AZ-104 (AZ-104) — Questions 151225

1170 questions total · 16pages · All types, answers revealed

Page 2

Page 3 of 16

Page 4
151
MCQeasy

Based on the exhibit, a compliance dashboard shows that several storage accounts are marked noncompliant because they do not have the required tag. The policy itself is correct, but one business unit needs a temporary exception for a single resource group during a merger. What should the administrator configure?

A.A policy exemption at the rg-merger01 resource group scope.
B.Delete the policy assignment from corp-root and recreate it later.
C.Move rg-merger01 to a separate subscription so the policy no longer applies.
D.Change the policy effect to Audit so the resources can remain noncompliant.
AnswerA

A policy exemption lets the administrator document and scope a temporary exception without disabling the policy for the rest of the environment. Because the request applies to one resource group for a limited time, an exemption at that scope is the cleanest governance solution.

Why this answer

A policy exemption at the rg-merger01 resource group scope is the correct solution because it allows the administrator to temporarily exclude a specific resource group from the policy's enforcement or compliance evaluation without modifying or deleting the original policy assignment. This is designed for scenarios like mergers where a short-term exception is needed, and it maintains the policy's integrity for all other scopes.

Exam trap

The trap here is that candidates often confuse a policy exemption with modifying the policy effect or scope, not realizing that exemptions are the only built-in mechanism to grant a temporary, scoped exception without affecting the rest of the environment.

How to eliminate wrong answers

Option B is wrong because deleting the policy assignment from corp-root would remove the policy from all resources under that root scope, not just rg-merger01, causing a broader compliance gap that would require manual re-creation later. Option C is wrong because moving rg-merger01 to a separate subscription is an overly complex and disruptive workaround that may break dependencies, incur additional management overhead, and does not address the temporary nature of the exception. Option D is wrong because changing the policy effect to Audit would make the policy non-enforcing for all resources under the assignment scope, not just rg-merger01, and would still mark resources as noncompliant without providing a true exception mechanism.

152
MCQeasy

Based on the exhibit, a contractor must be able to restart only one virtual machine named vm-pay-01 and read its properties. The contractor must not be able to manage any other VM in the resource group. Where should the role assignment be created?

A.At the subscription scope so the contractor inherits access everywhere in the subscription.
B.At the resource scope for vm-pay-01 so the contractor receives permissions only on that VM.
C.At the resource group scope because resource assignments cannot be applied to virtual machines.
D.At the management group scope so the same role can be reused for all payroll subscriptions.
AnswerB

Assigning the role at the specific virtual machine resource scope limits the contractor to that VM only. Because Azure RBAC permissions inherit downward, this is the narrowest scope that still allows restart and read operations on vm-pay-01 without exposing other resources in the resource group.

Why this answer

Option B is correct because Azure RBAC allows role assignments at the resource scope, which in this case is the virtual machine vm-pay-01. By assigning a role (e.g., Virtual Machine Contributor or a custom role with restart and read permissions) directly to the VM resource, the contractor receives permissions only on that specific VM, fulfilling the requirement to restrict access to other VMs in the resource group.

Exam trap

The trap here is that candidates often assume role assignments must be at the resource group or subscription scope, forgetting that Azure RBAC supports direct assignments at the individual resource scope, which is the most precise way to grant permissions to a single VM.

How to eliminate wrong answers

Option A is wrong because assigning the role at the subscription scope would grant the contractor permissions on all resources in the subscription, including all VMs in the resource group, violating the requirement to restrict access to only vm-pay-01. Option C is wrong because Azure RBAC supports role assignments at the resource scope (e.g., a specific virtual machine), so the statement that 'resource assignments cannot be applied to virtual machines' is factually incorrect. Option D is wrong because assigning the role at the management group scope would propagate permissions to all subscriptions under that management group, granting broader access than intended and making it impossible to isolate permissions to just vm-pay-01.

153
MCQmedium

An existing application in AppSubnet1 must access an Azure Storage account. The team does not want to add a private endpoint or change DNS records, but they do want to allow access only from AppSubnet1. Which configuration should the administrator use?

A.Enable the Microsoft.Storage service endpoint on AppSubnet1 and restrict the storage account to selected virtual networks.
B.Create a private endpoint and remove all public network access from the storage account.
C.Add a network security group rule that allows outbound TCP 443 to the storage account.
D.Enable peering between AppSubnet1 and the storage account network.
AnswerA

A service endpoint lets traffic from the subnet reach the storage account over the Azure backbone while the storage firewall can allow only that subnet. This matches the requirement to avoid private endpoints and DNS changes. The access is still limited to the approved subnet identity, which is what the storage firewall evaluates.

Why this answer

Option A is correct because enabling the Microsoft.Storage service endpoint on AppSubnet1 allows traffic from that subnet to be routed directly to the Azure Storage service over the Azure backbone network, bypassing the internet. By then restricting the storage account's firewall to 'selected virtual networks' and adding AppSubnet1's virtual network and subnet, access is limited exclusively to that subnet without needing a private endpoint or DNS changes.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, assuming both require DNS changes, or they mistakenly think NSG rules alone can restrict inbound access to a PaaS service, when in fact the storage account firewall must be explicitly configured to accept traffic only from the specified subnet.

How to eliminate wrong answers

Option B is wrong because creating a private endpoint requires adding a private IP to the storage account and modifying DNS records (either via Azure Private DNS or custom DNS), which the team explicitly wants to avoid. Option C is wrong because an NSG rule allowing outbound TCP 443 to the storage account does not restrict inbound access from AppSubnet1; it only controls outbound traffic from the subnet, and the storage account's public endpoint would still be reachable from any source unless the firewall is configured. Option D is wrong because VNet peering connects virtual networks, not subnets to storage accounts, and storage accounts are not part of a VNet; peering does not provide subnet-level access control to PaaS services.

154
MCQmedium

A workload in a VNet must connect to Azure SQL Database over a private IP address, and the database must not be reachable through its public endpoint. Users should still connect by using the normal server name. What should you configure?

A.A service endpoint on the subnet and a public firewall rule on the SQL server.
B.A private endpoint for Azure SQL Database and a private DNS zone linked to the VNet.
C.A network security group rule that denies all public internet traffic to the subnet.
D.A NAT gateway on the subnet so the SQL connection uses a private source address.
AnswerB

A private endpoint assigns a private IP from the VNet to the Azure SQL resource, which keeps traffic off the public endpoint. Linking the appropriate private DNS zone to the VNet ensures the normal server name resolves to the private IP. This gives private connectivity and keeps application configuration simple.

Why this answer

Option B is correct because a private endpoint assigns Azure SQL Database a private IP address from the VNet, making it accessible over a private connection. By creating a private DNS zone linked to the VNet, the normal server name resolves to that private IP, allowing users to connect without using the public endpoint. This configuration ensures the database is not reachable via its public endpoint while maintaining name-based connectivity.

Exam trap

The trap here is that candidates confuse service endpoints with private endpoints, assuming a service endpoint alone provides private IP connectivity, when in fact it only provides source network identity and does not remove public endpoint exposure.

How to eliminate wrong answers

Option A is wrong because a service endpoint only extends the VNet identity to the SQL service but does not assign a private IP; the database remains reachable via its public endpoint, and a public firewall rule would still allow public access. Option C is wrong because an NSG rule denying all public internet traffic to the subnet does not prevent the SQL database from being accessed via its public endpoint from outside the subnet; it only controls traffic within the subnet. Option D is wrong because a NAT gateway provides outbound connectivity with a private source address but does not enable inbound private connectivity to Azure SQL Database; the database would still be accessed via its public endpoint.

155
MCQmedium

A cloud operations team in the Corp business unit needs to read all Azure resources in every current and future subscription under the Corp management group to prepare monthly governance reports. They must not gain access to subscriptions that belong to other business units. What scope should the administrator use when assigning the Reader role?

A.Subscription scope
B.Resource group scope
C.Management group scope
D.Resource scope
AnswerC

This scope lets the Reader role inherit to all subscriptions currently under the Corp management group and to new subscriptions moved there later.

Why this answer

The Reader role assigned at the management group scope grants read-only access to all subscriptions within that management group, including future subscriptions, because Azure RBAC permissions are inherited by child resources. This meets the requirement to cover all current and future subscriptions under the Corp management group while excluding subscriptions in other business units.

Exam trap

The trap here is that candidates often choose subscription scope because they think each subscription needs a separate role assignment, failing to realize that management group scope provides inheritance to all current and future subscriptions under that management group.

How to eliminate wrong answers

Option A is wrong because assigning the Reader role at the subscription scope would only grant access to a single subscription, not all current and future subscriptions under the Corp management group. Option B is wrong because resource group scope limits access to a single resource group, failing to cover all resources across multiple subscriptions. Option D is wrong because resource scope restricts access to a single resource, which is far too granular for the team's need to read all resources across multiple subscriptions.

156
Matchingmedium

An administrator is comparing Azure monitoring data sources and destinations during an investigation. Match each item to the best operational use.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Shows subscription-level management events such as deployments, deletes, and role assignments.

Provide detailed, service-specific telemetry from an Azure resource after diagnostics are enabled.

Capture near-real-time numeric measurements used for charts and threshold-based alerts.

Stores data that can be searched and correlated with KQL queries.

Provides official Azure platform incident and maintenance information.

Why these pairings

Activity Log tracks management events; Metrics provide numeric performance data; Logs workspace enables cross-resource log analysis; Application Insights monitors app performance; Alerts trigger notifications; Workbooks combine data into dashboards.

157
MCQmedium

Two application teams created separate VNets for independent workloads. VNet-A uses 10.40.0.0/16 and VNet-B uses 10.40.128.0/17. The teams want to peer the VNets so both apps can communicate privately. What should the administrator do first?

A.Create the peering now and add a route table to one VNet later.
B.Renumber one VNet so its address space no longer overlaps before creating the peering.
C.Add an NSG rule that allows traffic between the two address ranges.
D.Enable gateway transit on both VNets so overlapping ranges can route through a shared gateway.
AnswerB

Azure VNet peering requires non-overlapping address spaces. The administrator must change one network to a unique prefix before attempting the peering. Route tables, NSGs, and DNS settings do not solve the fundamental address conflict.

Why this answer

B is correct because Azure VNet peering requires non-overlapping address spaces. VNet-A (10.40.0.0/16) and VNet-B (10.40.128.0/17) overlap, as 10.40.128.0/17 is a subset of 10.40.0.0/16. Before peering can be established, one VNet must be renumbered to eliminate the overlap; otherwise, the peering creation will fail with an error indicating overlapping address spaces.

Exam trap

The trap here is that candidates assume overlapping ranges can be handled with routing or filtering (NSGs, route tables, or gateways), but Azure VNet peering strictly requires non-overlapping address spaces and will reject the peering creation outright.

How to eliminate wrong answers

Option A is wrong because creating the peering now will fail immediately due to overlapping address spaces; adding a route table later does not resolve the fundamental conflict. Option C is wrong because NSG rules control traffic filtering, not address space overlap; overlapping ranges prevent peering from being established at all, regardless of NSG configuration. Option D is wrong because gateway transit does not resolve overlapping address spaces; it allows a peered VNet to use a VPN gateway, but the underlying address space conflict still prevents peering from being created.

158
MCQmedium

You need to grant an external partner temporary read access to a single blob in an Azure storage account without giving access to the account key. What should you create?

A.A storage account access key
B.A shared access signature (SAS)
C.A resource lock
D.A private endpoint
AnswerB

A SAS provides scoped, time-limited access to the specific blob.

Why this answer

A shared access signature (SAS) is the correct solution because it provides delegated, time-limited access to a specific Azure storage resource (such as a single blob) without exposing the storage account key. You can configure the SAS with read-only permissions, an expiration time, and apply it to a specific blob URL, meeting the requirement for temporary external read access.

Exam trap

The trap here is that candidates often confuse a shared access signature with a storage account access key, mistakenly thinking the key can be shared for temporary access, or they incorrectly assume a resource lock or private endpoint can control data access permissions.

How to eliminate wrong answers

Option A is wrong because a storage account access key grants full administrative access to the entire storage account, not temporary or scoped access to a single blob, and sharing it violates the principle of least privilege. Option C is wrong because a resource lock prevents accidental deletion or modification of a resource but does not grant any access permissions or control read access to data. Option D is wrong because a private endpoint provides secure network connectivity to the storage account over a private IP address, but it does not grant data access permissions or provide temporary, scoped access to a specific blob.

159
MCQeasy

A production application runs on three Azure VMs in a region that supports availability zones. The business wants the application to remain available if one datacenter in the region fails. What should the administrator use?

A.An availability set
B.Availability zones
C.A managed disk snapshot
D.A proximity placement group
AnswerB

Availability zones place VMs in separate datacenters within the same Azure region. If one datacenter or zone fails, the VMs in the remaining zones can continue running. This is the correct choice when the requirement is resilience against a zone-level or datacenter-level outage.

Why this answer

Availability zones are physically separate datacenters within an Azure region, each with independent power, cooling, and networking. Deploying the three VMs across different zones ensures that if one datacenter fails, the application remains available because the other zones continue to operate. This directly meets the requirement for resilience against a single datacenter failure.

Exam trap

The trap here is that candidates often confuse availability sets (which protect against rack-level failures) with availability zones (which protect against datacenter-level failures), leading them to choose the wrong option when the question specifies a full datacenter failure.

How to eliminate wrong answers

Option A is wrong because an availability set protects against failures within a single datacenter (e.g., rack or update domain failures) but does not provide resilience if an entire datacenter fails. Option C is wrong because a managed disk snapshot is a point-in-time backup of a disk, not a high-availability mechanism; it cannot keep the application running during a datacenter outage. Option D is wrong because a proximity placement group is used to co-locate VMs for low network latency, not to distribute them for fault tolerance, and it offers no protection against a datacenter failure.

160
Matchingeasy

Match each Azure VM access feature to the task it supports.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Runs a script on a VM without opening inbound management ports.

Installs software or applies configuration during VM provisioning.

Lets users sign in to a VM with Entra identities.

Resets local administrator credentials or SSH configuration on a VM.

Why these pairings

Azure Bastion provides secure RDP/SSH without public IP; JIT restricts port access; NSGs filter traffic; Azure AD authentication enables identity-based login; Private Link ensures private connectivity; Firewall offers centralized control.

161
MCQmedium

You need to notify the operations team by email when average CPU utilization on VM-App01 exceeds 80 percent for 15 minutes. Which Azure Monitor components should you configure?

A.A metric alert and an action group
B.An activity log alert only
C.A resource lock and Azure Advisor
D.A budget alert
AnswerA

The metric alert detects the threshold breach and the action group sends the email.

Why this answer

A metric alert monitors a specific performance metric (like CPU utilization) and triggers when a threshold is exceeded for a defined duration. An action group defines the notification action (e.g., sending an email) when the alert fires. Together, they meet the requirement to email the operations team when average CPU exceeds 80% for 15 minutes.

Exam trap

The trap here is confusing metric alerts (for performance data) with activity log alerts (for resource operations), leading candidates to choose an activity log alert when the requirement is about a performance metric like CPU utilization.

How to eliminate wrong answers

Option B is wrong because an activity log alert monitors changes to Azure resources (e.g., VM creation or deletion), not performance metrics like CPU utilization. Option C is wrong because a resource lock prevents accidental deletion or modification of resources, and Azure Advisor provides optimization recommendations; neither monitors CPU thresholds or sends email notifications. Option D is wrong because a budget alert monitors Azure spending against a cost budget, not VM performance metrics.

162
MCQmedium

You need to deploy 20 identical Azure virtual machines that host the same web application. The solution must support automatic scale-out based on CPU usage and should minimize administrative overhead. What should you deploy?

A.20 individual virtual machines in the same resource group.
B.A Virtual Machine Scale Set.
C.An availability set.
D.Azure Container Instances.
AnswerB

VM Scale Sets provide a managed group of identical VMs with autoscaling support.

Why this answer

A Virtual Machine Scale Set (VMSS) is the correct choice because it automates the deployment and management of identical VMs, supports autoscaling based on CPU usage metrics, and minimizes administrative overhead by handling VM creation, load balancing, and scaling policies as a single resource. This aligns with the requirement for 20 identical VMs with automatic scale-out based on CPU usage.

Exam trap

The trap here is that candidates often confuse an availability set (which provides high availability but no scaling) with a scale set (which provides both scaling and high availability), or they mistakenly think deploying individual VMs in a resource group is simpler, ignoring the requirement for automatic scale-out and reduced administrative overhead.

How to eliminate wrong answers

Option A is wrong because deploying 20 individual VMs in the same resource group does not provide automatic scale-out based on CPU usage; each VM must be managed separately, and scaling would require manual intervention or custom scripting, increasing administrative overhead. Option C is wrong because an availability set is designed to protect against hardware failures and updates by distributing VMs across fault and update domains, but it does not provide any autoscaling capability or reduce administrative overhead for deploying identical VMs. Option D is wrong because Azure Container Instances (ACI) is a container orchestration service for running individual containers, not for managing identical VMs; it does not support VM-level autoscaling based on CPU usage and is not suitable for deploying virtual machines.

163
MCQeasy

A workload subnet must send all outbound internet traffic through a network virtual appliance at 10.4.2.4. What should the administrator configure?

A.An NSG rule that allows outbound traffic to 10.4.2.4.
B.A route table with a user-defined route sending 0.0.0.0/0 to 10.4.2.4.
C.A private DNS zone for the subnet.
D.A service endpoint for the virtual network.
AnswerB

A default route in a user-defined route table forces all internet-bound traffic to the appliance as the next hop.

Why this answer

Option B is correct because a user-defined route (UDR) with a destination of 0.0.0.0/0 and a next hop of Virtual Appliance (10.4.2.4) overrides the default system route for internet traffic, forcing all outbound traffic from the subnet to be forwarded to the network virtual appliance (NVA) for inspection or NAT. This is the standard method to implement forced tunneling or centralized internet egress in Azure.

Exam trap

The trap here is that candidates confuse NSG rules with routing: an NSG can block or allow traffic, but it cannot change the path traffic takes, so they incorrectly choose Option A thinking a permit rule will force traffic through the appliance.

How to eliminate wrong answers

Option A is wrong because an NSG rule controls traffic that is allowed or denied at the subnet or NIC level, but it does not change the routing path; traffic to 10.4.2.4 would still use the default route unless a UDR is applied. Option C is wrong because a private DNS zone is used for custom domain name resolution within a virtual network, not for controlling outbound internet traffic routing. Option D is wrong because a service endpoint provides direct, optimized connectivity to Azure PaaS services (e.g., Azure Storage, SQL Database) over the Azure backbone, but it does not redirect general internet traffic through an NVA.

164
MCQmedium

A DevOps pipeline runs on an on-premises build server and must deploy ARM templates to a resource group in Azure without using a user password. The server is not in Azure, so managed identity is not available. What should the administrator create?

A.A system-assigned managed identity on the build server.
B.A user-assigned managed identity attached to the on-premises server.
C.A service principal for the pipeline, with certificate-based or federated authentication.
D.A shared access signature for the target resource group.
AnswerC

An on-premises build server cannot use Azure managed identity directly, so the correct approach is to create a service principal and grant it the required RBAC permissions. Using certificate-based or federated authentication avoids storing a user password and supports secure non-interactive deployment from outside Azure.

Why this answer

Option C is correct because the on-premises build server cannot use Azure managed identities (which require an Azure resource). Instead, a service principal with certificate-based or federated authentication provides a secure, passwordless identity for the pipeline to authenticate to Azure AD and deploy ARM templates. This aligns with the principle of using Azure AD application credentials for non-Azure workloads.

Exam trap

The trap here is that candidates assume managed identities can be used on any server, but Azure restricts them to Azure-hosted resources, forcing the use of service principals for on-premises scenarios.

How to eliminate wrong answers

Option A is wrong because a system-assigned managed identity can only be created on an Azure resource (e.g., an Azure VM), not on an on-premises server. Option B is wrong because a user-assigned managed identity also requires an Azure resource to host it; attaching it to an on-premises server is not supported. Option D is wrong because a shared access signature (SAS) is a delegation token for specific Azure storage resources (e.g., blobs, queues), not for authenticating to Azure AD or deploying ARM templates to a resource group.

165
Multi-Selecteasy

A user deleted a single document from a backed-up Windows VM. Which two Azure Backup actions are appropriate if only that file must be recovered? Select two.

Select 2 answers
A.Use file recovery from the backup point
B.Mount the recovery point and copy the file back
C.Recreate the VM in another region
D.Change the VM size
E.Disable the backup policy
AnswersA, B

File recovery lets you retrieve individual files from a backup point without restoring the whole VM.

Why this answer

Option A is correct because Azure Backup provides file-level recovery for Windows VMs via the 'File Recovery' option in the Recovery Services vault. This allows you to mount the recovery point as a drive on the VM (using iSCSI) and directly copy the deleted file back to its original location without restoring the entire VM. Option B is also correct because mounting the recovery point (via the same file recovery process) and copying the file back is the exact mechanism used; the two options describe the same action from different perspectives.

Exam trap

The trap here is that candidates may think file recovery requires a full VM restore or that mounting the recovery point is a separate, unsupported action, when in fact both options describe the same Azure Backup feature.

166
MCQmedium

A Windows VM must automatically run a setup script after provisioning to install an agent, create a folder, and write configuration files. The administrator wants the script to be delivered through Azure management and run without a human signing in. What should be used?

A.Custom Script Extension
B.Availability set
C.Azure Load Balancer
D.Route table
AnswerA

Custom Script Extension can download and run setup commands on the VM after provisioning without interactive login.

Why this answer

The Custom Script Extension (CSE) is the correct Azure feature to automatically run a setup script on a Windows VM after provisioning. It downloads and executes scripts from Azure Storage or GitHub, runs as the local system account, and requires no user sign-in, making it ideal for post-deployment configuration like installing agents and writing files.

Exam trap

The trap here is that candidates may confuse the Custom Script Extension with VM-level configuration tools like Desired State Configuration (DSC) or automation accounts, but the question specifically asks for a simple script delivery method that runs without human sign-in, which CSE directly provides.

How to eliminate wrong answers

Option B is wrong because an availability set is a logical grouping of VMs to provide high availability across fault and update domains, not a mechanism to run scripts. Option C is wrong because Azure Load Balancer distributes incoming network traffic across multiple VMs and cannot execute scripts on a VM. Option D is wrong because a route table controls network traffic routing via user-defined routes and has no capability to run scripts or perform configuration tasks.

167
Multi-Selectmedium

An app on a VM must connect to Azure SQL Database without using the public endpoint. The database name must resolve to a private IP inside the VNet, and public network access should be disabled. Which two actions should the administrator take? Select two.

Select 2 answers
A.Create a private endpoint for the Azure SQL server in the VNet.
B.Link the private DNS zone for the SQL private link domain to the VNet.
C.Enable a service endpoint for Microsoft.Sql on the subnet.
D.Grant the VM's managed identity Reader on the SQL server.
E.Keep public network access enabled and restrict the firewall to the VNet.
AnswersA, B

A private endpoint gives the SQL service a private IP address inside the VNet for private access.

Why this answer

Option A is correct because a private endpoint assigns the Azure SQL Database server a private IP address from the VNet, allowing the VM to connect without using the public endpoint. This ensures traffic stays within the Microsoft backbone and the database name resolves to a private IP inside the VNet.

Exam trap

The trap here is confusing service endpoints with private endpoints: service endpoints keep the public endpoint active and only add a network-level route, while private endpoints completely remove public exposure by assigning a private IP and requiring DNS reconfiguration.

168
MCQeasy

A single Azure virtual machine must read blobs from a storage account without storing any passwords, keys, or connection strings. The identity should be removed automatically if the VM is deleted. Which option should you use?

A.Storage account access key, because it is the simplest authentication method.
B.System-assigned managed identity, because it is tied to that VM.
C.Shared access signature, because it always removes the need for identity management.
D.User-assigned managed identity, because it is deleted automatically with the VM.
AnswerB

A system-assigned managed identity is attached directly to one Azure resource, such as a VM, and is automatically removed when that resource is deleted.

Why this answer

System-assigned managed identity is tied directly to the lifecycle of the Azure VM. When the VM is deleted, the identity is automatically removed. It allows the VM to authenticate to Azure Storage without storing any credentials, using Azure AD tokens obtained via the Azure Instance Metadata Service (IMDS).

Exam trap

The trap here is that candidates often confuse user-assigned managed identities with system-assigned ones, assuming user-assigned identities are also automatically deleted with the VM, when in fact they are independent resources that must be manually cleaned up.

How to eliminate wrong answers

Option A is wrong because storage account access keys are static secrets that must be stored in code or configuration, violating the requirement to avoid storing passwords, keys, or connection strings. Option C is wrong because a shared access signature (SAS) is a token that can be generated without identity management but still requires the SAS token to be stored or passed securely, and it does not automatically remove access when the VM is deleted. Option D is wrong because user-assigned managed identity is not automatically deleted with the VM; it is a standalone Azure resource that persists independently until explicitly removed.

169
Matchingmedium

Match each Azure VM administration requirement on the left with the most appropriate Azure CLI command on the right. Use each answer once.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

az vm deallocate

az vm redeploy

az vm resize

az snapshot create

az vm disk attach

Why these pairings

Azure CLI commands for VM administration: 'az vm create' deploys, 'az vm resize' changes size, 'az vm start/stop/restart' controls state, and 'az vm delete' removes the VM.

170
MCQmedium

Based on the exhibit, which Azure Policy effect should be used so new resources without an Environment tag are blocked at deployment time?

A.Audit
B.Append
C.Deny
D.Disabled
AnswerC

Deny stops the deployment when the condition is not met, which is exactly what is needed to block resources missing the required tag.

Why this answer

The Deny effect (Option C) is the correct choice because it actively blocks any deployment that does not meet the policy rule—in this case, resources lacking an Environment tag. When a policy with Deny is assigned, Azure Resource Manager evaluates the request during deployment and rejects it with a 403 (Forbidden) status if the condition is not satisfied, preventing the resource from being created entirely.

Exam trap

The trap here is that candidates often confuse 'Audit' with 'Deny' because both can report non-compliance, but only Deny actively prevents the deployment, whereas Audit merely logs the violation without blocking it.

How to eliminate wrong answers

Option A (Audit) is wrong because it only generates a warning log entry for non-compliant resources without blocking the deployment; the resource would still be created. Option B (Append) is wrong because it adds missing tags or values after deployment but does not prevent the resource from being created; it modifies the resource post-creation. Option D (Disabled) is wrong because it renders the policy ineffective, allowing all resources to be deployed regardless of tags.

171
MCQmedium

A VM-based app must upload invoices to a blob container every hour. Security prohibits storing account keys or SAS tokens on the VM. The app should authenticate with Microsoft Entra ID and be allowed only to write blobs in one container. What should you configure?

A.Create an account SAS token and store it in the VM's application settings.
B.Enable a managed identity on the VM and assign Storage Blob Data Contributor at the container scope.
C.Assign Reader on the storage account so the VM can reach the container securely.
D.Grant Storage Account Contributor at the subscription scope so the app can manage all storage resources.
AnswerB

A managed identity lets the VM authenticate to Azure Storage through Microsoft Entra ID without storing credentials on the server. Assigning Storage Blob Data Contributor at the container scope gives the app the ability to upload and modify blob data only where needed. This is the least-privilege approach and aligns with secure operational practice for Azure administrators.

Why this answer

Option B is correct because enabling a managed identity on the VM allows the app to authenticate with Microsoft Entra ID without storing any secrets. Assigning the Storage Blob Data Contributor role at the container scope grants the VM’s managed identity the minimum required permission to write blobs only to that specific container, adhering to the principle of least privilege.

Exam trap

The trap here is that candidates often confuse the Reader role (which only allows read access to the storage account's control plane) with the ability to write data, or they incorrectly assume that a broad role like Storage Account Contributor is acceptable because it 'covers' the storage account, ignoring the security constraint and the need for data-plane permissions at the container scope.

How to eliminate wrong answers

Option A is wrong because storing an account SAS token in the VM's application settings violates the security requirement that prohibits storing account keys or SAS tokens on the VM. Option C is wrong because the Reader role on the storage account only allows read access to the account's metadata and configuration, not write access to blobs in a container. Option D is wrong because granting Storage Account Contributor at the subscription scope provides far too broad permissions, allowing the app to manage all storage resources across the subscription, which violates the principle of least privilege and does not restrict write access to a single container.

172
MCQhard

A finance operations team manages virtual machines in RG-App. They must start, stop, deallocate, and view VM properties for any VM in that resource group. They must not be able to delete VMs, read NIC settings, or manage disks. What should the administrator do?

A.Assign the built-in Virtual Machine Contributor role at the subscription scope.
B.Create a custom role with only the required VM actions and assign it at the RG-App scope.
C.Assign the built-in Reader role at the RG-App scope and let the team use portal buttons.
D.Assign the built-in Contributor role at the resource group scope.
AnswerB

This limits permissions to the exact VM operations needed and confines access to RG-App only.

Why this answer

Option B is correct because the required permissions (start, stop, deallocate, view properties) are a subset of the built-in Virtual Machine Contributor role, but that role also includes delete and other management actions. A custom role allows you to grant only the specific Microsoft.Compute/virtualMachines/start/action, Microsoft.Compute/virtualMachines/deallocate/action, and Microsoft.Compute/virtualMachines/read permissions, while explicitly excluding delete, NIC read, and disk management actions. Assigning this custom role at the RG-App scope ensures the team can manage VMs without broader access.

Exam trap

The trap here is that candidates often assume the built-in Virtual Machine Contributor role is sufficient because it covers VM management, but they overlook that it includes delete and other broader permissions that must be explicitly excluded via a custom role.

How to eliminate wrong answers

Option A is wrong because the built-in Virtual Machine Contributor role at subscription scope grants permissions to delete VMs, read NIC settings, and manage disks, which violates the requirement to prevent those actions. Option C is wrong because the built-in Reader role only allows read operations (Microsoft.Compute/virtualMachines/read) and does not include start, stop, or deallocate actions, so the team cannot perform those operations via portal buttons or any other method. Option D is wrong because the built-in Contributor role at the resource group scope includes full management permissions, including delete, read NIC settings, and manage disks, which exceeds the required permissions and violates the restriction.

173
Multi-Selecteasy

Which two statements about a Log Analytics workspace are correct? Select two.

Select 2 answers
A.It can store logs collected from Azure resources
B.It supports KQL queries
C.It creates backups of Azure virtual machines
D.It assigns permissions to Azure resources at scope
E.It blocks resource creation that violates a rule
AnswersA, B

The workspace is a central store for logs ingested from Azure services and devices.

Why this answer

Option A is correct because a Log Analytics workspace is a centralized repository that can ingest and store log data from various Azure resources, including virtual machines, Azure Activity logs, and resource diagnostics, enabling monitoring and analysis. Option B is correct because Log Analytics workspaces support Kusto Query Language (KQL) queries, which allow users to perform complex searches, aggregations, and visualizations on the stored log data.

Exam trap

The trap here is that candidates often confuse the monitoring and log storage capabilities of Log Analytics workspaces with other Azure services like Azure Backup, Azure Policy, or RBAC, leading them to select options that describe those separate services instead.

174
MCQhard

A production VM must generate an alert when average CPU exceeds 80 percent for 10 minutes. The alert must be evaluated continuously, but email notifications should be suppressed outside 08:00 to 18:00 on weekdays. What should the administrator configure?

A.A log query alert only, with the query scheduled to run during business hours
B.A metric alert rule with an action group and an alert processing rule that suppresses actions outside business hours
C.A diagnostic setting that sends CPU logs to a storage account and a Logic App for email delivery
D.An action group with an email receiver and a virtual machine extension to pause the workload outside business hours
AnswerB

A metric alert keeps evaluating all day and night, while an alert processing rule can mute notifications during the excluded time window without disabling detection.

Why this answer

Option B is correct because it combines a metric alert rule (which continuously evaluates the CPU threshold) with an alert processing rule that suppresses notifications outside business hours. The metric alert rule evaluates every minute by default, meeting the 'continuously evaluated' requirement, while the alert processing rule (formerly action rule) allows you to suppress actions based on a schedule without altering the alert rule itself.

Exam trap

The trap here is that candidates often confuse alert processing rules with action group schedules or diagnostic settings, failing to realize that alert processing rules are the correct mechanism to suppress notifications based on time without altering the alert rule's evaluation frequency.

How to eliminate wrong answers

Option A is wrong because a log query alert runs on a scheduled interval (e.g., every 5 minutes) and does not provide continuous evaluation; it also cannot natively suppress notifications based on time of day without additional logic. Option C is wrong because sending CPU logs to a storage account and using a Logic App for email delivery adds unnecessary complexity and latency, and does not provide the built-in continuous evaluation and suppression capabilities of metric alerts and alert processing rules. Option D is wrong because an action group with an email receiver and a VM extension to pause the workload does not address the requirement to suppress email notifications outside business hours; pausing the workload is an overreaction and not a suppression mechanism.

175
MCQmedium

A hub-and-spoke environment uses a DNS server VM in the hub VNet at 10.8.0.4 to resolve internal names such as app01.corp.local. The spoke VNet can reach hub VMs by IP after peering, but name resolution still fails from the spoke. What should the administrator configure so VMs in the spoke use the hub DNS server?

A.Add an inbound NSG rule on the spoke subnet to allow UDP and TCP 53 to 10.8.0.4.
B.Configure the spoke VNet to use 10.8.0.4 as a custom DNS server.
C.Create a service endpoint for Microsoft.Storage on the spoke subnet.
D.Add a user-defined route for 10.8.0.4/32 pointing to the virtual network gateway.
AnswerB

A spoke VNet can inherit DNS behavior from a custom DNS setting on the VNet itself. Once the spoke VNet is configured to use 10.8.0.4, its VMs will send name-resolution queries to the hub DNS server over the peering connection. This is the right fix when direct IP connectivity works but internal names do not resolve.

Why this answer

Option B is correct because in Azure, a spoke VNet must explicitly be configured with a custom DNS server address to use a non-default DNS resolver. By setting the spoke VNet's DNS server to 10.8.0.4, all VMs in the spoke will send their DNS queries to that hub VM, resolving internal names like app01.corp.local. Without this configuration, the spoke VNet uses Azure-provided DNS, which cannot resolve custom private DNS zones hosted on the hub VM.

Exam trap

The trap here is that candidates assume VNet peering automatically forwards DNS queries to the hub's DNS server, but peering only provides IP-level connectivity, not DNS configuration; the spoke VNet must be explicitly set to use the custom DNS server address.

How to eliminate wrong answers

Option A is wrong because an NSG rule on the spoke subnet is unnecessary; the hub DNS server VM already accepts inbound traffic on UDP/TCP 53 from peered VNets by default, and NSGs do not control DNS server assignment. Option C is wrong because a service endpoint for Microsoft.Storage is used to secure Azure Storage access to a VNet, not to configure DNS resolution or forward queries to a custom DNS server. Option D is wrong because a user-defined route for 10.8.0.4/32 pointing to the virtual network gateway is irrelevant; DNS traffic to the hub VM uses the peering connection, not a gateway, and UDRs do not change the DNS server configuration of the spoke VNet.

176
MCQmedium

A backend VM must accept TCP 8443 only from the web tier. The subnet NSG already has a deny-all inbound rule at priority 200. The administrator adds an allow rule for the web tier at priority 300, but the connection still fails. What should be changed?

A.Change the allow rule to a lower priority number than 200.
B.Change the allow rule protocol from TCP to Any.
C.Move the VM to a different subnet so the rule can apply.
D.Add a route table entry for TCP 8443 to bypass the NSG.
AnswerA

NSG rules are processed in priority order, where the lowest number wins. The allow rule must be evaluated before the deny-all rule to permit the traffic.

Why this answer

Azure Network Security Groups (NSGs) process rules in priority order, with lower numbers evaluated first. The existing deny-all inbound rule at priority 200 is evaluated before the new allow rule at priority 300, so the deny rule blocks the traffic before the allow rule can be considered. To permit TCP 8443 from the web tier, the allow rule must have a priority number lower than 200 (e.g., 100) so it is evaluated first and allows the traffic.

Exam trap

The trap here is that candidates often assume higher priority numbers (like 300) override lower numbers (like 200), but in Azure NSGs, lower priority numbers are evaluated first, so a deny rule with a lower number will block traffic before a higher-numbered allow rule is ever checked.

How to eliminate wrong answers

Option B is wrong because changing the protocol from TCP to Any does not resolve the priority ordering issue; the deny rule at priority 200 would still block all inbound traffic regardless of protocol. Option C is wrong because moving the VM to a different subnet does not change the fact that the subnet's NSG still has a deny-all rule at priority 200 that would block the traffic; the NSG is applied at the subnet level, not per VM. Option D is wrong because route tables control traffic routing (next hop) and cannot bypass NSG rules; NSGs are stateful firewalls that are evaluated independently of routing, and a route table entry cannot override an NSG deny rule.

177
MCQmedium

Based on the exhibit, what should the administrator do to meet the performance requirement without rebuilding the server?

A.Attach an additional data disk and move the application binaries to it.
B.Resize the VM to a larger SKU that provides more vCPU and RAM.
C.Redeploy the VM from a different marketplace image.
D.Place the VM in an availability set to spread processing across hosts.
AnswerB

Resizing a VM is the standard way to increase compute capacity while preserving the existing OS disk and installed applications. The exhibit shows sustained high CPU and memory pressure, so moving to a larger size such as a higher D-series SKU addresses the bottleneck directly. This avoids rebuilding the server and keeps the workload on the same VM configuration with more resources.

Why this answer

Resizing the VM to a larger SKU with more vCPU and RAM directly addresses the performance requirement by providing additional compute and memory resources to the existing server without requiring a rebuild. This is the correct approach because the VM's current SKU is insufficient for the workload, and Azure allows resizing within the same hardware family or to a compatible series, preserving the OS and application state.

Exam trap

The trap here is that candidates confuse performance scaling with high availability or storage optimization, mistakenly choosing to add a data disk or use an availability set when the real need is to increase compute capacity.

How to eliminate wrong answers

Option A is wrong because moving application binaries to an additional data disk improves storage I/O performance but does not increase vCPU or RAM, which are the likely bottlenecks for a performance issue. Option C is wrong because redeploying the VM from a different marketplace image would replace the OS and applications, effectively rebuilding the server, which contradicts the requirement to avoid a rebuild. Option D is wrong because placing the VM in an availability set provides high availability by distributing replicas across fault domains, but it does not increase the resources of the existing single VM and does not address performance constraints.

178
Multi-Selecteasy

A VM-hosted app needs to upload blobs without storing a storage account key or password on the VM. Which two authentication options meet this requirement? Select two.

Select 2 answers
A.System-assigned managed identity
B.User-assigned managed identity
C.Storage account access key in an application setting
D.Shared access signature token saved on the VM
E.Anonymous public access to the container
AnswersA, B

A system-assigned managed identity lets the VM authenticate to Azure services without a stored secret.

Why this answer

System-assigned managed identity (Option A) is correct because it allows the VM to authenticate to Azure Blob Storage without storing any credentials on the VM. When enabled, Azure automatically creates a service principal in Azure AD for the VM, and the VM can obtain an access token from the Azure Instance Metadata Service (IMDS) endpoint (169.254.169.254) to authenticate to storage. This eliminates the need for any storage account key or password on the VM.

Exam trap

The trap here is that candidates may confuse 'not storing a key or password on the VM' with 'using a credential that is stored elsewhere on the VM' — for example, a SAS token saved in a file or an access key in an app setting still counts as a stored credential, while managed identities provide credential-less authentication via Azure AD tokens.

179
MCQmedium

A security team requires all outbound traffic from a subnet to pass through an Azure Firewall at 10.1.0.4, including internet-bound traffic from the VMs. What should the administrator configure?

A.Assign a NAT gateway to the subnet and leave the default routing in place.
B.Create a route table with a 0.0.0.0/0 route to 10.1.0.4 and associate it with the subnet.
C.Enable service endpoints for the subnet so outbound traffic stays private.
D.Deploy a public IP on each VM and use NSG rules to inspect the traffic.
AnswerB

Forced tunneling is implemented with a user-defined route that sends the default route to a virtual appliance. By creating a 0.0.0.0/0 UDR that points to the Azure Firewall’s private IP and associating that route table with the subnet, all outbound traffic is steered through the firewall. This is the standard design when the firewall must inspect internet-bound traffic.

Why this answer

Option B is correct because creating a route table with a default route (0.0.0.0/0) pointing to the Azure Firewall private IP (10.1.0.4) and associating it with the subnet forces all outbound traffic, including internet-bound traffic, to be routed through the firewall. This ensures the firewall can inspect and control all egress traffic as required by the security team.

Exam trap

The trap here is that candidates often confuse NAT gateways or service endpoints as solutions for routing traffic through a firewall, but neither provides the forced routing and inspection required; only a UDR with a default route to the firewall's private IP achieves this.

How to eliminate wrong answers

Option A is wrong because a NAT gateway provides outbound connectivity with source network address translation but does not route traffic through a firewall for inspection; it bypasses the firewall entirely. Option C is wrong because service endpoints enable private access to Azure services over the Microsoft backbone, not internet-bound traffic, and do not route traffic through a firewall. Option D is wrong because assigning public IPs to VMs and using NSG rules allows direct outbound internet access without firewall inspection; NSGs are stateful packet filters, not a routing or inspection solution like Azure Firewall.

180
MCQmedium

Based on the exhibit, web servers can reach a backend VM only after it is added to a specific group. What should the administrator change to allow the traffic to match the existing NSG rule?

A.Add api01's NIC to ASG-Api.
B.Move the deny rule to priority 100.
C.Change the source of the allow rule from ASG-Web to VirtualNetwork.
D.Place api01 in the same subnet as web01.
AnswerA

The NSG rule is already written to permit traffic from ASG-Web to ASG-Api on TCP 8443. The backend NIC is not in the destination ASG, so the allow rule never matches. Adding api01 to ASG-Api makes the existing rule effective without broadening access to the entire subnet.

Why this answer

The exhibit shows that the NSG rule allows traffic from ASG-Web to ASG-Api. Since web01 is in ASG-Web, traffic from web01 to api01 is only permitted if api01 is a member of ASG-Api. Adding api01's NIC to ASG-Api ensures the destination matches the NSG rule, allowing the traffic.

Exam trap

The trap here is that candidates may think subnet placement or rule priority is the issue, but the core concept is that ASG membership must match the rule's destination to allow traffic.

How to eliminate wrong answers

Option B is wrong because moving the deny rule to priority 100 would block all traffic, including the desired traffic from web01 to api01, as it would be evaluated before the allow rule. Option C is wrong because changing the source from ASG-Web to VirtualNetwork would allow traffic from any resource in the virtual network, not just web servers, which is overly permissive and does not address the specific requirement of matching the existing rule. Option D is wrong because placing api01 in the same subnet as web01 does not affect NSG rule matching; NSG rules are evaluated based on the NIC's application security group membership, not subnet placement.

181
MCQmedium

An operations team must apply three related policies to all subscriptions in a department: require a cost-center tag, allow only approved locations, and block certain VM SKUs. They want to assign and track these rules as one unit. What should they create?

A.A single Azure Policy definition containing all three rules.
B.An Azure Policy initiative.
C.A management group with no policy assignments.
D.An RBAC custom role with deny permissions.
AnswerB

An initiative groups multiple policy definitions so they can be assigned, monitored, and managed together. This is ideal when several compliance rules must be applied consistently across multiple subscriptions. It also simplifies reporting because the team can evaluate one assignment instead of several separate ones.

Why this answer

An Azure Policy initiative is a collection of policy definitions designed to group related policies together for assignment and tracking as a single unit. By creating an initiative, the operations team can assign all three rules (cost-center tag, allowed locations, blocked VM SKUs) to all subscriptions in a department and track compliance at the initiative level, simplifying management and reporting.

Exam trap

The trap here is that candidates may think a single policy definition can contain multiple rules (Option A), but Azure Policy requires each definition to enforce one specific condition or effect, and grouping multiple rules requires an initiative.

How to eliminate wrong answers

Option A is wrong because a single Azure Policy definition can only contain one policy rule; it cannot combine multiple distinct rules like tag enforcement, location restrictions, and VM SKU blocking into one definition. Option C is wrong because a management group with no policy assignments does not enforce any rules; it is merely a container for organizing subscriptions and cannot apply or track the required policies. Option D is wrong because an RBAC custom role with deny permissions controls access to Azure resources (who can perform actions) but does not enforce resource-level compliance rules like required tags, allowed locations, or blocked VM SKUs; policy-based governance is separate from role-based access control.

182
Multi-Selecthard

A bootstrap script must install software on three VMs, then download configuration files from Blob Storage. Security forbids secrets in templates or scripts, and the same authentication method must work after the VMs are rebuilt. Which two choices should you make? Select two.

Select 2 answers
A.Assign a user-assigned managed identity and attach it to each VM.
B.Store the storage account access key in a script variable.
C.Use a Custom Script Extension to run the bootstrap commands at provisioning.
D.Create a separate local administrator account for the script to use.
E.Embed a SAS token directly in the Bicep parameters file.
AnswersA, C

A user-assigned managed identity can be reused across multiple VMs and survives VM rebuilds because it is a separate Azure resource. That makes it ideal when the same identity must work for several machines over time.

Why this answer

Option A is correct because a user-assigned managed identity provides a secure, credential-free authentication method that persists across VM rebuilds. Unlike system-assigned managed identities, which are tied to a specific VM lifecycle and are lost when the VM is deleted, a user-assigned identity is a standalone Azure resource that can be reassigned to new VMs. This allows the bootstrap script to authenticate to Azure Blob Storage via Azure AD without storing any secrets, satisfying the security constraint.

Exam trap

The trap here is that candidates often confuse system-assigned managed identities (which are tied to the VM lifecycle and lost on deletion) with user-assigned managed identities (which persist independently), leading them to incorrectly assume that managed identities cannot survive a VM rebuild.

183
MCQmedium

A storage account hosts blobs used by a public website. You need to reduce the risk of accidental deletion by developers while allowing updates to existing blobs. What should you configure?

A.Enable blob soft delete.
B.Enable immutable storage for the container.
C.Move the account to premium performance.
D.Enable static website hosting only.
AnswerA

This retains deleted blobs for recovery while allowing normal blob updates.

Why this answer

Blob soft delete protects against accidental deletion by retaining deleted blobs for a specified retention period, allowing recovery. This meets the requirement to reduce risk from developers while still permitting updates to existing blobs, as soft delete only applies to delete operations, not overwrites.

Exam trap

The trap here is that candidates confuse blob soft delete with immutable storage, assuming both prevent deletion, but immutable storage also blocks updates, which violates the requirement to allow modifications to existing blobs.

How to eliminate wrong answers

Option B is wrong because immutable storage prevents any modification or deletion of blobs during the policy period, which blocks the required ability to update existing blobs. Option C is wrong because moving to premium performance (Azure Premium Block Blob Storage) does not provide any deletion protection; it only offers consistent low-latency and higher IOPS for workloads like high-transaction applications. Option D is wrong because enabling static website hosting only configures a container for serving static content via a web endpoint; it does not implement any deletion safeguards or versioning.

184
MCQmedium

An application writes transaction logs to a storage account in a region that supports availability zones. The business wants the account to stay available if one datacenter or zone fails, but it does not need a secondary region replica. Which redundancy option should you choose?

A.LRS, because it keeps three copies within a single datacenter and is enough for any zone failure.
B.ZRS, because it replicates synchronously across zones in the same region and survives a zone outage.
C.GRS, because it adds a geographically replicated secondary region for disaster recovery.
D.RA-GRS, because read access to the secondary region is the best protection against a zone failure.
AnswerB

ZRS keeps data synchronously replicated across multiple availability zones within one region. That design helps the storage account remain available when a zone or datacenter becomes unavailable, which matches the requirement. It avoids the added complexity and cost of geo-replication because a secondary region is not required.

Why this answer

B is correct because Zone-Redundant Storage (ZRS) synchronously replicates data across three Azure availability zones within the same region. This design ensures that if one datacenter or zone fails, the storage account remains available and durable without requiring a secondary region replica, exactly matching the business requirement.

Exam trap

The trap here is that candidates often confuse LRS's three-copy replication within one datacenter as sufficient for zone failures, not realizing that a zone can contain multiple datacenters and LRS does not span zones, while ZRS is specifically designed for zone-level resilience.

How to eliminate wrong answers

Option A is wrong because LRS (Locally Redundant Storage) keeps three copies within a single datacenter; it cannot survive a full zone failure since an entire zone may contain multiple datacenters, and LRS does not span zones. Option C is wrong because GRS (Geo-Redundant Storage) adds a secondary region replica, which is unnecessary and more expensive when only zone-level resilience is needed. Option D is wrong because RA-GRS (Read-Access Geo-Redundant Storage) also involves a secondary region and provides read access there, but it does not address zone failures within the primary region and introduces unnecessary geo-replication cost and complexity.

185
Multi-Selecthard

A production Azure VM farm runs customer-facing APIs. Operations wants an automatic notification when the average Percentage CPU on any VM stays above 85 percent for 10 minutes, and the notification must reach both email and SMS recipients. Which two Azure Monitor items must be configured? Select two.

Select 2 answers
A.Metric alert rule
B.Action group
C.Diagnostic setting
D.Workbook
E.Service health alert
AnswersA, B

Metric alert rules evaluate numeric platform metrics and trigger when thresholds are crossed.

Why this answer

A Metric alert rule is correct because it monitors the 'Percentage CPU' metric on Azure VMs and can trigger when the average value exceeds 85% for a duration of 10 minutes. This rule evaluates the metric over a specified time window and fires an alert based on the threshold condition, meeting the requirement for automatic notification based on performance metrics.

Exam trap

The trap here is that candidates often confuse a Metric alert rule with a Diagnostic setting, thinking that streaming metrics to a destination automatically triggers notifications, or they mistakenly select a Service health alert because they associate 'notification' with Azure service health, not VM-level performance.

186
MCQmedium

Based on the exhibit, the OS disk on a production VM is corrupted, but the VM must stay in place and keep its NIC and data disks. Which restore option should you choose?

A.Restore the VM as a new virtual machine and delete the existing one immediately.
B.Restore the disk, then attach or swap it as needed to repair the existing VM.
C.Use Azure Monitor to roll back the last deployment automatically.
D.Enable a diagnostic setting on the VM so the OS disk will be repaired.
AnswerB

When the VM still exists but one disk is corrupted, restoring the disk is the correct approach. It lets you recover the damaged OS disk from a backup point and then attach or swap it without rebuilding the VM identity, NIC, or data disk layout. This is a common recovery pattern for targeted repair.

Why this answer

Option B is correct because when an OS disk is corrupted, you can restore just the disk from a recovery point and then either attach it as a data disk to the existing VM or swap the OS disk. This approach preserves the VM's NIC, data disks, and IP configuration, meeting the requirement to keep the VM in place.

Exam trap

The trap here is that candidates often confuse Azure Monitor with Azure Backup or Site Recovery, assuming monitoring can perform recovery actions, when in fact only backup-based disk restoration can repair a corrupted OS disk while keeping the VM in place.

How to eliminate wrong answers

Option A is wrong because restoring the VM as a new virtual machine and deleting the existing one would change the VM's identity, potentially losing the NIC and data disk attachments, and does not keep the VM in place. Option C is wrong because Azure Monitor is a monitoring and alerting service, not a deployment rollback tool; it cannot automatically roll back a deployment or repair a corrupted OS disk. Option D is wrong because diagnostic settings on a VM only collect logs and metrics; they do not have any capability to repair a corrupted OS disk.

187
MCQeasy

Based on the exhibit, an Azure VM must read secrets from Azure Key Vault during startup. No passwords, certificates, or client secrets may be stored on the VM. What should you configure?

A.Assign a user-assigned managed identity to the VM so it can be shared later.
B.Enable a system-assigned managed identity on the VM.
C.Create a service principal and store its client secret in the VM configuration.
D.Use a shared access signature in the startup script to authenticate to Key Vault.
AnswerB

A system-assigned managed identity is the best fit because it gives the VM an Azure identity without storing secrets on the machine. It is tied directly to that VM, so it is easy to create, use, and automatically remove when the VM is deleted. This matches the requirement for startup access to Key Vault and avoids any embedded credentials.

Why this answer

A system-assigned managed identity is the correct choice because it is tied directly to the VM's lifecycle, requires no credential storage, and can authenticate to Azure Key Vault without any secrets stored on the VM. When enabled, Azure automatically creates a service principal in Azure AD for the VM, and the VM can request an access token from the Azure Instance Metadata Service (IMDS) endpoint (169.254.169.254) to access Key Vault secrets. This satisfies the requirement of no passwords, certificates, or client secrets on the VM.

Exam trap

The trap here is that candidates often confuse managed identities with service principals or shared access signatures, mistakenly thinking that a client secret or SAS token is needed for authentication, when in fact managed identities eliminate the need for any stored credentials.

How to eliminate wrong answers

Option A is wrong because a user-assigned managed identity is not required for a single VM and adds unnecessary complexity; it is designed for scenarios where the identity must be shared across multiple resources, not for a single VM's startup secret retrieval. Option C is wrong because storing a client secret in the VM configuration violates the explicit requirement that no passwords, certificates, or client secrets may be stored on the VM, and it introduces a security risk. Option D is wrong because a shared access signature (SAS) is used for granting delegated access to Azure Storage resources, not for authenticating to Azure Key Vault; Key Vault uses Azure AD authentication (OAuth 2.0) and does not support SAS tokens.

188
MCQmedium

A security team needs to grant and remove RBAC access for a set of operators on resources in one resource group, but those operators must not create, modify, or delete the resources themselves. Which built-in role should be assigned?

A.Reader, because it is the most restrictive role available.
B.Contributor, because it can manage resources and role assignments together.
C.User Access Administrator at the resource group scope.
D.Tag Contributor, because role management and tagging are both governance tasks.
AnswerC

User Access Administrator is the built-in role designed for managing access permissions without granting broad resource management rights. At the resource group scope, it lets the security team add and remove RBAC assignments for that group while avoiding direct control over the workload resources themselves. This matches least privilege much better than Owner or Contributor.

Why this answer

Option C is correct because the User Access Administrator role at the resource group scope grants the ability to manage RBAC role assignments for other users on resources within that resource group, but it does not grant permissions to create, modify, or delete the resources themselves. This meets the security team's requirement to grant and remove access without allowing resource management.

Exam trap

The trap here is that candidates often confuse the Contributor role (which can manage resources but not role assignments) with the User Access Administrator role, or mistakenly think the Reader role is sufficient for managing access, when in fact only roles with Microsoft.Authorization/roleAssignments/write can grant or remove RBAC assignments.

How to eliminate wrong answers

Option A is wrong because the Reader role only allows read-only access to resources and cannot grant or remove RBAC assignments for other users. Option B is wrong because the Contributor role allows full management of resources (create, modify, delete) but does not include the permission to manage role assignments (Microsoft.Authorization/roleAssignments/write). Option D is wrong because the Tag Contributor role only allows management of resource tags and does not include any permissions to manage RBAC role assignments.

189
MCQeasy

An administrator accidentally deletes a VM backup item from a Recovery Services vault. The company wants a built-in protection feature that helps recover the deleted backup item during the retention window. Which feature is this?

A.Archive tier
B.Availability zones
C.Private endpoint
D.Soft delete
AnswerD

Soft delete keeps a deleted backup item recoverable for a period of time, giving administrators a safety net after accidental deletion.

Why this answer

Soft delete is a built-in protection feature for Azure Recovery Services vaults that preserves deleted backup data for an additional 14 days (default retention period) after deletion. When a backup item is accidentally deleted, soft delete retains the data in a 'soft deleted' state, allowing administrators to recover it within the retention window before permanent deletion occurs. This feature is enabled by default for new vaults and helps prevent data loss from accidental or malicious deletions.

Exam trap

The trap here is that candidates may confuse soft delete with other data protection features like archive tier or private endpoint, not realizing that soft delete is specifically designed to recover accidentally deleted backup items within the retention window.

How to eliminate wrong answers

Option A is wrong because Archive tier is a backup storage tier for long-term retention of infrequently accessed data, not a feature for recovering deleted backup items. Option B is wrong because Availability zones are a high-availability infrastructure feature that protects Azure resources from datacenter failures, not a backup recovery mechanism. Option C is wrong because Private endpoint provides secure connectivity to the Recovery Services vault over a private IP address in a virtual network, not a data recovery feature for deleted backups.

190
MCQmedium

An application running on a VM in a subnet must access an Azure Storage account. The security team wants the storage account to accept traffic only from that subnet, but they do not want a private IP address in the VNet and they do not want to change DNS records. What should the administrator configure?

A.Create a private endpoint and a private DNS zone for the storage account.
B.Enable a service endpoint for Microsoft.Storage on the subnet and restrict the storage firewall to that subnet.
C.Allow access only from the VM public IP address.
D.Place the storage account in the same resource group as the VM.
AnswerB

A service endpoint extends the subnet identity to the Azure Storage service without creating a private IP address in the VNet. It also avoids DNS changes because clients continue to use the normal public endpoint name, while the storage firewall can be configured to allow only the selected subnet. This matches the requirement for subnet-only access while keeping the service on its public endpoint architecture.

Why this answer

Option B is correct because a service endpoint for Microsoft.Storage allows the subnet to send traffic to the storage account over the Azure backbone network using the storage account's public endpoint, without requiring a private IP address or DNS changes. The storage firewall then restricts access to only that subnet's traffic, meeting the security team's requirements.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, assuming that any restriction to a VNet requires a private IP address, but service endpoints achieve subnet-level restriction using the public endpoint without private IPs or DNS changes.

How to eliminate wrong answers

Option A is wrong because a private endpoint assigns a private IP address to the storage account within the VNet, which violates the requirement to not use a private IP address, and it also requires a private DNS zone to resolve the storage account's FQDN to that private IP, which the team does not want. Option C is wrong because allowing access only from the VM's public IP address does not restrict traffic to the subnet; the VM's public IP can change (e.g., if the VM is deallocated) and does not represent the subnet, plus it exposes the storage account to the internet from that IP. Option D is wrong because placing the storage account in the same resource group as the VM has no effect on network access control; resource groups are logical containers and do not enforce network security.

191
MCQmedium

Based on the exhibit, which subnet prefix is the smallest that can support the planned resources in Azure?

A./27
B./26
C./25
D./24
AnswerB

A /26 provides 64 addresses, which is enough after Azure reserves five addresses.

Why this answer

The subnet prefix /26 provides 64 IP addresses per subnet (2^(32-26) = 64), of which 59 are usable after Azure reserves 5 addresses (first 4 and last 1). The planned resources require 50 IP addresses, so /26 is the smallest prefix that meets this requirement without waste. A /27 would only provide 32 total addresses (27 usable), which is insufficient.

Exam trap

The trap here is that candidates often forget Azure reserves 5 IP addresses per subnet (not just 3 like on-premises) and incorrectly calculate usable addresses, leading them to choose /27 thinking 32 addresses are enough when only 27 are usable.

How to eliminate wrong answers

Option A (/27) is wrong because it provides only 32 total IP addresses (27 usable after Azure reservations), which cannot support the 50 required IP addresses. Option C (/25) is wrong because while it provides 128 total IP addresses (123 usable), it is larger than necessary and not the smallest prefix that meets the requirement. Option D (/24) is wrong because it provides 256 total IP addresses (251 usable), which is far larger than needed and not the smallest possible prefix.

192
MCQhard

An analytics platform stores daily export files in Azure Blob Storage. The business wants the storage account to survive a failure of any one availability zone and also keep a replicated copy in a paired region for disaster recovery. No one needs to read from the secondary region unless a disaster recovery event occurs. Which redundancy option should be used?

A.ZRS
B.GRS
C.GZRS
D.RA-GRS
AnswerC

GZRS is designed for workloads that need both zone resilience and geo-replication without requiring read access to the secondary region. It keeps the primary copy spread across zones in the region and replicates that data to a paired region for disaster recovery. That matches the requirement exactly.

Why this answer

C is correct because GZRS (Geo-Zone-Redundant Storage) combines zone-redundant storage (ZRS) within the primary region, ensuring the storage account survives any single availability zone failure, with geo-redundant replication to a paired region for disaster recovery. The secondary region copy is read-only unless a failover is initiated, matching the requirement that no one reads from the secondary region unless a disaster recovery event occurs.

Exam trap

The trap here is that candidates often confuse GZRS with RA-GZRS, assuming that geo-redundant storage always provides read-access to the secondary region, but GZRS does not—only RA-GZRS does, and the question explicitly states no one needs to read from the secondary region unless a disaster recovery event occurs.

How to eliminate wrong answers

Option A is wrong because ZRS provides zone-level redundancy within a single region but does not replicate data to a paired region, failing the disaster recovery requirement. Option B is wrong because GRS replicates data to a paired region but uses LRS within the primary region, meaning a single availability zone failure could cause data loss or unavailability in the primary region. Option D is wrong because RA-GRS offers read-access to the secondary region at all times, which violates the requirement that no one reads from the secondary region unless a disaster recovery event occurs.

193
MCQmedium

Based on the exhibit, the Prod management group contains three subscriptions that host application workloads. An operations group must be able to read all current and future resources in those Prod subscriptions, but it must not have access to Sandbox. Where should you assign the Reader role?

A.Assign Reader to OpsGroup at the Corp management group.
B.Assign Reader to OpsGroup at the Prod management group.
C.Assign Reader to OpsGroup at one application resource group in AppSub1.
D.Assign Reader to OpsGroup at each subscription individually.
AnswerB

Assigning at the Prod management group gives inherited read access to every subscription, resource group, and resource under Prod. It also automatically applies to future subscriptions added under Prod, while keeping Sandbox out of scope.

Why this answer

Assigning the Reader role at the Prod management group scope ensures that OpsGroup inherits read permissions to all current and future subscriptions and resources within that management group, while excluding the Sandbox subscription which is outside the Prod hierarchy. This leverages Azure RBAC inheritance, where roles assigned at a management group propagate to all child subscriptions and resource groups, meeting the requirement for a single assignment that covers all Prod workloads without granting access to Sandbox.

Exam trap

The trap here is that candidates often choose subscription-level assignments (Option D) because they think it's more precise, but they miss the requirement for future resources and the efficiency of a single management group assignment that automatically covers new subscriptions.

How to eliminate wrong answers

Option A is wrong because assigning Reader at the Corp management group would grant OpsGroup read access to all subscriptions under Corp, including Sandbox, violating the requirement to exclude Sandbox. Option C is wrong because assigning Reader at a single resource group in AppSub1 would only grant access to that specific resource group, not to all current and future resources across all three Prod subscriptions. Option D is wrong because assigning Reader at each subscription individually would work but is inefficient and does not automatically cover future subscriptions added to the Prod management group, requiring manual updates.

194
MCQmedium

A company wants development and production workloads for the same application to have separate budgets, separate subscription administrators, and different access controls. The central IT team still wants to apply the same security policies to both environments. What is the best design?

A.Use one subscription and separate the environments with tags only
B.Use one management group and two resource groups, one for dev and one for prod
C.Create a separate subscription for dev and prod, then place both subscriptions under the same management group
D.Put production in a management group and development in a resource group
AnswerC

Separate subscriptions provide billing and admin boundaries, while the management group allows central policy and governance to be applied consistently to both environments.

Why this answer

Option C is correct because it uses separate subscriptions for development and production, which provides independent budget tracking, subscription-level role assignments, and separate administrators. Placing both subscriptions under the same management group allows the central IT team to apply consistent Azure Policy and RBAC security policies across both environments via the management group hierarchy, ensuring governance without compromising isolation.

Exam trap

The trap here is that candidates often confuse resource groups with management groups, thinking that resource groups can provide the same policy inheritance and administrative isolation as subscriptions, but resource groups lack subscription-level billing separation and independent RBAC administration.

How to eliminate wrong answers

Option A is wrong because tags alone cannot enforce separate budgets, subscription administrators, or access controls; tags are metadata for resource organization and cost reporting, not a security boundary. Option B is wrong because resource groups within a single subscription share the same subscription-level administrators and budget, and cannot provide the required separation of administrative control. Option D is wrong because a management group is a container for subscriptions, not for individual workloads, and placing production in a management group with development in a resource group is architecturally invalid and provides no isolation or policy enforcement.

195
Multi-Selectmedium

A Windows VM needs a one-time command run immediately after deployment, and a second VM must automatically install an agent and copy configuration files during provisioning. Which two Azure compute features should the administrator use? Select two.

Select 2 answers
A.Run Command
B.Custom Script Extension
C.Azure Monitor agent
D.Azure Policy assignment
E.Azure Bastion
AnswersA, B

Executes a command on a running VM without interactive sign-in.

Why this answer

Run Command (A) is correct because it allows a one-time command to be executed immediately on a Windows VM after deployment, without requiring any agent or extension. Custom Script Extension (B) is correct because it enables automated installation of an agent and copying of configuration files during VM provisioning by running a script (e.g., PowerShell or Bash) as part of the deployment process.

Exam trap

The trap here is that candidates confuse Azure Monitor agent (a data-collection tool) with the ability to run scripts or install software, or they think Azure Policy can execute commands, when in fact it only audits or enforces configurations.

196
Matchingeasy

Match each blob tier or protection feature to the correct description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Best for data accessed frequently and kept immediately available.

Best for infrequently accessed data that still remains online.

Stores data offline and requires rehydration before it can be read.

Moves archived data back to an online tier so it can be accessed again.

Helps prevent modification or deletion for a retention period.

Why these pairings

The hot, cool, and archive tiers differ in access frequency and cost structure. Soft delete, immutable storage, and point-in-time restore are protection features that prevent data loss or tampering.

197
Multi-Selectmedium

A developer wants to keep application data separate from the operating system so the VM can be rebuilt without losing files. Before making a risky change, the administrator also wants a fast rollback point for that data disk. Which two actions should the administrator take? Select two.

Select 2 answers
A.Store the application data on a separate managed data disk
B.Create a snapshot of the data disk before the change
C.Use an ephemeral OS disk for the application files
D.Keep the files only on the OS disk and rely on reimaging
E.Delete and recreate the VM from the same image
AnswersA, B

Keeps data independent from the OS disk and VM rebuild process.

Why this answer

Option A is correct because storing application data on a separate managed data disk decouples the data from the OS disk. This allows the VM to be rebuilt or reimaged without affecting the application files, as the data disk persists independently. Option B is correct because a snapshot of the data disk provides a point-in-time, crash-consistent backup that can be used to quickly restore the data disk to its pre-change state, enabling fast rollback without needing to rebuild the entire VM.

Exam trap

The trap here is that candidates often confuse ephemeral OS disks with persistent data disks, mistakenly thinking ephemeral disks can retain data across VM rebuilds, or they overlook that a snapshot is the only fast rollback mechanism for a data disk, unlike VM reimaging or deletion.

198
MCQhard

Traffic from Subnet-App to the internet is being routed through a virtual appliance unexpectedly. You need to identify which route is being applied to the network interface of VM-App01. Which Azure feature should you use?

A.Effective routes for the network interface
B.NSG flow logs
C.Azure Policy compliance
D.The subscription activity log
AnswerA

Effective routes display the actual routing behavior applied to the VM NIC.

Why this answer

Effective routes for the network interface (NIC) shows the actual routes applied to a specific VM's NIC after evaluating all route tables, virtual network gateway routes, and BGP routes. Since traffic from Subnet-App to the internet is unexpectedly going through a virtual appliance, you need to see which route (e.g., a user-defined route with next hop type VirtualAppliance or VirtualNetworkGateway) is being selected based on the longest prefix match. This tool directly displays the effective next hop for each destination prefix, allowing you to identify the misconfigured route causing the traffic to be redirected.

Exam trap

The trap here is that candidates confuse NSG flow logs (which show traffic filtering) with effective routes (which show routing decisions), leading them to pick NSG flow logs when the question is about path selection rather than security rule evaluation.

How to eliminate wrong answers

Option B (NSG flow logs) is wrong because NSG flow logs record allowed or denied traffic flows based on network security group rules, not the routing path or next hop decisions; they cannot show which route is applied. Option C (Azure Policy compliance) is wrong because Azure Policy evaluates resource compliance against defined policies (e.g., tagging, allowed locations), not the effective routing configuration of a NIC. Option D (The subscription activity log) is wrong because the activity log tracks control-plane operations (e.g., creating a route table), not the data-plane routing state or the effective routes currently applied to a NIC.

199
MCQmedium

Based on the exhibit, the backup policy must support 30-day recovery for daily backups while keeping 12 months of monthly copies. Which setting should be changed?

A.Increase daily retention from 7 days to 30 days.
B.Increase weekly retention from 4 weeks to 30 weeks.
C.Change the backup schedule to every 30 days.
D.Turn on archive tier for the backup policy.
AnswerA

The requirement is specifically about being able to recover recent daily backups for 30 days. Increasing the daily retention period directly satisfies that need without changing the already acceptable monthly retention.

Why this answer

The backup policy currently has daily retention set to 7 days, which only keeps daily recovery points for a week. To meet the requirement of 30-day recovery for daily backups, you must increase the daily retention to 30 days. This ensures that each daily backup is retained for 30 days, allowing point-in-time recovery within that window.

Exam trap

The trap here is that candidates may confuse retention duration with backup frequency or assume that archive tier extends retention, when in fact archive tier only changes storage tier without altering the retention count.

How to eliminate wrong answers

Option B is wrong because increasing weekly retention from 4 weeks to 30 weeks would retain weekly backups for 30 weeks, but the requirement is for daily backups to be recoverable for 30 days, not weekly backups. Option C is wrong because changing the backup schedule to every 30 days would only create one backup every 30 days, which fails the requirement for daily backups. Option D is wrong because turning on archive tier moves older backups to cold storage for long-term retention, but it does not change the retention duration of daily backups; it only affects cost and access latency, not the recovery window.

200
MCQmedium

A finance department shares a resource group containing a critical VM and a storage account. Administrators must still be able to update settings and apply patches, but no one should accidentally delete the resources. Which lock should be applied at the resource group level?

A.ReadOnly lock, because it is the most restrictive option.
B.CanNotDelete lock.
C.A policy assignment that denies delete operations.
D.No lock, because RBAC permissions already prevent deletion.
AnswerB

CanNotDelete is the appropriate lock when administrators must continue making changes but want to prevent accidental deletion. Applied at the resource group level, it protects the VM and storage account from removal while allowing normal management operations to continue.

Why this answer

The CanNotDelete lock (option B) is correct because it prevents users from deleting the resource group or its resources, while still allowing read and update operations. This meets the requirement that administrators can update settings and apply patches, but accidental deletion is blocked. ReadOnly locks would block all write operations, including patching, which is too restrictive for this scenario.

Exam trap

The trap here is that candidates often confuse ReadOnly locks with the most restrictive option and assume it is the best choice, without considering that it blocks all write operations, including necessary updates and patching.

How to eliminate wrong answers

Option A is wrong because a ReadOnly lock prevents all write operations, including updates and patching, which contradicts the requirement that administrators must be able to update settings and apply patches. Option C is wrong because a policy assignment that denies delete operations is a more complex solution that requires custom policy definitions and assignment, whereas a resource lock is the simpler, built-in mechanism designed specifically for this purpose. Option D is wrong because RBAC permissions alone do not prevent accidental deletion; a user with Contributor or Owner role can delete resources, and locks provide an additional layer of protection beyond RBAC.

201
MCQeasy

Based on the exhibit, which restore option should the administrator choose?

A.Recreate VM, because it restores the entire virtual machine from the backup point.
B.File recovery, because it restores individual files or folders from the VM backup.
C.Backup policy, because it defines which files are included in the restore operation.
D.Recovery point, because it is the portal action used to mount a deleted file directly.
AnswerB

File recovery is the right choice when only specific files or folders must be restored from an Azure VM backup. The exhibit states that one Excel file was deleted and the rest of the VM should remain unchanged, which matches file-level recovery exactly.

Why this answer

File recovery is the correct option because the administrator needs to restore a specific deleted file from a VM backup without restoring the entire VM. Azure Backup's file-level recovery allows mounting the backup as a drive (via iSCSI) to browse and copy individual files or folders, which directly addresses the requirement.

Exam trap

The trap here is that candidates may confuse 'Recreate VM' (a full restore) with the more granular file-level recovery, assuming that any restore of a deleted file requires rebuilding the entire VM, when in fact Azure Backup provides a direct file recovery option.

How to eliminate wrong answers

Option A is wrong because 'Recreate VM' restores the entire virtual machine from the backup point, which is overkill and unnecessary when only a single file needs to be recovered. Option C is wrong because 'Backup policy' defines the schedule and retention of backups, not the restore operation or file selection. Option D is wrong because 'Recovery point' is the backup snapshot itself, not an action; mounting a deleted file directly is not a portal action, but file recovery is the feature that enables this.

202
MCQmedium

Based on the exhibit, what should the administrator do to prevent anyone from changing the retention settings after validation?

A.Lock the immutability policy after validation is complete.
B.Move the container to the Cool access tier to preserve the retention period.
C.Create a blob snapshot every day so the retention settings cannot be edited.
D.Enable container public access so the audit logs are easier to verify.
AnswerA

An unlocked immutability policy allows authorized changes during setup and testing. Once the retention period is validated, locking the policy prevents shortening or weakening retention settings later, which is exactly what the compliance note requires.

Why this answer

Option A is correct because locking the immutability policy (also known as a legal hold or time-based retention policy) prevents any user—including administrators—from modifying or deleting the policy. Once locked, the retention settings become irrevocable, ensuring that data cannot be altered or overwritten during the specified retention period. This is a critical step for compliance with regulations such as SEC 17a-4 or FINRA.

Exam trap

The trap here is that candidates often confuse 'locking' a policy with other storage management actions like changing access tiers or creating snapshots, mistakenly believing those actions can enforce immutability when only a locked policy provides the required legal protection.

How to eliminate wrong answers

Option B is wrong because moving the container to the Cool access tier does not prevent changes to retention settings; it only changes the storage cost and latency, not the immutability configuration. Option C is wrong because creating a blob snapshot does not lock retention settings; snapshots are point-in-time copies that can be deleted or modified independently, and they do not enforce immutability on the base blob. Option D is wrong because enabling container public access would expose the data to anonymous read requests, which violates security best practices and does not protect retention settings from being changed.

203
Multi-Selecteasy

A team wants daily Azure VM backups with a 30-day retention period. Which two settings are configured in the backup policy? Select two.

Select 2 answers
A.Backup schedule
B.Log Analytics workspace
C.Retention rules
D.Private endpoint
E.Metric alert threshold
AnswersA, C

The backup schedule controls how often Azure Backup creates recovery points.

Why this answer

Option A is correct because a backup policy for Azure VM backups must include a backup schedule that defines when the backup job runs (e.g., daily at a specific time). This schedule triggers the Azure Backup service to create recovery points for the VM. Without a schedule, the backup policy cannot automate the creation of backups.

Exam trap

The trap here is that candidates often confuse the backup policy settings (schedule and retention) with other Azure features like monitoring (Log Analytics) or networking (private endpoints), leading them to select irrelevant options.

204
MCQmedium

An organization wants to enforce two governance controls on all subscriptions under a management group: only approved Azure regions can be used, and every resource must have a costCenter tag. Central IT wants one assignment that can grow as more controls are added later. What should they use?

A.A single Azure Policy assignment that contains both requirements as separate policy rules.
B.An initiative assigned at the management group scope.
C.A role assignment at the management group scope.
D.A resource lock applied to each subscription.
AnswerB

An initiative groups related policies under one assignment and is ideal for reusable governance baselines.

Why this answer

An initiative (policy set) allows grouping multiple policy definitions into a single assignment, which can be assigned at the management group scope to enforce both the allowed regions and costCenter tag requirements. This approach supports future growth by simply adding new policy definitions to the initiative without creating separate assignments. Assigning at the management group scope ensures the controls cascade to all child subscriptions.

Exam trap

The trap here is confusing a single policy assignment with an initiative assignment, as candidates often think multiple rules can be added to one policy definition, but Azure Policy requires an initiative to combine separate policy definitions.

How to eliminate wrong answers

Option A is wrong because a single Azure Policy assignment can contain only one policy definition; you cannot combine two separate policy rules into one assignment without using an initiative. Option C is wrong because role assignments control permissions (who can do what), not governance controls like allowed regions or tagging requirements. Option D is wrong because resource locks prevent deletion or modification of resources but cannot enforce allowed regions or require specific tags.

205
Multi-Selecthard

A legal team stores scanned contracts in Blob Archive. Auditors will need to open several files next week for about five days and then the documents should return to the lowest practical storage cost. Which two actions should the administrator plan? Select two.

Select 2 answers
A.Download the blobs directly from Archive with a normal read operation.
B.Initiate a rehydration to the Cool tier before the review window.
C.Set the blobs to the Hot tier permanently as soon as the review starts.
D.Move the blobs back to Archive after the review window ends.
E.Change the storage account redundancy to RA-GRS so the files can be read.
AnswersB, D

Rehydrating to Cool makes the data online again at a lower cost than Hot, which fits infrequent access during a short review.

Why this answer

Option B is correct because blobs in the Archive tier are offline and cannot be read directly; they must first be rehydrated to a hot or cool tier. Rehydrating to the Cool tier is appropriate for a five-day access window and avoids the higher cost of the Hot tier. After the review, moving the blobs back to Archive (Option D) ensures the lowest practical storage cost for long-term retention.

Exam trap

The trap here is that candidates assume Archive blobs can be read directly (like a normal download) or that changing redundancy (RA-GRS) somehow bypasses the offline nature of Archive, when in fact rehydration is mandatory and redundancy settings only affect replication, not tier accessibility.

206
MCQmedium

You need to redeploy an Azure virtual machine to a new host while keeping the VM configuration and attached disks. Which action should you use in the Azure portal?

A.Resize
B.Redeploy
C.Capture
D.Reapply
AnswerB

Redeploy moves the VM to a new host while keeping the configuration and disks.

Why this answer

The Redeploy action moves the VM to a new Azure host node while preserving the VM configuration, attached managed disks, and network resources. This is used to recover from underlying host failures or performance issues without losing the VM's state or data.

Exam trap

The trap here is that candidates confuse 'Redeploy' with 'Reapply' or 'Resize', assuming any action that changes the host qualifies, but only Redeploy explicitly moves the VM to a new host while keeping all configuration and disks intact.

How to eliminate wrong answers

Option A (Resize) is wrong because it changes the VM's SKU or size, which may require a different host but does not guarantee a move to a new host for recovery purposes. Option C (Capture) is wrong because it creates a generalized or specialized image from the VM, which is used to create new VMs, not to redeploy the existing VM to a new host. Option D (Reapply) is wrong because it reapplies the VM's current configuration (e.g., extensions, tags) without moving the VM to a new host; it is used to resolve provisioning state issues, not host failures.

207
Multi-Selecthard

An application depends on a regional Azure service. Operations wants an automatic notification if Microsoft posts an incident that affects only the region where the app runs, even when the individual VMs remain healthy. Which two Azure Monitor capabilities should be configured? Select two.

Select 2 answers
A.Service health alert
B.Action group
C.Metric alert rule
D.Log Analytics query
E.Resource lock
AnswersA, B

Service health alerts notify you about Azure platform incidents, maintenance, and advisories.

Why this answer

A Service health alert is correct because it monitors for service incidents, maintenance, and health advisories published by Azure for a specific region or service. When Microsoft posts an incident affecting only the region where the application runs, the alert triggers automatically, even if individual VMs remain healthy. This meets the requirement for automatic notification of regional Azure service incidents.

Exam trap

The trap here is that candidates often confuse Metric alerts (which monitor resource performance) with Service Health alerts (which monitor Azure platform incidents), leading them to select Metric alert rule instead of Service health alert.

208
MCQmedium

A contractor needs read-only access to resources in one application resource group. The access must be removed immediately when the contractor is removed from the contractor team. What is the best access strategy?

A.Assign Reader directly to the contractor's user account at the subscription scope.
B.Assign Reader to the Entra ID contractor group at the resource group scope.
C.Assign Contributor to the contractor group at the resource group scope.
D.Assign Reader to the contractor group at the management group scope.
AnswerB

This is the best practice because Azure RBAC supports group-based assignments, and scope should be as narrow as possible. Assigning Reader to the contractor group at the resource group gives the team exactly the access needed and ensures removal from the group immediately revokes access through group membership changes. It is easier to audit and manage than assigning permissions to individual contractor accounts.

Why this answer

Option B is correct because assigning the Reader role to the Entra ID contractor group at the resource group scope ensures that all members of the group inherit read-only access to resources within that specific resource group. When a contractor is removed from the Entra ID group, their access is immediately revoked because Azure RBAC evaluates group membership dynamically at authentication time. This approach follows the principle of least privilege and enables centralized access management via group-based assignments.

Exam trap

The trap here is that candidates often choose a broader scope (subscription or management group) thinking it simplifies management, but they overlook the requirement to restrict access to only one resource group, which is a classic Azure RBAC scope misunderstanding.

How to eliminate wrong answers

Option A is wrong because assigning Reader directly to the contractor's user account at the subscription scope grants read-only access to all resource groups in the subscription, which violates the requirement of scoping access to only one application resource group. Option C is wrong because assigning Contributor to the contractor group at the resource group scope provides write-level permissions, which exceeds the required read-only access and violates the principle of least privilege. Option D is wrong because assigning Reader to the contractor group at the management group scope grants read-only access to all subscriptions and resource groups under that management group, which is too broad and does not limit access to the single application resource group.

209
MCQmedium

A web app running in Azure App Service must read blobs from a storage account. The app must authenticate without storing secrets or SAS tokens, and administrators should grant only blob data permissions, not storage management permissions. What should you configure?

A.The storage account access key in an application setting, because it works with any blob operation.
B.A system-assigned managed identity for the app with Storage Blob Data Reader assigned at the storage scope.
C.The Contributor role on the storage account, because it includes both management and data permissions.
D.A service endpoint on the subnet, because service endpoints are used for application authentication.
AnswerB

A managed identity lets the app authenticate to Azure Storage without storing credentials, and the Storage Blob Data Reader role grants only blob data read access. Assigning the role at the storage account scope keeps the permission focused on the intended resource while avoiding management-plane rights. This is the most secure operational pattern for an Azure-hosted app that only needs to read blobs.

Why this answer

Option B is correct because a system-assigned managed identity allows the App Service to authenticate to Azure Storage without storing any secrets or SAS tokens. By assigning the Storage Blob Data Reader role at the storage account scope, you grant only the necessary blob read permissions while explicitly excluding any storage management permissions (e.g., creating or deleting storage accounts). This aligns with the principle of least privilege and eliminates credential management overhead.

Exam trap

The trap here is that candidates often confuse RBAC roles like Contributor (which grants management permissions only) with data plane roles like Storage Blob Data Reader, or they mistakenly think service endpoints provide authentication instead of network-level access control.

How to eliminate wrong answers

Option A is wrong because using the storage account access key grants full management and data plane access to the storage account, which violates the requirement to avoid storing secrets and to restrict permissions to blob data only. Option C is wrong because the Contributor role is an Azure RBAC management role that includes permissions to manage the storage account itself (e.g., update firewall rules, regenerate keys) but does not grant any data plane access to blobs; it also fails the requirement to avoid storing secrets. Option D is wrong because a service endpoint on a subnet is a network-level feature that restricts traffic to the storage account from a specific virtual network, not an authentication mechanism; it does not provide identity-based access or eliminate the need for secrets.

210
MCQmedium

A route table contains a user-defined route for 172.16.0.0/16 to a virtual appliance. The ExpressRoute circuit advertises 172.16.10.0/24. A VM in the subnet sends traffic to 172.16.10.20. Which route does Azure use?

A.The user-defined route, because UDRs always beat BGP routes.
B.The BGP route, because it has the more specific prefix length.
C.The system route to the virtual network, because system routes are preferred over learned routes.
D.No route is chosen because Azure does not support overlapping prefixes.
AnswerB

Azure route selection uses longest-prefix match before considering route source precedence. The BGP route for 172.16.10.0/24 is more specific than the UDR for 172.16.0.0/16, so the /24 route is selected for traffic to 172.16.10.20. Source precedence only matters when multiple routes have the same prefix length.

Why this answer

Azure uses the most specific prefix match to determine the next hop. The BGP route for 172.16.10.0/24 has a longer prefix length (24) than the user-defined route for 172.16.0.0/16 (16), so the BGP route is preferred regardless of route source priority. This follows the longest prefix match (LPM) algorithm, which overrides the default preference order of UDRs over BGP routes.

Exam trap

The trap here is that candidates assume UDRs always override BGP routes, but Azure applies longest prefix match first, so a more specific BGP route will be used over a less specific UDR.

How to eliminate wrong answers

Option A is wrong because UDRs do not always beat BGP routes; the longest prefix match (LPM) takes precedence over route source priority, so a more specific BGP route (e.g., /24) will be chosen over a less specific UDR (e.g., /16). Option C is wrong because system routes are only used when no user-defined or BGP route matches; here, both a UDR and a BGP route exist, and the more specific BGP route is selected. Option D is wrong because Azure supports overlapping prefixes; it resolves conflicts using LPM, not by discarding traffic.

211
MCQeasy

Based on the exhibit, a compliance team must read all current and future resources in every subscription under the Corp management group. Where should you assign the Reader role?

A.Assign Reader at the RG-Finance resource group scope.
B.Assign Reader at the Corp management group scope.
C.Assign Reader separately at each subscription scope.
D.Assign Reader only at the individual resource scope.
AnswerB

This scope covers all subscriptions currently under Corp and any subscriptions added later beneath that management group.

Why this answer

Assigning the Reader role at the Corp management group scope applies the role to all current and future subscriptions and resource groups within that management group hierarchy. This is because Azure RBAC roles assigned at a management group scope are inherited by all child management groups, subscriptions, and resources, ensuring the compliance team can read all resources across the entire Corp hierarchy without needing separate assignments.

Exam trap

The trap here is that candidates often think they must assign roles at the subscription or resource group level for granularity, overlooking that management group scope provides automatic inheritance to all child scopes, which is the most efficient way to grant permissions across an entire hierarchy.

How to eliminate wrong answers

Option A is wrong because assigning Reader at the RG-Finance resource group scope only grants read access to resources within that single resource group, not to all subscriptions under Corp. Option C is wrong because assigning Reader separately at each subscription scope would require manual updates for every new subscription added under Corp, failing the requirement to cover future resources automatically. Option D is wrong because assigning Reader only at the individual resource scope would require assigning the role to every single resource, which is impractical and does not scale to cover all current and future resources.

212
Matchinghard

During a compliance review, the team must distinguish what each Azure Monitor object can and cannot do. Match each object to its primary operational scope.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Evaluates resource performance data such as CPU, latency, or disk metrics.

Watches subscription-level control-plane events such as deletes or policy changes.

Runs a KQL query against workspace data and alerts on the result.

Exports resource telemetry off the resource for storage or analysis.

Serves as the reusable response target for notifications and automation.

Why these pairings

Metrics collect numeric time-series data; Logs collect text logs for querying; Application Insights monitors web apps; Activity Log records subscription events; Diagnostic Logs capture resource logs; Service Health provides service incident info.

213
MCQmedium

A company is creating a new spoke virtual network that will be peered to an existing hub VNet. The hub uses 10.40.0.0/16, and an on-premises network already uses 10.41.0.0/16. The spoke must support about 120 endpoints now and should allow room for growth. Which address space should you assign to the new spoke VNet?

A.10.40.64.0/25
B.10.42.0.0/24
C.10.41.128.0/24
D.192.168.10.0/26
AnswerB

This is a non-overlapping private range that is large enough for the current requirement and leaves room for adding more subnets later.

Why this answer

Option B (10.42.0.0/24) is correct because it provides 256 IP addresses (251 usable) for the spoke, which exceeds the requirement of ~120 endpoints with room for growth, and it does not overlap with the hub VNet (10.40.0.0/16) or the on-premises network (10.41.0.0/16). This ensures successful VNet peering without IP address conflicts.

Exam trap

The trap here is that candidates often overlook the on-premises address space (10.41.0.0/16) and mistakenly choose an overlapping range like 10.41.128.0/24, assuming only the hub VNet's address space must be avoided.

How to eliminate wrong answers

Option A is wrong because 10.40.64.0/25 falls within the hub VNet's 10.40.0.0/16 range, causing an IP address overlap that would prevent VNet peering. Option C is wrong because 10.41.128.0/24 falls within the on-premises network's 10.41.0.0/16 range, creating a conflict with the existing on-premises address space. Option D is wrong because 192.168.10.0/26 provides only 64 IP addresses (62 usable), which is insufficient for the required 120 endpoints and future growth.

214
MCQeasy

A container group runs a one-time import task and should stop after the task completes successfully. Which restart policy should you use?

A.Always
B.OnFailure
C.Never
D.Manual
AnswerC

Never lets the container run once and then stop, which fits a batch or import task that should not restart.

Why this answer

The 'Never' restart policy is correct because the container group is designed to run a one-time import task and should stop after successful completion. In Azure Container Instances (ACI), the 'Never' policy ensures the container runs exactly once and does not restart, regardless of the exit code. This is ideal for batch jobs or import tasks that should not be retried automatically.

Exam trap

The trap here is that candidates often confuse 'OnFailure' with 'Never' for one-time tasks, mistakenly thinking that 'OnFailure' will stop after success, but it actually restarts on failure, which is not the same as stopping unconditionally after completion.

How to eliminate wrong answers

Option A is wrong because 'Always' restarts the container regardless of exit code, which would cause the import task to run repeatedly even after success, wasting resources and potentially causing data duplication. Option B is wrong because 'OnFailure' restarts the container only if it exits with a non-zero code; while this might seem appropriate for a one-time task, it would restart on failure, which is not desired for a task that should stop after completion (even if successful). Option D is wrong because 'Manual' is not a valid restart policy in Azure Container Instances; ACI supports only 'Always', 'OnFailure', and 'Never'.

215
Multi-Selectmedium

You are designing an Azure virtual network for a three-tier application. The frontend, application, and database tiers each require their own subnet. You need to ensure that the frontend tier can communicate with the application tier, but the database tier must be isolated from direct inbound traffic from the internet. Which three of the following actions should you include in your design? (Choose three.)

Select 3 answers
.Assign a network security group (NSG) to the database subnet that denies all inbound traffic from the internet.
.Create a single virtual network with three subnets: frontend, application, and database.
.Configure a virtual network peering to connect the frontend and database subnets.
.Use Azure Firewall to inspect traffic between the frontend and application tiers.
.Route traffic from the application tier to the database tier using a user-defined route (UDR) pointing to the Azure Firewall.
.Place all three tiers in the same virtual network using separate subnets.

Why this answer

Assigning a network security group (NSG) to the database subnet that denies all inbound traffic from the internet is correct because NSGs act as a distributed, stateful firewall at the subnet or NIC level. By default, NSGs allow all inbound traffic from within the virtual network, so you must explicitly add a deny rule for internet traffic (source 'Internet') to isolate the database tier. This ensures the database subnet is protected from direct inbound internet traffic while still allowing traffic from the application tier via the default allow rule for virtual network traffic.

Exam trap

The trap here is that candidates often think they need to create separate virtual networks or use complex routing/firewall rules for isolation, when in fact a single VNet with subnets and an NSG on the database subnet is sufficient to meet the requirement of isolating the database from the internet while allowing frontend-to-application communication.

216
MCQeasy

Based on the exhibit, what should the administrator add to send an email and SMS notification?

A.An action group with email and SMS receivers.
B.A Log Analytics workspace connected to the virtual machine.
C.A backup recovery point for the virtual machine.
D.A private endpoint for the virtual machine.
AnswerA

Action groups define how Azure Monitor sends notifications. Adding one with email and SMS receivers gives the alert rule the response path it currently lacks.

Why this answer

To send email and SMS notifications from an Azure Monitor alert, you must configure an action group. An action group defines the notification channels (e.g., email, SMS, webhook) and their respective receivers. When the alert rule triggers, Azure Monitor invokes the action group to deliver the notifications.

Without an action group, the alert rule has no mechanism to send email or SMS.

Exam trap

The trap here is that candidates may confuse a Log Analytics workspace (which can trigger alerts based on log queries) with the actual notification delivery mechanism, forgetting that an action group is required to define how and where the alert notification is sent.

How to eliminate wrong answers

Option B is wrong because a Log Analytics workspace is used for collecting and analyzing log data, not for sending notifications. Option C is wrong because a backup recovery point is a snapshot of the virtual machine's data for restore purposes; it does not provide any notification capability. Option D is wrong because a private endpoint enables secure network connectivity to Azure services over a private IP address; it has no role in sending email or SMS alerts.

217
MCQhard

Users on the internet cannot reach an HTTPS application hosted on VM-Web01. The VM has a public IP address, the application is listening on TCP port 443, and the guest OS firewall allows the traffic. What is the most likely Azure-side cause?

A.The NSG blocks inbound TCP 443
B.The VM uses Premium SSD
C.Azure Backup is not enabled
D.The storage account uses GRS
AnswerA

A missing allow rule or an explicit deny rule in the NSG will block internet access to the web application.

Why this answer

The most likely Azure-side cause is that a Network Security Group (NSG) associated with the VM's subnet or NIC is blocking inbound TCP port 443. Even if the VM has a public IP, the application is listening, and the guest OS firewall allows traffic, an NSG rule denying inbound HTTPS traffic will prevent external users from reaching the application. NSGs act as a distributed firewall filtering traffic at the Azure network layer before it reaches the VM.

Exam trap

The trap here is that candidates often focus on the VM's guest OS firewall or public IP configuration, overlooking the NSG as the first line of defense in Azure's network security model.

How to eliminate wrong answers

Option B is wrong because Premium SSD affects disk performance and IOPS, not network connectivity or firewall rules. Option C is wrong because Azure Backup is a data protection service that does not influence inbound network traffic or port accessibility. Option D is wrong because storage account replication (GRS) is unrelated to VM networking; it controls data redundancy for blob storage, not network traffic to a VM.

218
MCQhard

You need to allow a partner application to upload files to a blob container for the next 24 hours. The partner must not receive the storage account key. What should you provide?

A.The storage account access key
B.A shared access signature (SAS)
C.The connection string with the account key
D.A Recovery Services vault
AnswerB

A SAS provides limited access for a defined time and permission scope.

Why this answer

A shared access signature (SAS) provides delegated, time-limited access to a specific Azure Storage resource (like a blob container) without exposing the storage account key. By generating a SAS token with write permissions and a 24-hour expiry, you grant the partner application the ability to upload files while maintaining security and control over the access window.

Exam trap

The trap here is that candidates often confuse a SAS with a connection string or access key, mistakenly thinking that any shared credential will work, but the exam specifically tests the ability to grant time-limited, scoped access without exposing the account key.

How to eliminate wrong answers

Option A is wrong because providing the storage account access key grants full, unrestricted access to the entire storage account, including all containers, blobs, tables, and queues, with no time limit or granular permission control. Option C is wrong because the connection string with the account key embeds the storage account key, which exposes the same full-access risk as option A and violates the requirement that the partner must not receive the key. Option D is wrong because a Recovery Services vault is used for Azure Backup and Site Recovery scenarios, not for granting delegated access to blob storage.

219
Drag & Dropmedium

Order the steps to configure Azure AD Connect for hybrid identity.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Install, choose sync method, connect to Azure AD, filter domains, then finalize.

220
MCQmedium

A team needs to run a Linux container for 15 to 20 minutes at a time, triggered by an external system. They do not want to manage servers, clusters, or a web framework. Which Azure service is the best fit?

A.Azure Container Instances
B.Azure App Service
C.Azure Kubernetes Service
D.A virtual machine
AnswerA

Azure Container Instances is the best fit for short-lived container execution without managing servers or a cluster. It is well suited for event-driven or scheduled jobs that run for a limited time and then exit, which matches the requirement to process work for only 15 to 20 minutes.

Why this answer

Azure Container Instances (ACI) is the best fit because it allows you to run a container directly in Azure without managing any underlying servers or orchestrators. The service is designed for short-lived, burst workloads (like 15–20 minutes) and can be triggered on-demand via an external system (e.g., HTTP request, Azure Logic Apps, or SDK). ACI automatically starts the container, runs it, and then stops and deallocates resources when the task completes, matching the exact requirement of no server, cluster, or web framework management.

Exam trap

The trap here is that candidates often choose Azure Kubernetes Service (AKS) because they associate containers with Kubernetes, overlooking that ACI is the simpler, serverless option for short-lived tasks without cluster management.

How to eliminate wrong answers

Option B (Azure App Service) is wrong because it is a fully managed platform for hosting web apps and APIs, not designed for ephemeral container tasks; it requires a web framework and runs continuously, not on-demand for 15–20 minutes. Option C (Azure Kubernetes Service) is wrong because it introduces unnecessary complexity with a managed Kubernetes cluster, requiring cluster management, node pools, and orchestration overhead, which contradicts the 'do not want to manage clusters' requirement. Option D (A virtual machine) is wrong because it requires managing the OS, patching, and scaling, and is not optimized for short-lived container workloads; it would also incur costs for idle time.

221
MCQeasy

A team manages many application VMs and backend VMs. The VM IP addresses change whenever they are rebuilt, but the same traffic rule must always allow the app tier to reach the backend tier on TCP 8443. What should the administrator use in the NSG rule?

A.Static private IP addresses for each virtual machine.
B.Application Security Groups for the app and backend VMs.
C.A user-defined route between the app and backend subnets.
D.An availability set for each tier.
AnswerB

ASGs let you group VMs by function and reference those groups in NSG rules, so IP changes do not require rule updates.

Why this answer

Application Security Groups (ASGs) allow you to group VMs logically and reference them directly in NSG rules without relying on static IP addresses. Since the VM IPs change on rebuild, ASGs ensure the NSG rule for TCP 8443 always applies to the correct app and backend tiers, regardless of IP changes.

Exam trap

The trap here is that candidates often default to static IPs (Option A) for consistency, overlooking that ASGs provide a dynamic, IP-agnostic solution that directly addresses the rebuild scenario.

How to eliminate wrong answers

Option A is wrong because static private IP addresses would require manual reconfiguration after each rebuild and do not scale, whereas the question specifically states IPs change on rebuild. Option C is wrong because user-defined routes (UDRs) control traffic routing between subnets, not firewall rules for specific ports like TCP 8443; NSGs handle port-based access control. Option D is wrong because an availability set provides high availability through fault and update domains but does not influence NSG rule matching or IP addressing for traffic filtering.

222
MCQmedium

A finance team stores application blobs in an Azure Storage account. The data must remain available if a single availability zone in the region is lost, and the team does not need automatic read access from another region. Which redundancy option best meets the requirement?

A.Locally redundant storage (LRS), which keeps three copies in one datacenter only.
B.Zone-redundant storage (ZRS), which replicates data across availability zones in the same region.
C.Geo-redundant storage (GRS), which replicates data to a paired region and supports failover.
D.Read-access geo-redundant storage (RA-GRS), which allows reads from the secondary region.
AnswerB

ZRS stores multiple copies of the data across availability zones within one region, so the storage account can remain available if one zone is lost. This matches the requirement for zone failure resiliency without introducing cross-region read access or the extra complexity of geo-failover. It is the least expansive redundancy option that still provides protection against a zone outage.

Why this answer

Zone-redundant storage (ZRS) replicates your data synchronously across three Azure availability zones within the primary region. This ensures that if a single zone fails, the data remains available and durable without requiring any manual intervention or failover, meeting the requirement of no automatic read access from another region.

Exam trap

The trap here is that candidates often confuse 'availability within a region' with 'disaster recovery across regions,' leading them to choose GRS or RA-GRS when the requirement is only to survive a single availability zone failure, not a full regional outage.

How to eliminate wrong answers

Option A is wrong because LRS keeps three copies within a single datacenter, so losing that datacenter (or its availability zone) would cause data loss or unavailability. Option C is wrong because GRS replicates data to a paired secondary region, which provides cross-region durability but also introduces a failover mechanism that is not required here; it also does not protect against a single-zone failure within the primary region without relying on the secondary region. Option D is wrong because RA-GRS adds read access to the secondary region, which is explicitly not needed, and like GRS, it does not provide zone-level redundancy within the primary region.

223
MCQmedium

A user deleted one Excel file from a Windows Server VM that is protected by Azure Backup. The VM must keep running, and the administrator must restore only that file as quickly as possible. What should the administrator do?

A.Restore the entire virtual machine from the most recent recovery point.
B.Use File Recovery from the Recovery Services vault, mount the recovery point, and copy back the deleted file.
C.Fail over the VM by using Azure Site Recovery and then copy the file from the replica.
D.Create a snapshot of the VM disk and restore the spreadsheet from the snapshot.
AnswerB

File Recovery is designed for this exact scenario. It mounts a backup recovery point so the administrator can browse the contents and copy back only the missing file, while the production VM continues running without a full restore.

Why this answer

Azure Backup for Azure VMs supports file-level recovery from recovery points without restoring the entire VM. The File Recovery feature mounts the recovery point as an iSCSI target on the VM, allowing the administrator to browse and copy the deleted Excel file directly. This is the fastest method because it avoids the overhead of a full VM restore or snapshot management.

Exam trap

The trap here is that candidates may assume a full VM restore is required for any file recovery, overlooking the Azure Backup File Recovery feature which provides granular, in-place restoration without disrupting the running VM.

How to eliminate wrong answers

Option A is wrong because restoring the entire VM is unnecessary and time-consuming; it would require stopping the VM or creating a new VM, which violates the requirement to keep the VM running. Option C is wrong because Azure Site Recovery is designed for disaster recovery and failover, not for granular file restoration from backup; it would involve failing over to a replica VM, which is excessive and not intended for single-file recovery. Option D is wrong because creating a snapshot of the VM disk is a manual process that requires stopping the VM or using a crash-consistent snapshot, and then attaching the snapshot to another VM to extract the file, which is slower and more complex than using the built-in File Recovery feature.

224
MCQeasy

An operations team must deploy 20 identical application VMs every sprint from source control and wants the deployment definition to be readable and repeatable. Which approach should they use?

A.Manually create each VM in the Azure portal
B.Use a Bicep template stored in source control
C.Capture a screenshot of the portal settings for future reference
D.Use Azure Policy to create the VMs automatically
AnswerB

Bicep is infrastructure as code, so the VM deployment can be versioned, reviewed, and deployed repeatedly.

Why this answer

B is correct because Bicep is a domain-specific language (DSL) for deploying Azure resources declaratively. Storing a Bicep template in source control ensures the deployment definition is readable (using concise syntax) and repeatable (via idempotent deployments), meeting the team's requirement for 20 identical VMs every sprint.

Exam trap

The trap here is that candidates may confuse Azure Policy with a deployment tool, but Azure Policy only audits or enforces rules (e.g., requiring a specific tag) and cannot provision resources like VMs, whereas Bicep is designed specifically for declarative infrastructure deployment.

How to eliminate wrong answers

Option A is wrong because manually creating each VM in the Azure portal is not repeatable, introduces human error, and cannot be version-controlled for consistent deployments across sprints. Option C is wrong because a screenshot of portal settings is not executable code; it cannot automate deployment and lacks the structured, machine-readable format needed for repeatable infrastructure provisioning. Option D is wrong because Azure Policy is used to enforce compliance rules (e.g., restricting VM sizes or locations) on existing or new resources, not to create VMs automatically; it cannot deploy 20 identical application VMs.

225
MCQeasy

A development team needs to run a Linux container for about 12 minutes each time a request is received. The team does not want to manage a server, cluster, or virtual machine. Which Azure service should the administrator use?

A.Azure Kubernetes Service
B.Azure Container Instances
C.Azure Virtual Machines
D.Azure App Service
AnswerB

ACI runs containers directly without managing servers or a Kubernetes cluster.

Why this answer

Azure Container Instances (ACI) is the correct choice because it allows the team to run a Linux container directly in Azure without managing any underlying infrastructure, such as servers, clusters, or virtual machines. ACI is ideal for short-lived, event-driven workloads like this 12-minute request-based container, as it supports rapid startup and automatic shutdown, aligning with the 'serverless' requirement.

Exam trap

The trap here is that candidates often choose Azure Kubernetes Service (AKS) because they associate containers with Kubernetes, but the question explicitly prohibits managing a cluster, making ACI the only serverless container option that meets the 'no management' requirement.

How to eliminate wrong answers

Option A is wrong because Azure Kubernetes Service (AKS) requires managing a Kubernetes cluster (control plane and nodes), which contradicts the 'no cluster management' requirement and is overkill for a single container running for 12 minutes. Option C is wrong because Azure Virtual Machines require provisioning and managing a full VM, including OS updates and scaling, which violates the 'no server or VM management' constraint. Option D is wrong because Azure App Service is designed for long-running web applications and services, not for ephemeral, request-triggered container runs; it also requires an App Service Plan (a managed server) and does not natively support running a container for exactly 12 minutes per request without additional configuration.

Page 2

Page 3 of 16

Page 4