AZ-104 (AZ-104) — Questions 376–450

1170 questions total · 16 pages · All types, answers revealed


Page 6 of 16

Question 376 · MCQ · easy

Based on the exhibit, the team wants a readable, repeatable deployment definition stored in source control. Which approach should they use for the Azure resources?

A. Azure Policy because it enforces the deployment automatically.
B. Bicep because it provides a concise declarative syntax for Azure deployments.
C. A runbook in Azure Automation because it is always easier to read than templates.
D. A resource lock because it prevents unauthorized changes to the deployment.

Answer: B

Bicep is the best choice because it is a declarative Azure language that is easier to read and maintain than raw ARM JSON. It works well in source control, supports code review, and is commonly used to define repeatable infrastructure deployments.

Why this answer

Bicep is a domain-specific language (DSL) that provides a concise, declarative syntax for deploying Azure resources. It is designed to be more readable than ARM templates and can be stored in source control, enabling repeatable, version-controlled deployments. This directly meets the team's requirement for a readable, repeatable deployment definition.

Exam trap

The trap here is that candidates often confuse governance tools (Azure Policy) or operational scripts (runbooks) with infrastructure-as-code solutions, overlooking that Bicep is the native, declarative language designed specifically for repeatable Azure resource deployments.

How to eliminate wrong answers

Option A is wrong because Azure Policy is a governance tool that enforces compliance rules on existing resources, not a mechanism for defining and deploying infrastructure. Option C is wrong because runbooks in Azure Automation are primarily for process automation and orchestration tasks, not for declarative infrastructure deployment; they are typically written in PowerShell or Python and are less readable than Bicep templates for defining resources. Option D is wrong because a resource lock is a safeguard that prevents deletion or modification of resources, not a deployment definition or template.

Question 377 · MCQ · hard

You have a virtual machine scale set that must increase the number of instances automatically when average CPU utilization exceeds 75 percent and decrease when utilization drops below 30 percent. What should you configure?

A. An Azure Monitor autoscale rule on the scale set
B. A boot diagnostics configuration
C. An availability set
D. A custom script extension

Answer: A

Autoscale rules support scaling out and in based on CPU thresholds.

Why this answer

Azure Monitor autoscale rules allow you to define conditions for automatically scaling out (increasing instances) when average CPU utilization exceeds a threshold (e.g., 75%) and scaling in (decreasing instances) when it drops below a lower threshold (e.g., 30%). These rules are applied directly to the virtual machine scale set, enabling dynamic scaling based on performance metrics.

Exam trap

The trap here is that candidates may confuse autoscale rules with other VM configuration options like boot diagnostics or custom script extensions, not realizing that autoscaling is a dedicated feature of Azure Monitor applied to scale sets.

How to eliminate wrong answers

Option B is wrong because boot diagnostics configuration captures serial console output and screenshots for troubleshooting VM boot failures, not for scaling decisions. Option C is wrong because an availability set is a logical grouping of VMs for high availability within a single region, not a mechanism for autoscaling based on CPU utilization. Option D is wrong because a custom script extension runs scripts on VMs for post-deployment configuration or software installation, not for monitoring or triggering scale events.

Question 378 · Multi-Select · hard

RG-Prod is locked during a change freeze with a CanNotDelete lock. Administrators still need to keep the environment healthy without removing the lock. Which three actions can still be completed? Select three.

Select 3 answers
A. Change the size of an existing virtual machine in the resource group.
B. Delete an unused storage account from the resource group.
C. Add or update a tag on an existing resource.
D. Delete the entire resource group to rebuild it from scratch.
E. Create a new storage account in the locked resource group.

Answers: A, C, E

CanNotDelete blocks deletion, but it does not block normal write operations such as resizing an existing VM.

Why this answer

A CanNotDelete lock prevents deletion of resources but allows all management operations that do not involve deletion. Changing the size of an existing virtual machine (A), adding or updating a tag (C), and creating a new storage account in the resource group (E) are all write operations rather than deletions, so they remain permitted under this lock type. Options B and D both delete something, the storage account and the resource group itself, which is exactly what the lock blocks.

Exam trap

The trap here is that candidates often confuse CanNotDelete with ReadOnly locks, thinking all modifications are blocked, or they assume creating new resources is prevented by a lock, but CanNotDelete only blocks deletion, not creation or modification.

Question 379 · MCQ · medium

A subnet has a user-defined route for 0.0.0.0/0 that sends traffic to a network virtual appliance at 10.10.1.4. The VM in the subnet still reaches an Azure Storage account using the public endpoint, but the administrator expected all outbound traffic to go through the NVA. What is the most likely reason?

A. Azure always ignores user-defined routes for storage traffic.
B. The storage account traffic is using a more specific route than the 0.0.0.0/0 route.
C. NSG outbound rules override user-defined routes in Azure.
D. The subnet needs a public IP address assigned to each VM for the route to take effect.

Answer: B

Route selection prefers the most specific matching prefix. If a more specific route exists for the storage destination, it can win over the default route to the NVA. This is why forced tunneling designs must be checked against specific system or learned routes. Understanding route precedence is essential when traffic does not follow the default next hop that appears to be in place.

Why this answer

The most likely reason is that the storage account traffic is using a more specific route than the 0.0.0.0/0 route. Azure uses longest prefix match routing, so a route with a longer, more specific prefix (for example, a route covering the Azure Storage public address range) takes precedence over the default route. The 0.0.0.0/0 route only applies when no more specific route exists, and Azure can add more specific platform routes for Azure services such as Storage (for instance, when a service endpoint is enabled on the subnet); a more specific route wins regardless of whether it is user-defined or system-defined.

Exam trap

The trap here is that candidates often assume a default route (0.0.0.0/0) will catch all outbound traffic, forgetting that Azure's platform routes for Azure services (like Storage) can be more specific and take precedence over user-defined routes.

How to eliminate wrong answers

Option A is wrong because Azure does not ignore user-defined routes for storage traffic; it honors them unless a more specific route (such as a route defined with a service tag, or a platform route) exists. Option C is wrong because NSG outbound rules do not override user-defined routes; NSGs filter traffic according to their rules, but routing decisions are made by the route table, not by NSGs. Option D is wrong because a public IP address on a VM is not required for a user-defined route to take effect; the route applies to all outbound traffic from the subnet regardless of public IP assignment.

Question 380 · MCQ · medium

Two VM scale sets named Web and App run in separate subnets. The App subnet NSG already contains Deny-All-Inbound at priority 300. The business wants only the Web tier to connect to the App tier on TCP 8443, and any new scale-out instances must be included automatically. What should the administrator add?

A. A rule that allows TCP 8443 from the current Web subnet address range to the App subnet.
B. An inbound allow rule using source WebASG, destination AppASG, TCP 8443, with a priority lower than 300.
C. A load balancer NAT rule that maps port 8443 from the Internet to the App tier.
D. A service endpoint for Microsoft.Web on both subnets.

Answer: B

Application security groups let you target groups of VMs by workload rather than by static IPs. A rule that allows TCP 8443 from WebASG to AppASG automatically includes future scale-set instances as they join the ASGs. The rule must also have a lower priority number than the existing deny rule; otherwise the deny rule is evaluated first and wins.

Why this answer

Option B is correct because it uses an Application Security Group (ASG) as the source and destination, which automatically includes all current and future VM instances in the Web and App scale sets. The rule allows TCP 8443 from WebASG to AppASG with a priority lower than 300 (e.g., 250) so it is evaluated before the Deny-All-Inbound rule at priority 300. This ensures that only the Web tier can connect to the App tier on the specified port, and new scale-out instances are included automatically without manual NSG updates.

Exam trap

The trap here is that candidates often choose a static subnet-based rule (Option A) because it seems simpler, failing to recognize that ASGs are required to automatically include new scale-out instances without manual NSG updates.

How to eliminate wrong answers

Option A is wrong because it uses a static subnet address range, which does not automatically include new scale-out instances that may have different IP addresses, and it would require manual updates to the NSG rule. Option C is wrong because a load balancer NAT rule maps inbound traffic from the Internet to the App tier, which violates the requirement that only the Web tier should connect, and it exposes the App tier to external access. Option D is wrong because a service endpoint for Microsoft.Web enables secure connectivity to Azure Web services (like Azure App Service) but does not control traffic between VMs in different subnets or scale sets.

Question 381 · MCQ · medium

Based on the exhibit, which Network Watcher tool should the administrator use to identify the exact NSG rule that is blocking TCP 1433 traffic?

A. Connection troubleshoot
B. IP flow verify
C. Next hop
D. Packet capture

Answer: B

IP flow verify returns whether a flow is allowed or denied and shows the matching NSG rule.

Why this answer

IP flow verify is the correct Network Watcher tool because it tests whether a packet is allowed or denied to or from a specific virtual machine based on a 5-tuple (source IP, destination IP, source port, destination port, and protocol). By specifying TCP 1433 as the destination port, the tool evaluates the effective NSG rules (including rules that reference application security groups) and returns the name and direction of the exact rule that is blocking the traffic.

Exam trap

The trap here is that candidates often confuse 'Connection troubleshoot' (which tests end-to-end connectivity but not rule-level blocking) with 'IP flow verify' (which explicitly evaluates NSG rules), leading them to select A instead of B.

How to eliminate wrong answers

Option A is wrong because Connection troubleshoot checks end-to-end connectivity (including latency, packet loss, and routing) but does not pinpoint which specific NSG rule is blocking traffic; it only reports that connectivity failed. Option C is wrong because Next hop shows the next hop type and IP address for a packet but does not evaluate NSG rules or indicate whether traffic is allowed or denied. Option D is wrong because Packet capture captures raw network packets for analysis but does not interpret NSG rules or identify which rule is blocking traffic; it requires manual inspection of the capture.

Question 382 · MCQ · medium

You need to prevent accidental deletion of a resource group while still allowing administrators to create and modify resources inside it. Which Azure lock should you apply?

A. ReadOnly
B. CanNotDelete
C. Delete lock
D. No lock and a budget alert

Answer: B

A CanNotDelete lock prevents deletion while still permitting updates.

Why this answer

The CanNotDelete lock prevents deletion of the resource group while still allowing read and write operations on the resources within it. This lock type is designed specifically to protect against accidental deletion without restricting administrative actions such as creating or updating resources.

Exam trap

The trap here is that candidates confuse the CanNotDelete lock with the ReadOnly lock, mistakenly thinking ReadOnly still allows modifications, or they invent a non-existent 'Delete lock' option because it sounds plausible.

How to eliminate wrong answers

Option A is wrong because ReadOnly lock prevents all write operations, including creating and modifying resources, which contradicts the requirement to allow administrators to create and modify resources. Option C is wrong because 'Delete lock' is not a valid Azure lock type; Azure only supports CanNotDelete and ReadOnly locks. Option D is wrong because a budget alert only sends notifications when spending exceeds a threshold and does not prevent deletion of the resource group.

Question 383 · MCQ · medium

An administrator is deploying a new VPN gateway in an existing VNet. The GatewaySubnet currently uses a /28 range, and the deployment fails because the selected gateway configuration does not have enough available IP addresses. What is the best action?

A. Move one of the gateway's NICs into a normal workload subnet.
B. Expand GatewaySubnet to a larger range, such as /27, and redeploy the VPN gateway.
C. Create a private endpoint inside GatewaySubnet to reserve extra addresses.
D. Enable BGP so the gateway needs fewer IP addresses.

Answer: B

GatewaySubnet is a dedicated subnet for VPN gateway resources, and the gateway requires enough free IP addresses to deploy and operate. If the current prefix is too small for the chosen configuration, the correct fix is to expand the subnet to a larger size, such as /27, if the VNet address space allows it. After resizing, the administrator can retry the gateway deployment with adequate capacity.

Why this answer

The GatewaySubnet requires a minimum /27 range to support most VPN gateway SKUs, as Azure reserves several IP addresses for internal use and the gateway instances need at least 3–6 usable IPs depending on the SKU. Expanding the subnet to /27 provides enough addresses (32 total, minus reserved) to satisfy the gateway's allocation requirements, allowing the deployment to succeed.

Exam trap

The trap here is that candidates assume a /28 subnet is always sufficient because it works for smaller gateways, but they overlook that larger SKUs or active-active configurations require more IPs, and Azure's reservation of 5 addresses per subnet further reduces usable space.

How to eliminate wrong answers

Option A is wrong because moving a gateway's NIC into a normal workload subnet violates the Azure requirement that all gateway VMs must reside exclusively in the GatewaySubnet; placing NICs elsewhere breaks connectivity and is not supported. Option C is wrong because a private endpoint does not reserve IP addresses for the gateway; it is used for secure access to PaaS services and does not increase the available IP count in the GatewaySubnet. Option D is wrong because enabling BGP does not reduce the number of IP addresses the gateway needs; BGP is a routing protocol that adds configuration complexity but does not change the subnet size requirement.

Question 384 · MCQ · medium

A build server hosted in a company datacenter must deploy ARM templates to a target resource group in Azure without storing a user password. The server is not running in Azure, and the team wants to authorize deployments with Azure RBAC. What should be configured?

A. A service principal authenticated with a certificate and assigned RBAC on the target scope
B. A system-assigned managed identity on the build server
C. A personal user account with multifactor authentication
D. A shared access signature for the resource group

Answer: A

This works from outside Azure and supports noninteractive authentication with Azure RBAC authorization.

Why this answer

A service principal authenticated with a certificate is the correct approach because it allows non-Azure resources (like an on-premises build server) to authenticate to Azure without storing a user password. The certificate-based authentication satisfies the requirement to avoid storing a password, and assigning RBAC on the target resource group grants the service principal the necessary permissions to deploy ARM templates. This method is secure, supports automation, and aligns with Azure AD application registration best practices.

Exam trap

The trap here is that candidates may confuse managed identities (which are Azure-only) with service principals, or mistakenly think a SAS token can be used for RBAC-based ARM deployments, when SAS is strictly for Storage access.

How to eliminate wrong answers

Option B is wrong because a system-assigned managed identity can only be assigned to Azure resources (e.g., Azure VMs, App Services), not to an on-premises build server; it cannot be used outside Azure. Option C is wrong because a personal user account with multifactor authentication would require interactive login or storing user credentials, which violates the requirement to avoid storing a password and is not suitable for automated deployments. Option D is wrong because a shared access signature (SAS) is used to delegate access to Azure Storage resources (e.g., blobs, containers), not to authorize ARM template deployments to a resource group; SAS tokens do not support Azure RBAC.

Question 385 · MCQ · medium

A project team adds and removes contractors every few weeks. The team needs Azure access to follow membership changes without updating role assignments for each person. What should the administrator use to delegate the access?

A. Assign the Azure role directly to each contractor user account.
B. Create a Microsoft Entra security group, add the contractors, and assign the Azure role to the group.
C. Use a Microsoft 365 group and assign the Azure role to it.
D. Create a management group for the contractors and assign the role there.

Answer: B

A security group is the best delegation target because membership can change without editing the RBAC assignment. The role remains stable, while adding or removing users from the group immediately changes who receives the permissions. This is the standard least-administration approach for a team whose membership changes often.

Why this answer

Option B is correct because assigning an Azure role to a Microsoft Entra security group allows the administrator to manage access by simply adding or removing contractors from the group, without needing to update role assignments for each individual. This leverages Azure RBAC's support for group-based assignments, which automatically propagate role permissions to new members and revoke them from removed members.

Exam trap

The trap here is that candidates might confuse Microsoft 365 groups (which are primarily for collaboration and may not support all Azure RBAC roles) with security groups, or incorrectly think that management groups are appropriate for individual user access delegation.

How to eliminate wrong answers

Option A is wrong because directly assigning the Azure role to each contractor user account would require manual updates every time a contractor is added or removed, which is inefficient and error-prone for frequent membership changes. Option C is wrong because Microsoft 365 groups, while they can be used for some Azure role assignments, are primarily designed for collaboration and may not support all Azure RBAC roles or scenarios; security groups are the recommended and more flexible choice for this purpose. Option D is wrong because a management group is a container for organizing subscriptions and applying governance policies, not for managing individual user access; assigning a role at the management group level would apply to all subscriptions within it, which is overly broad and not suitable for delegating access to specific contractors.

Question 386 · MCQ · hard

A media company stores project video assets in Azure Blob Storage. The business requires the data to survive a single availability zone outage in the primary region. In addition, if the primary region becomes unavailable, operations staff must still be able to read the most recently replicated copy from the secondary region right away, even if writes are temporarily unavailable. Which redundancy option best meets this requirement?

A. ZRS
B. GZRS
C. RA-GRS
D. RA-GZRS

Answer: D

Read-access geo-zone-redundant storage combines zone resilience with geo-replication and secondary read access.

Why this answer

RA-GZRS (Read-Access Geo-Zone-Redundant Storage) is correct because it combines zone-redundant storage (ZRS) within the primary region to survive a single availability zone outage, and geo-redundant storage (GRS) to replicate data to a secondary region. The 'RA' prefix enables read access to the secondary region immediately after a primary region failure, allowing operations staff to read the most recently replicated copy even if writes are temporarily unavailable.

Exam trap

The trap here is that candidates often confuse GZRS with RA-GZRS, forgetting that GZRS alone does not provide read access to the secondary region; the 'RA' prefix is required for immediate read access during a primary region outage.

How to eliminate wrong answers

Option A (ZRS) is wrong because while it survives a single availability zone outage within the primary region, it does not replicate data to a secondary region, so it cannot provide read access during a primary region outage. Option B (GZRS) is wrong because although it provides zone-redundant storage in the primary region and geo-replication to a secondary region, it does not include read access to the secondary region; the secondary copy is only available for failover (which requires a manual or Microsoft-initiated process), not immediate reads. Option C (RA-GRS) is wrong because it provides read access to the secondary region, but it uses locally redundant storage (LRS) in the primary region, which does not survive a single availability zone outage (LRS replicates within a single data center, not across zones).

Question 387 · MCQ · easy

A line-of-business app runs on a single Azure VM in a region that supports availability zones. The business wants the VM to keep running if one datacenter in the region becomes unavailable. Which deployment choice best meets this requirement?

A. Availability set
B. Availability zone
C. Proximity placement group
D. Virtual machine scale set

Answer: B

An availability zone places the VM in a distinct datacenter within the region, helping the workload survive a datacenter-level outage.

Why this answer

An availability zone is a physically separate datacenter within an Azure region, with independent power, cooling, and networking. Deploying the VM to a specific zone ensures it remains operational if another zone's datacenter fails, meeting the requirement for single-VM resilience against a datacenter outage.

Exam trap

The trap here is that candidates often confuse availability sets (which protect against rack-level failures) with availability zones (which protect against datacenter-level failures), leading them to choose the set when the question explicitly requires datacenter outage protection.

How to eliminate wrong answers

Option A is wrong because an availability set protects against rack-level failures within a single datacenter (e.g., hardware faults or updates), not against the loss of an entire datacenter. Option C is wrong because a proximity placement group is designed to reduce network latency by co-locating VMs, not to provide datacenter-level fault isolation. Option D is wrong because a virtual machine scale set provides scaling and high availability across zones or fault domains, but for a single VM it is unnecessary and does not inherently guarantee zone-level isolation unless explicitly configured with zones, which is not the simplest or most direct choice.

Question 388 · Multi-Select · easy

An application needs more data disk capacity, but the VM can keep using the same managed disk. Which two statements are true when you resize a managed data disk? Select two.

Select 2 answers
A. You can increase the managed disk size without redeploying the VM.
B. You may need to extend the partition or filesystem inside the guest OS.
C. You must create a brand-new VM before resizing the disk.
D. Resizing a disk always shrinks it back to a smaller size.
E. The VM size must always change whenever disk capacity changes.

Answers: A, B

Managed disks can be expanded in Azure without rebuilding the VM or reinstalling the operating system.

Why this answer

Option A is correct because Azure managed disks support online resizing: you can increase the size of a managed data disk while the VM remains running, without any need to stop, deallocate, or redeploy the VM. This is possible because the underlying Azure storage infrastructure can extend the virtual hard disk (VHD) file without disrupting the VM's I/O operations. After the resize, the guest OS sees the new capacity, but the partition and filesystem must be extended manually.

Exam trap

The trap here is that candidates assume resizing a disk requires a VM restart or redeployment, but Azure allows online resizing for managed disks, and the only post-resize step is extending the partition inside the guest OS.

Question 389 · MCQ · hard

An operations team manages an Azure virtual machine scale set that hosts a stateless API. They already collect guest logs in Log Analytics, but they do not want to ingest extra performance data just to watch CPU. They need an alert when average CPU across the scale set stays above 80% for 10 minutes, and the notification must support email and a webhook. What should they configure?

A. Create a diagnostic setting on the scale set and build a log query alert for CPU samples.
B. Create an Azure Monitor metric alert on the scale set CPU metric and attach an action group.
C. Configure an autoscale rule and rely on its notification settings for alerting.
D. Install a monitoring extension that writes CPU readings to storage for later review.

Answer: B

Metric alerts evaluate platform metrics directly, so no extra log ingestion is needed. An action group is the correct notification mechanism for email, webhook, SMS, or other responses. This design is the lowest-overhead way to detect sustained CPU pressure on a VM scale set and notify operators quickly.

Why this answer

Option B is correct because Azure Monitor metric alerts can directly evaluate the 'Percentage CPU' metric from a virtual machine scale set without ingesting additional performance data into Log Analytics. By setting the aggregation to 'Average' and the threshold to 80% for a duration of 10 minutes, the alert triggers when the condition is met. An action group attached to the alert can send notifications via email and webhook simultaneously, meeting all requirements without extra data ingestion.

Exam trap

The trap here is that candidates often confuse metric alerts with log query alerts, assuming CPU monitoring requires Log Analytics ingestion, when in fact platform metrics are available natively and can be alerted on directly without extra data collection.

How to eliminate wrong answers

Option A is wrong because creating a diagnostic setting to send guest-level CPU samples to Log Analytics would ingest extra performance data, which the team explicitly wants to avoid, and log query alerts require querying that ingested data, adding cost and complexity. Option C is wrong because autoscale rules are designed to scale resources based on metrics, not to send alert notifications; their notification settings only inform about scaling events, not sustained CPU thresholds, and they do not support email or webhook directly. Option D is wrong because installing a monitoring extension to write CPU readings to storage does not provide real-time alerting; it only stores data for later review, and the team needs immediate notification via email and webhook.

Question 390 · MCQ · hard

A Recovery Services vault protects 40 VMs by using one daily backup policy that retains recovery points for 7 days. One finance VM must keep daily recovery points for 30 days, but the other VMs should remain on the 7-day policy. What should the administrator do?

A. Edit the existing policy so all protected VMs inherit 30-day retention.
B. Create a second backup policy with 30-day retention and assign only the finance VM to it.
C. Move the finance VM to another resource group so it gets different retention automatically.
D. Apply a resource lock to the finance VM to preserve its recovery points longer.

Answer: B

Backup policy settings apply to the items associated with that policy. To give one VM a longer retention period without changing the others, the administrator should create a separate policy and assign only the finance VM to that policy. This preserves the standard 7-day policy for the rest of the fleet while meeting the special retention requirement.

Why this answer

Option B is correct because Azure Backup allows multiple backup policies within a single Recovery Services vault, and you can assign different policies to different VMs. By creating a second policy with 30-day retention and assigning only the finance VM to it, the administrator meets the requirement without affecting the other 39 VMs that continue using the existing 7-day policy.

Exam trap

The trap here is that candidates may think a single vault can only have one backup policy, or that moving a VM to another resource group or applying a resource lock will affect backup retention, when in fact backup policies are independent of resource groups and locks only protect the resource, not its backup data.

How to eliminate wrong answers

Option A is wrong because editing the existing policy to 30-day retention would apply the change to all 40 VMs, violating the requirement to keep the other VMs on a 7-day policy. Option C is wrong because moving a VM to another resource group does not change its backup retention settings; backup policies are assigned per VM within a vault, not inherited from the resource group. Option D is wrong because a resource lock prevents accidental deletion or modification of the VM itself, but it does not extend the retention period of recovery points in the Recovery Services vault.

Question 391 · Multi-Select · hard

A department has 12 subscriptions under a management group named Corp. New resources must be deployed only in East US or West US and must include a CostCenter tag. A pilot subscription must be exempt from these rules during testing. Which two actions should you take? Select two.

Select 2 answers
A. Assign an initiative containing both policy definitions at the Corp management-group scope.
B. Create a policy exemption for the pilot subscription.
C. Assign the policies individually at each resource group.
D. Use the Owner role at the management-group scope.
E. Use a resource lock instead of Azure Policy.

Answers: A, B

A management-group assignment applies the same governance to current and future subscriptions underneath it.

Why this answer

Option A is correct because assigning an initiative (a collection of policy definitions) at the Corp management-group scope ensures that all 12 subscriptions inherit both the location restriction and the CostCenter tag requirement. This is the most efficient and scalable way to enforce governance across multiple subscriptions without repeating assignments. Option B is correct because a policy exemption scoped to the pilot subscription excludes it from the initiative assignment for the duration of testing without removing or re-scoping the assignment that still governs the other subscriptions.

Exam trap

The trap here is that candidates may think individual policy assignments at each resource group (Option C) are acceptable, but Azure Policy is designed to be assigned at higher scopes (management group or subscription) for inheritance, and they may also confuse RBAC roles (Option D) with policy enforcement.

Question 392 · MCQ · medium

Engineers need a single Log Analytics workspace to investigate incidents by querying Windows event logs from a VM and Azure resource logs from a storage account. What should the administrator configure?

A.Create a resource lock on the workspace and let each team send emails when incidents happen.
B.Use Azure Monitor Agent with a data collection rule for the VM and diagnostic settings for the storage account, both sending data to the same workspace.
C.Move the VM and storage account into the same availability set so their logs appear together.
D.Enable a private endpoint for the workspace and disable all diagnostic collection.
AnswerB

VM guest logs require the Azure Monitor Agent and a data collection rule, while storage account platform logs are exported with diagnostic settings. Sending both to one Log Analytics workspace gives the team a single place to correlate incidents with KQL.

Why this answer

Option B is correct because Azure Monitor Agent (AMA) with a data collection rule (DCR) collects Windows event logs from VMs, and diagnostic settings on a storage account send Azure resource logs to the same Log Analytics workspace. This centralizes both data sources for unified querying and incident investigation.

Exam trap

The trap here is that candidates may confuse availability sets (a VM high-availability feature) with log aggregation, or assume that a resource lock or private endpoint somehow enables data collection, when in fact only proper data collection agents and diagnostic settings can route logs to a workspace.

How to eliminate wrong answers

Option A is wrong because a resource lock prevents accidental deletion or modification of the workspace but does not collect or route any log data; it cannot enable log ingestion. Option C is wrong because an availability set is a VM placement configuration for high availability and has no effect on log aggregation or workspace connectivity. Option D is wrong because a private endpoint restricts network access to the workspace but does not enable log collection; disabling diagnostic collection would stop all data ingestion, making investigation impossible.

393
MCQ · medium

Based on the exhibit, where should the Network Contributor role be assigned so the engineer can manage only VNet-vm and its subnets, but not other resources in rg-platform?

A. Assign Network Contributor at the management group scope.
B. Assign Network Contributor at the subscription scope.
C. Assign Network Contributor at the resource group scope for rg-platform.
D. Assign Network Contributor at the VNet-vm resource scope.
Answer: D

Assigning the role directly to the virtual network limits access to that specific network object and its child subnets while excluding unrelated resources in the same resource group.

Why this answer

Option D is correct because assigning the Network Contributor role at the VNet-vm resource scope grants the engineer permissions to manage only that specific virtual network and its subnets, while preventing any access to other resources within the rg-platform resource group. This follows the principle of least privilege by scoping the role assignment to the exact resource that needs to be managed.

Exam trap

The trap here is that candidates often assume assigning a role at the resource group scope is sufficient to limit access to a specific resource, but they overlook that resource group scope grants permissions to all resources of that type within the group, not just the intended one.

How to eliminate wrong answers

Option A is wrong because assigning Network Contributor at the management group scope would grant permissions to manage all virtual networks and networking resources across all subscriptions and resource groups under that management group, far exceeding the requirement to manage only VNet-vm. Option B is wrong because assigning Network Contributor at the subscription scope would allow the engineer to manage all virtual networks and networking resources within the entire subscription, including resources outside rg-platform. Option C is wrong because assigning Network Contributor at the resource group scope for rg-platform would grant permissions to manage all virtual networks and networking resources within that resource group, not just VNet-vm and its subnets.

394
Matching · medium

A response team is designing notification paths for Azure Monitor alerts. Match each action group receiver or action to the outcome it provides.

Matches

Delivers the alert to a mailbox or distribution list.

Sends a text message to an on-call phone number.

Calls an external HTTPS endpoint such as a ticketing or orchestration system.

Runs custom code after the alert fires.

Starts a scripted remediation runbook in Azure Automation.

Why these pairings

Email/SMS/Push/Voice are direct notifications; ITSM connector creates tickets; Automation runbook runs scripts; Webhook sends to external services like Teams; Push notifications target mobile apps.

395
MCQ · hard

Based on the exhibit, what should the administrator change to allow only the web tier to reach the app tier on TCP 8443?

A. Move the allow rule for WebTier-ASG to a priority lower than 100.
B. Change the deny rule source from VirtualNetwork to Internet.
C. Associate the NSG with the virtual machine NIC instead of the subnet.
D. Replace the ASG destination with the subnet address range.
Answer: A

The deny rule at priority 100 matches all traffic from VirtualNetwork to AppTier-ASG on TCP 8443, including the web tier. The allow rule must evaluate first.

Why this answer

The exhibit shows a default-deny NSG rule at priority 100 that blocks all traffic from VirtualNetwork to VirtualNetwork. To allow only the web tier (WebTier-ASG) to reach the app tier (AppTier-ASG) on TCP 8443, the administrator must move the allow rule for WebTier-ASG to a priority lower than 100 (e.g., 90). This ensures the allow rule is evaluated before the deny rule, as NSG rules are processed in priority order (lowest number first).

Exam trap

The trap here is that candidates often overlook the default-deny rule at priority 100 and assume any allow rule will work regardless of priority, failing to realize that NSG rules are processed in strict priority order (lowest number first) and that a deny with a lower priority number overrides an allow with a higher one.

How to eliminate wrong answers

Option B is wrong because changing the deny rule source from VirtualNetwork to Internet would block internet traffic but still block the web tier's traffic to the app tier, as the web tier is within the same virtual network. Option C is wrong because associating the NSG with the VM NIC instead of the subnet would only apply the NSG to that specific VM, not to all VMs in the app tier, and would not resolve the priority conflict between the allow and deny rules. Option D is wrong because replacing the ASG destination with the subnet address range would remove the granularity of the application security group, potentially allowing unintended traffic from other subnets, and does not address the rule priority issue.
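To make the priority-order point concrete, here is an added example (not part of the question bank and not an Azure SDK) that models NSG evaluation as a first-match walk over rules sorted by priority number. The rule set, NIC names and group membership are constructed to mirror the scenario described above rather than the real exhibit; the implicit DenyAllInBound catch-all is the only real Azure default it reproduces.

```python
"""Added example: a minimal model of NSG rule evaluation.

NSG rules are evaluated in ascending priority-number order and the first
match ends evaluation. This toy evaluator reproduces that to show why the
deny rule at priority 100 swallows the web tier's traffic until the allow
rule is moved in front of it (Option A). Service tags and application
security groups are modelled as plain membership sets.
"""
from dataclasses import dataclass, replace

# Constructed membership: VirtualNetwork covers every NIC in the VNet,
# the two ASGs are subsets of it, and nothing inside the VNet is "Internet".
GROUPS = {
    "VirtualNetwork": {"web-01", "app-01", "db-01"},
    "WebTier-ASG": {"web-01"},
    "AppTier-ASG": {"app-01"},
    "Internet": set(),
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # 100..4096; lower number is evaluated first
    source: str        # service tag or ASG name
    destination: str   # service tag or ASG name
    protocol: str      # "Tcp", "Udp" or "*"
    port: str          # single destination port or "*"
    access: str        # "Allow" or "Deny"


def matches(rule, src_nic, dst_nic, protocol, port):
    """True when the rule covers this flow (source, destination, protocol, port)."""
    return (src_nic in GROUPS[rule.source]
            and dst_nic in GROUPS[rule.destination]
            and rule.protocol in ("*", protocol)
            and rule.port in ("*", str(port)))


def evaluate(rules, src_nic, dst_nic, protocol, port):
    """Return (access, rule name) for the first matching rule in priority order.

    If nothing matches, the built-in DenyAllInBound rule at 65500 applies.
    """
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, src_nic, dst_nic, protocol, port):
            return rule.access, rule.name
    return "Deny", "DenyAllInBound"


# Rules as the question describes them: a deny at 100 catching all VNet
# traffic to the app tier on 8443, with the web-tier allow sitting behind it.
BROKEN = [
    Rule("Deny-VNet-to-App", 100, "VirtualNetwork", "AppTier-ASG", "Tcp", "8443", "Deny"),
    Rule("Allow-Web-to-App", 110, "WebTier-ASG", "AppTier-ASG", "Tcp", "8443", "Allow"),
]


def fix_priority(rules, name, new_priority):
    """Option A: re-prioritise one rule and leave every other rule untouched."""
    return [replace(r, priority=new_priority) if r.name == name else r for r in rules]


# Moving the allow rule to 90 puts it in front of the deny at 100.
FIXED = fix_priority(BROKEN, "Allow-Web-to-App", 90)

if __name__ == "__main__":
    for label, rules in (("before", BROKEN), ("after ", FIXED)):
        print(label, "web-01 -> app-01:8443", evaluate(rules, "web-01", "app-01", "Tcp", 8443))
        print(label, "db-01  -> app-01:8443", evaluate(rules, "db-01", "app-01", "Tcp", 8443))
```

Running it shows the web tier blocked by `Deny-VNet-to-App` before the change and allowed by `Allow-Web-to-App` afterwards, while the database NIC is still denied and any other port falls through to DenyAllInBound.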

396
MCQ · medium

A reporting server VM will run an analytics engine that uses a large in-memory cache. Required minimums are 8 vCPUs and 64 GiB of RAM, and the workload benefits more from memory than from extra compute. Which Azure VM series is the best fit?

A. B-series, because burstable credits handle temporary spikes economically
B. D-series, because it balances general-purpose CPU and memory
C. E-series, because it provides memory-optimized sizing for data-intensive workloads
D. F-series, because it is optimized for high CPU throughput
Answer: C

E-series VMs are memory optimized, which makes them a strong fit when the workload needs more RAM relative to CPU. A server running an in-memory cache or analytics engine benefits from that higher memory footprint, and the family includes sizes that satisfy the stated minimums.

Why this answer

The E-series (specifically Ev3, Esv3, or Ebsv5) is memory-optimized, offering the highest memory-to-vCPU ratio among Azure general-purpose families. With a requirement of 64 GiB RAM and only 8 vCPUs, the workload benefits more from memory than compute, making the E-series the best fit. D-series provides balanced ratios but not the memory density needed, while F-series and B-series are compute- or burst-oriented and lack sufficient memory per vCPU.

Exam trap

The trap here is that candidates see '8 vCPUs and 64 GiB RAM' and assume a general-purpose D-series is sufficient, overlooking that the workload benefits more from memory than compute, which directly points to the memory-optimized E-series as the most cost-effective and performant choice.

How to eliminate wrong answers

Option A is wrong because B-series is a burstable, general-purpose family designed for workloads with low average CPU usage and occasional spikes; it does not guarantee sustained 8 vCPUs or provide the high memory-to-vCPU ratio required for a large in-memory cache. Option B is wrong because D-series is a general-purpose family with a balanced CPU-to-memory ratio (typically 4 GiB per vCPU), which would require more vCPUs to reach 64 GiB RAM, wasting compute resources and cost. Option D is wrong because F-series is compute-optimized, offering high CPU throughput but only 2 GiB of RAM per vCPU, far below the 8 GiB per vCPU needed for this memory-intensive workload.

397
MCQ · medium

Based on the exhibit, what should you do so the report can open the file tomorrow morning?

A. Change the blob to the Hot access tier and allow it to rehydrate before the report runs.
B. Change the blob to the Cool access tier only, because Cool is always immediately readable.
C. Create a snapshot of the archived blob and use the snapshot instead.
D. Enable versioning on the storage account so the file becomes readable again.
Answer: A

Archive blobs are offline and cannot be read until they are rehydrated to an online tier. Moving the blob to Hot is the appropriate action when access is needed soon, because it restores immediate read availability after the rehydration completes.

Why this answer

The blob is currently in the Archive access tier, which requires manual rehydration (changing the tier to Hot or Cool) before it can be read. Rehydration can take up to 15 hours, so changing the blob to the Hot access tier now and allowing it to complete rehydration before the report runs tomorrow ensures the file is available for reading.

Exam trap

The trap here is that candidates assume the Cool access tier is always immediately readable, forgetting that blobs in the Archive tier must be rehydrated to any online tier before access, and that rehydration time is significant.

How to eliminate wrong answers

Option B is wrong because the Cool access tier is not immediately readable for blobs currently in the Archive tier; rehydration is required regardless of the target tier, and Cool tier blobs are only immediately readable if they were never archived. Option C is wrong because you cannot create a snapshot of an archived blob; snapshots require the blob to be in a readable state (Hot or Cool), and the snapshot itself would also be inaccessible until the base blob is rehydrated. Option D is wrong because enabling versioning does not make an archived blob readable; versioning creates new versions of the blob, but the existing archived version remains in the Archive tier and still requires rehydration to be accessed.

398
MCQ · easy

A company has two application VMs in the same Azure region. The main requirement is to reduce downtime during planned host maintenance. The business does not require protection from a complete datacenter outage. Which option should you choose?

A. Availability zones
B. Availability set
C. Virtual machine scale set
D. Proximity placement group
Answer: B

An availability set spreads VMs across update domains and fault domains within a datacenter boundary. That helps reduce downtime during planned maintenance and some hardware issues. Since the requirement does not include protection from an entire datacenter outage, an availability set is the right and simpler choice.

Why this answer

An availability set distributes VMs across multiple fault domains and update domains within a single Azure datacenter. During planned host maintenance, Azure updates one update domain at a time, ensuring that only a subset of VMs are rebooted simultaneously, thereby reducing downtime. This meets the requirement of protecting against planned maintenance without needing cross-datacenter redundancy.

Exam trap

The trap here is that candidates often confuse availability zones (which protect against datacenter-level failures) with availability sets (which protect against rack-level failures and planned maintenance), leading them to over-engineer the solution with zones when the requirement explicitly excludes datacenter outage protection.

How to eliminate wrong answers

Option A is wrong because availability zones protect against a complete datacenter outage by placing VMs in physically separate datacenters within a region, which is unnecessary and more costly given the requirement only to reduce downtime during planned host maintenance. Option C is wrong because a virtual machine scale set is designed for auto-scaling and load balancing of identical VMs, not specifically for reducing downtime during planned maintenance; while it can use availability sets or zones, the core purpose and cost model are mismatched. Option D is wrong because a proximity placement group is used to minimize network latency between VMs by ensuring they are physically close, which does not address downtime during planned maintenance and can actually increase risk by placing VMs in the same failure domain.

399
MCQ · medium

You need to ensure engineers cannot delete a production resource group, but they must still be able to start and stop VMs and change network rules during maintenance. Which resource lock should you apply to the resource group?

A. No lock
B. ReadOnly
C. CanNotDelete
D. Azure Policy deny assignment
Answer: C

This prevents deletion while still allowing normal write operations on the resources.

Why this answer

The CanNotDelete lock prevents deletion of the resource group while allowing all other operations, including starting/stopping VMs and modifying network rules. This meets the requirement because engineers retain full management capabilities except for deletion, which is explicitly blocked at the resource group scope.

Exam trap

The trap here is that candidates confuse ReadOnly with CanNotDelete, assuming any lock will block all operations, when in fact ReadOnly blocks all write operations (including start/stop and network changes) while CanNotDelete only blocks deletion.

How to eliminate wrong answers

Option A is wrong because no lock would allow engineers to delete the resource group, violating the requirement to prevent deletion. Option B is wrong because a ReadOnly lock prevents all write operations, including starting/stopping VMs and changing network rules, which are explicitly required during maintenance. Option D is wrong because an Azure Policy deny assignment can block specific actions but is not the intended mechanism for resource-level deletion protection; resource locks are the correct Azure governance tool for this purpose.

400
MCQ · medium

You need to view recommendations about underutilized virtual machines, security improvements, and cost-saving opportunities in Azure. Which service should you use?

A. Azure Advisor
B. Azure Policy
C. Network Watcher
D. Azure Backup
Answer: A

Azure Advisor is the Azure service for recommendations and optimization guidance.

Why this answer

Azure Advisor provides personalized best-practice recommendations related to reliability, security, performance, operational excellence, and cost.

401
MCQ · hard

A finance department stores spreadsheets in an Azure file share. Yesterday a user deleted a subfolder tree, but other folders were modified after that point and must not be rolled back. The administrator wants to restore only the deleted subfolder tree to its state from yesterday. What should the administrator use?

A. Restore the entire share from Azure Backup to the yesterday recovery point.
B. Use the Azure Files snapshot taken before the deletion and copy back only the required folders.
C. Enable blob soft delete on the storage account and then recover the folders.
D. Create a new file share and use synchronization to merge the deleted content.
Answer: B

A snapshot provides point-in-time data, letting the administrator restore only the deleted folder tree.

Why this answer

Option B is correct because Azure Files supports snapshot-based restore at the share level. By taking a snapshot before the deletion, the administrator can mount that snapshot as a read-only copy of the share, then copy back only the deleted subfolder tree without affecting any modifications made to other folders after the snapshot was taken. This meets the requirement of restoring only the deleted content while preserving later changes.

Exam trap

The trap here is that candidates confuse Azure Files snapshots with Azure Backup or blob soft delete, assuming any recovery mechanism can selectively restore without understanding that only snapshots allow granular copy-back without affecting current data.

How to eliminate wrong answers

Option A is wrong because restoring the entire share from Azure Backup to the yesterday recovery point would roll back all folders to that point in time, including the modifications made after the deletion, which violates the requirement to preserve those changes. Option C is wrong because blob soft delete applies only to Azure Blob Storage (block blobs, append blobs, page blobs), not to Azure Files (SMB file shares); it cannot recover deleted folders in a file share. Option D is wrong because creating a new file share and using synchronization (e.g., Azure File Sync) would not recover the deleted subfolder tree from a previous state; synchronization merges current content and does not provide point-in-time recovery of deleted items.

402
MCQ · medium

An application uploads documents by using one of the storage account access keys. The team wants to rotate keys without interrupting uploads. Which process should the administrator follow?

A. Regenerate both keys at the same time so the account is fully refreshed.
B. Switch the app to the secondary key, regenerate the primary key, and then update the app back later.
C. Disable shared key authorization before rotating the keys.
D. Delete the storage account and create a new one with the same name.
Answer: B

Azure Storage provides two account keys so you can rotate credentials with no downtime. The correct approach is to move the application to the secondary key first, verify that it works, regenerate the primary key, and then later rotate the app back if needed. This preserves access throughout the process and avoids a period where the application has no valid key.

Why this answer

Option B is correct because it follows the safe key rotation pattern: switch the application to use the secondary key, regenerate the primary key (which invalidates the old primary key), and then later update the application back to the primary key if desired. This ensures the application never loses access during the rotation, as it always has a valid key in use.

Exam trap

The trap here is that candidates may think regenerating both keys at once is acceptable, not realizing that the application would lose access immediately, or they may overcomplicate the solution by disabling authorization or recreating the account.

How to eliminate wrong answers

Option A is wrong because regenerating both keys simultaneously would leave the application without a valid key, causing immediate upload failures. Option C is wrong because disabling shared key authorization before rotating keys would block all access using keys, including the application's current key, causing downtime. Option D is wrong because deleting and recreating the storage account would change the account endpoints and require reconfiguration of all clients, causing significant disruption and potential data loss.

403
MCQ · medium

A subnet must send traffic to on-premises networks through a VPN gateway, but internet-bound traffic should use the Azure platform's normal outbound path and not be forced through a virtual appliance. The administrator wants to avoid creating a 0.0.0.0/0 user-defined route. Which design meets the requirement?

A. Associate a route table that contains only the specific on-premises prefixes and leave gateway route propagation enabled.
B. Add a 0.0.0.0/0 route to the VPN gateway and disable gateway route propagation.
C. Create a service endpoint for the subnet and use it as the default next hop.
D. Attach an NSG rule that allows on-premises traffic and blocks all internet traffic.
Answer: A

This lets the subnet use specific routes for on-premises destinations through the VPN gateway while leaving the default internet route untouched. Because there is no 0.0.0.0/0 UDR, Azure can use the normal system route for internet traffic. Keeping gateway route propagation enabled also allows learned gateway routes to appear when appropriate.

Why this answer

Option A is correct because a route table containing only the specific on-premises prefixes sends traffic for those prefixes through the VPN gateway while leaving every other destination on the default system routes. With gateway route propagation enabled, the routes the gateway learns for on-premises prefixes are added to the subnet's effective routes alongside those user-defined routes (UDRs); because nothing in the table carries a 0.0.0.0/0 prefix, the Azure default system route (0.0.0.0/0 to Internet) stays in effect. This ensures internet-bound traffic uses the Azure platform's normal outbound path without a forced tunnel through a virtual appliance or the VPN gateway.

Exam trap

The trap here is that candidates often assume that to send traffic to on-premises networks, they must create a 0.0.0.0/0 UDR to the VPN gateway, but the correct approach is to use specific prefix routes and leave gateway propagation enabled to avoid overriding the default internet path.

How to eliminate wrong answers

Option B is wrong because adding a 0.0.0.0/0 route to the VPN gateway and disabling gateway route propagation would force all internet-bound traffic through the VPN gateway, which violates the requirement that internet traffic should use the Azure platform's normal outbound path. Option C is wrong because a service endpoint does not act as a default next hop for internet traffic; it only provides direct connectivity to Azure PaaS services over the Azure backbone, and it cannot replace a 0.0.0.0/0 route or control outbound internet routing. Option D is wrong because an NSG rule that blocks all internet traffic would prevent the subnet from reaching the internet entirely, which contradicts the requirement that internet-bound traffic should use the normal outbound path; NSGs are stateful filters, not routing mechanisms.
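The route-selection rule behind this answer (longest matching prefix wins; for equal prefixes a user-defined route beats a gateway-learned route, which beats a system route) is easy to check with a small model. The following is an added example, not part of the question bank and not Azure tooling; the VNet range, on-premises prefixes and route sources are constructed for illustration.

```python
"""Added example: how Azure chooses the effective route for a destination.

Azure picks the route with the longest matching prefix. When several routes
share a prefix it prefers user-defined routes, then routes learned through
the gateway (BGP), then system routes. This selector reproduces that order
for the two designs discussed in the question.
"""
import ipaddress
from dataclasses import dataclass

# Tie-break order for routes with the same prefix length: lower rank wins.
SOURCE_RANK = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}


@dataclass(frozen=True)
class Route:
    prefix: str     # CIDR address prefix
    next_hop: str   # Internet, VirtualNetwork, VirtualNetworkGateway, ...
    source: str     # "User" (UDR), "VirtualNetworkGateway" (learned), "Default" (system)


def select_route(routes, destination):
    """Return the route Azure would use for `destination`, or None if nothing matches."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dst in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen,
                                          -SOURCE_RANK[r.source]))


def next_hop(routes, destination):
    """Convenience wrapper returning only the next-hop type."""
    route = select_route(routes, destination)
    return route.next_hop if route else "None"


# Constructed system routes every subnet receives: its VNet range and the
# default 0.0.0.0/0 route to the Internet.
SYSTEM = [
    Route("10.10.0.0/16", "VirtualNetwork", "Default"),
    Route("0.0.0.0/0", "Internet", "Default"),
]

# Option A: UDRs only for on-premises prefixes, plus one prefix learned via
# the gateway because propagation was left enabled. No 0.0.0.0/0 UDR.
OPTION_A = SYSTEM + [
    Route("192.168.0.0/16", "VirtualNetworkGateway", "User"),
    Route("172.16.0.0/12", "VirtualNetworkGateway", "User"),
    Route("10.200.0.0/16", "VirtualNetworkGateway", "VirtualNetworkGateway"),
]

# Option B: the design the question wants to avoid. The 0.0.0.0/0 UDR ties
# with the system default on prefix length and wins on source, so every
# internet-bound packet is forced through the gateway.
OPTION_B = SYSTEM + [Route("0.0.0.0/0", "VirtualNetworkGateway", "User")]

if __name__ == "__main__":
    for dest in ("192.168.5.10", "10.200.1.1", "10.10.2.4", "8.8.8.8"):
        print(f"{dest:>14}  A -> {next_hop(OPTION_A, dest):<22} B -> {next_hop(OPTION_B, dest)}")
```

With Option A, on-premises destinations go to the gateway and `8.8.8.8` still resolves to the system Internet route; with Option B the same public address is routed to the gateway, which is exactly the forced-tunnel outcome the requirement rules out.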

404
MCQ · medium

A development subnet must access an Azure Storage account privately, but the security team does not want to create a private IP in the VNet. They only want the subnet identity to be extended to the storage service. Which feature should the administrator configure?

A. Private endpoint
B. Service endpoint
C. Azure Front Door
D. Network security group outbound rule
Answer: B

A service endpoint extends the VNet and subnet identity to the supported Azure service without creating a private IP address in the VNet. That fits the requirement exactly because the team wants private access semantics from the subnet while avoiding a private endpoint. It is the correct choice when the main goal is to restrict service access to a subnet rather than provide a private IP-based connection.

Why this answer

A service endpoint extends the VNet identity to the Azure Storage service, allowing traffic from the subnet to reach the storage account over the Azure backbone network without requiring a private IP. This meets the requirement of private access without creating a private IP in the VNet, as the subnet's identity is used for access control via the storage account firewall.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, assuming both require a private IP, but service endpoints use the subnet's identity without assigning a private IP, which is the key distinction tested in this question.

How to eliminate wrong answers

Option A is wrong because a private endpoint assigns a private IP address from the VNet to the storage account, which directly contradicts the security team's requirement to avoid creating a private IP in the VNet. Option C is wrong because Azure Front Door is a global load balancer and application delivery service that operates at the edge, not a feature for extending subnet identity to a storage service for private access. Option D is wrong because a network security group outbound rule controls traffic filtering but does not extend subnet identity or provide private connectivity to Azure Storage.

405
Multi-Select · medium

A contractor pool changes every month. The operations team wants Azure role access to stay the same when people join or leave, without editing role assignments for each person. Which two actions should the administrator take? Select two.

Select 2 answers
A. Create a security group in Microsoft Entra ID for the contractor pool.
B. Assign the Azure role directly to each contractor account.
C. Create a Microsoft 365 group and use it for VM sign-in.
D. Assign the Azure role to the security group rather than to individual users.
E. Use a user-assigned managed identity for each contractor.
Answers: A, D

A security group is the right identity container for changing membership. Contractors can be added or removed from the group without touching the Azure RBAC assignment itself, which keeps access administration simple and consistent over time.

Why this answer

Option A is correct because creating a security group in Microsoft Entra ID (formerly Azure AD) allows the administrator to manage membership dynamically or manually as contractors join or leave. By assigning the Azure role to this security group (Option D), role assignments remain constant; only group membership changes, eliminating the need to edit individual role assignments. This approach leverages Azure RBAC's support for security groups as assignable principals, ensuring consistent access control.

Exam trap

The trap here is that candidates often confuse Microsoft 365 groups (used for collaboration and Entra ID join) with security groups (used for RBAC assignments), leading them to select Option C instead of A.

406
MCQ · hard

A container group runs a one-time import job that writes data to an external system. If the job succeeds, the container must stop and stay stopped. If the job fails, it should automatically retry by restarting. Which restart policy should the administrator choose?

A. Always
B. Never
C. OnFailure
D. Manual
Answer: C

OnFailure matches a batch-style workload that should retry after an error but remain stopped after a successful run. It allows the container group to restart when the process exits unsuccessfully while avoiding unnecessary reruns after completion.

Why this answer

The OnFailure restart policy is correct because it instructs Azure Container Instances (ACI) to restart the container only when the process exits with a non-zero exit code, indicating failure. For a one-time import job that must stop permanently on success (exit code 0) and retry on failure, OnFailure matches this exact behavior without unnecessary restarts.

Exam trap

The trap here is that candidates often confuse 'OnFailure' with 'Always' for retry scenarios, not realizing that 'Always' restarts even after success, which would break the 'stop on success' requirement.

How to eliminate wrong answers

Option A (Always) is wrong because it would restart the container regardless of exit code, causing the successful job to run repeatedly instead of stopping. Option B (Never) is wrong because it would not restart the container on failure, leaving the job uncompleted without any retry. Option D (Manual) is wrong because Azure Container Instances does not support a 'Manual' restart policy; the valid policies are Always, Never, and OnFailure.

407
MCQ · medium

You need to control inbound and outbound traffic to resources in a subnet by allowing or denying traffic based on IP address, port, and protocol. Which Azure feature should you use?

A. A network security group
B. A route table
C. A private DNS zone
D. Azure Advisor
Answer: A

NSGs are the Azure feature used to allow or deny traffic based on rule criteria.

Why this answer

A network security group (NSG) is the correct Azure feature because it contains security rules that allow or deny inbound and outbound traffic at the subnet or network interface level based on source/destination IP address, port, and protocol (TCP, UDP, or Any). This directly matches the requirement to control traffic by these three parameters.

Exam trap

The trap here is that candidates often confuse a route table (which controls traffic routing) with an NSG (which controls traffic filtering), especially since both are associated with subnets in the Azure portal.

How to eliminate wrong answers

Option B is wrong because a route table controls the path that network traffic takes (next hop) rather than filtering traffic based on IP, port, and protocol. Option C is wrong because a private DNS zone is used for name resolution within a virtual network, not for traffic filtering. Option D is wrong because Azure Advisor provides recommendations for best practices (cost, security, reliability, performance) but does not enforce traffic rules.

408
MCQ · medium

Based on the exhibit, the alert rule is firing, but the operations team is not receiving any notification. What should you change to make the alert send an email when the condition is met?

A. Increase the evaluation frequency to 15 minutes so Azure sends a summary notification.
B. Attach an action group that includes the required email recipient.
C. Create a diagnostic setting on the virtual machine and send logs to a storage account.
D. Move the virtual machine into a different resource group so the alert can notify the team.
Answer: B

Azure Monitor alerts need an action group to deliver notifications or trigger automation. In this case the rule is already evaluating correctly, but no action is configured, so the alert has nowhere to send the notification. Attaching an action group with the operations email address fixes the issue without changing the threshold or scope.

Why this answer

An alert rule in Azure Monitor requires an action group to define the notification actions (e.g., email, SMS) when the alert fires. Without an action group attached to the alert rule, no notifications are sent, even if the condition is met. Option B correctly identifies that attaching an action group containing the required email recipient will enable email notifications.

Exam trap

The trap here is that candidates often assume increasing evaluation frequency or moving resources will fix notification delivery, but the core requirement is that an action group must be attached to the alert rule to define the notification channel.

How to eliminate wrong answers

Option A is wrong because increasing the evaluation frequency to 15 minutes does not enable email notifications; it only changes how often the alert condition is checked, and summary notifications are unrelated to action groups. Option C is wrong because creating a diagnostic setting to send logs to a storage account is for log collection and retention, not for alert notifications; it does not trigger email delivery. Option D is wrong because moving the virtual machine to a different resource group has no effect on alert notification delivery; action groups are independent of resource group membership.

409
Multi-Selecteasy

A Python app running on an Azure VM must upload blobs to one container in a storage account. The app must not store a storage account key or SAS token on the VM. Which two actions should the administrator take? Select two.

Select 2 answers
A.Enable a system-assigned managed identity on the VM.
B.Assign the Storage Blob Data Contributor role to that managed identity at the container scope.
C.Store the storage account access key in an environment variable on the VM.
D.Generate a service SAS and copy it into the application configuration.
E.Assign the Contributor role on the resource group to the managed identity.
AnswersA, B

A system-assigned managed identity lets the VM request Azure access tokens without storing secrets on the server. The identity is automatically created and tied to that VM, which fits a simple single-VM app. This is the safest starting point when a workload must authenticate to Azure Storage without an account key or SAS token.

Why this answer

A system-assigned managed identity on the VM allows Azure AD authentication without storing any credentials on the VM. By assigning the Storage Blob Data Contributor role to that identity at the container scope, the app can use Azure AD tokens to authenticate and upload blobs, eliminating the need for a storage account key or SAS token.

Exam trap

The trap here is that candidates often confuse the Contributor role (which grants management-level access) with the Storage Blob Data Contributor role (which grants data-plane access), and may overlook that scoping the role to the container (rather than the storage account or resource group) is the most secure and correct approach.
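The two actions from this question expressed as a deployment, as an added example that is not part of the original page: the VM is created with a system-assigned managed identity, and the built-in Storage Blob Data Contributor role is assigned to that identity with the scope set to one container. The VM name, image, size, NIC id, storage account and container name are assumptions for illustration.

```bicep
// Added example (not from the original page). Assumed names: vm-pyapp, the 'uploads'
// container, and a NIC created elsewhere and passed in as nicId.
param location string = resourceGroup().location
param vmName string = 'vm-pyapp'
param adminUsername string = 'azureuser'
param adminPublicKey string
param nicId string
param storageAccountName string
param containerName string = 'uploads'

// Built-in role definition id for Storage Blob Data Contributor (data-plane blob write).
// Contributor (control plane) would not let the app write blobs with an Azure AD token.
var blobContributorRoleId = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')

// Action A: system-assigned managed identity. Nothing secret is written to the VM;
// the app asks the instance metadata endpoint for a token at run time.
resource vm 'Microsoft.Compute/virtualMachines@2023-09-01' = {
  name: vmName
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    hardwareProfile: {
      vmSize: 'Standard_B2s'
    }
    osProfile: {
      computerName: vmName
      adminUsername: adminUsername
      linuxConfiguration: {
        disablePasswordAuthentication: true
        ssh: {
          publicKeys: [
            {
              path: '/home/${adminUsername}/.ssh/authorized_keys'
              keyData: adminPublicKey
            }
          ]
        }
      }
    }
    storageProfile: {
      imageReference: {
        publisher: 'Canonical'
        offer: '0001-com-ubuntu-server-jammy'
        sku: '22_04-lts-gen2'
        version: 'latest'
      }
      osDisk: {
        createOption: 'FromImage'
        managedDisk: {
          storageAccountType: 'Standard_LRS'
        }
      }
    }
    networkProfile: {
      networkInterfaces: [
        {
          id: nicId
        }
      ]
    }
  }
}

resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' existing = {
  name: storageAccountName
}

resource blobService 'Microsoft.Storage/storageAccounts/blobServices@2023-01-01' existing = {
  parent: storage
  name: 'default'
}

resource container 'Microsoft.Storage/storageAccounts/blobServices/containers@2023-01-01' existing = {
  parent: blobService
  name: containerName
}

// Action B: the role assignment is scoped to the single container, not the storage
// account or the resource group, so the identity can write only where the app needs to.
resource uploadRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(container.id, vm.id, blobContributorRoleId)
  scope: container
  properties: {
    roleDefinitionId: blobContributorRoleId
    principalId: vm.identity.principalId
    principalType: 'ServicePrincipal'
  }
}
```

On the VM the Python app then uses a managed-identity credential from the Azure SDK rather than a connection string; if the role were assigned at resource-group scope (option E) the same identity could also manage resources it never needs.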

410
Matchinghard

Match each Recovery Services vault setting or feature to the behavior an administrator should expect after changing it.

Concepts
Matches

Keeps deleted backup items recoverable for a limited retention period.

Stops future backups but preserves existing recovery points in the vault.

Stops protection and removes stored recovery points after the deletion process completes.

Allows restore operations from the secondary region when the vault uses geo-redundant storage and the feature is enabled.

Why these pairings

Changing replication to GRS replicates all existing recovery points. Soft delete retains deleted data for 14 days. Changing storage replication after backup requires reconfiguration.

Custom managed identity grants specific resource access. Diagnostics settings send logs to Log Analytics. Cross Region Restore enables restore in the paired region when the vault uses GRS.

411
MCQmedium

Based on the exhibit, which Azure feature should the administrator add so ownership and chargeback information remains visible even if resources are moved between resource groups?

A.Management groups
B.Tags
C.Resource locks
D.Role assignments
AnswerB

Tags are designed to attach flexible metadata directly to resources, and the values remain useful for filtering and chargeback reporting.

Why this answer

Tags are metadata key-value pairs that can be assigned to Azure resources and resource groups. They persist even when resources are moved between resource groups, making them ideal for tracking ownership and chargeback information across organizational boundaries. Unlike other options, tags are specifically designed for cost tracking, ownership attribution, and resource categorization.

Exam trap

The trap here is that candidates confuse Resource locks (which prevent deletion) with metadata persistence, or assume Role assignments follow resources across moves, when in fact RBAC assignments are scoped to the original resource group and are lost upon relocation.

How to eliminate wrong answers

Option A is wrong because Management groups provide hierarchical governance for subscriptions (e.g., policy and RBAC inheritance), but they do not attach metadata to individual resources that survives resource group moves. Option C is wrong because Resource locks prevent accidental deletion or modification of resources but do not carry ownership or chargeback data. Option D is wrong because Role assignments control access permissions via Azure RBAC and are tied to the resource's scope; they do not persist as metadata when a resource is moved to a different resource group (the role assignment is lost unless re-applied).

412
MCQmedium

A company has frontend and backend VMs in the same subnet. Security rules must allow the frontend tier to reach only the backend tier on TCP 443, without assigning rules to individual VM IP addresses. What should the administrator use in the NSG rule?

A.A user-defined route that sends frontend traffic to the backend subnet.
B.A network security group rule that references both subnets by address prefix only.
C.Application security groups for the frontend and backend VMs.
D.A VNet peering connection between the two tiers.
AnswerC

ASGs let you group VMs by workload role and reference those groups in NSG rules.

Why this answer

Option C is correct because Application Security Groups (ASGs) allow you to group VMs logically by their application tier (e.g., frontend, backend) without relying on individual IP addresses. You can then create an NSG rule that uses the frontend ASG as the source and the backend ASG as the destination, restricting traffic to TCP 443. This meets the requirement of not assigning rules to individual VM IPs while ensuring only frontend VMs can reach backend VMs within the same subnet.

Exam trap

The trap here is that candidates assume subnet-based NSG rules are sufficient for tier isolation, but since both tiers share the same subnet, a subnet-to-subnet rule would allow all VMs in that subnet to communicate, failing the requirement to restrict traffic to only frontend-to-backend on TCP 443.

How to eliminate wrong answers

Option A is wrong because a user-defined route (UDR) controls the next hop for traffic (e.g., forcing it through a firewall or virtual appliance), not the security filtering of allowed traffic; it does not restrict which VMs can communicate on TCP 443. Option B is wrong because the frontend and backend tiers share one subnet, so a rule that references subnets by address prefix would allow every VM in that subnet to reach every other VM in it, failing to isolate the frontend and backend tiers. Option D is wrong because VNet peering connects separate virtual networks, not tiers within the same subnet; it is irrelevant for intra-subnet traffic filtering.

413
MCQmedium

Based on the exhibit, the business says the workload must keep running if an entire Azure region becomes unavailable. Is Azure Backup alone sufficient, and what should you add if it is not?

A.Yes. Azure Backup alone provides continuous service during a regional outage.
B.No. Add Azure Site Recovery or another replication and failover design for regional resilience.
C.Yes. Increasing the backup retention period will keep the application online.
D.No. Configure an action group so operators receive faster notifications during outages.
AnswerB

Azure Backup is for restore after data loss or corruption, not for continuously running the workload elsewhere. A full regional outage requires disaster recovery replication and failover, which Azure Site Recovery provides for supported workloads. That design keeps a secondary copy ready in another region so users can fail over when the primary region is unavailable.

Why this answer

Azure Backup is designed to protect data by creating recovery points that can be used to restore data to a different region, but it does not provide continuous service or automatic failover during a regional outage. To keep the workload running without interruption, you need Azure Site Recovery (ASR) or a custom replication and failover solution that replicates the entire workload to a secondary region and enables automatic or manual failover. Therefore, Azure Backup alone is insufficient for high availability during a regional disaster.

Exam trap

The trap here is that candidates confuse backup (data protection) with disaster recovery (application continuity), assuming that having backups in another region automatically keeps the workload running during an outage.

How to eliminate wrong answers

Option A is wrong because Azure Backup is a backup and restore service, not a disaster recovery or high availability solution; it does not provide continuous service or automatic failover during a regional outage. Option C is wrong because increasing backup retention only keeps more historical recovery points, which does not help keep the application running during an outage—it only extends the window for point-in-time restores. Option D is wrong because configuring an action group only sends notifications to operators; it does not provide any mechanism to keep the workload running or automatically fail over to another region.

414
Multi-Selecteasy

Which two statements about application security groups and service tags are correct? Select two.

Select 2 answers
A.An application security group lets you reference a set of virtual machines in NSG rules.
B.A service tag is a Microsoft-managed label for a service or address range.
C.Application security groups are used to assign Azure roles.
D.Service tags are custom labels you create for your own subscriptions.
E.Service tags create a private IP address for a service.
AnswersA, B

Correct because ASGs let you group VMs logically and then use the group name in NSG rules.

Why this answer

Option A is correct because an application security group (ASG) allows you to group virtual machines logically, and then reference that group as a source or destination in network security group (NSG) rules. This simplifies rule management by decoupling the rule from individual VM IP addresses or NICs, enabling dynamic membership based on application tiers.

Exam trap

The trap here is confusing application security groups (which handle network traffic filtering) with Azure RBAC roles (which handle access control), and assuming service tags are user-defined labels rather than Microsoft-managed, dynamic IP prefix groups.

415
MCQmedium

Based on the exhibit, the team wants to validate that a protected Azure VM can be recovered without affecting production. Which restore approach best meets the requirement?

A.Use Replace existing VM so the test uses the production name and disks.
B.Restore the VM to a separate resource group or test environment from the latest recovery point.
C.Export a snapshot and assume that proves the VM can boot successfully.
D.Enable Site Recovery failover, because backup restore and failover are identical.
AnswerB

Restoring to a separate resource group creates an isolated test copy of the VM. That lets the team validate recovery from a recent backup without touching the production workload or its current disks.

Why this answer

Restoring the VM to a separate resource group or test environment from the latest recovery point creates an isolated copy of the VM that does not interact with production resources. This approach validates recoverability without risking production name conflicts, IP address overlaps, or accidental data modification. Azure Backup's restore-to-new-location option explicitly supports this isolation by allowing you to choose a different resource group, virtual network, and storage account.

Exam trap

The trap here is that candidates confuse 'Replace existing VM' with a non-disruptive test, not realizing that this option directly modifies the production VM's disks and metadata, which would cause downtime and data loss if the test fails.

How to eliminate wrong answers

Option A is wrong because 'Replace existing VM' overwrites the production VM's disks and configuration, which directly affects production and violates the requirement to avoid impact. Option C is wrong because exporting a snapshot only captures a point-in-time disk image; it does not validate that the VM can boot, that applications start correctly, or that network and configuration dependencies are met. Option D is wrong because Site Recovery failover is designed for disaster recovery and replication, not for backup validation; performing a failover can disrupt replication and may incur costs, and backup restore and failover are fundamentally different processes with different recovery point objectives and consistency guarantees.

416
MCQmedium

An operations team maintains a hardened Windows Server image with application prerequisites and monitoring tools already installed. They want to deploy future VMs from the same versioned image in multiple subscriptions and promote a new build only after testing. Which Azure feature should they use?

A.A managed disk snapshot created from one of the VMs
B.An Azure Compute Gallery image version
C.A custom script extension installed during VM provisioning
D.An availability set containing the VMs
AnswerB

A gallery image version provides a reusable, versioned VM image that can be shared and deployed consistently.

Why this answer

An Azure Compute Gallery (formerly Shared Image Gallery) allows you to store and manage multiple versions of a custom VM image, replicate them across regions, and share them across subscriptions. This enables the team to maintain a hardened, versioned image, deploy VMs from it in multiple subscriptions, and promote a new build only after testing by creating a new image version.

Exam trap

The trap here is that candidates often confuse a managed disk snapshot with a reusable image, but snapshots lack versioning, cross-subscription sharing, and the ability to promote builds after testing, which are core requirements for this scenario.

How to eliminate wrong answers

Option A is wrong because a managed disk snapshot captures only the state of a single disk at a point in time and cannot be versioned, shared across subscriptions, or used to deploy VMs with application prerequisites and monitoring tools in a repeatable manner. Option C is wrong because a custom script extension runs during VM provisioning to install software or apply configurations, but it does not create a reusable, versioned image that can be shared across subscriptions and promoted after testing. Option D is wrong because an availability set is a logical grouping of VMs to provide high availability within a single subscription, and it has no role in image management, versioning, or cross-subscription deployment.

417
MCQmedium

You need to be notified whenever the average CPU usage of VM-App01 exceeds 80 percent for 10 minutes. The solution must send an email to the operations team automatically. What should you configure?

A.Create an Azure Monitor metric alert and link it to an action group.
B.Create an Azure Advisor recommendation alert.
C.Create an activity log alert for the virtual machine.
D.Create a subscription budget alert.
AnswerA

This is the standard way to send automated notifications based on CPU thresholds.

Why this answer

Option A is correct because Azure Monitor metric alerts can evaluate performance counters like CPU usage over a specified time window (e.g., 10 minutes) and trigger an action group when the threshold (80%) is exceeded. The action group can be configured with an email notification to the operations team, meeting the requirement automatically.

Exam trap

The trap here is confusing activity log alerts (which track management-plane operations) with metric alerts (which track performance data), leading candidates to choose Option C when they need real-time metric-based monitoring.

How to eliminate wrong answers

Option B is wrong because Azure Advisor recommendations are proactive suggestions for cost, security, reliability, and performance optimization, not real-time monitoring alerts based on metric thresholds. Option C is wrong because activity log alerts trigger on Azure resource management events (e.g., VM start/stop, configuration changes), not on performance metrics like CPU usage. Option D is wrong because subscription budget alerts monitor cost spending against a defined budget, not VM-level performance metrics.
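The configuration behind this question and question 408, as an added example that is not part of the original page: an action group with an e-mail receiver, and a metric alert on VM-App01 that evaluates average CPU over a 10-minute window against an 80 percent threshold and references the action group. The action group name, the recipient address and the VM resource id parameter are assumptions.

```bicep
// Added example (not from the original page). ops@example.com is a placeholder recipient.
param vmResourceId string   // e.g. resourceId('Microsoft.Compute/virtualMachines', 'VM-App01')
param opsEmail string = 'ops@example.com'

// The action group is the delivery channel. Alert rules without one evaluate and fire
// but notify nobody, which is the situation described in question 408.
resource opsActionGroup 'Microsoft.Insights/actionGroups@2023-01-01' = {
  name: 'ag-operations'
  location: 'global'
  properties: {
    groupShortName: 'ops'
    enabled: true
    emailReceivers: [
      {
        name: 'operations-team'
        emailAddress: opsEmail
        useCommonAlertSchema: true
      }
    ]
  }
}

resource cpuAlert 'Microsoft.Insights/metricAlerts@2018-03-01' = {
  name: 'alert-vmapp01-cpu-high'
  location: 'global'
  properties: {
    description: 'Average CPU above 80% for 10 minutes on VM-App01'
    severity: 2
    enabled: true
    scopes: [
      vmResourceId
    ]
    evaluationFrequency: 'PT1M'   // how often the condition is checked
    windowSize: 'PT10M'           // the 10-minute window the average is taken over
    criteria: {
      'odata.type': 'Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria'
      allOf: [
        {
          name: 'HighCpu'
          metricNamespace: 'Microsoft.Compute/virtualMachines'
          metricName: 'Percentage CPU'
          timeAggregation: 'Average'
          operator: 'GreaterThan'
          threshold: 80
          criterionType: 'StaticThresholdCriterion'
        }
      ]
    }
    actions: [
      {
        actionGroupId: opsActionGroup.id   // the missing piece in question 408
      }
    ]
  }
}
```

Changing evaluationFrequency alone (option A in question 408) still leaves the actions array empty, so no e-mail is ever sent.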

418
Multi-Selecthard

A Windows VM in VNet-App must access an Azure Files share over a private IP address. The storage account must not be reachable through its public endpoint, and the VM should resolve the file share name without custom host-file entries. Which three actions are required? Select three.

Select 3 answers
A.Create a private endpoint for the file service in VNet-App.
B.Create and link the private DNS zone privatelink.file.core.windows.net to VNet-App.
C.Disable public network access on the storage account.
D.Enable a service endpoint for Microsoft.Storage on the subnet instead of a private endpoint.
E.Grant the VM's managed identity the Storage File Data SMB Share Reader role to create the private path.
AnswersA, B, C

A private endpoint places the storage service on a private IP in the virtual network.

Why this answer

Option A is correct because a private endpoint assigns a private IP address from VNet-App to the Azure Files service, enabling the VM to access the file share over a private IP without traversing the public internet. This is required to meet the requirement that the storage account must not be reachable through its public endpoint.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, thinking both provide private IP access, but service endpoints only provide a public endpoint route through the VNet and do not block public internet access.

419
MCQeasy

A stateless web application needs a group of identical Azure VMs that can automatically add more instances during the workday and remove them at night based on CPU usage. What should the administrator deploy?

A.An availability set with two VMs
B.A virtual machine scale set with autoscale rules
C.A single VM with a larger disk
D.An Azure Policy assignment to increase CPU capacity
AnswerB

A scale set is designed for identical VMs that can expand or shrink automatically based on demand.

Why this answer

A virtual machine scale set (VMSS) with autoscale rules is the correct solution because it provides a group of identical, load-balanced VMs that can automatically scale out (add instances) during high CPU usage in the workday and scale in (remove instances) at night based on CPU thresholds. This matches the stateless, elastic requirement perfectly, as VMSS is designed for horizontal scaling of identical instances with autoscale policies tied to metrics like CPU percentage.

Exam trap

The trap here is that candidates often confuse availability sets (which provide fault tolerance but no scaling) with virtual machine scale sets (which provide both scaling and high availability), or they mistakenly think Azure Policy can dynamically adjust compute resources, when it only enforces configuration rules.

How to eliminate wrong answers

Option A is wrong because an availability set only provides high availability by distributing VMs across fault and update domains, but it does not support automatic scaling based on CPU usage; you would need to manually add or remove VMs. Option C is wrong because a single VM with a larger disk addresses vertical scaling (increasing resources of one instance), not horizontal scaling (adding/removing identical instances), and it cannot automatically adjust capacity based on CPU load. Option D is wrong because Azure Policy is a governance tool used to enforce compliance rules (e.g., restricting VM sizes), not to dynamically increase compute capacity or trigger autoscaling actions.

420
MCQmedium

A VM-based application must connect to Azure SQL Database over a private IP inside the VNet. The SQL server name must resolve to that private IP, and public network access must remain disabled. What should the administrator deploy?

A.A service endpoint for Microsoft.Sql on the subnet.
B.A private endpoint for the SQL server and a private DNS zone linked to the VNet.
C.A user-defined route that points SQL traffic to the Internet.
D.An NSG rule that allows TCP 1433 from the subnet to Azure SQL.
AnswerB

Private endpoints place the PaaS service behind a private IP address in the virtual network. For name resolution to work correctly, the SQL server name must also resolve through a private DNS zone linked to the VNet. This design keeps public network access disabled while allowing the VM to reach Azure SQL entirely over private connectivity. It is the right fit when both private IP access and DNS integration are required.

Why this answer

A private endpoint assigns the Azure SQL Database a private IP from the VNet, ensuring traffic stays within the Microsoft backbone. A private DNS zone linked to the VNet allows the SQL server name (e.g., server.database.windows.net) to resolve to that private IP, meeting the requirement for name resolution. Public network access is disabled via the SQL server's firewall settings, which is a prerequisite for private endpoint connectivity.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, assuming both provide private IP connectivity, but service endpoints only provide source VNet identity and do not assign a private IP to the Azure service.

How to eliminate wrong answers

Option A is wrong because a service endpoint for Microsoft.Sql does not assign a private IP to the SQL server; it only extends the VNet's identity to the Azure SQL service, and the SQL server still uses a public endpoint, which cannot be used when public network access is disabled. Option C is wrong because a user-defined route pointing SQL traffic to the Internet would force traffic out to the public internet, violating the requirement for private IP connectivity and disabling public access. Option D is wrong because an NSG rule allowing TCP 1433 from the subnet to Azure SQL does not change the fact that the SQL server's public endpoint is used; it only controls firewall-level access, not private IP resolution or disabling public network access.
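The private endpoint plus private DNS design from this question and question 418, as an added example that is not part of the original page: a private endpoint for an existing Azure SQL logical server, the privatelink.database.windows.net zone linked to the VNet, and the DNS zone group that writes the endpoint's A record into that zone. It assumes the SQL server already exists with publicNetworkAccess set to Disabled, and that the VNet and subnet names are as given.

```bicep
// Added example (not from the original page). For the Azure Files case in question 418,
// point privateLinkServiceId at the storage account, use groupIds: [ 'file' ] and the zone
// privatelink.file.core.windows.net instead.
param location string = resourceGroup().location
param sqlServerName string
param vnetName string
param subnetName string = 'snet-app'

resource sqlServer 'Microsoft.Sql/servers@2021-11-01' existing = {
  name: sqlServerName
}

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: vnetName
}

resource subnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' existing = {
  parent: vnet
  name: subnetName
}

// The endpoint creates a NIC in snet-app; that private IP is what the VM will connect to.
resource sqlPe 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-${sqlServerName}'
  location: location
  properties: {
    subnet: {
      id: subnet.id
    }
    privateLinkServiceConnections: [
      {
        name: 'sql-connection'
        properties: {
          privateLinkServiceId: sqlServer.id
          groupIds: [
            'sqlServer'
          ]
        }
      }
    ]
  }
}

// The zone name is fixed by the service: the public name <server>.database.windows.net
// is a CNAME to <server>.privatelink.database.windows.net, which this zone answers for.
// environment().suffixes.sqlServerHostname is '.database.windows.net' in public Azure.
resource sqlDnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink${environment().suffixes.sqlServerHostname}'
  location: 'global'
}

// Linking the zone is what makes VMs in VNet-App use it for resolution; without the link
// the VM still gets the public answer, which is exactly the host-file workaround the
// question rules out.
resource zoneLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: sqlDnsZone
  name: '${vnetName}-link'
  location: 'global'
  properties: {
    virtualNetwork: {
      id: vnet.id
    }
    registrationEnabled: false
  }
}

// The zone group writes the endpoint's A record into the zone and keeps it current.
resource dnsZoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = {
  parent: sqlPe
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      {
        name: 'sql-config'
        properties: {
          privateDnsZoneId: sqlDnsZone.id
        }
      }
    ]
  }
}
```

A quick check from the VM is to resolve the server name and confirm the answer is an address from snet-app rather than a public IP.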

421
MCQmedium

A web tier and an app tier run on separate Azure VMs in the same region. Each VM's NIC is added to an application security group named WebASG or AppASG. The administrator must allow only the web tier to connect to the app tier on TCP 8443, and future VM scale-outs must be included automatically. Which NSG rule should be created?

A.An inbound rule that uses the current web VM's private IP as the source and the current app VM's private IP as the destination.
B.An inbound rule with source WebASG, destination AppASG, protocol TCP, and destination port 8443.
C.A route table that sends TCP 8443 traffic from the web subnet to the app subnet.
D.An Azure Firewall application rule collection that permits all traffic between the two subnets.
AnswerB

Using application security groups is the best fit because the rule follows the role of the VM, not a fixed IP address. When new web or app VMs are added to their respective ASGs, the NSG rule automatically covers them. This provides least-privilege connectivity between tiers while keeping the configuration maintainable during scale-out and redeployment events.

Why this answer

Option B is correct because application security groups (ASGs) allow you to configure network security as a natural extension of an application's structure, enabling you to group VMs by their roles (e.g., web tier, app tier) and define rules based on those groups. By creating an inbound NSG rule with source WebASG and destination AppASG on TCP port 8443, any VM added to WebASG can initiate traffic to any VM in AppASG, and future scale-outs are automatically included without manual IP updates. This approach is dynamic, scalable, and aligns with the requirement for automatic inclusion of new VMs.

Exam trap

The trap here is that candidates often confuse network security groups (NSGs) with route tables, thinking that routing can enforce access control, or they default to using static IP addresses in NSG rules, missing the dynamic, group-based capability of application security groups that automatically includes new VMs.

How to eliminate wrong answers

Option A is wrong because it uses static private IP addresses as source and destination, which would require manual updates whenever VMs are added or removed during scale-outs, failing the 'future VM scale-outs must be included automatically' requirement. Option C is wrong because a route table controls the path traffic takes between subnets, not the security policy; it does not filter traffic based on port or protocol, and it cannot enforce that only the web tier can connect to the app tier on TCP 8443. Option D is wrong because an Azure Firewall application rule collection is designed for filtering outbound HTTP/HTTPS traffic based on FQDNs, not for controlling inbound inter-VM traffic within the same region; it is an over-engineered and costly solution that does not leverage the simpler, native ASG capability.
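The NSG rule from this question (and the TCP 443 variant in question 412), as an added example that is not part of the original page: two application security groups and an NSG whose allow rule references the groups instead of VM IP addresses, followed by an explicit deny so that "only" the web tier can reach the app tier. The ASG and NSG names and the port parameter are assumptions.

```bicep
// Added example (not from the original page). Set appPort to 443 for question 412.
param location string = resourceGroup().location
param appPort int = 8443

resource webAsg 'Microsoft.Network/applicationSecurityGroups@2023-05-01' = {
  name: 'WebASG'
  location: location
}

resource appAsg 'Microsoft.Network/applicationSecurityGroups@2023-05-01' = {
  name: 'AppASG'
  location: location
}

resource nsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-app-tier'
  location: location
  properties: {
    securityRules: [
      {
        // Membership is decided by each NIC's applicationSecurityGroups setting, so a VM
        // added to WebASG during scale-out is covered without touching this rule.
        name: 'Allow-Web-To-App'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceApplicationSecurityGroups: [
            {
              id: webAsg.id
            }
          ]
          sourcePortRange: '*'
          destinationApplicationSecurityGroups: [
            {
              id: appAsg.id
            }
          ]
          destinationPortRange: string(appPort)
        }
      }
      {
        // The default AllowVnetInBound rule (priority 65000) would otherwise let any other
        // VM in the VNet, including same-subnet peers, reach the app tier. This deny closes
        // that gap; it also blocks app-to-app and jump-host traffic, so add allows above it
        // for anything else the tier legitimately needs.
        name: 'Deny-Other-VNet-To-App'
        properties: {
          priority: 200
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: 'VirtualNetwork'
          sourcePortRange: '*'
          destinationApplicationSecurityGroups: [
            {
              id: appAsg.id
            }
          ]
          destinationPortRange: '*'
        }
      }
    ]
  }
}
```

The NSG still has to be associated with the subnet or the app-tier NICs, and each NIC's IP configuration must list its ASG; the rule itself never mentions an IP address.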

422
MCQeasy

A stateless web service must handle traffic spikes by adding or removing instances automatically based on CPU usage. Which Azure service fits best?

A.One larger standalone VM
B.Availability set with two VMs
C.Virtual machine scale set with autoscale
D.Recovery Services vault backup
AnswerC

A VM scale set with autoscale is designed for stateless workloads that need automatic instance scaling based on metrics.

Why this answer

A Virtual Machine Scale Set (VMSS) with autoscale is the correct choice because it automatically adjusts the number of VM instances based on CPU utilization metrics, enabling the stateless web service to handle traffic spikes by scaling out (adding instances) and scaling in (removing instances) as needed. This aligns with the requirement for a stateless, elastic, and automated scaling solution.

Exam trap

The trap here is that candidates often confuse high availability (provided by availability sets) with autoscaling, or assume a single large VM can handle spikes via vertical scaling, ignoring the need for horizontal, automated scaling for stateless workloads.

How to eliminate wrong answers

Option A is wrong because a single large standalone VM cannot scale out or in; it only supports vertical scaling (resizing), which requires downtime and cannot handle traffic spikes dynamically. Option B is wrong because an availability set provides high availability through fault and update domains but does not include autoscaling capabilities; it only distributes a fixed number of VMs across physical hardware. Option D is wrong because a Recovery Services vault is used for backup and disaster recovery, not for compute scaling or handling traffic spikes.

423
Multi-Selecthard

A customer-facing service needs to survive a single datacenter outage in a zone-supported region. You do not need cross-region failover, but you do need Azure to spread instances without manual placement errors. Which two deployment choices satisfy that goal? Select two.

Select 2 answers
A.Place the VMs in different availability zones within the same region.
B.Use an availability set and expect it to cover a zone outage.
C.Deploy the workload in a zone-enabled virtual machine scale set.
D.Keep all instances in one zone and rely on the load balancer.
E.Use a paired region for automatic in-region zone balancing.
AnswersA, C

Spreading the workload across multiple availability zones protects against a datacenter-level failure within the region. It also keeps traffic local to the region, which matches the requirement that cross-region failover is not needed.

Why this answer

Option A is correct because availability zones are physically separate datacenters within a region, each with independent power, cooling, and networking. Placing VMs in different zones ensures that a single datacenter outage does not affect all instances, meeting the survivability requirement without manual placement errors. Azure automatically distributes VMs across selected zones, eliminating human error in instance placement.

Exam trap

The trap here is confusing availability sets (which protect against rack failures within a single datacenter) with availability zones (which protect against full datacenter outages), leading candidates to incorrectly select Option B as a valid solution for zone-level resilience.

424
MCQeasy

A company wants to group several subscriptions for Finance, HR, and Engineering so that the same governance settings can be applied above the subscription level. What should the administrator create?

A.A management group
B.A resource group
C.A tag
D.A resource lock
AnswerA

Management groups are designed to contain subscriptions and provide a hierarchy above the subscription level. Policies, access controls, and other governance settings can be assigned at the management group level and inherited by the subscriptions underneath it, which makes them the correct choice for organizing Finance, HR, and Engineering subscriptions together.

Why this answer

A management group is the correct choice because it allows you to organize multiple Azure subscriptions into a hierarchy and apply governance policies, role-based access control (RBAC), and compliance settings at a scope above the subscription level. By creating a management group for Finance, HR, and Engineering, the administrator can enforce consistent Azure Policy initiatives and RBAC assignments across all three subscriptions, ensuring uniform governance without needing to configure each subscription individually.

Exam trap

The trap here is that candidates often confuse management groups with resource groups, thinking resource groups can span subscriptions, but resource groups are strictly scoped to a single subscription and cannot aggregate governance across multiple subscriptions.

How to eliminate wrong answers

Option B is wrong because a resource group is a logical container for resources within a single subscription, not a mechanism to group multiple subscriptions or apply governance above the subscription level. Option C is wrong because a tag is a metadata key-value pair used for organizing resources and cost tracking, but it cannot enforce governance settings like policies or RBAC across subscriptions. Option D is wrong because a resource lock prevents accidental deletion or modification of a resource or resource group, but it operates at the resource or resource group level and cannot group subscriptions or apply governance above the subscription scope.

425
Multi-Selectmedium

A stateless web tier must survive a datacenter outage in a region that supports availability zones, and the number of instances should increase during business hours. Which three actions should the administrator take? Select three.

Select 3 answers
A.Deploy the workload as a virtual machine scale set instead of a standalone VM.
B.Enable zone distribution for the scale set in a region that supports availability zones.
C.Configure autoscale so the instance count can change according to demand.
D.Place all instances in a single availability set and scale them manually.
E.Deploy only one zonal VM and use snapshots to recover if the datacenter fails.
AnswersA, B, C

A VM scale set is the Azure compute service designed for identical, horizontally scalable instances. It gives the administrator a single resource to manage for deployment, scaling, and placement across multiple instances.

Why this answer

A virtual machine scale set (VMSS) provides automatic scaling and high availability across multiple instances, which is essential for a stateless web tier that must survive a datacenter outage. By deploying as a scale set instead of a standalone VM, the administrator gains the ability to distribute instances across availability zones and configure autoscale rules to adjust capacity based on demand, meeting both the resilience and elasticity requirements.

Exam trap

The trap here is that candidates often confuse availability sets (which protect against rack failures) with availability zones (which protect against datacenter outages), leading them to select option D instead of the correct zone distribution in option B.

426
MCQ · easy

A support engineer needs to search a Log Analytics workspace for only failed sign-in records. Which KQL query should they use?

A.SigninLogs | where ResultType == 0
B.SigninLogs | where ResultType != 0
C.SigninLogs | summarize count()
D.SigninLogs | project UserPrincipalName
Answer: B

Filtering for values other than zero is a common way to return failed sign-in records in SigninLogs.

Why this answer

Option B is correct because in Azure AD sign-in logs, a `ResultType` of 0 indicates a successful sign-in, while any non-zero value (e.g., 50125, 53003) indicates a failure. The KQL query `SigninLogs | where ResultType != 0` filters for all records where the result type is not zero, thus returning only failed sign-in records.

Exam trap

The trap here is that candidates may mistakenly think `ResultType == 0` indicates a failure, when in fact 0 means success, and they overlook that non-zero values represent various failure codes.

How to eliminate wrong answers

Option A is wrong because `ResultType == 0` filters for successful sign-ins, not failures. Option C is wrong because `summarize count()` returns a count of all sign-in records without any filtering for failures. Option D is wrong because `project UserPrincipalName` only selects the user principal name column, discarding all other data and not filtering for failed sign-ins.
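The same filter as option B, applied to a handful of constructed SigninLogs-shaped rows so the effect of `ResultType != 0` can be seen without a workspace. This is an added Python example, not part of the original question bank: the rows, user names and result descriptions are constructed; the codes 50125 and 53003 come from the explanation above and 50126 (invalid username or password) is an additional real sign-in error code. The summaries mirror a trailing `summarize count() by ...` clause, which is what an analyst usually adds next.

```python
from collections import Counter

# Constructed sample rows shaped like the SigninLogs table (not real log data).
# ResultType is carried as a string, which is how the table stores it.
SAMPLE_SIGNIN_LOGS = [
    {"TimeGenerated": "2024-05-01T08:00:00Z", "UserPrincipalName": "alice@contoso.example",
     "ResultType": "0", "ResultDescription": ""},
    {"TimeGenerated": "2024-05-01T08:01:10Z", "UserPrincipalName": "bob@contoso.example",
     "ResultType": "50126", "ResultDescription": "Invalid username or password"},
    {"TimeGenerated": "2024-05-01T08:02:30Z", "UserPrincipalName": "carol@contoso.example",
     "ResultType": "0", "ResultDescription": ""},
    {"TimeGenerated": "2024-05-01T08:03:05Z", "UserPrincipalName": "bob@contoso.example",
     "ResultType": "53003", "ResultDescription": "Blocked by Conditional Access"},
    {"TimeGenerated": "2024-05-01T08:04:40Z", "UserPrincipalName": "dave@contoso.example",
     "ResultType": "50125", "ResultDescription": "Sign-in interrupted by password reset"},
    {"TimeGenerated": "2024-05-01T08:05:55Z", "UserPrincipalName": "bob@contoso.example",
     "ResultType": "50126", "ResultDescription": "Invalid username or password"},
]


def is_failed_signin(row):
    """Equivalent of `where ResultType != 0`: 0 means success, any other code is a failure."""
    return int(row["ResultType"]) != 0


def failed_signins(rows):
    """`SigninLogs | where ResultType != 0` over an in-memory list of rows."""
    return [r for r in rows if is_failed_signin(r)]


def failures_by_result_type(rows):
    """`SigninLogs | where ResultType != 0 | summarize count() by ResultType`."""
    return dict(Counter(r["ResultType"] for r in failed_signins(rows)))


def failures_by_user(rows):
    """`SigninLogs | where ResultType != 0 | summarize count() by UserPrincipalName`."""
    return dict(Counter(r["UserPrincipalName"] for r in failed_signins(rows)))


if __name__ == "__main__":
    for row in failed_signins(SAMPLE_SIGNIN_LOGS):
        print(row["TimeGenerated"], row["UserPrincipalName"], row["ResultType"], row["ResultDescription"])
    print(failures_by_result_type(SAMPLE_SIGNIN_LOGS))
    print(failures_by_user(SAMPLE_SIGNIN_LOGS))
```

Note the `int(...)` normalisation: the table stores ResultType as a string, so a comparison that does not account for that returns nothing rather than failures, which is the kind of silent miss worth checking for when a query unexpectedly comes back empty.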

427
MCQ · hard

Your company must retain Azure Activity Log data beyond the default retention period and make it available for long-term analysis. What should you configure?

A.Diagnostic settings for the Activity Log
B.A ReadOnly lock on the subscription
C.An availability set
D.NSG flow logs only
Answer: A

Diagnostic settings export Activity Log data to supported long-term destinations.

Why this answer

Diagnostic settings for the Activity Log allow you to stream the log to a Log Analytics workspace, storage account, or Event Hubs, thereby extending retention beyond the default 90 days (for storage) or indefinitely (in Log Analytics). This is the only mechanism that enables long-term retention and analysis of Azure Activity Log data.

Exam trap

The trap here is that candidates often confuse the default 90-day retention of the Activity Log with the ability to extend it via a simple lock or by enabling NSG flow logs, not realizing that only diagnostic settings provide the export and retention control needed for long-term analysis.

How to eliminate wrong answers

Option B is wrong because a ReadOnly lock on the subscription prevents accidental deletion or modification of resources but does not affect log retention or data collection. Option C is wrong because an availability set is a logical grouping of VMs to ensure high availability across fault and update domains; it has no relation to log retention or analysis. Option D is wrong because NSG flow logs capture IP traffic through a Network Security Group and are used for network monitoring and security analysis, not for retaining the Azure Activity Log (which records control-plane operations).

428
MCQ · medium

A web app in VNet1 must access a storage account by using a private IP address, and the storage account has public network access disabled. The app resolves the storage FQDN from inside the VNet. What should you deploy?

A.A service endpoint on the subnet so the storage account gets a private IP.
B.A private endpoint for the storage account and the required private DNS zone linkage.
C.A storage account firewall rule that allows the VNet and a public DNS record update.
D.A SAS token created for the application service principal.
Answer: B

A private endpoint gives the storage account a private IP address inside the virtual network, which is exactly what the scenario requires. Because the app must resolve the storage FQDN from within the VNet, private DNS is also needed so name resolution points to the private address instead of the public endpoint. This is the standard design for fully private access to Azure Storage.

Why this answer

A private endpoint assigns the storage account a private IP address from the VNet, enabling access via a private IP while public network access is disabled. The required private DNS zone linkage ensures the storage FQDN resolves to that private IP from within the VNet, meeting both requirements.

Exam trap

The trap here is confusing service endpoints (which only provide source VNet identity and no private IP) with private endpoints (which provide a true private IP and DNS resolution), leading candidates to choose option A incorrectly.

How to eliminate wrong answers

Option A is wrong because a service endpoint does not assign a private IP to the storage account; it only extends the VNet identity to the service, and the storage account still uses a public IP. Option C is wrong because a storage account firewall rule allows traffic from the VNet but does not provide a private IP, and a public DNS record update would not resolve to a private IP inside the VNet. Option D is wrong because a SAS token provides delegated access via the public endpoint, which is disabled, and does not involve private IP resolution or VNet integration.

429
MCQ · hard

A media archive stores large video files that must survive a zone failure in the primary region and also be replicated to a paired region for disaster recovery. The archive team does not want anyone to read from the secondary region during normal operations, and cost should be lower than the read-access variant. Which redundancy option should you configure?

A.LRS, because it keeps copies in a single datacenter and is the lowest-cost option.
B.ZRS, because it protects against zone failures but not regional outages.
C.GZRS, because it adds zone redundancy and geo-replication without enabling secondary read access.
D.RA-GRS, because the read-access copy is needed whenever data is replicated to another region.
Answer: C

GZRS matches the requirement precisely. It protects the data from a zone failure by distributing copies across availability zones in the primary region. It also replicates the data to a paired secondary region for disaster recovery. Because the team does not want secondary read access during normal operations, the non-read-access version is the correct and typically lower-cost choice compared with RA-GZRS.

Why this answer

GZRS (Geo-Zone-Redundant Storage) is correct because it combines zone redundancy (three copies across availability zones in the primary region) with geo-replication to a paired secondary region, but crucially does not enable read access to the secondary region by default. This satisfies the requirement to survive a zone failure, provide disaster recovery to a paired region, and prevent reads from the secondary during normal operations, all at a lower cost than RA-GRS which includes secondary read access.

Exam trap

The trap here is that candidates often confuse GZRS with RA-GRS, assuming geo-replication always includes read access to the secondary region, but GZRS explicitly omits that read-access feature to lower cost while still providing zone and geo redundancy.

How to eliminate wrong answers

Option A is wrong because LRS (Locally Redundant Storage) keeps three copies within a single datacenter and does not protect against a zone failure (which spans multiple datacenters) nor provides geo-replication to a paired region. Option B is wrong because ZRS (Zone-Redundant Storage) protects against zone failures within the primary region but does not replicate data to a paired region for disaster recovery. Option D is wrong because RA-GRS (Read-Access Geo-Redundant Storage) enables read access to the secondary region, which violates the requirement that no one should read from the secondary region during normal operations, and it also costs more than GZRS.

430
MCQ · easy

A monthly report file must automatically move to a cheaper online tier after 90 days in Azure Blob Storage. Which feature should the administrator configure?

A.Blob lifecycle management
B.Archive rehydration policy
C.Snapshot retention
D.Storage account failover
Answer: A

Lifecycle management can automatically transition blobs between tiers based on age or other rules, reducing manual administration.

Why this answer

Blob lifecycle management is the correct feature because it allows administrators to define rules that automatically transition blobs to a cheaper access tier (e.g., from Hot to Cool) after a specified number of days. This policy operates at the storage account or container level and can move data to the Cool or Archive tier based on age, meeting the requirement of moving the report file after 90 days without manual intervention.

Exam trap

The trap here is that candidates may confuse archive rehydration (which moves data from the Archive tier back to an online tier) with lifecycle management, or think snapshot retention can handle tiering, but snapshots are only for versioning and recovery, not cost-based tier transitions.

How to eliminate wrong answers

Option B is wrong because archive rehydration policy is used to restore blobs from the Archive tier back to an online tier (Hot or Cool) for access, not to move data to a cheaper tier. Option C is wrong because snapshot retention manages the number of point-in-time snapshots of a blob, not the automatic tiering of the base blob based on age. Option D is wrong because storage account failover is a disaster recovery feature that switches the primary region to a secondary region in the event of an outage, unrelated to data lifecycle tiering.

431
MCQ · hard

You have an application that writes heavily to Azure-managed disks and requires the highest consistent IOPS and lowest latency. Which disk type should you choose?

A.Standard HDD
B.Standard SSD
C.Premium SSD v2
D.Archive storage
Answer: C

Premium SSD v2 is optimized for high IOPS and low latency workloads.

Why this answer

Premium SSD v2 is the correct choice because it is designed for high-performance workloads, offering sub-millisecond latency and the highest consistent IOPS among Azure managed disks. It supports up to 80,000 IOPS per disk and 1,200 MB/s throughput, making it ideal for write-heavy applications that demand low latency and predictable performance.

Exam trap

The trap here is that candidates often confuse Premium SSD v2 with standard Premium SSD, assuming the older tier provides the same performance, but Premium SSD v2 offers significantly higher IOPS and lower latency due to its independent provisioning model and NVMe support.

How to eliminate wrong answers

Option A is wrong because Standard HDD provides the lowest IOPS (up to 2,000 per disk) and highest latency (10-20 ms), making it unsuitable for write-heavy, low-latency workloads. Option B is wrong because Standard SSD offers moderate IOPS (up to 6,000 per disk) and latency (3-10 ms), which cannot match the consistent high IOPS and sub-millisecond latency required. Option D is wrong because Archive storage is a blob storage tier for infrequently accessed data, not a disk type for virtual machines, and it has retrieval times in hours, making it completely inappropriate for active write operations.

432
Multi-Select · medium

Your company plans to migrate on-premises file shares to Azure Files. You need to choose the appropriate Azure Files configuration for different scenarios. Which three of the following statements are correct? (Choose three.)

Select 3 answers
A.Azure Files supports SMB protocol, which allows mounting file shares from Windows, Linux, and macOS clients.
B.Azure file shares can be accessed over the internet using SMB 3.0 with encryption, provided port 445 is open.
C.Azure Files supports NFS protocol only for Premium file shares.
D.Azure file shares can be used as a backing store for Azure SQL Managed Instance databases.
E.Azure Files supports both SMB and NFS protocols for Standard file shares.
F.Azure Files requires a VPN or ExpressRoute for any access from on-premises.

Why this answer

Azure Files supports the SMB protocol, which is compatible with Windows, Linux, and macOS clients. This allows file shares to be mounted across different operating systems, making it a versatile solution for hybrid environments.

Exam trap

The trap here is that candidates often assume Azure Files requires a VPN or ExpressRoute for on-premises access, but SMB 3.0 with encryption can work over the internet if port 445 is open, and they may also incorrectly think NFS is supported on Standard file shares.

433
Matching · medium

Match each access scenario to the SAS or key type that best fits it.


Concepts
Matches

User delegation SAS

Service SAS

Account SAS

Storage account key

Why these pairings

Interactive logins use user delegation SAS; automated backups use system-assigned managed identity; cross-tenant access requires a service principal with certificate; VM patching uses system-assigned managed identity; app access to SQL uses user-assigned managed identity; key rotation uses storage account access keys.

434
MCQ · hard

You are deploying a stateless web application on Azure virtual machines. The solution must automatically add and remove instances based on CPU demand and allow all instances to be managed as one logical group. Which Azure compute feature should you deploy?

A.A Virtual Machine Scale Set
B.An availability set
C.A Recovery Services vault
D.Boot diagnostics
Answer: A

Scale Sets provide autoscaling and centralized management for identical VM instances.

Why this answer

A Virtual Machine Scale Set (VMSS) is the correct Azure compute feature because it automatically manages a group of identical, load-balanced VMs that can scale in and out based on CPU demand using autoscale rules. It treats all instances as a single logical group, enabling unified management, patching, and application deployment, which is exactly what the stateless web application requires.

Exam trap

The trap here is that candidates often confuse an availability set (which provides high availability) with a scale set (which provides both high availability and automatic scaling), leading them to select availability set when the question explicitly requires automatic scaling and logical group management.

How to eliminate wrong answers

Option B (availability set) is wrong because it only provides high availability by distributing VMs across fault and update domains, but it does not support automatic scaling or management as a single logical group. Option C (Recovery Services vault) is wrong because it is a backup and disaster recovery service for Azure VMs and on-premises workloads, not a compute feature for scaling or grouping instances. Option D (boot diagnostics) is wrong because it is a troubleshooting feature that captures serial console output and screenshots for VM boot failures, with no capability for scaling or logical grouping.

435
MCQ · easy

Based on the exhibit, which restore option should the administrator use to recover only the deleted file while keeping the VM online?

A.Restore the entire virtual machine to the latest recovery point.
B.Use File Recovery from the Recovery Services vault.
C.Redeploy the VM from the original image.
D.Disable backup protection and then re-enable it.
Answer: B

File Recovery is designed for exactly this scenario: recovering one or more files or folders from a VM backup without restoring the whole virtual machine. The VM stays online, users can continue working, and the administrator mounts the recovery point to copy back only the missing spreadsheet. This minimizes downtime and avoids overwriting unrelated data on the VM.

Why this answer

Option B is correct because Azure Backup's File Recovery feature allows you to mount a recovery point as a drive on the VM, enabling you to browse and restore individual files without affecting the running VM. This avoids the need to restore the entire VM or take it offline, which is essential for recovering only the deleted file while maintaining availability.

Exam trap

The trap here is that candidates may assume restoring the entire VM is the only way to recover files, overlooking the File Recovery option that provides granular, online file-level restore without impacting the running VM.

How to eliminate wrong answers

Option A is wrong because restoring the entire virtual machine to the latest recovery point would overwrite the current VM state, potentially causing downtime and data loss, and it recovers the entire VM rather than just the single deleted file. Option C is wrong because redeploying the VM from the original image would recreate the VM from scratch, losing all current data and configurations, and does not target the specific deleted file. Option D is wrong because disabling and re-enabling backup protection does not restore any data; it only stops and restarts the backup schedule, leaving the deleted file unrecovered.

436
MCQ · medium

A Windows file server VM must mount an Azure file share by using domain credentials instead of a storage account key. The organization already manages users in Active Directory Domain Services. Which authentication option should be configured for Azure Files?

A.Shared key authentication, because it is the default for Azure file shares.
B.Identity-based authentication with Active Directory Domain Services.
C.A service SAS created for the share and mapped as a network drive.
D.Anonymous access with public network restrictions disabled.
Answer: B

Azure Files can use identity-based authentication so Windows clients access the share with their domain identities instead of storage keys. In an environment that already has Active Directory Domain Services, that is the appropriate configuration for SMB-based access. It supports centralized identity management, aligns with existing Windows admin practices, and avoids embedding account keys in scripts or connection strings.

Why this answer

Azure Files supports identity-based authentication using Active Directory Domain Services (AD DS), which allows domain-joined Windows VMs to mount Azure file shares using their existing domain credentials instead of a storage account key. This enables Kerberos-based authentication and preserves NTFS permissions, meeting the requirement to avoid shared key access.

Exam trap

The trap here is that candidates may confuse shared key authentication (Option A) as the only supported method for Azure Files, overlooking the identity-based authentication capability that integrates with on-premises AD DS for domain-joined VMs.

How to eliminate wrong answers

Option A is wrong because shared key authentication uses the storage account key, not domain credentials, and is not the correct method for identity-based access. Option C is wrong because a service SAS provides time-limited delegated access via a token, not domain authentication, and cannot be mapped as a network drive using domain credentials. Option D is wrong because anonymous access disables authentication entirely and is not supported for Azure file shares with domain credentials; public network restrictions are unrelated to authentication method.

437
MCQ · hard

An administrator has already increased the size of a managed data disk attached to a running Windows VM. Azure now shows the larger disk size, but the application still cannot use the new capacity. What should the administrator do next?

A.Detach the disk, shrink it, and reattach it to refresh the filesystem.
B.Expand the partition or volume inside the guest operating system.
C.Convert the data disk to a shared disk so Windows can auto-detect the size increase.
D.Redeploy the virtual machine to apply the new disk size.
Answer: B

After Azure grows the managed disk, the operating system still needs to recognize and consume that extra space. Expanding the partition or volume inside the guest OS is the required next step so the application can use the larger capacity.

Why this answer

When a managed data disk attached to a running Windows VM is resized in Azure, the underlying virtual hard disk (VHD) expands, but the guest operating system does not automatically recognize the new unallocated space. The administrator must use the Disk Management tool (diskmgmt.msc) or the diskpart command to extend the volume or partition into the unallocated space. This is a standard operating system task, not an Azure control-plane action.

Exam trap

The trap here is that candidates assume Azure automatically applies the size change to the guest OS, when in fact the administrator must manually extend the partition inside the operating system using disk management tools.

How to eliminate wrong answers

Option A is wrong because shrinking the disk would reduce capacity, not add it, and detaching/reattaching does not refresh the filesystem or recognize new space; the partition must be extended inside the OS. Option C is wrong because converting to a shared disk is unrelated to capacity detection; shared disks are for multi-VM cluster scenarios and do not trigger automatic partition expansion. Option D is wrong because redeploying the VM only moves it to a new host with the same disk configuration; it does not extend the partition inside the guest OS.

438
MCQ · medium

A contractor must import data into one blob container for six hours. The contractor should not receive the storage account key, and access must be limited to that container only. Which credential should the administrator generate?

A.A storage account access key, because it can be copied into the import tool.
B.A user delegation SAS, because it is signed with Microsoft Entra credentials and is time limited.
C.A shared key connection string, because it works with any tool that needs blob access.
D.A managed identity token, because the contractor can use it outside Azure directly.
Answer: B

A user delegation SAS is the most appropriate credential when you want temporary, scoped access to blob data without exposing the storage account key. It is generated using Microsoft Entra authorization, can be constrained to a specific container, and can expire after six hours. That combination gives the contractor only the access needed for the import task while keeping the underlying account credentials protected.

Why this answer

A user delegation SAS is signed with Microsoft Entra credentials (formerly Azure AD) and can be scoped to a specific blob container with a time limit. This meets the requirement of granting the contractor access only to that container for six hours without exposing the storage account key.

Exam trap

The trap here is that candidates often confuse a user delegation SAS with a service SAS or account SAS, mistakenly thinking any SAS is sufficient, but only a user delegation SAS avoids using the storage account key and can be precisely scoped to a single container with time-bound access.

How to eliminate wrong answers

Option A is wrong because a storage account access key grants full administrative access to the entire storage account, not just a single container, and it cannot be time-limited. Option C is wrong because a shared key connection string includes the storage account access key, which would expose full account access to the contractor. Option D is wrong because a managed identity token is designed for Azure resources to authenticate to Azure services, not for external users or tools outside Azure, and it cannot be scoped to a single container.

439
MCQ · medium

An administrator is deploying a new storage account for an application. The account must support blob containers, an Azure Files share, lifecycle rules for blobs, and standard access tiers. The application does not need premium performance for a single data service. Which storage account kind should be chosen?

A.BlobStorage, because it is optimized only for block blob workloads.
B.General-purpose v1, because it can host any storage object type.
C.General-purpose v2, because it supports blobs, files, access tiers, and lifecycle management.
D.BlockBlobStorage, because it is the best choice for any application that stores files.
Answer: C

General-purpose v2 is the recommended all-purpose storage account type for most Azure workloads. It supports blobs and files in the same account, offers Hot, Cool, and Archive access tiers, and supports lifecycle management for blobs. That combination matches the application requirements without forcing a premium specialized account.

Why this answer

General-purpose v2 (GPv2) storage accounts are the correct choice because they support all storage object types (blobs, files, queues, tables), standard access tiers (hot, cool, archive), and lifecycle management policies for blobs. This meets all the stated requirements without needing premium performance for a single data service.

Exam trap

The trap here is that candidates often confuse BlobStorage (which supports only blobs and lifecycle management) with General-purpose v2 (which supports blobs, files, lifecycle management, and access tiers), leading them to select BlobStorage when the requirement includes Azure Files shares.

How to eliminate wrong answers

Option A is wrong because BlobStorage accounts are optimized exclusively for block blob workloads and do not support Azure Files shares or lifecycle management policies. Option B is wrong because General-purpose v1 accounts lack support for standard access tiers and lifecycle management, and they are legacy accounts with fewer features. Option D is wrong because BlockBlobStorage accounts are premium-performance accounts designed only for block blobs and append blobs, not for Azure Files shares or standard access tiers.

440
MCQ · medium

Two virtual networks were created in different subscriptions. VNet-A uses 10.4.0.0/16 and VNet-B uses 10.4.128.0/17. You try to create peering between them, but Azure rejects the request. What is the best fix?

A.Enable gateway transit on both VNets before creating the peering.
B.Add a route table to one VNet so the address spaces no longer overlap.
C.Change one VNet to a non-overlapping address range, then create the peering again.
D.Create a private endpoint between the two VNets instead of peering.
Answer: C

Azure virtual network peering requires non-overlapping address spaces, so renumbering is the correct fix.

Why this answer

VNet peering requires that the address spaces of the two virtual networks do not overlap. VNet-A uses 10.4.0.0/16, which covers 10.4.0.0 to 10.4.255.255, and VNet-B uses 10.4.128.0/17, which falls entirely within that range (10.4.128.0 to 10.4.255.255). Azure rejects the peering because overlapping address spaces would cause routing conflicts.

The only correct fix is to change one VNet's address space to a non-overlapping range, then recreate the peering.

Exam trap

The trap here is that candidates may think adding a route table or enabling gateway transit can fix the overlap, but Azure enforces a strict non-overlapping address space requirement for VNet peering at the time of creation, and no routing configuration can bypass this fundamental constraint.

How to eliminate wrong answers

Option A is wrong because gateway transit is used to allow a peered VNet to use a VPN gateway in another VNet, and it does not resolve overlapping address spaces; overlapping ranges still prevent peering regardless of gateway settings. Option B is wrong because route tables (user-defined routes) control traffic flow within a VNet but cannot change the underlying address space of the VNet; the address space overlap remains, so peering is still rejected. Option D is wrong because a private endpoint provides private connectivity to a specific Azure service (e.g., Storage, SQL) and is not a substitute for VNet peering; it cannot connect two entire VNets together.

441
MCQ · medium

A company wants to peer a new spoke virtual network to an existing hub VNet. The hub uses 10.40.0.0/16, and the new spoke was created with 10.40.128.0/17 because that range seemed available in the branch office plan. Peering creation fails. What should the administrator do?

A.Add a second address prefix to the spoke VNet and keep the overlapping range.
B.Change the spoke VNet to a non-overlapping address space before peering.
C.Enable gateway transit on the hub VNet before retrying peering.
D.Create custom DNS records for the spoke VNet so the address ranges no longer conflict.
Answer: B

Azure VNet peering requires non-overlapping IP ranges. The spoke must use an address space that does not conflict with the hub or any connected network.

Why this answer

VNet peering requires that the address spaces of the peered virtual networks do not overlap. The hub uses 10.40.0.0/16, and the spoke uses 10.40.128.0/17, which is a subset of the hub’s range. Azure blocks peering when there is any overlap to prevent routing conflicts.

The correct fix is to change the spoke VNet to a non-overlapping address space, such as a different RFC 1918 range like 10.1.0.0/16, before attempting to peer.

Exam trap

The trap here is that candidates assume a subnet range like 10.40.128.0/17 is 'available' because it is not used by the hub’s subnets, but Azure VNet peering checks the entire VNet address space, not just the subnets, so any overlap at the VNet level causes failure.

How to eliminate wrong answers

Option A is wrong because adding a second address prefix to the spoke VNet does not resolve the overlap; Azure still sees the overlapping 10.40.128.0/17 range and will reject the peering, and overlapping address spaces cannot coexist in a peered topology. Option C is wrong because gateway transit is a feature that allows a spoke to use the hub’s VPN/ExpressRoute gateway, but it does not fix address space conflicts; peering will still fail due to overlapping ranges. Option D is wrong because custom DNS records are used for name resolution, not for routing or address space conflicts; overlapping IP ranges are a Layer 3 routing issue that DNS cannot resolve.
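The overlap check that Azure performs before accepting a peering, reproduced for the two scenarios above (questions 440 and 441) so the failure can be verified before any resource is created. This is an added Python example, not part of the original question bank and not Azure's own implementation; it uses the standard-library `ipaddress` module and compares whole VNet address spaces, not subnets, which is the point the exam trap makes. `suggest_non_overlapping` is my own helper for picking a replacement range and assumes you are allocating from 10.0.0.0/8.

```python
import ipaddress


def vnet_spaces_overlap(space_a, space_b):
    """Return every (prefix_a, prefix_b) pair that overlaps; an empty list means peering is allowed.

    Each argument is the full list of address prefixes of one VNet. Azure evaluates the whole
    VNet address space, so an unused part of a /16 still conflicts with a spoke carved out of it.
    strict=True rejects prefixes with host bits set, which Azure would also refuse.
    """
    nets_a = [ipaddress.ip_network(p, strict=True) for p in space_a]
    nets_b = [ipaddress.ip_network(p, strict=True) for p in space_b]
    return [(str(a), str(b)) for a in nets_a for b in nets_b if a.overlaps(b)]


def can_peer(space_a, space_b):
    """True when no prefix of either VNet overlaps a prefix of the other."""
    return not vnet_spaces_overlap(space_a, space_b)


def suggest_non_overlapping(existing_spaces, prefixlen=16, candidates=("10.0.0.0/8",)):
    """Pick the first /prefixlen block from the candidate supernets that overlaps none of the
    existing VNet address spaces (hub plus every network already peered or connected to it)."""
    used = [ipaddress.ip_network(p) for space in existing_spaces for p in space]
    for supernet in candidates:
        for block in ipaddress.ip_network(supernet).subnets(new_prefix=prefixlen):
            if not any(block.overlaps(u) for u in used):
                return str(block)
    return None


if __name__ == "__main__":
    # Question 440: two VNets in different subscriptions.
    print(vnet_spaces_overlap(["10.4.0.0/16"], ["10.4.128.0/17"]))
    # Question 441: hub/spoke; adding a second prefix (option A) does not remove the conflict.
    print(can_peer(["10.40.0.0/16"], ["10.40.128.0/17", "10.50.0.0/16"]))
    # Renumbered spoke (option B).
    print(can_peer(["10.40.0.0/16"], ["10.41.0.0/16"]))
    print(suggest_non_overlapping([["10.40.0.0/16"], ["10.0.0.0/16"]]))
```

Run this against the address spaces of every network reachable from the hub (including on-premises ranges advertised over VPN or ExpressRoute), not only the hub itself, because the same overlap rule is what breaks routing once transitive connectivity is in place.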

442
MCQ · easy

You want to let a support engineer restart only the virtual machines in the Prod-Apps resource group, and any VM added later to that group should also be covered. Where should you assign the role?

A.At the subscription scope, because it will cover the resource group and future VMs.
B.At the Prod-Apps resource group scope, because the assignment will inherit to all VMs in that group.
C.At each VM resource scope, because role assignments never inherit.
D.At the management group scope, because it is the only scope that applies to VMs.
Answer: B

This is correct because the resource group is the narrowest scope that still covers all VMs in Prod-Apps, including any future VMs created there. Assigning the role at the group scope keeps access limited to the intended set of resources while still taking advantage of Azure RBAC inheritance for child resources.

Why this answer

Assigning the 'Virtual Machine Contributor' role at the Prod-Apps resource group scope ensures that the support engineer can restart all current and future VMs within that group. Role assignments in Azure RBAC are inherited by all child resources, so any VM added later to the resource group automatically receives the same permissions. This is the most efficient and maintainable approach for managing access to a dynamic set of resources.

Exam trap

The trap here is that candidates often confuse scope inheritance with the need to assign roles at the subscription level to cover future resources, not realizing that resource group scope inheritance already covers all current and future child resources within that group.

How to eliminate wrong answers

Option A is wrong because assigning at the subscription scope would grant the support engineer restart permissions on all VMs across every resource group in the subscription, which is overly broad and violates the principle of least privilege. Option C is wrong because role assignments in Azure RBAC do inherit from parent scopes to child resources; assigning at each VM individually would be administratively burdensome and would not automatically cover VMs added later. Option D is wrong because the management group scope is used to organize subscriptions and apply governance policies across multiple subscriptions, not to directly manage access to VMs within a single resource group; assigning at that scope would be too broad and would not specifically target the Prod-Apps resource group.

443 · MCQ · medium

A support desk needs to reset the local administrator password on specific virtual machines by using the VMAccess extension and restart those VMs. They must not be able to resize the machines, change networking, or manage disks. What should the administrator create?

A.Assign the Virtual Machine Contributor built-in role at the subscription scope
B.Assign the Contributor role at the resource group scope
C.Create a custom role with only the required VM actions and assign it at the virtual machine scope
D.Use an Azure Policy assignment to allow the VMAccess extension
Answer: C

A custom role is the least-privilege option when built-in roles are too broad. By including only the actions needed for VM password reset and restart, and assigning the role at the virtual machine scope, the administrator restricts the support desk to exactly one workload and prevents changes to disks, networking, or sizing.

Why this answer

Option C is correct because the support desk needs only specific actions (reset local admin password via VMAccess extension and restart VMs) without permissions to resize, change networking, or manage disks. A custom role at the VM scope allows you to grant precisely the required Microsoft.Compute/virtualMachines/runCommand/action and Microsoft.Compute/virtualMachines/restart/action, while excluding broader management actions. This follows the principle of least privilege and prevents unintended modifications to other resources.

Exam trap

The trap here is that candidates often choose a built-in role like Virtual Machine Contributor or Contributor, mistakenly believing it provides only VM management, but these roles include broader permissions like resizing and disk management, which are explicitly prohibited in the scenario.

How to eliminate wrong answers

Option A is wrong because the Virtual Machine Contributor built-in role at subscription scope grants full control over VMs, including resizing, networking changes, and disk management, which exceeds the required permissions. Option B is wrong because the Contributor role at resource group scope provides full management access to all resources in that group, including the ability to resize VMs, modify networking, and manage disks, violating the least-privilege requirement. Option D is wrong because Azure Policy assignments enforce compliance rules (e.g., allowed extensions) but do not grant permissions; they cannot authorize the support desk to run the VMAccess extension or restart VMs.

444 · MCQ · easy

Based on the exhibit, a shared resource group contains a production virtual machine and a storage account. Administrators must be able to update settings, but they must not be able to delete either resource by mistake. Which lock should be applied at the resource group scope?

A.ReadOnly lock, because it prevents all changes and keeps resources fully protected.
B.CanNotDelete lock, because it allows updates but blocks deletion.
C.No lock is needed because Azure RBAC already prevents deletion by default.
D.Management group lock, because all changes in the tenant must be blocked centrally.
Answer: B

CanNotDelete is the correct choice when administrators still need to modify resource settings but must be prevented from deleting the resources. Applied at the resource group scope, it protects both the VM and the storage account from accidental deletion while preserving normal update operations.

Why this answer

The CanNotDelete lock (option B) is correct because it allows administrators to update settings on the production VM and storage account while preventing accidental deletion of either resource. This lock operates at the resource group scope, applying to all resources within it, and is the appropriate choice for the stated requirement of allowing updates but blocking deletions.

Exam trap

The trap here is that candidates often confuse ReadOnly locks with CanNotDelete locks, mistakenly thinking that preventing all changes is safer, but the question explicitly requires allowing updates, making ReadOnly locks too restrictive.

How to eliminate wrong answers

Option A is wrong because a ReadOnly lock prevents all changes, including updates to settings, which contradicts the requirement that administrators must be able to update settings. Option C is wrong because Azure RBAC does not prevent deletion by default; RBAC controls who can perform actions, but without a lock, users with Contributor or Owner roles can delete resources. Option D is wrong because a management group lock applies to all subscriptions within the management group hierarchy, not just a single resource group, and would be overly broad for this specific requirement.

445 · Multi-Select · medium

A contractor must manage only VM1 and VM2 in rg-prod. The contractor must not be able to manage any other resource in the resource group. Which two role assignment scopes should you create? Select two.

Select 2 answers
A.Assign the role at the VM1 resource scope.
B.Assign the role at the VM2 resource scope.
C.Assign the role at the rg-prod resource group scope.
D.Assign the role at the subscription scope.
E.Assign the role at the management group scope.
Answers: A, B

A resource-scope assignment on VM1 grants access only to that single virtual machine, which supports least privilege and prevents the contractor from touching unrelated resources.

Why this answer

Assigning the role at the VM1 resource scope (Option A) is correct because Azure RBAC allows you to scope a role assignment to an individual resource, such as a virtual machine. This grants the contractor permissions to manage only VM1, without affecting any other resources in the resource group. The same logic applies to VM2, making the resource-level scope the precise way to restrict management to just those two VMs.

Exam trap

The trap here is that candidates often default to assigning roles at the resource group scope for simplicity, overlooking that resource-level scoping is available and required when the goal is to restrict access to individual resources within a group.

446 · MCQ · medium

You create a private endpoint for an Azure Storage account. Virtual machines in VNet-App must resolve the storage account name to the private IP address of the endpoint. What should you configure?

A.A private DNS zone linked to VNet-App
B.A user-defined route on the subnet
C.An additional public IP address
D.An Azure Firewall policy
Answer: A

A private DNS zone provides the required private name resolution.

Why this answer

A private DNS zone linked to VNet-App is required because Azure Private Endpoint uses a private IP address from the virtual network, but the storage account's fully qualified domain name (FQDN) must resolve to that private IP within the VNet. By linking a private DNS zone (e.g., `privatelink.blob.core.windows.net`) to VNet-App and configuring an A record for the endpoint's private IP, VMs can resolve the storage account name to the correct private address. Without this, DNS resolution would fall back to the public IP, defeating the purpose of the private endpoint.

Exam trap

The trap here is that candidates often confuse network-level controls (like UDRs or firewalls) with DNS resolution, assuming they can force traffic to a private IP without configuring name resolution, but private endpoints require explicit DNS configuration to ensure the FQDN resolves to the private IP.

How to eliminate wrong answers

Option B is wrong because a user-defined route (UDR) controls network traffic flow (next-hop routing) at Layer 3, not DNS name resolution; it cannot map a hostname to an IP address. Option C is wrong because an additional public IP address is unrelated to private endpoint connectivity—private endpoints use private IPs, and adding a public IP would not influence DNS resolution within the VNet. Option D is wrong because an Azure Firewall policy governs traffic filtering and inspection, not DNS resolution; it does not create DNS records or manage name-to-IP mappings.

447 · MCQ · medium

The team already exports subscription activity logs to a Log Analytics workspace and wants an alert that can ignore delete operations performed by a known automation account. What should they create?

A.An activity log alert at the subscription scope
B.A scheduled query alert in Log Analytics using the AzureActivity table
C.A metric alert on the subscription
D.A diagnostic setting on the resource group
Answer: B

Because the activity logs are already in Log Analytics, a scheduled query alert gives the team full KQL flexibility. They can filter by operation name and exclude actions performed by the automation account before firing the alert. This is the best choice when alert logic must be more specific than a standard activity log rule.

Why this answer

Option B is correct because a scheduled query alert in Log Analytics can query the AzureActivity table to filter out delete operations performed by a specific automation account. This allows the alert to ignore those operations by excluding them in the query logic, which is not possible with activity log alerts that lack such granular filtering.

Exam trap

The trap here is that candidates often assume activity log alerts can filter by caller identity, but they only support static conditions like operation name or severity, not dynamic exclusion of specific principals.

How to eliminate wrong answers

Option A is wrong because activity log alerts at the subscription scope can only trigger on specific operations (e.g., delete) but cannot filter out operations based on the caller (e.g., a known automation account). Option C is wrong because metric alerts monitor performance metrics (e.g., CPU, memory) and cannot evaluate activity log data or filter delete operations. Option D is wrong because a diagnostic setting on a resource group only controls where logs are sent (e.g., to Log Analytics), not how alerts are created or filtered.

448 · Multi-Select · medium

You are responsible for monitoring and maintaining Azure resources for a large enterprise. Which four of the following actions or configurations can help you proactively identify performance bottlenecks, optimize costs, and ensure high availability? (Choose four.)

Select 4 answers
A.Configuring Azure Monitor autoscale rules to scale out virtual machine scale sets based on CPU usage.
B.Setting up Azure Service Health alerts to notify your team when Azure services in your region experience an outage.
C.Enabling Azure Advisor recommendations for resizing underutilized virtual machines to reduce costs.
D.Creating diagnostic settings to stream resource logs from Azure SQL Database to a Log Analytics workspace for query-based analysis.
E.Using Azure Backup Center to perform an on-demand restore of a deleted virtual machine to its original state.
F.Deploying Azure Traffic Manager with a failover routing method to reroute traffic away from a healthy endpoint.

Why this answer

Configuring Azure Monitor autoscale rules to scale out virtual machine scale sets based on CPU usage is correct because it proactively adjusts capacity in response to demand, preventing performance bottlenecks during spikes and reducing costs during low usage. This aligns with the goal of maintaining high availability and cost optimization through automated scaling.

Exam trap

The trap here is that candidates may confuse reactive recovery actions (like Backup Center restores) with proactive monitoring and optimization tasks, or misunderstand Traffic Manager's failover routing by assuming it reroutes away from a healthy endpoint instead of an unhealthy one.

449 · MCQ · medium

A production virtual machine is experiencing intermittent performance spikes. The operations team wants an alert when average CPU usage stays above 80 percent for 10 minutes and wants email and SMS notifications sent automatically. What should the administrator configure in Azure Monitor?

A.Create a log search alert on the VM performance data and attach a resource lock.
B.Create a metric alert on Percentage CPU and associate an action group with email and SMS receivers.
C.Assign an Azure Policy definition to the VM to stop it when CPU exceeds the threshold.
D.Enable diagnostic settings on the VM and send the data only to a storage account.
Answer: B

Metric alerts are the best fit for near real-time threshold monitoring of Azure platform metrics such as CPU. An action group delivers the notification channels, such as email and SMS, when the alert fires. This design meets both parts of the requirement: detect sustained CPU pressure and notify the operations team automatically without needing log ingestion or manual polling.

Why this answer

Option B is correct because Azure Monitor metric alerts can evaluate real-time performance counters like Percentage CPU against a threshold (e.g., 80%) over a specified duration (e.g., 10 minutes). By associating an action group with email and SMS receivers, the alert automatically triggers the desired notifications without requiring log ingestion or complex queries.

Exam trap

The trap here is that candidates confuse metric alerts (which evaluate live performance counters) with log search alerts (which require log ingestion and are slower), or mistakenly think Azure Policy can react to performance metrics instead of enforcing configuration rules.

How to eliminate wrong answers

Option A is wrong because a log search alert requires log data to be collected and queried, which adds latency and complexity; a resource lock prevents accidental deletion but does not send notifications. Option C is wrong because Azure Policy definitions enforce compliance rules (e.g., tagging, location) and cannot stop a VM based on performance metrics; they do not trigger alerts or notifications. Option D is wrong because enabling diagnostic settings to send data only to a storage account archives the data but does not create alerts or send email/SMS notifications.

450 · MCQ · medium

Your company has two subscriptions named Dev-Sub and Prod-Sub. A new administrator must be able to create resource groups only in Dev-Sub and must not have any permissions in Prod-Sub. What should you do?

A.Assign Contributor to the administrator at the management group scope.
B.Assign Contributor to the administrator at the Dev-Sub scope.
C.Assign Owner to the administrator at the resource group scope in Dev-Sub.
D.Assign Reader to the administrator at the Prod-Sub scope and Contributor at the tenant root group.
Answer: B

This limits the contributor permissions to Dev-Sub, which matches the requirement.

Why this answer

Option B is correct because assigning the Contributor role at the Dev-Sub scope grants the administrator full permissions to create and manage resource groups within that subscription, while the role assignment is scoped exclusively to Dev-Sub, ensuring no permissions in Prod-Sub. Azure RBAC is hierarchical, so a role assigned at a subscription scope applies to all resource groups within it, but does not cross subscription boundaries. This meets the requirement of allowing resource group creation only in Dev-Sub with no access to Prod-Sub.

Exam trap

The trap here is that candidates often confuse the scope required to create resource groups (subscription-level write permission) with the ability to manage existing resource groups (resource group-level permission), leading them to incorrectly choose Option C (Owner at resource group scope) which only allows management of that specific resource group, not creation of new ones.

How to eliminate wrong answers

Option A is wrong because assigning Contributor at the management group scope would grant permissions to all subscriptions under that management group, including Prod-Sub, violating the requirement that the administrator must have no permissions in Prod-Sub. Option C is wrong because assigning Owner at the resource group scope in Dev-Sub would only allow management of that specific resource group, not the ability to create new resource groups in Dev-Sub (creating a resource group requires write permission at the subscription scope). Option D is wrong because assigning Reader at the Prod-Sub scope grants read permissions in Prod-Sub, which violates the requirement of no permissions in Prod-Sub; additionally, Contributor at the tenant root group is overly broad and would grant permissions across all subscriptions.
