AZ-104 (AZ-104) — Questions 451525

1170 questions total · 16pages · All types, answers revealed

Page 6

Page 7 of 16

Page 8
451
MCQeasy

An administrator needs two non-overlapping VNets in the same region to communicate directly over private IP addresses without deploying a gateway. What should be configured?

A.VNet peering between the two virtual networks.
B.A site-to-site VPN gateway connection.
C.A service endpoint on both subnets.
D.A route table with default routes to each VNet.
AnswerA

VNet peering provides private, low-latency communication between virtual networks when their address spaces do not overlap.

Why this answer

VNet peering enables direct connectivity between two Azure virtual networks using private IP addresses across the Microsoft backbone, without requiring a gateway or public internet. It supports non-overlapping address spaces in the same region and provides low-latency, high-bandwidth communication. This matches the requirement exactly.

Exam trap

The trap here is that candidates confuse VNet peering with VPN gateways or service endpoints, assuming a gateway is always required for cross-VNet communication or that service endpoints can connect VNets, when in fact peering is the direct, gateway-free solution for private IP connectivity.

How to eliminate wrong answers

Option B is wrong because a site-to-site VPN gateway connection requires a VPN gateway in each VNet, incurs additional cost and latency, and is not needed for direct private IP communication within the same region. Option C is wrong because service endpoints extend a VNet's private address space to Azure PaaS services (like Storage or SQL), not to another VNet; they do not enable VNet-to-VNet traffic. Option D is wrong because route tables with default routes (0.0.0.0/0) direct traffic to a network virtual appliance or internet, not to another VNet; custom routes can influence traffic but cannot establish direct VNet-to-VNet connectivity without peering or a gateway.

452
MCQmedium

A web API running in an Azure App Service needs to read and write blobs in a storage account. The operations team does not want to store secrets in app settings or rotate credentials manually. What should they enable on the App Service?

A.A storage account access key stored in Key Vault
B.A system-assigned managed identity
C.A shared access signature embedded in the application settings
D.A service endpoint on the App Service integration subnet
AnswerB

A system-assigned managed identity lets the app authenticate without storing any credentials.

Why this answer

A system-assigned managed identity allows the App Service to authenticate to Azure Storage without storing any secrets. The identity is automatically managed by Azure AD, and the App Service can use it to obtain an OAuth 2.0 token for accessing blob storage via RBAC. This eliminates the need for manual credential rotation and secret storage.

Exam trap

The trap here is that candidates often confuse managed identities with Key Vault integration, thinking that storing a key in Key Vault solves the secret rotation problem, but the access key itself is still a long-lived secret that requires manual rotation and is stored in the app settings as a reference.

How to eliminate wrong answers

Option A is wrong because storing a storage account access key in Key Vault still requires the App Service to authenticate to Key Vault (which could use a managed identity), but the question explicitly wants to avoid storing secrets in app settings and rotating credentials manually; the access key itself is a long-lived secret that must be rotated. Option C is wrong because a shared access signature (SAS) is a token that must be generated, stored, and rotated, which violates the requirement to avoid manual credential rotation and secret storage. Option D is wrong because a service endpoint on the App Service integration subnet only restricts network access to the storage account; it does not provide any authentication mechanism for the App Service to read and write blobs.

453
MCQeasy

A production resource group must not be deleted accidentally, but administrators still need to update resources inside it. Which lock should you apply to the resource group?

A.ReadOnly lock
B.CanNotDelete lock
C.Contributor role
D.Azure Policy deny assignment
AnswerB

CanNotDelete blocks deletion while still allowing administrators to update resources normally.

Why this answer

The CanNotDelete lock (option B) is correct because it prevents deletion of the resource group while still allowing all other operations, including updates to resources within it. This lock type is specifically designed to protect against accidental deletion without blocking read, write, or modify actions, which aligns perfectly with the requirement that administrators need to update resources inside the group.

Exam trap

The trap here is that candidates often confuse RBAC roles (like Contributor) with resource locks, mistakenly thinking that assigning a role can prevent deletion, whereas locks are a separate governance mechanism that override role-based permissions for specific operations.

How to eliminate wrong answers

Option A is wrong because a ReadOnly lock prevents all write operations, including updates to resources, which would block administrators from modifying resources inside the group. Option C is wrong because the Contributor role is an Azure RBAC role that grants permissions to manage resources but does not provide a lock mechanism to prevent deletion; it can be overridden by other permissions or bypassed by users with higher roles. Option D is wrong because an Azure Policy deny assignment is used to enforce compliance rules (e.g., restricting resource types or locations) and is not designed to block deletion of a resource group; it can be complex to configure and may inadvertently block updates if not scoped correctly.

454
MCQmedium

A hub VNet already has a VPN gateway connected to on-premises. A spoke VNet must send on-premises traffic through the hub gateway without deploying its own gateway. Which peering settings are needed?

A.Enable forwarded traffic on both peerings and add a route table to the spoke subnet.
B.Enable gateway transit on the hub peering and use remote gateways on the spoke peering.
C.Create a private endpoint in the spoke VNet and route on-premises traffic through it.
D.Deploy a second VPN gateway in the spoke and connect it in active-active mode.
AnswerB

This combination lets the spoke VNet use the hub gateway for on-premises connectivity.

Why this answer

Option B is correct because it enables gateway transit on the hub-side peering connection and uses remote gateways on the spoke-side peering connection. This configuration allows the spoke VNet to route on-premises traffic through the hub's VPN gateway without deploying its own gateway, leveraging the hub as a transit point.

Exam trap

The trap here is that candidates often confuse 'forwarded traffic' with 'gateway transit' — forwarded traffic only allows VNet-to-VNet traffic forwarding, while gateway transit specifically enables a spoke to use a hub's VPN gateway for external connectivity.

How to eliminate wrong answers

Option A is wrong because enabling forwarded traffic on both peerings only allows traffic to be forwarded between VNets but does not enable the spoke to use the hub's VPN gateway; a route table on the spoke subnet is needed for custom routing but is insufficient without gateway transit. Option C is wrong because a private endpoint is used for secure access to Azure PaaS services over a private IP, not for routing on-premises traffic through a hub VPN gateway. Option D is wrong because deploying a second VPN gateway in the spoke defeats the purpose of avoiding a separate gateway and does not utilize peering settings; active-active mode is a redundancy feature, not a transit solution.

455
MCQmedium

An administrator is troubleshooting inbound HTTPS to a VM. The subnet NSG has these custom rules: Deny-Internet-Inbound at priority 150, Allow-HTTPS-Admin at priority 200, and the default deny rules remain in place. The administrator’s client is on the internet and should be able to reach the VM on TCP 443. What change will fix the problem?

A.Move the allow rule to a lower priority number than the deny rule.
B.Change the allow rule source from Internet to Any and keep the same priority.
C.Create a route table to the VM subnet so traffic reaches the VM faster.
D.Associate an application security group with the VM and leave the rules unchanged.
AnswerA

NSG rules are evaluated in priority order, and the lowest number wins. Because the deny rule at 150 is evaluated before the allow rule at 200, inbound HTTPS is blocked even though an allow rule exists. Making the allow rule higher priority than the deny rule, such as 100, lets the permitted traffic match first and be accepted.

Why this answer

The correct answer is A because Network Security Group (NSG) rules are evaluated in priority order, with lower numbers evaluated first. The Deny-Internet-Inbound rule at priority 150 is evaluated before the Allow-HTTPS-Admin rule at priority 200, so the deny rule blocks the inbound HTTPS traffic before the allow rule can be processed. Moving the allow rule to a lower priority number (e.g., 140) ensures it is evaluated first, permitting the traffic from the internet on TCP 443.

Exam trap

The trap here is that candidates often assume NSG rules are evaluated in the order they are listed or that allow rules automatically override deny rules, but Azure NSGs strictly evaluate by priority number, so a deny rule with a lower number will block traffic even if an allow rule with a higher number exists.

How to eliminate wrong answers

Option B is wrong because changing the source from 'Internet' to 'Any' does not change the priority evaluation order; the deny rule at priority 150 will still block the traffic regardless of the source. Option C is wrong because route tables control the path traffic takes through the network, not the filtering of traffic; they do not override NSG rules or fix the priority issue. Option D is wrong because associating an application security group (ASG) with the VM does not alter the priority of existing NSG rules; the deny rule at priority 150 will still be evaluated first and block the traffic.

456
MCQmedium

A finance team stores PDF statements in Azure Blob Storage. The workload must survive a zone failure in the primary region, and if the entire region becomes unavailable, auditors still need read-only access to the copies in the secondary region. Which redundancy option should you choose?

A.ZRS, because it keeps copies across zones but does not replicate to another region.
B.RA-GZRS, because it combines zone redundancy with geo-replication and read access to the secondary region.
C.LRS, because it keeps three copies in a single datacenter and is sufficient for regional resilience.
D.GRS, because it provides geo-replication and always allows direct reads from the secondary region.
AnswerB

RA-GZRS is designed for exactly this requirement. It replicates data across zones in the primary region and also asynchronously replicates to a paired secondary region. The read-access feature means you can still retrieve data from the secondary endpoint if the primary region is unavailable, which is useful for audit or continuity scenarios.

Why this answer

RA-GZRS (Read-Access Geo-Zone-Redundant Storage) is the correct choice because it combines zone redundancy (synchronous replication across Azure availability zones within the primary region) with geo-replication (asynchronous replication to a secondary region), and crucially enables read access to the secondary region even when the primary is unavailable. This meets the requirement to survive a zone failure (via ZRS) and provide read-only access during a full regional outage (via the read-access geo-replication endpoint).

Exam trap

The trap here is that candidates often confuse GRS with RA-GRS, forgetting that standard GRS does not allow direct reads from the secondary region without a manual or automatic failover, while RA-GZRS (and RA-GRS) explicitly provide that read access.

How to eliminate wrong answers

Option A (ZRS) is wrong because while it protects against zone failures by replicating data synchronously across availability zones, it does not replicate to a secondary region, so it cannot provide read-only access during a full regional outage. Option C (LRS) is wrong because it replicates data only within a single datacenter (three copies in one storage scale unit), offering no protection against a zone failure or a full regional outage. Option D (GRS) is wrong because although it provides geo-replication to a secondary region, it does not allow direct reads from the secondary region unless a failover is initiated; the read-access capability requires the RA prefix (RA-GRS or RA-GZRS).

457
Multi-Selecteasy

A team wants an Azure VM in a subnet to reach a storage account securely without opening the account to the entire internet. Which two configuration choices can be used to achieve this? Select two.

Select 2 answers
A.Private endpoint
B.Service endpoint
C.Enable anonymous blob access
D.Move the account to the Archive tier
E.Apply a delete lock to the storage account
AnswersA, B

A private endpoint gives the storage account a private IP address in the virtual network.

Why this answer

Private endpoint (A) assigns a private IP address from the VM's subnet to the storage account, enabling secure connectivity over the Microsoft backbone network without exposing the account to the public internet. Service endpoint (B) extends the virtual network identity to the storage account via its public endpoint but restricts access to traffic originating from the specified subnet, also avoiding full internet exposure. Both options satisfy the requirement for secure, subnet-restricted access.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, thinking both are interchangeable, but service endpoints still use the storage account's public endpoint (just restricted by subnet), while private endpoints use a private IP from the subnet, making private endpoints the more secure choice for scenarios requiring complete isolation from the internet.

458
MCQmedium

A route table contains these entries: 10.0.0.0/8 with next hop Virtual appliance, and 10.1.1.0/24 with next hop Virtual network gateway. Which next hop will Azure use for traffic to 10.1.1.5?

A.Virtual appliance, because the broader 10.0.0.0/8 route was created first.
B.Virtual network gateway, because the /24 route is more specific than the /8 route.
C.Internet, because Azure always prefers the default system route for public addresses.
D.None, because Azure ignores overlapping route entries in the same table.
AnswerB

The most specific matching prefix wins, so the /24 route takes precedence for 10.1.1.5.

Why this answer

Azure uses the most specific route prefix (longest prefix match) to determine the next hop for traffic. For destination 10.1.1.5, the route 10.1.1.0/24 (prefix length 24) is more specific than 10.0.0.0/8 (prefix length 8), so the next hop Virtual network gateway is selected, regardless of the order in which routes were created.

Exam trap

The trap here is that candidates mistakenly believe route creation order or the 'broader' route being created first determines priority, but Azure always uses the most specific prefix match, not the order of route entries.

How to eliminate wrong answers

Option A is wrong because Azure does not use route creation order to resolve overlapping routes; it always uses the longest prefix match (most specific route). Option C is wrong because the destination 10.1.1.5 is within the private IP range defined by the user-defined routes, and Azure does not fall back to the default Internet route when a more specific custom route exists. Option D is wrong because Azure does not ignore overlapping route entries; it evaluates them and selects the most specific match, and overlapping routes are allowed in the same route table.

459
MCQeasy

A security admin wants Key Vault audit logs and metrics sent to a Log Analytics workspace for later search. Which Azure setting should be configured on the vault?

A.Diagnostic settings
B.Azure Policy assignment
C.Network security group
D.Action group
AnswerA

Diagnostic settings send resource logs and metrics from the vault to Log Analytics.

Why this answer

Diagnostic settings in Azure Key Vault allow you to stream platform logs and metrics to various destinations, including a Log Analytics workspace. By configuring diagnostic settings on the vault, you can send audit logs (e.g., AuditEvent) and metrics (e.g., ServiceApiLatency) to Log Analytics for querying with KQL, enabling security analysis and monitoring.

Exam trap

The trap here is that candidates confuse diagnostic settings (which export logs/metrics) with action groups (which send notifications) or Azure Policy (which enforces rules), leading them to select a wrong option that does not actually stream data to Log Analytics.

How to eliminate wrong answers

Option B is wrong because Azure Policy assignment is used to enforce compliance rules across resources (e.g., requiring encryption), not to route logs to a Log Analytics workspace. Option C is wrong because a network security group (NSG) filters traffic at the subnet or NIC level and cannot send logs to Log Analytics; NSG flow logs require a separate diagnostic setting on the NSG itself. Option D is wrong because an action group defines notification actions (e.g., email, SMS) for alerts, not log or metric streaming to a Log Analytics workspace.

460
Multi-Selectmedium

An employee deleted one spreadsheet from a Windows VM that is protected by Azure Backup. The VM must stay online while the administrator recovers only that file. Which two restore methods are supported? Select two.

Select 2 answers
A.Use file recovery from the recovery point in the Azure portal.
B.Use the file recovery script or PowerShell mount workflow from the recovery point.
C.Restore the entire VM to a new VM and copy the file back manually.
D.Restore the disks from backup and attach them to the running VM.
E.Use Azure Site Recovery failover to expose the file.
AnswersA, B

The portal file-recovery workflow lets you restore a single file without restoring the whole VM.

Why this answer

Option A is correct because Azure Backup's file-level recovery feature in the Azure portal allows you to mount a recovery point as a drive on the running Windows VM, enabling you to browse and copy individual files without restoring the entire VM. This method supports selective file recovery while the VM remains online, meeting the requirement. Option B is also correct because the file recovery script (or PowerShell mount workflow) performs the same mount operation programmatically, providing an alternative way to access and recover the specific spreadsheet from the recovery point.

Exam trap

The trap here is that candidates often confuse Azure Backup's file-level recovery with full VM restore or disk restore operations, assuming that granular recovery requires stopping the VM or using a separate disaster recovery service like Azure Site Recovery.

461
MCQhard

A storage account has a blob private endpoint in VNet-A. A VM in peered VNet-B can reach the storage account by private IP, but name resolution for the storage account still returns the public IP address. The private DNS zone privatelink.blob.core.windows.net is already linked only to VNet-A. What should the administrator do next?

A.Create a second private endpoint in VNet-B for the same storage account.
B.Enable a service endpoint on VNet-B and remove the private endpoint.
C.Add a user-defined route in VNet-B that points the storage FQDN to the private IP.
D.Create a virtual network link from the private DNS zone to VNet-B.
AnswerD

Private endpoint access depends on correct DNS resolution to the private endpoint IP. Because the private DNS zone is linked only to VNet-A, VNet-B does not receive the private name mapping. Linking the zone to VNet-B allows resources in the peered VNet to resolve the blob endpoint name to the private IP as intended.

Why this answer

The private DNS zone `privatelink.blob.core.windows.net` is linked only to VNet-A, so VMs in VNet-B cannot resolve the storage account's FQDN to its private IP. By creating a virtual network link from the private DNS zone to VNet-B, the zone's records become available for resolution in VNet-B, allowing the VM to resolve the storage FQDN to the private endpoint's IP address instead of the public IP.

Exam trap

The trap here is that candidates assume private endpoint connectivity alone ensures name resolution, but they forget that DNS resolution requires the private DNS zone to be linked to the peered VNet, not just the VNet where the endpoint resides.

How to eliminate wrong answers

Option A is wrong because creating a second private endpoint in VNet-B for the same storage account is unnecessary and would create duplicate endpoints; the existing private endpoint in VNet-A is already reachable via peering, and the issue is DNS resolution, not connectivity. Option B is wrong because enabling a service endpoint on VNet-B and removing the private endpoint would revert to public IP connectivity, defeating the purpose of private connectivity and introducing security risks. Option C is wrong because adding a user-defined route (UDR) in VNet-B that points the storage FQDN to the private IP is not how DNS resolution works; UDRs control traffic routing based on IP prefixes, not FQDN resolution, and cannot override DNS responses.

462
MCQmedium

A storage account has public network access disabled. An application runs on a VM in a VNet and must access the storage account over a private IP address. The team also wants the storage name to resolve to a private address inside the VNet without changing application code. What should the administrator create?

A.A service endpoint on the subnet and a storage account firewall rule allowing that subnet.
B.A private endpoint for the storage account and a corresponding private DNS zone link.
C.An account SAS token with read/write permissions for the application.
D.Allow trusted Microsoft services to bypass the storage firewall.
AnswerB

A private endpoint places the storage service on a private IP inside the VNet, and DNS integration allows the storage FQDN to resolve to that private address. That combination meets both requirements: private connectivity and no application code changes. This is the standard pattern when public network access is disabled.

Why this answer

A private endpoint assigns the storage account a private IP from the VNet, making it accessible over a private IP address. A corresponding private DNS zone link (e.g., privatelink.blob.core.windows.net) ensures the storage account name resolves to that private IP inside the VNet without modifying application code, meeting both requirements.

Exam trap

The trap here is that candidates confuse service endpoints with private endpoints, assuming both provide private IP connectivity, when only private endpoints assign a private IP and require a private DNS zone for name resolution.

How to eliminate wrong answers

Option A is wrong because a service endpoint does not provide a private IP address; it only extends the VNet identity to the storage account over the public endpoint, so the storage name would still resolve to a public IP. Option C is wrong because an SAS token controls authentication and authorization, not network-level private IP connectivity or DNS resolution. Option D is wrong because allowing trusted Microsoft services bypasses the firewall but still uses the public endpoint and public IP, failing to provide private IP access and private DNS resolution.

463
MCQmedium

After a private endpoint for an Azure Blob Storage account is created, VMs in the same VNet still resolve the storage name to the public IP address. The administrator wants the name to resolve to the private endpoint address instead. What should be configured?

A.Link the private DNS zone for blob storage to the virtual network.
B.Create a route table that sends storage traffic to the private endpoint subnet.
C.Enable a service endpoint on the subnet that hosts the VMs.
D.Assign a public IP address to the private endpoint subnet.
AnswerA

Private endpoints require private DNS so clients resolve the storage name to the endpoint's private IP instead of the public address. For Blob Storage, the relevant zone is the privatelink.blob.core.windows.net zone, and it must be linked to the VNet used by the clients. Once linked, Azure can answer DNS queries with the private endpoint address, which makes access work consistently without manual hosts file edits.

Why this answer

When a private endpoint is created for Azure Blob Storage, the private DNS zone (privatelink.blob.core.windows.net) must be linked to the virtual network to enable automatic resolution of the storage account's FQDN to the private endpoint's private IP address. Without this link, VMs in the VNet continue to use public DNS resolution, which returns the public IP. Linking the private DNS zone to the VNet ensures that DNS queries from VMs resolve to the private endpoint address via Azure's DNS infrastructure.

Exam trap

The trap here is that candidates often confuse network-level controls (like route tables or service endpoints) with DNS resolution, assuming they can redirect traffic to the private endpoint without addressing how the name is resolved to an IP.

How to eliminate wrong answers

Option B is wrong because a route table controls network traffic flow (next hop) but does not affect DNS name resolution; it cannot change how the storage account's FQDN resolves to an IP address. Option C is wrong because a service endpoint provides direct connectivity to Azure services over the Microsoft backbone but does not alter DNS resolution; the storage name would still resolve to the public IP unless a private DNS zone is linked. Option D is wrong because assigning a public IP address to the private endpoint subnet defeats the purpose of a private endpoint, which is to use a private IP from the VNet; it would not change DNS resolution behavior and would expose the endpoint publicly.

464
MCQmedium

An operations team needs to let helpdesk staff restart virtual machines and view their properties only in RG-Dev. The staff must not be able to manage virtual networks, disks, or delete any resources. What is the best built-in role assignment?

A.Assign Reader at the subscription scope so the staff can view the VMs.
B.Assign Virtual Machine Contributor at the RG-Dev scope.
C.Assign Contributor at the RG-Dev scope.
D.Assign Virtual Machine Administrator Login at the RG-Dev scope.
AnswerB

Virtual Machine Contributor allows managing virtual machines, including restart operations, while avoiding broader control over networking resources. Assigning it at the resource group scope limits access to only RG-Dev, which matches the least-privilege requirement.

Why this answer

The Virtual Machine Contributor role at the RG-Dev scope grants the exact permissions needed: it allows restarting VMs and viewing their properties while explicitly preventing management of virtual networks, disks, or deletion of resources. This built-in role includes the 'Microsoft.Compute/virtualMachines/restart/action' and read permissions, but excludes write/delete on networking and storage resources, meeting all requirements.

Exam trap

The trap here is that candidates often choose Contributor (Option C) thinking it's a safe middle ground, but it actually grants full management rights including deletion, which violates the explicit restriction in the question.

How to eliminate wrong answers

Option A is wrong because the Reader role at subscription scope provides read-only access to all resources, but does not include the 'restart' action required for helpdesk staff. Option C is wrong because the Contributor role at RG-Dev scope grants full management rights, including the ability to delete resources and manage virtual networks and disks, which violates the restriction. Option D is wrong because Virtual Machine Administrator Login only provides login access via RDP/SSH and does not include the 'restart' action or view VM properties in the Azure portal.

465
MCQmedium

A user accidentally deleted a nested folder tree from an Azure file share yesterday. Other folders were modified after the deletion and must not be rolled back. The administrator wants to restore only the deleted folder tree. What is the best recovery method?

A.Use a file share snapshot and copy the deleted folder tree back into the live share.
B.Delete the current share and restore the whole share from the most recent backup.
C.Change the share’s access tier from Hot to Cool and then refresh the folder view.
D.Enable soft delete for blobs in the same storage account and recover the folder from there.
AnswerA

A snapshot captures the file share at a point in time, which allows the administrator to browse the earlier state and restore only the deleted folders. This is ideal when the goal is targeted recovery without reverting later changes elsewhere in the share.

Why this answer

Azure file share snapshots provide a point-in-time, read-only copy of the entire file share. By mounting a snapshot taken before the accidental deletion, the administrator can browse the snapshot's directory structure and copy only the deleted folder tree back into the live share. This approach restores the lost data without affecting any other files or folders that were modified after the snapshot was taken, meeting the requirement to avoid rolling back other changes.

Exam trap

The trap here is that candidates may confuse Azure file share snapshots with blob soft delete or assume that restoring from a full backup is the only option, failing to recognize that snapshots allow granular, non-destructive recovery of specific folders without affecting other changes.

How to eliminate wrong answers

Option B is wrong because deleting the current share and restoring the whole share from the most recent backup would roll back all modifications made after the backup, including the changes that must not be rolled back. Option C is wrong because changing the access tier from Hot to Cool does not recover deleted data; it only changes the storage tier's pricing and performance characteristics, and refreshing the folder view has no effect on deleted items. Option D is wrong because soft delete for blobs applies to Azure Blob Storage, not to Azure Files; file shares do not support blob soft delete, and the recovery mechanism for files is file share snapshots, not blob-level recovery.

466
MCQmedium

You have two virtual networks in the same Azure region named VNet-App and VNet-DB. Resources in the two networks must communicate privately over the Azure backbone without using VPN gateways. What should you configure?

A.Virtual network peering
B.A site-to-site VPN
C.A network security group
D.An Azure Firewall policy only
AnswerA

VNet peering enables private communication between the VNets over the Azure backbone.

Why this answer

Virtual network peering connects two Azure virtual networks in the same region via the Microsoft backbone infrastructure, enabling private IP communication without a VPN gateway or public internet. This is the correct solution because it meets the requirement for private, low-latency connectivity between VNet-App and VNet-DB using Azure's high-speed backbone.

Exam trap

The trap here is that candidates often confuse network security groups (NSGs) or Azure Firewall as connectivity solutions, when they are only security controls that require an existing network path (like peering) to function.

How to eliminate wrong answers

Option B is wrong because a site-to-site VPN requires a VPN gateway in each virtual network and routes traffic over the public internet or ExpressRoute, which adds latency and cost, and is unnecessary for intra-region peering. Option C is wrong because a network security group (NSG) is a stateful firewall that filters traffic at the subnet or NIC level but does not provide connectivity between virtual networks. Option D is wrong because an Azure Firewall policy alone cannot establish network connectivity; it is a security rule set applied to Azure Firewall, which itself requires a gateway or peering to route traffic between VNets.

467
Multi-Selecthard

A reporting server will run an analytics engine that needs 8 vCPUs and 64 GiB of RAM. Average CPU use is expected to stay moderate, but the workload is memory heavy and should not use a burstable SKU. Which two deployment choices best align with the requirement? Select two.

Select 2 answers
A.Select a memory-optimized VM family.
B.Choose a size with at least 8 vCPUs and 64 GiB of RAM.
C.Choose a burstable B-series size to lower cost.
D.Pick a compute-optimized F-series size because CPU use is only moderate.
E.Select the smallest VM size that supports managed disks.
AnswersA, B

Correct. Memory-optimized families are intended for workloads where RAM is more important than raw CPU throughput.

Why this answer

Option A is correct because the workload is memory heavy, and memory-optimized VM families (e.g., E-series) are designed with a higher memory-to-vCPU ratio to handle such workloads efficiently. Option B is correct because the requirement explicitly states 8 vCPUs and 64 GiB of RAM, so selecting a size that meets these exact specifications is necessary, regardless of family, as long as it is not burstable.

Exam trap

The trap here is that candidates may assume a moderate CPU workload automatically calls for a compute-optimized SKU (F-series), ignoring the memory-heavy requirement that necessitates a memory-optimized family.

468
MCQmedium

An operations team wants device-generated log messages collected centrally so engineers can review interface changes, warnings, and errors from one place. Which technology is most directly associated with that goal?

A.Syslog
B.NetFlow
C.DHCP relay
D.Port security
AnswerA

This is correct because Syslog is used for centralized event and log reporting.

Why this answer

Syslog (A) is the standard protocol for collecting and centralizing log messages from network devices, servers, and other infrastructure. It allows engineers to forward interface changes, warnings, and errors to a central syslog server, enabling unified review and alerting. This directly matches the goal of centralized device-generated log collection.

Exam trap

The trap here is that candidates confuse NetFlow (traffic flow analysis) with syslog (log message collection), because both involve network monitoring, but NetFlow does not capture device-generated log messages like interface changes or errors.

Why the other options are wrong

B

NetFlow is primarily used for monitoring and analyzing network traffic rather than collecting log messages. It provides flow data but does not centralize log messages for review.

C

DHCP relay is primarily used to forward DHCP packets between clients and servers across different subnets, not for collecting log messages. It does not provide centralized logging capabilities for interface changes, warnings, or errors.

D

Port security is a feature used to control access to a switch port by limiting the devices that can connect, but it does not collect or centralize log messages for review. It focuses on securing network access rather than log management.

469
MCQmedium

A storage account must stay online for applications, but administrators have a temporary freeze on configuration changes. Users can still view the account, but attempts to change the access tier, create a container, or update networking all fail. What most likely caused the behavior?

A.A CanNotDelete lock was applied to the storage account.
B.A ReadOnly lock was applied to the storage account.
C.An Azure Policy audit assignment was applied to the storage account.
D.The account was moved to a different subscription.
AnswerB

ReadOnly is the correct explanation because it blocks write operations on the locked scope. That includes changing account settings, creating child resources such as containers, and modifying networking configuration. Read-only access still allows users to view the resource, which matches the symptom described in the scenario. This lock is useful when all configuration changes must be paused.

Why this answer

A ReadOnly lock (Azure Resource Manager lock) prevents any modification to the storage account, including changing the access tier, creating containers, or updating networking settings, while still allowing read operations like viewing the account. This matches the described behavior exactly because the lock is applied at the resource scope and blocks all write/delete operations, but does not affect read access.

Exam trap

The trap here is that candidates often confuse CanNotDelete locks with ReadOnly locks, mistakenly thinking that a deletion-prevention lock also blocks modifications, when in fact only ReadOnly locks block all write operations.

How to eliminate wrong answers

Option A is wrong because a CanNotDelete lock prevents deletion of the storage account but still allows modifications such as changing the access tier, creating containers, or updating networking — it does not block write operations. Option C is wrong because an Azure Policy audit assignment only evaluates and logs compliance without enforcing a deny effect; it does not actively block configuration changes. Option D is wrong because moving a storage account to a different subscription does not inherently block configuration changes; the account remains fully functional and modifiable after the move, unless additional locks or policies are applied.

470
MCQmedium

Based on the exhibit, what does the query return?

A.All successful deallocate operations on virtual machines during the last 24 hours.
B.Failed deallocate operations on virtual machines during the last 24 hours.
C.Any operations related to starting or restarting virtual machines in the last 24 hours.
D.Administrative changes made only from the Azure portal in the last 24 hours.
AnswerB

The query filters the AzureActivity table to the last 24 hours, selects the virtual machine deallocate operation, and then limits results to records whose status is Failed. That combination means it returns only failed deallocation events for virtual machines in the time window shown.

Why this answer

The query filters for 'Status' equal to 'Failed' and 'Operation' equal to 'Deallocate Virtual Machines', returning only failed deallocate operations. The time filter restricts results to the last 24 hours. Therefore, the query returns failed deallocate operations on virtual machines during the last 24 hours.

Exam trap

The trap here is that candidates may overlook the explicit 'Status' filter and assume the query returns all deallocate operations, or confuse 'deallocate' with 'start' or 'restart' operations, leading them to select a wrong answer.

How to eliminate wrong answers

Option A is wrong because the query explicitly filters for 'Status' equal to 'Failed', not 'Succeeded', so it does not return successful deallocate operations. Option C is wrong because the query filters for 'Operation' equal to 'Deallocate Virtual Machines', not operations related to starting or restarting virtual machines. Option D is wrong because the query does not filter by 'Caller' or 'Source' to isolate Azure portal changes; it returns all failed deallocate operations regardless of the management interface used.

471
MCQhard

A stateless API must run 4 to 12 identical Windows VMs, scale out automatically when average CPU stays above 70% for 10 minutes, and distribute instances to improve resiliency. Deployments are defined in Bicep. Which Azure compute service should be used?

A.A single Azure VM with an autoscale setting
B.A virtual machine scale set with autoscale enabled
C.An availability set with manual VM resizing
D.Azure Container Instances running one container per request
AnswerB

VM scale sets are designed for many identical instances and work naturally with autoscale profiles.

Why this answer

A virtual machine scale set (VMSS) with autoscale enabled is the correct choice because it supports running multiple identical Windows VMs, can automatically scale out when average CPU exceeds 70% for 10 minutes, and distributes instances across fault domains and availability zones for resiliency. Bicep deployments natively define VMSS configurations, making it the ideal compute service for stateless, scalable API workloads.

Exam trap

The trap here is that candidates confuse autoscale settings (which only apply to scale sets or PaaS services) with individual VMs, or assume an availability set provides autoscaling, when in fact it only ensures fault tolerance for a static number of VMs.

How to eliminate wrong answers

Option A is wrong because a single Azure VM cannot scale out to multiple instances; autoscale settings apply only to scale sets or App Service plans, not individual VMs. Option C is wrong because an availability set provides high availability for a fixed set of VMs but does not support autoscaling or dynamic resizing based on CPU thresholds; manual resizing is not automated scaling. Option D is wrong because Azure Container Instances (ACI) runs containers, not Windows VMs, and scaling per request is not based on average CPU metrics over 10 minutes; ACI is designed for containerized workloads, not VM-based stateless APIs.

472
MCQhard

You need to retain Azure Firewall logs for long-term analysis in a Log Analytics workspace and also archive them in a storage account for compliance. What should you configure on the Azure Firewall resource?

A.Diagnostic settings
B.A resource lock
C.An availability set
D.A VNet peering connection
AnswerA

This is the Azure-native mechanism for routing logs and metrics to monitoring destinations.

Why this answer

Diagnostic settings on the Azure Firewall resource allow you to stream platform logs and metrics to a Log Analytics workspace for long-term analysis and to a storage account for archival and compliance. This is the only configuration that simultaneously supports both destinations for the firewall's log data.

Exam trap

The trap here is that candidates may confuse resource locks or VNet peering with logging configurations, but only diagnostic settings provide the dual-destination log routing required for both analysis and compliance archival.

How to eliminate wrong answers

Option B is wrong because a resource lock prevents accidental deletion or modification of the Azure Firewall resource but does not capture, route, or retain any log data. Option C is wrong because an availability set is a VM placement construct for high availability and has no role in log collection or storage. Option D is wrong because VNet peering connects virtual networks for private IP communication and does not handle logging, monitoring, or data archival.

473
MCQmedium

A company has a virtual machine in a subnet that must access an Azure Storage account. The storage account should remain reachable through its public endpoint, but access must be limited to that subnet, and the traffic should stay on the Azure backbone rather than the internet. Which feature should the administrator configure on the subnet?

A.A private endpoint for the storage account.
B.A service endpoint for Microsoft.Storage.
C.A site-to-site VPN connection to the storage account.
D.An application security group assigned to the storage account.
AnswerB

A service endpoint extends the subnet's identity to the storage service and keeps traffic on the Azure backbone while still using the storage account's public endpoint. This fits when the organization wants network restriction by subnet without introducing a private IP for the service. The storage firewall can then allow only the selected subnet.

Why this answer

A service endpoint for Microsoft.Storage extends the virtual network identity to the storage account, allowing traffic from the subnet to the storage account's public endpoint to be routed over the Azure backbone network rather than the internet. This satisfies the requirement to limit access to the subnet while keeping the public endpoint reachable and traffic within Azure's infrastructure.

Exam trap

The trap here is that candidates often confuse private endpoints with service endpoints, mistakenly thinking a private endpoint is required to keep traffic on the Azure backbone, but a private endpoint removes public endpoint access, whereas a service endpoint preserves it while still routing traffic internally.

How to eliminate wrong answers

Option A is wrong because a private endpoint assigns a private IP address to the storage account within the virtual network, which removes access through the public endpoint entirely, contradicting the requirement that the storage account remain reachable through its public endpoint. Option C is wrong because a site-to-site VPN connection is used to connect on-premises networks to Azure, not to restrict access from a specific subnet to a PaaS service while preserving public endpoint access. Option D is wrong because an application security group is a logical grouping of virtual machines for network security policy enforcement, not a feature that can be assigned to a storage account or that controls network-level access to Azure PaaS services.

474
MCQmedium

A spoke VM can connect to a hub VM by IP address after peering is configured, but it cannot resolve internal host names such as app01.corp.local. The hub has a DNS server at 10.50.1.4 that hosts those records. What should the administrator configure so the spoke VMs use that DNS server?

A.Add an NSG rule allowing UDP and TCP port 53 between the VNets.
B.Set the spoke VNet's custom DNS server to 10.50.1.4.
C.Create a private endpoint for the hub DNS server.
D.Enable remote gateways on the spoke peering.
AnswerB

The spoke VNet must be told to use the DNS server that contains the internal zone records. By configuring 10.50.1.4 as the custom DNS server for the spoke VNet, new and existing VMs in that VNet can query the hub-based resolver for names such as app01.corp.local. Peering alone does not change DNS behavior, so the DNS server setting is the missing configuration.

Why this answer

Option B is correct because the spoke VNet must be configured to use a custom DNS server to override Azure's default internal name resolution. By setting the spoke VNet's DNS server to 10.50.1.4, all VMs in the spoke will query that server for hostname resolution, including app01.corp.local. This is a VNet-level setting that applies to all VMs in the spoke, and it does not require any changes to NSGs or peering configurations.

Exam trap

The trap here is that candidates often confuse VNet peering with DNS resolution, assuming that peering automatically enables name resolution across VNets, when in fact you must explicitly configure a custom DNS server or use Azure Private DNS Zones to resolve private hostnames.

How to eliminate wrong answers

Option A is wrong because NSG rules control traffic filtering, not DNS resolution configuration; UDP/TCP port 53 may already be allowed by default in VNet peering, and the issue is that the spoke VMs do not know which DNS server to query, not that traffic is blocked. Option C is wrong because a private endpoint is used to securely connect to Azure PaaS services (e.g., Azure SQL, Storage) over a private IP, not to redirect DNS queries from a VNet to a custom DNS server. Option D is wrong because enabling remote gateways on the spoke peering allows the spoke to use the hub's VPN/ExpressRoute gateway for outbound connectivity, but it does not configure the spoke's DNS resolver to point to the hub's DNS server.

475
MCQmedium

You deploy a Windows VM with an ARM template. During the first boot, it must install IIS, copy application files from storage, and run a bootstrap script. Which Azure feature should you add to the deployment?

A.A VM extension such as Custom Script Extension
B.An availability set
C.A managed disk snapshot
D.A public IP address
AnswerA

A VM extension can run scripted configuration tasks during or after deployment, which fits bootstrap automation.

Why this answer

The Custom Script Extension (CSE) is the correct Azure feature to use because it allows you to execute PowerShell or Bash scripts on a Windows or Linux VM during first boot. By adding the CSE to your ARM template, you can automate the installation of IIS, copy application files from Azure Storage (using the `fileUris` property), and run a bootstrap script after the OS is provisioned, ensuring the VM is fully configured without manual intervention.

Exam trap

The trap here is that candidates often confuse a VM extension (which runs scripts post-deployment) with a VM image (which bakes configuration into the OS disk), leading them to think a snapshot or availability set can achieve the same result, but neither can execute commands during first boot.

How to eliminate wrong answers

Option B is wrong because an availability set is a logical grouping of VMs to protect against infrastructure failures (e.g., rack-level faults) and does not provide any mechanism to install software or run scripts during deployment. Option C is wrong because a managed disk snapshot is a point-in-time copy of a disk used for backup or cloning, not for executing post-deployment configuration tasks like IIS installation or script execution. Option D is wrong because a public IP address provides inbound/outbound network connectivity to the VM but has no capability to run scripts or install applications; it is a networking resource, not a configuration tool.

476
MCQhard

You are planning a subnet for an application tier in a new spoke virtual network. The subnet must support 34 VM NICs, 5 private endpoints, and 6 extra IP addresses for short-term scale-out during maintenance windows. Azure reserves 5 IP addresses in every subnet. What is the smallest subnet prefix that meets the requirement?

A./27
B./26
C./25
D./28
AnswerB

A /26 provides 59 usable addresses after Azure reservations, which covers all required and buffer IPs.

Why this answer

The subnet must support 34 VM NICs, 5 private endpoints, and 6 extra IPs for scale-out, totaling 45 required IPs. Azure reserves 5 IP addresses in every subnet (first 4 and last 1). Therefore, the subnet needs at least 50 usable IP addresses.

A /26 subnet provides 64 total IPs, of which 59 are usable (64 - 5), meeting the requirement. /27 provides only 32 total IPs (27 usable), which is insufficient.

Exam trap

The trap here is that candidates often forget to add the 5 Azure-reserved IPs to the total requirement, leading them to incorrectly select /27 (thinking 34+5+6=45 fits in 32 usable IPs) or /28 (underestimating the scale-out need).

How to eliminate wrong answers

Option A is wrong because a /27 subnet provides only 32 total IP addresses (27 usable after Azure's 5 reserved IPs), which is less than the required 50 IPs. Option C is wrong because a /25 subnet provides 128 total IPs (123 usable), which far exceeds the requirement but is not the smallest prefix that meets it. Option D is wrong because a /28 subnet provides only 16 total IPs (11 usable), which is far too small for the 50 IPs needed.

477
MCQmedium

A hub VNet already has a VPN gateway connected to on-premises. A spoke VNet in the same region must reach on-premises networks through that existing gateway, and you do not want to deploy a separate VPN gateway in the spoke. What peering settings should you use?

A.Create peering only; the spoke will automatically use the hub gateway without extra settings.
B.Enable Use remote gateways on the hub peering and Allow gateway transit on the spoke peering.
C.Enable Allow gateway transit on the hub peering and Use remote gateways on the spoke peering.
D.Create a service endpoint from the spoke VNet to the on-premises network.
AnswerC

In a hub-spoke design, the hub VNet that owns the VPN gateway must allow gateway transit, and the spoke must be configured to use the remote gateway. This lets the spoke route on-premises traffic through the hub without deploying its own gateway. The direction of these settings matters, and reversing them breaks the design.

Why this answer

Option C is correct because to enable a spoke VNet to use a hub VNet's VPN gateway for on-premises connectivity without deploying a separate gateway, you must configure the hub peering with 'Allow gateway transit' and the spoke peering with 'Use remote gateways'. This allows the spoke to route traffic through the hub's VPN gateway, leveraging the existing site-to-site VPN connection to on-premises.

Exam trap

The trap here is confusing which peering direction gets which setting: candidates often mistakenly enable 'Use remote gateways' on the hub side and 'Allow gateway transit' on the spoke side, which is the reverse of the correct configuration.

How to eliminate wrong answers

Option A is wrong because simply creating a peering does not automatically enable gateway transit; the spoke VNet would not have a route to the hub's VPN gateway without explicit settings. Option B is wrong because it reverses the required settings: 'Use remote gateways' must be on the spoke peering (not the hub), and 'Allow gateway transit' must be on the hub peering (not the spoke). Option D is wrong because a service endpoint provides private connectivity to Azure PaaS services (like Azure Storage or SQL Database) over the Microsoft backbone, not to on-premises networks via a VPN gateway.

478
MCQeasy

A stateless web application must automatically add VM instances during business hours and remove them at night based on CPU usage. Which Azure service should be deployed?

A.Virtual machine scale set
B.Availability set
C.Azure Bastion
D.Proximity placement group
AnswerA

A virtual machine scale set is designed for identical VM instances that can scale out and scale in based on demand. It works well for stateless applications because instances can be added or removed without needing manual reconfiguration of each server. Autoscale rules can use metrics such as CPU percentage to change capacity automatically.

Why this answer

Virtual Machine Scale Sets (VMSS) are designed to automatically scale the number of VM instances in or out based on metrics like CPU usage, and they support scheduled scaling to align with business hours. This makes them the correct choice for a stateless web application that needs to add instances during business hours and remove them at night, as VMSS can integrate with Azure Autoscale to adjust capacity based on both performance metrics and time schedules.

Exam trap

The trap here is that candidates often confuse an availability set (which provides high availability) with a scale set (which provides auto-scaling), leading them to select availability set when the question explicitly requires automatic scaling based on CPU and time schedules.

How to eliminate wrong answers

Option B (Availability set) is wrong because an availability set only provides high availability by distributing VMs across fault and update domains; it does not support automatic scaling based on CPU usage or time-based schedules. Option C (Azure Bastion) is wrong because it is a fully managed PaaS service that provides secure RDP/SSH connectivity to VMs directly from the Azure portal, with no capability for scaling VM instances. Option D (Proximity placement group) is wrong because it is used to reduce network latency between VMs by ensuring they are physically close in an Azure datacenter, and it has no functionality for automatic scaling or instance management.

479
Multi-Selecteasy

A team wants a storage option that stays available if one availability zone in the primary region fails. Which two redundancy options meet that requirement? Select two.

Select 2 answers
A.Zone-redundant storage (ZRS).
B.Geo-zone-redundant storage (GZRS).
C.Locally redundant storage (LRS).
D.Geo-redundant storage (GRS).
E.Read-access geo-redundant storage (RA-GRS).
AnswersA, B

ZRS replicates data across multiple availability zones in the primary region, which helps the storage remain available if one zone fails.

Why this answer

Zone-redundant storage (ZRS) synchronously replicates data across three Azure availability zones within the primary region. If one zone fails, the data remains accessible from the other zones, ensuring high availability without requiring failover to a secondary region.

Exam trap

The trap here is that candidates often confuse geo-redundant options (GRS/RA-GRS) as providing zone-level protection, but they only use LRS in the primary region, which does not survive a single availability zone failure.

480
MCQmedium

You plan to run a web application on Azure virtual machines and need protection against a single datacenter failure within an Azure region. Which deployment option should you use?

A.An availability set only
B.Availability zones
C.A proximity placement group
D.A single VM with premium SSD
AnswerB

Availability zones provide resilience against the failure of a single datacenter in a region.

Why this answer

Availability Zones are physically separate datacenters within an Azure region, each with independent power, cooling, and networking. Deploying your VMs across two or more zones protects against a single datacenter failure because if one zone goes down, the application continues running in the other zone. This meets the requirement for datacenter-level fault tolerance within a single region.

Exam trap

The trap here is that candidates often confuse availability sets (which protect against rack-level failures within one datacenter) with availability zones (which protect against full datacenter failures), leading them to select the cheaper or more familiar option without recognizing the critical difference in fault domain scope.

How to eliminate wrong answers

Option A is wrong because an availability set protects against failures within a single datacenter (e.g., rack or update domain failures) but does not protect against an entire datacenter outage. Option C is wrong because a proximity placement group is designed to reduce network latency between VMs by placing them close together, which actually increases the risk of a single datacenter failure affecting all VMs. Option D is wrong because a single VM with premium SSD provides no redundancy at all; if the datacenter hosting that VM fails, the application becomes completely unavailable.

481
MCQhard

Third-party support engineers connect from the public internet and need browser-based RDP and SSH access to Azure VMs that have only private IPs. The security team will not allow public IPs on the VMs, inbound 3389 or 22 from the internet, or a client VPN on each laptop. What should you deploy?

A.Azure Bastion
B.VPN Gateway with point-to-site configuration
C.A public load balancer with inbound NAT rules
D.A NAT gateway attached to the VM subnet
AnswerA

Azure Bastion provides secure browser-based RDP and SSH access without exposing the VMs to public IP-based inbound traffic.

Why this answer

Azure Bastion provides secure, seamless browser-based RDP and SSH connectivity to Azure VMs directly from the Azure portal over TLS, without requiring public IPs on the VMs or exposing inbound RDP/SSH ports (3389/22) to the internet. It uses a hardened bastion host deployed in a dedicated subnet, which brokers the connection via the Azure portal, satisfying the security team's constraints of no public IPs on VMs, no inbound internet access to those ports, and no client VPN software.

Exam trap

The trap here is that candidates often confuse Azure Bastion with a NAT gateway or VPN Gateway, mistakenly thinking any 'gateway' solution provides inbound RDP/SSH access, but Bastion is the only option that delivers browser-based connectivity without public IPs, client VPNs, or open inbound ports.

How to eliminate wrong answers

Option B (VPN Gateway with point-to-site configuration) is wrong because it requires installing a VPN client on each laptop, which the security team explicitly prohibits, and it still relies on the VMs having private IPs but does not inherently block inbound RDP/SSH from the internet if misconfigured. Option C (A public load balancer with inbound NAT rules) is wrong because it requires public IPs on the load balancer and inbound NAT rules that map to RDP/SSH ports on the VMs, directly violating the 'no inbound 3389 or 22 from the internet' rule. Option D (A NAT gateway attached to the VM subnet) is wrong because a NAT gateway only provides outbound internet connectivity for VMs (source network address translation), not inbound RDP/SSH access from the internet.

482
MCQmedium

An NSG is associated with a subnet. It contains these inbound rules: - Priority 100: Deny TCP 443 from Internet to Any - Priority 200: Allow TCP 443 from 203.0.113.0/24 to Any A tester at 203.0.113.10 browses to the VM's HTTPS endpoint in that subnet. What happens?

A.The request is allowed because the more specific source range matches first.
B.The request is denied because the priority 100 deny rule matches before the allow rule.
C.The request is denied only if the VM has no public IP address.
D.The request is allowed because default NSG rules always override custom rules.
AnswerB

Azure NSGs evaluate rules by priority, and the lowest number is processed first. Both rules match this HTTPS traffic, but the deny rule at priority 100 is considered before the allow rule at priority 200. Because the first match wins, the packet is blocked even though the source is in the allowed range.

Why this answer

The correct answer is B. Network Security Group (NSG) rules are evaluated in priority order, from lowest to highest numeric value. The priority 100 rule explicitly denies TCP 443 from the Internet (which includes the 203.0.113.0/24 range), and it is evaluated before the priority 200 allow rule.

Since the deny rule matches first, the traffic is blocked regardless of the more specific source IP in the allow rule.

Exam trap

The trap here is that candidates mistakenly believe NSG rules are evaluated based on the specificity of the source or destination (like a firewall with longest-prefix matching), but Azure NSGs strictly use priority-based evaluation where lower numeric priority wins.

How to eliminate wrong answers

Option A is wrong because NSG rules are processed by priority number, not by specificity of the source range; a lower priority number (100) is evaluated before a higher one (200), so the deny rule matches first. Option C is wrong because NSG rules apply to traffic destined for any VM in the subnet, regardless of whether the VM has a public IP address; the NSG filters traffic at the subnet level before it reaches the VM. Option D is wrong because default NSG rules have higher priority numbers (65000 and above) and are evaluated after custom rules; custom rules always take precedence over default rules when they match.

483
MCQmedium

A finance application is deployed in a single resource group named rg-finance-app. The team must manage only the resources in that group and must not receive permissions for other resource groups in the subscription. Where should the Contributor role be assigned?

A.At the management group that contains the subscription.
B.At the subscription scope.
C.At the rg-finance-app resource group scope.
D.At each individual resource in the resource group.
AnswerC

Resource group scope is the narrowest scope that still covers all resources for the finance application. Any resource inside that group inherits the assignment, while resources in other groups remain unaffected. This gives the team exactly the access needed without expanding permissions to unrelated workloads.

Why this answer

The Contributor role must be assigned at the rg-finance-app resource group scope to restrict permissions exclusively to that group. This ensures the team can manage only the resources within that resource group, without inheriting permissions to other resource groups in the subscription. Role assignments in Azure are inherited from higher scopes (management group, subscription) down to lower scopes, so assigning at the resource group scope is the most specific and restrictive level that meets the requirement.

Exam trap

The trap here is that candidates often choose the subscription scope (Option B) thinking it is the simplest way to grant access, but they overlook that it would grant permissions to all resource groups in the subscription, violating the requirement to restrict access to only rg-finance-app.

How to eliminate wrong answers

Option A is wrong because assigning the Contributor role at the management group scope would grant the team Contributor permissions to all subscriptions and resource groups within that management group, including other resource groups outside rg-finance-app. Option B is wrong because assigning at the subscription scope would grant Contributor permissions to every resource group in the subscription, violating the requirement to restrict access only to rg-finance-app. Option D is wrong because assigning the role at each individual resource is unnecessary and inefficient; Azure RBAC supports inheritance from the resource group scope, so a single assignment at the resource group level covers all resources within it, and assigning per resource would also be overly granular and harder to manage.

484
MCQeasy

Two application VMs run in the same Azure region. The business wants to reduce the chance that both VMs are rebooted during planned host maintenance, but a datacenter outage is not part of the requirement. What should the administrator configure?

A.Availability set
B.Availability zone
C.Azure Load Balancer
D.Virtual machine scale set
AnswerA

An availability set spreads VMs across fault domains and update domains within a datacenter. This reduces the chance that all instances are affected by the same host maintenance event. It is the correct choice when the goal is host-level resilience rather than protection against an entire datacenter outage.

Why this answer

An availability set ensures that VMs are placed on different fault domains and update domains within the same Azure datacenter. This configuration guarantees that during planned host maintenance, only one update domain is rebooted at a time, reducing the chance that both VMs are rebooted simultaneously. Since the requirement explicitly excludes a datacenter outage, an availability set is the correct choice to protect against planned maintenance events.

Exam trap

The trap here is that candidates often confuse availability zones (which protect against datacenter outages) with availability sets (which protect against planned maintenance and hardware failures within a single datacenter), leading them to select availability zones even when the requirement explicitly excludes datacenter-level failures.

How to eliminate wrong answers

Option B is wrong because availability zones protect against datacenter-level failures by placing VMs in physically separate datacenters, which is overkill and not required when only planned host maintenance is the concern. Option C is wrong because Azure Load Balancer distributes traffic across VMs but does not influence the placement or reboot behavior during host maintenance. Option D is wrong because a virtual machine scale set provides auto-scaling and high availability through fault domains, but it is designed for identical, scalable workloads and does not inherently reduce the chance of both VMs being rebooted during planned maintenance unless configured with an availability set or zones, which is not the direct solution for this specific requirement.

485
MCQeasy

Based on the exhibit, which identity type should be used so the on-premises build server can authenticate to Azure without using a human account password?

A.System-assigned managed identity
B.User-assigned managed identity
C.Service principal
D.Azure Storage access key
AnswerC

A service principal is the correct choice for non-Azure automation that needs to authenticate to Azure without using a person’s credentials. It can be paired with a certificate or secret and used by build and deployment tools running outside Azure.

Why this answer

A service principal is the correct identity type for an on-premises build server to authenticate to Azure without a human account password because it represents a non-human identity that can be assigned to applications, services, and automation tools. Service principals authenticate using client secrets or certificates, enabling secure, password-less authentication via OAuth 2.0 client credentials grant flow, which is ideal for automated build pipelines.

Exam trap

The trap here is that candidates often confuse managed identities (which are Azure-resource-bound) with service principals (which are application identities), leading them to choose a managed identity option even though the on-premises server cannot host an Azure-managed identity.

How to eliminate wrong answers

Option A is wrong because a system-assigned managed identity is tied to a specific Azure resource (e.g., an Azure VM or App Service) and cannot be used for on-premises servers; it is not exportable or usable outside of Azure. Option B is wrong because a user-assigned managed identity, while independent of a specific resource, is still an Azure-only identity that cannot be assigned to an on-premises machine; it requires an Azure resource to host it. Option D is wrong because an Azure Storage access key is a shared secret for accessing Azure Storage accounts, not an identity for authentication to Azure AD; it does not support OAuth 2.0 or role-based access control and is not suitable for authenticating a build server to Azure services beyond storage.

486
MCQmedium

You need to move infrequently accessed blob data automatically from the Hot tier to the Cool tier after 30 days to reduce cost. What should you configure?

A.Blob soft delete
B.Lifecycle management rules
C.A private endpoint
D.A CanNotDelete lock
AnswerB

Lifecycle management automates tier transitions such as Hot to Cool.

Why this answer

Azure Blob Storage lifecycle management rules allow you to automatically transition blobs from the Hot tier to the Cool tier based on age or other conditions. By configuring a rule that moves blobs to the Cool tier after 30 days from creation or last modification, you reduce storage costs for infrequently accessed data without manual intervention.

Exam trap

The trap here is that candidates confuse blob soft delete (which only handles recovery) with lifecycle management (which handles automated tiering and deletion), leading them to choose soft delete when the question asks about cost optimization through tier transitions.

How to eliminate wrong answers

Option A is wrong because blob soft delete protects against accidental deletion or overwrite by retaining deleted blobs for a specified retention period, but it does not automate tier transitions. Option C is wrong because a private endpoint provides secure network connectivity to the storage account over a private IP address in your virtual network, and has no role in data lifecycle management. Option D is wrong because a CanNotDelete lock prevents deletion of the storage account or container as a whole, but does not affect blob tiering or cost optimization.

487
MCQhard

A subnet has a user-defined route for 0.0.0.0/0 that sends traffic to a network virtual appliance at 10.1.0.4. The same virtual network is peered to a hub VNet that has a system route for 10.50.16.0/20. A VM in the subnet sends traffic to 10.50.18.25. Which next hop will Azure use?

A.Internet, because the default route overrides more specific routes.
B.Network virtual appliance at 10.1.0.4, because user-defined routes always win over system routes.
C.Virtual network peering, because the /20 peering route is more specific than 0.0.0.0/0.
D.None, because Azure disables routing when a subnet has both peering and a UDR.
AnswerC

Azure first selects the most specific matching prefix. The destination 10.50.18.25 falls inside the /20 peering route, which is more specific than the 0.0.0.0/0 forced-tunneling route. Because the longest prefix wins, traffic is sent over the peering path rather than to the NVA or the internet.

Why this answer

Azure uses the most specific route (longest prefix match) to determine next hop. The destination 10.50.18.25 falls within the 10.50.16.0/20 range of the peering route, which is more specific than the 0.0.0.0/0 UDR. Therefore, the traffic is routed via the virtual network peering, not the NVA.

Exam trap

The trap here is that candidates assume user-defined routes always override system routes, but Azure uses longest prefix match first, so a more specific system route (like a peering route) will take precedence over a less specific UDR.

How to eliminate wrong answers

Option A is wrong because Azure does not use the default route (0.0.0.0/0) when a more specific route (10.50.16.0/20) exists; longest prefix match applies. Option B is wrong because user-defined routes do not always win over system routes; route specificity takes precedence, and the peering route is a system route with a longer prefix. Option D is wrong because Azure does not disable routing when both peering and a UDR exist; it evaluates all routes and selects the most specific match.

488
MCQmedium

Based on the exhibit, the company will deploy two identical web server VMs in East US 2 behind a load balancer. The service must keep running if one datacenter in the region becomes unavailable. Which deployment choice best meets the requirement?

A.Place both VMs in an availability set so Azure can spread them across fault domains.
B.Place one VM in each of two availability zones and front them with the load balancer.
C.Place both VMs in one availability zone because all zones in a region share failure domains.
D.Deploy a single VM because Azure automatically replicates it across the region.
AnswerB

Availability zones place each VM in a separate datacenter boundary, which protects against one zone failure. If you distribute the web servers across zones, the load balancer can continue sending traffic to the remaining healthy instance when a zone becomes unavailable. This design matches the requirement to survive a datacenter outage within the region.

Why this answer

Option B is correct because deploying one VM in each of two availability zones within East US 2 ensures that the VMs are physically separated across distinct datacenters, each with independent power, cooling, and networking. If one datacenter (zone) fails, the other zone remains operational, and the load balancer automatically directs traffic to the healthy VM. This meets the requirement of keeping the service running if one datacenter in the region becomes unavailable.

Exam trap

The trap here is that candidates often confuse availability sets (which protect against rack-level failures within one datacenter) with availability zones (which protect against full datacenter outages), leading them to choose Option A as a sufficient solution.

How to eliminate wrong answers

Option A is wrong because an availability set only spreads VMs across fault domains within a single datacenter, not across multiple datacenters; a datacenter-level outage would still affect all VMs in the set. Option C is wrong because placing both VMs in one availability zone means they share the same datacenter failure boundary; a zone failure would take down both VMs. Option D is wrong because a single VM does not provide high availability; Azure does not automatically replicate a single VM across a region—it only provides redundancy at the storage or data level, not compute failover.

489
MCQmedium

Based on the exhibit, which KQL query should you use in a scheduled query alert to trigger only when five or more failed events occur within any 15-minute window?

A.CustomAppLogs_CL | where TimeGenerated >= ago(15m) | where Status_s == 'Failed' | summarize FailedCount=count() by bin(TimeGenerated, 1h) | where FailedCount >= 5
B.CustomAppLogs_CL | where TimeGenerated >= ago(1h) | where Status_s == 'Failed' | summarize FailedCount=count() by bin(TimeGenerated, 15m) | where FailedCount >= 5
C.CustomAppLogs_CL | where TimeGenerated >= ago(1h) | summarize FailedCount=count() by bin(TimeGenerated, 15m) | where FailedCount >= 5
D.CustomAppLogs_CL | where TimeGenerated >= ago(1h) | where Status_s == 'Failed' | summarize FailedCount=count() by bin(TimeGenerated, 15m) | where FailedCount > 0
AnswerB

This query filters to the recent hour, keeps only failed events, groups them into 15-minute bins, and returns only bins with five or more failures. That matches the alert requirement directly.

Why this answer

Option B is correct because it filters for 'Failed' events in the last hour, groups them into 15-minute bins using `bin(TimeGenerated, 15m)`, and then counts them. The `where FailedCount >= 5` condition triggers the alert only when five or more failed events occur within any single 15-minute window, matching the requirement exactly.

Exam trap

The trap here is that candidates often confuse the lookback period (`ago(1h)`) with the aggregation window (`bin(..., 15m)`), leading them to pick Option A with a 1-hour bin, which fails to meet the 'any 15-minute window' requirement.

How to eliminate wrong answers

Option A is wrong because it uses `bin(TimeGenerated, 1h)`, which groups events into 1-hour bins, not 15-minute windows, so it cannot detect five failures within any 15-minute period. Option C is wrong because it omits the `where Status_s == 'Failed'` filter, counting all events regardless of status, which would trigger on non-failed events. Option D is wrong because it uses `where FailedCount > 0`, which triggers on any single failed event in a 15-minute window, not the required threshold of five or more.

490
MCQmedium

An NSG attached to a subnet contains these inbound rules: Deny-All-Inbound at priority 200, Allow-HTTPS-Admin at priority 250 from 203.0.113.20/32, and Allow-HTTPS-Internet at priority 300. A VM in the subnet cannot receive HTTPS from the admin workstation even though the source IP is correct. What should the administrator change?

A.Change the protocol from TCP to Any on the allow rule.
B.Move the Allow-HTTPS-Admin rule to a priority number lower than 200.
C.Associate a NAT gateway with the subnet.
D.Enable service endpoint policies on the subnet.
AnswerB

NSG rules are processed in priority order, and the lowest number wins. Because Deny-All-Inbound is at priority 200, it is evaluated before the allow rule at 250 and blocks the traffic. Moving the allow rule to a smaller number than 200 lets the admin workstation's HTTPS traffic match the allow rule first.

Why this answer

The Deny-All-Inbound rule at priority 200 blocks all traffic, including HTTPS from the admin workstation, because NSG rules are evaluated in priority order (lowest number first). The Allow-HTTPS-Admin rule at priority 250 is never reached since the deny rule with a higher priority (lower number) matches first. To allow the admin traffic, the allow rule must have a priority lower than 200 (e.g., 150) so it is evaluated before the deny rule.

Exam trap

The trap here is that candidates assume a higher priority number means higher precedence, but in Azure NSGs, a lower numeric priority value (e.g., 200) is evaluated before a higher one (e.g., 250), so the deny rule blocks the traffic before the allow rule is checked.

How to eliminate wrong answers

Option A is wrong because changing the protocol from TCP to Any would not bypass the priority issue; the Deny-All-Inbound rule at priority 200 still blocks all traffic regardless of protocol. Option C is wrong because a NAT gateway provides outbound internet connectivity for a subnet, not inbound access control, and does not affect NSG rule evaluation. Option D is wrong because service endpoint policies secure outbound traffic to Azure services (e.g., Storage, SQL) and do not influence inbound NSG rule priority or allow inbound HTTPS traffic.

491
Multi-Selecthard

Two virtual networks are in different subscriptions. VNet-A uses 10.20.0.0/16 and VNet-B uses 10.20.128.0/17. A design review also states that traffic between two spoke VNets should flow through a hub VNet instead of directly between spokes. Which two statements are correct? Select two.

Select 2 answers
A.The two VNets cannot be peered until one address space is changed because the ranges overlap.
B.VNet peering is transitive, so spoke-to-spoke traffic will automatically use the hub peering.
C.To reach another spoke through the hub, you need an explicit design such as gateway transit or routing controls.
D.Overlapping CIDR blocks are allowed if the VNets are placed in separate resource groups.
E.If the hub has a VPN gateway, spoke traffic to other spokes is routed automatically without additional configuration.
AnswersA, C

Azure peering does not allow overlapping address spaces, even across subscriptions.

Why this answer

Option A is correct because VNet peering in Azure requires that the address spaces of the peered VNets do not overlap. VNet-A uses 10.20.0.0/16 and VNet-B uses 10.20.128.0/17, which are overlapping ranges (10.20.128.0/17 is a subset of 10.20.0.0/16). Azure will reject the peering request until one of the address spaces is changed to eliminate the overlap.

Exam trap

The trap here is that candidates often assume VNet peering is transitive (like in some other cloud providers) or that a VPN gateway automatically routes spoke-to-spoke traffic, but Azure requires explicit routing configuration for transitive traffic through a hub.

492
MCQeasy

A production workload must continue running if one entire Azure datacenter in the region becomes unavailable. The region supports availability zones, and you want the strongest placement option for a single VM. What should you choose?

A.Availability zone
B.Availability set
C.Proximity placement group
D.Managed disk snapshot
AnswerA

An availability zone places the VM in a separate datacenter within the region, helping protect against a full datacenter failure.

Why this answer

An availability zone protects against an entire datacenter failure by placing the VM in a physically separate zone within the region, each with independent power, cooling, and networking. This is the strongest placement option for a single VM because it guarantees isolation from other zones, ensuring the workload continues if one datacenter fails. Availability sets only protect against rack-level failures within the same datacenter, not a full datacenter outage.

Exam trap

The trap here is that candidates often confuse availability sets (which protect against rack failures) with availability zones (which protect against datacenter failures), leading them to choose the cheaper or more familiar option without recognizing the requirement for full datacenter resilience.

How to eliminate wrong answers

Option B is wrong because an availability set only distributes VMs across multiple fault domains and update domains within a single datacenter, providing no protection if the entire datacenter becomes unavailable. Option C is wrong because a proximity placement group is designed to minimize network latency by co-locating VMs as close as possible, often within the same datacenter, which increases the risk of a single point of failure. Option D is wrong because a managed disk snapshot is a backup/recovery mechanism for disks, not a placement or high-availability feature; it cannot keep a VM running during a datacenter outage.

493
MCQeasy

You want to send a storage account's read, write, and delete events to a Log Analytics workspace for later investigation. Which feature should you configure?

A.Diagnostic settings for the storage account
B.An action group
C.A metric alert rule
D.A Recovery Services vault
AnswerA

Diagnostic settings are used to export platform logs and metrics from an Azure resource to a workspace, storage account, or event hub.

Why this answer

Diagnostic settings on a storage account allow you to stream resource logs, including read, write, and delete operations (stored in the StorageRead, StorageWrite, and StorageDelete log categories), to a Log Analytics workspace. This is the correct feature for capturing and analyzing these events for later investigation.

Exam trap

The trap here is that candidates often confuse diagnostic settings (which stream logs) with metric alerts (which monitor numeric thresholds) or action groups (which define notification actions), leading them to pick an option that handles alerts rather than log collection.

How to eliminate wrong answers

Option B is wrong because an action group is a collection of notification preferences (e.g., email, SMS, webhook) triggered by alert rules, not a destination for streaming logs. Option C is wrong because a metric alert rule monitors numeric metrics (e.g., latency, throughput) and triggers notifications when thresholds are breached, it does not capture or send log data like read/write/delete events. Option D is wrong because a Recovery Services vault is used for backup and disaster recovery (e.g., Azure Backup, Site Recovery), not for collecting operational logs from a storage account.

494
MCQeasy

Based on the exhibit, what inbound NSG rule should the administrator add to allow only the web tier to reach the app tier on TCP 8080?

A.Source: WebASG, Destination: AppASG, Protocol: TCP, Port: 8080, Priority: 250
B.Source: Internet, Destination: VirtualNetwork, Protocol: TCP, Port: 8080, Priority: 250
C.Source: AppASG, Destination: WebASG, Protocol: TCP, Port: 8080, Priority: 250
D.Source: WebASG, Destination: AppASG, Protocol: TCP, Port: 8080, Priority: 350
AnswerA

This rule uses application security groups to target the web tier and app tier precisely. Priority 250 is evaluated before the deny rule at 300, so the allowed web-to-app traffic can pass while everything else remains blocked.

Why this answer

Option A is correct because the inbound NSG rule must allow traffic from the web tier (source: WebASG) to the app tier (destination: AppASG) on TCP port 8080. A priority of 250 is lower than the default rules (65000+) and ensures this rule is evaluated before any higher-numbered deny rules, while being high enough to leave room for more specific rules if needed.

Exam trap

The trap here is that candidates often confuse the source and destination in NSG rules, mistakenly thinking the rule should allow the app tier to receive traffic from the web tier by setting the source to AppASG and destination to WebASG, which is the reverse of the required direction.

How to eliminate wrong answers

Option B is wrong because it sets the source to 'Internet' and destination to 'VirtualNetwork', which would allow any internet traffic to reach any VM in the virtual network on TCP 8080, not just the web tier to the app tier. Option C is wrong because it reverses the source and destination (AppASG to WebASG), which would allow the app tier to initiate connections to the web tier on TCP 8080, opposite of the requirement. Option D is wrong because it uses a priority of 350, which is higher than the default deny rule (65000) but still lower than the default allow rules; however, the question does not specify a need for a specific priority value, and 250 is a more common choice for custom rules, but the key issue is that priority 350 is not inherently wrong—the trap is that the question expects the lowest possible priority number to ensure evaluation order, but 250 is acceptable; however, the correct answer must match the exhibit's implied priority range, and 350 is too high to guarantee precedence over other potential rules.

495
MCQmedium

A legal department archived a 120-GB blob three weeks ago. They now need the file available for review later today, and waiting more than a day would delay a court filing. What should the administrator do to make the blob readable as quickly as possible?

A.Copy the blob to a new container and leave it in the Archive tier until the users need it.
B.Start rehydration from Archive and choose High priority.
C.Change the access tier from Archive directly to Cool and then download the blob immediately.
D.Enable soft delete on the container and restore the blob from deleted items.
AnswerB

Archive blobs cannot be read immediately. To make the blob available within the shortest practical time, the administrator should rehydrate it and select High priority so Azure processes the request faster than the standard option.

Why this answer

Option B is correct because rehydrating a blob from the Archive tier with High priority typically makes the blob readable within 1 hour, meeting the urgent same-day requirement. The Archive tier is offline, so the blob must be rehydrated (changed to an online tier like Hot or Cool) before it can be accessed. High-priority rehydration is designed for time-sensitive scenarios like this court filing deadline.

Exam trap

The trap here is that candidates may think changing the access tier directly (Option C) is instantaneous, but Azure requires a rehydration process that can take up to 15 hours for standard priority, making High-priority rehydration (Option B) the only viable choice for same-day access.

How to eliminate wrong answers

Option A is wrong because copying a blob while it remains in the Archive tier does not change its offline status; the copy would also be in the Archive tier and still require rehydration before reading. Option C is wrong because changing the access tier directly from Archive to Cool triggers a standard-priority rehydration that can take up to 15 hours, which exceeds the 'later today' requirement and would delay the court filing. Option D is wrong because soft delete is used to recover accidentally deleted blobs, not to restore blobs that are in the Archive tier; the blob was archived, not deleted, so soft delete does not apply.

496
MCQmedium

An administrator added a user to an Entra security group that already has Contributor on a resource group. The role assignment is correct, but the user still gets 'You do not have access' in the Azure portal 5 minutes later. What is the most likely next step?

A.Change the role assignment from the group to the subscription.
B.Have the user sign out and sign back in to refresh the access token.
C.Delete and recreate the resource group.
D.Assign Owner directly to the user.
AnswerB

This refreshes token claims so the portal can recognize the new group membership.

Why this answer

When a user is added to a security group that already has a role assignment, the new permissions take effect immediately in Azure RBAC, but the user's existing access token (which is cached by the Azure portal) does not include the new group membership claims. The token must be refreshed by signing out and signing back in, or by closing and reopening the browser, to force a new token acquisition that includes the updated role assignments.

Exam trap

The trap here is that candidates assume Azure RBAC changes are instantaneous and overlook the client-side token caching mechanism, leading them to incorrectly modify the role assignment or scope instead of simply refreshing the user's session.

How to eliminate wrong answers

Option A is wrong because changing the role assignment scope from the resource group to the subscription does not address the token caching issue; it would only broaden the scope of permissions, but the user still holds a stale token. Option C is wrong because deleting and recreating the resource group is an unnecessary destructive action that does not resolve the token refresh problem; the role assignment on the existing resource group is correct. Option D is wrong because assigning Owner directly to the user bypasses the group-based assignment but still suffers from the same token caching issue; the user would need to refresh their token regardless.

497
MCQmedium

Based on the exhibit, which Azure feature should the administrator use to install software and run the bootstrap script during VM provisioning?

A.Azure VM Custom Script Extension
B.A network security group rule allowing RDP from the Internet
C.An availability set with two fault domains
D.A managed disk snapshot restored as the operating system disk
AnswerA

The Custom Script Extension is designed to run scripts after deployment and is commonly used for first-boot configuration. It can download files, execute installation commands, and automate bootstrap tasks without requiring manual sign-in. This matches the requirement to install IIS, copy application files, and run bootstrap.ps1 as part of provisioning.

Why this answer

The Azure VM Custom Script Extension (CSE) is the correct feature because it allows the administrator to execute scripts (such as installing software or running a bootstrap script) during VM provisioning or after the VM is running. The extension downloads the script from Azure Storage or a public URL and executes it using the local system account, making it ideal for post-deployment configuration tasks.

Exam trap

The trap here is that candidates often confuse network security group rules (which control traffic) or availability sets (which provide redundancy) with the ability to run scripts, but only the Custom Script Extension can execute code during VM provisioning.

How to eliminate wrong answers

Option B is wrong because a network security group (NSG) rule allowing RDP from the Internet only opens port 3389 for remote desktop access; it does not install software or run scripts. Option C is wrong because an availability set with two fault domains is a high-availability feature that distributes VMs across separate hardware racks to protect against datacenter failures; it has no capability to execute scripts or install software. Option D is wrong because a managed disk snapshot restored as the operating system disk creates a new VM from a point-in-time copy of a disk; it does not run any scripts or install additional software during provisioning.

498
MCQmedium

A company wants to stop users from deploying resources in any region except East US and West US. Users still need to be able to create resources if they choose an approved region. Which Azure feature should the administrator use?

A.Azure RBAC with a Contributor role at the subscription scope.
B.Azure Policy with a deny effect assigned at the appropriate scope.
C.A resource lock at the subscription level.
D.A tag requirement in Azure RBAC.
AnswerB

Azure Policy is designed for compliance and enforcement. A policy that checks the location property and uses a deny effect can block deployments outside the approved regions while still allowing valid deployments in East US or West US. This meets the requirement without changing the users' general ability to create resources.

Why this answer

Azure Policy with a deny effect can enforce that resource deployments are only allowed in specified regions (East US and West US) by evaluating the location property of the resource against a policy definition. When a user attempts to deploy a resource in a non-approved region, the policy engine rejects the request before any resource creation begins, ensuring compliance without blocking approved regions.

Exam trap

The trap here is confusing Azure Policy (which can enforce location restrictions with a deny effect) with Azure RBAC (which controls permissions but not resource properties) or resource locks (which protect against deletion/modification, not creation).

How to eliminate wrong answers

Option A is wrong because Azure RBAC with a Contributor role at the subscription scope grants broad permissions to create and manage resources but does not restrict the region where resources can be deployed; it lacks the ability to enforce location constraints. Option C is wrong because a resource lock at the subscription level (e.g., CanNotDelete or ReadOnly) prevents deletion or modification of all resources but does not restrict the region in which new resources can be created. Option D is wrong because a tag requirement in Azure RBAC is not a valid feature; Azure RBAC does not enforce tag requirements, and tags alone cannot block resource creation in disallowed regions.

499
MCQmedium

Two VNets are peered successfully, and a VM in the spoke can reach a private endpoint in the hub by IP address. However, the VM cannot resolve the storage account name to the private endpoint FQDN. The private DNS zone is linked only to the hub VNet. What should the administrator do?

A.Add a route table to the spoke subnet pointing to the private endpoint IP.
B.Link the private DNS zone to the spoke VNet as well.
C.Enable gateway transit on the peering connection.
D.Create an NSG rule to allow DNS traffic to the storage account.
AnswerB

Private DNS zones must be linked to every VNet that needs to resolve the private endpoint name through Azure-provided DNS behavior. Since the spoke VNet is not linked to the zone, its VM does not receive the private endpoint record and cannot resolve the storage account FQDN correctly. Linking the zone to the spoke VNet allows name resolution to return the private IP.

Why this answer

The VM can reach the private endpoint by IP, confirming that network connectivity (peering and routing) is working. However, name resolution fails because the private DNS zone, which contains the private endpoint FQDN mapping, is linked only to the hub VNet. By linking the private DNS zone to the spoke VNet (option B), the spoke VMs will use Azure-provided DNS to resolve the storage account name to the private IP, enabling seamless name resolution across the peered VNets.

Exam trap

The trap here is that candidates often assume that VNet peering automatically extends DNS resolution for private endpoints, but in reality, each VNet must be explicitly linked to the private DNS zone for name resolution to work across the peering.

How to eliminate wrong answers

Option A is wrong because adding a route table to the spoke subnet pointing to the private endpoint IP would force traffic to the private endpoint IP for all destinations, which is unnecessary and could break routing; the issue is DNS resolution, not routing. Option C is wrong because gateway transit is used to allow a spoke VNet to use a VPN gateway or ExpressRoute gateway in the hub VNet, which is unrelated to DNS resolution of private endpoints. Option D is wrong because an NSG rule to allow DNS traffic to the storage account is irrelevant; DNS queries are sent to Azure's DNS resolver (168.63.129.16) or a custom DNS server, not directly to the storage account, and the storage account itself does not serve DNS.

500
MCQmedium

A VM in a spoke subnet must send all traffic destined for 172.16.0.0/12 to a firewall appliance at 10.1.1.4. All other destinations should continue to use Azure system routes. Which user-defined route should the administrator add to the subnet route table?

A.Destination 0.0.0.0/0 with next hop Internet.
B.Destination 172.16.0.0/12 with next hop Virtual appliance and next hop address 10.1.1.4.
C.Destination 172.16.0.0/12 with next hop Virtual network gateway.
D.Destination 172.16.0.0/12 with next hop None.
AnswerB

A UDR should match the exact destination prefix that must be redirected. By adding 172.16.0.0/12 with next hop type Virtual appliance and the firewall private IP, Azure sends only that traffic to the appliance. All other traffic continues to follow the built-in system routes.

Why this answer

Option B is correct because a user-defined route (UDR) with destination 172.16.0.0/12 and next hop type 'Virtual appliance' (with IP 10.1.1.4) overrides the default Azure system route for that prefix, forcing all traffic to the 172.16.0.0/12 range through the firewall at 10.1.1.4. This satisfies the requirement while leaving all other destinations (including 0.0.0.0/0) to be handled by Azure's default system routes.

Exam trap

The trap here is that candidates often confuse the 'Virtual appliance' next hop with 'Virtual network gateway' or assume a default route (0.0.0.0/0) is needed, but the requirement specifically limits the forced tunneling to only the 172.16.0.0/12 range, not all traffic.

How to eliminate wrong answers

Option A is wrong because a 0.0.0.0/0 route with next hop Internet would send all traffic (including 172.16.0.0/12) to the internet, bypassing the firewall entirely. Option C is wrong because next hop 'Virtual network gateway' is used for VPN or ExpressRoute traffic, not for directing traffic to a firewall appliance; it would route the 172.16.0.0/12 traffic to a gateway instead of the firewall. Option D is wrong because next hop 'None' drops all traffic destined for 172.16.0.0/12, which does not meet the requirement to send it to the firewall.

501
MCQmedium

A policy at the management group denies storage accounts that allow public network access. One legacy storage account in RG-Legacy must stay public for 30 days while a migration runs, and the team does not want to change the policy for everyone else. What should the administrator create?

A.A resource lock on the storage account
B.A policy exemption for that storage account
C.A second policy assignment with higher priority
D.A custom RBAC role for the migration team
AnswerB

A policy exemption is designed for temporary or justified exceptions to an assignment without weakening the control for all other resources. It lets the legacy storage account remain out of compliance for the approved period while the deny policy continues to apply everywhere else under the management group.

Why this answer

A policy exemption allows specific resources to be excluded from the effect of a policy initiative without modifying the original policy definition. In this scenario, the management group policy denies storage accounts with public network access, but the legacy account needs to remain public temporarily. By creating a policy exemption (with 'exempt' category) for that specific storage account, the administrator can bypass the deny effect for 30 days while the policy continues to apply to all other resources.

Exam trap

The trap here is that candidates confuse policy exemptions with resource locks or RBAC, thinking that locking the resource or assigning permissions can bypass policy enforcement, but only a policy exemption can create a targeted exception without altering the policy definition.

How to eliminate wrong answers

Option A is wrong because a resource lock prevents accidental deletion or modification of the storage account but does not override Azure Policy deny effects; the policy would still block the account's public access configuration. Option C is wrong because a second policy assignment with higher priority does not exist in Azure Policy; policy assignments are evaluated based on the closest scope (inheritance), not priority, and a second assignment would only add another layer of enforcement, not create an exception. Option D is wrong because a custom RBAC role controls who can manage resources (permissions) but does not alter the enforcement of Azure Policy; the policy's deny effect applies regardless of the user's role.

502
MCQhard

Your company has two Azure subscriptions named Dev-Sub and Prod-Sub. You need to ensure that a user can create resource groups only in Dev-Sub and nowhere else. What should you do?

A.Assign the Contributor role at the Dev-Sub subscription scope.
B.Assign the Owner role at the tenant root scope.
C.Assign the Reader role at the Dev-Sub subscription scope.
D.Assign the Contributor role at the management group scope that contains both subscriptions.
AnswerA

Contributor at the Dev-Sub scope allows resource group creation within that subscription only.

Why this answer

The Contributor role allows a user to create and manage resources, including resource groups, within the assigned scope. By assigning this role at the Dev-Sub subscription scope, the user gains the necessary permissions to create resource groups only in that subscription, as Azure RBAC permissions are inherited downward but not across sibling scopes. This ensures the user cannot create resource groups in Prod-Sub or any other subscription.

Exam trap

The trap here is that candidates often confuse the Contributor role with the Reader role, or incorrectly assume that assigning a role at a management group scope can be used to limit permissions to a single subscription, not realizing that management group scope inheritance applies to all child subscriptions.

How to eliminate wrong answers

Option B is wrong because assigning the Owner role at the tenant root scope grants full administrative access over all subscriptions in the tenant, including Prod-Sub, which violates the requirement to restrict resource group creation to Dev-Sub only. Option C is wrong because the Reader role allows read-only access to resources and does not include the permission to create resource groups (Microsoft.Resources/subscriptions/resourceGroups/write). Option D is wrong because assigning the Contributor role at a management group scope that contains both subscriptions grants the user Contributor permissions in both Dev-Sub and Prod-Sub, allowing resource group creation in both, not just Dev-Sub.

503
MCQeasy

Based on the exhibit, which image source should the administrator use to deploy the same approved server build again?

A.A public marketplace Windows Server image.
B.A custom image stored in Azure Compute Gallery.
C.A snapshot of the VM operating system disk.
D.A temporary disk attached to the VM.
AnswerB

A custom image in Azure Compute Gallery is intended for repeatable deployment of a standardized, generalized VM build. It preserves the patched operating system, installed agent, and line-of-business software so future VMs can be created from the same baseline across environments and subscriptions.

Why this answer

A custom image stored in Azure Compute Gallery (formerly Shared Image Gallery) is the correct choice because it allows the administrator to capture a generalized VM image that includes the exact OS configuration, applications, and settings of the approved server build. This image can then be used repeatedly to deploy identical VMs, ensuring consistency across deployments. Azure Compute Gallery supports versioning and replication across regions, making it the ideal solution for maintaining and distributing a standardized server build.

Exam trap

The trap here is that candidates often confuse a snapshot with a custom image, not realizing that a snapshot is not generalized and cannot be used to deploy multiple identical VMs without manual Sysprep and conversion to a managed image.

How to eliminate wrong answers

Option A is wrong because a public marketplace Windows Server image is a generic, unconfigured base image that does not include the specific applications, patches, or customizations of the approved server build, so it cannot replicate the same build. Option C is wrong because a snapshot of the VM operating system disk captures the disk state at a point in time but is not generalized (it retains the original computer name, SID, and user accounts), and deploying from a snapshot would create a VM with the same identity, leading to conflicts and not a clean, reusable image. Option D is wrong because a temporary disk attached to the VM is a local, ephemeral disk used for temporary storage (e.g., page files) and is not persisted; it cannot be used to deploy a new VM, let alone replicate a server build.

504
Multi-Selecthard

A web app uses a managed identity to read blobs from a storage account. Security now wants to ensure no future requests can authenticate with shared keys and the app should continue to use secretless access. Which two changes should the administrator make? Select two.

Select 2 answers
A.Assign the Storage Blob Data Reader role to the managed identity on the storage account or container.
B.Disable shared key access on the storage account.
C.Generate a service SAS and place it in an app setting.
D.Rotate the storage account keys weekly.
E.Grant Reader access to the resource group because it includes the storage account.
AnswersA, B

The data-plane role authorizes blob reads for the managed identity without storing secrets in the application.

Why this answer

Option A is correct because assigning the Storage Blob Data Reader role to the managed identity enables Azure RBAC-based, secretless access to blobs. This aligns with the requirement to use managed identities for authentication, eliminating the need for keys or SAS tokens. Option B is correct because disabling shared key access on the storage account enforces the security policy that no future requests can authenticate using shared keys, while the managed identity continues to work via Azure AD authentication.

Exam trap

The trap here is that candidates often confuse disabling shared key access with rotating keys or using SAS tokens, thinking those actions also enforce secretless access, but only disabling shared key access actually blocks key-based authentication while managed identity continues to work seamlessly.

505
MCQeasy

Based on the exhibit, which subnet prefix should be used for Subnet A so it can support about 30 VM NICs?

A./28
B./27
C./26
D./25
AnswerC

A /26 subnet is the smallest option listed that can support about 30 VM NICs after Azure reserves its five addresses. /26 provides 64 total addresses and enough usable IPs for the requirement, leaving a little room for growth. This is the most efficient choice among the options shown.

Why this answer

Option C (/26) is correct because a /26 subnet provides 64 IP addresses (2^(32-26) = 64), of which 62 are usable for VM NICs after reserving the network address and broadcast address. This comfortably supports about 30 VM NICs while leaving room for growth.

Exam trap

The trap here is that candidates often forget Azure reserves five IP addresses per subnet (not just the network and broadcast), leading them to incorrectly choose /27 thinking 30 usable IPs are enough, when in reality only 25 are available.

How to eliminate wrong answers

Option A (/28) is wrong because a /28 subnet provides only 16 IP addresses total, with 14 usable — far too few for about 30 VM NICs. Option B (/27) is wrong because a /27 subnet provides 32 IP addresses total, with 30 usable — this exactly matches the requirement but leaves no room for growth or Azure reserved addresses (Azure reserves the first four and last address in each subnet), reducing usable IPs to 27, which is insufficient. Option D (/25) is wrong because a /25 subnet provides 128 IP addresses total, with 126 usable — this is excessive for supporting about 30 VM NICs and wastes IP address space.

506
MCQhard

A storage account must remain reachable through its public endpoint for an on-premises integration server, but only one Azure subnet should be allowed to access it from Azure. The team does not want private endpoints or DNS changes. What should the administrator configure?

A.Add a private endpoint and disable public network access
B.Enable a service endpoint on the subnet and add that subnet to the storage account networking rules
C.Create a SAS token restricted to that subnet
D.Assign Storage Blob Data Reader to the subnet
AnswerB

A service endpoint lets traffic from the chosen Azure subnet reach the storage account over the Microsoft backbone while still using the account's public endpoint. Adding the subnet to the storage account firewall rules then restricts Azure access to only that subnet. This meets the requirement to keep public access available for the on-premises integration server while tightly limiting Azure-based access without private endpoints or DNS changes.

Why this answer

Option B is correct because a service endpoint extends the virtual network identity to the storage account, allowing you to restrict access to a specific subnet while keeping the public endpoint enabled for on-premises access. This meets the requirement of allowing only one Azure subnet to access the storage account from Azure without using private endpoints or DNS changes.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, assuming that service endpoints require disabling public access or that private endpoints are the only way to restrict subnet access, when in fact service endpoints allow selective subnet access while keeping the public endpoint active.

How to eliminate wrong answers

Option A is wrong because adding a private endpoint and disabling public network access would block the on-premises integration server from reaching the storage account via its public endpoint, which contradicts the requirement. Option C is wrong because a SAS token restricts access based on the token's permissions and expiry, not by subnet; SAS tokens cannot restrict access to a specific Azure subnet. Option D is wrong because assigning Storage Blob Data Reader to a subnet is not a valid configuration; Azure RBAC roles are assigned to identities (users, groups, service principals), not to subnets.

507
MCQmedium

A storage account experiences a brief regional platform issue. The team wants an alert whenever Azure marks the resource as unavailable, even if no custom metric changes are detected. What should the administrator use?

A.A metric alert on the account's transaction count.
B.A Resource Health alert for the storage account.
C.A diagnostic setting that sends logs only to a storage account.
D.An Azure Policy assignment that denies writes to the storage account.
AnswerB

Resource Health alerts are designed to notify administrators when Azure determines that a specific resource is unavailable or degraded because of a platform issue. This works even when ordinary metrics do not change in a useful way. It is the correct choice when the requirement is to detect service or infrastructure problems that Azure reports at the resource level rather than workload performance issues.

Why this answer

A Resource Health alert is designed to monitor the health of Azure resources and trigger notifications when Azure detects that the resource is unavailable due to platform issues, even if no custom metric thresholds are breached. This alert uses signals from the Azure Resource Health service, which tracks the current and historical health status of resources, making it the correct choice for detecting regional platform unavailability without relying on custom metrics.

Exam trap

The trap here is that candidates often confuse metric alerts (which require custom metric thresholds) with Resource Health alerts (which detect platform-level unavailability), leading them to choose a metric-based option like transaction count instead of the health-specific alert.

How to eliminate wrong answers

Option A is wrong because a metric alert on transaction count monitors performance metrics (e.g., latency, throttling) and would not trigger solely for resource unavailability due to a platform issue; it requires metric threshold breaches. Option C is wrong because a diagnostic setting that sends logs to a storage account only archives logs for analysis, it does not generate alerts for resource unavailability. Option D is wrong because an Azure Policy assignment that denies writes is a governance control to prevent configuration changes, not a monitoring or alerting mechanism for resource health events.

508
MCQeasy

A file server VM is corrupted after a bad change. The team needs to recover the whole machine to the latest recovery point, not just one file. Which restore workflow should they use?

A.Restore virtual machine
B.File and folder recovery
C.Modify the backup policy
D.Create an action group
AnswerA

This workflow restores the full VM from the chosen recovery point.

Why this answer

Option A is correct because Azure Backup's 'Restore virtual machine' workflow creates a new VM from the latest recovery point, restoring the entire machine state including OS, applications, and data. This is the appropriate method when the goal is to recover the full VM after corruption, as it uses the VM-level restore point stored in the Recovery Services vault.

Exam trap

The trap here is that candidates confuse 'File and folder recovery' (which is for granular file-level restore) with full VM recovery, or mistakenly think modifying the backup policy can retroactively restore a corrupted VM.

How to eliminate wrong answers

Option B is wrong because 'File and folder recovery' is designed for granular restoration of individual files or folders from a VM backup, not for recovering the entire VM. Option C is wrong because modifying the backup policy changes future backup schedules or retention, but does not perform any restore operation. Option D is wrong because an action group is a notification and automation mechanism for Azure Monitor alerts, not a restore workflow for Azure Backup.

509
Multi-Selecthard

A support engineer must start and restart one specific virtual machine from the Azure portal, but must not be able to delete the VM, change networking, or grant access to others. Which two actions should be included in a custom role? Select two.

Select 2 answers
A.Microsoft.Compute/virtualMachines/start/action grants the ability to start the VM without broader management permissions.
B.Microsoft.Compute/virtualMachines/restart/action permits a controlled restart operation on the target VM.
C.Microsoft.Compute/virtualMachines/delete gives the ability to remove the VM from the subscription.
D.Microsoft.Network/networkInterfaces/write is needed because a VM start or restart always requires NIC modification rights.
E.Microsoft.Authorization/roleAssignments/write would let the engineer grant access to other users and manage permissions.
AnswersA, B

This action is the precise permission needed to power on a virtual machine. It is narrower than Contributor and does not expose unrelated capabilities such as deleting the VM or changing attached resources. Using this action supports least privilege for operational support tasks.

Why this answer

Option A is correct because Microsoft.Compute/virtualMachines/start/action is a specific permission that allows starting a VM without granting broader management capabilities like deletion or network changes. This action is part of the Azure RBAC role definition and can be included in a custom role to limit the support engineer's scope to only starting the VM.

Exam trap

The trap here is that candidates may think network interface write permissions are required for VM operations, but start and restart only need compute-level actions, not network modifications.

510
Drag & Dropmedium

Arrange the steps to configure Azure Load Balancer with a backend pool.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Create LB, configure frontend and backend, add probes, rules, then associate VMs.

511
MCQmedium

A storage account must be reachable only from a single Azure VNet. The team wants the storage account to have a private IP in that VNet and wants to disable public network access. Which solution should the administrator implement?

A.Configure a service endpoint on the subnet and keep public network access enabled.
B.Create a private endpoint for the storage account and disable public network access.
C.Assign a shared access signature and rely on IP-based firewall rules.
D.Use a route table to force traffic to the storage account over the virtual network gateway.
AnswerB

A private endpoint places a private IP address in the VNet for the storage service, allowing traffic to stay on the private network path. Disabling public network access ensures the service cannot be reached through its public endpoint.

Why this answer

A private endpoint assigns the storage account a private IP from the VNet, making it accessible only within that VNet over a private connection. Disabling public network access ensures no traffic can reach the storage account from the internet, meeting both requirements. This is the only option that provides a private IP and blocks all public access.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, assuming a service endpoint provides a private IP, when in fact it only provides a public endpoint with a VNet source identity.

How to eliminate wrong answers

Option A is wrong because a service endpoint does not assign a private IP to the storage account; it only extends the VNet identity to the service via public endpoints, and keeping public network access enabled violates the requirement to disable public access. Option C is wrong because a shared access signature (SAS) provides delegated access via the public endpoint, and IP-based firewall rules still rely on the public endpoint, neither of which gives the storage account a private IP or disables public network access. Option D is wrong because a route table with forced tunneling over a virtual network gateway does not assign a private IP to the storage account and does not disable public network access; it only influences traffic routing, not the storage account's accessibility.

512
MCQmedium

A web app running in Azure App Service must upload images to a blob container without storing any account keys, passwords, or connection strings in configuration. The app uses only one Azure resource. What should the administrator configure?

A.A system-assigned managed identity on the App Service and an Azure RBAC role on the storage account.
B.The storage account key, because it is the simplest way to authenticate an application securely.
C.A shared access signature embedded in the app settings, because SAS is the same as managed identity.
D.An anonymous public container with write access disabled on the account.
AnswerA

A system-assigned managed identity is ideal when one Azure resource needs to access storage without secrets. The identity is created and deleted with the App Service, and RBAC can grant only the storage permissions required. This removes the need to embed keys or connection strings and aligns with credential-free application access.

Why this answer

A system-assigned managed identity allows the App Service to authenticate to Azure Storage without storing any credentials in configuration. By assigning the RBAC role (e.g., Storage Blob Data Contributor) to that identity, the app can securely upload images using Azure AD authentication, meeting the requirement of no account keys, passwords, or connection strings.

Exam trap

The trap here is that candidates often confuse shared access signatures (SAS) with managed identities, thinking SAS can be used without storing secrets, but SAS tokens still require a key to generate and must be stored or regenerated, whereas managed identity eliminates all stored credentials.

How to eliminate wrong answers

Option B is wrong because storing the storage account key in configuration violates the requirement to avoid any keys or secrets, and it introduces a security risk if the key is exposed. Option C is wrong because a shared access signature (SAS) is a token that must be stored or generated with a key, and it is not equivalent to managed identity; managed identity uses Azure AD tokens without any stored secrets. Option D is wrong because an anonymous public container with write access disabled prevents any uploads, and enabling write access would expose the container to unauthenticated users, violating security best practices.

513
MCQhard

An administrator wants a storage account to be accessible only from one subnet. The storage account should still use its public FQDN, the team does not want a private IP address in the VNet, and they do not want to manage private DNS zones. Which solution should be used?

A.Create a private endpoint and disable public network access.
B.Enable a service endpoint on the subnet and restrict the storage firewall to that subnet.
C.Peer the subnet to a dedicated storage VNet and route traffic through peering.
D.Assign a route table with a host route to the storage account.
AnswerB

A service endpoint allows the subnet to access the storage account over the Azure backbone while the storage account still uses its public FQDN and does not require a private IP in the VNet. Because the administrator also wants to avoid private DNS zone management, this is the best fit. The storage firewall can then be restricted to the specific subnet.

Why this answer

Option B is correct because a service endpoint allows the storage account to be accessed from a specific subnet while still using the public FQDN. By enabling a service endpoint on the subnet and configuring the storage firewall to allow traffic only from that subnet, the administrator meets all requirements: no private IP, no private DNS zones, and access restricted to one subnet.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, assuming that only private endpoints can restrict network access, but service endpoints combined with firewall rules achieve the same restriction without changing the endpoint type or requiring DNS management.

How to eliminate wrong answers

Option A is wrong because a private endpoint assigns a private IP address to the storage account within the VNet, which the team explicitly does not want, and it also requires managing private DNS zones. Option C is wrong because VNet peering does not restrict access to a single subnet; it connects entire VNets and still requires the storage account to be accessible via private IP or public endpoint, and it does not eliminate the need for private DNS. Option D is wrong because a route table with a host route does not enforce access control; it only influences network traffic routing and cannot restrict which subnet can access the storage account.

514
Multi-Selecteasy

An analyst needs a blob that is currently in the Archive tier to be downloadable within the next hour. Which two actions should the administrator take? Select two.

Select 2 answers
A.Change the blob access tier from Archive to Hot or Cool.
B.Choose High priority rehydration for the tier change.
C.Download the blob directly from the Archive tier without changing its tier.
D.Delete the blob and restore it from a soft delete snapshot.
E.Add a lifecycle rule to move the blob to Archive again after it is downloaded.
AnswersA, B

A blob in Archive is offline and cannot be read until it is rehydrated into an online tier. Moving it to Hot or Cool starts that rehydration process and makes the blob available again. This is the required administrative step when a previously archived blob must be downloaded for use.

Why this answer

Option A is correct because to make a blob in the Archive tier accessible for download, you must first change its access tier to Hot or Cool. This initiates a rehydration process that moves the blob data from offline storage to an online tier, making it available for read operations. The rehydration can take up to 15 hours, but selecting High priority rehydration (Option B) can reduce this to under 1 hour, meeting the analyst's requirement.

Exam trap

The trap here is that candidates may think blobs in the Archive tier can be downloaded directly or that deleting and restoring from soft delete bypasses the rehydration requirement, but neither action changes the offline storage status of the blob.

515
MCQeasy

Based on the exhibit, what should the administrator configure so the alert sends email and SMS when CPU stays above the threshold?

A.Create a diagnostic setting on the virtual machine and send metrics to a Log Analytics workspace.
B.Associate an Azure Monitor action group with the alert rule.
C.Enable boot diagnostics on the virtual machine so the CPU threshold can be reported.
D.Apply a resource lock to the virtual machine to prevent the CPU from increasing further.
AnswerB

An action group is the notification target for Azure Monitor alerts. It can send email, SMS, push notifications, and other responses when the alert condition is met.

Why this answer

An Azure Monitor action group defines the notification channels (e.g., email, SMS) and actions to trigger when an alert fires. Associating an action group with the alert rule enables the administrator to send both email and SMS when the CPU threshold is breached. Without an action group, the alert rule can only log the condition but cannot deliver notifications.

Exam trap

The trap here is that candidates confuse diagnostic settings (which export data) with action groups (which deliver notifications), or they mistakenly think boot diagnostics or resource locks can influence alert delivery or CPU behavior.

How to eliminate wrong answers

Option A is wrong because a diagnostic setting sends metrics to a Log Analytics workspace for analysis or storage, but it does not directly trigger notifications; alerts still require an action group for email/SMS delivery. Option C is wrong because boot diagnostics captures serial console output and screenshots for troubleshooting boot failures, not CPU performance metrics or alert notifications. Option D is wrong because a resource lock prevents accidental deletion or modification of the virtual machine, but it has no effect on CPU utilization or alerting behavior.

516
MCQmedium

You need to ensure that all new resources deployed to a subscription automatically receive a CostCenter tag with a default value if the tag is omitted during deployment. Which Azure governance feature should you use?

A.A resource lock
B.An Azure Policy with an append or modify effect
C.A management group lock
D.A custom RBAC role
AnswerB

Azure Policy can add the required tag automatically when resources are created.

Why this answer

Azure Policy with an append or modify effect can automatically add a CostCenter tag with a default value to resources that are missing it during deployment. The append effect adds the tag and value at creation time, while the modify effect (using a 'addOrReplace' operation) can also update existing resources. This ensures governance compliance without manual intervention.

Exam trap

The trap here is confusing Azure Policy (which enforces and automatically applies tags) with resource locks or RBAC roles, which manage permissions or prevent changes but do not automatically add missing tags.

How to eliminate wrong answers

Option A is wrong because a resource lock prevents accidental deletion or modification of resources but does not enforce tagging or add default values. Option C is wrong because a management group lock applies only to the management group itself, not to resources within subscriptions, and cannot add tags. Option D is wrong because a custom RBAC role controls permissions for who can perform actions but does not automatically apply tags or enforce governance rules.

517
MCQmedium

You need to deploy a set of identical Azure virtual machines that can automatically scale out during demand spikes and scale in when usage falls. Which Azure feature should you use?

A.An availability set
B.A Virtual Machine Scale Set
C.A Recovery Services vault
D.Boot diagnostics
AnswerB

Scale Sets provide fleet management and autoscaling for identical VMs.

Why this answer

A Virtual Machine Scale Set (VMSS) is the correct Azure feature because it is designed specifically to deploy and manage a set of identical, load-balanced VMs that can automatically scale out (increase instance count) during demand spikes and scale in (decrease instance count) when usage falls, using autoscale rules based on metrics like CPU or memory.

Exam trap

The trap here is that candidates often confuse an availability set (which provides high availability) with a scale set (which provides both high availability and automatic scaling), leading them to pick Option A when the question explicitly asks for automatic scaling.

How to eliminate wrong answers

Option A is wrong because an availability set is a logical grouping of VMs to protect against rack-level failures and maintenance events, but it does not provide any automatic scaling capabilities. Option C is wrong because a Recovery Services vault is used for backup and disaster recovery (e.g., Azure Backup, Site Recovery), not for deploying or scaling VMs. Option D is wrong because boot diagnostics captures serial console output and screenshots for troubleshooting VM boot failures, but it has no role in scaling or deploying multiple VMs.

518
Multi-Selecteasy

A team wants one Azure Files share to be used by both Windows and Linux virtual machines. Which two mounting approaches are valid? Select two.

Select 2 answers
A.Map the share on Windows by using the built-in SMB client.
B.Mount the share on Linux by using an SMB/CIFS client such as mount.cifs.
C.Mount the share on Linux by using the Azure Blob service endpoint.
D.Use an Azure VPN gateway to make the file share mount possible.
E.Use an Azure load balancer to present the share to both VMs.
AnswersA, B

Windows can mount Azure Files shares through SMB using File Explorer, net use, or PowerShell. This is the normal Windows client approach.

Why this answer

Option A is correct because Windows includes a built-in SMB client that can directly map an Azure Files share using its UNC path (e.g., \\storageaccount.file.core.windows.net\sharename). This leverages the SMB 3.0 protocol, which Azure Files supports over the public internet with encryption, requiring no additional gateway or VPN.

Exam trap

The trap here is that candidates assume Azure Files requires a VPN or ExpressRoute for secure mounting, but Azure Files SMB 3.0 with encryption works securely over the public internet, making options like D unnecessary.

519
MCQmedium

A hub VNet is peered to two spoke VNets. The spokes can reach the hub, but they cannot communicate with each other through the hub. The administrator wants centralized inspection in the hub. What should be deployed and configured?

A.An Azure Firewall or other NVA in the hub, plus user-defined routes and forwarding support.
B.Only additional peering links between the hub and both spokes.
C.A private endpoint in the hub for each spoke subnet.
D.A service endpoint on each spoke subnet to the hub VNet.
AnswerA

Peering is non-transitive, so centralized inspection requires a forwarder and explicit routing.

Why this answer

Option A is correct because Azure Firewall or an NVA in the hub can inspect traffic between spokes, but by default, Azure routing does not forward spoke-to-spoke traffic through the hub. To force this traffic through the firewall, you must configure user-defined routes (UDRs) on the spoke subnets with a next hop of the firewall's private IP, and enable IP forwarding on the NVA. This setup enables centralized inspection and transitive routing through the hub.

Exam trap

The trap here is that candidates assume VNet peering is transitive by default, similar to a router, but Azure explicitly requires UDRs and a forwarding device to enable spoke-to-spoke communication through a hub.

How to eliminate wrong answers

Option B is wrong because adding more peering links between the hub and spokes does not enable transitive routing; VNet peering is non-transitive by default, so spokes cannot communicate through the hub without explicit routes. Option C is wrong because a private endpoint in the hub provides private connectivity to a specific Azure service (e.g., Storage, SQL) from spoke subnets, but it does not route general IP traffic between spokes or enable inspection. Option D is wrong because a service endpoint extends a VNet's identity to an Azure service over the Microsoft backbone, but it does not route traffic between VNets or provide any forwarding or inspection capability.

520
MCQmedium

A private endpoint was created for Azure SQL Database in VNet A. A VM in peered VNet B can reach other resources, but it resolves the SQL server name to the public IP and connection attempts fail because public network access is disabled. What is the best fix?

A.Add an outbound NSG rule allowing TCP 1433 to the internet.
B.Link the appropriate private DNS zone to VNet B.
C.Assign a public IP address to the private endpoint.
D.Replace the private endpoint with a service endpoint.
AnswerB

Clients in VNet B must resolve the SQL server name to the private endpoint address. Linking the private DNS zone to VNet B allows the VM to receive the correct private IP mapping through DNS.

Why this answer

When public network access is disabled on an Azure SQL Database, the private endpoint in VNet A provides a private IP address for the SQL server. However, for VMs in peered VNet B to resolve the SQL server's fully qualified domain name (FQDN) to that private IP instead of the public IP, the private DNS zone (typically `privatelink.database.windows.net`) must be linked to VNet B. Without this link, DNS resolution falls back to the public IP, causing connection failures because public access is disabled.

Exam trap

The trap here is that candidates assume DNS resolution works automatically across peered VNets, but private DNS zones are not transitive and must be explicitly linked to each peered VNet for private IP resolution to succeed.

How to eliminate wrong answers

Option A is wrong because adding an outbound NSG rule allowing TCP 1433 to the internet does not fix DNS resolution; the VM already can reach other resources, and the issue is that the SQL server name resolves to a public IP, which is unreachable due to disabled public network access. Option C is wrong because a private endpoint does not use a public IP address; assigning a public IP to it would break the private connectivity model and is not supported. Option D is wrong because replacing the private endpoint with a service endpoint would expose the SQL server to the entire VNet B via its public IP (though over the Azure backbone), but public network access is disabled, so service endpoints would also fail; moreover, service endpoints do not provide private IP resolution and lack the network isolation that private endpoints offer.

521
Multi-Selecteasy

A project team adds and removes contractors every month. The admin wants Azure access to update automatically when membership changes without editing role assignments for each person. Which two actions should the admin take? Select two.

Select 2 answers
A.Create a Microsoft Entra ID security group for the contractors.
B.Assign the Azure RBAC role directly to each contractor user account.
C.Assign the Azure RBAC role to the security group.
D.Create a management group for the contractors.
E.Use a resource lock to control access.
AnswersA, C

A security group gives the administrator one place to manage a changing set of users. When contractors join or leave, membership can be updated without rewriting Azure role assignments. This is the standard way to delegate access for a team or project that changes often.

Why this answer

Option A is correct because creating a Microsoft Entra ID security group for contractors allows the admin to manage membership dynamically. When contractors are added or removed from the group, their Azure access updates automatically without needing to edit individual role assignments. This leverages group-based RBAC, where the group is assigned the role, and membership changes propagate to Azure RBAC.

Exam trap

The trap here is that candidates often confuse management groups (Option D) with security groups, thinking they can be used for access control, but management groups are for organizing subscriptions and applying policies, not for assigning RBAC roles to users.

522
MCQhard

You create a private endpoint for an Azure Storage account and disable public network access on the account. A VM in a peered VNet cannot reach the storage account by name. The private endpoint resides in VNet-App. What is the most likely missing configuration?

A.A private DNS zone linked so the relevant VNet can resolve the storage account to the private endpoint IP
B.An NSG rule allowing outbound DNS to 8.8.8.8
C.A Recovery Services vault in the peered VNet
D.A public IP address on the private endpoint NIC
AnswerA

Without correct DNS integration, clients continue resolving the public name instead of the private endpoint address.

Why this answer

When you create a private endpoint for an Azure Storage account and disable public network access, the storage account's public DNS name must resolve to the private endpoint's private IP address within the VNet. This requires a private DNS zone (privatelink.blob.core.windows.net) linked to the VNet where the VM resides. Without that DNS zone link, the VM in the peered VNet will resolve the storage account name to the public IP, which is unreachable because public access is disabled, causing the connection failure.

Exam trap

The trap here is that candidates assume VNet peering automatically extends DNS resolution for private endpoints, but Azure requires explicit private DNS zone links to each VNet that needs to resolve the private endpoint name.

How to eliminate wrong answers

Option B is wrong because outbound DNS to 8.8.8.8 is not required; Azure VMs use Azure DNS (168.63.129.16) by default, and the issue is DNS resolution to the private endpoint IP, not internet DNS access. Option C is wrong because a Recovery Services vault is unrelated to private endpoint connectivity; it is used for backup and disaster recovery, not for network name resolution. Option D is wrong because a private endpoint NIC does not use a public IP address; it is assigned a private IP from the VNet subnet, and adding a public IP would defeat the purpose of a private endpoint.

523
MCQmedium

An administrator assigned a modify policy at the subscription scope to add a CostCenter tag to new virtual machines. New VMs now have the tag, but older VMs in the subscription still do not. What must the administrator do to bring the existing VMs into compliance?

A.Reassign the policy at the resource group scope.
B.Create a remediation task for the noncompliant resources.
C.Add a resource lock to the subscription.
D.Move the VMs to another resource group and back again.
AnswerB

Policy assignments evaluate both existing and new resources, but a modify effect needs remediation to update already deployed resources. The remediation task tells Azure Policy to apply the configured effect to noncompliant resources that were created before the assignment or before the policy changed. That is the step that fills in the missing tag on the older virtual machines.

Why this answer

The modify effect policy assigned at the subscription scope automatically applies the CostCenter tag to new resources during creation, but it does not retroactively update existing noncompliant resources. To bring older VMs into compliance, the administrator must create a remediation task, which triggers Azure Policy's deployment engine to evaluate and apply the defined modify effect (e.g., adding the missing tag) to existing noncompliant resources using a managed identity.

Exam trap

The trap here is that candidates assume a policy assigned with a modify effect automatically applies to existing resources, but Azure Policy's modify effect only applies to new resources unless a remediation task is explicitly created and run.

How to eliminate wrong answers

Option A is wrong because reassigning the same policy at the resource group scope does not change the effect or retroactively apply tags; Azure Policy does not automatically remediate existing resources regardless of scope. Option C is wrong because a resource lock prevents accidental deletion or modification but has no effect on policy compliance or tag assignment. Option D is wrong because moving VMs to another resource group and back does not trigger policy evaluation or remediation; Azure Policy evaluates resources based on their current state, not their movement history.

524
Multi-Selecteasy

A team needs to understand Azure RBAC inheritance. Which two statements are correct? Select two.

Select 2 answers
A.A role assignment at a resource group scope applies to resources inside that group.
B.A role assignment at subscription scope applies to all resource groups and resources in that subscription.
C.A role assignment at a resource scope automatically applies to all other resources in the subscription.
D.A role assignment at management group scope applies only to the subscription where it was created.
E.A role assignment at a resource group scope is broader than a subscription scope.
AnswersA, B

RBAC permissions flow downward within the scope where the assignment is made. A resource group assignment automatically covers the resources inside that resource group, which is why groups are useful for managing several related resources together.

Why this answer

Option A is correct because Azure RBAC inheritance follows a hierarchical scope model: a role assignment at a resource group scope applies to all resources within that resource group, as the resource group is the parent scope for its child resources. This means any user or group assigned a role at the resource group level automatically inherits those permissions for every resource (e.g., VMs, storage accounts) inside that group, without needing separate assignments.

Exam trap

The trap here is that candidates often confuse the direction of RBAC inheritance, mistakenly thinking a narrower scope (like resource group) applies to broader scopes (like subscription), or that assignments at a resource scope propagate to other resources in the same subscription, when in fact inheritance only flows downward from parent to child scopes.

525
MCQmedium

A Windows VM and a Linux VM in Azure must use the same shared working folder for application files. The team does not want to run a separate file server, and both VMs must be able to mount the share by using native operating system tools. What should the administrator deploy?

A.An Azure Blob container mounted as a local NTFS volume on both VMs
B.An Azure Files share mounted from Windows by using SMB and from Linux by using SMB or the Azure Files mount command
C.A managed disk attached to both VMs in read-write mode
D.An Azure Queue storage account with application-level file synchronization
AnswerB

Azure Files is designed for shared file access from both Windows and Linux. It provides a managed file share that can be mounted with native tools, avoiding the need to operate a separate file server. This matches the requirement for a common working folder accessible from both operating systems.

Why this answer

Option B is correct because Azure Files provides fully managed SMB (Server Message Block) file shares that can be mounted natively from both Windows (using SMB) and Linux (using SMB or the dedicated Azure Files mount command). This meets the requirement of a shared working folder without needing a separate file server, and both operating systems can use their native tools to access the share.

Exam trap

The trap here is that candidates may confuse Azure Blob storage (object storage) with Azure Files (file shares) and assume Blob can be mounted locally, or they may incorrectly think a managed disk can be attached to multiple VMs simultaneously without understanding the limitations of shared disk attachments.

How to eliminate wrong answers

Option A is wrong because Azure Blob containers cannot be mounted as a local NTFS volume; they are object storage accessed via HTTPS/REST APIs, not block-level or file-level storage, and do not support native OS mounting without third-party tools. Option C is wrong because a managed disk cannot be attached to multiple VMs in read-write mode simultaneously; Azure managed disks support shared disk attachments only with specific configurations (e.g., Azure Shared Disks) and typically require cluster-aware file systems, not native OS mounting for a simple shared folder. Option D is wrong because Azure Queue storage is a messaging service for asynchronous communication, not a file storage solution, and it cannot be mounted or used as a shared working folder for application files.

Page 6

Page 7 of 16

Page 8