AZ-104 (AZ-104) — Questions 226300

1170 questions total · 16pages · All types, answers revealed

Page 3

Page 4 of 16

Page 5
226
MCQhard

You need to collect Windows event logs and performance counters from multiple Azure virtual machines and query the data centrally by using Kusto Query Language. Which Azure resource should you deploy?

A.A Log Analytics workspace
B.A Recovery Services vault
C.Azure Network Watcher
D.A load balancer
AnswerA

A Log Analytics workspace stores and enables KQL querying of collected monitoring data.

Why this answer

A Log Analytics workspace is the correct resource because it serves as the central repository for collecting diagnostic data such as Windows event logs and performance counters from Azure VMs. Once collected, you can query this data using Kusto Query Language (KQL) to perform advanced analysis and monitoring. This aligns directly with the requirement to centrally query the data using KQL.

Exam trap

The trap here is that candidates often confuse a Log Analytics workspace with a Recovery Services vault because both involve data storage, but the vault is strictly for backup/recovery data, not for operational log analytics.

How to eliminate wrong answers

Option B is wrong because a Recovery Services vault is designed for backup and disaster recovery scenarios, such as Azure Backup and Azure Site Recovery, not for collecting and querying operational logs or performance counters. Option C is wrong because Azure Network Watcher provides network-level monitoring and diagnostics tools (e.g., packet capture, NSG flow logs, connection troubleshoot) but does not ingest Windows event logs or performance counters for KQL-based querying. Option D is wrong because a load balancer distributes incoming network traffic across backend resources and does not have any capability to collect or store log data for querying with KQL.

227
MCQeasy

Based on the exhibit, a metric alert already exists for VM01, but the on-call team never receives an email when CPU exceeds 80% for 5 minutes. What should you configure to deliver the notification?

A.Create a diagnostic setting on VM01 to export metrics to Log Analytics.
B.Add an action group to the alert rule and configure email delivery.
C.Assign the Reader role to the on-call team so they can view the alert.
D.Create a resource lock on VM01 to prevent accidental changes.
AnswerB

Action groups define who is notified and how when an alert fires, including email.

Why this answer

The alert rule exists, but no notification action is configured. An action group defines how to notify administrators (e.g., email, SMS, webhook). Adding an action group with an email action to the existing alert rule will deliver the email when the CPU threshold is breached.

Exam trap

The trap here is that candidates confuse diagnostic settings (which export data) with action groups (which deliver notifications), or assume that simply creating an alert rule automatically sends notifications without an explicit action group.

How to eliminate wrong answers

Option A is wrong because diagnostic settings export metrics to Log Analytics for analysis or retention, they do not trigger notifications. Option C is wrong because the Reader role only grants read access to resources, it does not enable email delivery or alert notifications. Option D is wrong because a resource lock prevents accidental deletion or modification of VM01, it has no effect on alert notifications.

228
MCQmedium

A hub VNet already has a VPN gateway connected to on-premises networks. A new spoke VNet must reach those on-premises networks through the existing gateway without deploying another gateway. Which peering settings are required?

A.Enable gateway transit on the hub peering and use remote gateways on the spoke peering.
B.Enable forwarded traffic on both peerings and leave gateway settings disabled.
C.Enable use remote gateways on the hub peering and gateway transit on the spoke peering.
D.Create a private endpoint between the two VNets.
AnswerA

To let a spoke VNet use the hub's gateway, the hub side must allow gateway transit and the spoke side must be configured to use the remote gateway. This combination lets the spoke send traffic to on-premises networks through the existing hub VPN gateway, avoiding duplicate gateway deployment. It is the standard design for hub-and-spoke environments that centralize connectivity and reduce cost and operational overhead.

Why this answer

Option A is correct because to allow a spoke VNet to use the hub VNet's VPN gateway without deploying its own, you must enable 'Use remote gateways' on the spoke peering and 'Gateway transit' on the hub peering. This configuration allows the spoke to route traffic destined for on-premises networks through the hub's VPN gateway, leveraging the existing site-to-site VPN connection.

Exam trap

The trap here is that candidates often confuse which peering (hub or spoke) gets which setting, incorrectly assuming 'Use remote gateways' goes on the hub and 'Gateway transit' on the spoke, or they think 'Forwarded traffic' is sufficient for gateway routing.

How to eliminate wrong answers

Option B is wrong because enabling 'Forwarded traffic' on both peerings only allows traffic to be forwarded between VNets but does not enable gateway transit; without gateway transit and use remote gateways, the spoke cannot use the hub's VPN gateway. Option C is wrong because it reverses the required settings: 'Use remote gateways' must be enabled on the spoke peering, not the hub, and 'Gateway transit' must be enabled on the hub peering, not the spoke. Option D is wrong because a private endpoint is used to connect privately to a specific Azure service (e.g., Storage, SQL) over the Microsoft backbone, not to route traffic through a VPN gateway to on-premises networks.

229
MCQmedium

A Windows file server VM in Azure must mount an Azure file share by using existing Active Directory Domain Services credentials instead of a storage account key. The organization already has domain-joined Windows servers in the environment. What should the administrator configure on the storage account?

A.Enable Azure Files identity-based authentication with Active Directory Domain Services.
B.Enable blob soft delete and mount the share with a blob container SAS token.
C.Enable a service endpoint for Microsoft.Storage on the subnet.
D.Create a shared access signature for the file share and map it as a local drive.
AnswerA

Azure Files can use AD DS-based Kerberos authentication for SMB access. This allows the VM to authenticate with existing domain credentials instead of using a storage account key.

Why this answer

Option A is correct because Azure Files supports identity-based authentication over SMB using Active Directory Domain Services (AD DS). By enabling this on the storage account, the administrator can mount the file share using existing domain credentials instead of a storage account key, provided the client VM is domain-joined and the share is configured with appropriate NTFS permissions. This eliminates the need to manage or expose storage account keys.

Exam trap

The trap here is that candidates often confuse network-level controls (like service endpoints) or key-based access methods (like SAS tokens) with identity-based authentication, failing to recognize that only enabling AD DS authentication on the storage account allows the use of existing domain credentials.

How to eliminate wrong answers

Option B is wrong because blob soft delete is a data protection feature for Azure Blob Storage, not for Azure Files, and mounting a share with a blob container SAS token is not applicable to file shares. Option C is wrong because a service endpoint for Microsoft.Storage on the subnet only restricts network access to the storage account from that subnet; it does not enable identity-based authentication or replace the need for a storage account key. Option D is wrong because creating a shared access signature (SAS) for the file share still requires a SAS token (a form of key-based access) rather than using existing Active Directory Domain Services credentials for authentication.

230
MCQhard

A security team needs to investigate future configuration changes on a storage account and subscription-level control-plane changes in one place by using KQL. The team already created a Log Analytics workspace. What else must the administrator configure so the required logs are queryable in that workspace?

A.Enable only the Azure Activity log export and skip resource diagnostic settings.
B.Configure diagnostic settings on the storage account and export the subscription Activity log to the same workspace.
C.Install the Azure Monitor Agent on the storage account so it can send its own logs.
D.Create separate workspaces for each resource and query them independently.
AnswerB

Resource logs from the storage account are collected through diagnostic settings, while control-plane events at subscription scope come from the Activity log. Sending both to the same Log Analytics workspace makes the data available for a single KQL investigation workflow, which is what the requirement asks for.

Why this answer

Option B is correct because the Azure Activity log captures subscription-level control-plane events (e.g., resource creation, policy changes), and diagnostic settings on the storage account capture resource-level control-plane and data-plane changes. By exporting both to the same Log Analytics workspace, the security team can query all future configuration changes in one place using KQL, meeting the requirement without needing separate workspaces or agents.

Exam trap

The trap here is that candidates assume the Activity log alone covers all control-plane changes, but it only captures subscription-level events, not resource-specific configuration changes, which require separate diagnostic settings on each resource.

How to eliminate wrong answers

Option A is wrong because enabling only the Activity log export omits storage-account-specific configuration changes (e.g., blob soft-delete settings, network rules), which require resource diagnostic settings on the storage account itself. Option C is wrong because the Azure Monitor Agent (AMA) is designed for OS-level metrics and logs from virtual machines, not for capturing control-plane changes on Azure resources like a storage account; control-plane logs are emitted via Azure Resource Manager and require diagnostic settings. Option D is wrong because creating separate workspaces would prevent querying both log sources in one place using KQL, directly contradicting the requirement for unified querying.

231
MCQmedium

An admin enables backup on a newly deployed Azure VM, but every backup job fails immediately with a message that the VM agent is not ready. What should the administrator verify first?

A.The VM is placed in an availability zone that supports backup.
B.The Azure VM Agent is installed, running, and able to provision backup-related extensions.
C.The VM has a public IP address assigned for outbound connectivity.
D.The VM is added to a load balancer backend pool.
AnswerB

Azure Backup relies on the VM agent and extensions inside the guest. If the agent is missing, stopped, or unhealthy, backup jobs can fail before a recovery point is created. Verifying the agent first addresses the specific error message.

Why this answer

The Azure VM Agent (also known as the Windows Guest Agent or Linux Agent) is required for the Azure Backup service to install the backup extension (e.g., IaaSBcdrExtension for Windows or SnapshotV2 for Linux). If the agent is not installed, not running, or is in a 'Not Ready' state, the backup extension cannot be provisioned, causing immediate failure. The administrator should first verify that the VM Agent is installed and its status is 'Ready' in the VM's properties.

Exam trap

The trap here is that candidates often assume network connectivity (public IP or load balancer) is the root cause, but the immediate failure message 'VM agent not ready' directly points to the agent status, not network issues.

How to eliminate wrong answers

Option A is wrong because backup functionality is not dependent on availability zones; Azure Backup supports VMs in all availability zones and regions. Option C is wrong because outbound connectivity for backup traffic is handled via Azure Private Endpoint or Service Tag-based network rules, not a public IP address; a public IP is not required for backup to succeed. Option D is wrong because adding a VM to a load balancer backend pool is unrelated to backup operations; load balancers distribute network traffic, not backup jobs.

232
MCQhard

Your operations team needs to receive a Microsoft Teams or email notification whenever a production application becomes unavailable. You have already created an availability test in Azure Monitor. What should you configure next?

A.A metric or log alert rule linked to an action group
B.A management group
C.A resource lock
D.A private endpoint
AnswerA

The alert rule detects failure conditions and the action group sends the notification.

Why this answer

An availability test in Azure Monitor detects when an application is unavailable, but it does not inherently trigger notifications. To send a Teams or email alert, you must create a metric or log alert rule that references the availability test's results and link it to an action group, which defines the notification actions (e.g., email, SMS, webhook to Teams). This is the standard Azure Monitor workflow for proactive incident response.

Exam trap

The trap here is that candidates may think an availability test alone sends notifications, but Azure Monitor requires an explicit alert rule linked to an action group to trigger any notification action.

How to eliminate wrong answers

Option B is wrong because a management group is a container for managing multiple subscriptions' governance (e.g., policy, RBAC), not for configuring alerts or notifications. Option C is wrong because a resource lock prevents accidental deletion or modification of resources, but does not enable alerting or notification delivery. Option D is wrong because a private endpoint provides secure network connectivity to Azure services over a private IP, but has no role in alerting or notification configuration.

233
MCQeasy

Two application teams created separate virtual networks so their workloads can communicate through VNet peering. VNet-A uses 10.20.0.0/16. VNet-B was created with 10.20.128.0/17. The peering request fails during validation. What is the best fix?

A.Add an NSG rule to allow traffic between the two VNets.
B.Change one VNet to use a non-overlapping address space.
C.Create a private endpoint in each VNet.
D.Attach a route table to both subnets.
AnswerB

VNet peering requires non-overlapping IP ranges. Readdressing one VNet removes the conflict and allows peering to be created.

Why this answer

VNet peering requires that the address spaces of the peered virtual networks do not overlap. VNet-A uses 10.20.0.0/16, which includes the entire range from 10.20.0.0 to 10.20.255.255. VNet-B uses 10.20.128.0/17, which is a subset of VNet-A's range (10.20.128.0 to 10.20.255.255).

This overlap causes the peering validation to fail because Azure cannot route traffic between overlapping address spaces. Changing one VNet to a non-overlapping address space resolves the conflict.

Exam trap

The trap here is that candidates may think NSG rules or route tables can fix connectivity issues between peered VNets, but the peering validation itself fails due to overlapping address spaces, which is a fundamental design constraint that cannot be overridden by network security or routing policies.

How to eliminate wrong answers

Option A is wrong because NSG rules control traffic filtering at the subnet or NIC level, but they cannot resolve an address space overlap; peering itself fails before any traffic flows. Option C is wrong because private endpoints are used to securely connect to Azure PaaS services over a private IP, not to enable VNet peering between overlapping address spaces. Option D is wrong because route tables (UDRs) define custom routes for traffic within a VNet, but they cannot override the fundamental requirement that peered VNets must have non-overlapping address spaces.

234
MCQeasy

Based on the exhibit, the team must prevent accidental deletion of a resource group, but administrators still need to update settings on resources inside it. Which lock should you apply?

A.Apply no lock and rely on RBAC alone.
B.Apply a ReadOnly lock to RG-Prod.
C.Apply a CanNotDelete lock to RG-Prod.
D.Apply a Contributor role assignment to RG-Prod.
AnswerC

CanNotDelete prevents accidental deletion while still allowing normal update operations on existing resources in the scope.

Why this answer

Option C is correct because applying a CanNotDelete lock to RG-Prod prevents the resource group from being deleted while still allowing administrators to update settings on resources inside it. This lock type blocks delete operations but permits read and update operations, which aligns with the requirement to prevent accidental deletion without restricting management changes.

Exam trap

The trap here is that candidates often confuse CanNotDelete with ReadOnly, mistakenly thinking that preventing deletion requires blocking all write operations, but CanNotDelete specifically targets delete operations while allowing updates.

How to eliminate wrong answers

Option A is wrong because relying solely on RBAC does not prevent accidental deletion; RBAC controls access based on roles, but a user with Contributor or Owner permissions could still delete the resource group. Option B is wrong because a ReadOnly lock prevents all write operations, including updates to resource settings, which contradicts the requirement that administrators need to update settings. Option D is wrong because assigning a Contributor role grants permissions to manage resources, including the ability to delete the resource group, so it does not prevent deletion.

235
MCQmedium

A line-of-business application stores transaction logs in an Azure Storage account. The app must keep working if one availability zone in the primary region fails, and administrators want read access to the secondary copy if the primary region becomes unavailable. Which redundancy option should you choose?

A.LRS, because it keeps three local copies in one datacenter and is the simplest choice.
B.RA-GRS, because it provides geo-replication and read access to the secondary region.
C.GZRS, because it combines zone redundancy in the primary region with geo-replication.
D.RA-GZRS, because it keeps the primary region zone-redundant and allows read access to the secondary copy.
AnswerD

RA-GZRS is the only option listed that combines zone-redundant storage in the primary region with geo-replication and read access to the secondary endpoint. That satisfies both the availability-zone failure requirement and the need to read data during a regional outage. It is the strongest choice when you need resilience across both datacenter-level and regional failure scenarios.

Why this answer

RA-GZRS (Read-Access Geo-Zone-Redundant Storage) is correct because it combines zone-redundant storage (ZRS) across availability zones in the primary region, ensuring continued operation if one zone fails, with geo-replication to a secondary region. Additionally, the 'RA' prefix enables read access to the secondary copy if the primary region becomes unavailable, meeting both requirements.

Exam trap

The trap here is that candidates often confuse GZRS with RA-GZRS, overlooking that GZRS does not grant read access to the secondary region unless a failover is initiated, while RA-GZRS explicitly allows read access to the secondary copy at all times.

How to eliminate wrong answers

Option A is wrong because LRS (Locally Redundant Storage) only keeps three copies within a single datacenter and does not protect against an availability zone failure or provide geo-replication. Option B is wrong because RA-GRS (Read-Access Geo-Redundant Storage) provides geo-replication and read access to the secondary region, but it does not offer zone redundancy in the primary region; it uses LRS in the primary region, so a zone failure could still cause downtime. Option C is wrong because GZRS (Geo-Zone-Redundant Storage) provides zone redundancy in the primary region and geo-replication, but it does not include read access to the secondary copy; the secondary copy is only available for failover, not for read access during an outage.

236
MCQeasy

Based on the exhibit, which Azure construct should the administrator create to group these related policy rules into one assignment?

A.Azure Policy initiative
B.Resource lock
C.Azure RBAC custom role
D.Policy exemption
AnswerA

An initiative groups multiple policy definitions into one assignment, which is ideal when the organization wants a single governance package at management group scope. This makes deployment and compliance tracking simpler than assigning each policy separately.

Why this answer

An Azure Policy initiative is a collection of policy definitions designed to group related policies into a single assignable unit. This allows the administrator to apply multiple policy rules together for consistent governance across resources, which is exactly what the question describes.

Exam trap

The trap here is confusing a policy initiative with a policy exemption, as both involve policy grouping, but only an initiative groups rules for assignment, while an exemption removes resources from evaluation.

How to eliminate wrong answers

Option B is wrong because a resource lock prevents accidental deletion or modification of resources, not grouping policy rules. Option C is wrong because an Azure RBAC custom role defines permissions for access control, not policy rules. Option D is wrong because a policy exemption is used to exclude specific resources from policy evaluation, not to group policies together.

237
MCQhard

A subnet contains two NSGs: one associated with the subnet and one associated with the NIC of VM-App03. You need to determine whether inbound TCP 3389 from the internet is allowed. What is the correct interpretation?

A.The NIC NSG always overrides the subnet NSG.
B.Inbound traffic is allowed as long as one NSG has an allow rule.
C.The effective rules are determined by evaluating both NSGs together, and a deny in either applicable path can block access.
D.Subnet NSGs apply only to outbound traffic.
AnswerC

This reflects how effective NSG rules are evaluated for a VM NIC and its subnet.

Why this answer

When a subnet NSG and a NIC NSG are both applied, Azure evaluates the effective rules by combining both NSGs. Inbound traffic must be allowed by both NSGs along the traffic path; if either NSG has a deny rule that matches the traffic (e.g., a default deny rule for inbound internet traffic), the traffic is blocked. Option C correctly states that a deny in either applicable path can block access, which is the fundamental behavior of NSG evaluation in Azure.

Exam trap

The trap here is that candidates often assume the NIC NSG overrides the subnet NSG (Option A) or that an allow in one NSG is sufficient (Option B), but Azure requires both NSGs to permit the traffic for it to be allowed.

How to eliminate wrong answers

Option A is wrong because the NIC NSG does not always override the subnet NSG; instead, both NSGs are evaluated, and the most restrictive rule applies (a deny in either NSG blocks traffic). Option B is wrong because inbound traffic is not allowed as long as one NSG has an allow rule; both NSGs must allow the traffic, and a deny in either NSG overrides any allow. Option D is wrong because subnet NSGs apply to both inbound and outbound traffic, not just outbound traffic; they filter traffic at the subnet level for all resources within that subnet.

238
MCQmedium

A shared resource group contains a critical virtual machine and a storage account. Administrators must still be able to update settings, but nobody should accidentally delete either resource during routine maintenance. Which lock should be applied?

A.ReadOnly lock on the resource group.
B.CanNotDelete lock on the resource group.
C.A policy assignment that denies delete operations.
D.A management group assignment with Contributor removed.
AnswerB

CanNotDelete blocks deletion while still allowing normal update operations on the resources.

Why this answer

The CanNotDelete lock on the resource group prevents deletion of the resource group and all resources within it, while still allowing administrators to update settings. This meets the requirement of protecting both the critical VM and storage account from accidental deletion during routine maintenance, without blocking configuration changes.

Exam trap

The trap here is that candidates often confuse Azure Policy with resource locks, thinking a deny policy can prevent deletion, but locks are the only mechanism that directly blocks delete operations at the resource level regardless of RBAC permissions.

How to eliminate wrong answers

Option A is wrong because a ReadOnly lock prevents all write operations, including updates to settings, which contradicts the requirement that administrators must still be able to update settings. Option C is wrong because a policy assignment that denies delete operations is not a lock; Azure Policy evaluates compliance and can block creation or modification, but it does not provide the same resource-level protection as locks and can be bypassed if the policy is removed or excluded. Option D is wrong because a management group assignment with Contributor removed would affect all subscriptions under that management group, is overly broad, and does not directly protect the specific resource group from accidental deletion; it also does not prevent deletion by users with Owner or other high-privilege roles.

239
Multi-Selectmedium

An enterprise has a management group named Corp that contains all production and sandbox subscriptions. An Entra ID group named Auditors must be able to read resources in every current subscription under Corp and in any subscription added later. Which two actions should the administrator take? Select two.

Select 2 answers
A.Assign the Reader role to the Auditors group at the Corp management group scope.
B.Assign the Reader role directly to every subscription under Corp.
C.Assign the Reader role to the Auditors group at one resource group scope.
D.Add the intended users to the Auditors Entra ID group.
E.Create an Azure Policy assignment to grant read access to all subscriptions.
AnswersA, D

A Reader assignment at the management group scope inherits to every child subscription and resource below it. That is the narrowest scope that still covers all current and future subscriptions under Corp.

Why this answer

Assigning the Reader role at the Corp management group scope ensures that the Auditors group inherits read permissions to all current and future subscriptions under Corp, because Azure RBAC permissions assigned at a management group are inherited by all child subscriptions and resource groups. This meets the requirement for both existing and future subscriptions without manual updates.

Exam trap

The trap here is confusing Azure Policy (which enforces compliance rules) with Azure RBAC (which grants permissions), leading candidates to incorrectly select Option E instead of recognizing that RBAC assignments at the management group scope are the correct method for inheritance across all subscriptions.

240
MCQeasy

An administrator moved a blob to the Archive tier last month. A user needs to open it tomorrow. What must happen before the file can be read?

A.Change the blob to Hot or Cool and wait for rehydration to complete
B.Create a snapshot of the archived blob
C.Enable versioning on the storage account
D.Move the storage account to LRS redundancy
AnswerA

Archive blobs are offline, so they must be rehydrated to an online tier such as Hot or Cool before they can be read.

Why this answer

To read a blob in the Archive tier, it must first be rehydrated to the Hot or Cool tier. This process, called rehydration, changes the blob's tier and makes it accessible for reading. Until rehydration completes, the blob remains offline and cannot be read.

Exam trap

The trap here is that candidates may think archived blobs can be read directly or that other operations like snapshots or versioning bypass the rehydration requirement, but Azure explicitly requires tier change and rehydration before any read access.

How to eliminate wrong answers

Option B is wrong because creating a snapshot of an archived blob does not change its tier; the snapshot inherits the Archive tier and remains offline. Option C is wrong because enabling versioning creates new versions of blobs but does not rehydrate archived blobs; archived versions remain inaccessible. Option D is wrong because changing redundancy to LRS does not affect the blob's tier; the blob stays in the Archive tier and remains offline until rehydrated.

241
Multi-Selecthard

A policy initiative is assigned at the Corp management group to enforce allowed locations and required tags. A new subscription is added under Corp later. Which two statements are true? Select two.

Select 2 answers
A.The new subscription is automatically in scope because the assignment is at the management group.
B.The initiative must be copied to every resource group in the new subscription before it takes effect.
C.Existing noncompliant resources appear in Azure Policy compliance, but they are not changed until remediation runs.
D.The initiative changes RBAC so users lose read access to the subscription.
E.Compliance results are only visible in Activity Log, not in Azure Policy.
AnswersA, C

Management group assignments inherit to child subscriptions, including subscriptions added later.

Why this answer

Option A is correct because Azure Policy assignments at a management group scope are inherited by all child subscriptions, including new ones added later. When the Corp management group has the initiative assigned, any subscription under Corp automatically falls within the policy's evaluation scope without requiring manual re-assignment.

Exam trap

The trap here is that candidates often assume new subscriptions or resources are not automatically covered by a management group policy assignment, or they confuse policy enforcement with RBAC changes, leading them to select options B or D.

242
MCQmedium

Based on the exhibit, what is the best access change to let John download blobs from only the invoices container?

A.Assign Reader at the storage account scope so John can view the storage account and its data.
B.Assign Storage Blob Data Reader at the invoices container scope.
C.Assign Storage Account Contributor at the resource group scope.
D.Make the invoices container public and keep John's existing Contributor role.
AnswerB

Blob downloads require a data-plane role, not the Contributor role on the storage account. Assigning Storage Blob Data Reader at the container scope gives John only the read permissions needed for invoices and avoids granting access to other containers or management operations.

Why this answer

Option B is correct because assigning the Storage Blob Data Reader role at the invoices container scope grants John the minimum permissions needed to download blobs from that specific container. This role provides read access to blob data without allowing any write or management operations, and scoping it to the container ensures John cannot access other containers in the storage account.

Exam trap

The trap here is that candidates often confuse management-plane roles (like Reader or Contributor) with data-plane roles, assuming that any role with 'read' or 'contributor' in the name grants access to blob data, when in fact only specific data-plane roles (e.g., Storage Blob Data Reader) provide the necessary permissions for blob operations.

How to eliminate wrong answers

Option A is wrong because the Reader role at the storage account scope only allows viewing the storage account's configuration and metadata, not reading blob data; it does not include the Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read permission required to download blobs. Option C is wrong because Storage Account Contributor at the resource group scope grants full management access to the storage account, including the ability to delete or modify the account, which is excessive and does not specifically grant blob data read permissions. Option D is wrong because making the invoices container public would allow anonymous access to all blobs in that container, bypassing Azure RBAC entirely and violating security best practices; John's existing Contributor role still does not grant blob data read permissions.

243
MCQmedium

A development team needs a single Azure Storage account for blob containers, Azure Files shares, and blob lifecycle rules. The account must support standard performance and allow future use of access tiers. Which account kind should you create?

A.BlobStorage because it is optimized for blobs and supports lifecycle management.
B.StorageV2 because it supports blobs, Azure Files, lifecycle management, and access tiers.
C.FileStorage because it is designed for file shares and can also host blob lifecycle rules.
D.BlockBlobStorage because it provides the best performance for lifecycle policies and file shares.
AnswerB

StorageV2 is the correct choice because it is the general-purpose v2 account type. It supports blob containers, Azure Files shares, blob access tiers, lifecycle management rules, and the standard capabilities used in most Azure administration scenarios. It is also the recommended account type when a team wants one storage account for multiple storage services and operational features.

Why this answer

StorageV2 (general-purpose v2) is the only account kind that supports blobs, Azure Files shares, lifecycle management policies, and all access tiers (hot, cool, archive) with standard performance. BlobStorage lacks Azure Files support, FileStorage is premium-only and does not support lifecycle rules, and BlockBlobStorage is premium-only and does not support Azure Files or lifecycle management.

Exam trap

Microsoft often tests the misconception that BlobStorage accounts are sufficient for mixed workloads, but they intentionally omit that BlobStorage cannot host Azure Files shares, making StorageV2 the only viable choice when both blob and file storage are required with lifecycle management.

How to eliminate wrong answers

Option A is wrong because BlobStorage accounts support only block blobs and append blobs, not Azure Files shares, and while they support lifecycle management, they cannot host file shares. Option C is wrong because FileStorage accounts are premium-only (SSD-based) and do not support blob lifecycle management rules or standard performance tiers. Option D is wrong because BlockBlobStorage accounts are premium-only, designed for high-throughput block blob workloads, and do not support Azure Files shares or lifecycle management policies.

244
MCQmedium

Based on the exhibit, which identity approach should be used so all three virtual machines can reuse the same Azure access without sharing secrets?

A.Assign a system-assigned managed identity to each VM.
B.Use a user-assigned managed identity and attach it to all three VMs.
C.Create a storage account access key and place it in each VM's application settings.
D.Create a separate SAS token for each VM and rotate it manually.
AnswerB

A user-assigned managed identity is the right fit when multiple resources need the same Azure identity. It is created as a standalone resource and can be attached to all three VMs, so the access model remains consistent even if a VM is reimaged or replaced. This also avoids storing storage keys, passwords, or connection strings in the application or operating system.

Why this answer

A user-assigned managed identity is a standalone Azure resource that can be assigned to multiple Azure VMs, allowing all three VMs to authenticate to Azure services (e.g., Azure Storage, Key Vault) using the same identity without sharing any secrets. This approach eliminates the need to manage or rotate credentials, as the identity is managed entirely by Azure AD and tokens are obtained via the Azure Instance Metadata Service (IMDS) endpoint.

Exam trap

The trap here is that candidates often confuse system-assigned and user-assigned managed identities, incorrectly assuming that system-assigned identities can be shared across multiple VMs, when in fact only user-assigned identities support multi-VM assignment.

How to eliminate wrong answers

Option A is wrong because a system-assigned managed identity is tied to a single VM and cannot be shared across multiple VMs; each VM would get a unique identity principal, not the same identity. Option C is wrong because storing a storage account access key in each VM's application settings requires sharing a static secret, which violates the requirement of not sharing secrets and introduces security risks if the key is compromised. Option D is wrong because creating separate SAS tokens for each VM still requires sharing tokens (which are secrets) and manually rotating them, which is not a 'no secrets' approach and adds operational overhead.

245
Matchingmedium

Match each file-sharing requirement to the best Azure Files mounting or integration approach.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Azure File Sync

SMB with AD DS-based identity authentication

NFS 4.1 share

SAS token

Why these pairings

SMB mounting requires storage account credentials; NFS needs private endpoint; REST API for programmatic access; Azure AD DS enables identity-based access; File Sync caches on-premises.

246
MCQeasy

A build pipeline must run a Linux container for about 10 minutes per request. The team does not want to manage servers or a Kubernetes cluster. Which Azure service should the administrator choose?

A.Azure Container Instances
B.Azure Virtual Machines
C.Azure App Service
D.Azure Kubernetes Service
AnswerA

Azure Container Instances runs containers on demand without managing servers or orchestration clusters.

Why this answer

Azure Container Instances (ACI) is the correct choice because it allows you to run a Linux container directly on Azure without managing any underlying servers or orchestrators. The 10-minute execution time fits perfectly within ACI's per-second billing model, and the service automatically starts and stops the container on demand, making it ideal for short-lived, ephemeral workloads like build pipeline tasks.

Exam trap

The trap here is that candidates often confuse Azure Container Instances with Azure Kubernetes Service, assuming that any container workload requires an orchestrator, but ACI is purpose-built for simple, serverless container execution without cluster management.

How to eliminate wrong answers

Option B is wrong because Azure Virtual Machines require you to manage the OS, updates, and scaling, which contradicts the requirement to not manage servers. Option C is wrong because Azure App Service is designed for hosting long-running web applications and APIs, not for running short-lived, ephemeral containers on demand. Option D is wrong because Azure Kubernetes Service (AKS) is a managed Kubernetes cluster that still requires cluster management and is overkill for a simple 10-minute container task.

247
Multi-Selecteasy

An operations team wants to label resources by Department and Environment so they can search and report on ownership across many resource groups. Which two statements are correct? Select two.

Select 2 answers
A.Tags are key-value pairs that can be applied to resources and resource groups.
B.Tags help organize and filter resources, but they do not grant access.
C.A ReadOnly lock is the best way to record department ownership.
D.Tags automatically encrypt the data in a resource.
E.Tags replace Azure Policy when compliance must be enforced.
AnswersA, B

Tags are simple metadata labels, usually in key-value form, that can be attached to resources and resource groups. They are commonly used for cost allocation, ownership, and environment tracking.

Why this answer

Option A is correct because Azure tags are indeed key-value pairs that can be applied to resources and resource groups. This allows the operations team to label resources with metadata like Department and Environment, enabling efficient searching, filtering, and reporting across multiple resource groups without affecting resource functionality.

Exam trap

The trap here is that candidates often confuse Azure tags with access control or compliance enforcement, mistakenly thinking tags can replace Azure Policy or locks, when in fact tags are purely for organization and metadata.

248
Multi-Selecteasy

Which two statements about Azure Backup soft delete are correct? Select two.

Select 2 answers
A.Deleted backup data is retained for a grace period
B.A protected item can be recovered after accidental deletion within that period
C.It permanently deletes backups immediately
D.It changes the VM to a different availability zone
E.It only applies to Azure Policy assignments
AnswersA, B

Soft delete keeps deleted backup data recoverable for a limited time window.

Why this answer

Azure Backup soft delete ensures that deleted backup data is not immediately purged but retained for a default grace period of 14 days. This allows recovery of accidentally deleted backup items, such as Recovery Services vault backup data, without data loss. Option A is correct because the grace period is a core feature of soft delete.

Exam trap

The trap here is that candidates may confuse soft delete with immediate permanent deletion (Option C) or incorrectly associate it with unrelated Azure features like availability zones or Azure Policy, rather than recognizing it as a backup-specific retention mechanism.

249
Multi-Selectmedium

A production resource group contains application VMs and databases. Operators must be able to update resources inside the group, but nobody should be able to delete the whole group by accident. Finance also wants ownership data to remain with the resources if they are moved to another resource group. Which two actions should you take? Select two.

Select 2 answers
A.Apply a CanNotDelete lock to the resource group.
B.Use tags such as Department and Owner on the resources.
C.Apply a ReadOnly lock to the resource group.
D.Move the resource group to a management group.
E.Grant Resource Policy Contributor to the operators.
AnswersA, B

A CanNotDelete lock prevents accidental deletion while still allowing normal updates and configuration changes inside the resource group.

Why this answer

Option A is correct because applying a CanNotDelete lock to the resource group prevents anyone from deleting the entire resource group, while still allowing operators to update resources inside it. This lock does not prevent resource-level deletions or modifications, so operators can continue to manage the VMs and databases as needed.

Exam trap

The trap here is that candidates often confuse resource group locks with resource-level locks or assume that moving a resource group to a management group provides deletion protection, when in fact only explicit locks (CanNotDelete or ReadOnly) prevent deletion at the resource group scope.

250
MCQmedium

An administrator assigns Contributor at the RG-Apps resource group scope and Reader at the subscription scope. A developer opens a VM inside RG-Apps and can change its settings, but a different VM in RG-Shared is read-only. Which statement best explains this behavior?

A.The VM in RG-Apps has a direct Contributor assignment that does not apply elsewhere.
B.The VM in RG-Apps inherited Contributor from the resource group, while RG-Shared only inherits Reader.
C.Reader always overrides Contributor when both roles exist in the same subscription.
D.Azure Policy is granting write access only inside RG-Apps because the subscription has no policy.
AnswerB

Permissions flow from the resource group to its resources. Contributor at RG-Apps applies to all resources there, while the subscription-level Reader remains inherited everywhere.

Why this answer

Role assignments in Azure are inherited from higher scopes (subscription, management group) down to lower scopes (resource group, resource). The developer has Reader at the subscription scope, which is inherited by all resource groups, including RG-Shared. However, the Contributor assignment at the RG-Apps resource group scope overrides the inherited Reader for that specific resource group, granting write access to VMs within RG-Apps.

RG-Shared has no direct role assignment, so it only inherits the subscription-level Reader, making its VMs read-only.

Exam trap

The trap here is that candidates often confuse inheritance with direct assignments, thinking that a role at a higher scope (subscription) always overrides a role at a lower scope (resource group), when in fact RBAC combines permissions additively and the most permissive role at the most specific scope wins.

How to eliminate wrong answers

Option A is wrong because Contributor was assigned at the resource group scope (RG-Apps), not directly on the VM; the VM inherits the role from its resource group. Option C is wrong because Azure RBAC does not have a fixed override order between Reader and Contributor; the effective permissions are determined by the most permissive role at the lowest applicable scope, and here Contributor at the resource group scope is more permissive than Reader at the subscription scope. Option D is wrong because Azure Policy is not involved in this scenario; the behavior is purely due to RBAC role assignments, and the subscription having no policy does not grant write access.

251
Multi-Selectmedium

A storage account must remain on its public endpoint, but only one Azure subnet named AppSubnet should be allowed to access it from Azure. No private IP is required. Which two actions should the administrator take? Select two.

Select 2 answers
A.Enable the Microsoft.Storage service endpoint on AppSubnet.
B.Configure the storage account networking firewall to allow the selected virtual network and subnet.
C.Create a private endpoint and disable public network access.
D.Link a private DNS zone to AppSubnet.
E.Assign the Reader RBAC role to AppSubnet.
AnswersA, B

The service endpoint lets Azure identify traffic from that subnet when it reaches the storage service.

Why this answer

Option A is correct because enabling the Microsoft.Storage service endpoint on AppSubnet allows traffic from that subnet to the storage account over the Azure backbone network, using the public endpoint while restricting access to only that subnet. Option B is correct because configuring the storage account's networking firewall to allow the selected virtual network and subnet explicitly permits traffic from AppSubnet while blocking all other public access, meeting the requirement to keep the public endpoint but limit access to one subnet.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, assuming that restricting access to a single subnet requires a private IP and disabling public access, when in fact service endpoints achieve the same goal without changing the endpoint type.

252
MCQhard

A help desk team must be able to reset passwords for cloud users in Microsoft Entra ID, but they must not be able to create or delete users. Which built-in role should you assign?

A.Global Administrator
B.User Administrator
C.Reader
D.Billing Administrator
AnswerB

This aligns with the least-privilege requirement for user management tasks like password resets.

Why this answer

The User Administrator role in Microsoft Entra ID (formerly Azure AD) grants permissions to reset passwords for cloud users, but explicitly excludes the ability to create or delete users. This makes it the correct choice for a help desk team that needs password reset capabilities without broader user management rights.

Exam trap

The trap here is that candidates often confuse the User Administrator role with the Global Administrator role, assuming password reset requires the highest privilege, but Microsoft deliberately scopes the User Administrator role to include password reset while excluding user creation and deletion.

How to eliminate wrong answers

Option A is wrong because Global Administrator has full access to all administrative features, including creating and deleting users, which violates the requirement. Option C is wrong because the Reader role only provides read-only access to Azure resources and cannot reset passwords. Option D is wrong because Billing Administrator is limited to billing-related tasks and cannot reset user passwords.

253
MCQmedium

A branch office uses an on-premises firewall that supports IPsec/IKE and has a stable public IP. The office needs always-on private connectivity to an Azure VNet over the internet. Which Azure component should the administrator deploy?

A.A site-to-site connection using Azure VPN Gateway.
B.VNet peering between the branch office and the Azure VNet.
C.Azure Bastion in the target VNet.
D.A private endpoint for the Azure VNet.
AnswerA

A site-to-site VPN with Azure VPN Gateway is designed for permanent encrypted connectivity between an on-premises network and an Azure VNet. The branch firewall can establish an IPsec/IKE tunnel to the gateway using its public IP, which matches the scenario. This approach provides private connectivity across the internet without exposing the workload directly to public endpoints. It is the standard choice for hybrid network connectivity when ExpressRoute is not required.

Why this answer

A site-to-site VPN connection using Azure VPN Gateway is the correct choice because it provides always-on, encrypted connectivity over the internet between an on-premises network with a stable public IP and an Azure VNet. Azure VPN Gateway supports IPsec/IKE protocols, which are compatible with the branch office's firewall, enabling a secure tunnel that meets the requirement for private connectivity.

Exam trap

The trap here is that candidates often confuse VNet peering (which only works between Azure VNets) with site-to-site VPN connectivity, or they mistakenly think Azure Bastion or private endpoints can provide network-level connectivity to on-premises networks.

How to eliminate wrong answers

Option B is wrong because VNet peering connects two Azure VNets within the Azure backbone, not an on-premises network to an Azure VNet; it cannot extend to a branch office over the internet. Option C is wrong because Azure Bastion provides secure RDP/SSH access to Azure VMs without exposing public IPs, but it does not establish network connectivity between an on-premises network and an Azure VNet. Option D is wrong because a private endpoint enables private access to Azure PaaS services from within a VNet, not site-to-site connectivity between an on-premises network and an Azure VNet.

254
MCQmedium

A subnet is associated with a NAT gateway, but its route table also contains a 0.0.0.0/0 route to a virtual appliance at 10.2.0.4. The business wants all outbound internet traffic from the VMs to use one static public IP, and inspection by the appliance is no longer required. What should the administrator change?

A.Add a public IP address directly to each virtual machine NIC.
B.Remove the 0.0.0.0/0 user-defined route from the subnet.
C.Enable service endpoints for the subnet.
D.Change the NAT gateway to a zone-redundant SKU.
AnswerB

The default route to the virtual appliance forces all internet-bound traffic away from the subnet's NAT gateway. Because NAT gateway only handles outbound traffic that is not sent to another next hop, the UDR prevents the NAT gateway from being used. Removing the default route allows the subnet to use the NAT gateway's static public IP for outbound internet connections while keeping routing simple.

Why this answer

The correct answer is B because removing the 0.0.0.0/0 user-defined route (UDR) from the subnet's route table will allow the NAT gateway to handle all outbound internet traffic. The NAT gateway provides a single static public IP for outbound traffic, and since inspection by the virtual appliance is no longer required, the conflicting UDR that directs traffic to the appliance must be deleted. This ensures that the subnet's default route points to the NAT gateway, which uses Source Network Address Translation (SNAT) to translate private IPs to the static public IP.

Exam trap

The trap here is that candidates often think adding a public IP to VMs (Option A) is simpler or that service endpoints (Option C) can replace a NAT gateway for general internet access, but they fail to recognize that the existing UDR is the direct conflict preventing the NAT gateway from being the default route for outbound traffic.

How to eliminate wrong answers

Option A is wrong because adding a public IP directly to each VM NIC would bypass the NAT gateway, resulting in multiple public IPs and failing the requirement for a single static public IP; it also introduces security risks and management overhead. Option C is wrong because service endpoints provide secure, direct connectivity to Azure PaaS services over the Azure backbone, not outbound internet traffic, and they do not provide a static public IP for general internet access. Option D is wrong because changing the NAT gateway to a zone-redundant SKU improves availability but does not resolve the routing conflict caused by the 0.0.0.0/0 UDR pointing to the virtual appliance.

255
MCQmedium

You need to restore a deleted file from a backed-up Azure virtual machine without restoring the entire VM. Which Azure Backup capability should you use?

A.Cross-region restore
B.File Recovery
C.Azure Site Recovery failover
D.Boot diagnostics
AnswerB

This is the feature designed for restoring specific files and folders.

Why this answer

Azure Backup's File Recovery capability allows you to mount the VM's recovery point as a drive on your local machine, enabling you to browse and restore individual files without restoring the entire VM. This is achieved by creating an iSCSI target from the recovery point snapshot, which you can connect to from a compatible OS. It is the correct choice for granular file-level recovery from a VM backup.

Exam trap

The trap here is that candidates often confuse Azure Backup's File Recovery with Azure Site Recovery's failover, mistakenly thinking failover can be used for granular file restoration, when in fact Site Recovery is for full VM replication and disaster recovery, not backup-based file recovery.

How to eliminate wrong answers

Option A is wrong because Cross-region restore is used to restore a VM or its data to a paired Azure region for disaster recovery or compliance, not for granular file-level recovery from a local backup. Option C is wrong because Azure Site Recovery failover is designed for orchestrating full VM replication and failover to a secondary site, not for restoring individual files from a backup. Option D is wrong because Boot diagnostics captures serial console logs and screenshots for troubleshooting VM boot failures, and has no role in file recovery from backups.

256
MCQeasy

A stateless web app on Azure must add or remove instances automatically when CPU usage changes. Which service should you deploy?

A.Virtual machine scale set with autoscale
B.Single virtual machine
C.Availability set
D.Managed disk
AnswerA

VM scale sets are designed for multiple identical instances and can scale automatically based on rules.

Why this answer

A virtual machine scale set (VMSS) with autoscale is the correct choice because it is designed to automatically increase or decrease the number of VM instances based on metrics like CPU usage. Autoscale rules can be configured to scale out when CPU exceeds a threshold (e.g., 75%) and scale in when it drops below a threshold, ensuring the stateless web app handles variable load without manual intervention.

Exam trap

The trap here is that candidates confuse high-availability constructs (availability sets) or storage components (managed disks) with autoscaling compute, or assume a single VM can be dynamically scaled horizontally, when only VMSS provides automated instance-level scaling based on metrics.

How to eliminate wrong answers

Option B is wrong because a single virtual machine cannot automatically add or remove instances; it is a fixed resource that can only be scaled vertically (changing size) and does not support horizontal scaling. Option C is wrong because an availability set is a logical grouping for high availability and fault tolerance, not an autoscaling mechanism; it does not add or remove instances based on CPU usage. Option D is wrong because a managed disk is a storage volume for VMs, not a compute service; it has no capability to manage instance count or respond to CPU metrics.

257
MCQeasy

A subnet has an NSG with a custom inbound deny-all rule at priority 200. You need to allow HTTPS traffic to a VM in that subnet from any source. Which action should you take?

A.Create an inbound allow rule for TCP 443 with priority 300.
B.Create an inbound allow rule for TCP 443 with priority 100.
C.Change the deny-all rule to outbound instead of inbound.
D.Add a route table entry for port 443 traffic to the VM subnet.
AnswerB

A smaller priority number is evaluated first, so a priority 100 allow rule will match before the deny-all rule.

Why this answer

NSG rules are evaluated in priority order, with lower numbers evaluated first. The existing deny-all rule at priority 200 blocks all inbound traffic. To allow HTTPS (TCP 443) before the deny rule is evaluated, you must create an allow rule with a priority lower than 200, such as priority 100.

This ensures the allow rule is processed first, permitting the traffic.

Exam trap

The trap here is that candidates often think higher priority numbers (like 300) are evaluated first, or they confuse NSG rule priority with route table priority, leading them to choose a higher priority number or a route table entry instead of a lower priority allow rule.

How to eliminate wrong answers

Option A is wrong because a priority of 300 is higher than the deny-all rule's priority of 200, meaning the deny rule will be evaluated first and block the HTTPS traffic before the allow rule is reached. Option C is wrong because changing the deny rule to outbound would not affect inbound HTTPS traffic; the inbound deny-all rule would still block it. Option D is wrong because route tables control the path traffic takes through the virtual network, not whether traffic is permitted or denied; NSGs are the firewall that filters traffic.

258
Multi-Selecthard

A subnet has a route table with these user-defined routes: 10.10.0.0/16 to Virtual appliance, 10.10.5.0/24 to Virtual network gateway, and 10.10.5.128/25 to Virtual network. The subnet is attached to a VM that sends traffic to several destinations. Which three next-hop decisions are correct? Select three.

Select 3 answers
A.Traffic to 10.10.5.9 uses Virtual network gateway.
B.Traffic to 10.10.5.200 uses Virtual network.
C.Traffic to 10.10.8.4 uses Virtual appliance.
D.Traffic to 10.10.5.9 uses Virtual appliance.
E.Traffic to 8.8.8.8 uses Virtual appliance.
AnswersA, B, C

The /24 route is more specific than the broader /16 route, so it wins for 10.10.5.9.

Why this answer

Option A is correct because the route table uses longest prefix match. The destination 10.10.5.9 falls within the 10.10.5.0/24 range, which has a more specific prefix (24 bits) than 10.10.0.0/16 (16 bits). The user-defined route for 10.10.5.0/24 specifies a next hop of Virtual network gateway, so traffic to 10.10.5.9 is forwarded to the gateway.

Exam trap

The trap here is that candidates often assume a broader route (like 10.10.0.0/16 to Virtual appliance) applies to all subnets, forgetting that more specific user-defined routes (like 10.10.5.0/24 to Virtual network gateway) take precedence via longest prefix match, and that public IPs like 8.8.8.8 are not matched by private address space routes.

259
MCQeasy

Based on the exhibit, which policy best matches the requirement for daily backups retained for 30 days?

A.A policy with daily backups retained for 7 days.
B.A policy with daily backups retained for 30 days.
C.A policy with weekly backups retained for 30 days.
D.A policy with daily backups retained for 365 days.
AnswerB

This policy matches both parts of the requirement: backups run every day, and each daily recovery point is kept for 30 days. It aligns exactly with the business need shown in the exhibit.

Why this answer

Option B is correct because the requirement explicitly states 'daily backups retained for 30 days.' A backup policy in Azure Backup allows you to define the frequency (daily) and retention duration (30 days) for recovery points. This policy directly matches the requirement without over-retention or under-retention.

Exam trap

The trap here is that candidates often confuse backup frequency with retention duration, or they assume that longer retention is always better, ignoring cost implications and the specific requirement stated in the question.

How to eliminate wrong answers

Option A is wrong because retaining daily backups for only 7 days does not meet the 30-day retention requirement; it would result in data loss after a week. Option C is wrong because it specifies weekly backups, not daily, so it fails to meet the daily backup frequency requirement. Option D is wrong because retaining daily backups for 365 days exceeds the 30-day requirement, leading to unnecessary storage costs and potential confusion in lifecycle management.

260
MCQmedium

An analytics team stores exported reports in a storage account. They want the data to survive a zone failure and a regional outage, and if the primary region becomes unavailable they also want read-only access to the replica while failover is being planned. Which redundancy option should you select?

A.GZRS
B.RA-GZRS
C.RA-GRS
D.ZRS
AnswerB

RA-GZRS combines zone-redundant storage with geo-replication and also allows read access to the secondary region.

Why this answer

RA-GZRS (Read-Access Geo-Zone-Redundant Storage) is correct because it combines zone-redundant storage (ZRS) within the primary region with geo-redundant replication to a secondary region, and crucially provides read-only access to the secondary replica even when the primary region is available. This meets the requirement for data survival during both a zone failure and a regional outage, while allowing read-only access to the replica during failover planning.

Exam trap

The trap here is that candidates often confuse GZRS with RA-GZRS, forgetting that the 'RA' prefix is required to enable read access to the secondary region before a failover occurs.

How to eliminate wrong answers

Option A (GZRS) is wrong because while it provides zone redundancy and geo-replication, it does not enable read access to the secondary region unless a failover is initiated; the secondary is offline for reads until then. Option C (RA-GRS) is wrong because it uses LRS (locally redundant storage) in the primary region, which does not survive a zone failure (only a single datacenter failure). Option D (ZRS) is wrong because it only protects against zone failures within a single region and does not provide geo-replication for regional outage protection or read access to a secondary replica.

261
MCQmedium

The operations team manages several Azure VMs in one resource group. They need an alert whenever average CPU percentage on any VM in the group stays above 80% for 10 minutes, and the alert must send email and SMS to the on-call team. What should the administrator configure?

A.Create a Log Analytics query alert on the Activity log and manually notify the on-call team.
B.Create an Azure Monitor metric alert rule at the resource-group scope and attach an action group.
C.Export VM diagnostics to a storage account and have operators review the files after each incident.
D.Create a resource lock on the VMs and use Azure Policy to notify the team about CPU spikes.
AnswerB

A metric alert is the right tool for CPU thresholds, and an action group provides the email and SMS notifications. Scoping the alert to the resource group ensures all current VMs are covered without configuring each VM separately.

Why this answer

Option B is correct because Azure Monitor metric alerts can be created at the resource-group scope, which allows a single alert rule to monitor the 'Percentage CPU' metric across all VMs in that group. The alert triggers when the average CPU stays above 80% for 10 minutes (evaluated using a fixed aggregation window). An action group attached to the alert rule sends email and SMS notifications to the on-call team, meeting all requirements without manual intervention.

Exam trap

The trap here is that candidates may think a metric alert must be created per individual VM, but Azure Monitor supports resource-group scoped metric alerts that apply to all resources of the same type within that scope, simplifying management while still meeting the requirement.

How to eliminate wrong answers

Option A is wrong because Log Analytics query alerts on the Activity log capture administrative events (e.g., VM creation/deletion), not performance metrics like CPU usage; they cannot trigger on metric thresholds. Option C is wrong because exporting VM diagnostics to a storage account is a passive archival method that requires operators to manually review files after incidents, failing the requirement for real-time alerting via email/SMS. Option D is wrong because resource locks prevent accidental deletion or modification of resources but do not monitor metrics or send notifications; Azure Policy enforces compliance rules (e.g., tagging) and cannot trigger alerts on CPU spikes.

262
MCQmedium

Three application VMs in different resource groups must use the same Azure identity to read blobs from a storage account. The identity must continue to work if the VMs are redeployed. What should you use?

A.A system-assigned managed identity on each VM
B.A user-assigned managed identity
C.A shared access signature stored in a configuration file
D.The local Administrator account on each VM
AnswerB

A user-assigned managed identity can be attached to multiple VMs and survives VM redeployment.

Why this answer

A user-assigned managed identity is the correct choice because it is a standalone Azure resource that can be assigned to multiple VMs across different resource groups. It persists independently of the VM lifecycle, so it continues to work even if the VMs are redeployed, and it can be used to authenticate to Azure Storage for blob read operations via Azure AD.

Exam trap

The trap here is that candidates often choose a system-assigned managed identity (Option A) because they assume it can be shared, but it is per-resource and cannot be assigned to multiple VMs across resource groups.

How to eliminate wrong answers

Option A is wrong because a system-assigned managed identity is tied to a single VM and cannot be shared across multiple VMs in different resource groups; it is also deleted when the VM is deleted. Option C is wrong because a shared access signature (SAS) stored in a configuration file is a static token that can expire, requires manual rotation, and does not provide a managed identity that persists across VM redeployments. Option D is wrong because the local Administrator account is a local user account that cannot be used to authenticate to Azure Storage blobs; it has no Azure RBAC permissions and is not designed for cloud resource access.

263
Matchinghard

A VM suffered corruption and an auditor also needs one missing file. Match each Azure Backup restore workflow to the recovery outcome it provides.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Creates a separate virtual machine from the recovery point.

Recovers the managed disks so you can rebuild or inspect the workload manually.

Mounts the recovery point so you can retrieve individual files or folders.

Restores from the paired region when the primary region is unavailable.

Why these pairings

Azure Backup restore workflows: 'Restore VM' creates a new VM, 'Restore files' recovers individual files, 'Restore as unmanaged/managed disks' recovers disks, 'Replace existing VM' overwrites the original, and 'Cross-region restore' restores to another region.

264
MCQhard

A container group must run an image from a private Azure Container Registry without embedding registry credentials in the deployment. The same authentication method should be reusable by future container groups, and the application must continue to work if the container group is recreated. Which identity approach should the administrator use?

A.A system-assigned managed identity for the container group.
B.A user-assigned managed identity assigned to the container group.
C.An ACR admin username and password stored in the container image.
D.A shared access signature token passed as an environment variable.
AnswerB

A user-assigned managed identity can be reused across container groups and survives recreation of the workload resource. After granting the identity AcrPull on the registry, the container group can authenticate without stored usernames, passwords, or registry secrets.

Why this answer

A user-assigned managed identity (B) is the correct approach because it is a persistent Azure AD identity that can be pre-created and assigned to any number of container groups. It decouples the identity from the container group's lifecycle, so if the container group is recreated, the same identity can be reassigned without reconfiguration. The container group uses this identity to authenticate to ACR via Azure AD token-based authentication, eliminating the need to embed registry credentials.

Exam trap

The trap here is that candidates often choose system-assigned managed identity (A) because it is simpler to configure, but they overlook the requirement for reusability across container group recreations, which only a user-assigned managed identity can satisfy due to its independent lifecycle.

How to eliminate wrong answers

Option A is wrong because a system-assigned managed identity is tied to the lifecycle of the container group; if the container group is deleted and recreated, a new identity is created, breaking the reusability requirement. Option C is wrong because using ACR admin credentials stored in the image violates the requirement to not embed credentials and is not reusable across future container groups without manual credential rotation. Option D is wrong because a shared access signature (SAS) token is used for Azure Storage access, not for authenticating to Azure Container Registry, and passing it as an environment variable would expose credentials.

265
MCQeasy

Based on the exhibit, what should the administrator do next so the VM can use the extra capacity on the resized data disk?

A.Resize the managed disk again in Azure.
B.Extend the partition or file system inside the VM.
C.Detach the disk and attach it to another VM.
D.Create a new virtual machine from the disk.
AnswerB

After Azure increases a managed disk, the guest operating system still needs to recognize the new space. Expanding the partition or file system inside the VM makes the newly allocated disk capacity available to applications.

Why this answer

After resizing a managed disk in Azure, the additional capacity is allocated at the Azure platform level but is not automatically available to the operating system. The administrator must extend the partition or file system inside the VM using tools like Diskpart (Windows) or fdisk/resize2fs (Linux) to make the new space usable. This is a standard post-resize step because the OS still sees the original partition boundaries.

Exam trap

The trap here is that candidates assume resizing the disk in Azure automatically makes the extra space available inside the VM, overlooking the required OS-level partition extension step.

How to eliminate wrong answers

Option A is wrong because resizing the disk again would only allocate more space at the Azure level without addressing the OS-level partition, and repeating the resize does not automatically extend the file system. Option C is wrong because detaching and reattaching the disk to another VM does not extend the partition; it only moves the unchanged disk to a different host. Option D is wrong because creating a new VM from the disk is unnecessary and wasteful—the existing VM can use the extra capacity after a simple partition extension, and this option does not solve the immediate issue.

266
MCQeasy

A partner must upload files to one blob container for 12 hours. You do not want to share the storage account key, and the access should expire automatically. Which access method should you use?

A.Role assignment in Azure RBAC
B.Shared access signature (SAS)
C.Private endpoint
D.Storage account lock
AnswerB

A SAS can grant scoped, time-limited access to a container or blob without exposing the storage account key.

Why this answer

A shared access signature (SAS) is the correct choice because it provides time-limited, delegated access to a specific blob container without exposing the storage account key. You can set an expiry time of 12 hours, and the SAS token can be generated with only the permissions needed (e.g., write). Once the token expires, access is automatically revoked, meeting the requirement for automatic expiration.

Exam trap

The trap here is that candidates often confuse RBAC with SAS, thinking that a role assignment can be made temporary, but RBAC does not support automatic expiration; only SAS provides time-bound, delegated access without sharing the account key.

How to eliminate wrong answers

Option A is wrong because Azure RBAC role assignments do not have a built-in automatic expiration mechanism; they grant persistent access until explicitly removed, and they cannot be scoped to a single blob container with a time limit. Option C is wrong because a private endpoint provides a secure network connection to the storage account over a private IP, but it does not control or expire access to specific containers or blobs. Option D is wrong because a storage account lock prevents accidental deletion or modification of the storage account itself, but it does not provide time-limited access to blob containers.

267
MCQmedium

You need to ensure that all newly created resource groups in a subscription automatically inherit the CostCenter tag with a fixed value, even if the creator forgets to add it. Which Azure Policy effect should you use?

A.Audit
B.Deny
C.Modify
D.Disabled
AnswerC

Modify can add the required tag value during deployment and is the best fit here.

Why this answer

The Modify effect is correct because it allows Azure Policy to automatically add or alter tags on resources or resource groups during creation or update, ensuring the CostCenter tag with a fixed value is applied even if the creator omits it. Unlike Audit or Deny, Modify actively remediates non-compliant resources by appending the required tag, making it ideal for enforcing mandatory inheritance without blocking deployment.

Exam trap

The trap here is that candidates often choose Deny thinking it enforces compliance by blocking non-tagged resources, but they overlook that the question requires automatic inheritance, not rejection, making Modify the only effect that actively adds the missing tag.

How to eliminate wrong answers

Option A is wrong because Audit only logs non-compliance without taking any action, so the CostCenter tag would not be automatically added. Option B is wrong because Deny blocks the creation of resource groups that lack the tag, which would prevent deployment entirely rather than ensuring the tag is inherited. Option D is wrong because Disabled turns off the policy effect, providing no enforcement or remediation at all.

268
MCQhard

An archive team stores legal exhibits in Azure Blob Storage. The files are downloaded only during quarterly audits, but when an auditor needs one, it must be readable immediately without waiting for a rehydration job. The team wants the lowest practical cost after the first 30 days and does not want to move blobs manually each quarter. What should the administrator configure?

A.Keep the blobs in Hot tier permanently and delete them manually after each audit cycle.
B.Use a lifecycle management rule to move the blobs to Cool tier after 30 days.
C.Move the blobs to Archive tier after 30 days and rehydrate them when audits begin.
D.Store the files in Premium block blob storage and use snapshots for audit recovery.
AnswerB

Cool tier remains online and immediately readable, while costing less than Hot for infrequent access.

Why this answer

Option B is correct because Azure Blob Storage lifecycle management rules can automatically move blobs from Hot to Cool tier after 30 days, reducing storage costs while keeping data immediately accessible. Cool tier offers lower storage costs than Hot tier with the same low-latency read access, satisfying the requirement for instant auditor access without manual intervention.

Exam trap

The trap here is that candidates often confuse Archive tier's low storage cost with immediate accessibility, forgetting that Archive requires a rehydration step that can take hours, while Cool tier provides instant access at a slightly higher but still cost-effective rate.

How to eliminate wrong answers

Option A is wrong because keeping blobs in Hot tier permanently incurs the highest storage cost, and manual deletion each quarter violates the 'do not want to move blobs manually' requirement. Option C is wrong because moving blobs to Archive tier after 30 days would require a rehydration job (taking up to 15 hours) before auditors can read them, contradicting the 'readable immediately' requirement. Option D is wrong because Premium block blob storage is designed for low-latency workloads with high transaction costs, not for archival data, and snapshots do not provide tier-based cost savings or automate tier transitions.

269
Matchinghard

A security analyst is reviewing deleted-resource evidence, exported diagnostics, and heartbeat data. Match each monitoring term to the best description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Central repository for collected telemetry that you query and analyze over a retention period.

The query language used to filter, summarize, and correlate log records in Azure Monitor.

Subscription-scoped record of Azure control-plane operations such as create, update, and delete.

Alert that evaluates the result of a KQL query on a schedule and fires when conditions are met.

Configuration that sends resource logs and metrics to a workspace, storage account, or Event Hub.

Why these pairings

The monitoring terms relate to Azure Monitor data sources. Deleted-resource evidence comes from activity logs, exported diagnostics are resource logs sent elsewhere, heartbeat data indicates agent health, and the other terms are standard Azure Monitor components.

270
Multi-Selectmedium

A subnet already has a 0.0.0.0/0 route that sends traffic to a virtual appliance at 10.1.1.4. One server in that subnet must reach 172.16.1.0/24 directly through the Internet, while all other traffic should still use the appliance. Which two actions are required? Select two.

Select 2 answers
A.Add a more specific user-defined route for 172.16.1.0/24 with next hop type Internet.
B.Associate the route table with the subnet that contains the server.
C.Create an NSG rule that allows outbound Internet traffic.
D.Enable a service endpoint for the Internet destination.
E.Change the subnet address space to a smaller CIDR.
AnswersA, B

A longer prefix beats the broader 0.0.0.0/0 route, so only that destination uses the Internet path.

Why this answer

A is correct because a more specific user-defined route (UDR) for 172.16.1.0/24 with next hop type Internet overrides the existing 0.0.0.0/0 route that points to the virtual appliance. Azure uses longest prefix match, so the /24 route takes precedence for traffic to that destination, sending it directly to the Internet instead of through the appliance.

Exam trap

The trap here is that candidates often think an NSG rule is needed to allow outbound Internet traffic, but Azure VMs have default outbound connectivity via SNAT, so the routing decision (UDR) is the only missing piece, not a firewall rule.

271
MCQeasy

A reporting application needs an Azure VM with at least 8 vCPUs and 64 GiB of RAM. The workload is memory-heavy, and the team wants a reasonable starting point. Which VM family should the administrator choose?

A.B-series
B.D-series
C.E-series
D.F-series
AnswerC

E-series is memory optimized and is a strong fit for workloads that need higher RAM per vCPU.

Why this answer

The E-series (memory-optimized) VM family is designed for memory-intensive workloads, offering a high memory-to-CPU ratio. With a requirement of at least 8 vCPUs and 64 GiB of RAM, the E-series provides the necessary memory capacity (e.g., E8s_v3 offers 8 vCPUs and 64 GiB RAM) as a reasonable starting point for a memory-heavy reporting application.

Exam trap

The trap here is that candidates often confuse 'general purpose' (D-series) as sufficient for all workloads, overlooking the specific memory requirement of 64 GiB, which D-series cannot meet at 8 vCPUs.

How to eliminate wrong answers

Option A is wrong because B-series (burstable) VMs are intended for workloads with low-to-moderate baseline CPU utilization that can burst, not for consistent memory-heavy performance; they lack the high memory-to-CPU ratio required. Option B is wrong because D-series (general purpose) VMs offer a balanced CPU-to-memory ratio (e.g., D8s_v3 has 8 vCPUs but only 32 GiB RAM), which does not meet the 64 GiB requirement. Option D is wrong because F-series (compute-optimized) VMs prioritize high CPU performance with a low memory-to-CPU ratio (e.g., F8s_v2 has 8 vCPUs but only 16 GiB RAM), making them unsuitable for memory-heavy workloads.

272
Multi-Selecthard

A management group named Corp contains subscription Sales. RG-App is in Sales and contains several virtual machines. The Auditors group must read every resource in Sales, including resources in future resource groups created under that subscription. The ServerOps group must be able to start, stop, and restart only the virtual machines in RG-App. Which two role assignments should the administrator configure? Select two.

Select 2 answers
A.Assign Reader to Auditors at the Sales subscription scope.
B.Assign Reader to Auditors at the RG-App resource group scope.
C.Assign Virtual Machine Contributor to ServerOps at the RG-App resource group scope.
D.Assign Virtual Machine Contributor to ServerOps at the Sales subscription scope.
E.Assign Owner to ServerOps at the RG-App resource group scope.
AnswersA, C

Subscription scope covers all existing and future resource groups and resources inside Sales, which matches the auditor requirement.

Why this answer

Option A is correct because assigning the Reader role to the Auditors group at the Sales subscription scope grants read access to all resources within that subscription, including any future resource groups and resources created under it. This meets the requirement that Auditors must read every resource in Sales, including those in future resource groups.

Exam trap

The trap here is that candidates often assign roles at too broad a scope (e.g., subscription) for ServerOps, thinking it simplifies management, or assign too permissive a role like Owner, not realizing that Virtual Machine Contributor is the precise built-in role for VM start/stop/restart operations.

273
Multi-Selectmedium

You are designing a virtual networking solution for a critical application deployed across multiple Azure regions. You need to ensure secure, high-performance, and resilient connectivity between the virtual networks. Which four of the following options should you consider? (Choose four.)

Select 4 answers
.Use VNet peering with Gateway Transit to connect the virtual networks.
.Configure Azure VPN Gateway with active-active mode to provide high availability for site-to-site connections.
.Implement Azure Private Link to expose the application's backend service securely over the Microsoft backbone network.
.Deploy Azure Virtual Network Manager to dynamically manage and enforce connectivity rules across multiple virtual networks.
.Use Azure ExpressRoute with FastPath enabled to reduce latency and improve data throughput between the virtual networks.
.Create a single VNet spanning multiple regions using a large contiguous address space to simplify routing.

Why this answer

VNet peering with Gateway Transit is correct because it allows virtual networks to connect through a shared VPN gateway, enabling secure and efficient cross-region communication without deploying separate gateways. This approach leverages the Azure backbone for low-latency, high-bandwidth connectivity while maintaining isolation and control over routing policies.

Exam trap

The trap here is that candidates often confuse ExpressRoute as a solution for VNet-to-VNet connectivity, but ExpressRoute is strictly for hybrid connectivity between on-premises and Azure, not for inter-VNet traffic within Azure.

274
MCQmedium

A help desk engineer needs a Log Analytics query that returns each computer whose most recent heartbeat is older than 20 minutes. Which query should they use?

A.Heartbeat | where TimeGenerated < ago(20m) | summarize LastSeen = max(TimeGenerated) by Computer
B.Heartbeat | summarize LastSeen = max(TimeGenerated) by Computer | where LastSeen < ago(20m)
C.Heartbeat | summarize count() by Computer | where count_ < 20
D.Heartbeat | where TimeGenerated > ago(20m) | summarize LastSeen = max(TimeGenerated) by Computer
AnswerB

This query first finds the latest heartbeat per computer and then filters for machines whose latest timestamp is older than 20 minutes. That matches the operational requirement exactly and avoids false positives caused by filtering before summarization.

Why this answer

Option B is correct because it first summarizes the most recent heartbeat timestamp for each computer using `max(TimeGenerated)`, then filters for computers where that latest heartbeat is older than 20 minutes with `where LastSeen < ago(20m)`. This ensures only computers that have not sent a heartbeat in the last 20 minutes are returned, which is the exact requirement.

Exam trap

The trap here is that candidates often filter by time first (as in Option A) thinking it will find old heartbeats, but they forget that summarizing after filtering can include computers with recent heartbeats if any old heartbeat exists, whereas the correct approach is to summarize the latest heartbeat per computer first, then filter for staleness.

How to eliminate wrong answers

Option A is wrong because it filters heartbeats to only those older than 20 minutes before summarizing, which would return computers that had an old heartbeat but might also have a recent one—missing the requirement to check the most recent heartbeat. Option C is wrong because it counts heartbeats per computer and filters where the count is less than 20, which has no relation to time—it could return computers with few heartbeats ever, not those with a stale latest heartbeat. Option D is wrong because it filters for heartbeats newer than 20 minutes and then summarizes the max, which would return computers with recent heartbeats, the opposite of what is needed.

275
MCQmedium

The subscription admin wants to receive an alert whenever anyone deletes a resource group, regardless of which resource type was inside it. Which alert type should be used?

A.A metric alert on the deleted resource group's CPU
B.A log alert on a custom KQL query in a workspace only
C.An activity log alert targeting the delete resource group operation
D.A backup alert from a Recovery Services vault
AnswerC

An activity log alert is the right tool for subscription-level events such as resource group deletion. It monitors the Azure Activity log directly, so it can react as soon as the delete operation is recorded. This avoids depending on resource-specific metrics or a separate workspace query pipeline for a basic administrative event.

Why this answer

Option C is correct because the 'Delete Resource Group' operation is an Azure Resource Manager control-plane action that is automatically logged in the Azure Activity Log. An activity log alert can be configured to fire whenever this specific operation is recorded, regardless of the resource types inside the group. This is the only alert type that directly monitors management-plane events like resource group deletion.

Exam trap

The trap here is that candidates confuse resource-level monitoring (metrics, logs) with control-plane monitoring (Activity Log), and assume a metric or log alert can detect a deletion event, when in fact only an activity log alert natively watches for Azure Resource Manager operations like resource group deletion.

How to eliminate wrong answers

Option A is wrong because a metric alert on CPU monitors performance metrics of a resource, not management-plane operations; once the resource group is deleted, the metric data source no longer exists, so the alert cannot fire. Option B is wrong because a log alert on a custom KQL query in a Log Analytics workspace can only analyze data already ingested into that workspace (e.g., diagnostic logs or resource logs), but the 'Delete Resource Group' operation is an Activity Log event, not a resource log; while you could route Activity Logs to a workspace, the question asks for the alert type directly targeting the operation, and a log alert requires additional configuration and is not the native alert type for Activity Log events. Option D is wrong because a backup alert from a Recovery Services vault monitors backup job failures or warnings, not resource group deletion events.

276
MCQmedium

Based on the exhibit, what next hop will the VM use when it sends traffic to 10.30.5.10?

A.Virtual appliance at the user-defined next hop
B.Virtual network gateway
C.Internet
D.Virtual network
AnswerB

The BGP route to 10.30.0.0/16 is the most specific matching route and therefore takes precedence.

Why this answer

The VM's effective route table shows a route for 10.30.5.0/24 with a next hop type of 'Virtual network gateway'. Since 10.30.5.10 falls within this prefix, the VM will use the virtual network gateway as the next hop. This overrides the default virtual network (local) route because it is a more specific prefix match.

Exam trap

The trap here is that candidates assume traffic to an IP within the virtual network's address space (10.0.0.0/16) will always use the 'Virtual network' next hop, but a more specific route (e.g., 10.30.5.0/24) with a different next hop type overrides it, leading to an incorrect choice of Option D.

How to eliminate wrong answers

Option A is wrong because the exhibit does not show any user-defined route (UDR) with a next hop of 'Virtual appliance' for the 10.30.5.0/24 prefix; the next hop type is explicitly 'Virtual network gateway'. Option C is wrong because the route for 10.30.5.0/24 does not have a next hop of 'Internet'; the default 0.0.0.0/0 route points to the Internet, but the more specific 10.30.5.0/24 route takes precedence. Option D is wrong because the default virtual network route (10.0.0.0/16) would use 'Virtual network' as next hop, but the more specific 10.30.5.0/24 route overrides it with a 'Virtual network gateway' next hop.

277
Multi-Selectmedium

A production virtual machine must trigger an immediate notification whenever average CPU stays above 85 percent for 15 minutes, and the same event must also start an Azure Function that opens an incident ticket. Which two Azure Monitor components should you configure? Select two.

Select 2 answers
A.Create a metric alert rule on the VM CPU percentage.
B.Add an action group that sends email and invokes the Azure Function.
C.Enable a diagnostic setting on the VM without creating an alert rule.
D.Create a Log Analytics workspace and rely on manual queries only.
E.Apply a resource lock so CPU usage changes are blocked.
AnswersA, B

A metric alert evaluates the VM CPU metric continuously and can fire when the threshold and duration are met.

Why this answer

A metric alert rule on the VM CPU percentage is correct because it monitors the specific metric (Percentage CPU) and triggers when the average exceeds 85% for 15 minutes, meeting the notification requirement. This rule evaluates the metric at regular intervals and fires when the condition is met, which is the standard Azure Monitor approach for real-time metric-based alerts.

Exam trap

The trap here is that candidates might think a diagnostic setting alone can trigger alerts, but diagnostic settings only forward data and do not evaluate conditions, so an alert rule is always required for threshold-based notifications.

278
MCQmedium

An application subnet has a network security group with these inbound rules: Allow-Web-From-Internet at priority 200, Allow-App-From-Web at priority 300, and Deny-All-Inbound at priority 250. The web tier must reach the app tier on TCP 8080, but traffic is being denied. The administrator confirms the source and destination IPs are correct. What is the best fix?

A.Delete the Deny-All-Inbound rule because default NSG rules will allow the traffic.
B.Change the Allow-App-From-Web rule to a lower priority number than 250.
C.Add a route table entry for TCP 8080 traffic to bypass the NSG.
D.Move the Allow-Web-From-Internet rule to priority 400.
AnswerB

NSG rules are processed in priority order, and the lowest number wins. Because Deny-All-Inbound at 250 is evaluated before the allow rule at 300, it blocks the traffic first. Moving the allow rule to a lower number than 250 lets the permitted web-to-app traffic match before the deny rule is applied.

Why this answer

The Deny-All-Inbound rule at priority 250 is evaluated before the Allow-App-From-Web rule at priority 300 because lower priority numbers are processed first. To allow web-to-app traffic on TCP 8080, the Allow-App-From-Web rule must have a lower priority number (e.g., 240) than the Deny-All-Inbound rule so it is evaluated and applied first, permitting the traffic before the deny rule blocks it.

Exam trap

The trap here is that candidates assume all rules are evaluated and the most specific rule wins, but in Azure NSGs, priority order (numerical value) strictly determines evaluation sequence, not specificity or rule type.

How to eliminate wrong answers

Option A is wrong because default NSG rules (e.g., AllowVNetInBound) only allow traffic within the virtual network and do not override explicit deny rules; deleting the Deny-All-Inbound rule would leave no explicit deny, but the default rules would not automatically allow TCP 8080 from the internet to the app subnet. Option C is wrong because route tables control traffic routing at Layer 3 (IP forwarding) and cannot bypass NSG rules, which are stateful packet filters applied at the subnet or NIC level. Option D is wrong because moving the Allow-Web-From-Internet rule to a higher priority number (400) does not affect the conflict between the Allow-App-From-Web and Deny-All-Inbound rules; the web-to-app traffic is still denied by the higher-priority deny rule.

279
MCQmedium

A web app running on an Azure VM must connect to an Azure SQL Database instance. The security team requires the database to be reachable through a private IP inside the VNet, and the application should keep using the normal SQL server name without any connection string change. What should the administrator implement?

A.A service endpoint on the subnet and a firewall rule on the SQL server.
B.A private endpoint for Azure SQL and the corresponding private DNS zone linked to the VNet.
C.A public endpoint with selected network access and a network security group on the VM subnet.
D.A virtual network peering connection to the SQL service subnet.
AnswerB

A private endpoint gives the SQL service a private IP address inside the VNet, and the private DNS zone allows the standard SQL name to resolve to that address. This meets both requirements: private network access and no connection string change. It is the correct Azure Private Link pattern for secure PaaS access.

Why this answer

Option B is correct because a private endpoint assigns Azure SQL Database a private IP from the VNet, making it reachable via a private IP while preserving the normal SQL server FQDN. The corresponding private DNS zone (privatelink.database.windows.net) linked to the VNet ensures that DNS resolution of the SQL server name resolves to the private IP, so no connection string changes are needed. This meets the security requirement of private IP reachability and the application requirement of unchanged connection strings.

Exam trap

The trap here is that candidates confuse service endpoints (which still use public IPs) with private endpoints (which use private IPs), leading them to choose Option A, thinking it provides private IP connectivity when it only provides source subnet restriction via the public endpoint.

How to eliminate wrong answers

Option A is wrong because a service endpoint exposes the SQL server to the subnet via its public endpoint, not a private IP, and requires a firewall rule to allow traffic from the subnet, which does not satisfy the 'private IP inside the VNet' requirement. Option C is wrong because a public endpoint with selected network access still uses a public IP, not a private IP, and a network security group on the VM subnet does not change the SQL server's public endpoint nature. Option D is wrong because virtual network peering connects VNets, but Azure SQL Database is a PaaS service, not a service subnet, so peering does not provide a private IP for the database.

280
MCQmedium

A subnet has a user-defined route for 0.0.0.0/0 that sends all outbound traffic to a virtual appliance. Traffic to 10.20.4.12 must instead go directly to an Azure VPN gateway. What should you configure?

A.Add a network security group rule that allows traffic to 10.20.4.12.
B.Add a more specific UDR for 10.20.4.0/24 that uses the virtual network gateway next hop.
C.Increase the priority of the 0.0.0.0/0 route so it is preferred less often.
D.Remove the VPN gateway association from the virtual network.
AnswerB

Azure uses longest-prefix match, so the more specific route overrides the broader 0.0.0.0/0 entry.

Why this answer

Option B is correct because User-Defined Routes (UDRs) use the longest prefix match to determine the next hop. The existing 0.0.0.0/0 route sends all outbound traffic to a virtual appliance, but adding a more specific route for 10.20.4.0/24 with a next hop of the virtual network gateway (VPN gateway) overrides the default route for that subnet, directing traffic to 10.20.4.12 through the VPN gateway.

Exam trap

The trap here is that candidates confuse NSG rules with routing decisions, thinking that allowing traffic in an NSG will change the path it takes, when in fact NSGs only filter traffic and do not influence the next hop.

How to eliminate wrong answers

Option A is wrong because network security group (NSG) rules control inbound and outbound traffic filtering (allow/deny based on IP, port, protocol), not routing decisions; they cannot change the path traffic takes. Option C is wrong because UDR priority is based on prefix length (more specific prefix wins), not a numeric priority value; increasing the priority of the 0.0.0.0/0 route does not affect its preference over a more specific route. Option D is wrong because removing the VPN gateway association from the virtual network would break all VPN connectivity, not just the traffic to 10.20.4.12, and does not solve the routing requirement.

281
MCQmedium

A contractor needs temporary access to upload and download files in only one blob container for 8 hours. You do not want to share the storage account key, and you want to revoke access later without affecting other containers. What should you create?

A.A storage account access key, because it can be limited to one container by policy.
B.A container-level SAS token backed by a stored access policy, so you can limit and revoke access.
C.Anonymous public access on the container, because it is the easiest way to time-limit access.
D.Azure RBAC on the storage account only, because RBAC automatically expires after a few hours.
AnswerB

A container-level SAS with a stored access policy is ideal for temporary access to one container. It avoids sharing the account key, limits permissions and lifetime to exactly what is needed, and gives you a revocation point through the stored access policy. That combination is safer than broad key-based access and more operationally flexible than changing account-wide settings.

Why this answer

A container-level SAS token backed by a stored access policy is the correct solution because it allows you to grant temporary, scoped access to a single blob container without exposing the storage account key. The stored access policy enables you to revoke the SAS token at any time by modifying or deleting the policy, which immediately invalidates all tokens associated with it, without affecting other containers.

Exam trap

The trap here is that candidates often confuse a container-level SAS with a stored access policy, thinking a SAS alone provides revocability, but without a stored access policy, a SAS token cannot be revoked before its expiry time.

How to eliminate wrong answers

Option A is wrong because a storage account access key grants full administrative access to the entire storage account, cannot be scoped to a single container, and cannot be revoked without regenerating the key (which affects all containers). Option C is wrong because anonymous public access allows anyone to read blobs without authentication, cannot enforce time-limited access for uploads, and cannot be revoked granularly without disabling public access entirely. Option D is wrong because Azure RBAC on the storage account does not automatically expire after a few hours; RBAC assignments persist until explicitly removed, and they apply to the entire storage account or container level only with proper scope, but they cannot provide time-bound access without additional tooling like Azure AD PIM.

282
Multi-Selecteasy

Finance, HR, and Engineering each have their own subscriptions, and one production resource group must not be deleted by mistake. Which two Azure features should be used? Select two.

Select 2 answers
A.Create a management group for the subscriptions.
B.Apply a CanNotDelete lock to the production resource group.
C.Assign Reader to everyone in the company.
D.Use a distribution list for the subscriptions.
E.Move the resource group into a different region.
AnswersA, B

Management groups are designed to organize subscriptions above the subscription level. They help apply consistent governance to groups of subscriptions such as Finance, HR, and Engineering.

Why this answer

Option A is correct because a management group allows you to centrally manage governance, policy, and compliance across multiple Azure subscriptions. By placing the Finance, HR, and Engineering subscriptions under a single management group, you can apply Azure Policy or RBAC assignments that affect all subscriptions, ensuring consistent governance without needing to configure each subscription individually.

Exam trap

The trap here is that candidates often confuse RBAC roles (like Reader) with resource locks, thinking that restricting permissions alone prevents deletion, but locks are required to explicitly block delete operations regardless of permissions.

283
Multi-Selectmedium

Three application VMs in separate resource groups must use the same identity to read a configuration endpoint. The identity must keep working if any one VM is deleted and later recreated. Which three actions should the administrator take? Select three.

Select 3 answers
A.Create a user-assigned managed identity that can exist independently of any single VM.
B.Attach the same user-assigned managed identity to each of the three VMs.
C.Grant the user-assigned identity the minimum required RBAC role on the target configuration endpoint.
D.Use a system-assigned managed identity on only one VM and copy its access token to the other two VMs.
E.Store one application password locally on each VM and use it instead of Azure-managed identities.
AnswersA, B, C

A user-assigned managed identity has its own lifecycle and is not deleted when a VM is removed. That makes it the correct choice when multiple VMs need the same identity and the identity must survive VM recreation.

Why this answer

A user-assigned managed identity is an Azure resource that exists independently of any VM, unlike a system-assigned identity which is tied to the VM lifecycle. This independence ensures the identity persists even when a VM is deleted and recreated, maintaining continuous access to the configuration endpoint. By creating a user-assigned managed identity, the administrator decouples the identity from any single VM, satisfying the requirement that the identity must keep working after VM deletion and recreation.

Exam trap

The trap here is that candidates often confuse user-assigned and system-assigned managed identities, incorrectly assuming that a system-assigned identity can be shared across VMs or that its access token can be copied, when in fact system-assigned identities are per-resource and cannot survive resource deletion.

284
MCQmedium

A storage account must be accessible only from one virtual network, and the storage service must have a private IP address inside that network. Public network access should be disabled. Which solution should the administrator use?

A.Add a storage firewall rule that allows the subnet's public IP range
B.Configure a service endpoint for the subnet and keep public access enabled
C.Create a private endpoint for the storage account in the virtual network
D.Peer the virtual network to the storage account's region
AnswerC

A private endpoint gives the storage account a private IP address in the VNet and supports disabling public access.

Why this answer

Option C is correct because a private endpoint assigns the storage account a private IP address from the virtual network's address space, using Azure Private Link to route traffic entirely over the Microsoft backbone. This ensures the storage account is accessible only from that virtual network and allows public network access to be disabled, meeting both requirements.

Exam trap

The trap here is confusing service endpoints (which still leave the public endpoint enabled and only provide source-side filtering) with private endpoints (which provide a private IP and fully disable public access).

How to eliminate wrong answers

Option A is wrong because adding a storage firewall rule for the subnet's public IP range does not give the storage account a private IP address; it only restricts access to traffic from that public IP range, and the storage account still has a public endpoint. Option B is wrong because configuring a service endpoint keeps the storage account's public endpoint enabled and does not provide a private IP address; it only allows traffic from the subnet to be routed via the Azure backbone, but public access remains. Option D is wrong because VNet peering connects virtual networks, not a storage account to a virtual network; storage accounts are not peered, and this does not assign a private IP or disable public access.

285
MCQmedium

A hub VNet already has a VPN gateway connected to on-premises. A new spoke VNet must reach on-premises through the hub gateway and should not deploy its own gateway. What configuration should be enabled on the peering?

A.Enable gateway transit on the hub peering and Use remote gateways on the spoke peering.
B.Create a service endpoint from the spoke to the hub.
C.Add a default route to Internet in the spoke subnet.
D.Enable accelerated networking on the spoke subnet.
AnswerA

This is the correct hub-and-spoke configuration when only the hub should own the VPN gateway. Gateway transit allows the hub to share its gateway with peered VNets, and the spoke must be configured to use the remote gateway. Together, these settings let the spoke route on-premises traffic through the hub gateway without deploying another gateway or duplicating connectivity infrastructure.

Why this answer

Option A is correct because enabling 'Use remote gateways' on the spoke VNet peering and 'Allow gateway transit' on the hub VNet peering allows the spoke VNet to route traffic to on-premises through the hub's VPN gateway without deploying its own gateway. This configuration leverages BGP routes (if the VPN gateway is route-based) to propagate on-premises prefixes to the spoke, enabling transitive routing across the peering.

Exam trap

The trap here is that candidates often confuse 'gateway transit' with simply enabling peering, forgetting that both the hub's 'Allow gateway transit' and the spoke's 'Use remote gateways' must be explicitly set, and that the spoke cannot have its own gateway (otherwise the setting is blocked).

How to eliminate wrong answers

Option B is wrong because a service endpoint provides private connectivity to Azure PaaS services (e.g., Azure Storage) via the Azure backbone, not to on-premises networks through a VPN gateway. Option C is wrong because adding a default route (0.0.0.0/0) to the spoke subnet would force all internet-bound traffic through that route, but it does not enable connectivity to on-premises via the hub gateway; it would likely break routing unless properly configured with a next hop to the hub. Option D is wrong because accelerated networking improves network performance (SR-IOV) for VMs, but it has no role in enabling transitive routing or gateway transit between peered VNets.

286
MCQmedium

A subnet has an NSG with these inbound rules: priority 200 DenyAllInbound and priority 300 AllowHTTPSFromInternet. A VM in the subnet is still unreachable on TCP 443 from the internet. What should you do to make HTTPS work while keeping the deny rule in place?

A.Move the allow HTTPS rule to a lower priority number such as 100 so it is evaluated before the deny rule.
B.Create the same allow rule on the NIC-level NSG at priority 300 and leave the subnet NSG unchanged.
C.Change the deny rule to protocol Any and keep the same priority so Azure evaluates the allow rule first.
D.Add a route table entry for TCP 443 traffic so Azure sends it directly to the VM.
AnswerA

NSG rules are processed in order of priority, and the lowest number wins. Because the deny rule at 200 is evaluated before the allow rule at 300, HTTPS is blocked. Moving the allow rule to a lower priority number lets it match first while keeping the deny rule for all other inbound traffic.

Why this answer

Option A is correct because NSG rules are evaluated in priority order, with lower numbers evaluated first. Moving the allow HTTPS rule to priority 100 ensures it is processed before the DenyAllInbound rule at priority 200, allowing TCP 443 traffic from the internet while the deny rule remains in place for all other inbound traffic.

Exam trap

The trap here is that candidates often think NSG rules are evaluated based on specificity (e.g., more specific rules override broader ones) rather than strictly by priority number, leading them to believe a higher-priority allow rule can override a lower-priority deny rule.

How to eliminate wrong answers

Option B is wrong because NIC-level NSG rules are evaluated after subnet-level NSG rules; if the subnet NSG denies all inbound traffic, the NIC-level allow rule will never be reached. Option C is wrong because changing the deny rule to protocol Any does not affect evaluation order—Azure always evaluates rules by priority number, not by protocol specificity; the deny rule at priority 200 will still block HTTPS before the allow rule at priority 300 is evaluated. Option D is wrong because route tables control traffic routing, not traffic filtering; a route table entry cannot bypass NSG rules, which are stateful firewall rules that must explicitly allow traffic.

287
MCQmedium

Based on the exhibit, the help desk team must be able to restart virtual machines in RG-App, but they must not be able to create, delete, or resize VMs. What is the best action?

A.Assign Virtual Machine Contributor to HelpDeskGroup at the subscription scope.
B.Assign Contributor to HelpDeskGroup at RG-App.
C.Create a custom RBAC role that allows VM start, restart, and deallocate actions, then assign it at RG-App.
D.Assign Owner to HelpDeskGroup at RG-App and use Azure Policy to block unwanted changes.
AnswerC

A custom role is the best fit when no built-in role is narrow enough. Assigning it at the resource group scope limits the permission to RG-App, while the role itself can be restricted to only the VM operational actions that the help desk needs.

Why this answer

Option C is correct because the help desk team needs only specific actions (start, restart, deallocate) without the ability to create, delete, or resize VMs. The built-in Virtual Machine Contributor role includes write permissions that allow creating and deleting VMs, so a custom RBAC role that explicitly grants only the required actions (Microsoft.Compute/virtualMachines/start/action, restart/action, deallocate/action) and is assigned at the RG-App scope meets the requirement precisely.

Exam trap

The trap here is that candidates often assume the built-in Virtual Machine Contributor role is the correct choice because it sounds restrictive, but it actually includes write permissions that allow VM creation and deletion, making a custom role necessary for the exact set of actions required.

How to eliminate wrong answers

Option A is wrong because assigning Virtual Machine Contributor at the subscription scope grants permissions to create, delete, and resize VMs across all resource groups, which violates the requirement to prevent those actions. Option B is wrong because the Contributor role at RG-App includes full write access to all resources in the resource group, allowing VM creation, deletion, and resizing. Option D is wrong because assigning Owner at RG-App grants full control, including the ability to modify or remove Azure Policy assignments, and using Azure Policy to block changes is an indirect, less reliable approach that can be bypassed by users with Owner permissions.

288
Multi-Selectmedium

An operations team must be able to restart virtual machines in one resource group. They must not create, delete, resize, or change disks or networking. Which two actions should the administrator take? Select two.

Select 2 answers
A.Create a custom RBAC role that includes only read and restart actions for virtual machines.
B.Assign the Virtual Machine Contributor role to the operations group.
C.Assign the custom role to the operations group at the resource group scope.
D.Create an Azure Policy assignment that denies VM creation in the resource group.
E.Apply a ReadOnly lock to the resource group.
AnswersA, C

A custom role lets the administrator grant only the exact VM actions needed. Including read and restart permissions satisfies the task without giving broader management capabilities.

Why this answer

Option A is correct because a custom RBAC role can be defined to include only the 'Microsoft.Compute/virtualMachines/read' and 'Microsoft.Compute/virtualMachines/restart/action' permissions, which precisely limits the operations team to reading and restarting VMs without allowing create, delete, resize, or disk/network changes. This aligns with the principle of least privilege.

Exam trap

The trap here is that candidates often confuse Azure Policy (which enforces compliance rules) with RBAC (which controls permissions), or mistakenly think a ReadOnly lock still allows restart actions, not realizing that restart is a write operation in the Azure Resource Manager.

289
MCQmedium

A VM subnet has an NSG with these custom rules: - Inbound priority 100: Allow TCP 443 from Internet - Outbound priority 100: Deny Any to Internet The VM hosts an app that must download updates from an HTTPS repository on the Internet. The downloads fail. What change should be made?

A.Add another inbound allow rule for TCP 443 from the repository address.
B.Add an outbound allow rule for TCP 443 to Internet or the repository service tag.
C.Change the inbound allow rule to priority 50.
D.Remove the VM's public IP address.
AnswerB

The VM is initiating outbound HTTPS sessions, so the outbound direction must permit TCP 443. Because a deny-all outbound rule is blocking traffic to Internet, the fix is to add a higher-priority outbound allow rule that matches the repository destination, such as Internet or a specific service tag. Inbound HTTPS rules do not help traffic leaving the VM.

Why this answer

The VM's outbound traffic is blocked by the default outbound deny rule (priority 100). Since the app needs to download updates from an HTTPS repository (TCP 443), an outbound allow rule for TCP 443 to the Internet or the repository service tag is required. Inbound rules do not affect outbound traffic, so the existing inbound allow rule is irrelevant to the download failure.

Exam trap

The trap here is that candidates often focus on inbound rules because the NSG has an inbound allow rule, but the real issue is that outbound traffic is explicitly denied, and they forget that NSGs are stateful only for traffic that matches an allow rule, not for all traffic.

How to eliminate wrong answers

Option A is wrong because inbound rules control traffic entering the VM, not traffic leaving it; the download failure is due to blocked outbound traffic, so adding another inbound rule does not help. Option C is wrong because changing the priority of the inbound rule does not affect outbound traffic; the outbound deny rule remains in effect. Option D is wrong because removing the VM's public IP address would prevent any inbound or outbound Internet connectivity, making the problem worse, and the issue is specifically about outbound traffic being denied.

290
MCQmedium

Based on the exhibit, a user deleted one file from a Windows Azure VM. The VM is still running, and the administrator wants to restore only that file instead of recovering the full machine. Which restore approach should be used?

A.Use the VM restore option and overwrite the entire VM.
B.Mount the recovery point and copy the file back to the VM.
C.Increase the VM size and redeploy the workload.
D.Enable a diagnostic setting on the VM and recover the file from logs.
AnswerB

Azure Backup supports file-level recovery by mounting the recovery point so you can browse the backup content and copy back only the missing file. This minimizes impact and avoids replacing the entire VM.

Why this answer

Option B is correct because Azure VM backup allows you to mount a recovery point as a disk on another VM or the same VM, enabling file-level restore without overwriting the entire VM. This approach uses the 'File Recovery' feature of Azure Backup, which presents the recovery point as an iSCSI target that can be mounted and browsed to copy individual files back to the running VM.

Exam trap

The trap here is that candidates may assume file-level recovery requires restoring the entire VM (Option A) or confuse diagnostic logs with backup data (Option D), not realizing that Azure Backup's mount-and-copy feature is specifically designed for granular file recovery from a running VM.

How to eliminate wrong answers

Option A is wrong because using the VM restore option to overwrite the entire VM would replace the current VM state, causing data loss of any changes made after the backup point, and is unnecessary for a single file recovery. Option C is wrong because increasing the VM size and redeploying the workload does not restore any deleted files; it only changes the VM's SKU and potentially reallocates resources, with no impact on file recovery. Option D is wrong because diagnostic settings on a VM capture metrics and logs (e.g., boot diagnostics, performance counters) but do not store file contents; they cannot be used to recover a deleted file.

291
MCQmedium

A web tier and an app tier run in separate subnets. Each VM NIC is placed in an application security group named WebASG or AppASG. The administrator must allow only the web tier to reach the app tier on TCP port 8443 and block all other inbound traffic to the app tier. Which NSG rule should be created on the app subnet?

A.Allow TCP 8443 from WebASG to AppASG with a priority lower number than the deny rule.
B.Allow TCP 8443 from the entire virtual network to the app subnet with a lower priority than the deny rule.
C.Allow UDP 8443 from WebASG to AppASG with any priority below 65000.
D.Allow TCP 8443 from WebASG to AppASG with a priority higher number than the deny rule.
AnswerA

This is the most precise approach because it targets the source and destination groups instead of broad IP ranges. The rule must use a lower priority number than the deny-all rule so it is evaluated first. That lets only the web tier reach the app tier on TCP 8443 while preserving the block on all other inbound traffic.

Why this answer

Option A is correct because NSG rules are evaluated in priority order, with lower numbers having higher priority. By placing an Allow rule for TCP 8443 from WebASG to AppASG with a lower priority number than a subsequent Deny-All rule, only traffic from the web tier is permitted, and all other inbound traffic to the app subnet is blocked. This leverages application security groups (ASGs) to define fine-grained, role-based network security policies without relying on IP addresses.

Exam trap

The trap here is that candidates often confuse priority numbering—thinking a higher number means higher priority—or mistakenly assume that allowing traffic from the entire virtual network is sufficient, overlooking the need to restrict the source to only the web tier via ASGs.

How to eliminate wrong answers

Option B is wrong because allowing TCP 8443 from the entire virtual network would permit traffic from any subnet (including the app subnet itself and any other subnets), not just the web tier, violating the requirement to restrict access solely to the web tier. Option C is wrong because the requirement specifies TCP port 8443, not UDP; using UDP would not match the intended protocol and would fail to allow the required traffic. Option D is wrong because a priority with a higher number (lower priority) than the deny rule means the deny rule would be evaluated first, blocking all traffic including the desired web-to-app traffic before the allow rule is ever considered.

292
MCQmedium

You need to prevent accidental deletion of a production resource group while still allowing administrators to update resources inside it. What should you apply to the resource group?

A.A ReadOnly lock
B.A CanNotDelete lock
C.A deny assignment
D.A budget alert
AnswerB

A CanNotDelete lock prevents accidental deletion while still allowing updates.

Why this answer

A CanNotDelete lock (B) prevents the resource group from being deleted while still allowing all operations (including updates) on resources within it. This is the correct choice because the requirement is to block accidental deletion of the entire resource group, not to restrict modifications to its resources.

Exam trap

The trap here is that candidates often confuse a ReadOnly lock with a CanNotDelete lock, assuming that preventing deletion requires a more restrictive lock, but the correct lock is the one that specifically targets deletion only.

How to eliminate wrong answers

Option A is wrong because a ReadOnly lock prevents both deletion and modification of resources, which would block administrators from updating resources inside the group. Option C is wrong because a deny assignment is used with Azure Blueprints or managed applications to explicitly deny specific actions via RBAC, not to prevent deletion of a resource group while allowing updates. Option D is wrong because a budget alert only sends notifications when spending exceeds a threshold; it does not enforce any deletion prevention.

293
Multi-Selectmedium

An operations team needs to know when Azure marks a storage account unavailable because of a regional platform issue, and they also want to detect abnormal service latency on the account itself. Which two alerting approaches should they configure? Select two.

Select 2 answers
A.Create a Resource Health alert for the storage account.
B.Create a metric alert for storage availability or latency on the account.
C.Create an Activity Log alert for every blob write.
D.Send a workbook link in an action group instead of an alert.
E.Turn on Azure Policy compliance scanning for the storage account.
AnswersA, B

Resource Health alerts report when Azure considers the resource unhealthy due to a platform or regional issue.

Why this answer

Option A is correct because a Resource Health alert monitors the health of the storage account from the Azure platform's perspective, triggering when Azure marks the resource as unavailable due to a regional platform issue (e.g., an outage or degradation). This directly addresses the requirement to know when the account is marked unavailable.

Exam trap

The trap here is that candidates may confuse Activity Log alerts (which track control-plane operations) with metric or health alerts (which track data-plane performance and availability), leading them to select option C for monitoring latency or unavailability.

294
MCQmedium

Based on the exhibit, a subscription activity log is already being sent to Log Analytics. The operations team wants an alert that fires when any resource group is deleted, but it should ignore deletions performed by a known automation account. Which approach should the administrator use?

A.Create a metric alert on CPU percentage for the subscription.
B.Create a log alert using the AzureActivity table and filter out the automation caller.
C.Enable a diagnostic setting on the resource group object.
D.Apply an Azure Policy deny assignment to all deletions.
AnswerB

The deletion event is captured in the AzureActivity table, and the alert should evaluate a KQL query that excludes the known automation account. That provides precise log-based alerting for administrative operations.

Why this answer

Option B is correct because the AzureActivity table in Log Analytics captures all control-plane operations, including resource group deletions. By creating a log alert query that filters on OperationNameValue='MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE' and excludes Caller where it matches the automation account's service principal or object ID, the alert triggers only for non-automation deletions. This approach leverages the existing activity log stream to Log Analytics without additional configuration.

Exam trap

The trap here is that candidates may think a diagnostic setting on the resource group is needed to capture deletion events, but the activity log is already streaming at the subscription level and includes all resource group operations, making the additional setting redundant and incorrect.

How to eliminate wrong answers

Option A is wrong because a metric alert on CPU percentage monitors performance metrics, not control-plane operations like resource group deletions, and cannot filter by caller identity. Option C is wrong because enabling a diagnostic setting on the resource group object streams resource-level logs (e.g., metrics or resource-specific logs) but does not capture the subscription-level activity log events needed to detect deletions; the activity log is already being sent to Log Analytics at the subscription scope. Option D is wrong because an Azure Policy deny assignment prevents deletions from occurring entirely, which would block legitimate automation deletions that the team wants to allow, and it does not provide alerting functionality.

295
MCQmedium

You need to receive an email when average CPU usage on VM-App01 exceeds 85 percent for 10 minutes. Which Azure Monitor components should you configure?

A.A metric alert and an action group
B.A resource lock and Azure Advisor
C.An activity log alert only
D.A budget alert
AnswerA

This combination detects the threshold breach and sends the notification.

Why this answer

A metric alert monitors a specific Azure resource metric (like CPU percentage) and triggers when a condition (e.g., average > 85%) is met over a specified evaluation period (e.g., 10 minutes). An action group defines the notification actions (e.g., sending an email) when the alert fires. Together, they fulfill the requirement to receive an email based on a performance threshold.

Exam trap

The trap here is confusing metric alerts (for performance metrics) with activity log alerts (for management events) or budget alerts (for cost), leading candidates to pick an option that monitors the wrong type of data.

How to eliminate wrong answers

Option B is wrong because a resource lock prevents accidental deletion or modification of resources, and Azure Advisor provides best-practice recommendations; neither monitors CPU usage or sends email alerts. Option C is wrong because an activity log alert only triggers on Azure management events (e.g., VM creation, restart), not on performance metrics like CPU usage. Option D is wrong because a budget alert monitors Azure spending against cost thresholds, not resource performance metrics.

296
MCQmedium

Exhibit: A network engineer wants a subscription-based mechanism to stream operational updates from devices as values change, instead of polling over and over. Which approach best fits?

A.Model-driven telemetry
B.TFTP backup
C.Port security sticky learning
D.VTP pruning
AnswerA

Telemetry streaming is built for near-real-time updates without constant polling.

Why this answer

Model-driven telemetry uses a subscription-based push model to stream operational data from network devices to a collector as values change, eliminating the need for repeated polling. This approach reduces bandwidth and CPU overhead by delivering only relevant updates in real time, which aligns with the requirement for a subscription-based mechanism.

Exam trap

The trap here is that candidates may confuse TFTP backup with a streaming mechanism because both involve data transfer, but TFTP is a pull-based file transfer protocol, not a subscription-based push model for operational updates.

How to eliminate wrong answers

Option B is wrong because TFTP backup is a file transfer protocol used for backing up configuration files or images, not for streaming operational updates. Option C is wrong because port security sticky learning is a switch feature that dynamically learns and secures MAC addresses on a port, unrelated to streaming telemetry. Option D is wrong because VTP pruning is a VLAN Trunking Protocol feature that reduces unnecessary broadcast traffic on trunk links, not a mechanism for streaming operational data.

297
MCQmedium

In Log Analytics, you want an alert that fires if VM01 has not sent a Heartbeat record in the last 15 minutes. Which query should be used as the alert condition?

A.Heartbeat | where Computer == "VM01" | summarize LastHeartbeat = max(TimeGenerated) | where LastHeartbeat > ago(15m)
B.Heartbeat | where Computer == "VM01" | summarize LastHeartbeat = max(TimeGenerated) | where LastHeartbeat < ago(15m)
C.Heartbeat | where Computer == "VM01" and TimeGenerated > ago(15m) | summarize count() by Computer
D.Heartbeat | where Computer == "VM01" | summarize count() by bin(TimeGenerated, 15m)
AnswerB

This query finds the most recent heartbeat for VM01 and compares it to the 15-minute threshold. If the latest heartbeat is older than that, the query returns a result that can be used to trigger an alert. That directly matches the requirement to detect when the VM has stopped reporting heartbeats.

Why this answer

Option B is correct because the alert must fire when VM01 has *not* sent a Heartbeat in the last 15 minutes. The query uses `max(TimeGenerated)` to find the most recent heartbeat, then filters with `where LastHeartbeat < ago(15m)` to detect records older than 15 minutes. This condition evaluates to true when the last heartbeat is older than the threshold, triggering the alert.

Exam trap

The trap here is that candidates often confuse the comparison operator, choosing `>` (greater than) instead of `<` (less than), because they mistakenly think 'last heartbeat > 15 minutes ago' means it happened more than 15 minutes ago, when in fact `ago(15m)` returns a timestamp 15 minutes in the past, and a heartbeat older than that has a *smaller* timestamp value.

How to eliminate wrong answers

Option A is wrong because it uses `where LastHeartbeat > ago(15m)`, which fires when the last heartbeat is *within* the last 15 minutes — the opposite of the desired condition. Option C is wrong because it checks for heartbeats *within* the last 15 minutes and then counts them; a count of zero would not fire the alert (Log Analytics alerts on non-zero results by default), and it fails to detect the absence of a heartbeat. Option D is wrong because it counts heartbeats in 15-minute bins but does not compare against a time threshold; it would always return a result for the current bin, even if VM01 has not sent a heartbeat, and does not evaluate the absence condition.

298
Multi-Selecthard

A user deleted a file from an Azure VM, and the administrator wants to use Azure Backup file-level recovery rather than restore the whole VM. Which two prerequisites are required before mounting the recovery point from the portal? Select two.

Select 2 answers
A.Download the vault credentials file
B.Select the appropriate recovery point
C.Provide the storage account access key
D.Assign a public IP address to the VM
E.Create an Azure AD application secret
AnswersA, B

Vault credentials authenticate the temporary mount process used for file-level recovery.

Why this answer

Option A is correct because vault credentials are required to authenticate the portal session to the Recovery Services vault when performing file-level recovery. Option B is correct because you must select a specific recovery point (snapshot) from which to mount the files; the portal uses this point to create an iSCSI target on the VM.

Exam trap

The trap here is that candidates often confuse file-level recovery with restoring a VM from a storage account snapshot, leading them to think a storage account key is needed, when in fact the iSCSI mount uses vault credentials and the Backup service's managed identity.

299
MCQmedium

You need to create a storage account that provides the lowest-cost redundant storage for non-critical data and only needs protection against local disk or server failure within a single datacenter. Which redundancy option should you choose?

A.LRS
B.ZRS
C.GRS
D.GZRS
AnswerA

LRS provides redundancy within a single datacenter at the lowest cost.

Why this answer

A is correct because Locally Redundant Storage (LRS) replicates data three times within a single datacenter in the same region, protecting against local disk or server failures. It is the lowest-cost redundancy option, making it ideal for non-critical data that does not require protection against zone- or region-level outages.

Exam trap

The trap here is that candidates may choose ZRS or GRS thinking they need 'redundancy' without realizing the question specifically limits the scope to local failures within a single datacenter, making LRS the cheapest and sufficient option.

How to eliminate wrong answers

Option B (ZRS) is wrong because it replicates data synchronously across three Azure availability zones within a region, providing higher durability than needed for single-datacenter protection and at a higher cost. Option C (GRS) is wrong because it includes LRS within the primary region plus asynchronous replication to a secondary region, offering region-level disaster recovery at significantly higher cost. Option D (GZRS) is wrong because it combines ZRS in the primary region with asynchronous replication to a secondary region, providing the highest durability and cost, far exceeding the requirement for local disk or server failure protection.

300
MCQhard

A shared resource group contains a VM and a storage account used by payroll. Administrators still need to modify configuration and apply patches, but accidental deletion of either resource must be prevented. What should the administrator apply?

A.A ReadOnly lock on the entire resource group.
B.A CanNotDelete lock on each resource.
C.A policy assignment that denies delete operations on the resource group.
D.A management group with a deny assignment.
AnswerB

CanNotDelete prevents deletion while still allowing updates, and applying it per resource limits collateral impact.

Why this answer

Option B is correct because a CanNotDelete lock prevents the deletion of a resource while still allowing all other operations, including configuration modifications and patching. This meets the requirement of protecting the VM and storage account from accidental deletion while preserving administrative access for updates.

Exam trap

The trap here is that candidates often confuse resource locks with Azure Policy or RBAC, mistakenly thinking a policy or role assignment at the resource group scope will protect individual resources, when in fact locks must be applied directly to each resource to prevent its deletion.

How to eliminate wrong answers

Option A is wrong because a ReadOnly lock prevents all write operations, including configuration changes and patching, which violates the requirement that administrators must still be able to modify configuration and apply patches. Option C is wrong because a policy assignment that denies delete operations on the resource group would block deletion of the resource group itself, but it does not prevent deletion of individual resources within the group; Azure Policy evaluates at the resource level only if the policy definition explicitly targets resource types, and a simple deny on the resource group does not cascade to resources. Option D is wrong because a management group with a deny assignment applies at a higher scope (multiple subscriptions) and is overly broad; it would affect all resources under that management group, not just the specific shared resource group, and it does not provide the granular per-resource protection needed here.

Page 3

Page 4 of 16

Page 5