AZ-104 (AZ-104) — Questions 301375

1170 questions total · 16pages · All types, answers revealed

Page 4

Page 5 of 16

Page 6
301
MCQeasy

You need to assign the same RBAC role to 15 administrators so they can manage backups for several virtual machines. You want to minimize ongoing administrative effort when membership changes. What should you use?

A.A Microsoft Entra group and a single role assignment to the group.
B.A separate custom role assignment for each administrator.
C.A resource lock on every virtual machine.
D.A policy exemption for the administrators.
AnswerA

This is the most scalable and maintainable approach.

Why this answer

Option A is correct because assigning a single RBAC role to a Microsoft Entra group allows you to manage permissions centrally. When membership changes, you only need to add or remove users from the group, and the role assignment automatically applies to the new members. This minimizes ongoing administrative effort compared to managing individual role assignments.

Exam trap

The trap here is confusing resource locks (which prevent changes) with RBAC role assignments (which grant permissions), leading candidates to incorrectly select option C as a way to control access.

How to eliminate wrong answers

Option B is wrong because creating a separate custom role assignment for each administrator increases administrative overhead; any membership change requires modifying each individual assignment, which is inefficient and error-prone. Option C is wrong because a resource lock prevents accidental deletion or modification of resources but does not grant permissions to manage backups; it is a protection mechanism, not an authorization mechanism. Option D is wrong because a policy exemption allows certain resources to be excluded from Azure Policy compliance evaluation; it does not assign RBAC roles or grant permissions to manage backups.

302
MCQmedium

A reporting system requires a storage account that is zone resilient in the primary region and also keeps a geo-replicated secondary copy that can be read during an outage. Which redundancy option should you select?

A.ZRS, because it protects against zone failure and also provides a readable secondary region.
B.GRS, because it stores a secondary copy in another region but does not offer zone redundancy in the primary region.
C.RA-GZRS, because it combines zone redundancy, geo-replication, and read access to the secondary region.
D.LRS, because local replication is enough when the workload already has application-level retries.
AnswerC

RA-GZRS provides the strongest fit for this scenario. It combines synchronous zone redundancy in the primary region with asynchronous geo-replication to a secondary region, and it allows read access to that secondary copy. That combination meets both the availability and reporting requirements described in the question.

Why this answer

RA-GZRS (Read-Access Geo-Zone-Redundant Storage) is the correct choice because it provides synchronous replication across three Azure availability zones in the primary region for zone resilience, asynchronous geo-replication to a secondary region for disaster recovery, and enables read access to the secondary copy during an outage. This meets all three requirements: zone resiliency, geo-replication, and readable secondary region.

Exam trap

The trap here is that candidates often confuse GRS with RA-GZRS, overlooking that GRS lacks zone redundancy in the primary region and does not provide read access to the secondary copy unless explicitly enabled via RA-GRS or RA-GZRS.

How to eliminate wrong answers

Option A is wrong because ZRS (Zone-Redundant Storage) only replicates data synchronously across availability zones in the primary region and does not provide geo-replication or a readable secondary region. Option B is wrong because GRS (Geo-Redundant Storage) provides geo-replication to a secondary region but does not offer zone redundancy in the primary region; it uses LRS locally. Option D is wrong because LRS (Locally Redundant Storage) replicates data three times within a single datacenter, offering no zone resilience, no geo-replication, and no readable secondary copy, making it unsuitable for the stated requirements.

303
MCQeasy

Based on the exhibit, HTTPS traffic from the admin workstation is still being blocked. What change should the administrator make?

A.Delete the Deny-All-Inbound rule.
B.Change Allow-HTTPS-Admin to priority 100.
C.Change Allow-HTTPS-Admin protocol from TCP to Any.
D.Move the allow rule to outbound traffic.
AnswerB

NSG rules are evaluated from the lowest priority number to the highest. In the exhibit, the deny rule at priority 200 is matched before the allow rule at 250, so traffic is blocked. Moving the admin allow rule to a lower number such as 100 makes it evaluate first and permits the HTTPS test traffic.

Why this answer

The Deny-All-Inbound rule has a default priority of 65000, which is higher (lower priority) than the Allow-HTTPS-Admin rule at priority 200. Since Azure Network Security Group (NSG) rules are evaluated in priority order (lowest number = highest priority), the Deny-All-Inbound rule is evaluated first and blocks all traffic, including HTTPS from the admin workstation. By changing Allow-HTTPS-Admin to priority 100, it will be evaluated before the Deny-All-Inbound rule, allowing HTTPS traffic to pass.

Exam trap

The trap here is that candidates often think deleting the deny rule is the solution, but the real issue is the priority order of rules in an NSG, not the existence of the deny rule itself.

How to eliminate wrong answers

Option A is wrong because deleting the Deny-All-Inbound rule would remove the default security boundary, exposing the resource to all inbound traffic, which is not a best practice and does not address the priority ordering issue. Option C is wrong because changing the protocol from TCP to Any would not resolve the blocking issue; the problem is the rule evaluation order, not the protocol specificity, and HTTPS requires TCP port 443. Option D is wrong because moving the allow rule to outbound traffic would not affect inbound HTTPS traffic; inbound and outbound rules are separate, and the blocking occurs on the inbound path.

304
MCQmedium

Based on the exhibit, the production resource group must not be deleted during a change freeze, but administrators still need to update VM sizes and tag values. Which lock should you apply?

A.Apply a ReadOnly lock to RG-Prod.
B.Apply a CanNotDelete lock to RG-Prod.
C.Apply a lock to the subscription instead of the resource group.
D.Use Azure Policy with a deny effect to block deletes.
AnswerB

CanNotDelete is designed to stop deletion while still allowing normal read and write operations. That fits a freeze where the team wants to prevent accidental removal but continue making approved changes.

Why this answer

A CanNotDelete lock (B) prevents deletion of the resource group while allowing all other operations, including updating VM sizes and modifying tag values. This meets the requirement of blocking deletion during a change freeze without restricting administrative updates.

Exam trap

The trap here is that candidates often confuse ReadOnly locks with CanNotDelete locks, assuming that any lock will prevent updates, when in fact ReadOnly locks block all write operations while CanNotDelete locks only block deletion.

How to eliminate wrong answers

Option A is wrong because a ReadOnly lock prevents all write operations, including updating VM sizes and tags, which violates the requirement that administrators need to perform these updates. Option C is wrong because applying a lock to the subscription would affect all resource groups within it, unnecessarily restricting other resource groups that may need to be deleted or modified. Option D is wrong because Azure Policy with a deny effect can block deletes but is more complex to configure and manage than a simple resource lock, and it does not provide the same straightforward, scope-specific protection against deletion as a CanNotDelete lock.

305
MCQhard

A team already has a metric alert on a production VM. The alert should continue evaluating 24/7, but email notifications must be sent only Monday through Friday from 08:00 to 18:00 local time. What should the administrator add or change?

A.Replace the metric alert with a diagnostic setting and store the data in Log Analytics.
B.Create an alert processing rule that suppresses notifications outside business hours.
C.Lower the alert threshold so fewer alerts occur during the week.
D.Use an autoscale profile instead of an alert rule.
AnswerB

An alert processing rule lets you control how alerts are handled without disabling the alert condition itself. That means the metric alert can keep evaluating continuously for history and state changes, while notifications are suppressed outside the approved business hours. This cleanly separates detection from delivery, which is exactly what the requirement describes.

Why this answer

Option B is correct because an alert processing rule (formerly action rule) can suppress notifications for a metric alert based on a schedule. By creating a rule with a suppression action that applies outside business hours (e.g., 18:00 to 08:00 and weekends), the alert continues to evaluate and fire, but email notifications are blocked during those times. This meets the requirement without altering the alert rule itself.

Exam trap

The trap here is that candidates confuse alert processing rules (which modify actions after an alert fires) with alert rules themselves, or incorrectly assume that changing thresholds or using diagnostic settings can control notification timing.

How to eliminate wrong answers

Option A is wrong because a diagnostic setting sends metrics and logs to Log Analytics for analysis, but it does not control notification timing; it replaces the alert with a storage pipeline, not a suppression mechanism. Option C is wrong because lowering the alert threshold reduces the sensitivity of the alert, which would change the evaluation criteria and potentially miss critical issues during business hours; it does not selectively suppress notifications. Option D is wrong because an autoscale profile scales resources based on load, not alert notifications; it is unrelated to email delivery schedules.

306
MCQhard

A compliance team wants to bundle three policy definitions—allowed locations, required cost center tags, and approved VM sizes—so they can assign them together to a management group and review compliance in one place. Later they want to exempt one pilot subscription from the entire set for 60 days. What should they use?

A.A policy initiative at the management group scope.
B.A custom RBAC role with resource permissions for policy management.
C.A resource lock on the pilot subscription.
D.A separate management group for each of the three policy definitions.
AnswerA

An initiative groups multiple policy definitions into one assignable unit and supports compliance tracking across them.

Why this answer

A policy initiative (also called a policy set) allows you to group multiple policy definitions into a single, reusable bundle. By assigning the initiative at the management group scope, all three policies apply together to every subscription under that group. When the pilot subscription needs an exemption, you can create an exemption resource on that subscription for the entire initiative, specifying a 60-day expiration, which temporarily excludes it from all bundled policies while keeping compliance reporting unified.

Exam trap

The trap here is that candidates often confuse policy exemptions with resource locks or RBAC roles, thinking that locking a subscription or assigning permissions can bypass policy evaluation, when in fact only a policy exemption (or an explicit deny assignment override) can exclude a scope from compliance enforcement for a defined period.

How to eliminate wrong answers

Option B is wrong because a custom RBAC role with resource permissions for policy management controls who can create or assign policies, but it does not bundle policy definitions or provide a mechanism to exempt a subscription from a set of policies. Option C is wrong because a resource lock prevents accidental deletion or modification of a subscription, but it does not exempt the subscription from policy compliance evaluation or allow a time-bound exclusion. Option D is wrong because creating a separate management group for each policy definition would fragment governance, require three separate assignments, and make it impossible to exempt all three policies from the pilot subscription with a single action.

307
MCQmedium

Backup protection was enabled on a new Azure VM, but every backup job fails immediately with a message indicating the guest agent is not ready. What should the administrator verify first?

A.That the Azure VM agent is installed, running, and up to date inside the guest operating system.
B.That the recovery vault uses GZRS storage redundancy.
C.That the VM has a private endpoint to the Recovery Services vault.
D.That a resource lock has not been applied to the VM.
AnswerA

Azure VM Backup depends on the VM agent to coordinate snapshot operations and communicate status back to Azure. If the portal reports that the guest agent is not ready, the first troubleshooting step is to verify that the agent exists, is running, and is current. Fixing the agent often resolves immediate backup failures without changing vault settings, policies, or storage configuration.

Why this answer

The Azure Backup extension requires the Azure VM agent to be installed, running, and up to date inside the guest OS to coordinate backup operations. When the agent is not ready, the backup job fails immediately because the extension cannot communicate with the VM to take snapshots. Verifying the agent's status is the first troubleshooting step before investigating network or configuration issues.

Exam trap

The trap here is that candidates may jump to network or vault configuration issues (like private endpoints or storage redundancy) when the error message explicitly points to the guest agent, which is a common first-check item in Azure Backup troubleshooting.

How to eliminate wrong answers

Option B is wrong because GZRS storage redundancy is a replication setting for the Recovery Services vault that affects data durability, not the guest agent readiness or backup job initiation. Option C is wrong because a private endpoint is used for secure network connectivity to the vault, but its absence does not cause an immediate 'guest agent not ready' error; that error is specific to the VM agent. Option D is wrong because a resource lock prevents deletion or modification of the VM, but it does not interfere with the guest agent's operational state or cause backup jobs to fail with an agent readiness message.

308
MCQmedium

During a change freeze, an administrator applies a lock to a resource group. Users can still read resource details, but attempts to update tags, resize a VM, or change an NSG fail. Which lock was applied?

A.CanNotDelete lock, because it blocks all updates but allows reading.
B.ReadOnly lock, because it blocks write operations while allowing read access.
C.Reader role assignment, because it removes edit permissions from the group.
D.Azure Policy audit assignment, because it reports changes without blocking them.
AnswerB

ReadOnly is the lock that allows users to view resources but prevents writes, including changes to tags, VM sizes, network rules, and many other configuration actions. This exactly matches the symptom described during a change freeze. It is a strong protection and should be used only when the organization truly wants to halt modifications.

Why this answer

The ReadOnly lock (option B) is correct because it explicitly blocks all write operations (including updates to tags, resizing a VM, or modifying an NSG) while allowing read operations. This matches the scenario where users can still read resource details but cannot perform any modifications.

Exam trap

The trap here is that candidates often confuse the CanNotDelete lock with blocking updates, when in fact it only prevents deletion, while the ReadOnly lock is the one that blocks all write operations including updates and modifications.

How to eliminate wrong answers

Option A is wrong because a CanNotDelete lock only prevents deletion of resources; it does not block updates to tags, resizing a VM, or changing an NSG. Option C is wrong because a Reader role assignment would remove all write permissions, but the scenario describes a lock applied to the resource group, not a role assignment; locks and role-based access control (RBAC) are separate governance mechanisms. Option D is wrong because an Azure Policy audit assignment only evaluates and reports compliance without actively blocking changes; it does not enforce a deny effect.

309
MCQmedium

Why is centralized logging especially useful during security investigations?

A.It makes related events from multiple devices easier to review and correlate.
B.It guarantees that attacks cannot succeed.
C.It replaces the need for authentication and authorization.
D.It forces all devices to use the same VLAN.
AnswerA

This is correct because centralized visibility is the main investigative benefit.

Why this answer

Centralized logging aggregates logs from multiple sources (e.g., firewalls, servers, Azure Network Watcher) into a single repository, such as Azure Log Analytics. During security investigations, this enables security analysts to correlate events across devices (e.g., matching a suspicious IP address in firewall logs with authentication failures in domain controller logs) without manually connecting to each device. This correlation is critical for reconstructing attack timelines and identifying lateral movement, which is impossible with siloed logs.

Exam trap

The trap here is that candidates confuse centralized logging with a security control that prevents attacks, rather than recognizing it as a detective tool for post-incident analysis and correlation.

Why the other options are wrong

B

This option is incorrect because centralized logging does not prevent attacks; it merely provides a means to analyze and respond to them after they occur. Security measures must be implemented to actually prevent attacks from succeeding.

C

This option is wrong because centralized logging does not eliminate the need for authentication and authorization; rather, it complements these security measures by providing a way to analyze logs from authenticated users and authorized actions.

D

This option is wrong because forcing all devices to use the same VLAN does not directly relate to centralized logging or its benefits during security investigations. VLANs are primarily about network segmentation, not log aggregation or analysis.

310
Multi-Selectmedium

The operations team wants 3 to 8 identical Linux VM instances, with more instances added when average CPU stays above 70 percent for 10 minutes and removed when load falls. Which three settings should be configured? Select three.

Select 3 answers
A.Use a virtual machine scale set for the identical application instances.
B.Create an autoscale profile with a scale-out rule based on average CPU utilization.
C.Set minimum and maximum instance counts so the service cannot scale below 3 or above 8.
D.Place the VMs in an availability set instead of using a scale set.
E.Clone the VM manually whenever CPU rises and remove clones by hand later.
AnswersA, B, C

A VM scale set is the compute service built for multiple identical instances with centralized scaling and management. It is the correct foundation for a workload that expands and contracts over time.

Why this answer

A virtual machine scale set (VMSS) is the correct Azure service for deploying and managing a group of identical, load-balanced Linux VMs that can automatically scale in and out based on demand. It supports autoscaling rules that adjust the instance count within a defined range, meeting the requirement for 3 to 8 identical instances with automatic addition when average CPU exceeds 70% for 10 minutes and removal when load falls.

Exam trap

The trap here is that candidates may confuse availability sets with scale sets, thinking both provide scaling, but availability sets only offer redundancy and fault tolerance, not automatic scaling or instance count management.

311
MCQmedium

Based on the exhibit, the support team needs a searchable 90-day history of who deleted Azure resources and when. The current workspace only contains VM guest logs. Which configuration should you add?

A.Enable guest-level diagnostics on each VM so deletion events are captured.
B.Configure a diagnostic setting at the subscription scope to send the Azure Activity log to Log Analytics and retain it for 90 days.
C.Turn on NSG flow logs for all subnets to capture resource deletions.
D.Store VM backups in the vault and use restore points as an audit trail.
AnswerB

The Azure Activity log records control-plane actions like deletes, updates, and role assignments. Exporting it from the subscription to Log Analytics makes those events searchable, and increasing retention gives the team the required 90-day history.

Why this answer

The Azure Activity log records all control-plane events, including resource deletions, at the subscription level. By configuring a diagnostic setting to stream the Activity log to a Log Analytics workspace, you can retain the data for up to 90 days (or longer with data export rules) and make it searchable via KQL queries. The current workspace only contains VM guest logs, so adding this setting directly meets the requirement without relying on guest-level or network-level logs.

Exam trap

The trap here is that candidates confuse guest-level diagnostics (OS logs) with the Azure Activity log (control-plane logs), or assume NSG flow logs or backups can serve as an audit trail for resource deletions, when in fact only the Activity log captures who deleted what and when at the Azure Resource Manager layer.

How to eliminate wrong answers

Option A is wrong because guest-level diagnostics capture OS-level events inside the VM (e.g., application crashes, performance counters), not Azure control-plane operations like resource deletions; deletion events are recorded in the Azure Activity log, not in guest logs. Option C is wrong because NSG flow logs capture network traffic metadata (IPs, ports, protocols) and have no visibility into Azure Resource Manager operations such as deleting resources; they are used for network security analysis, not audit trails of resource lifecycle events. Option D is wrong because VM backups and restore points only capture VM state at a point in time; they do not log who deleted a resource or when, and they cannot provide a searchable history of deletion events across all Azure resource types.

312
Multi-Selecthard

A service desk must grant and revoke access to an internal application for a changing group of employees. The service desk must not receive any Azure subscription or resource permissions. Which two actions should you take? Select two.

Select 2 answers
A.Use a Microsoft Entra security group to represent application access.
B.Add the service desk as an owner of that security group.
C.Assign the service desk the Contributor role on the application resource group.
D.Assign the service desk the User Administrator directory role to manage the application users.
E.Create individual user assignments for every employee instead of using group-based access.
AnswersA, B

A security group is the right identity container for access delegation and membership-based authorization.

Why this answer

Using a Microsoft Entra security group creates a stable access boundary for the application, and making the service desk an owner lets them add or remove members without touching Azure RBAC. That is the least-privilege way to delegate access administration. It keeps resource permissions out of the model, avoids tenant-wide admin roles, and supports frequent employee changes cleanly through group membership updates.

Why others are wrong: Contributor on a resource group gives Azure resource control, not just membership administration. User Administrator is a directory-wide role and is too broad for one application group. Individual user assignments defeat the goal of delegated membership management and create ongoing maintenance. The correct pattern is group-based access with delegated ownership.

313
MCQhard

A Windows VM protected by Azure Backup is missing one application file, but the VM must stay online during recovery. Which restore approach should the administrator use?

A.Restore the entire VM to a new deployment and then copy the file back
B.Use the file recovery option from the Recovery Services vault for the relevant recovery point
C.Trigger an Azure Site Recovery failover to a recovery region
D.Create a new backup policy with a shorter retention period and run the next scheduled backup
AnswerB

File recovery lets you mount a backup recovery point and copy back only the missing file while the VM continues running.

Why this answer

Azure Backup's file recovery option allows you to mount a recovery point as a drive on the running VM without restoring the entire VM or taking it offline. This enables you to copy the missing application file directly from the backup while the VM remains operational, meeting the requirement to stay online.

Exam trap

The trap here is that candidates may confuse Azure Backup's file-level recovery with Azure Site Recovery's failover, or assume that a full VM restore is the only way to access individual files, overlooking the granular mount capability.

How to eliminate wrong answers

Option A is wrong because restoring the entire VM to a new deployment is unnecessary, time-consuming, and may cause IP or name conflicts; it also does not keep the original VM online during the process. Option C is wrong because Azure Site Recovery is designed for disaster recovery and failover to a secondary region, not for granular file-level recovery from backups, and it would require the VM to be failed over, disrupting operations. Option D is wrong because creating a new backup policy with shorter retention does not recover the missing file; it only changes future backup behavior and does not address the immediate recovery need.

314
MCQhard

A development VM is recreated from scratch every week. The team wants the operating system disk to boot as quickly as possible and does not need the OS disk contents to survive deallocation. Which disk choice should the administrator make?

A.A Premium SSD managed OS disk
B.An ephemeral OS disk
C.A Standard SSD managed OS disk
D.The VM temporary disk as the operating system disk
AnswerB

Ephemeral OS disks use local storage and provide very fast boot with no persistence requirement.

Why this answer

An ephemeral OS disk is created on the local VM host storage, not on Azure managed storage, which eliminates network latency and provides significantly faster boot times. Since the team does not need the OS disk contents to survive deallocation and recreates the VM weekly, ephemeral disks are ideal as they are reset to the original image state on each deployment.

Exam trap

The trap here is that candidates often choose Premium SSD for 'fastest boot' without realizing that ephemeral OS disks bypass network storage entirely, offering even lower latency for boot operations, and that the temporary disk cannot be used as an OS disk despite its local nature.

How to eliminate wrong answers

Option A is wrong because Premium SSD managed OS disks, while fast, still incur network I/O latency and are not optimized for the fastest possible boot; they also persist data across deallocations, which is unnecessary here. Option C is wrong because Standard SSD managed OS disks are slower than Premium SSD and ephemeral disks, and they also persist data, adding cost and complexity without benefit. Option D is wrong because the VM temporary disk (D: drive on Windows, /dev/sdb on Linux) is not supported as an operating system disk; it is a scratch disk for temporary data and cannot host the OS.

315
MCQeasy

After enabling Azure VM backup, an administrator wants to confirm whether the nightly backup succeeded. Where should the administrator check the backup status?

A.In the Recovery Services vault backup jobs
B.In the VM's network security group
C.In the VM's availability set
D.In the subscription activity log only
AnswerA

Backup jobs in the vault show whether each backup operation completed successfully, failed, or is still running.

Why this answer

The correct place to check backup status is the Recovery Services vault backup jobs. When Azure VM backup is enabled, each backup operation creates a job entry in the associated Recovery Services vault. The 'Backup Jobs' blade within the vault lists all backup jobs, their status (e.g., Completed, Failed, In Progress), and details like start time and error messages.

This is the centralized monitoring point for backup operations, as defined by Azure Backup's job-based monitoring model.

Exam trap

The trap here is that candidates may confuse the subscription activity log (which shows who enabled backup) with the backup job status log, not realizing that backup job details are stored separately in the Recovery Services vault's dedicated backup jobs interface.

How to eliminate wrong answers

Option B is wrong because a VM's network security group (NSG) controls inbound/outbound traffic rules and has no relation to backup job status or history. Option C is wrong because an availability set is a logical grouping for VM fault tolerance and update domains, not a monitoring or logging resource for backup operations. Option D is wrong because while the subscription activity log records resource-level administrative operations (e.g., enabling backup), it does not capture the detailed status of individual backup jobs; backup job status is stored only in the Recovery Services vault's backup jobs interface.

316
MCQmedium

A partner company needs to upload files to a single blob container for the next 24 hours. The partner should not receive the storage account key, and the access should be limited to that container only. Which access mechanism should you provide?

A.A container-level SAS token with write permission and a 24-hour expiry.
B.The storage account key, because it is easier for external users to use.
C.A management group role assignment, because RBAC can restrict access to one blob container.
D.A private endpoint, because it grants the partner write access over a private IP.
AnswerA

A SAS token is the right tool for short-lived, scoped access to one container. It avoids sharing the storage account key, and you can limit the permissions to write only with a precise expiration time. That makes it well suited for partner uploads, temporary transfers, and other delegated storage tasks.

Why this answer

A container-level SAS token with write permission and a 24-hour expiry is correct because it provides time-limited, delegated access to a specific blob container without exposing the storage account key. The SAS token is generated with the container as the resource scope, write permission (add/create), and an expiry time of 24 hours, meeting all requirements: no key sharing, container-only access, and time-bound access.

Exam trap

The trap here is that candidates may confuse SAS tokens with storage account keys, thinking a key is simpler for external users, or mistakenly believe RBAC at a management group scope can be narrowed to a single container, when in fact RBAC for containers requires the scope to be the container itself (via Azure RBAC for Data Actions) and is not available at management group level.

How to eliminate wrong answers

Option B is wrong because sharing the storage account key grants full administrative access to the entire storage account (all containers, blobs, queues, tables, and settings), violating the requirement to limit access to a single container and avoid exposing the key. Option C is wrong because RBAC role assignments at the management group scope apply to all subscriptions and resources under that management group, not to a single blob container; RBAC can be scoped to a container only at the resource group or storage account level, not at the management group level. Option D is wrong because a private endpoint provides network-level isolation (private IP connectivity) but does not grant write permissions or control access to a specific container; it only ensures traffic stays on a private network, and permissions are still managed via keys, SAS, or RBAC.

317
MCQmedium

A web application is made up of several Azure resources that are deployed, updated, and retired together. The team wants one container for applying access control, tags, and deletion protection consistently to the whole application. What should they use?

A.A subscription dedicated to the application.
B.A resource group.
C.A management group.
D.A tag value that names the application.
AnswerB

A resource group is the standard lifecycle container for related Azure resources that are managed together. It lets administrators apply RBAC, tags, and locks to the application as a unit while keeping the workload separate from other applications. This is the most practical way to organize resources that are deployed and retired together.

Why this answer

A resource group is the correct container because it is a logical grouping of Azure resources that share the same lifecycle, allowing you to apply access control (RBAC), tags, and deletion protection (resource locks) consistently to all resources within the group. This aligns with the requirement to deploy, update, and retire resources together as a single unit.

Exam trap

The trap here is that candidates often confuse tags as a grouping mechanism for access control or deletion protection, but tags are purely metadata and cannot enforce RBAC or resource locks, whereas a resource group provides a true security and lifecycle boundary.

How to eliminate wrong answers

Option A is wrong because a dedicated subscription would provide a billing and policy boundary but is an overly broad and costly approach for a single application, and it does not inherently group resources for lifecycle management. Option C is wrong because a management group is used for organizing subscriptions and applying governance at scale (e.g., Azure Policy across multiple subscriptions), not for grouping resources within a single application. Option D is wrong because a tag value is metadata that can be used for filtering and cost tracking, but it does not provide a container for applying access control or deletion protection consistently; tags are not a security boundary and cannot enforce resource locks or RBAC.

318
MCQmedium

A business-critical storage account must survive a zone outage in the primary region and also keep a read-only copy in the paired region for reporting if the primary region becomes unavailable. Which redundancy option should you choose?

A.ZRS because it protects against a single datacenter failure.
B.RA-GZRS because it provides zone redundancy and read access to the secondary region.
C.GZRS because it provides a readable secondary region by default.
D.RA-GRS because it provides zone redundancy and read access to the secondary region.
AnswerB

RA-GZRS is the correct option because it combines zone-redundant storage in the primary region with geo-replication to the paired region, and it allows read access to the secondary copy. That matches both requirements: resilience to a zone outage and a readable secondary copy for reporting or failover scenarios. It is the highest-resilience option in this list.

Why this answer

Option B (RA-GZRS) is correct because it combines zone-redundant storage (ZRS) within the primary region, ensuring data survives a zone outage, with read-access geo-redundant storage (RA-GRS) to the paired region, providing a readable secondary copy for reporting if the primary region becomes unavailable. This meets both requirements: zone-level fault tolerance and read-only access to the secondary region during a primary outage.

Exam trap

The trap here is that candidates confuse GZRS (which requires a failover for read access) with RA-GZRS (which provides always-on read access to the secondary region), or mistakenly think RA-GRS offers zone redundancy when it only uses LRS in the primary region.

How to eliminate wrong answers

Option A is wrong because ZRS only protects against a single datacenter (zone) failure within the primary region but does not provide any replication to a secondary region, so it cannot serve a read-only copy for reporting if the primary region is unavailable. Option C is wrong because GZRS provides zone redundancy and geo-replication to a secondary region, but by default the secondary region is not readable; it requires a failover to become writable, and read access is not available without a separate configuration (RA-GZRS). Option D is wrong because RA-GRS provides read access to the secondary region but uses LRS (locally redundant storage) in the primary region, not zone redundancy, so it does not survive a zone outage in the primary region.

319
MCQmedium

A lifecycle rule moves blobs to the archive tier after 90 days. A file was archived 2 weeks ago, and a reporting job now needs to read it tomorrow morning. What should you expect?

A.The file is immediately readable, but only through the archive endpoint and at a higher request rate.
B.The file must be rehydrated to an online tier before it can be read, so access is delayed.
C.The file is permanently deleted when it enters archive, so the job must use a backup restore.
D.The file can be read immediately if the account has read-access geo-redundancy enabled.
AnswerB

Archive tier is offline storage. If a job needs the blob tomorrow, the blob must first be rehydrated to an online tier such as hot or cool. Rehydration takes time, so the data is not instantly available. This is an important operational consideration when lifecycle policies move data to archive based on age.

Why this answer

Option B is correct because blobs in the Azure Archive tier are offline and cannot be read directly. To access the data, you must first rehydrate the blob to an online tier (Hot, Cool, or Cold) using a copy or change-tier operation, which introduces a delay (typically up to 15 hours for standard priority rehydration). The file was archived only 2 weeks ago, so it is still in the Archive tier and requires rehydration before the reporting job can read it tomorrow morning.

Exam trap

The trap here is that candidates assume the Archive tier is simply a 'cold' storage that can be read slowly, but in reality it is an offline tier requiring explicit rehydration, which introduces significant latency.

How to eliminate wrong answers

Option A is wrong because the Archive tier is an offline tier; blobs are not immediately readable through any endpoint, and there is no 'archive endpoint' for direct reads — access requires rehydration to an online tier. Option C is wrong because blobs in the Archive tier are not deleted; they remain stored with the same data integrity and can be rehydrated when needed — permanent deletion only occurs if a lifecycle policy explicitly includes a delete action. Option D is wrong because read-access geo-redundancy (RA-GRS) provides read access to a secondary region during an outage, but it does not change the offline nature of the Archive tier — the blob must still be rehydrated before it can be read from any endpoint.

320
MCQhard

A platform team created a BlobStorage account for application logs. Later they discovered the same account must also host an Azure Files share for a Linux automation server, and lifecycle rules must continue to manage blob tiers. Standard performance is sufficient. What should they do?

A.Keep the BlobStorage account and add a private endpoint
B.Recreate the storage as a StorageV2 general-purpose v2 account
C.Convert the account to Premium Block Blob storage
D.Create a separate file server VM and keep the BlobStorage account unchanged
AnswerB

A StorageV2 account supports both blob features such as lifecycle management and Azure Files shares in the same account. The earlier BlobStorage kind is too limited for the file-share requirement, so the correct administrative action is to create a general-purpose v2 account and migrate the data. This also preserves standard performance and keeps the storage design simpler than splitting services across separate accounts.

Why this answer

A BlobStorage account is a specialized storage account that supports only block blobs and append blobs, not Azure Files shares. To host both blobs and Azure Files, you need a general-purpose v2 (StorageV2) account, which supports all Azure Storage services including blobs, files, queues, and tables, while also allowing lifecycle management policies for blob tiering. Recreating the account as StorageV2 meets both requirements without sacrificing blob lifecycle rules.

Exam trap

The trap here is that candidates assume a BlobStorage account can be 'upgraded' or that adding features like private endpoints or premium performance will enable Azure Files, when in fact the account kind is immutable after creation and must be recreated as StorageV2.

How to eliminate wrong answers

Option A is wrong because adding a private endpoint to a BlobStorage account does not enable Azure Files support; private endpoints control network access, not storage service capabilities. Option C is wrong because Premium Block Blob storage is designed for high-performance workloads with low latency and does not support Azure Files shares, nor does it allow lifecycle management rules for blob tiering (tiers are fixed). Option D is wrong because creating a separate file server VM introduces unnecessary complexity, cost, and management overhead, whereas the requirement can be met natively by using a StorageV2 account that supports both blobs and Azure Files.

321
MCQmedium

You want Azure to identify underutilized virtual machines and recommend ways to reduce cost and improve security posture. Which service should you use?

A.Azure Advisor
B.Azure Policy
C.Azure Backup
D.Virtual network peering
AnswerA

Azure Advisor provides recommendations for optimization and improvement.

Why this answer

Azure Advisor analyzes Azure resources and provides recommendations related to cost, security, reliability, performance, and operational excellence.

322
MCQmedium

An on-premises application connected through a site-to-site VPN must read data from an Azure Storage account. Public network access is disabled on the storage account, and the storage service must be reachable only by a private IP address inside Azure. Which solution should the administrator implement?

A.Enable a service endpoint on the on-premises network.
B.Create a private endpoint for the storage account in an Azure VNet.
C.Peer the on-premises network directly to the storage account.
D.Use a shared access signature and leave public network access enabled.
AnswerB

A private endpoint assigns the storage account a private IP address in a chosen Azure VNet, allowing access over private connectivity instead of the public internet. Because the on-premises application already reaches Azure through a site-to-site VPN, it can use that private path to access the endpoint when DNS is configured correctly. This meets the requirement to keep public access disabled while exposing the service privately.

Why this answer

A private endpoint assigns the storage account a private IP address from an Azure VNet, allowing the on-premises application to connect over the site-to-site VPN using that private IP. This ensures the storage service is reachable only within Azure's private network, even with public network access disabled. The private endpoint uses Azure Private Link to securely expose the storage account into the VNet, making it accessible via the VPN without traversing the public internet.

Exam trap

The trap here is confusing service endpoints with private endpoints: candidates often choose service endpoints because they also provide secure connectivity, but service endpoints do not assign a private IP and require public network access to be enabled, making them unsuitable when the requirement is to use only a private IP address.

How to eliminate wrong answers

Option A is wrong because a service endpoint does not assign a private IP address; it extends the storage account's public endpoint to a VNet subnet via Azure backbone, but the storage account still uses a public IP and public network access must be enabled, which contradicts the requirement. Option C is wrong because VNet peering connects two Azure VNets, not an on-premises network to a storage account; on-premises connectivity requires a VPN or ExpressRoute, and peering does not involve storage accounts directly. Option D is wrong because it leaves public network access enabled, violating the requirement that the storage service must be reachable only by a private IP address inside Azure; a SAS token does not change the network accessibility.

323
MCQmedium

Based on the exhibit, you want the resource logs for the storage account to appear in Log Analytics so you can investigate read and write failures. What should you configure?

A.Create a metric alert rule on the storage account and link it to an action group.
B.Add a diagnostic setting that sends resource logs to the Log Analytics workspace.
C.Enable a resource lock so the storage account cannot be modified.
D.Move the storage account to a different subscription that already has Log Analytics enabled.
AnswerB

Diagnostic settings are the Azure Monitor feature used to route platform logs and metrics from a resource to destinations such as Log Analytics. Because the exhibit shows logs are disabled and no destination is configured, adding a diagnostic setting with the workspace selected is the correct way to make read and write events available for querying.

Why this answer

Diagnostic settings in Azure allow you to stream resource logs (such as StorageRead and StorageWrite logs) from a storage account directly to a Log Analytics workspace. By configuring a diagnostic setting with the appropriate log categories enabled, you can query and analyze read and write failures in Log Analytics without additional infrastructure.

Exam trap

The trap here is that candidates often confuse metric alerts (which monitor performance metrics) with diagnostic settings (which collect detailed resource logs), leading them to choose a metric-based solution when the question explicitly asks for log data to investigate failures.

How to eliminate wrong answers

Option A is wrong because a metric alert rule monitors performance metrics (e.g., latency, availability) and triggers actions via an action group, but it does not send resource logs to Log Analytics for investigation of read/write failures. Option C is wrong because a resource lock prevents accidental deletion or modification of the storage account, but it does not enable log collection or analysis. Option D is wrong because moving the storage account to a different subscription does not automatically enable log streaming to Log Analytics; you must still configure a diagnostic setting to send logs to the workspace.

324
MCQmedium

An external consultant from another company needs read-only access to a resource group and must sign in with their own work account. What should be created in Microsoft Entra ID?

A.A member user account in the company tenant
B.A guest user account
C.A Microsoft 365 group
D.A service principal
AnswerB

A guest user lets the consultant authenticate with their own organization credentials while being represented in your tenant as an external identity.

Why this answer

B is correct because a guest user account in Microsoft Entra ID (formerly Azure AD) allows an external user from another organization to sign in using their own work account (via B2B collaboration) and be granted read-only access to a specific resource group. This leverages the existing identity provider of the external consultant, eliminating the need to create a separate identity in the company tenant.

Exam trap

The trap here is that candidates often confuse a guest user with a member user, thinking a new identity must be created in the tenant, but the key requirement is that the external consultant signs in with their own work account, which only a guest user (B2B collaboration) supports.

How to eliminate wrong answers

Option A is wrong because creating a member user account in the company tenant would require the external consultant to manage a separate identity and password within your tenant, which violates the requirement that they sign in with their own work account. Option C is wrong because a Microsoft 365 group is a security or distribution group used for managing permissions and collaboration within the tenant, not an identity object that allows external users to authenticate. Option D is wrong because a service principal is an identity used by applications or automated tools to access Azure resources, not for individual human users to sign in with their own work account.

325
Multi-Selectmedium

Your company has a hybrid infrastructure with Azure VMs and on-premises servers. You need to configure Azure Monitor to collect and analyze performance and event data from all servers in a centralized workspace. Which three of the following steps are required to achieve this? (Choose three.)

Select 3 answers
.Deploy the Azure Monitor Agent on both Azure VMs and on-premises servers.
.Create a Log Analytics workspace in the same Azure region as your Azure VMs.
.Configure Data Collection Rules (DCRs) to specify which performance counters and events to collect.
.Install the Microsoft Monitoring Agent (MMA) on all servers and connect to a Log Analytics workspace.
.Enable Network Watcher to monitor network traffic between on-premises and Azure.
.Create a VM Insights solution in the Azure portal to automatically collect data from all Azure VMs.

Why this answer

The Azure Monitor Agent (AMA) is the current recommended agent for collecting telemetry from both Azure VMs and on-premises servers, replacing the legacy Microsoft Monitoring Agent (MMA). A Log Analytics workspace is required as the centralized data repository, and Data Collection Rules (DCRs) define exactly which performance counters and events to collect, enabling granular, scalable data ingestion without manual configuration per machine.

Exam trap

The trap here is that candidates often confuse the legacy Microsoft Monitoring Agent (MMA) with the current Azure Monitor Agent, or assume that VM Insights or Network Watcher can replace the need for explicit agent deployment and Data Collection Rules.

326
MCQmedium

A VM in VNet A can reach a storage account through a private endpoint, but when the VM resolves the storage account name it still gets the public IP address. What should you configure so name resolution returns the private endpoint address?

A.A user-defined route to the storage private endpoint
B.The private DNS zone linked to the VNet
C.A resource lock on the storage account
D.A managed identity for the VM
AnswerB

Linking the private DNS zone makes the storage name resolve to the private endpoint address.

Why this answer

When a private endpoint is created for a storage account, the DNS configuration must be updated so that the storage account's fully qualified domain name resolves to the private endpoint's private IP address instead of the public IP. Linking a private DNS zone (privatelink.blob.core.windows.net) to the virtual network and configuring a virtual network link ensures that the VM's DNS queries for the storage account are answered with the private endpoint IP. Without this, the VM continues to use the public IP from public DNS.

Exam trap

The trap here is that candidates confuse network-level routing (UDRs) with DNS resolution, assuming that directing traffic to the private endpoint IP via a route will fix name resolution, when in fact DNS must be explicitly configured to return the private IP.

How to eliminate wrong answers

Option A is wrong because a user-defined route (UDR) controls network traffic flow (next hop) and does not affect DNS name resolution; it cannot change what IP address a name resolves to. Option C is wrong because a resource lock prevents accidental deletion or modification of the storage account but has no impact on DNS resolution or private endpoint connectivity. Option D is wrong because a managed identity provides the VM with an Azure AD identity for authentication to Azure services, not for DNS name resolution or private endpoint routing.

327
MCQmedium

A company already uses the address space 10.20.0.0/16 for a hub virtual network and 10.21.0.0/16 on-premises. A new spoke virtual network will be peered to the hub and may later connect to the on-premises network. Which address space should the administrator choose for the spoke to avoid future routing conflicts?

A.10.20.64.0/19
B.10.21.0.0/16
C.10.22.0.0/16
D.10.20.128.0/17
AnswerC

This range does not overlap with either the hub VNet or the on-premises network. It also provides a full /16, which leaves enough room for multiple subnets and future growth while keeping peering and hybrid connectivity straightforward.

Why this answer

Option C (10.22.0.0/16) is correct because it is a unique, non-overlapping address space that does not conflict with the existing hub VNet (10.20.0.0/16) or the on-premises network (10.21.0.0/16). When a spoke VNet is peered to the hub and later connected to on-premises via VPN or ExpressRoute, Azure requires that all peered and connected address spaces be unique to avoid routing conflicts. Choosing a completely separate /16 ensures no future overlap.

Exam trap

The trap here is that candidates often assume any address space outside the hub's /16 is safe, but they forget to check for overlap with the on-premises network (10.21.0.0/16) or incorrectly think that a smaller subnet within the hub's range (like 10.20.64.0/19) can be used if it is not currently in use, ignoring that Azure requires completely non-overlapping ranges for peered VNets.

How to eliminate wrong answers

Option A (10.20.64.0/19) is wrong because it falls within the hub VNet's 10.20.0.0/16 range, causing an immediate IP address overlap that would prevent VNet peering from succeeding. Option B (10.21.0.0/16) is wrong because it exactly matches the on-premises address space, which would create a routing conflict when the spoke later connects to on-premises (Azure cannot distinguish between the on-premises network and the spoke VNet). Option D (10.20.128.0/17) is wrong because it is a subset of the hub's 10.20.0.0/16, overlapping with the hub VNet and breaking peering due to non-unique address ranges.

328
Multi-Selecteasy

A Windows VM mounts an Azure Files share by using SMB and identity-based authentication. Which two permission layers can affect access to folders in the share? Select two.

Select 2 answers
A.Azure RBAC permissions on the file share
B.NTFS permissions on files and folders
C.Network security group rules on the storage account
D.Blob access tier settings
E.Route table next-hop selection
AnswersA, B

Share-level RBAC determines whether the identity can connect to and use the Azure Files share.

Why this answer

Azure RBAC permissions on the file share (Option A) control whether a user or service principal can mount the share or perform management operations, such as listing or modifying share properties. When identity-based authentication is used (Kerberos or Azure AD Kerberos), RBAC roles like 'Storage File Data SMB Share Reader' or 'Contributor' are required to grant access at the share level before any file-level permissions apply.

Exam trap

The trap here is that candidates often confuse network-level controls (NSGs, route tables) with identity-based access controls, or incorrectly assume Blob access tiers apply to Azure Files shares, when in fact only RBAC and NTFS permissions govern folder access in this scenario.

329
MCQmedium

Based on the exhibit, a production VM must send an email and SMS notification if average CPU stays above 85% for 10 minutes. The team created the alert rule, but no one receives notifications when the condition is met. What should the administrator add to the alert rule?

A.Add a diagnostic setting that sends VM metrics to a Log Analytics workspace.
B.Attach an action group that includes email and SMS receivers.
C.Change the alert to use a log query instead of a metric condition.
D.Create a resource lock to prevent changes to the virtual machine.
AnswerB

Azure Monitor alert rules need an action group to trigger notifications or automation when the metric condition is met. The alert already evaluates correctly, but it has no notification target. Adding an action group with email and SMS receivers enables the response the business wants.

Why this answer

The alert rule is correctly configured to trigger when the average CPU exceeds 85% for 10 minutes, but notifications are not being sent because no action group is attached. An action group defines the notification channels (e.g., email, SMS, webhook) that fire when the alert is activated. Without an action group, the alert can fire silently, so the administrator must attach an action group containing the desired email and SMS receivers.

Exam trap

The trap here is that candidates may think the alert rule itself includes notification settings, but Azure separates the alert condition (metric/log) from the notification mechanism (action group), so you must explicitly attach an action group to receive alerts.

How to eliminate wrong answers

Option A is wrong because a diagnostic setting sends VM metrics to a Log Analytics workspace for analysis or archival, but it does not trigger notifications; notifications require an action group. Option C is wrong because the condition is already a metric (CPU percentage), and changing to a log query would require log data ingestion and is unnecessary; the existing metric alert is the correct approach for real-time CPU thresholds. Option D is wrong because a resource lock prevents accidental deletion or modification of the VM, but it has no effect on alert notifications.

330
MCQeasy

Based on the exhibit, an automation account must restart virtual machines and read network interface settings in RG-App. Built-in roles are too broad because they also allow actions the team does not want. What should the administrator do?

A.Assign the Reader role at RG-App, because reading permissions automatically include restart actions.
B.Create a custom role with only the required read and restart actions, then assign it at RG-App.
C.Assign Virtual Machine Contributor at the subscription scope so the automation account can reach all resources.
D.Create a management group and move RG-App into it so only the needed actions are exposed.
AnswerB

A custom role is the correct solution when built-in roles are broader than needed. By defining only the required VM restart action and read permissions for the VM and network interface, the administrator can keep permissions tightly limited to RG-App and avoid unnecessary capabilities such as deletion or network changes.

Why this answer

Option B is correct because built-in roles like Virtual Machine Contributor include actions beyond the required scope (e.g., write/delete operations), which the team wants to avoid. A custom role allows precise definition of only the needed actions: 'Microsoft.Compute/virtualMachines/restart/action' and 'Microsoft.Network/networkInterfaces/read'. Assigning this custom role at the RG-App scope ensures least privilege without exposing broader permissions.

Exam trap

The trap here is that candidates assume built-in roles like Reader or Virtual Machine Contributor are 'close enough' and overlook the need for custom roles to exclude unwanted write/delete actions, or they confuse management groups with a mechanism for fine-grained action filtering.

How to eliminate wrong answers

Option A is wrong because the Reader role does not include the 'Microsoft.Compute/virtualMachines/restart/action' permission; reading permissions do not automatically grant restart actions, as restart is a separate control-plane action. Option C is wrong because assigning Virtual Machine Contributor at the subscription scope grants write/delete permissions on all VMs in the subscription, which is broader than needed and violates the principle of least privilege. Option D is wrong because management groups do not expose or restrict specific actions; they are hierarchical containers for policy and RBAC inheritance, not a mechanism to filter actions at a resource group level.

331
Multi-Selecteasy

A batch container in Azure Container Instances should stop after a successful run and may retry only when the process fails. Which two restart policies are correct for that style of workload? Select two.

Select 2 answers
A.Never
B.OnFailure
C.Always
D.Manual
E.Scheduled
AnswersA, B

Never lets the container exit and stay stopped, which is useful for one-time batch jobs.

Why this answer

Option A (Never) is correct because it ensures the container does not restart after a successful run, which aligns with the requirement to stop after completion. Option B (OnFailure) is correct because it allows the container to retry only when the process fails, meeting the condition of restarting solely on failure. In Azure Container Instances, these two restart policies directly support batch workloads that should not restart on success but may retry on failure.

Exam trap

The trap here is that candidates often confuse the 'OnFailure' policy with 'Always' or think 'Never' means no restarts at all, missing that 'OnFailure' is the only policy that retries exclusively on failure, while 'Always' would restart even after success, which is incorrect for this batch workload scenario.

332
MCQhard

A storage account must be reachable only from a single subnet. The team wants to keep the storage public endpoint in place, avoid a private endpoint, and avoid managing any custom DNS records. Which change best meets the requirement?

A.Add a network security group rule to the subnet that allows outbound TCP 443 to the storage account.
B.Enable a service endpoint for Microsoft.Storage on the subnet and add the subnet to the storage account firewall allow list.
C.Create a private endpoint and set the storage account to use a private DNS zone.
D.Create a route table that sends storage traffic through an Azure Firewall appliance.
AnswerB

This is the correct approach when the service must remain on the public endpoint but be accessible only from a specific subnet. The service endpoint lets Azure recognize the subnet as an allowed source while traffic still uses the storage account's public FQDN. Adding that subnet to the storage firewall enforces the restriction without requiring private endpoints or custom DNS management.

Why this answer

Option B is correct because enabling a service endpoint for Microsoft.Storage on the subnet injects the subnet's identity into the traffic to the storage account, allowing the storage account firewall to permit access only from that subnet while keeping the public endpoint active. This avoids the need for a private endpoint, custom DNS records, or additional routing appliances, directly meeting the requirement of restricting access to a single subnet.

Exam trap

The trap here is that candidates often confuse network security groups (NSGs) with storage account firewalls, thinking an NSG rule on the subnet can restrict access to the storage account, when in fact the storage account firewall must explicitly allow the subnet via a service endpoint or virtual network rule to enforce subnet-level restriction.

How to eliminate wrong answers

Option A is wrong because adding an NSG rule that allows outbound TCP 443 to the storage account does not restrict inbound access to the storage account; the storage account's public endpoint remains open to all traffic, and the NSG only controls traffic within the subnet, not the storage account's firewall. Option C is wrong because creating a private endpoint would remove the public endpoint from use (or require disabling public access) and would involve managing private DNS zones or custom DNS records, which the team explicitly wants to avoid. Option D is wrong because creating a route table to send storage traffic through an Azure Firewall does not restrict access to a single subnet; it forces traffic through a firewall for inspection but still leaves the storage account's public endpoint accessible from any source, and it adds management overhead for the firewall and routing.

333
MCQhard

Your company stores monthly reports in Azure Blob Storage. The reports are rarely accessed, but when needed they must be read within seconds rather than hours. You need to minimize storage cost while preserving near-immediate availability. Which access tier should you use?

A.Hot
B.Cool
C.Archive
D.Premium
AnswerB

Cool minimizes cost for infrequently accessed data while keeping it available online.

Why this answer

Cool tier is correct because it offers low storage cost for infrequently accessed data while maintaining near-immediate (milliseconds) retrieval latency. The reports are rarely accessed but must be available within seconds, which Cool tier satisfies, whereas Archive would incur hours-long rehydration delays.

Exam trap

The trap here is that candidates often choose Archive tier thinking it is the cheapest option for rarely accessed data, but they overlook the critical requirement for 'within seconds' availability, which Archive cannot provide without a time-consuming rehydration process.

How to eliminate wrong answers

Option A is wrong because Hot tier has higher storage cost per GB, which is unnecessary for rarely accessed data and would not minimize storage cost. Option C is wrong because Archive tier, while cheapest for storage, requires manual rehydration that can take up to 15 hours, violating the 'within seconds' availability requirement. Option D is wrong because Premium tier is designed for high-performance, low-latency workloads (e.g., Azure Virtual Desktop) and incurs the highest cost, making it unsuitable for cost minimization on rarely accessed reports.

334
MCQhard

A subnet NSG contains these inbound rules: Priority 100 denies TCP 8443 from VirtualNetwork to any destination, Priority 110 allows TCP 8443 from AzureLoadBalancer to any destination, and Priority 200 allows TCP 8443 from ASG-Web to ASG-App. The app VM NIC has no additional inbound rules. Web servers are members of ASG-Web and the app VM is a member of ASG-App. The web tier still cannot connect to TCP 8443. What should the administrator change?

A.Move the allow rule for ASG-Web to ASG-App to a priority lower than 100.
B.Replace ASG-Web with the VirtualNetwork service tag in the allow rule.
C.Add a route table that sends TCP 8443 traffic to the app subnet.
D.Create a second NSG on the app NIC with an allow rule at priority 50.
AnswerA

NSG rules are processed in priority order, and the first matching rule wins. The deny rule at priority 100 matches traffic from the web tier because it comes from the same virtual network. Moving the specific allow rule to a lower number than 100 lets it match first while still keeping the source and destination restricted to the intended application security groups.

Why this answer

The correct answer is A because NSG rules are evaluated in priority order, from lowest to highest number. The deny rule at priority 100 explicitly blocks TCP 8443 from VirtualNetwork, which includes traffic from ASG-Web (since ASG-Web members are within the virtual network). The allow rule at priority 110 only permits traffic from AzureLoadBalancer, not from ASG-Web.

The allow rule at priority 200 is never evaluated because the deny rule at priority 100 matches first. By moving the allow rule for ASG-Web to ASG-App to a priority lower than 100 (e.g., 90), it will be evaluated before the deny rule, allowing the web servers to connect.

Exam trap

The trap here is that candidates often assume a more specific rule (like ASG-Web to ASG-App) will override a broader deny rule, but NSG priority is strictly numeric, not based on specificity, so a lower-priority allow rule is never evaluated if a higher-priority deny rule matches first.

How to eliminate wrong answers

Option B is wrong because replacing ASG-Web with the VirtualNetwork service tag would still match the deny rule at priority 100 (since VirtualNetwork includes all virtual network traffic, including ASG-Web), and the allow rule at priority 200 would still be blocked. Option C is wrong because route tables control traffic routing between subnets, not NSG rule evaluation; adding a route table does not bypass NSG deny rules. Option D is wrong because creating a second NSG on the app NIC with an allow rule at priority 50 would still be overridden by the subnet NSG's deny rule at priority 100, as NSGs are evaluated in order (subnet NSG first, then NIC NSG) and the subnet NSG deny would block the traffic before the NIC NSG allow is considered.

335
MCQeasy

Based on the exhibit, two development virtual networks must be peered so the workloads can exchange traffic directly. What should the administrator do first?

A.Create a VPN gateway in each VNet before attempting peering.
B.Change one VNet to a non-overlapping address space before creating the peering.
C.Add a user-defined route to each subnet so the VNets can ignore the overlap.
D.Enable service endpoints on both VNets to allow cross-network communication.
AnswerB

Azure VNet peering does not allow overlapping address spaces. The first step is to redesign one network so its address range does not intersect the other. After the address conflict is removed, peering can be created normally and traffic can flow directly between the VNets.

Why this answer

Azure Virtual Network peering requires that the address spaces of the peered VNets do not overlap. Overlapping address spaces cause routing conflicts because Azure cannot determine which VNet should receive traffic destined for the overlapping range. Therefore, the administrator must first change one VNet to a non-overlapping address space before creating the peering.

Exam trap

The trap here is that candidates often assume overlapping address spaces can be resolved with routing tweaks (like UDRs) or additional gateways, but Azure explicitly blocks VNet peering when address spaces overlap, requiring a non-overlapping address space as a prerequisite.

How to eliminate wrong answers

Option A is wrong because VPN gateways are not required for VNet peering; peering uses the Azure backbone network directly, not a VPN tunnel. Option C is wrong because user-defined routes cannot override the fundamental routing conflict caused by overlapping address spaces; Azure will still see the addresses as ambiguous and may drop or misroute traffic. Option D is wrong because service endpoints are used to secure access to Azure PaaS services (like Storage or SQL) from a VNet, not to enable direct traffic exchange between two peered VNets.

336
MCQmedium

A hub VNet contains a VPN gateway that provides access to on-premises resources. A spoke VNet is peered to the hub and must send on-premises traffic through the hub gateway without deploying its own gateway. What peering configuration is required?

A.Enable forwarded traffic on both peerings and disable gateway transit.
B.Enable gateway transit on the hub peering and Use remote gateways on the spoke peering.
C.Create a second VPN gateway in the spoke and peer the two gateways.
D.Configure the spoke subnet with a service endpoint to the hub gateway subnet.
AnswerB

This is the correct hub-and-spoke gateway sharing configuration. The hub peering must allow gateway transit, and the spoke peering must use the remote gateway in the hub. Together, these settings let the spoke route on-premises traffic through the hub VPN gateway without deploying a second gateway.

Why this answer

Option B is correct because to route spoke VNet traffic through the hub VPN gateway without deploying a separate gateway in the spoke, you must enable 'Use remote gateways' on the spoke peering and 'Gateway transit' on the hub peering. This configuration allows the spoke to use the hub's VPN gateway for on-premises connectivity, leveraging the transitive routing capability of VNet peering.

Exam trap

The trap here is that candidates often confuse 'forwarded traffic' with 'gateway transit'—forwarded traffic only allows traffic from a third VNet to pass through the peering, but it does not enable the hub's VPN gateway to be used by the spoke; gateway transit is the specific setting required for this scenario.

How to eliminate wrong answers

Option A is wrong because disabling gateway transit on the hub peering prevents the spoke from using the hub's VPN gateway, and enabling forwarded traffic alone does not provide gateway transit functionality. Option C is wrong because deploying a second VPN gateway in the spoke defeats the requirement to avoid deploying its own gateway and introduces unnecessary cost and complexity. Option D is wrong because service endpoints are used for secure access to Azure PaaS services (e.g., Azure Storage) over the Azure backbone, not for routing traffic to a VPN gateway or on-premises resources.

337
MCQeasy

A data disk was accidentally deleted from a VM. You have a snapshot of that disk from before the deletion. What should you create first to restore the data with minimal impact to the VM's OS disk?

A.A new managed disk from the snapshot
B.A new virtual machine
C.A new availability set
D.A larger VM size
AnswerA

A snapshot is a backup point for a disk, but it must be turned into a managed disk before it can be attached to a VM. Creating a new managed disk from the snapshot restores the data in a recoverable form while leaving the VM's OS disk untouched. After the new disk is created, you can attach it as a data disk. This is the normal restore path for a deleted or lost managed data disk.

Why this answer

A is correct because creating a new managed disk from the snapshot is the direct and minimal-impact method to restore the deleted data disk. Once the new managed disk is created, you can attach it to the existing VM without affecting the OS disk or requiring a VM rebuild. This approach avoids any downtime beyond the brief attachment operation.

Exam trap

The trap here is that candidates may think they need to recreate the entire VM (Option B) to use the snapshot, not realizing that a snapshot can be converted directly into a managed disk and attached to the existing VM without any OS disk impact.

How to eliminate wrong answers

Option B is wrong because creating a new virtual machine would be unnecessarily disruptive, requiring reconfiguration of all settings and applications, and does not directly restore the specific data disk. Option C is wrong because an availability set is a logical grouping for high availability, not a mechanism to restore disk data. Option D is wrong because resizing the VM to a larger size only changes compute resources and does not recover the deleted disk or its data.

338
MCQmedium

Based on the exhibit, compliance requires one backup every week to be kept for 52 weeks, in addition to the daily backups already configured. What should you change in the backup policy?

A.Increase the daily retention from 30 days to 365 days.
B.Add a weekly retention rule that keeps one weekly recovery point for 52 weeks.
C.Change the vault to use soft delete so backups are retained for 52 weeks.
D.Create a metric alert to warn the team when backups are older than seven days.
AnswerB

The requirement is specific: keep one backup each week for a year. That is a weekly retention requirement, not just longer daily retention. Adding a weekly retention rule to the Azure Backup policy satisfies the compliance need while preserving the existing daily backups for operational recovery.

Why this answer

The requirement is to retain one weekly backup for 52 weeks, in addition to the existing daily backups. Adding a weekly retention rule that keeps one recovery point per week for 52 weeks directly satisfies this requirement by ensuring that each weekly backup is retained for the full year, while daily backups remain unaffected. This is the correct approach because Azure Backup allows granular retention policies with multiple rules for different frequencies (daily, weekly, monthly, yearly).

Exam trap

The trap here is that candidates often confuse retention duration with backup frequency, mistakenly thinking that increasing daily retention to 365 days will satisfy the weekly requirement, when in fact it would retain all daily backups instead of just one per week.

How to eliminate wrong answers

Option A is wrong because increasing daily retention to 365 days would keep every daily backup for a year, not just one per week, which violates the compliance requirement of keeping only one weekly backup for 52 weeks and would significantly increase storage costs. Option C is wrong because soft delete is a data protection feature that prevents permanent deletion of backups for a configurable period (default 14 days), but it does not control retention duration or create weekly recovery points; it is unrelated to meeting the 52-week weekly retention requirement. Option D is wrong because a metric alert for backups older than seven days is a monitoring tool that notifies the team but does not change the backup policy to retain weekly backups for 52 weeks; it cannot enforce retention.

339
MCQeasy

An Azure Files share must stay available if one availability zone in its primary region fails. The business does not need replication to another region. Which redundancy option should you choose for the storage account?

A.Locally redundant storage (LRS)
B.Zone-redundant storage (ZRS)
C.Geo-redundant storage (GRS)
D.Read-access geo-redundant storage (RA-GRS)
AnswerB

ZRS stores synchronously replicated copies across availability zones in the same region, so the share remains available if one zone fails.

Why this answer

Zone-redundant storage (ZRS) synchronously replicates your Azure Files share across three Azure availability zones within the primary region. This ensures the share remains available if one zone fails, without requiring replication to another region. LRS only replicates within a single data center, while GRS and RA-GRS involve secondary region replication, which the business does not need.

Exam trap

The trap here is that candidates often choose LRS thinking it provides zone-level redundancy, but LRS only replicates within a single data center, not across zones, making it insufficient for the stated availability requirement.

How to eliminate wrong answers

Option A is wrong because locally redundant storage (LRS) replicates data three times within a single data center in a single availability zone, so it cannot survive a zone-level failure. Option C is wrong because geo-redundant storage (GRS) replicates data to a secondary region, which the business explicitly does not require, and it still uses LRS in the primary region, making it vulnerable to a zone failure. Option D is wrong because read-access geo-redundant storage (RA-GRS) also replicates to a secondary region and adds read access there, but the business does not need any cross-region replication, and like GRS, it relies on LRS in the primary region.

340
MCQmedium

Based on the exhibit, which identity should be granted the Contributor role so access can be managed centrally as team members change?

A.Assign Contributor to each user account individually.
B.Assign Contributor to a Microsoft Entra security group that contains the team members.
C.Assign Contributor to a managed identity.
D.Assign Contributor to the management group that contains rg-app.
AnswerB

A security group provides a single identity for access management. Updating group membership automatically changes access for all assigned members without rewriting RBAC assignments.

Why this answer

Assigning the Contributor role to a Microsoft Entra security group that contains the team members allows access to be managed centrally. As team members join or leave, you simply add or remove them from the group, and their permissions update automatically without needing to modify role assignments for each individual user. This aligns with Azure RBAC best practices for centralized identity governance.

Exam trap

The trap here is that candidates often think assigning roles to individual users (Option A) is simpler or more direct, overlooking the centralized management and scalability benefits of using a security group, or they confuse managed identities (Option C) with user identities, not realizing managed identities are for Azure resources, not human users.

How to eliminate wrong answers

Option A is wrong because assigning Contributor to each user account individually creates administrative overhead and does not scale; any team change requires manually updating each user's role assignment, which is not centrally managed. Option C is wrong because a managed identity is designed for Azure resources (e.g., VMs, App Services) to authenticate to Azure services, not for granting permissions to human team members; it cannot be used to centrally manage user access as team members change. Option D is wrong because assigning Contributor to the management group that contains rg-app would grant the role to all subscriptions and resources under that management group, which is overly broad and not a targeted way to manage access for a specific resource group; it also does not directly address managing team membership changes.

341
MCQmedium

You need an alert that emails administrators when CPU on VM-DB01 exceeds a threshold. Which two Azure Monitor components work together to achieve this?

A.A metric alert and an action group
B.A budget alert and a private DNS zone
C.A Recovery Services vault and a route table
D.An activity log export and a lock
AnswerA

This is the standard pairing for threshold-based alerting with notifications.

Why this answer

A metric alert monitors a specific performance metric (like CPU percentage) on a target resource (VM-DB01) and triggers when the value crosses a defined threshold. An action group defines the notification actions (e.g., sending an email to administrators) that execute when the alert fires. Together, they form the core alerting workflow in Azure Monitor: the metric alert evaluates the condition, and the action group delivers the response.

Exam trap

The trap here is that candidates confuse 'budget alerts' (cost-based) with 'metric alerts' (performance-based), or assume that activity logs capture VM-level metrics like CPU, when they only record control-plane events.

How to eliminate wrong answers

Option B is wrong because a budget alert monitors Azure spending against a cost threshold, not VM performance metrics, and a private DNS zone is used for custom domain name resolution within a virtual network, not for alerting. Option C is wrong because a Recovery Services vault manages backup and disaster recovery (e.g., Azure Backup, Site Recovery), not real-time performance monitoring, and a route table controls network traffic flow via user-defined routes, not alerting. Option D is wrong because an activity log export sends subscription-level operational events (e.g., resource creation) to a Log Analytics workspace or storage account, not CPU metrics, and a lock prevents accidental deletion or modification of resources, not alerting.

342
MCQmedium

You need to run a script inside an Azure virtual machine after deployment to install application prerequisites. Which feature should you use?

A.Azure Policy
B.A Custom Script Extension
C.Boot diagnostics
D.A proximity placement group
AnswerB

The Custom Script Extension runs scripts inside the VM.

Why this answer

The Custom Script Extension (CSE) is the correct feature because it allows you to run a script inside an Azure VM after deployment, making it ideal for installing application prerequisites. CSE downloads and executes scripts on the VM, supporting both Windows (via PowerShell) and Linux (via Bash) environments, and can be applied during initial provisioning or to an existing VM.

Exam trap

The trap here is that candidates often confuse Azure Policy (a governance tool) with the Custom Script Extension (a VM-level execution tool), mistakenly thinking Policy can run scripts to enforce configurations inside the VM, when in reality Policy only audits or remediates Azure resource properties, not guest OS actions.

How to eliminate wrong answers

Option A is wrong because Azure Policy is a governance tool that enforces compliance rules on Azure resources (e.g., requiring a specific VM size or tag), but it cannot execute scripts inside a VM. Option C is wrong because Boot diagnostics captures serial console output and screenshots for troubleshooting VM boot failures, not for running post-deployment scripts. Option D is wrong because a proximity placement group is used to reduce network latency between VMs by ensuring they are physically close in an Azure datacenter; it has no capability to execute scripts.

343
MCQmedium

Central IT wants to apply three related policy definitions—allowed Azure regions, required owner tag, and approved VM sizes—to all subscriptions in the Corp management group and report compliance as one package. What should the administrator create?

A.An initiative
B.A resource lock
C.A role assignment
D.A managed identity
AnswerA

An initiative groups multiple policy definitions into a single assignment and provides one compliance view for the set. That matches the requirement to apply several related governance controls together across the management group without managing each policy separately.

Why this answer

An initiative (also known as a policy set) in Azure Policy allows you to group multiple related policy definitions into a single package. By assigning the initiative to the Corp management group, all subscriptions under that management group inherit the three policies (allowed regions, required owner tag, approved VM sizes) as a bundle, and compliance is reported collectively for the entire initiative.

Exam trap

The trap here is that candidates may confuse a single policy definition with a policy initiative, or think that a resource lock or role assignment can enforce governance rules, when only an initiative can group multiple policies and report compliance as one package.

How to eliminate wrong answers

Option B is wrong because a resource lock prevents accidental deletion or modification of resources, but it does not enforce or report compliance on policy definitions. Option C is wrong because a role assignment grants permissions to users or services via Azure RBAC, not enforce governance rules like allowed regions or tags. Option D is wrong because a managed identity provides an Azure AD identity for applications to authenticate to Azure resources, not to define or enforce policy definitions.

344
MCQeasy

Based on the exhibit, which Azure connectivity option should the administrator use for the branch office?

A.Point-to-site VPN for each user laptop.
B.VNet peering between the branch office and Azure.
C.A service endpoint on the Azure subnet.
D.A site-to-site VPN connection to an Azure VPN gateway.
AnswerD

A site-to-site VPN is designed for a branch office network with a single edge device. It creates encrypted connectivity over the internet to Azure so users can reach private resources without setting up individual tunnels on every laptop.

Why this answer

A site-to-site VPN connection to an Azure VPN gateway (Option D) is the correct choice because it provides a persistent, encrypted tunnel between the branch office's on-premises network and Azure, enabling seamless connectivity for all users and devices at the branch without requiring per-user configuration. This aligns with the typical scenario where a branch office needs constant, secure access to Azure resources, and the VPN gateway supports IPsec/IKE protocols for site-to-site connections.

Exam trap

The trap here is that candidates often confuse VNet peering (Option B) as a hybrid connectivity solution, but it only works between Azure VNets and cannot connect on-premises networks, making site-to-site VPN the correct choice for branch office connectivity.

How to eliminate wrong answers

Option A is wrong because a point-to-site VPN requires each user laptop to individually establish a VPN connection, which is not scalable for a branch office with multiple users and does not provide network-level connectivity for all devices. Option B is wrong because VNet peering is used to connect virtual networks within Azure, not to connect an on-premises branch office to Azure; it does not support hybrid connectivity across the internet. Option C is wrong because a service endpoint is a feature that extends a VNet's private IP space to Azure PaaS services, but it does not provide any VPN or connectivity between an on-premises branch office and Azure; it only secures traffic to specific Azure services from within the VNet.

345
MCQmedium

A VM cannot connect to another VM on TCP 1433. You need to determine whether an NSG is blocking the flow and identify which rule applies. Which Network Watcher tool should you use?

A.Packet capture
B.IP flow verify
C.Connection troubleshoot
D.Effective routes
AnswerB

IP flow verify is the Network Watcher feature that tests a specific source, destination, protocol, and port against NSG rules. It shows whether the traffic is allowed or denied and which rule is responsible.

Why this answer

IP flow verify is the correct Network Watcher tool because it tests whether a packet is allowed or denied to or from a specific VM, based on a 5-tuple (source IP, destination IP, protocol, source port, destination port). For TCP 1433 (SQL Server), you can specify the exact flow parameters, and IP flow verify will evaluate all effective security rules, including NSG rules, and return the specific rule that allowed or denied the traffic.

Exam trap

The trap here is that candidates often confuse 'Connection troubleshoot' with 'IP flow verify' because both diagnose connectivity issues, but Connection troubleshoot provides a broader end-to-end path analysis without pinpointing the exact blocking rule, whereas IP flow verify is specifically designed to test a single flow and identify the exact NSG rule that applies.

How to eliminate wrong answers

Option A is wrong because Packet capture captures raw network traffic on a VM for analysis, but it does not evaluate NSG rules or identify which specific rule is blocking traffic; it requires manual inspection of captured packets. Option C is wrong because Connection troubleshoot checks end-to-end connectivity and can identify issues like NSG blocking, but it does not directly tell you which specific NSG rule is applying; it provides a diagnostic of the overall connection path. Option D is wrong because Effective routes shows the effective routing table for a VM or subnet, which is used for diagnosing routing issues, not for evaluating NSG rule evaluation or filtering decisions.

346
MCQmedium

A three-tier application uses separate web and app VMs that are scaled in and out regularly. The administrator must allow only the web tier to connect to the app tier on TCP 8080 without continually updating IP addresses. What should be configured in the NSG rule?

A.Use application security groups for the web and app tiers and reference those groups in the NSG rule.
B.Add a subnet-to-subnet peering connection between the web and app subnets.
C.Create a load balancer backend pool rule for TCP 8080.
D.Use a user-defined route that sends TCP 8080 traffic to the app tier.
AnswerA

Application security groups let the administrator group VMs by role rather than by IP address. The NSG rule can then allow traffic from the web ASG to the app ASG on TCP 8080. This is a good fit for environments that scale or change frequently because the NSG does not need constant editing whenever VM addresses change.

Why this answer

Application security groups (ASGs) allow you to group VMs logically by their application role (e.g., web tier, app tier) and reference those groups directly in NSG rules. This eliminates the need to maintain individual IP addresses or CIDR ranges when VMs scale in or out, because the NSG rule dynamically applies to all VMs in the ASG. By creating an inbound NSG rule that allows TCP 8080 from the web-tier ASG to the app-tier ASG, the administrator achieves the required connectivity without manual IP updates.

Exam trap

The trap here is that candidates often confuse network-level controls (like UDRs or VNet peering) with application-layer access control, or they incorrectly assume that a load balancer rule can replace a security rule for source-based filtering.

How to eliminate wrong answers

Option B is wrong because subnet-to-subnet peering is a VNet peering concept that connects entire virtual networks, not a mechanism to filter traffic between tiers within the same VNet; it does not replace the need for NSG rules to control port-specific access. Option C is wrong because a load balancer backend pool rule distributes incoming traffic to backend VMs, but it does not restrict which source tier can connect to the app tier on TCP 8080; it also requires static IP addresses or DNS names for the backend, not solving the dynamic IP update problem. Option D is wrong because a user-defined route (UDR) controls the next hop for traffic (e.g., forcing traffic through a firewall or virtual appliance), but it does not filter or allow traffic on a specific port; UDRs operate at the network layer (L3) and cannot enforce TCP port-based access control.

347
Multi-Selectmedium

A platform team must enforce two governance rules across every current and future subscription under a management group: only East US and West US deployments are allowed, and every resource must include an Environment tag. Which three actions should the administrator take? Select three.

Select 3 answers
A.Create a policy initiative that groups the governance requirements.
B.Assign the initiative at the management group scope.
C.Include both the allowed locations policy and the required Environment tag policy in the initiative.
D.Assign the policies separately to each existing subscription only.
E.Use an RBAC Contributor role to enforce region and tag compliance.
AnswersA, B, C

An initiative is the right container when multiple related policy definitions must be managed together. It simplifies assignment and reporting for a shared governance objective.

Why this answer

Option A is correct because a policy initiative (also known as a policy set) allows you to group multiple individual Azure Policy definitions into a single, reusable governance package. This simplifies assignment and ensures both the allowed locations and required tag policies are enforced together consistently across all subscriptions under the management group.

Exam trap

The trap here is that candidates often confuse RBAC with Azure Policy, mistakenly thinking a Contributor role can enforce compliance rules, when in fact RBAC controls who can act, while Azure Policy controls what is allowed.

348
MCQeasy

The finance team wants every resource created in one resource group to carry the same CostCenter tag automatically. They want to reduce manual entry and keep the tag value consistent. What should you configure?

A.Ask users to add the tag manually to every resource
B.Assign a Reader role to the finance team
C.Apply a CanNotDelete lock to the resource group
D.Use Azure Policy to inherit the CostCenter tag from the resource group
AnswerD

Azure Policy can enforce consistent tagging by inheriting a tag value from the resource group to child resources. This reduces manual work and helps ensure that new resources receive the same CostCenter value automatically. It is a governance control, so it is the right feature when the goal is standardization rather than access control.

Why this answer

Option D is correct because Azure Policy can enforce tag inheritance from a resource group to all resources within it using the 'Inherit a tag from the resource group' built-in policy effect. This ensures the CostCenter tag is automatically applied to every new or existing resource without manual entry, maintaining consistency and reducing administrative overhead.

Exam trap

The trap here is confusing Azure Policy's tag inheritance with Azure RBAC roles or resource locks, as candidates often mistakenly think a Reader role or a lock can enforce tag consistency, when only Policy can automatically apply tags at scale.

How to eliminate wrong answers

Option A is wrong because asking users to manually add the tag does not reduce manual entry and risks inconsistency or omission, defeating the goal of automation. Option B is wrong because assigning a Reader role to the finance team only grants read-only access to resources, not the ability to enforce or automate tag inheritance. Option C is wrong because applying a CanNotDelete lock prevents deletion of the resource group but does not affect tag assignment or inheritance.

349
MCQmedium

Based on the exhibit, the security team wants AppSubnet to access an Azure Storage account through the public endpoint, but only that subnet should be allowed. They do not want a private IP or DNS changes. What should the administrator configure?

A.Enable the Microsoft.Storage service endpoint on AppSubnet and add AppSubnet as a network rule on the storage account.
B.Create a private endpoint for the storage account and disable public access.
C.Attach a route table that sends storage traffic to the internet.
D.Grant the subnet a Reader role assignment on the storage account.
AnswerA

This keeps the storage account on its public endpoint while restricting access to the selected subnet. Service endpoints identify the traffic as coming from the approved VNet, and the storage firewall rule then allows only AppSubnet. Because no private IP or DNS change is needed, this is the best fit for the requirement.

Why this answer

Option A is correct because enabling the Microsoft.Storage service endpoint on AppSubnet allows traffic from that subnet to reach the storage account over the Azure backbone network using the public endpoint, without requiring a private IP or DNS changes. Adding AppSubnet as a network rule on the storage account restricts access exclusively to that subnet, fulfilling the security team's requirement.

Exam trap

The trap here is that candidates often confuse service endpoints (which use public endpoints with subnet-level restriction) with private endpoints (which use private IPs and DNS changes), leading them to choose the private endpoint option despite the explicit 'no private IP or DNS changes' constraint.

How to eliminate wrong answers

Option B is wrong because creating a private endpoint assigns a private IP to the storage account and changes DNS resolution, which violates the requirement of no private IP or DNS changes. Option C is wrong because attaching a route table that sends storage traffic to the internet does not restrict access to AppSubnet; it merely forces traffic out via the internet, bypassing Azure's service endpoint optimization and not enforcing subnet-level access control. Option D is wrong because granting the subnet a Reader role assignment on the storage account controls management-plane access (e.g., viewing storage account properties) but does not control data-plane access (e.g., reading/writing blobs), which is required for network-level restriction.

350
Multi-Selectmedium

A team wants to monitor average CPU on a small set of Linux VMs and OS disk free space, but they want the lowest telemetry ingestion cost possible. Which two actions should they take? Select two.

Select 2 answers
A.Use a metric alert for the VM CPU metric.
B.Install Azure Monitor Agent and collect only the disk-free-space counter by using a minimal data collection rule.
C.Enable full VM Insights for every guest performance counter.
D.Stream all syslog and event logs to a workspace before creating any alert.
E.Rely on Azure Resource Health to measure guest OS disk free space.
AnswersA, B

CPU is already exposed as a platform metric, so a metric alert avoids unnecessary log ingestion.

Why this answer

Option A is correct because metric alerts for VM CPU are based on platform metrics collected automatically by Azure, incurring no additional ingestion cost. This allows monitoring average CPU without any agent or data collection rule, making it the lowest-cost approach for that metric.

Exam trap

The trap here is that candidates often assume all monitoring requires agents and log ingestion, overlooking that platform metrics (like CPU) are free and agentless, while guest OS metrics (like disk space) can be collected with minimal cost by restricting the DCR to only the needed counter.

351
MCQhard

A data disk was accidentally deleted from a production VM. The team has a snapshot of that disk from the previous night and wants the fastest Azure-side recovery path with the least risk of overwriting the existing OS disk. What should the administrator do first?

A.Restore the entire virtual machine from the snapshot and overwrite the current instance.
B.Create a new managed disk from the snapshot, then attach that disk to the VM.
C.Convert the snapshot into a temporary storage account and copy the files back manually.
D.Recreate the VM from the same marketplace image and restore only the deleted disk later.
AnswerB

The snapshot contains the point-in-time disk state, so the correct first step is to create a new managed disk from it. Once the disk exists, it can be attached to the VM and the data recovered without disturbing the OS disk or other volumes.

Why this answer

Option B is correct because creating a new managed disk from the snapshot and attaching it to the VM is the fastest Azure-side recovery path. This approach directly reuses the existing OS disk without any risk of overwriting it, and the new data disk can be attached within minutes using the Azure portal, CLI, or PowerShell. It avoids any downtime for the VM beyond the brief attach operation.

Exam trap

The trap here is that candidates often assume restoring the entire VM from a snapshot is the fastest recovery method, but they overlook that this overwrites the OS disk and causes full downtime, whereas attaching a new disk from the snapshot is both faster and safer.

How to eliminate wrong answers

Option A is wrong because restoring the entire VM from the snapshot would overwrite the current OS disk, causing unnecessary downtime and risking data loss on the OS disk. Option C is wrong because converting a snapshot into a temporary storage account and manually copying files is inefficient, error-prone, and not a native Azure recovery method—snapshots are designed to create disks directly, not to be exported to storage accounts for manual file recovery. Option D is wrong because recreating the VM from a marketplace image would require reconfiguring the entire VM and then restoring the deleted disk later, which is slower and introduces more complexity and risk than simply attaching a disk from the snapshot.

352
MCQeasy

A VM in a subnet must send traffic to 172.16.0.0/16 through a network virtual appliance, but all other destinations should continue using the default Azure system routes. What should the administrator add to the subnet route table?

A.A route for 0.0.0.0/0 with next hop Virtual appliance.
B.A route for 172.16.0.0/16 with next hop Virtual appliance.
C.An NSG deny rule for all other destinations.
D.A service endpoint for the 172.16.0.0/16 network.
AnswerB

A specific user-defined route for the target prefix sends only that traffic to the appliance while other traffic still uses system routes.

Why this answer

Option B is correct because the requirement is to route traffic destined for 172.16.0.0/16 through a network virtual appliance (NVA) while leaving all other traffic to use the default Azure system routes. Adding a user-defined route (UDR) with destination 172.16.0.0/16 and next hop Virtual appliance overrides the default system route for that specific prefix, ensuring traffic to that range is forwarded to the NVA. All other destinations remain unaffected because the 0.0.0.0/0 default route is not modified.

Exam trap

The trap here is that candidates often confuse the 0.0.0.0/0 route (which controls all internet-bound traffic) with a specific prefix route, mistakenly thinking they must add a default route to force traffic through the NVA, when in fact only the specific destination prefix needs a custom route.

How to eliminate wrong answers

Option A is wrong because adding a route for 0.0.0.0/0 with next hop Virtual appliance would force all internet-bound and other external traffic through the NVA, which violates the requirement that only traffic to 172.16.0.0/16 should use the appliance. Option C is wrong because an NSG deny rule for all other destinations would block traffic to those destinations entirely, rather than allowing them to use default routes; NSGs are stateful filters, not routing controls. Option D is wrong because a service endpoint is used to secure direct connectivity to Azure PaaS services (like Azure Storage or SQL) over the Azure backbone, not to route traffic to an on-premises or virtual network range through an NVA.

353
MCQmedium

A VM sends traffic to 172.16.5.10, but the administrator suspects the traffic is taking an unexpected next hop. They want to see the effective route table applied to the VM NIC, including system routes, user-defined routes, and propagated routes. Which Network Watcher tool should be used?

A.IP flow verify
B.Effective routes
C.Packet capture
D.Connection troubleshoot
AnswerB

Effective routes displays the full route set that applies to a VM NIC, including system, user-defined, and propagated routes. That makes it the right tool when you need to understand why traffic is taking a particular next hop.

Why this answer

Effective routes is the correct Network Watcher tool because it displays the complete route table applied to a VM NIC, including system routes, user-defined routes (UDRs), and BGP-propagated routes from virtual network gateways. This allows the administrator to see exactly which next hop is selected for traffic to 172.16.5.10 based on the longest prefix match, identifying any unexpected routing behavior.

Exam trap

The trap here is that candidates often confuse IP flow verify (which checks NSG rules) with effective routes (which checks routing), leading them to pick A when the question explicitly asks about the route table and next hop, not firewall rules.

How to eliminate wrong answers

Option A is wrong because IP flow verify checks whether traffic is allowed or denied by network security groups (NSGs) for a specific source/destination IP and port, but it does not show the effective route table or next hop information. Option C is wrong because packet capture captures raw network traffic packets for deep inspection, but it does not provide a consolidated view of the effective routes applied to the NIC. Option D is wrong because Connection troubleshoot diagnoses connectivity issues by checking NSG rules, DNS resolution, and latency, but it does not display the effective route table or next hop selection.

354
Multi-Selecthard

A platform team maintains a hardened Windows VM with IIS, an agent, and local configuration files. They need to deploy 40 identical VMs in two regions, preserve version history, and roll back quickly if a new image causes problems. Which two actions should they take? Select two.

Select 2 answers
A.Generalize the source VM before capture by removing machine-specific state.
B.Create an image definition and image version in Azure Compute Gallery.
C.Place the target virtual machines in an availability set.
D.Attach a user-assigned managed identity to the source VM.
E.Enable boot diagnostics on the target virtual machines.
AnswersA, B

Correct. Generalizing removes unique computer-specific settings so the image can be safely cloned many times.

Why this answer

Option A is correct because generalizing the source VM with Sysprep (for Windows) removes machine-specific state like security identifiers (SIDs) and hostnames, making the VM suitable for creating a reusable, generalized image. This is a prerequisite for capturing an image that can be deployed to multiple VMs without conflicts. Without generalization, each VM would retain the original machine's identity, causing domain join and licensing issues.

Exam trap

The trap here is that candidates often confuse 'generalizing the source VM' with 'creating a snapshot' or 'using managed identities,' failing to recognize that Sysprep is mandatory for Windows images and that Azure Compute Gallery is the only service that provides versioning and cross-region replication for managed images.

355
MCQmedium

A reporting team stores read-only analytics files in Azure Blob Storage. The files must replicate to a paired region so they survive a regional outage, and analysts want to read the secondary copy through the secondary endpoint without waiting for failover. Which redundancy option should the administrator choose?

A.LRS
B.ZRS
C.GRS
D.RA-GRS
AnswerD

RA-GRS adds read access to the secondary region, which meets the analyst requirement without a failover event.

Why this answer

RA-GRS (Read-Access Geo-Redundant Storage) is the correct choice because it replicates data to a paired secondary region (geo-redundancy) and enables read access to the secondary copy via the secondary endpoint without requiring a failover. This meets the requirement for both regional disaster recovery and immediate read access to the secondary copy.

Exam trap

The trap here is that candidates often confuse GRS with RA-GRS, assuming that GRS automatically provides read access to the secondary copy, but in reality, GRS requires a failover to make the secondary endpoint readable, while RA-GRS explicitly enables read access without failover.

How to eliminate wrong answers

Option A (LRS) is wrong because it only replicates data within a single data center in the primary region, providing no protection against a regional outage. Option B (ZRS) is wrong because it replicates data synchronously across three availability zones within a single region, but does not replicate to a paired region, so it cannot survive a full regional outage. Option C (GRS) is wrong because while it replicates data to a paired region, it does not allow read access to the secondary copy unless a failover is initiated; the secondary endpoint is not available for reads until then.

356
Multi-Selectmedium

A company has many subscriptions arranged under a management group named Corp. The audit team needs Reader access to every current and future subscription in Corp, and the administrator wants only one role assignment to maintain. Which two actions should be taken? Select two.

Select 2 answers
A.Assign Reader at the Corp management group scope.
B.Ensure all existing and new subscriptions remain under the Corp management group.
C.Assign Reader separately on each subscription.
D.Assign Reader at the tenant root and remove the management group.
E.Create a resource group for each subscription and assign Reader there.
AnswersA, B

A management group assignment is inherited by subscriptions beneath that group. This gives the audit team a single place to manage access while automatically covering current and future child subscriptions.

Why this answer

Assigning the Reader role at the Corp management group scope grants read-only access to all current and future subscriptions within that management group. This is because Azure RBAC roles assigned at a management group are inherited by all child subscriptions, eliminating the need for individual assignments. This approach satisfies the requirement of a single role assignment that covers all subscriptions.

Exam trap

The trap here is that candidates may think Reader must be assigned at each subscription individually (Option C) or at the tenant root (Option D), overlooking the inheritance behavior of management groups that allows a single assignment to cover all current and future subscriptions under a management group.

357
MCQeasy

A company stores customer documents in Azure Blob Storage. The business requires the data to stay available if one availability zone in the region has an outage. Which redundancy option should the administrator choose?

A.Locally redundant storage (LRS)
B.Zone-redundant storage (ZRS)
C.Geo-redundant storage (GRS)
D.Read-access geo-redundant storage (RA-GRS)
AnswerB

ZRS keeps synchronous copies across multiple availability zones in the same region, which helps the storage remain available during a single-zone failure.

Why this answer

Zone-redundant storage (ZRS) replicates data synchronously across three Azure availability zones within a primary region, ensuring data remains accessible if one zone fails. This meets the requirement for intra-region zone-level fault tolerance without the cost or complexity of geo-replication.

Exam trap

The trap here is that candidates often confuse 'zone redundancy' with 'geo-redundancy' and pick GRS or RA-GRS, not realizing that those options protect against region-wide outages, not zone-level failures within a single region.

How to eliminate wrong answers

Option A is wrong because Locally redundant storage (LRS) replicates data three times within a single data center in one availability zone, so an entire zone outage would make data unavailable. Option C is wrong because Geo-redundant storage (GRS) replicates data to a paired secondary region for cross-region disaster recovery, but it does not protect against a single zone outage within the primary region unless combined with ZRS (i.e., GZRS). Option D is wrong because Read-access geo-redundant storage (RA-GRS) adds read access to the secondary region but still does not provide zone-level redundancy within the primary region; it also incurs higher cost and latency for the geo-replication feature.

358
Drag & Dropmedium

Order the steps to set up Azure Site Recovery for on-premises to Azure.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Create vault, configure, install agent, enable replication, then test failover.

359
MCQhard

You need to resize a production VM from Standard_D2s_v5 to Standard_D4s_v5 by using Azure CLI. `az vm list-vm-resize-options` shows the target size, but `az vm resize` fails while the VM is running. Which action should you take first?

A.Run `az vm stop`, then resize the VM.
B.Run `az vm deallocate`, then resize the VM, then start it again.
C.Run `az vm restart`, then resize the VM.
D.Run `az vm generalize`, then recreate the VM from the image.
AnswerB

Azure often requires the VM to be deallocated before a size change succeeds because the target size may need different host resources. Deallocation releases the current compute allocation, which lets Azure place the VM on compatible hardware. After resizing, you start the VM again and the new size takes effect. This is the key difference between stop and deallocate in Azure operations.

Why this answer

Option B is correct because resizing a VM to a different size often requires the VM to be in a deallocated state, especially when the new size is in a different hardware cluster or when the VM is currently running and the resize operation fails. The `az vm deallocate` command releases the underlying hardware resources, allowing the VM to be resized to any available size, including Standard_D4s_v5, and then you can start it again. This is a common requirement for production VMs when live resizing is not supported or fails.

Exam trap

The trap here is that candidates often confuse 'stop' with 'deallocate' — while both halt the VM, only deallocate releases the underlying hardware reservation, which is necessary for resizing across different hardware clusters or when live resize fails.

How to eliminate wrong answers

Option A is wrong because `az vm stop` only stops the VM but does not release the underlying hardware allocation, which may still prevent resizing to a different size if the target size is not available on the current host. Option C is wrong because `az vm restart` simply reboots the VM without changing its allocation state, so it does not resolve the underlying hardware constraint that caused the resize failure. Option D is wrong because `az vm generalize` prepares the VM for image creation by removing machine-specific information, which is unnecessary and destructive for a simple resize operation; it would require recreating the VM from the image, not just resizing it.

360
Multi-Selecthard

VM-App01 is responding slowly and appears to be on a degraded Azure host. You must keep the VM resource, keep its disks and NIC, and move it to fresh infrastructure before further troubleshooting. Which two actions can achieve that goal? Select two.

Select 2 answers
A.Redeploy the VM.
B.Delete the VM and recreate it from the OS disk.
C.Capture the VM into a generalized image.
D.Stop/deallocate the VM.
E.Convert the VM to an availability set.
AnswersA, D

Redeploying a VM instructs Azure to move it to new underlying infrastructure while preserving the VM resource and attached disks. It is a direct response when you suspect the current host is unhealthy.

Why this answer

Redeploying the VM (Option A) moves the VM to a new Azure host node while preserving the VM resource, its disks, and NIC. This is the correct action because it resolves host-level degradation without deleting or recreating the VM. Stopping/deallocating the VM (Option D) releases the underlying hardware lease, which forces the VM to be placed on a new host when started again, also preserving the VM resource, disks, and NIC.

Exam trap

The trap here is that candidates often confuse 'Redeploy' with 'Delete and recreate' or think that stopping the VM is insufficient, but in Azure, stop/deallocate is the standard way to force a host migration while keeping the VM resource intact.

361
MCQhard

Your company wants to enforce a standard list of allowed Azure regions for all new resource deployments across several subscriptions. You need a centralized governance solution that can be assigned once and inherited by the child subscriptions. What should you use?

A.An Azure Policy assigned at the management group scope
B.A custom RBAC role assigned at each subscription
C.A CanNotDelete lock on each subscription
D.A budget alert on each subscription
AnswerA

A management group policy assignment is inherited by child subscriptions and can restrict allowed locations centrally.

Why this answer

Azure Policy assigned at the management group scope is the correct centralized governance solution because it enforces a standard list of allowed Azure regions across all subscriptions under that management group. Policies at the management group level are inherited by all child subscriptions, ensuring consistent compliance without requiring individual assignment per subscription.

Exam trap

The trap here is confusing Azure Policy (which enforces rules on resource properties) with RBAC (which controls access permissions), leading candidates to incorrectly choose a custom RBAC role thinking it can restrict regions.

How to eliminate wrong answers

Option B is wrong because a custom RBAC role controls permissions (who can do what) but does not enforce resource configuration rules like allowed regions. Option C is wrong because a CanNotDelete lock prevents deletion of resources but does not restrict which regions can be used for new deployments. Option D is wrong because a budget alert monitors spending and triggers notifications, but it does not enforce regional restrictions or prevent deployments in non-allowed regions.

362
MCQmedium

A subnet contains several application servers. You need to allow inbound TCP 3389 only from a management subnet named Subnet-Mgmt and deny RDP from all other sources. What should you do?

A.Create an NSG rule allowing TCP 3389 from the Subnet-Mgmt address range and rely on the default deny afterward.
B.Create a route table that sends RDP traffic to the management subnet.
C.Deploy a private endpoint for each application server.
D.Enable service endpoints on the application subnet.
AnswerA

This is the correct way to permit RDP from a specific source while denying other sources.

Why this answer

Option A is correct because Network Security Groups (NSGs) in Azure filter traffic based on rules that are evaluated in priority order. By creating an inbound rule that allows TCP 3389 (RDP) from the Subnet-Mgmt address range, and relying on the default implicit deny rule that blocks all other inbound traffic, you effectively restrict RDP access to only the management subnet. No additional configuration is needed to deny traffic from other sources, as the default deny handles that automatically.

Exam trap

The trap here is that candidates often think they need to explicitly create a deny rule for all other sources, not realizing that NSGs have a built-in default deny rule that automatically blocks traffic not matching any allow rule.

How to eliminate wrong answers

Option B is wrong because route tables control the path traffic takes through the network, not the permission to access a resource; sending RDP traffic to the management subnet via a route does not deny RDP from other sources and could actually route traffic incorrectly. Option C is wrong because private endpoints are used to securely access Azure PaaS services (like Azure SQL or Storage) over a private IP address, not to filter inbound RDP traffic to application servers; they do not provide network-level access control for VM RDP. Option D is wrong because service endpoints extend a virtual network's private address space to Azure services (like Azure Storage or SQL Database) to improve security, but they do not filter inbound RDP traffic to VMs; they are unrelated to RDP access control.

363
MCQmedium

An operations team needs to start and deallocate every virtual machine in RG-App and read VM settings, but they must not be able to delete VMs or manage networking resources. What is the best Azure RBAC solution?

A.Assign the Virtual Machine Contributor role at the subscription scope
B.Create a custom role and assign it at the RG-App resource group scope
C.Assign the Reader role at the resource group scope
D.Assign the Owner role at the resource group scope
AnswerB

A custom role can include only the start, deallocate, and read actions needed for that resource group.

Why this answer

Option B is correct because the required permissions—starting, deallocating, and reading VM settings—are not fully covered by any built-in role, and the custom role must be scoped to RG-App to avoid granting broader access. A custom role allows combining Microsoft.Compute/virtualMachines/start/action, Microsoft.Compute/virtualMachines/deallocate/action, and Microsoft.Compute/virtualMachines/read, while explicitly excluding delete and networking management actions. Assigning at the resource group scope ensures the permissions apply only to resources within RG-App.

Exam trap

The trap here is that candidates often choose Virtual Machine Contributor (Option A) because it seems to cover VM operations, but they overlook that it includes delete and networking management permissions, and that scoping at subscription level grants excessive access beyond the RG-App resource group.

How to eliminate wrong answers

Option A is wrong because Virtual Machine Contributor at subscription scope grants the ability to delete VMs and manage networking resources (e.g., virtual networks), which violates the requirement to prevent deletion and networking management. Option C is wrong because Reader role provides read-only access (Microsoft.Compute/virtualMachines/read) but does not include the start or deallocate actions, so the team cannot perform the required operations. Option D is wrong because Owner role at resource group scope grants full control, including deletion of VMs and management of all networking resources, which exceeds the required permissions and violates the restrictions.

364
MCQmedium

Backend virtual machines are rebuilt frequently and often receive different private IP addresses. An administrator must allow the frontend tier to reach the backend tier on TCP 8443 without editing NSG rules every time the backend IP changes. What should the administrator use in the NSG rule?

A.A static private IP address for each backend VM.
B.An Application Security Group that contains the backend VMs.
C.A user-defined route pointing frontend traffic to the backend subnet.
D.A private endpoint for the backend tier.
AnswerB

Application Security Groups let the administrator group backend VMs logically and reference that group in NSG rules instead of individual IP addresses. This is ideal when backend IPs change or VMs are replaced. The NSG rule remains stable while the backend membership changes, which reduces operational overhead and improves consistency.

Why this answer

An Application Security Group (ASG) allows you to group backend VMs logically and reference that group in a Network Security Group (NSG) rule. When backend VMs are rebuilt and receive new private IPs, you simply add the new VMs to the same ASG, and the existing NSG rule (which references the ASG as the destination) automatically applies to the new IPs without any manual rule edits. This decouples security policy from dynamic IP addresses, making it the ideal solution for frequently changing backend IPs.

Exam trap

The trap here is that candidates often confuse Application Security Groups (logical grouping for NSG rules) with User-Defined Routes (path control) or Private Endpoints (PaaS connectivity), leading them to pick a routing or endpoint solution instead of the correct security-grouping mechanism.

How to eliminate wrong answers

Option A is wrong because assigning a static private IP address to each backend VM would require manual reconfiguration or scripting every time a VM is rebuilt, and it does not scale or automate the process of keeping the NSG rule valid when VMs are replaced. Option C is wrong because a user-defined route (UDR) controls the next hop for traffic (routing path), not the security filtering of traffic; it cannot replace an NSG rule that allows or denies traffic on TCP 8443. Option D is wrong because a private endpoint is used to securely connect to Azure PaaS services (e.g., Azure SQL, Storage) over a private IP, not to group and secure traffic between frontend and backend VMs within a virtual network.

365
Multi-Selecteasy

A support engineer finds a blob that was moved to the Archive tier by a lifecycle rule and must download it today. Which two actions are required before the blob can be read? Select two.

Select 2 answers
A.Change the blob access tier from Archive to Hot or Cool.
B.Wait until the rehydration operation finishes.
C.Download the blob directly from Archive without any tier change.
D.Disable the lifecycle management policy for the storage account.
E.Create a new container and copy the archived blob into it.
AnswersA, B

Archived blobs are offline, so the blob must first be rehydrated into an online tier such as Hot or Cool before it can be read.

Why this answer

Option A is correct because a blob in the Archive tier is offline and cannot be read directly. You must change its access tier to Hot or Cool (a process called rehydration) to make it available for download. This tier change initiates an asynchronous operation that moves the blob from the archived state to an online tier.

Exam trap

The trap here is that candidates often think they can directly download or copy an archived blob without rehydration, overlooking that Archive tier blobs are offline and require a tier change operation to become readable.

366
MCQeasy

A team wants to keep Azure platform logs for a storage account in a central location and analyze them with queries. The logs should be queryable together with other Azure resource logs. What destination should the administrator choose for the diagnostic setting?

A.A Log Analytics workspace
B.A storage account only
C.An action group
D.A management group
AnswerA

A Log Analytics workspace is the destination used for centralized log storage and KQL-based analysis across resources.

Why this answer

A Log Analytics workspace is the correct destination because it allows you to collect Azure platform logs (such as resource logs, activity logs, and metrics) from multiple resources into a central location. These logs can then be queried together using Kusto Query Language (KQL) across different resource types, enabling cross-resource analysis and correlation. This meets the requirement for queryable logs alongside other Azure resource logs.

Exam trap

The trap here is that candidates often confuse a storage account as a valid destination for log analysis because it can store logs, but they overlook that it lacks native querying capabilities and cannot integrate with other resource logs for cross-analysis.

How to eliminate wrong answers

Option B is wrong because a storage account only stores logs as blobs or files, which are not directly queryable with KQL and cannot be analyzed together with other resource logs in real time. Option C is wrong because an action group is used to send notifications (e.g., email, SMS) or trigger automated actions based on alerts, not to store or query logs. Option D is wrong because a management group is a scope for managing governance, policy, and compliance across multiple subscriptions, not a destination for diagnostic log data.

367
MCQeasy

A storage account must be reachable only from resources in one Azure subnet, and public network access should not be used. Which configuration best meets this requirement?

A.Enable blob versioning on the storage account
B.Create a private endpoint for the storage account in the subnet
C.Assign a ReadOnly lock to the storage account
D.Enable a shared access signature
AnswerB

A private endpoint gives the storage account a private IP address in the subnet, so traffic stays on private network paths.

Why this answer

A private endpoint assigns the storage account a private IP address from the specified Azure subnet, effectively bringing the storage account into the virtual network. This ensures that all traffic to the storage account stays within the Microsoft Azure backbone network and never traverses the public internet, meeting the requirement to restrict access exclusively to resources in that subnet while disabling public network access.

Exam trap

The trap here is that candidates often confuse network-level access controls (private endpoints) with data-level access controls (SAS tokens) or management-level controls (locks), mistakenly thinking a SAS token or a lock can restrict network access to a specific subnet.

How to eliminate wrong answers

Option A is wrong because enabling blob versioning only preserves previous versions of blobs for data protection and recovery; it does not restrict network access to a specific subnet. Option C is wrong because assigning a ReadOnly lock prevents accidental deletion or modification of the storage account but has no effect on network-level access control or subnet restriction. Option D is wrong because a shared access signature (SAS) provides delegated, time-limited access to storage resources but still relies on the public endpoint and does not restrict access to a specific subnet or disable public network access.

368
MCQeasy

Based on the exhibit, what should the administrator do so the hub and spoke can be peered successfully?

A.Keep the current ranges and enable gateway transit on the peering.
B.Change the spoke VNet to a non-overlapping address space.
C.Add another subnet inside the spoke VNet and reuse the current address space.
D.Create a network security group on the spoke subnet before peering.
AnswerB

Azure VNet peering requires unique, non-overlapping IP ranges. Changing the spoke to a different CIDR block resolves the conflict and allows the peering to be created.

Why this answer

VNet peering requires that the address spaces of the peered VNets do not overlap. Overlapping IP ranges cause routing conflicts and prevent successful peering. Changing the spoke VNet to a non-overlapping address space resolves this issue and allows the peering to be established.

Exam trap

The trap here is that candidates may think overlapping subnets can be worked around by using NSGs or gateway transit, but Azure VNet peering strictly requires non-overlapping VNet address spaces at the time of peering creation.

How to eliminate wrong answers

Option A is wrong because enabling gateway transit on the peering does not resolve overlapping address spaces; it only allows the spoke to use the hub's VPN/ExpressRoute gateway, but the peering itself will still fail if IP ranges overlap. Option C is wrong because adding another subnet within the same overlapping address space does not eliminate the conflict; the entire VNet address space must be unique for peering to succeed. Option D is wrong because creating a network security group (NSG) on the spoke subnet does not affect the underlying IP address overlap; NSGs filter traffic but do not resolve routing conflicts caused by overlapping ranges.

369
MCQeasy

A company hosts documents in Azure Blob Storage. The files must remain available if one availability zone in the region fails. Which redundancy option should the administrator choose?

A.LRS, because it keeps three copies within one datacenter.
B.ZRS, because it stores copies across multiple availability zones in the region.
C.GRS, because it automatically makes the account available in another region for reads.
D.RA-GRS, because it is the only option that keeps a secondary copy.
AnswerB

ZRS places copies of the data across availability zones in the same region, which helps the storage remain available during a zone failure.

Why this answer

B is correct because Zone-Redundant Storage (ZRS) synchronously replicates data across three Azure availability zones within a primary region, ensuring data remains accessible if one zone fails. This meets the requirement for high availability within a single region without relying on a secondary region.

Exam trap

The trap here is that candidates often confuse LRS (three copies in one datacenter) with zone-level redundancy, or they incorrectly assume GRS or RA-GRS are needed for intra-region availability, when ZRS is the correct choice for zone failure protection within a single region.

How to eliminate wrong answers

Option A is wrong because Locally Redundant Storage (LRS) replicates data three times within a single datacenter, not across availability zones, so it does not protect against an entire zone failure. Option C is wrong because Geo-Redundant Storage (GRS) replicates data to a secondary region, but it does not provide zone-level redundancy within the primary region; it also does not automatically enable reads from the secondary region without manual failover or RA-GRS. Option D is wrong because Read-Access Geo-Redundant Storage (RA-GRS) provides a secondary read-only copy in another region, but it is not the only option with a secondary copy (GRS also has one), and it does not address zone failure within the primary region.

370
MCQeasy

A line-of-business app must keep serving users if an entire Azure region becomes unavailable. Is Azure Backup by itself enough to meet this requirement?

A.Yes, because backup alone guarantees immediate failover to another region
B.No, you also need disaster recovery replication such as Azure Site Recovery
C.Yes, as long as the VM has a backup policy
D.Yes, if diagnostic settings are enabled on the VM
AnswerB

Azure Backup protects data for recovery, but it does not keep the application running during a regional outage. Disaster recovery replication is needed for failover capability.

Why this answer

Azure Backup is designed to protect data by creating recovery points that can be used to restore VMs or files, but it does not provide automatic failover or continuous replication to another region. To meet the requirement of keeping an app running during a regional outage, you need a disaster recovery solution like Azure Site Recovery, which replicates VMs to a secondary region and enables orchestrated failover with minimal downtime.

Exam trap

The trap here is that candidates confuse data protection (backup) with high availability/disaster recovery, assuming that having backups automatically means the application can continue running during a regional outage.

How to eliminate wrong answers

Option A is wrong because Azure Backup alone does not guarantee immediate failover; it requires manual restore processes that can take significant time and do not provide automatic traffic redirection. Option C is wrong because having a backup policy only ensures data is backed up, not that the app can continue serving users during a regional outage without additional replication. Option D is wrong because diagnostic settings on a VM are used for monitoring and logging, not for disaster recovery or failover capabilities.

371
MCQmedium

A storage account named stfinance01 contains critical data. Administrators must still be able to read and modify the data, but no one should be able to delete the storage account accidentally. What should you configure?

A.A CanNotDelete lock on stfinance01.
B.A ReadOnly lock on stfinance01.
C.A policy assignment that audits storage accounts.
D.An NSG rule denying outbound traffic from the subnet.
AnswerA

This prevents accidental deletion while allowing permitted write operations.

Why this answer

A CanNotDelete lock on stfinance01 prevents the storage account from being deleted while still allowing administrators to read and modify data. This lock type blocks delete operations at the resource level, but does not restrict read or write access, which is exactly what the requirement specifies.

Exam trap

The trap here is that candidates often confuse resource locks with role-based access control (RBAC) or network security groups, thinking a ReadOnly lock or NSG rule can prevent accidental deletion, but only a CanNotDelete lock directly blocks delete operations at the resource level.

How to eliminate wrong answers

Option B is wrong because a ReadOnly lock would prevent administrators from modifying data, which violates the requirement that they must still be able to read and modify the data. Option C is wrong because a policy assignment that audits storage accounts only evaluates compliance and generates logs; it does not prevent deletion of the storage account. Option D is wrong because an NSG rule denying outbound traffic from the subnet controls network traffic at the subnet level, not resource-level deletion permissions, and has no effect on Azure Resource Manager delete operations.

372
MCQeasy

Based on the exhibit, a Windows VM must install IIS and run a configuration script automatically right after deployment. The administrator does not want to sign in to the VM manually. Which Azure feature should be used?

A.Azure Policy with a modify effect.
B.Virtual machine extension, such as the Custom Script Extension.
C.An availability set.
D.A private endpoint.
AnswerB

A VM extension is designed to run guest-level tasks after the VM is created. The Custom Script Extension can download and execute a script to install IIS or perform configuration without requiring manual sign-in. This is the standard Azure feature for simple post-deployment automation on a VM.

Why this answer

The Custom Script Extension (CSE) is the correct Azure feature because it allows you to run PowerShell or Bash scripts on a VM after deployment without manual sign-in. By specifying the script in the VM's deployment template or via Azure CLI/Portal, IIS can be installed and the configuration script executed automatically during provisioning. This aligns with the requirement for zero-touch post-deployment automation.

Exam trap

The trap here is that candidates often confuse Azure Policy (which can only audit or remediate resource configurations at the ARM level) with the ability to run guest OS scripts, mistakenly thinking a 'modify effect' can install software, when in fact it cannot execute code inside the VM.

How to eliminate wrong answers

Option A is wrong because Azure Policy with a modify effect is used to enforce compliance rules (e.g., ensuring a tag exists) and cannot execute arbitrary scripts like installing IIS or running a configuration script; it operates at the resource management layer, not inside the guest OS. Option C is wrong because an availability set is a logical grouping of VMs to ensure high availability across fault and update domains; it has no capability to run scripts or install software. Option D is wrong because a private endpoint provides a private IP address for secure connectivity to Azure PaaS services (e.g., Storage, SQL) over a virtual network; it does not execute scripts or configure the VM's operating system.

373
MCQeasy

Based on the exhibit, three Azure virtual machines run the same automation script. The VMs are rebuilt often, and the team wants one identity that can be reused across all three VMs and retained even if a VM is replaced. Which identity type should the administrator use?

A.System-assigned managed identity on each VM, because each VM gets the same identity automatically.
B.A user-assigned managed identity attached to all three VMs.
C.An Azure AD guest user account, because the same account can sign in from every VM.
D.A shared storage account key, because it can be used by multiple VMs without extra configuration.
AnswerB

A user-assigned managed identity is independent of any single VM and can be attached to multiple resources. That makes it ideal when several VMs need the same identity and the identity must survive if a VM is deleted, rebuilt, or replaced during maintenance or scaling.

Why this answer

A user-assigned managed identity is the correct choice because it is created as a standalone Azure resource and can be assigned to multiple VMs. Unlike system-assigned identities, which are tied to the lifecycle of a single VM, a user-assigned identity persists independently and remains available even when VMs are rebuilt or replaced. This allows the automation script to use the same identity across all three VMs without needing to reconfigure permissions after each rebuild.

Exam trap

The trap here is that candidates confuse system-assigned and user-assigned managed identities, assuming that 'system-assigned' means the same identity is automatically shared across all VMs, when in fact each system-assigned identity is unique and tied to a single VM's lifecycle.

How to eliminate wrong answers

Option A is wrong because a system-assigned managed identity is tied to the lifecycle of a single VM; when a VM is deleted, the identity is also deleted, so it cannot be reused across multiple VMs or retained after VM replacement. Option C is wrong because an Azure AD guest user account is designed for external collaboration and cannot be used as a VM identity for Azure resource access; it would require interactive sign-in and does not support the automated, non-interactive authentication needed by a script. Option D is wrong because a shared storage account key is a static secret that must be securely stored and rotated, and it does not provide a managed identity for Azure AD authentication; using keys also violates the principle of least privilege and introduces security risks.

374
MCQmedium

A contractor should be able to view resources in one resource group for 30 days. When the contract ends, removing the contractor from the group should immediately remove access. What is the best approach?

A.Assign Reader directly to the contractor's user account at the resource group scope.
B.Assign Reader to an Entra ID group and add the contractor to that group.
C.Assign Reader at the subscription scope to the contractor so access is simple.
D.Create a CanNotDelete lock on the resource group until the contract ends.
AnswerB

Group-based role assignment is the best operational choice because access follows group membership rather than individual user objects. When the contractor is removed from the group, the RBAC assignment no longer applies to that person. It also makes temporary access easier to manage and reduces the risk of forgotten direct permissions.

Why this answer

Assigning the Reader role to an Entra ID group and adding the contractor as a member allows centralized access management. When the contractor is removed from the group, the role assignment is immediately revoked because Azure RBAC evaluates group membership at the time of authorization. This meets the 30-day requirement and ensures instant access removal upon contract termination.

Exam trap

The trap here is that candidates often confuse access control mechanisms, mistakenly thinking a resource lock (CanNotDelete) can restrict read access, or that assigning a role at a broader scope is simpler without considering the security implications of over-permissioning.

How to eliminate wrong answers

Option A is wrong because assigning Reader directly to the contractor's user account requires manual deletion of the role assignment to remove access, which is less efficient and prone to delay or oversight. Option C is wrong because assigning Reader at the subscription scope grants access to all resource groups in the subscription, violating the principle of least privilege and potentially exposing resources beyond the intended group. Option D is wrong because a CanNotDelete lock prevents deletion of the resource group but does not control read access; the contractor would still be able to view resources even after the contract ends.

375
MCQmedium

Based on the exhibit, every resource created in RG-Finance must automatically receive CostCenter=FIN, but deployments should not fail if the tag is omitted. What should you configure?

A.Assign an Azure Policy with the Modify effect at RG-Finance.
B.Assign an RBAC role that forces all users to enter the tag.
C.Apply a ReadOnly lock to the resource group.
D.Use Azure Policy with a Deny effect at the management group.
AnswerA

Modify is the right policy effect when you want Azure to add or update a tag without failing the deployment. Assigning it at the resource group ensures the requirement applies only to RG-Finance and keeps the CostCenter value consistent.

Why this answer

Option A is correct because the Azure Policy 'Modify' effect can automatically add the CostCenter=FIN tag to resources in RG-Finance without causing deployment failures if the tag is omitted. Unlike 'Deny', which blocks non-compliant deployments, 'Modify' uses a remediation task to append the missing tag after creation, ensuring compliance without disruption.

Exam trap

The trap here is confusing the 'Modify' effect with the 'Deny' effect; candidates often choose 'Deny' because it enforces compliance, but fail to notice the requirement that deployments should not fail if the tag is omitted.

How to eliminate wrong answers

Option B is wrong because RBAC roles control permissions (who can do what), not resource tagging; they cannot force tag entry or automatically apply tags. Option C is wrong because a ReadOnly lock prevents any modifications to resources in the resource group, including tag updates, which would block the automatic addition of the CostCenter tag. Option D is wrong because the Deny effect would reject any deployment that omits the CostCenter tag, causing failures, which contradicts the requirement that deployments should not fail.

Page 4

Page 5 of 16

Page 6