., 200). If a deny rule with a higher priority (lower number) matches the traffic before the allow rule, the traffic is blocked. In this scenario, the deny rule (priority 100) matches the source subnet and destination port 443 before the allow rule (priority 200) can permit it, causing connections to fail.

Exam trap

The trap here is that candidates often assume NSG rules are evaluated in the order they appear in the portal (top-to-bottom) or that allow rules override deny rules regardless of priority, but Azure explicitly uses the priority number to determine evaluation order, and a higher-priority deny rule will block traffic even if a lower-priority allow rule exists.

How to eliminate wrong answers

Option A is wrong because inbound rules are evaluated from lowest priority number to highest (i.e., highest priority first), not from highest to lowest. Option C is wrong because NSGs can allow TCP 443 (HTTPS) just as they can allow TCP 80 (HTTP); there is no restriction that prevents port 443 from being used. Option D is wrong because a route table is not required to permit HTTPS traffic; NSGs control traffic flow at the network interface or subnet level, and routing is handled separately by Azure's default routes or user-defined routes.

126
MCQ · hard

A web app and a VM scale set both need the same Azure identity to read secrets from Key Vault. The identity must survive redeployment, and the team wants to remove it centrally without changing each resource individually. Which identity type should they use?

A. A system-assigned managed identity on each resource.
B. A user-assigned managed identity attached to both resources.
C. A service principal with a client secret stored in application settings.
D. A resource lock on the Key Vault to preserve the secret access path.
Answer: B

A user-assigned identity is reusable across resources and can be managed independently of any single workload.

Why this answer

A user-assigned managed identity (B) is the correct choice because it is created as a standalone Azure resource, can be attached to multiple Azure resources (e.g., a web app and a VM scale set), and persists independently of those resources. This allows the identity to survive redeployment of either resource and enables centralized removal (by deleting the user-assigned identity) without needing to modify each resource individually.

Exam trap

The trap here is that candidates often confuse system-assigned managed identities (which are simpler but resource-bound) with user-assigned managed identities, failing to recognize that only user-assigned identities can be shared across multiple resources and survive independent redeployment.

How to eliminate wrong answers

Option A is wrong because a system-assigned managed identity is tied to the lifecycle of a single resource; it is automatically deleted when the resource is deleted, so it cannot survive redeployment, and it cannot be shared across multiple resources. Option C is wrong because a service principal with a client secret stored in application settings introduces secret management overhead, does not survive redeployment seamlessly (the secret must be re-stored), and requires individual configuration changes on each resource to remove the identity. Option D is wrong because a resource lock on Key Vault only prevents accidental deletion or modification of the vault itself; it does not provide an identity for authentication and does not address the requirement for a shared, centrally removable identity.

127
Multi-Select · medium

A help desk analyst needs a KQL query that identifies each VM's most recent heartbeat so computers can be flagged if their last check-in is older than 20 minutes. Which two KQL elements should be used? Select two.

Select 2 answers
A. Query the Heartbeat table, because it stores the heartbeat records for Azure VMs.
B. Summarize max(TimeGenerated) by Computer to get the most recent heartbeat per VM.
C. Join the results to AzureActivity to calculate service health.
D. Filter where TimeGenerated is older than 20 minutes before summarizing.
E. Use the Perf table because it stores heartbeat timestamps.
Answers: A, B

Heartbeat is the log source that records the VM check-in data required for this troubleshooting query.

Why this answer

Option A is correct because the Heartbeat table in Azure Monitor Logs (Log Analytics) is specifically designed to store heartbeat records from Azure Monitor Agent (AMA) or the legacy Log Analytics agent. Each heartbeat record contains a TimeGenerated timestamp, making it the authoritative source for determining when a VM last reported its health status.

Exam trap

The trap here is that candidates mistakenly think filtering before summarizing is more efficient, but doing so removes the very data needed to identify the most recent heartbeat, leading to incorrect results.
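To see why the order of `summarize` and `where` matters for this question, here is the query's logic reproduced in Python over constructed Heartbeat rows. This is an added example, not code from the page or from Microsoft; the computer names, timestamps and the "now" value are made up, and the KQL shown in the docstring is my rendering of the query the options describe.

```python
"""Stale-heartbeat detection, mirroring the KQL an analyst would write:

    Heartbeat
    | summarize LastHeartbeat = max(TimeGenerated) by Computer
    | where LastHeartbeat < ago(20m)

The rows below are constructed sample data (added example, not real telemetry).
"""
from datetime import datetime, timedelta, timezone

# Constructed "now" so the example is deterministic.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

# Constructed Heartbeat rows as (Computer, TimeGenerated).
# vm-web01 had two old check-ins but reported 2 minutes ago (healthy);
# vm-db01 last reported 45 minutes ago (stale); vm-app01 is healthy.
HEARTBEATS = [
    ("vm-web01", NOW - timedelta(minutes=45)),
    ("vm-web01", NOW - timedelta(minutes=25)),
    ("vm-web01", NOW - timedelta(minutes=2)),
    ("vm-db01", NOW - timedelta(minutes=60)),
    ("vm-db01", NOW - timedelta(minutes=45)),
    ("vm-app01", NOW - timedelta(minutes=5)),
]


def last_heartbeat_per_computer(rows):
    """Equivalent of `summarize max(TimeGenerated) by Computer`."""
    latest = {}
    for computer, ts in rows:
        if computer not in latest or ts > latest[computer]:
            latest[computer] = ts
    return latest


def stale_computers(rows, now=NOW, threshold=timedelta(minutes=20)):
    """Correct order: summarize first, then filter on each computer's
    most recent heartbeat. Returns the sorted list of stale computers."""
    latest = last_heartbeat_per_computer(rows)
    return sorted(c for c, ts in latest.items() if ts < now - threshold)


def stale_computers_filter_first(rows, now=NOW, threshold=timedelta(minutes=20)):
    """The trap from option D: filtering to old rows before summarizing.
    Every computer that has *any* heartbeat older than the threshold is
    flagged, including one that checked in two minutes ago, because the
    recent rows were discarded before the maximum was taken."""
    old_rows = [(c, ts) for c, ts in rows if ts < now - threshold]
    return sorted(last_heartbeat_per_computer(old_rows))


if __name__ == "__main__":
    print("summarize then where:", stale_computers(HEARTBEATS))
    print("where then summarize:", stale_computers_filter_first(HEARTBEATS))
```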

128
MCQ · easy

Before changing a managed data disk attached to a VM, you want a point-in-time copy that can be restored later if the change fails. What should you create?

A. Managed disk snapshot
B. Availability set
C. Image
D. Resource lock
Answer: A

A snapshot creates a point-in-time copy of a managed disk that you can use later for restore or cloning.

Why this answer

A managed disk snapshot is a point-in-time, read-only copy of a managed disk that can be used to restore the disk to that exact state if a change fails. Snapshots are incremental, capturing only the changes since the last snapshot, and they exist independently of the source disk, allowing you to create a new disk from the snapshot for recovery.

Exam trap

The trap here is that candidates often confuse a snapshot with an image, thinking both serve the same purpose, but an image is used for deployment and includes OS configuration, while a snapshot is a raw disk copy for recovery without any generalization.

How to eliminate wrong answers

Option B (Availability set) is wrong because an availability set is a logical grouping of VMs to ensure high availability across fault and update domains, not a mechanism for creating point-in-time copies of disks. Option C (Image) is wrong because an image captures the entire VM configuration, including the OS and data disks, but it is used to deploy new VMs, not to create a restore point for a specific data disk; images are generalized and cannot be used to revert a disk to a previous state. Option D (Resource lock) is wrong because a resource lock prevents accidental deletion or modification of a resource at the management scope, but it does not create a copy of the disk data; it only protects the resource from changes, not from data corruption or failed updates.

129
MCQ · medium

A VM in subnet S1 must accept RDP only from the administrator workstation at 203.0.113.25. The subnet NSG has a custom inbound deny-all rule at priority 200 and a custom allow-RDP rule at priority 300 for source 203.0.113.25, destination Any, TCP 3389. RDP is still blocked from the workstation. What should the administrator change?

A. Move the allow-RDP rule to a lower priority number than 200.
B. Change the allow rule from inbound to outbound traffic.
C. Change the protocol from TCP to Any on the deny-all rule.
D. Attach a user-defined route so the workstation can reach the VM directly.
Answer: A

NSG rules are processed in priority order, where lower numbers are evaluated first. Because the deny-all rule at priority 200 is hit before the allow rule at 300, the RDP traffic is denied before it can match the allow entry. Moving the allow rule to a number lower than 200, such as 100, ensures the authorized workstation is permitted while the later deny-all rule still blocks everyone else.

Why this answer

Network Security Group (NSG) rules are evaluated in priority order, with lower numbers having higher precedence. The deny-all rule at priority 200 is evaluated before the allow-RDP rule at priority 300, so the deny rule blocks the RDP traffic before the allow rule can be applied. To allow RDP from the workstation, the allow-RDP rule must have a lower priority number (e.g., 100) than the deny-all rule, ensuring it is evaluated first.

Exam trap

The trap here is that candidates often assume rules are evaluated in the order they appear in the portal (top to bottom) or that a more specific rule (allow-RDP) overrides a general rule (deny-all), but Azure NSGs strictly use numeric priority, not specificity or order of creation.

How to eliminate wrong answers

Option B is wrong because the allow rule must be inbound (for incoming RDP traffic to the VM), not outbound; outbound rules control traffic leaving the subnet, which is irrelevant for accepting RDP connections. Option C is wrong because changing the protocol from TCP to Any on the deny-all rule would still block RDP (TCP 3389) and would not resolve the priority issue; it would also unnecessarily block all other protocols. Option D is wrong because a user-defined route (UDR) controls network traffic routing, not NSG rule evaluation; the workstation can already reach the VM via the default route, and the issue is purely an NSG priority conflict.

130
MCQ (medium)

An organization has an Azure Storage account that must be reachable from Azure VMs and from an on-premises application. Internet access to the storage account must be disabled, and the service should be accessible only over private IP paths. Which solution best meets the requirement?

A. Enable a service endpoint on the Azure VNet and keep the storage account public endpoint enabled.
B. Use a private endpoint for the storage account and connect on-premises through a site-to-site VPN or ExpressRoute path.
C. Use VNet peering only and leave the storage account firewall open to selected public IPs.
D. Assign a public IP address to the storage account and restrict access with an NSG.
Answer: B

A private endpoint gives the storage account a private IP in a VNet, which keeps traffic off the public internet. Because the on-premises application also needs access, the on-premises network must have private connectivity to that VNet, typically through a site-to-site VPN gateway or ExpressRoute. This design satisfies both private access and the no-public-access requirement.

Why this answer

Option B is correct because a private endpoint assigns the storage account a private IP address from the Azure VNet, making it accessible over a private IP path. On-premises connectivity is achieved via a site-to-site VPN or ExpressRoute, which extends the private network to the branch. Blocking the storage account's public endpoint then satisfies the requirement that internet access be disabled.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, thinking service endpoints also provide private-only access, but service endpoints still use the public endpoint and do not block internet access by default.

How to eliminate wrong answers

Option A is wrong because enabling a service endpoint keeps the storage account's public endpoint enabled, which still allows internet access to the storage account, violating the requirement to disable internet access. Option C is wrong because VNet peering only connects Azure VNets, not on-premises networks, and leaving the storage account firewall open to selected public IPs still exposes the storage account to the internet, failing the requirement. Option D is wrong because assigning a public IP address to a storage account is not possible; storage accounts use a public endpoint by default, and NSGs cannot be applied directly to a storage account, only to subnets or NICs, so this does not disable internet access.

131
MCQ (easy)

Based on the exhibit, which next hop will Azure use for traffic from the VM to 10.50.1.20?

A. Virtual appliance 10.1.1.4, because all traffic always follows the default route.
B. Internet, because the /24 route is more specific than the default route.
C. Virtual network, because private IP addresses always stay inside Azure.
D. No route is selected, so the packet is dropped before leaving the subnet.
Answer: B

Azure uses longest-prefix match when selecting a route. The destination 10.50.1.20 falls within 10.50.1.0/24, which is more specific than the 0.0.0.0/0 default route. Therefore, the Internet next hop is chosen instead of the virtual appliance.

Why this answer

Option B is correct because Azure uses the most specific route (longest prefix match) to determine next hop. The route for 10.50.1.0/24 with next hop Internet is more specific than the default route 0.0.0.0/0, so traffic to 10.50.1.20 will be forwarded to the Internet, not the virtual appliance.

Exam trap

The trap here is that candidates assume private IP traffic always stays within Azure or follows the default route, but Azure prioritizes more specific routes regardless of IP address range.

How to eliminate wrong answers

Option A is wrong because Azure does not always follow the default route; it uses the longest prefix match, so the /24 route takes precedence over the default route. Option C is wrong because private IP addresses can be routed outside the virtual network if a more specific route (e.g., to the Internet) exists; Azure does not force traffic to stay inside the virtual network. Option D is wrong because a route is selected (the /24 route to the Internet), so the packet is not dropped.

132
Multi-Select (easy)

You want to send a storage account's platform logs to a workspace so they can be queried with KQL later. Which two items are part of the required configuration? Select two.

Select 2 answers
A. Diagnostic settings on the storage account
B. A Log Analytics workspace
C. A network security group
D. A Recovery Services vault
E. An availability zone assignment
Answers: A, B

Diagnostic settings control which logs and metrics are exported from the resource.

Why this answer

A is correct because diagnostic settings on the storage account are the mechanism that defines which platform logs (e.g., storage read/write/delete operations) are collected and where they are sent. Without configuring diagnostic settings, the storage account does not emit logs to any destination. B is correct because a Log Analytics workspace is the required destination for storing the logs so they can be queried with KQL; it provides the ingestion and retention infrastructure for log analytics.

Exam trap

The trap here is that candidates often confuse the destination (Log Analytics workspace) with the source configuration (diagnostic settings), or mistakenly think that network-level components like NSGs or redundancy features like availability zones are involved in log routing.

133
MCQ (medium)

You need to collect guest operating system performance counters and Windows event logs from several Azure virtual machines into a central queryable platform. Which Azure component should you configure?

A. A Log Analytics workspace
B. A Recovery Services vault
C. An Azure Policy initiative
D. A route table
Answer: A

A Log Analytics workspace centralizes collected data for querying and retention.

Why this answer

A Log Analytics workspace is the correct Azure component for collecting guest OS performance counters and Windows event logs from Azure VMs. It serves as a central repository where diagnostic data from Azure Monitor agents (such as the Log Analytics agent or Azure Monitor Agent) is ingested, stored, and made available for querying via Kusto Query Language (KQL). This enables you to analyze performance metrics and event logs across multiple VMs in a unified, queryable platform.

Exam trap

The trap here is that candidates often confuse a Log Analytics workspace with a Recovery Services vault, mistakenly thinking that backup vaults can also store and query performance data, when in fact Recovery Services vaults are solely for backup and disaster recovery operations.

How to eliminate wrong answers

Option B is wrong because a Recovery Services vault is used for backup and disaster recovery scenarios (e.g., Azure Backup, Site Recovery), not for collecting and querying guest OS performance counters or event logs. Option C is wrong because an Azure Policy initiative is a set of policies used to enforce compliance and governance rules (e.g., requiring specific tags or encryption), not a data collection or querying platform. Option D is wrong because a route table controls network traffic routing between subnets and virtual networks, and has no capability to ingest, store, or query performance counters or event logs.

134
MCQ (medium)

A branch office with a static public IP needs encrypted connectivity to an Azure virtual network so users can access private Azure VMs and internal services. The connection should support a site-to-site design and not rely on public IPs for the Azure resources themselves. Which service should the administrator deploy?

A. Azure VNet peering
B. Service endpoint
C. VPN gateway with a site-to-site connection
D. Azure Front Door
Answer: C

A VPN gateway is the standard Azure service for encrypted site-to-site connectivity between an on-premises network and an Azure VNet. It allows branch users to reach private IPs in Azure without exposing the VMs to the internet. Because the branch has a static public IP, it can terminate a reliable site-to-site tunnel to the Azure VPN gateway.

Why this answer

A VPN gateway with a site-to-site connection (option C) is the correct choice because it provides encrypted connectivity over the public internet between an on-premises branch office with a static public IP and an Azure virtual network. This design uses IPsec/IKE (RFC 4301) to secure traffic, and Azure resources remain private within the VNet, not requiring public IPs. The site-to-site connection establishes a tunnel from the on-premises VPN device to the Azure VPN gateway, enabling users to access private VMs and services securely.

Exam trap

The trap here is that candidates often confuse site-to-site VPN with VNet peering or service endpoints, mistakenly thinking those can provide encrypted on-premises connectivity, but they lack the necessary IPsec tunnel and on-premises-to-Azure routing capabilities.

How to eliminate wrong answers

Option A is wrong because Azure VNet peering connects two VNets within Azure, not an on-premises branch office to Azure, and it does not provide encrypted connectivity over the internet. Option B is wrong because a service endpoint extends a VNet's private address space to Azure PaaS services (e.g., Storage, SQL) but does not create an encrypted tunnel for on-premises users to access private VMs or internal services. Option D is wrong because Azure Front Door is a global load balancer and application delivery service for HTTP/HTTPS traffic, not a site-to-site VPN solution, and it does not provide encrypted connectivity for private VMs or internal services without public exposure.

135
Multi-Select (medium)

One team needs to run a Linux container for about 15 minutes per request with no inbound traffic and no cluster to manage. Another team needs an internet-facing web app with built-in HTTPS, deployment slots, and autoscale. Which two Azure services should the administrator choose? Select two.

Select 2 answers
A. Azure Container Instances
B. Azure App Service
C. Azure Virtual Machines
D. Azure Kubernetes Service
E. Azure Batch
Answers: A, B

Runs isolated containers without requiring a cluster or server management.

Why this answer

Azure Container Instances (ACI) is the correct choice for the first team because it runs a Linux container directly on Azure without any underlying infrastructure or cluster to manage, and it supports a 15-minute execution with no inbound traffic required. ACI is ideal for burstable, short-lived container workloads that do not need orchestration. Azure App Service is the correct choice for the second team because it hosts an internet-facing web app with built-in HTTPS, deployment slots, and autoscale, which are exactly the capabilities that team requires.

Exam trap

The trap here is that candidates may confuse Azure Container Instances with Azure Kubernetes Service, thinking orchestration is needed for any container, or they may overlook that Azure App Service natively supports deployment slots and autoscale without requiring additional services.

136
Multi-Select (hard)

A help desk group must use the Azure portal to start a virtual machine, stop or deallocate it, and see its current state, but they must not change any other VM settings. Which three Microsoft.Compute actions should be included in a custom role? Select three.

Select 3 answers
A. Microsoft.Compute/virtualMachines/read
B. Microsoft.Compute/virtualMachines/start/action
C. Microsoft.Compute/virtualMachines/deallocate/action
D. Microsoft.Compute/virtualMachines/write
E. Microsoft.Compute/virtualMachines/delete
Answers: A, B, C

Read access is needed so the portal can display the VM and its current operational state.

Why this answer

Option A is correct because the Microsoft.Compute/virtualMachines/read permission is required to view the current state of a virtual machine in the Azure portal. Without this read action, the help desk group would not be able to see the VM's status, which is essential for their task of monitoring and managing the VM lifecycle. Options B and C are correct because the start/action and deallocate/action operations are exactly the power operations the help desk must perform; together with read, they cover starting, stopping or deallocating, and viewing state without granting the write or delete actions that would allow other settings to be changed.

Exam trap

The trap here is that candidates often confuse the write action with the specific start and deallocate actions, incorrectly assuming that write is needed for power operations, when in fact write grants full configuration change capabilities that exceed the required scope.

137
Multi-Select (hard)

An Azure application and an Azure Automation account need Azure access without any stored secrets. The same identity should be reusable and should not require manual secret rotation. Which two identity choices meet the requirement? Select two.

Select 2 answers
A. System-assigned managed identity attached to the resource that needs access.
B. User-assigned managed identity that can be attached to multiple Azure resources.
C. Service principal with a client secret stored in an app setting.
D. Shared administrator username and password stored in a Key Vault secret.
E. SAS token generated once and reused indefinitely by both resources.
Answers: A, B

System-assigned managed identities eliminate secrets and are automatically managed for the lifetime of the resource.

Why this answer

System-assigned managed identity (Option A) is correct because it is automatically created and tied to a specific Azure resource, such as a virtual machine or App Service, and provides an Azure AD identity that can authenticate to any service supporting Azure AD authentication without storing any secrets. The identity is managed by Azure, eliminating the need for manual secret rotation, and it is automatically deleted when the resource is deleted, ensuring no orphaned credentials. A user-assigned managed identity (Option B) is also correct because it is created as a standalone Azure resource that can be attached to multiple resources, such as the application and the Automation account, so the same identity is reusable while Azure still manages its credentials with no stored secrets or manual rotation.

Exam trap

The trap here is that candidates often confuse service principals with managed identities, thinking that storing a client secret in an app setting or Key Vault is acceptable, but the question explicitly requires 'no stored secrets' and 'no manual secret rotation,' which only managed identities satisfy.

138
MCQ (medium)

A public web application runs on two identical VMs behind a load balancer. The region supports availability zones. The business wants the app to keep serving traffic if one datacenter in the region becomes unavailable. What should the administrator use?

A. An availability set with two VMs
B. Availability zones for the two VMs
C. A single virtual machine scale set instance
D. A proximity placement group
Answer: B

Availability zones are the right design when the business needs resiliency against a full datacenter or zone outage within a supported region. Placing the VMs in different zones keeps the application available if one zone has a failure, assuming the load balancer and application are designed accordingly.

Why this answer

Option B is correct because deploying the two VMs in different availability zones within the same region protects against a single datacenter failure. Each availability zone is a physically separate datacenter with independent power, cooling, and networking. If one zone goes down, the load balancer automatically routes traffic to the VM in the other zone, ensuring the application continues serving traffic.

Exam trap

The trap here is confusing an availability set (which protects against rack failures within a single datacenter) with availability zones (which protect against full datacenter outages), leading candidates to choose the cheaper but insufficient option A.

How to eliminate wrong answers

Option A is wrong because an availability set only protects against rack-level failures within a single datacenter, not against an entire datacenter outage. Option C is wrong because a single virtual machine scale set instance provides no redundancy; if the single VM fails or the datacenter hosting it goes down, the application becomes unavailable. Option D is wrong because a proximity placement group is designed to reduce network latency between VMs by placing them close together, which increases the risk of a single point of failure and does not provide datacenter-level fault isolation.

139
MCQ (easy)

An engineering team stores build artifacts that are downloaded every day by developers for a week after release, then rarely after that. Which tier should the administrator choose for the period when the artifacts are still actively used?

A. Hot
B. Archive
C. Cool
D. Cold
Answer: A

Hot is the best fit for data that is accessed frequently over a short period, such as newly released build artifacts.

Why this answer

The Hot tier is the correct choice for the period when build artifacts are actively used because it provides the lowest access latency and highest throughput, which is essential for daily downloads by developers. Azure Blob Storage's Hot tier is optimized for frequent access patterns (e.g., multiple times per day) and incurs no data retrieval costs, making it cost-effective for this high-access phase.

Exam trap

The trap here is that candidates often treat Cool as a middle-ground choice for weekly access, but the Cool tier's retrieval cost and higher latency make it suboptimal for daily downloads, whereas Hot is the only tier designed for frequent, low-latency access without retrieval penalties.

How to eliminate wrong answers

Option B (Archive) is wrong because it is designed for data that is rarely accessed (e.g., less than once per year) and has a retrieval latency of up to 15 hours, which is unacceptable for daily downloads. Option C (Cool) is wrong because it is optimized for data accessed infrequently (e.g., once per month) and incurs a per-GB retrieval cost, making it more expensive than Hot for daily access patterns. Option D (Cold) is wrong because it is intended for data that is accessed very rarely (e.g., once per quarter) and has higher retrieval costs and latency compared to Hot, which is not suitable for active daily use.

140
Multi-Select (hard)

A contractor needs to upload files into one blob container for six hours. The administrator must avoid sharing the storage account key and wants the access to expire automatically. Which two actions should the administrator take? Select two.

Select 2 answers
A. Generate a user delegation SAS for the contractor.
B. Generate a service SAS by using the account key.
C. Set the SAS expiry to six hours.
D. Enable anonymous blob access on the container.
E. Create a storage account access key specifically for the contractor.
Answers: A, C

A user delegation SAS avoids exposing the storage account key and is signed through Microsoft Entra authentication.

Why this answer

A user delegation SAS is secured with Azure AD credentials rather than the storage account key, allowing the administrator to grant time-limited access without exposing the key. Setting the SAS expiry to six hours ensures the contractor's access automatically expires after the required duration, meeting both security and time-bound requirements.

Exam trap

The trap here is that candidates often confuse a service SAS (which requires the account key) with a user delegation SAS (which uses Azure AD), leading them to select Option B instead of A, missing the key requirement to avoid sharing the storage account key.

141
MCQ (hard)

A web tier and a backend tier are deployed in separate subnets. Backend VMs are rebuilt regularly, so their private IP addresses change. The web tier must reach the backend on TCP 8443, and administrators do not want to update NSG rules whenever a backend VM is replaced. What should be used in the NSG rule?

A. The backend subnet CIDR, because subnet ranges never change during VM rebuilds.
B. The AzureLoadBalancer service tag, because it identifies internal traffic between tiers.
C. Application security groups for both tiers, because they track the VMs even when IP addresses change.
D. A user-defined route to the backend subnet, because route tables follow the VM even if the IP changes.
Answer: C

Application security groups let you group NICs by application role instead of by changing IP addresses. By referencing ASG-Web as the source and ASG-Backend as the destination, the NSG rule stays stable when backend VMs are rebuilt or NICs are replaced. This is the most maintainable option for tier-based filtering on a fixed port.

Why this answer

Option C is correct because Application Security Groups (ASGs) allow you to group VMs logically and reference them in NSG rules. When backend VMs are rebuilt and their private IPs change, the ASG membership (based on the VM's NIC configuration) remains intact, so the NSG rule continues to apply without manual updates. This decouples security rules from dynamic IP addresses.

Exam trap

The trap here is that candidates confuse service tags (which identify Azure services) with ASGs (which identify application tiers), or they assume subnet CIDRs are always the best choice despite the requirement for dynamic IP handling.

How to eliminate wrong answers

Option A is wrong because while the backend subnet CIDR is static, using it in the NSG rule would allow traffic from any VM in that subnet, not just the intended backend VMs, and it does not leverage the dynamic tracking that ASGs provide. Option B is wrong because the AzureLoadBalancer service tag identifies traffic from Azure's load balancer health probes, not general inter-tier traffic between web and backend VMs. Option D is wrong because a user-defined route (UDR) controls traffic routing (next hop), not firewall rules; UDRs do not filter traffic or adapt to changing IPs for NSG purposes.

142
Multi-Select (medium)

Backend VMs are rebuilt often and get new private IP addresses. Frontend VMs must reach them only on TCP 8443, and the rule should keep working after rebuilds. Which two actions should the administrator take? Select two.

Select 2 answers
A. Place the backend NICs in an ASG named ASG-Backend.
B. Create an NSG rule that allows TCP 8443 from ASG-Front to ASG-Backend.
C. Create a static route for the backend subnet to preserve the same IPs.
D. Use a service endpoint between the two subnets.
E. Add a load balancer health probe rule on TCP 8443 only.
Answers: A, B

ASG membership follows the NIC, so the rule still matches even when the VM IP changes.

Why this answer

Option A is correct because an Application Security Group (ASG) allows you to group backend VMs by their NICs, regardless of their private IP addresses. When backend VMs are rebuilt and receive new IPs, the ASG membership remains intact, so NSG rules referencing the ASG continue to work without manual updates. Option B is correct because an NSG rule that allows TCP 8443 from ASG-Front to ASG-Backend expresses the requirement in terms of those groups rather than addresses, so the rule keeps matching after rebuilds. Together they decouple the security rule from dynamic IP addresses.

Exam trap

The trap here is that candidates often confuse Application Security Groups with Network Security Groups (NSGs) or think that static routes or service endpoints can solve dynamic IP addressing, when in fact ASGs are the correct Azure feature for grouping VMs by function regardless of IP changes.

143
MCQ (easy)

An employee accidentally deletes several folders from an Azure file share. The administrator must recover only those folders from yesterday, not roll back the whole share. What should the administrator use?

A. The latest Azure file share snapshot
B. The storage account access key
C. A shared access signature
D. A private endpoint to the storage account
Answer: A

A snapshot captures the share at a point in time and allows restoring only the needed folders.

Why this answer

Azure file share snapshots capture the state of the share at a point in time. By mounting a snapshot taken yesterday, the administrator can browse the snapshot's directory structure and copy only the deleted folders back to the live share, without affecting other files. This provides granular recovery without rolling back the entire share.

Exam trap

The trap here is that candidates might confuse snapshots with storage account failover or backup vaults, assuming that only a full restore is possible, when in fact snapshots allow granular, file-level recovery without affecting the current share state.

How to eliminate wrong answers

Option B is wrong because the storage account access key provides full administrative access to the entire storage account, but it cannot selectively recover individual folders from a previous point in time. Option C is wrong because a shared access signature (SAS) grants delegated, time-limited access to specific resources, but it does not provide any versioning or snapshot recovery capability. Option D is wrong because a private endpoint connects the storage account to a virtual network securely, but it offers no data recovery functionality.

144
MCQ (easy)

Help desk staff must start, stop, and restart virtual machines in one application resource group. They must not create or delete VMs or modify networking or disks. Which built-in role should you assign?

A. Reader
B. Virtual Machine Contributor
C. Virtual Machine Operator
D. Contributor
Answer: C

Virtual Machine Operator is the appropriate least-privilege choice for operational control of VMs. It allows actions such as starting, stopping, and restarting virtual machines without giving full management rights over creation, deletion, or related networking and disk resources. That makes it a better fit than broader contributor roles when the team only needs day-to-day operations.

Why this answer

The Virtual Machine Operator role allows starting, stopping, and restarting virtual machines, but explicitly denies creating, deleting, or modifying VMs, networking, or disks. This matches the help desk staff's required permissions exactly, making it the correct built-in role for this scenario.

Exam trap

The trap here is that candidates often choose Virtual Machine Contributor (Option B) because it sounds like it covers VM operations, but they overlook that it also includes create and delete permissions, which are explicitly prohibited in the question.

How to eliminate wrong answers

Option A is wrong because the Reader role provides read-only access to all resources, including VMs, but does not allow any start, stop, or restart actions. Option B is wrong because the Virtual Machine Contributor role allows full management of VMs, including creating and deleting them, which exceeds the required permissions. Option D is wrong because the Contributor role grants full access to manage all resources in the resource group, including networking and disks, which is too permissive for the help desk staff's needs.

145
MCQ (medium)

A company created a new spoke virtual network with the address space 10.40.1.0/24. The existing hub virtual network already uses 10.40.0.0/16. The administrator must peer the two VNets so resources can communicate normally. What must be changed before peering can succeed?

A. Create a route table on the spoke subnet before adding the peering.
B. Change the spoke VNet address space to a range that does not overlap the hub.
C. Enable gateway transit on the hub peering to permit overlapping spaces.
D. Add an NSG rule that allows traffic between the hub and spoke address spaces.
Answer: B

Azure virtual network peering requires non-overlapping IP address spaces on both sides. Because the spoke is using 10.40.1.0/24, which sits inside the hub's 10.40.0.0/16 range, peering cannot be created successfully. The administrator must renumber the spoke to a unique range before attempting the peering, then update any dependent subnet and DNS settings as needed.

Why this answer

Azure Virtual Network peering requires that the address spaces of the peered VNets do not overlap. The hub VNet uses 10.40.0.0/16, which includes the spoke's 10.40.1.0/24 range. Overlapping address spaces prevent successful peering because Azure cannot route traffic correctly between overlapping IP ranges.

Therefore, the spoke VNet address space must be changed to a non-overlapping range before peering can succeed.

Exam trap

The trap here is that candidates often confuse overlapping address spaces with connectivity issues that can be fixed by routing or security rules, but Azure strictly prohibits overlapping address spaces for VNet peering at the control plane level.

How to eliminate wrong answers

Option A is wrong because creating a route table on the spoke subnet does not resolve the fundamental address overlap issue; route tables control traffic flow within a VNet but cannot override the peering requirement for non-overlapping address spaces. Option C is wrong because gateway transit allows a spoke VNet to use the hub's VPN/ExpressRoute gateway, but it does not permit overlapping address spaces; Azure still enforces non-overlapping address spaces for peering regardless of gateway transit settings. Option D is wrong because NSG rules filter traffic at the subnet or NIC level but cannot fix the underlying routing conflict caused by overlapping IP ranges; peering itself will fail before any NSG rules come into effect.

146
MCQ (medium)

You need to deploy 20 identical Azure virtual machines for a web application and automatically scale the number of instances based on CPU demand. Which Azure feature should you use?

A. An availability set
B. A Virtual Machine Scale Set
C. A Recovery Services vault
D. Boot diagnostics
Answer: B

Scale Sets provide grouped VM deployment and autoscaling.

Why this answer

A Virtual Machine Scale Set (VMSS) is the correct Azure feature because it allows you to deploy and manage a group of identical, load-balanced VMs that can automatically scale in or out based on CPU demand using autoscale rules. This directly meets the requirement for deploying 20 identical VMs with automatic scaling based on a performance metric like CPU utilization.

Exam trap

The trap here is that candidates often confuse an availability set (which provides high availability through fault domain distribution) with a Virtual Machine Scale Set (which provides both high availability and automatic scaling), leading them to select Option A when the question explicitly requires automatic scaling based on demand.

How to eliminate wrong answers

Option A is wrong because an availability set is a logical grouping of VMs that protects against hardware failures within a datacenter by distributing VMs across fault domains and update domains, but it does not provide any automatic scaling capability based on CPU demand. Option C is wrong because a Recovery Services vault is used for backup and disaster recovery scenarios, such as Azure Backup and Azure Site Recovery, not for deploying or scaling virtual machines. Option D is wrong because boot diagnostics is a feature that captures serial console output and screenshots of a VM to help troubleshoot boot failures; it has no role in deploying multiple VMs or scaling them automatically.

147
MCQ (medium)

An administrator moved old log blobs to the Archive tier last month. An auditor now needs one blob for review later today. What must happen before the blob can be opened?

A. Download the blob directly from the Archive tier and open it immediately
B. Change the blob to Hot or Cool and wait for rehydration to complete
C. Create a snapshot of the blob and open the snapshot instead
D. Copy the blob to another container without changing its tier
Answer: B

Archived blobs must be rehydrated back to an online tier before their contents can be read.

Why this answer

Blobs in the Archive tier are offline: their contents cannot be read or downloaded, and a read request fails rather than returning data. To access the data you must first rehydrate the blob, either by changing its access tier to Hot or Cool (Set Blob Tier) or by copying it to a new blob in an online tier, which leaves the archived original in place. With Standard priority, rehydration can take up to 15 hours; High priority usually completes in under an hour for blobs smaller than 10 GB, which is the right choice when the auditor needs the file today. Only after the blob's archive status clears and its tier reads Hot or Cool can it be downloaded and opened. One caveat for this scenario: the blob was archived last month, so changing its tier before the 180-day minimum incurs a prorated early-deletion charge; copying it to a new online blob avoids that charge because the archived original remains.

Exam trap

The trap here is that candidates assume archived blobs are still readable like Cool or Hot tier blobs, or that a snapshot or copy operation can bypass the rehydration requirement, but Azure enforces that the data must be physically moved back to an online tier before any access is allowed.

How to eliminate wrong answers

Option A is wrong because blobs in the Archive tier are offline and cannot be downloaded or opened; a read request against an archived blob fails with HTTP 409 Conflict (BlobArchived) instead of returning data. Option C is wrong because a snapshot of an archived blob stays in the Archive tier and is just as inaccessible; snapshots are not a way around rehydration. Option D is wrong because a plain copy does not bring the data online: a Copy Blob whose source is archived must name an online tier (Hot or Cool) for the destination or it fails, and that copy is itself a rehydration that has to finish before the new blob can be read.
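The rehydrate-then-read sequence described above, written out as an added example (it is not code from the question bank). The decision logic is plain Python; the `rehydrate_and_wait` helper drives the Set Blob Tier operation through the azure-storage-blob v12 SDK, which is assumed to be installed and used with a credential that has blob data access. The account, container and blob names in the usage block are placeholders.

```python
"""Rehydrate an archived blob and wait until it is readable.

Added example, not part of the question bank. Pure decision logic plus a
small driver around the azure-storage-blob v12 SDK (assumption: installed,
credential has blob data access). Names in __main__ are placeholders.
"""
import time

ONLINE_TIERS = {"Hot", "Cool"}


def rehydration_action(blob_tier, archive_status):
    """Map a blob's properties to what must happen before it can be read.

    blob_tier:      'Hot', 'Cool' or 'Archive' (BlobProperties.blob_tier)
    archive_status: None, 'rehydrate-pending-to-hot' or
                    'rehydrate-pending-to-cool' (BlobProperties.archive_status)
    """
    if blob_tier in ONLINE_TIERS:
        return "readable"
    if blob_tier == "Archive":
        if archive_status and archive_status.startswith("rehydrate-pending"):
            return "wait"        # already requested; do not issue it again
        return "rehydrate"       # offline: change tier to Hot/Cool first
    raise ValueError(f"unexpected blob tier {blob_tier!r}")


def rehydrate_and_wait(blob_client, target_tier="Hot", priority="High",
                       poll_seconds=60, timeout_seconds=3600):
    """Request rehydration if needed and block until the blob is online.

    Set Blob Tier to Hot/Cool is the 'change the tier' step from the
    question. High priority usually finishes within an hour for blobs under
    10 GB; Standard can take up to 15 hours, so the default timeout here
    only makes sense for High. Returns the tier the blob ends up in.
    """
    props = blob_client.get_blob_properties()
    action = rehydration_action(props.blob_tier, props.archive_status)
    if action == "rehydrate":
        # rehydrate_priority accepts 'High' or 'Standard'.
        blob_client.set_standard_blob_tier(target_tier, rehydrate_priority=priority)
    deadline = time.monotonic() + timeout_seconds
    while action != "readable":
        if time.monotonic() > deadline:
            raise TimeoutError("rehydration still pending after the timeout")
        time.sleep(poll_seconds)
        props = blob_client.get_blob_properties()
        action = rehydration_action(props.blob_tier, props.archive_status)
    return props.blob_tier


if __name__ == "__main__":
    # Placeholder names (assumption). DefaultAzureCredential picks up a
    # managed identity or a developer login, so no account key is needed.
    from azure.identity import DefaultAzureCredential
    from azure.storage.blob import BlobClient

    client = BlobClient(
        account_url="https://<storage-account>.blob.core.windows.net",
        container_name="logs",
        blob_name="2024/app.log",
        credential=DefaultAzureCredential(),
    )
    tier = rehydrate_and_wait(client, target_tier="Hot", priority="High")
    print("blob is online in tier", tier)
    print(len(client.download_blob().readall()), "bytes downloaded")
```

Checking `archive_status` before calling Set Blob Tier matters: re-issuing the request on a blob that is already rehydrating is at best wasted work, and the poll loop is what turns "wait for rehydration" into something a script can rely on.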

148
Multi-Selecthard

A web app already reads blobs by using a managed identity. Security now requires blocking any future requests that use shared key authorization, while the app must continue to work without storing secrets. Which two changes should the administrator make? Select two.

Select 2 answers
A.Disable shared key access on the storage account.
B.Assign the managed identity a data-plane role such as Storage Blob Data Reader.
C.Replace the managed identity with a storage account key in the app settings.
D.Remove all network rules from the storage account.
E.Create a service SAS and embed it in the code.
AnswersA, B

Disabling shared key access prevents new requests from authenticating with account keys while leaving Entra-based access available.

Why this answer

Option A is correct because disabling shared key access (the account's allowSharedKeyAccess property) enforces the requirement: every request must then be authorized through Microsoft Entra ID (formerly Azure AD). Requests signed with the account keys are rejected, and so are account SAS and service SAS tokens, because those are signed with the account key; a user delegation SAS, which is signed with Entra credentials, keeps working. The setting blocks key-based requests but does not rotate or remove the keys themselves, so regenerate them if they may already have leaked. Option B is correct because Entra authorization to blob data requires a data-plane RBAC role such as Storage Blob Data Reader assigned on the account or a parent scope; control-plane roles such as Contributor manage the account but grant no access to blob contents, so an identity holding only those would start failing with 403 once shared key is off. Since the web app already authenticates with a managed identity, it keeps working with no secret in its configuration. Before flipping the setting, check the account's resource logs (the AuthenticationType field, with values such as AccountKey and SAS) for any other caller that still depends on shared key.

Exam trap

The trap here is that candidates assume disabling shared key access will break the app, overlooking that a managed identity with the right data-plane RBAC role authenticates through Entra ID, so the app keeps working with no keys or secrets.

How to eliminate wrong answers

Option C is wrong because it replaces a secretless identity with a stored account key, which is exactly the credential the requirement bans and which stops working once shared key access is disabled. Option D is wrong because network rules control where requests may come from, not how they are authorized; removing them widens exposure and does nothing about shared key. Option E is wrong because a service SAS is signed with the account key, so it is blocked together with the keys once shared key access is disabled, and embedding it in code stores a secret.
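A check a reviewer can run before and after the change, added here as an example and not part of the question bank: it inspects the storage account's allowSharedKeyAccess property and the identity's role assignments, treating only Storage Blob Data roles at or above the account as sufficient. The account record, principal IDs and role assignments are constructed to mirror the shape Azure Resource Manager returns; only the fields used are modelled and every ID is a placeholder (an assumption).

```python
"""Audit whether a storage account is Entra-only and whether a managed
identity can still read blobs once shared key access is disabled.

Added example, not code from the question bank. Records are constructed in
the shape Azure Resource Manager returns; only the fields used are modelled
and all IDs are placeholders (assumption).
"""

# Built-in roles that grant blob data-plane access through Entra ID.
# Control-plane roles (Owner, Contributor, Reader) manage the account but
# do not authorize reading blob contents.
BLOB_DATA_ROLES = {
    "Storage Blob Data Reader",
    "Storage Blob Data Contributor",
    "Storage Blob Data Owner",
}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-web"
ACCOUNT_ID = RG + "/providers/Microsoft.Storage/storageAccounts/stwebapp000"

# Constructed: the account after the administrator disables shared key access.
STORAGE_ACCOUNT = {"id": ACCOUNT_ID, "properties": {"allowSharedKeyAccess": False}}

WEB_APP_IDENTITY = "11111111-1111-1111-1111-111111111111"  # placeholder principalId
OTHER_IDENTITY = "22222222-2222-2222-2222-222222222222"    # placeholder principalId

# Constructed role assignments. The web app holds a data-plane role at the
# resource group, inherited by the account; the other identity only has
# Contributor on the account, which is control plane.
ROLE_ASSIGNMENTS = [
    {"principalId": WEB_APP_IDENTITY, "roleDefinitionName": "Storage Blob Data Reader", "scope": RG},
    {"principalId": OTHER_IDENTITY, "roleDefinitionName": "Contributor", "scope": ACCOUNT_ID},
]


def scope_covers(assignment_scope, resource_id):
    """RBAC inherits downward: an assignment applies to a resource when its
    scope is the resource itself or an ancestor (resource group, subscription).
    The '/' boundary stops 'stweb' from matching 'stwebapp000'."""
    scope = assignment_scope.lower().rstrip("/")
    resource = resource_id.lower()
    return resource == scope or resource.startswith(scope + "/")


def shared_key_disabled(account):
    # The property must be explicitly false; unset means Azure's default (allowed).
    return account.get("properties", {}).get("allowSharedKeyAccess") is False


def data_plane_roles_for(principal_id, account, assignments):
    """Blob data-plane roles the principal holds at or above the account."""
    return sorted(
        a["roleDefinitionName"]
        for a in assignments
        if a["principalId"] == principal_id
        and a["roleDefinitionName"] in BLOB_DATA_ROLES
        and scope_covers(a["scope"], account["id"])
    )


def assess(principal_id, account, assignments):
    """Return the findings a reviewer would act on. An empty list means the
    account rejects shared key and the identity can still read blobs."""
    findings = []
    if not shared_key_disabled(account):
        findings.append("allowSharedKeyAccess is not false: account keys and "
                        "key-signed SAS still authorize requests")
    if not data_plane_roles_for(principal_id, account, assignments):
        findings.append("identity holds no blob data-plane role in scope; "
                        "reads will fail with 403 under Entra-only access")
    return findings


if __name__ == "__main__":
    for name, pid in (("web app", WEB_APP_IDENTITY), ("other", OTHER_IDENTITY)):
        print(name, "->", assess(pid, STORAGE_ACCOUNT, ROLE_ASSIGNMENTS) or ["OK"])
```

In practice the two inputs come from `az storage account show` and `az role assignment list --assignee <principalId> --all`; the logic stays the same, and the second finding is the one that catches identities given Contributor instead of a Storage Blob Data role.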

149
Matchingmedium

Match each data-access pattern to the blob tier or required action.

Concepts and their matching descriptions

Hot: data that is accessed frequently
Cool: data that is accessed infrequently, with a 30-day minimum retention
Archive: data that is rarely accessed and stored offline, with a 180-day minimum retention
Rehydrate from Archive: the action required before an Archive blob can be read

Why these pairings

Azure Blob Storage access tiers are Hot (frequent access, highest storage cost, lowest access cost), Cool (infrequent access, 30-day minimum retention, with an early-deletion charge if the blob is moved or deleted sooner), and Archive (rare access, offline, 180-day minimum). Archive blobs must be rehydrated to Hot or Cool before their contents can be read. Azure File Sync is not a blob tier: it synchronizes on-premises Windows file servers with Azure Files shares and does not belong in these pairings.

150
MCQmedium

A subnet already has a user-defined default route (0.0.0.0/0) that sends all outbound traffic to a network virtual appliance. The administrator now needs traffic to the on-premises network 10.50.0.0/16 to use the VPN gateway instead of the appliance. What should be added to the route table?

A.Remove the default route so the system route to the VPN gateway is used
B.Add a user-defined route for 10.50.0.0/16 with next hop type Virtual network gateway
C.Change the subnet address space to a smaller CIDR block
D.Enable a service endpoint for the on-premises prefix
AnswerB

A more specific prefix takes precedence over the broader default route. By adding a route for 10.50.0.0/16 that points to the virtual network gateway, traffic to the on-premises network follows the gateway while all other destinations can still follow the default route to the appliance.

Why this answer

Option B is correct because adding a user-defined route (UDR) for the specific prefix 10.50.0.0/16 with next hop type 'Virtual network gateway' creates a more specific route (longest prefix match) than the existing default route (0.0.0.0/0). This ensures traffic destined for the on-premises network is forwarded to the VPN gateway instead of the network virtual appliance, while all other outbound traffic continues to use the appliance.

Exam trap

The trap here is that candidates assume removing the default route is necessary to force traffic through the VPN gateway, but they overlook that a more specific UDR for the on-premises prefix can coexist with the default route, allowing both paths to function correctly.

How to eliminate wrong answers

Option A is wrong because removing the default UDR does not send on-premises traffic to the gateway in a controlled way, and it has a security cost. With the UDR gone, Azure's system default route (0.0.0.0/0 to Internet) takes over, so all internet-bound traffic bypasses the network virtual appliance and the inspection it was there to provide. Whether 10.50.0.0/16 then reaches the gateway also depends on gateway route propagation being enabled on the route table, which is frequently disabled on subnets that force traffic through an appliance. Option C is wrong because changing the subnet address space does not affect routing decisions; next hops are chosen by longest prefix match on the destination, not by subnet size. Option D is wrong because service endpoints steer traffic to Azure PaaS services (for example Azure Storage or SQL) over the Azure backbone and apply only to those services' prefixes; they have nothing to do with routing to on-premises networks over a VPN gateway.
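The route selection described above, as an added example that is not part of the question bank: a small model of Azure's effective-route logic (longest prefix match first, then User over BGP over system routes for equal prefixes) run over a constructed route table matching the scenario. The VNet address space 10.0.0.0/16, the destination addresses and the route records are assumptions made for the demonstration; the next-hop type names are Azure's own.

```python
"""Model Azure effective-route selection for a subnet.

Added example, not from the question bank. Azure picks the longest matching
prefix; only among routes of equal prefix length does the origin decide
(user-defined beats BGP-learned beats system/default). The VNet range,
destinations and route records below are constructed for the demonstration.
"""
import ipaddress
from dataclasses import dataclass

SOURCE_PRIORITY = {"User": 0, "BGP": 1, "Default": 2}


@dataclass(frozen=True)
class Route:
    prefix: str          # destination CIDR
    next_hop: str        # Azure next hop type, e.g. "VirtualNetworkGateway"
    source: str = "User"  # "User" (UDR), "BGP" (gateway-propagated) or "Default"

    @property
    def network(self):
        return ipaddress.ip_network(self.prefix)


def select_route(routes, destination):
    """Return the effective Route for a destination IP, or None."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dst in r.network]
    if not candidates:
        return None
    # Longest prefix wins; on a tie, the lower source priority wins.
    return min(candidates,
               key=lambda r: (-r.network.prefixlen, SOURCE_PRIORITY[r.source]))


# Constructed system routes Azure creates for a VNet of 10.0.0.0/16 (assumption).
SYSTEM_ROUTES = [
    Route("10.0.0.0/16", "VirtualNetwork", "Default"),
    Route("0.0.0.0/0", "Internet", "Default"),
]

# Constructed route table from the question: everything to the NVA, plus the
# more specific on-premises prefix pointing at the VPN gateway (answer B).
ROUTE_TABLE = [
    Route("0.0.0.0/0", "VirtualAppliance", "User"),
    Route("10.50.0.0/16", "VirtualNetworkGateway", "User"),
]


def next_hop_for(destination, udrs=ROUTE_TABLE):
    """Effective next hop type for a destination given the subnet's UDRs."""
    route = select_route(SYSTEM_ROUTES + list(udrs), destination)
    return route.next_hop if route else None


if __name__ == "__main__":
    for ip in ("10.50.3.7", "52.168.1.1", "10.0.4.9"):
        print(f"{ip:>12} -> {next_hop_for(ip)}")
    # Option A: dropping the default UDR does not break outbound traffic; it
    # silently falls back to the system Internet route, bypassing the NVA.
    without_default = [r for r in ROUTE_TABLE if r.prefix != "0.0.0.0/0"]
    print("52.168.1.1 without the default UDR ->",
          next_hop_for("52.168.1.1", without_default))
```

Two things the model makes visible that the prose only states: the system route for the VNet's own range still wins over a 0.0.0.0/0 UDR because /16 is longer than /0, and a BGP-learned 10.50.0.0/16 from the gateway would beat the default UDR on prefix length alone, which is why force-tunnelled subnets usually also disable gateway route propagation.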
