AZ-104 — Questions 526–600

1170 questions total · 16 pages · All types, answers revealed

Page 8 of 16
526 (MCQ, medium)

A team is creating a new spoke VNet that will later be peered to an existing hub VNet and connected to on-premises networks. The proposed address space for the spoke is 10.60.1.0/24. The hub already uses 10.60.0.0/16. What should the administrator do before deploying the spoke?

A. Use the proposed address space because the spoke subnet is smaller than the hub address space.
B. Choose a non-overlapping address space for the spoke, such as 10.61.1.0/24.
C. Create a private endpoint in the spoke to separate its routing table from the hub.
D. Enable gateway transit on the hub peering before creating the spoke.
Answer: B

VNet peering requires non-overlapping address spaces. Because 10.60.1.0/24 is contained inside the hub's 10.60.0.0/16 range, the spoke cannot be safely peered as proposed. The correct fix is to pick a different CIDR block that does not overlap with the hub or any other connected network, such as 10.61.1.0/24.

Why this answer

Option B is correct because VNet address spaces must not overlap when peered or connected via VPN/ExpressRoute. The proposed spoke address 10.60.1.0/24 falls within the hub's 10.60.0.0/16 range, creating an overlap that would prevent successful peering and routing. A non-overlapping address space like 10.61.1.0/24 ensures unique IP ranges, allowing proper route propagation and connectivity.

Exam trap

The trap here is that candidates mistakenly think a smaller subnet within a larger address space is acceptable for VNet peering, but Azure requires completely non-overlapping address spaces to avoid routing ambiguity.

How to eliminate wrong answers

Option A is wrong because using a subnet that is a subset of the hub's address space still causes overlap; Azure VNet peering requires non-overlapping address spaces regardless of subnet size. Option C is wrong because a private endpoint does not separate routing tables; it provides private connectivity to PaaS services and does not resolve address space overlap issues. Option D is wrong because enabling gateway transit on the hub peering is a configuration step done after the VNets are created and peered, not a prerequisite for deploying the spoke; it also does not fix overlapping address spaces.

527 (MCQ, easy)

Based on the exhibit, the administrator cannot create VNet peering between the hub and spoke networks. What should be changed?

A. Change the hub VNet to use a smaller subnet mask.
B. Change the spoke VNet address space so it does not overlap the hub.
C. Add a route table to the spoke VNet before creating peering.
D. Enable a service endpoint on both VNets.
Answer: B

This is the correct fix because Azure VNet peering requires non-overlapping IP ranges. The exhibit shows the spoke range sits inside the hub range, which causes the peering attempt to fail. Readdressing the spoke to a unique CIDR block resolves the conflict and allows the peering to be created.

Why this answer

VNet peering requires that the address spaces of the peered VNets do not overlap. Overlapping address spaces cause routing conflicts because Azure cannot distinguish between resources in the hub and spoke when IP addresses are identical or within the same CIDR range. Changing the spoke VNet address space to a non-overlapping range resolves this issue and allows peering to be established.

Exam trap

The trap here is that candidates often confuse VNet peering prerequisites with routing or security features, mistakenly thinking route tables or service endpoints are required, when the core requirement is non-overlapping address spaces.

How to eliminate wrong answers

Option A is wrong because changing the hub VNet to use a smaller subnet mask does not resolve address overlap; it only reduces the number of available IPs in the hub, but the spoke address space still overlaps. Option C is wrong because route tables are used to control traffic flow after peering is established, not as a prerequisite for creating peering; peering itself does not require a route table. Option D is wrong because service endpoints are used to secure Azure service access to a VNet, not to enable VNet peering; peering is a Layer 3 connectivity feature independent of service endpoints.

528 (MCQ, easy)

A production VM is using too much CPU. You want Azure to notify the operations team by email when Average Percentage CPU stays above 80 percent for 5 minutes. What should you configure?

A. A diagnostic setting on the VM
B. A metric alert rule linked to an action group
C. A Log Analytics workspace only
D. An Azure Policy assignment
Answer: B

A metric alert rule watches a platform metric such as CPU percentage and evaluates it against a threshold over time. Linking the alert to an action group lets Azure send the notification to the operations team by email or other channels when the condition is met.

Why this answer

A metric alert rule monitors a specific metric (e.g., Percentage CPU) and triggers when a condition (e.g., above 80% for 5 minutes) is met. Linking the alert to an action group allows Azure to send email notifications to the operations team. This is the correct Azure Monitor feature for threshold-based, metric-driven notifications.

Exam trap

The trap here is that candidates confuse diagnostic settings (which only route data) with alert rules (which evaluate conditions and trigger actions), leading them to select Option A thinking it can send notifications directly.

How to eliminate wrong answers

Option A is wrong because a diagnostic setting on the VM sends metrics and logs to a destination (e.g., Log Analytics, Storage, Event Hubs) but does not itself evaluate thresholds or send email notifications. Option C is wrong because a Log Analytics workspace alone is a storage and query environment; it cannot generate proactive email alerts without a configured alert rule. Option D is wrong because an Azure Policy assignment enforces compliance rules (e.g., requiring a specific VM size) and is not designed for metric-based monitoring or notification.

529 (Multi-Select, easy)

A new spoke virtual network will peer with an existing hub that uses 10.10.0.0/16 and an on-premises network that uses 10.20.0.0/16. Which two address spaces could you assign to the new spoke without overlapping those ranges? Select two.

Select 2 answers
A. 10.11.0.0/16
B. 10.10.128.0/17
C. 192.168.50.0/24
D. 10.20.1.0/24
E. 10.10.1.0/24
Answers: A, C

Correct because neither of these ranges overlaps the existing hub or on-premises address spaces.

Why this answer

Option A (10.11.0.0/16) is correct because it is a distinct block within the private 10.0.0.0/8 range that does not overlap with the hub's 10.10.0.0/16 or the on-premises 10.20.0.0/16. Option C (192.168.50.0/24) is correct because it lies in the separate private 192.168.0.0/16 block and therefore cannot overlap either 10.x range. Azure virtual network peering requires non-overlapping address spaces to enable direct routing between resources without conflict.

Exam trap

The trap here is that candidates often assume any /16 or /24 within the 10.0.0.0/8 range is safe, but they must check for subnet overlap with both the hub and on-premises networks, not just the hub's primary range.

530 (Multi-Select, hard)

A Modify policy adds CostCenter=042 to resources in RG-Finance. New resources are tagged correctly, but existing virtual machines remain untagged. What three requirements must be met for the assignment to update the existing resources? Select three.

Select 3 answers
A. Create a remediation task for the policy assignment.
B. Ensure the policy assignment has a managed identity.
C. Grant that identity permission to update the target resources or tags at the assigned scope.
D. Recreate the virtual machines before the policy can evaluate them.
E. Change the effect from Modify to Audit to trigger the tag operation.
Answers: A, B, C

Existing resources are not changed automatically by a Modify assignment; remediation is needed to bring them into compliance.

Why this answer

Option A is correct because a remediation task is required to apply a Modify effect policy to existing non-compliant resources. The Modify effect only tags new resources automatically; existing resources remain untagged until a remediation task is triggered, which uses the policy's managed identity to update the resource tags.

Exam trap

The trap here is that candidates assume the Modify effect automatically updates existing resources, but it only applies to new resources; a remediation task is mandatory for existing resources, and the managed identity must have appropriate permissions (e.g., Tag Contributor) at the scope.

531 (MCQ, hard)

Your application stores compliance records in Azure Blob Storage. The records must remain in a write-once-read-many state for three years and must not be altered or deleted during that period. What should you configure?

A. Blob soft delete
B. Immutable blob storage with a time-based retention policy
C. Lifecycle management to move data to Archive
D. A shared access signature
Answer: B

This enforces write-once-read-many protection for the specified period.

Why this answer

Immutable blob storage with a time-based retention policy enforces a WORM (Write-Once, Read-Many) state, preventing any modification or deletion of blobs for a specified retention period. This meets the requirement of keeping compliance records unaltered for three years, as the policy locks the data at the storage level, overriding any user permissions or delete operations.

Exam trap

The trap here is that candidates often confuse soft delete (which only recovers deleted blobs) with immutability, or think lifecycle management or SAS can enforce retention, but neither prevents modification or deletion during the required period.

How to eliminate wrong answers

Option A is wrong because blob soft delete only protects against accidental deletion by retaining deleted blobs for a configurable period, but it does not prevent modification or enforce a write-once-read-many state. Option C is wrong because lifecycle management moves blobs to Archive tier based on age or last access, but it does not prevent deletion or modification during the retention period; Archive tier blobs can still be deleted or overwritten by authorized users. Option D is wrong because a shared access signature (SAS) provides delegated access to blobs with permissions and expiry, but it does not enforce immutability or prevent alteration/deletion by users with valid SAS tokens or other permissions.

532 (MCQ, medium)

You need to ensure that a user can view cost data for Azure resources but cannot create or modify those resources. Which built-in role should you assign at the required scope?

A. Owner
B. Contributor
C. Reader
D. User Access Administrator
Answer: C

Reader is the least-privileged role for view-only access.

Why this answer

The Reader role provides read-only access to Azure resources, including cost data, while explicitly preventing any create, modify, or delete actions. This is the correct built-in role for a user who needs to view cost information but not manage resources.

Exam trap

The trap here is that candidates often confuse the Contributor role (which allows resource management but not access control) with the Reader role, or incorrectly assume that viewing cost data requires a specialized role like Cost Management Reader, when in fact the standard Reader role at the subscription scope includes cost data access.

How to eliminate wrong answers

Option A is wrong because the Owner role grants full access to all resources, including the ability to create, modify, and delete them, as well as delegate access to others. Option B is wrong because the Contributor role allows creating and managing all types of Azure resources, though it cannot grant access to others. Option D is wrong because the User Access Administrator role is specifically designed to manage user access to Azure resources, not to view cost data, and it includes the ability to assign roles, which is not required.

533 (MCQ, hard)

A release team needs to deploy the same hardened Windows image to VMs in three regions. They must keep approved versions, replicate images to each region, and be able to roll back to an earlier approved version without uploading a new VHD. What should they use as the image source?

A. A managed disk snapshot captured from one reference VM
B. An Azure Compute Gallery image definition with image versions
C. A single unmanaged VHD stored in a storage account
D. A custom script extension that installs the operating system settings after deployment
Answer: B

Compute Gallery supports versioned, replicated images that can be reused and rolled back cleanly.

Why this answer

Azure Compute Gallery (formerly Shared Image Gallery) allows you to store multiple versions of a custom image definition, replicate them across regions, and manage rollbacks by simply changing which image version is referenced during deployment. This meets all requirements: hardened Windows image, multi-region replication, version control, and rollback without uploading a new VHD.

Exam trap

The trap here is that candidates often confuse managed disk snapshots with images, not realizing that snapshots lack the versioning, replication, and deployment flexibility that Azure Compute Gallery provides for multi-region scenarios.

How to eliminate wrong answers

Option A is wrong because a managed disk snapshot is a point-in-time copy of a disk, not an image; it cannot be directly used to deploy VMs in multiple regions with versioning and rollback capabilities. Option C is wrong because a single unmanaged VHD in a storage account lacks built-in versioning, regional replication, and the ability to roll back to an earlier approved version without uploading a new VHD. Option D is wrong because a custom script extension configures settings after deployment, but does not provide an image source for the OS; it cannot serve as the base image for multi-region deployment or version rollback.

534 (MCQ, medium)

You need to choose a storage redundancy option that provides the lowest cost and protects data against local hardware failure within a single datacenter only. Which redundancy option should you select?

A. LRS
B. ZRS
C. GRS
D. GZRS
Answer: A

LRS provides local redundancy within a single datacenter at the lowest cost.

Why this answer

LRS (Locally Redundant Storage) replicates data three times within a single datacenter (or availability zone) in the same region, protecting against local hardware failures such as disk or server crashes. It is the lowest-cost redundancy option because it does not incur the additional replication costs of cross-zone or cross-region copying. This meets the requirement of protecting data against local hardware failure within a single datacenter only.

Exam trap

The trap here is that candidates often confuse LRS with ZRS, mistakenly thinking ZRS is also single-datacenter, when in fact ZRS spans multiple datacenters (availability zones) and costs more, failing the 'lowest cost' and 'single datacenter' constraints.

How to eliminate wrong answers

Option B (ZRS) is wrong because it replicates data synchronously across three Azure availability zones within a region, which spans multiple datacenters and incurs higher cost than LRS. Option C (GRS) is wrong because it replicates data to a secondary region (hundreds of miles away) for disaster recovery, providing geo-redundancy at a significantly higher cost than LRS. Option D (GZRS) is wrong because it combines zone-redundant storage (ZRS) with geo-replication to a secondary region, offering the highest durability and cost, far exceeding the single-datacenter scope required.

535 (MCQ, medium)

A network team wants all routers to send log messages to a centralized server at 192.0.2.50. Which command should be added to the router configuration?

A. snmp-server host 192.0.2.50
B. archive 192.0.2.50
C. ntp server 192.0.2.50
D. logging host 192.0.2.50
Answer: D

This is correct because `logging host` identifies the destination Syslog server.

Why this answer

The correct command is 'logging host 192.0.2.50' because it configures the router to send syslog messages to a centralized syslog server at that IP address. Syslog is the standard protocol (UDP port 514) used by network devices for event logging, and the 'logging host' command directs the router to forward all configured logging levels to the specified server.

Exam trap

Microsoft often tests the distinction between syslog (logging host) and SNMP (snmp-server host), as candidates confuse sending log messages with sending SNMP traps, but SNMP traps are for specific events like interface status changes, not general syslog messages.

How to eliminate wrong answers

Option A is wrong because 'snmp-server host 192.0.2.50' configures a Simple Network Management Protocol (SNMP) trap destination, not a syslog destination; it does not send log messages to a centralized server. Option B is wrong because 'archive 192.0.2.50' relates to configuration archive settings, not to log forwarding; log messages require the 'logging host' command instead. Option C is wrong because 'ntp server 192.0.2.50' configures a Network Time Protocol server for time synchronization, not for sending log messages to a centralized server.

536 (Multi-Select, hard)

A scheduled script runs on several Azure VMs. The VMs are rebuilt often, and the script must always use the same Azure identity across every rebuild without storing secrets on disk. Which two steps should the administrator take? Select two.

Select 2 answers
A. Create a user-assigned managed identity.
B. Assign that user-assigned identity to each VM that runs the script.
C. Use a system-assigned managed identity on one VM and clone it.
D. Store a service principal secret in the script configuration.
E. Use a shared access signature to authenticate to Azure Resource Manager.
Answers: A, B

Correct. A user-assigned managed identity is independent of any one VM and can outlive rebuilds.

Why this answer

A user-assigned managed identity is the correct choice because it is an Azure identity that exists independently of any VM and can be assigned to multiple VMs. When a VM is rebuilt, you simply assign the same user-assigned identity to the new VM, and the script can authenticate using the identity's client ID without storing any secrets on disk. This ensures the script always uses the same identity across rebuilds, as the identity's credentials are managed entirely by Azure and rotated automatically.

Exam trap

The trap here is that candidates often confuse system-assigned managed identities with user-assigned ones, mistakenly thinking a system-assigned identity can be reused across VM rebuilds, when in fact it is deleted when the VM is deleted and cannot be transferred.

537 (Multi-Select, easy)

An application runs in a subnet and must reach a storage account over the public endpoint, but only that subnet should be allowed. The team does not want to use a private endpoint. Which two configurations should the administrator use? Select two.

Select 2 answers
A. Enable the Microsoft.Storage service endpoint on the subnet.
B. Add the subnet to the storage account's virtual network rules.
C. Create a private endpoint for the storage account.
D. Assign the Reader role to the subnet.
E. Turn on blob soft delete.
Answers: A, B

A service endpoint extends the subnet identity to the storage service so the subnet can be authorized without a private IP address.

Why this answer

Enabling the Microsoft.Storage service endpoint on the subnet (A) ensures that traffic from the subnet to the storage account's public endpoint is routed through the Azure backbone network and uses the source IP of the subnet's virtual network, allowing the storage account firewall to identify the traffic. Adding the subnet to the storage account's virtual network rules (B) then explicitly permits only that subnet's traffic, denying all other public endpoint access. Together, these two configurations restrict access to the storage account's public endpoint exclusively to the specified subnet without requiring a private endpoint.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, assuming private endpoints are required for subnet-specific access, but service endpoints plus virtual network rules achieve the same restriction on the public endpoint without the cost or complexity of private endpoints.

538 (MCQ, medium)

A company has 15 branch Windows file servers that must show the same shared drive content. Users should keep working during short WAN outages, and local servers should cache frequently used files. Which Azure feature should you deploy?

A. Azure Blob Storage with lifecycle rules, because it can present files to multiple branches.
B. Azure File Sync, because it synchronizes on-premises file servers with an Azure file share and supports cloud tiering.
C. A private endpoint to Blob Storage, because it provides local caching for SMB file shares.
D. A managed disk shared across the branch servers, because it gives the same content to all locations.
Answer: B

Azure File Sync is designed for this exact scenario. It keeps an Azure file share as the central source of truth while synchronizing branch servers and optionally tiering infrequently used files to the cloud. That gives users local performance, file-share consistency, and better resilience during temporary WAN disruptions. It is the best fit when multiple Windows servers need synchronized file content.

Why this answer

Azure File Sync is the correct choice because it synchronizes on-premises Windows file servers with an Azure file share, enabling multi-site file server consolidation. It supports cloud tiering, which caches frequently accessed files locally on each branch server while freeing up space by tiering cold data to the cloud. This ensures users can continue working during short WAN outages, as local caches provide access to synced files even when connectivity is lost.

Exam trap

The trap here is that candidates often confuse Azure Blob Storage with Azure Files, assuming blob storage can serve SMB file shares directly, but Azure Blob Storage does not support SMB protocol natively without Azure Files or third-party tools.

How to eliminate wrong answers

Option A is wrong because Azure Blob Storage with lifecycle rules is designed for object storage (blobs), not SMB file shares, and cannot present the same shared drive content to multiple Windows file servers via SMB without additional services like Azure NetApp Files or Azure Files. Option C is wrong because a private endpoint to Blob Storage provides secure network connectivity but does not offer local caching for SMB file shares; it only enables private IP access to blob storage, not file-level synchronization or caching. Option D is wrong because a managed disk cannot be shared across multiple branch servers simultaneously; Azure shared disks support only a limited number of cluster nodes (e.g., 2-3) and are not designed for wide-area file synchronization or caching across 15 locations.

539 (MCQ, easy)

An application team needs Contributor access only for the resources in rg-app. They must not manage any other resources in the subscription. At what scope should you assign the role?

A. Management group scope
B. Subscription scope
C. Resource group scope
D. Resource scope
Answer: C

A resource group scope limits Contributor access to only the resources contained in rg-app.

Why this answer

The Contributor role assigned at the resource group scope grants the application team full management access to all resources within rg-app, but no access to resources in other resource groups or at the subscription level. This meets the requirement of restricting permissions to only that specific resource group.

Exam trap

The trap here is that candidates often confuse 'resource group scope' with 'subscription scope' and assume Contributor at the subscription level is required for managing a group of resources, not realizing that resource group scope provides the exact isolation needed.

How to eliminate wrong answers

Option A is wrong because management group scope applies permissions to all subscriptions and resource groups under that management group, which would grant Contributor access to resources far beyond rg-app. Option B is wrong because subscription scope would give the team Contributor access to every resource group and resource within the entire subscription, violating the requirement to restrict access to only rg-app. Option D is wrong because resource scope would limit access to a single resource (e.g., a specific VM or storage account), which is too granular and would not allow the team to manage all resources within rg-app as a group.

540 (MCQ, hard)

A production subscription contains 20 virtual machines across two resource groups. Operations needs an email and SMS notification whenever any single VM's average Percentage CPU stays above 85 for 10 minutes. The alert should be managed as one rule, and evaluation must happen independently for each VM. What should the administrator configure?

A. Create a log query alert that uses the Heartbeat table and the existing action group.
B. Create one metric alert scoped to the 20 VM resources, using Percentage CPU and the shared action group.
C. Create one subscription-wide metric alert and average CPU across all virtual machines.
D. Configure diagnostic settings on each VM and use the action group for threshold processing.
Answer: B

A metric alert is the correct signal for CPU threshold monitoring, and scoping the rule to the VM resources lets Azure evaluate each VM independently while keeping a single alert definition. The action group handles the email and SMS delivery. This avoids creating 20 separate rules and prevents fleet-wide averaging from hiding one overloaded server. It is the simplest design that still evaluates each VM separately.

Why this answer

Option B is correct because a single metric alert rule can be scoped to multiple resources (up to 20 VMs) in Azure Monitor, allowing independent evaluation of each VM's Percentage CPU metric. When the average CPU exceeds 85% for 10 minutes on any individual VM, the alert fires and triggers the shared action group to send email and SMS notifications. This meets the requirement of one rule with per-VM independent evaluation.

Exam trap

The trap here is that candidates assume a single alert rule cannot monitor multiple VMs independently, leading them to choose option C (subscription-wide average) or option D (diagnostic settings), when in fact Azure Monitor supports multi-resource metric alerts with per-resource evaluation.

How to eliminate wrong answers

Option A is wrong because a log query alert using the Heartbeat table would require collecting CPU data via Log Analytics, which is unnecessary overhead and does not directly evaluate the Percentage CPU metric per VM; also, Heartbeat does not contain CPU utilization data. Option C is wrong because a subscription-wide metric alert averages CPU across all VMs, which would not trigger when a single VM exceeds 85% — it would only fire if the average of all 20 VMs exceeds 85%. Option D is wrong because diagnostic settings stream metrics to a destination (e.g., Log Analytics or Storage), but they do not perform threshold processing or trigger alerts; alert rules must be created separately to evaluate the metric data.

541 (MCQ, medium)

Frontend VMs in one subnet must reach backend VMs on TCP 8443. The backend VMs are rebuilt frequently, so their private IP addresses change often. The administrator wants to avoid updating NSG rules every time the backend IPs change. What should be used in the NSG rule?

A. Application Security Groups for the frontend and backend tiers.
B. A service endpoint on the backend subnet.
C. A route table with a next hop of Virtual network gateway.
D. A private endpoint for each backend VM.
Answer: A

Application Security Groups let you reference groups of VMs in NSG rules instead of individual IP addresses. That is ideal when backend IPs change often because the rule continues to target the backend application tier rather than a specific address. The administrator can place the frontend VMs in one ASG and the backend VMs in another, then allow TCP 8443 between those groups without constantly editing the NSG.

Why this answer

Application Security Groups (ASGs) allow you to group VMs logically by function (e.g., frontend, backend) and reference those groups in NSG rules. Since the backend VMs are rebuilt frequently and their private IPs change, using ASGs in the NSG rule (source = frontend ASG, destination = backend ASG, port = 8443) eliminates the need to update IP addresses manually. The NSG rule remains valid as long as the VMs are assigned to the correct ASG, regardless of IP changes.

Exam trap

The trap here is that candidates often confuse Application Security Groups with Network Security Groups themselves, or think that service endpoints or private endpoints are designed for VM-to-VM communication, when in fact they are for securing access to Azure PaaS services.

How to eliminate wrong answers

Option B is wrong because a service endpoint extends your VNet to Azure service resources (e.g., Azure Storage, SQL Database) over the Azure backbone, not to other VMs within the same VNet; it does not help with dynamic IPs between frontend and backend VMs. Option C is wrong because a route table with a next hop of Virtual network gateway forces traffic through a VPN gateway or ExpressRoute, which adds latency and is unnecessary for intra-VNet communication; it does not address NSG rule updates. Option D is wrong because a private endpoint assigns a private IP from your VNet to an Azure PaaS service (e.g., Azure SQL, Storage), not to a VM; it cannot be used to make backend VMs reachable via a static NSG rule when their IPs change.

542 (MCQ, medium)

Based on the exhibit, which address space can you assign to the new spoke virtual network so it can be peered to the hub and later connected to on-premises without an IP overlap?

A. 10.50.128.0/17
B. 10.51.0.0/16
C. 10.52.0.0/16
D. 10.50.0.0/24
Answer: C

This range does not overlap either existing network and is valid for peering and later hybrid connectivity.

Why this answer

Option C (10.52.0.0/16) is correct because it does not overlap with the hub virtual network's address space (10.50.0.0/16) or the on-premises network (10.51.0.0/16). This allows the spoke VNet to be peered to the hub and later connected to on-premises via a gateway in the hub without IP address conflicts, which is a requirement for successful VNet peering and VPN/ExpressRoute connectivity.

Exam trap

The trap here is that candidates often assume any address outside the hub's exact /16 is safe, forgetting to check the on-premises range (10.51.0.0/16), leading them to pick option B, which overlaps with on-premises and would break hybrid connectivity.

How to eliminate wrong answers

Option A (10.50.128.0/17) is wrong because it falls within the hub VNet's 10.50.0.0/16 range, causing an IP overlap that would prevent VNet peering. Option B (10.51.0.0/16) is wrong because it overlaps with the on-premises network's 10.51.0.0/16 address space, which would cause routing conflicts when connecting via the hub's gateway. Option D (10.50.0.0/24) is wrong because it is a subset of the hub VNet's 10.50.0.0/16 range, resulting in an immediate IP overlap that blocks peering.

543 (MCQ, medium)

You need to run a scheduled script on an Azure virtual machine every time the VM starts. Which feature should you use?

A. Boot diagnostics
B. A Custom Script Extension
C. Azure Policy
D. An availability set
Answer: B

The Custom Script Extension is used to run scripts on Azure VMs.

Why this answer

The Custom Script Extension (CSE) is the correct choice because it allows you to run a script on an Azure VM during startup by configuring it as part of the VM's provisioning or by using a scheduled task triggered at boot. CSE downloads and executes scripts from Azure Storage or GitHub, making it ideal for custom initialization tasks that must run every time the VM starts.

Exam trap

The trap here is confusing Boot diagnostics (which only provides logs/screenshots) with a feature that actually executes code, leading candidates to select A instead of B.

How to eliminate wrong answers

Option A is wrong because Boot diagnostics captures serial console output and screenshots for troubleshooting boot failures, but it does not execute custom scripts. Option C is wrong because Azure Policy enforces compliance rules on Azure resources (e.g., tagging, location restrictions) and cannot run scripts on VMs. Option D is wrong because an availability set is a logical grouping for high availability across fault and update domains, not a mechanism to execute scripts.

544
MCQmedium

Administrators need to connect to Windows and Linux VMs from the Azure portal using a browser. The VMs do not have public IP addresses, and the security team does not want a VPN client installed on admin laptops. Which service should be deployed?

A.Azure VPN Gateway
B.Azure Load Balancer
C.A network security group with RDP and SSH rules
D.Azure Bastion
AnswerD

Azure Bastion provides secure browser-based RDP and SSH to VMs that have no public IP addresses. It keeps management traffic inside Azure and avoids exposing administrative ports to the internet or requiring a client VPN on the administrator's device.

Why this answer

Azure Bastion provides secure, seamless RDP and SSH connectivity to Azure VMs directly from the Azure portal over TLS (port 443), without requiring public IP addresses on the VMs or a VPN client on the admin's laptop. It is a managed, hardened jump host deployed into a dedicated AzureBastionSubnet in the VM's virtual network (or in a peered hub VNet), and it brokers the browser-based session to the VM's private IP, so only Bastion itself needs internet reachability. Keep the NSG on the target subnets restricted so that RDP/SSH is allowed only from the AzureBastionSubnet range.

Exam trap

The trap here is that candidates often confuse Azure Bastion with a VPN gateway or assume that an NSG with RDP/SSH rules alone is sufficient for secure browser-based access, overlooking the requirement for no public IPs and no client software.

How to eliminate wrong answers

Option A is wrong because a point-to-site VPN gateway requires a VPN client on each admin laptop, which the security team explicitly rules out, and a site-to-site tunnel would require an on-premises VPN device rather than giving browser-based access from the portal. Option B is wrong because Azure Load Balancer distributes network traffic across multiple VMs for high availability and scaling; it does not provide secure administrative access or browser-based RDP/SSH connectivity. Option C is wrong because an NSG with RDP and SSH rules only filters traffic; the VMs would still need public IP addresses for the administrators to reach them, there is no browser-based session, and exposing RDP/SSH to the internet (even filtered by an NSG) is exactly what the security team wants to avoid.

545
MCQeasy

An archive of legal documents is accessed only a few times each month, but when someone needs a document it must open immediately without a rehydration wait. Which access tier should be used?

A.Hot tier
B.Cool tier
C.Archive tier
D.Geo-redundant storage (GRS)
AnswerB

Cool tier keeps data online and immediately available while reducing cost for infrequent access.

Why this answer

The Cool tier is designed for data that is infrequently accessed but must be available immediately when needed, with a lower storage cost than Hot tier but higher access costs. Since the archive is accessed only a few times per month and requires instant retrieval without rehydration delay, Cool tier meets both requirements, whereas Archive tier would impose a rehydration wait of up to 15 hours.

Exam trap

The trap here is that candidates confuse the 'Archive' tier name with the use case of 'archival data' and overlook the critical requirement for immediate access, mistakenly choosing Archive tier despite its mandatory rehydration delay.

How to eliminate wrong answers

Option A is wrong because the Hot tier is optimized for frequent access (multiple times per day) and has higher storage costs, making it cost-inefficient for data accessed only a few times per month. Option C is wrong because the Archive tier requires a rehydration process (taking up to 15 hours) before data can be read, which violates the requirement for immediate opening without wait. Option D is wrong because Geo-redundant storage (GRS) is a replication strategy (not an access tier) that provides durability across regions but does not address access frequency or rehydration latency.

546
MCQmedium

A team runs a Windows service on an Azure virtual machine that uploads invoices to Blob storage every few minutes. Security policy forbids storing account keys or long-lived SAS tokens on the VM. The service must authenticate without human interaction. What should the administrator configure?

A.Generate a SAS token with a 1-year expiry and store it in an encrypted file on the VM.
B.Assign the VM a managed identity and grant it Storage Blob Data Contributor on the container or storage account.
C.Share the storage account access key with the service account and rotate it monthly.
D.Create a storage firewall rule that allows the VM's public IP address and keep using anonymous access.
AnswerB

A managed identity lets the VM authenticate to Azure Storage without storing credentials. Granting Storage Blob Data Contributor provides the data-plane permissions needed to upload blobs while keeping access tied to Entra ID and RBAC. This satisfies the requirement for noninteractive authentication and avoids account keys or long-lived SAS tokens.

Why this answer

Option B is correct because assigning a managed identity to the VM allows it to authenticate to Azure Blob Storage without any secrets stored on the VM. The managed identity is a service principal in Microsoft Entra ID whose credential Azure manages and rotates, and by granting the Storage Blob Data Contributor role (scoped to the container where possible), the service obtains the data-plane permissions needed to upload invoices. This satisfies the security policy forbidding account keys or long-lived SAS tokens and enables unattended authentication.

Exam trap

The trap here is that candidates may think a SAS token or access key is acceptable if encrypted or rotated, but the security policy explicitly forbids storing any secrets on the VM, making managed identity the only compliant option.

How to eliminate wrong answers

Option A is wrong because storing a SAS token with a 1-year expiry in an encrypted file on the VM is exactly the long-lived SAS token the policy forbids; encrypting it at rest does not help once the VM is compromised, because the service itself must be able to decrypt it. Option C is wrong because sharing the storage account access key puts an account key on the VM, which the policy forbids, and an account key grants full access to every service in the storage account; monthly rotation only shortens the exposure window. Option D is wrong because anonymous (public) access to Blob storage is read-only and disabled by default on new accounts, so it can never authorize an upload, and a storage firewall rule only restricts which networks can reach the account; it is not a credential.

547
MCQhard

A compliance team stores signed contract scans in Azure Blob Storage. The data must remain available if one zone in the primary region fails. If the entire primary region is unavailable, the team also needs to read the secondary copy while recovery work is underway. Which redundancy option should you choose for the storage account?

A.ZRS, because it protects against a single zone failure in one region.
B.GRS, because it keeps a geo-replicated copy but does not provide zone redundancy in the primary region.
C.GZRS, because it combines zone redundancy with geo-replication and supports failover recovery.
D.RA-GZRS, because it combines zone redundancy, geo-replication, and read access to the secondary region.
AnswerD

RA-GZRS is the only option listed that satisfies both requirements simultaneously. It protects against a zone failure in the primary region through zone-redundant storage and also keeps a geo-replicated secondary copy in another region. The read-access feature lets administrators or applications read from the secondary endpoint during a regional outage or while validating recovery, which is exactly what the scenario requires.

Why this answer

RA-GZRS (Read-Access Geo-Zone-Redundant Storage) is the correct choice because it provides synchronous zone-level redundancy within the primary region (protecting against a single zone failure) and asynchronous geo-replication to a secondary region. Additionally, it enables read access to the secondary region at all times, allowing the compliance team to read the secondary copy immediately if the primary region becomes unavailable, without waiting for a failover.

Exam trap

The trap here is that candidates often confuse GZRS with RA-GZRS, overlooking that GZRS does not provide read access to the secondary region unless a failover is performed, while the question explicitly requires the ability to read the secondary copy immediately during primary region unavailability.

How to eliminate wrong answers

Option A is wrong because ZRS only protects against a single zone failure within the primary region but does not provide any geo-replication or read access to a secondary region if the entire primary region fails. Option B is wrong because GRS provides geo-replication but lacks zone redundancy in the primary region, meaning a single zone failure could disrupt availability before geo-failover occurs. Option C is wrong because GZRS combines zone redundancy and geo-replication but does not allow read access to the secondary region unless a failover is initiated, which does not meet the requirement for immediate read access during recovery.

548
MCQmedium

An employee deleted one spreadsheet stored on a Windows VM that is protected by Azure Backup. The administrator must recover only that file without restoring the entire VM. What should be used?

A.A full VM restore to replace the existing virtual machine.
B.The file recovery process from the Recovery Services vault recovery point.
C.Blob rehydration from Archive tier in the storage account.
D.A restore point collection operation in Azure Compute.
AnswerB

Azure Backup supports file-level recovery by mounting a selected recovery point and allowing the administrator to copy out individual files or folders. This is the best option when the goal is to restore one deleted spreadsheet without replacing the entire virtual machine. It minimizes disruption and avoids overwriting other current VM data that was not affected.

Why this answer

Azure Backup for Azure VMs supports file-level recovery from a recovery point without restoring the entire VM. The File Recovery option in the vault generates a script that mounts the selected recovery point's disks as an iSCSI target on the machine where the script is run (the original VM or another machine with the same OS type and network reachability to Azure), so the administrator can browse the volumes and copy the deleted spreadsheet back. This is the only option that provides granular, non-disruptive file restoration from a VM backup; choose Unmount Disks in the portal when finished so the recovery point is released.

Exam trap

The trap here is that candidates confuse Azure Backup's file-level recovery with full VM restore or blob-level operations, assuming that file recovery requires a full VM restore or that the file is stored in Azure Blob Storage rather than on the VM's disk.

How to eliminate wrong answers

Option A is wrong because a full VM restore would replace the entire virtual machine, causing downtime and unnecessary overhead when only a single file needs recovery. Option C is wrong because Blob rehydration from Archive tier applies to Azure Blob Storage, not to files within a VM backup; the spreadsheet is stored on the VM's OS or data disk, not in a storage account's blob container. Option D is wrong because a restore point collection operation in Azure Compute is used for creating and managing VM restore points for disaster recovery scenarios, not for granular file recovery from an existing backup.

549
MCQeasy

Based on the exhibit, what should the administrator deploy to monitor CPU and free disk space on a small set of VMs while keeping telemetry cost low?

A.Deploy Azure Monitor Agent and collect only the required performance counters with a data collection rule.
B.Enable diagnostic settings on each VM and send all guest logs to a storage account.
C.Install Application Insights on each VM and enable request tracing.
D.Create a resource lock on each VM to preserve the current state.
AnswerA

Azure Monitor Agent with a targeted data collection rule is the cost-aware choice because it collects only the specific performance data needed. The administrator can scope the rule to the five VMs and include just CPU and disk free space counters, avoiding broad log ingestion. This meets the monitoring requirement without paying to send unnecessary telemetry to Log Analytics.

Why this answer

Option A is correct because Azure Monitor Agent (AMA) is the modern, cost-effective agent for collecting performance counters like CPU and free disk space from VMs. By using a Data Collection Rule (DCR) to specify only the required counters, the administrator minimizes data ingestion volume, directly controlling telemetry costs. This approach avoids the overhead of sending all guest logs or using more expensive monitoring tools.

Exam trap

The trap here is that candidates often confuse Azure Monitor Agent with the older Log Analytics agent or mistakenly think diagnostic settings to storage accounts are free, overlooking that storage write operations and data retention incur costs.

How to eliminate wrong answers

Option B is wrong because enabling diagnostic settings to send all guest logs to a storage account incurs storage costs and generates unnecessary data, increasing telemetry cost without providing real-time monitoring for CPU and disk space. Option C is wrong because Application Insights is designed for application performance monitoring (APM) and request tracing, not for OS-level performance counters like CPU and disk space; it also adds cost and complexity for a small set of VMs. Option D is wrong because a resource lock prevents accidental deletion or modification of resources but does not collect any telemetry or monitor performance metrics.

550
Multi-Selectmedium

Two workloads have different resilience requirements. Workload A must stay available if a single datacenter in the region fails. Workload B only needs protection from planned maintenance and a single hardware host failure. Which two deployment models should the administrator use? Select two.

Select 2 answers
A.Availability Zones for Workload A
B.Availability Set for Workload B
C.Virtual Machine Scale Set without zones
D.Proximity Placement Group
E.Single VM with premium SSD
AnswersA, B

Zones protect the workload from a datacenter-level outage.

Why this answer

Workload A requires protection against a full datacenter failure within a region. Availability Zones are physically separate datacenters within an Azure region, each with independent power, cooling, and networking. Deploying VMs across multiple zones ensures that if one zone (datacenter) fails, the workload remains available in another zone.

Workload B only needs protection from planned maintenance and a single hardware host failure. An Availability Set distributes VMs across multiple fault domains (hardware hosts) and update domains (planned maintenance cycles), providing resilience against these specific failure scenarios without requiring zone-level separation.

Exam trap

The trap here is that candidates often confuse Availability Zones with Availability Sets, mistakenly thinking an Availability Set can protect against a full datacenter failure, or they assume a Virtual Machine Scale Set inherently provides zone-level resilience without explicitly configuring zones.

551
MCQmedium

You have a storage account that stores infrequently accessed data that must remain available immediately when requested. You need to minimize storage costs. Which access tier should you use?

A.Premium
B.Hot
C.Cool
D.Archive
AnswerC

Cool is appropriate for infrequently accessed data that still needs immediate availability.

Why this answer

The Cool access tier is designed for data that is infrequently accessed but still requires immediate availability when requested, offering lower storage costs than the Hot tier while maintaining low latency access. Since the data must remain available immediately, the Archive tier is unsuitable due to its multi-hour retrieval latency, and the Premium tier is optimized for high-performance scenarios, not cost minimization.

Exam trap

The trap here is that candidates often choose Archive for its lowest storage cost, overlooking the critical requirement for immediate availability, which Archive cannot provide due to its mandatory rehydration latency.

How to eliminate wrong answers

Option A is wrong because Premium is a performance tier (SSD-backed premium block blob storage) with the highest per-GB storage price; it exists for low-latency, transaction-heavy workloads, not for minimizing the cost of infrequently accessed data. Option B is wrong because the Hot tier has the highest per-GB storage price of the standard tiers, making it suboptimal for infrequently accessed data where storage cost is the priority. Option D is wrong because the Archive tier has the lowest storage cost but holds data offline; a blob must be rehydrated (up to 15 hours at standard priority) before it can be read, which violates the requirement for immediate availability.

552
MCQmedium

A team runs a Windows VM in Azure that uploads invoices to a blob container. Security policy forbids storing storage account keys or long-lived SAS tokens on the VM. The app must keep working until the VM is deleted, and access should disappear automatically when the VM is removed. What should the administrator configure?

A.Assign the VM's managed identity the Storage Blob Data Contributor role on the storage account or container.
B.Create an account SAS token with write permissions and store it in a secure file on the VM.
C.Assign the Reader role on the storage account to the VM's computer account.
D.Enable shared key access and rotate the storage account keys regularly.
AnswerA

This uses Entra ID-based authorization without storing secrets on the VM. A system-assigned managed identity is tied to the VM lifecycle, so when the VM is deleted the identity is removed too and its role assignments stop working (a user-assigned identity is a separate resource that would outlive the VM, so it does not meet the "access disappears automatically" requirement). The Storage Blob Data Contributor role grants the data-plane permissions needed to upload blobs, while keeping access scoped to only the required storage resource.

Why this answer

Option A is correct because assigning the VM's managed identity the Storage Blob Data Contributor role on the storage account or container allows the VM to authenticate to Azure Blob Storage without storing any keys or tokens. A managed identity is a service principal in Microsoft Entra ID whose credential Azure manages, and the application obtains short-lived access tokens for https://storage.azure.com/ from the Azure Instance Metadata Service (IMDS) at the link-local address 169.254.169.254, which is reachable only from inside the VM. When the VM is deleted, its system-assigned identity is removed and the role assignment is left orphaned, so access disappears with it.

Exam trap

The trap here is that candidates confuse the Reader role (management plane) with data plane roles like Storage Blob Data Contributor, or they assume that storing a SAS token securely is acceptable despite the explicit policy forbidding it.

How to eliminate wrong answers

Option B is wrong because storing an account SAS token in a secure file on the VM violates the security policy that forbids storing long-lived tokens on the VM, and the token does not automatically expire when the VM is deleted. Option C is wrong because the Reader role on the storage account grants read-only access to the storage account's management plane (e.g., viewing account properties), not data plane operations like uploading blobs; the VM needs Storage Blob Data Contributor for write access to the container. Option D is wrong because enabling shared key access and rotating keys still requires storing the storage account key on the VM, which violates the security policy, and key rotation does not automatically revoke access when the VM is deleted.
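The token flow described in this question and in question 546 above, as an added example that is not part of the question bank: a small client that asks IMDS for a storage-scoped token on behalf of the VM's managed identity and caches it until shortly before expiry. The HTTP call is isolated in fetch_from_imds so the caching logic can be exercised off-VM with a constructed fake response (fake_imds, a stand-in whose field names follow the IMDS token response); the token string, timestamps and skew value are constructed assumptions.

```python
"""Added example: managed-identity token acquisition from IMDS with an
in-memory cache. Only fetch_from_imds touches the network; everything else
runs offline against the constructed fake_imds response."""
from __future__ import annotations
import json
import time
import urllib.parse
import urllib.request
from typing import Callable

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
STORAGE_RESOURCE = "https://storage.azure.com/"


def build_imds_request(resource: str, client_id: str | None = None) -> urllib.request.Request:
    """IMDS requires the `Metadata: true` header. An optional client_id selects a
    user-assigned identity; without it the VM's system-assigned identity answers."""
    params = {"api-version": "2018-02-01", "resource": resource}
    if client_id:
        params["client_id"] = client_id
    url = f"{IMDS_TOKEN_URL}?{urllib.parse.urlencode(params)}"
    return urllib.request.Request(url, headers={"Metadata": "true"})


def fetch_from_imds(resource: str) -> dict:
    """Real fetcher: works only on an Azure VM that has a managed identity."""
    with urllib.request.urlopen(build_imds_request(resource), timeout=5) as resp:
        return json.loads(resp.read())


class TokenCache:
    """One token per resource, refreshed `skew` seconds before expires_on.
    Nothing is written to disk: the token lives in process memory and the
    identity's own credential never leaves the Azure fabric."""

    def __init__(self, fetcher: Callable[[str], dict] = fetch_from_imds,
                 clock: Callable[[], float] = time.time, skew: int = 300) -> None:
        self._fetcher, self._clock, self._skew = fetcher, clock, skew
        self._tokens: dict[str, tuple[str, int]] = {}
        self.fetch_count = 0  # how many round trips to IMDS were made

    def get(self, resource: str = STORAGE_RESOURCE) -> str:
        cached = self._tokens.get(resource)
        if cached and cached[1] - self._skew > self._clock():
            return cached[0]
        body = self._fetcher(resource)
        # Defensive check: never use a token minted for a different audience.
        if body.get("resource", resource) != resource:
            raise ValueError("IMDS returned a token for a different resource")
        token, expires_on = body["access_token"], int(body["expires_on"])
        self._tokens[resource] = (token, expires_on)
        self.fetch_count += 1
        return token


def authorization_header(cache: TokenCache) -> dict[str, str]:
    """Headers for a Blob REST call; Storage also requires x-ms-version."""
    return {"Authorization": f"Bearer {cache.get()}", "x-ms-version": "2021-08-06"}


def fake_imds(resource: str, now: float | None = None) -> dict:
    """Constructed stand-in for an IMDS token response (not a real token)."""
    base = int(now if now is not None else time.time())
    return {
        "access_token": "eyJ...constructed-not-a-real-token",
        "expires_on": str(base + 3600),
        "resource": resource,
        "token_type": "Bearer",
    }


if __name__ == "__main__":
    # Offline demonstration; on a VM, TokenCache() with no arguments uses IMDS.
    cache = TokenCache(fetcher=fake_imds)
    print(authorization_header(cache))
    print("IMDS round trips:", cache.fetch_count)
```

Because the cache refreshes early and re-checks the resource on every fetch, a long-running uploader neither hammers IMDS on every request nor keeps using a token that is about to expire.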

553
Multi-Selecthard

A company wants encrypted connectivity between its on-premises network and an Azure VNet. The organization has one edge VPN device at headquarters, and the Azure design must support a classic site-to-site tunnel rather than individual user VPN connections. Which three prerequisites are required? Select three.

Select 3 answers
A.Deploy a virtual network gateway in a dedicated GatewaySubnet.
B.Assign a public IP address to the Azure VPN gateway.
C.Configure the on-premises VPN device with a public IP and supported IKE/IPsec settings.
D.Create a private endpoint for the headquarters network.
E.Enable Microsoft peering on the virtual network gateway.
AnswersA, B, C

Azure VPN gateways must be deployed into the special GatewaySubnet within the VNet.

Why this answer

Three things must be in place. First, a virtual network gateway of type VPN (route-based for most modern devices) must be deployed into a subnet named exactly GatewaySubnet; Azure looks for that name, recommends a /27 or larger, and does not support attaching a network security group to it. Second, the gateway needs a public IP address, which is the IKE peer address the headquarters device will dial. Third, the on-premises device must have a public IP and IKE/IPsec settings compatible with Azure; in Azure it is represented by a local network gateway object holding its public IP and on-premises address prefixes, and the site-to-site connection object carries the pre-shared key that both ends must match.

Exam trap

The trap here is that candidates may confuse private endpoints (used for PaaS services) or ExpressRoute peering with the prerequisites for a classic site-to-site VPN, which strictly requires a GatewaySubnet, a public IP on the gateway, and a compatible on-premises VPN device.

554
MCQeasy

A platform team must deploy the same group of Azure VMs every month from source control and wants the deployment to be repeatable and reviewable. Which approach should they use?

A.Manual portal deployment each month
B.A Bicep template in source control
C.A temporary virtual machine snapshot
D.A network security group rule collection
AnswerB

Bicep is an infrastructure-as-code language that is concise, readable, and well suited for Azure deployments. Storing the template in source control makes the deployment repeatable, auditable, and easy to modify over time. It is a strong choice when the team wants the same VM deployment every month.

Why this answer

Bicep is a domain-specific language (DSL) for deploying Azure resources declaratively. Storing a Bicep template in source control ensures the VM deployment is repeatable (same parameters produce identical infrastructure) and reviewable (changes are tracked via pull requests and commit history), meeting the team's requirements for infrastructure as code (IaC).

Exam trap

The trap here is that candidates may confuse a VM snapshot (a backup artifact) with a deployment template, or think manual portal steps can be 'repeatable' if documented, but the exam tests the concept that only IaC (Bicep/ARM templates) gives true repeatability and auditability from source control.

How to eliminate wrong answers

Option A is wrong because manual portal deployment is not repeatable (prone to human error) and cannot be reviewed via source control, violating the core requirements. Option C is wrong because a temporary VM snapshot captures a point-in-time state of a single VM, not a repeatable deployment definition for a group of VMs, and it cannot be version-controlled or reviewed as code. Option D is wrong because a network security group (NSG) rule collection only defines inbound/outbound traffic rules for network interfaces/subnets, not the deployment of VMs themselves.

555
MCQeasy

Based on the exhibit, the workload must keep running if an entire datacenter in the region becomes unavailable. The region supports availability zones. What should you deploy?

A.An availability set with one update domain per VM.
B.Availability zones with the VMs distributed across zones.
C.A single VM with a premium SSD data disk.
D.An Azure proximity placement group.
AnswerB

Availability zones are the correct choice because they place resources in separate datacenters within the same region. That gives the application resilience if one datacenter or zone becomes unavailable. The scenario explicitly asks for datacenter-level protection, which is what zones are designed to provide.

Why this answer

Availability zones are physically separate datacenters within an Azure region, each with independent power, cooling, and networking. Deploying VMs across multiple zones ensures that if one entire datacenter fails, the workload continues running in the other zone(s), meeting the requirement for regional datacenter-level resilience.

Exam trap

The trap here is confusing availability sets (which protect against rack-level failures) with availability zones (which protect against datacenter-level failures), leading candidates to choose an availability set when the question explicitly requires surviving an entire datacenter outage.

How to eliminate wrong answers

Option A is wrong because an availability set protects against failures within a single datacenter (e.g., rack or update failures) but cannot survive an entire datacenter outage. Option C is wrong because a single VM with a premium SSD data disk provides no redundancy at the datacenter level; if that datacenter fails, the VM and its disk are unavailable until it recovers, since a locally redundant disk keeps its three copies inside one datacenter. Option D is wrong because a proximity placement group is used to minimize network latency between VMs by placing them close together, which works against, rather than provides, resilience across datacenters.

556
MCQmedium

A company wants to peer a new spoke virtual network with an existing hub VNet. The hub uses 10.20.0.0/16. The spoke was created with 10.20.1.0/24 because that range was still available in the IPAM spreadsheet. VNet peering creation fails. What should the administrator do first?

A.Enable gateway transit on the hub and retry the peering.
B.Add a route table to the spoke subnet so the networks can communicate.
C.Change the spoke VNet address space to a non-overlapping range, then recreate or update peering.
D.Configure a custom DNS server in the spoke to translate the overlapping range.
AnswerC

VNet peering requires the two virtual networks to have non-overlapping IP address spaces. Because the hub already uses 10.20.0.0/16, the spoke cannot use 10.20.1.0/24. The administrator must renumber the spoke to a different range, such as 10.21.0.0/16 or another approved block, before peering can succeed.

Why this answer

VNet peering in Azure requires that the address spaces of the peered virtual networks do not overlap. The hub uses 10.20.0.0/16, and the spoke uses 10.20.1.0/24, which is a subset of the hub's range. This overlap causes the peering creation to fail.

The administrator must first change the spoke's address space to a non-overlapping range (e.g., 10.21.0.0/24) and then recreate or update the peering.

Exam trap

The trap here is that candidates may think overlapping address spaces can be resolved by routing or DNS changes, but Azure explicitly prohibits peering with overlapping ranges, and no configuration workaround exists—the address space must be changed.

How to eliminate wrong answers

Option A is wrong because enabling gateway transit is used to allow a spoke VNet to use the hub's VPN/ExpressRoute gateway, but it does not resolve address space overlap, which is the root cause of the failure. Option B is wrong because adding a route table to the spoke subnet cannot fix overlapping IP ranges; route tables control traffic flow but cannot change the fact that Azure blocks peering with overlapping address spaces. Option D is wrong because configuring a custom DNS server does not address IP address overlap; DNS translates names to IPs, but the underlying conflict of overlapping ranges remains and prevents peering from being established.
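The overlap check that questions 542 and 556 turn on, as an added example that is not part of the question bank: a Python helper built on the standard-library ipaddress module that tests a proposed spoke range against every range it will be connected to (hub VNet, other spokes, on-premises prefixes) and picks the first free block from a candidate list. The range names and candidate lists are constructed from the scenarios above; ip_network.overlaps() is true when either network contains the other, which is exactly Azure's notion of an overlap.

```python
"""Added example: pre-deployment address-space overlap check for a spoke VNet.
Ranges below are constructed from the exam scenarios, not taken from a real
environment."""
from __future__ import annotations
import ipaddress
from typing import Iterable


def find_overlaps(proposed: str, connected: dict[str, str]) -> list[tuple[str, str]]:
    """Return (name, cidr) for every connected range that overlaps `proposed`.

    A /24 carved out of someone else's /16 counts as an overlap just as much
    as an identical range. strict=True rejects a CIDR whose host bits are set
    (e.g. 10.50.0.1/24), which is usually an IPAM typo worth catching early.
    """
    spoke = ipaddress.ip_network(proposed, strict=True)
    hits = []
    for name, cidr in connected.items():
        other = ipaddress.ip_network(cidr, strict=True)
        if spoke.overlaps(other):
            hits.append((name, cidr))
    return hits


def is_peerable(proposed: str, connected: dict[str, str]) -> bool:
    """True when the proposed range overlaps none of the connected ranges."""
    return not find_overlaps(proposed, connected)


def first_free_block(candidates: Iterable[str], connected: dict[str, str]) -> str | None:
    """Pick the first candidate (e.g. from an IPAM list) that overlaps nothing."""
    for cidr in candidates:
        if is_peerable(cidr, connected):
            return cidr
    return None


if __name__ == "__main__":
    # Constructed scenario: hub VNet plus an on-premises range reachable via the hub gateway.
    connected = {"hub-vnet": "10.50.0.0/16", "on-premises": "10.51.0.0/16"}
    for option in ("10.50.128.0/17", "10.51.0.0/16", "10.52.0.0/16", "10.50.0.0/24"):
        print(option, "->", find_overlaps(option, connected) or "OK")
    # Question 556: the IPAM sheet said 10.20.1.0/24 was free, but the hub owns 10.20.0.0/16.
    print(first_free_block(["10.20.1.0/24", "10.21.0.0/16"], {"hub-vnet": "10.20.0.0/16"}))
```

Run this against the full set of connected prefixes, not just the hub: the on-premises ranges reached through the hub gateway must be included, or option B in question 542 would pass the check.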

557
MCQeasy

The Azure portal shows that a storage service in the region is experiencing an outage that affects several Microsoft customers. The administrator wants to view official Azure status updates for that issue. Which Azure Monitor feature should be used?

A.Activity log
B.Service Health
C.Azure Advisor
D.Metrics explorer
AnswerB

Service Health provides Azure platform incident information, advisories, and status updates for impacted services and regions.

Why this answer

Service Health is the correct Azure Monitor feature because it provides a personalized view of the health of Azure services, regions, and resources, including real-time and historical information about service-impacting events such as outages. It also surfaces official root cause analyses and planned maintenance, making it the appropriate tool for an administrator to view official Azure status updates for a regional outage affecting multiple customers.

Exam trap

The trap here is that candidates often confuse the Activity log (which tracks resource-level operations) with Service Health (which tracks Azure platform-level health), leading them to select Activity log when they need official outage status updates.

How to eliminate wrong answers

Option A is wrong because the Activity log records control-plane operations (e.g., create, delete, update) on individual resources, not the health status of Azure services themselves. Option C is wrong because Azure Advisor provides proactive recommendations for cost, security, reliability, and performance optimization, not real-time or official outage status updates. Option D is wrong because Metrics explorer analyzes performance and usage metrics (e.g., CPU, latency) from Azure resources, but it cannot surface official Azure service health incidents or outage announcements.

558
MCQmedium

A VM in a subnet has both a subnet-level NSG and a NIC-level NSG. The subnet NSG allows inbound TCP 22 from the VirtualNetwork service tag, but the NIC NSG denies inbound TCP 22 from the same source. An administrator says the subnet rule should be enough because it allows the traffic. What is the actual behavior?

A.The allow rule wins because subnet NSGs always override NIC NSGs.
B.The traffic is blocked because a deny in either NSG is effective.
C.The traffic is allowed because service tags bypass NIC-level rules.
D.The connection succeeds unless a route table sends the traffic elsewhere.
AnswerB

Azure evaluates both NIC and subnet NSGs. If either one denies the packet, the connection is blocked even if the other NSG has an allow rule.

Why this answer

When both a subnet-level NSG and a NIC-level NSG are applied, inbound traffic is evaluated against the subnet NSG first and then against the NIC NSG (outbound traffic is processed in the reverse order), and within each NSG rules are processed by priority number with the first match deciding. A packet must be allowed by both NSGs; a deny in either one ends the evaluation and the packet is dropped. In this scenario the NIC-level NSG explicitly denies inbound TCP 22 from the VirtualNetwork service tag, so even though the subnet NSG allows it, the connection is blocked. The Effective security rules view on the network interface (or Network Watcher's IP flow verify) shows the combined result and is the quickest way to confirm which rule is dropping the traffic.

Exam trap

The trap here is that candidates often assume subnet-level NSGs take precedence over NIC-level NSGs, but Azure actually applies both and the most restrictive rule (any deny) wins, making it critical to check both NSGs for conflicting rules.

How to eliminate wrong answers

Option A is wrong because subnet NSGs do not override NIC-level NSGs; instead, both NSGs are evaluated and the most restrictive rule applies, so a deny in either NSG blocks the traffic. Option C is wrong because service tags do not bypass NIC-level rules; NSG rules are evaluated in priority order within each NSG, and a deny rule in the NIC NSG will still block traffic regardless of the service tag. Option D is wrong because route tables control the path traffic takes, not the firewall rules; even if a route table sends traffic to the VM, the NIC NSG's deny rule will still block the connection.
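The two-stage evaluation described above, as an added example that is not part of the question bank: a Python simulation of how one inbound packet is run through a subnet NSG and then a NIC NSG, with rules processed by priority inside each NSG and Azure's default inbound rules appended. The rule sets and the packet are constructed from the scenario in this question, and the SERVICE_TAGS table is a simplified stand-in for real service tags (the real VirtualNetwork tag also covers peered VNets and on-premises prefixes learned via the gateway).

```python
"""Added example: simulate Azure's subnet-then-NIC NSG evaluation for inbound
traffic. Rules, packet and the service-tag table are constructed for the
demonstration."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Constructed approximation of service tags used by the rules below.
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/8"],
    "Internet": ["0.0.0.0/0"],
    "AzureLoadBalancer": ["168.63.129.16/32"],
}


@dataclass(frozen=True)
class Rule:
    priority: int   # custom rules 100..4096; lower number is evaluated first
    name: str
    access: str     # "Allow" or "Deny"
    protocol: str   # "Tcp", "Udp", "Icmp" or "*"
    source: str     # CIDR, single IP, "*" or a service tag
    dest_port: str  # "22", "*" or a range such as "1000-2000"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    protocol: str
    dest_port: int


def _source_matches(source: str, src_ip: str) -> bool:
    if source == "*":
        return True
    ip = ipaddress.ip_address(src_ip)
    ranges = SERVICE_TAGS.get(source, [source])  # tag -> prefixes, else literal CIDR/IP
    return any(ip in ipaddress.ip_network(r) for r in ranges)


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-"))
        return lo <= port <= hi
    return int(spec) == port


def evaluate_nsg(rules: list[Rule], pkt: Packet) -> tuple[str, str]:
    """First matching rule in ascending priority order decides. Azure's default
    inbound rules are appended so every packet receives a verdict."""
    defaults = [
        Rule(65000, "AllowVnetInBound", "Allow", "*", "VirtualNetwork", "*"),
        Rule(65001, "AllowAzureLoadBalancerInBound", "Allow", "*", "AzureLoadBalancer", "*"),
        Rule(65500, "DenyAllInBound", "Deny", "*", "*", "*"),
    ]
    for rule in sorted(rules + defaults, key=lambda r: r.priority):
        if rule.protocol not in ("*", pkt.protocol):
            continue
        if not _source_matches(rule.source, pkt.src_ip):
            continue
        if not _port_matches(rule.dest_port, pkt.dest_port):
            continue
        return rule.access, rule.name
    raise AssertionError("unreachable: DenyAllInBound matches everything")


def inbound_verdict(subnet_rules: list[Rule], nic_rules: list[Rule], pkt: Packet) -> dict:
    """Inbound: subnet NSG first, then NIC NSG. Both must allow; a Deny in
    either one ends the evaluation."""
    subnet_access, subnet_rule = evaluate_nsg(subnet_rules, pkt)
    if subnet_access == "Deny":
        return {"allowed": False, "blocked_by": f"subnet:{subnet_rule}"}
    nic_access, nic_rule = evaluate_nsg(nic_rules, pkt)
    if nic_access == "Deny":
        return {"allowed": False, "blocked_by": f"nic:{nic_rule}"}
    return {"allowed": True, "blocked_by": None}


# Constructed rule sets matching the question: subnet allows SSH from the VNet, NIC denies it.
SUBNET_NSG = [Rule(100, "allow-ssh-from-vnet", "Allow", "Tcp", "VirtualNetwork", "22")]
NIC_NSG = [Rule(100, "deny-ssh-from-vnet", "Deny", "Tcp", "VirtualNetwork", "22")]

if __name__ == "__main__":
    ssh = Packet("10.20.1.4", "Tcp", 22)
    print(inbound_verdict(SUBNET_NSG, NIC_NSG, ssh))   # blocked by the NIC deny
    print(inbound_verdict(SUBNET_NSG, [], ssh))        # allowed once the NIC deny is gone
```

The same function also shows the default-rule behaviour that surprises people in the other direction: with no custom rules at all, VNet-sourced traffic is still allowed by AllowVnetInBound (65000), while anything from outside the tag falls through to DenyAllInBound.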

559
MCQmedium

A support team must be able to start, stop, and restart virtual machines in one application resource group, but they must not create or delete VMs, modify disks, or manage networking. What is the best access approach?

A.Assign Contributor at the subscription scope so the team can manage all resources.
B.Create a custom RBAC role with only the required VM power actions and assign it at the resource group scope.
C.Assign Reader at the resource group scope and use Azure Policy to permit VM restarts.
D.Apply a resource lock to the resource group so the team can only make approved changes.
AnswerB

A custom role is appropriate when the built-in roles are broader than the actual task. By granting only the VM start, stop, and restart actions needed for that resource group, the administrator keeps permissions tightly limited. Assigning the role at the resource group scope also ensures the team cannot affect resources outside that application boundary.

Why this answer

Option B is correct because Azure RBAC allows you to create a custom role with specific actions like Microsoft.Compute/virtualMachines/start/action, Microsoft.Compute/virtualMachines/restart/action, and Microsoft.Compute/virtualMachines/deallocate/action, and assign it at the resource group scope. This grants the support team exactly the permissions needed to start, stop, and restart VMs without allowing VM creation, deletion, disk modification, or networking changes, adhering to the principle of least privilege.

Exam trap

The trap here is that candidates often confuse Azure Policy or resource locks with RBAC, thinking they can grant or restrict permissions, when in fact they are separate governance tools—Policy enforces rules, locks prevent changes, and only RBAC roles control who can perform actions.

How to eliminate wrong answers

Option A is wrong because assigning Contributor at the subscription scope grants full management access to all resources in the subscription, including the ability to create, delete, and modify VMs, disks, and networking, which violates the requirement to restrict those actions. Option C is wrong because the Reader role only allows read-only access and cannot perform any write actions like starting or restarting VMs; Azure Policy can audit or enforce compliance but cannot grant permissions to perform actions. Option D is wrong because a resource lock (e.g., CanNotDelete or ReadOnly) prevents deletion or modification of resources but does not grant specific permissions to start, stop, or restart VMs; it is a protection mechanism, not an access control method.

560
Multi-Selecthard

A business-critical application runs in a region that does not support availability zones. It uses two Azure VMs and must survive planned maintenance and a single host failure, but it does not need automatic scale-out. Which two actions should the administrator take? Select two.

Select 2 answers
A.Place both VMs in the same availability set
B.Deploy the VMs so Azure distributes them across fault and update domains within that set
C.Deploy the VMs in separate availability zones
D.Convert the workload to a single larger VM
E.Put the VMs in a proximity placement group
AnswersA, B

This is the standard design for spreading VMs across fault and update domains.

Why this answer

Option A is correct because an availability set provides redundancy within a single region that does not support availability zones, protecting against both planned maintenance (via update domains) and host failures (via fault domains). By placing both VMs in the same availability set, Azure ensures they are distributed across multiple fault domains (up to 3) and update domains (up to 20), so a single hardware failure or planned maintenance event does not affect both VMs simultaneously.

Exam trap

The trap here is that candidates often confuse availability zones with availability sets, assuming zones are always an option, but the question explicitly restricts the region to non-zone support, making the availability set the only viable redundancy mechanism.

561
MCQhard

A line-of-business web tier consists of two Azure VMs in a region that supports availability zones. The business requirement is to survive a full datacenter outage in that region without deploying to a second region. What should the administrator use?

A.An availability set with multiple update domains
B.Availability zones with the VMs placed in different zones
C.A proximity placement group for both VMs
D.A single-zone virtual machine scale set
AnswerB

Zones are isolated datacenter locations within a region, which protects against one datacenter becoming unavailable.

Why this answer

Availability zones are physically separate datacenters within an Azure region, each with independent power, cooling, and networking. Placing the two VMs in different zones ensures that if one entire datacenter fails, the other VM remains operational, meeting the requirement to survive a full datacenter outage without deploying to a second region.

Exam trap

The trap here is that candidates confuse availability sets (which protect within a datacenter) with availability zones (which protect across datacenters), leading them to choose an availability set despite the explicit requirement to survive a full datacenter outage.

How to eliminate wrong answers

Option A is wrong because an availability set protects against hardware failures within a single datacenter (via fault domains) and planned maintenance (via update domains), but it cannot survive a full datacenter outage since all VMs in an availability set reside in the same datacenter. Option C is wrong because a proximity placement group is designed to reduce network latency by co-locating VMs as close as possible, which actually increases the risk of a single datacenter outage affecting both VMs. Option D is wrong because a single-zone virtual machine scale set places all VM instances in the same availability zone, so a datacenter outage in that zone would take down the entire web tier.

562
Matchinghard

A platform team is tuning alerting for a production VM and the surrounding Azure resources. Match each Azure Monitor component to the function it performs in this design.


Matches

Evaluates a numeric Azure Monitor metric and fires when a threshold or dynamic condition is met.

Runs a KQL query against workspace data and fires when the query result matches the condition.

Delivers notifications or automation such as email, SMS, webhook, or runbook execution.

Exports resource logs and metrics to a destination such as Log Analytics, storage, or Event Hub.

Monitors subscription-level control-plane events such as deletes, writes, or policy actions.

Why these pairings

Azure Monitor Metrics handles numerical data, Logs handles log data; Application Insights is for app monitoring; Alerts notify on conditions; Workbooks and Dashboards are visualization tools.

563
Drag & Dropmedium

Order the steps to configure Azure Traffic Manager for geographic routing.


Why this order

Create profile, set geographic routing, add endpoints with mapping, configure monitoring, update DNS.

564
MCQeasy

A finance department wants several Windows virtual machines to map the same shared drive letter and work with the same files at the same time. Which Azure Storage service should you configure?

A.Azure Blob container
B.Azure Files share
C.Archive blob tier
D.Storage account access key only
AnswerB

Azure Files provides SMB-based file shares that Windows VMs can map as network drives, which matches shared-drive usage.

Why this answer

Azure Files provides fully managed file shares in the cloud that support the SMB protocol, allowing multiple Windows VMs to mount the same share with a consistent drive letter (e.g., Z:) and access the same files concurrently. This meets the finance department's requirement for shared access with a mapped drive letter, which Azure Blob storage cannot provide because it uses REST APIs rather than SMB.

Exam trap

The trap here is that candidates confuse Azure Blob storage (object storage) with Azure Files (file storage), assuming that any storage service can provide a mapped drive letter, but only Azure Files supports SMB-based file shares for concurrent VM access.

How to eliminate wrong answers

Option A is wrong because Azure Blob containers are object storage accessed via REST APIs or SDKs, not via a mapped drive letter, and they do not support concurrent file-level sharing with SMB. Option C is wrong because the Archive blob tier is a cost-optimized access tier for infrequently accessed blobs, not a storage service for shared file access with drive mapping. Option D is wrong because a storage account access key alone is an authentication method, not a storage service; it cannot provide a shared drive letter or file-sharing capability.

565
Multi-Selecthard

A developer has the Contributor role on a resource group. A Bicep deployment that creates a VM with a public IP fails with a policy denial, but the same template succeeds after the public IP resource is removed. Which two statements are true? Select two.

Select 2 answers
A.The Contributor role allows deployments in the resource group, but it cannot override a deny policy inherited from a higher scope.
B.The policy assignment can apply to the resource group because policy inheritance flows from management group to subscription to resource group.
C.A CanNotDelete lock is the reason the public IP resource cannot be created.
D.Assigning Owner on the resource group would automatically bypass the policy denial and allow the template to deploy unchanged.
E.Moving the VM to another subnet in the same virtual network would remove the inherited policy effect.
AnswersA, B

Contributor grants broad management rights within its scope, but Azure Policy enforcement is separate from RBAC. A deny effect blocks the resource creation even when the user has sufficient permissions. The fact that the deployment succeeds once the public IP is removed strongly indicates a policy rule, not a permissions issue.

Why this answer

Option A is correct because the Contributor role grants full management access to resources within the resource group, but it cannot override Azure Policy effects such as 'deny'. Policy inheritance flows from higher scopes (management group, subscription) down to the resource group, and even a Contributor cannot bypass a deny policy assigned at a higher scope. The Bicep deployment fails specifically because the public IP resource violates a policy rule, not because of a lack of permissions on the role itself.

Exam trap

The trap here is confusing Azure Policy denials with Azure role-based access control (RBAC) or resource locks, leading candidates to incorrectly assume that a higher-privileged role like Owner can override a policy denial, or that a CanNotDelete lock blocks resource creation.

566
MCQmedium

Security wants one assignment that enforces all of these controls across several subscriptions: allowed Azure regions, required tags, and disabling public network access on specific resources. Which Azure feature should you use?

A.A single Azure Policy definition with one rule for all three controls
B.An Azure Policy initiative that contains multiple related policy definitions
C.A management group lock applied to the subscriptions
D.A custom RBAC role assigned at the management group
AnswerB

An initiative lets you group multiple policies into one assignment, which is ideal for enforcing a broader security baseline.

Why this answer

An Azure Policy initiative (also called a policy set) is the correct choice because it groups multiple independent policy definitions into a single assignable unit. This allows you to enforce all three distinct controls—allowed regions, required tags, and disabling public network access—across several subscriptions in one assignment, while keeping each rule as a separate policy definition for easier management and granular effect.

Exam trap

The trap here is that candidates often think a single policy definition can contain multiple rules (like a JSON array of conditions), but Azure Policy requires each definition to have exactly one policyRule, so an initiative is the only way to bundle separate controls into one assignment.

How to eliminate wrong answers

Option A is wrong because a single Azure Policy definition can contain only one rule (one policy effect per definition); combining three different controls into one definition would violate the policy structure and make it impossible to manage or audit each control independently. Option C is wrong because a management group lock prevents accidental deletion or modification of resources but cannot enforce compliance controls like allowed regions, required tags, or disabling public network access—locks are for operational protection, not governance. Option D is wrong because a custom RBAC role controls who can perform actions (permissions) but does not enforce resource configuration or compliance; RBAC cannot automatically block the creation of resources in disallowed regions or enforce tagging rules.

567
MCQmedium

Based on the exhibit, what should the administrator configure so the container group can pull the private image without storing registry credentials?

A.Assign a managed identity to the container group and grant it AcrPull on the registry.
B.Store the ACR admin account password in a container environment variable.
C.Use a SAS token for the container image reference.
D.Place the registry in the same resource group as the container group.
AnswerA

Managed identity-based access is the correct secret-free method for Azure Container Instances to authenticate to Azure Container Registry. By assigning an identity to the container group and granting that identity the AcrPull role on the registry, the group can pull the private image without storing credentials in the template. This satisfies both security and operational requirements.

Why this answer

Option A is correct because Azure Container Groups support managed identities, which allow the container group to authenticate to Azure Container Registry (ACR) without storing any credentials. By assigning a system-assigned or user-assigned managed identity to the container group and granting it the AcrPull role on the registry, the container runtime can use Azure AD authentication to pull the private image. This eliminates the need to store registry admin credentials or SAS tokens in the container configuration.

Exam trap

The trap here is that candidates often confuse SAS tokens (used for Azure Storage) with ACR authentication, or assume that resource group placement or admin credentials are valid solutions, when the core requirement is to use Azure AD-based authentication via a managed identity to avoid storing any credentials.

How to eliminate wrong answers

Option B is wrong because storing the ACR admin account password in a container environment variable exposes the credential in plain text within the container, which is a security risk and does not meet the requirement of not storing registry credentials. Option C is wrong because a SAS token is used for Azure Storage access, not for Azure Container Registry authentication; ACR does not support SAS tokens for image pulls. Option D is wrong because placing the registry in the same resource group as the container group does not grant any authentication permissions; resource group location has no bearing on access control or credential storage.

568
MCQmedium

A Linux VM in a subnet must accept SSH only from the corporate admin subnet 10.8.4.0/24. The subnet NSG currently has an Allow-SSH rule for Any at priority 300 and a Deny-SSH rule for Any at priority 200. Administrators from 10.8.4.0/24 still cannot connect. What change should the administrator make?

A.Change the deny rule protocol from TCP to Any so the allow rule is evaluated first.
B.Add an Allow-SSH rule for 10.8.4.0/24 with a priority lower than 200.
C.Move the existing Allow-SSH rule to priority 400 so it applies later.
D.Add a route table to the subnet so the SSH packets follow a different path.
AnswerB

NSG rules are evaluated by priority, and the lowest number wins. A deny rule at 200 blocks SSH before the allow at 300 is considered. The fix is to add a more specific allow rule for the admin subnet with a higher priority, such as 100, so it is evaluated first. That keeps SSH restricted to approved administrators while preserving the existing deny for everyone else.

Why this answer

The subnet NSG has a Deny-SSH rule for Any at priority 200, which blocks all SSH traffic regardless of source. NSG rules are processed in priority order, lowest number first, and processing stops at the first rule that matches, so the deny at 200 rejects the admin subnet's traffic before the Allow-SSH rule at 300 is ever reached. To allow SSH only from 10.8.4.0/24, add an Allow-SSH rule for that specific source with a priority number smaller than 200, such as 100, so it is evaluated before the deny rule.

The wording 'priority lower than 200' in the correct answer means a numerically smaller value (e.g., 100), which is evaluated before the deny rule, allowing traffic from 10.8.4.0/24 before the deny rule blocks it. This is the standard NSG rule evaluation behavior: the highest priority (lowest number) rule wins.

Exam trap

The trap here is that candidates often confuse 'lower priority' with a higher numeric value, thinking a rule with priority 400 is 'lower' than 200, when in fact NSG rules use ascending numeric priority where lower numbers are evaluated first.

How to eliminate wrong answers

Option A is wrong because changing the deny rule protocol from TCP to Any does not affect rule evaluation order; NSG rules are evaluated by priority number, not protocol, and the deny rule at priority 200 will still block SSH before the allow rule at priority 300 is reached. Option C is wrong because moving the existing Allow-SSH rule to priority 400 (a higher number) would cause it to be evaluated even later, after the deny rule at 200, so it would never be applied and SSH would remain blocked. Option D is wrong because route tables control network traffic paths at Layer 3, not security filtering; adding a route table does not bypass NSG rules, and SSH packets would still be subject to NSG evaluation.

569
MCQmedium

Based on the exhibit, what should the administrator do so VM-B resolves the storage account name to the private IP address?

A.Create a service endpoint on VNet-B and leave DNS unchanged.
B.Link the private DNS zone to VNet-B.
C.Assign a public IP address to the private endpoint.
D.Add a route table with a next hop to the storage account.
AnswerB

The DNS zone link lets workloads in VNet-B resolve the storage name to the private endpoint address.

Why this answer

The private DNS zone for the storage account must be linked to VNet-B so that VM-B can resolve the storage account's fully qualified domain name (FQDN) to the private IP address of the private endpoint. Without this link, the DNS resolution will fall back to the public endpoint, bypassing the private connectivity. Linking the zone ensures Azure's default DNS servers return the private IP for the storage account within VNet-B.

Exam trap

The trap here is that candidates often confuse network-level controls (like service endpoints or route tables) with DNS resolution, assuming that private connectivity alone will automatically change name resolution without explicitly linking the private DNS zone.

How to eliminate wrong answers

Option A is wrong because a service endpoint does not affect DNS resolution; it only provides direct connectivity to the Azure service over the Microsoft backbone, but the storage account name would still resolve to a public IP unless a private DNS zone is linked. Option C is wrong because assigning a public IP to the private endpoint defeats the purpose of private connectivity and does not change DNS resolution; private endpoints use private IPs from the virtual network, and a public IP would not be used for name resolution. Option D is wrong because a route table controls network traffic paths, not DNS resolution; adding a route with a next hop to the storage account would not change how the storage account name is resolved to an IP address.

570
MCQmedium

A blob was moved to the Archive tier last month. A project team now needs the file available later today, and they expect to read it several times during review. What should the administrator do first?

A.Copy the blob directly from Archive to a local machine and reopen it there.
B.Start a rehydration request and move the blob to the Hot tier with high priority.
C.Change the blob to the Cool tier immediately and expect it to become available within minutes.
D.Create a lifecycle rule to move the blob back to Hot automatically on the next day.
AnswerB

Archive data must be rehydrated before it can be read. If the team needs the file later today and will access it repeatedly, rehydrating it to Hot with high priority is the fastest practical choice.

Why this answer

Option B is correct because a blob in the Archive tier is offline and must be rehydrated (changed to Hot or Cool) before it can be accessed. Using high-priority rehydration ensures the blob becomes available within 1 hour, which meets the requirement for later today. The Hot tier is appropriate since the team expects to read the blob several times, providing low-latency access without incurring read costs from Cool tier.

Exam trap

The trap here is that candidates assume changing the tier directly (e.g., to Cool) makes the blob instantly accessible, but in reality, any tier change from Archive triggers a rehydration process with significant latency, and only high-priority rehydration guarantees availability within an hour.

How to eliminate wrong answers

Option A is wrong because you cannot directly copy or download a blob from the Archive tier; it must first be rehydrated to an online tier (Hot or Cool) before any read or copy operation. Option C is wrong because changing the blob tier directly from Archive to Cool triggers a standard-priority rehydration that can take up to 15 hours, not minutes, which does not meet the 'later today' requirement. Option D is wrong because lifecycle rules operate on a schedule (typically daily) and cannot be triggered immediately; waiting until the next day would not make the blob available later today.

571
Multi-Selecthard

A compliance team wants newly uploaded monthly reports to remain in the Hot tier for 90 days and then move automatically to a cheaper online tier without becoming offline. Which two configurations should the administrator use? Select two.

Select 2 answers
A.Create a blob lifecycle management rule.
B.Configure the rule to transition blobs from Hot to Cool after 90 days.
C.Transition the blobs to Archive after 90 days so they cost less than Cool.
D.Use file share snapshots because lifecycle rules do not apply to blobs.
E.Enable soft delete on the container to change access tiers automatically.
AnswersA, B

Lifecycle management automates tier changes based on object age, which fits recurring report data perfectly.

Why this answer

Option A is correct because Azure Blob Lifecycle Management rules allow administrators to automate tier transitions for blobs based on age or other conditions. Option B is correct because transitioning from Hot to Cool after 90 days meets the requirement of moving to a cheaper online tier (Cool is online and less expensive than Hot) while keeping the data accessible without becoming offline.

Exam trap

The trap here is that candidates often mistake the Archive tier for a 'cheaper online' option, but Archive is offline and requires rehydration, while Cool is the correct online tier for cost savings after 90 days.

572
MCQmedium

A subnet uses a route table with gateway route propagation disabled so internet-bound traffic can be forced through a network virtual appliance. After the change, VMs in the subnet can no longer reach servers in the on-premises network 172.16.0.0/16 over the VPN gateway. What should the administrator add to the route table?

A.A user-defined route for 172.16.0.0/16 with next hop type Virtual network gateway.
B.A user-defined route for 172.16.0.0/16 with next hop type Internet.
C.An NSG allow rule for TCP 172.16.0.0/16.
D.A service endpoint for the on-premises network range.
AnswerA

When gateway route propagation is disabled, the subnet no longer learns on-premises routes automatically from the VPN gateway. Adding a specific route for the on-premises prefix with next hop Virtual network gateway restores reachability to that network while keeping the forced-tunneling design for other traffic.

Why this answer

When gateway route propagation is disabled on a route table, the subnet no longer receives the default system routes that include the VPN gateway route for on-premises networks. To restore connectivity to 172.16.0.0/16, you must add a user-defined route (UDR) with next hop type 'Virtual network gateway', which explicitly directs traffic for that prefix through the VPN gateway. This overrides the missing propagated route and forces the traffic to the on-premises network correctly.

Exam trap

The trap here is that candidates confuse routing (UDR) with filtering (NSG) or connectivity methods (service endpoints), assuming an NSG rule or service endpoint can fix a routing issue, when only a user-defined route with the correct next hop type can restore traffic flow to the on-premises network.

How to eliminate wrong answers

Option B is wrong because setting the next hop type to 'Internet' would send traffic to 172.16.0.0/16 out to the public internet, which cannot reach a private on-premises network and would fail. Option C is wrong because a Network Security Group (NSG) rule controls firewall filtering (allow/deny traffic), not routing; it does not define the path traffic takes to reach a destination. Option D is wrong because a service endpoint is used to extend a VNet's private address space to Azure PaaS services (e.g., Azure Storage, SQL Database) over the Azure backbone, not to route traffic to an on-premises network via VPN.

573
Matchingmedium

A team is choosing the right Azure Monitor alert type for different operational signals. Match each alert type to the situation it is best suited for.


Matches

Alerts on a numeric measurement such as average CPU, disk queue length, or memory utilization.

Evaluates a KQL query and alerts when matching records appear in a workspace.

Responds to subscription-level control-plane events such as create, delete, or policy changes.

Indicates that a specific Azure resource is unhealthy or unavailable.

Notifies on Azure platform incidents, advisories, or maintenance affecting a region or service.

Why these pairings

Metric alerts monitor numeric values; Activity log alerts on resource changes; Log alerts query log data; Smart detection finds anomalies; Resource health alerts on resource status; Service health alerts on Azure service issues.

574
MCQmedium

Based on the exhibit, an administrator wants to prevent new Azure resources from being deployed in any region except East US and West US across the entire Corp hierarchy. What should the administrator configure?

A.Assign a built-in RBAC role that denies deployments in unsupported regions.
B.Create and assign an Azure Policy at the Corp management group using the allowed locations rule.
C.Apply a CanNotDelete lock to the subscriptions.
D.Use a resource tag named RegionApproved and require teams to set it manually.
AnswerB

Azure Policy is the correct tool for enforcing location compliance. Assigning the policy at the Corp management group ensures the restriction applies to all current and future child subscriptions, and a deny effect blocks noncompliant region deployments at creation time.

Why this answer

Azure Policy is the correct tool to enforce governance rules across management groups. The 'allowed locations' built-in policy definition restricts resource deployment to specified regions. By assigning this policy at the Corp management group, the rule applies to all child subscriptions and resources, preventing deployment in any region except East US and West US.

Exam trap

The trap here is confusing Azure Policy (which enforces rules on resource properties) with RBAC (which controls access) or resource locks (which prevent deletion), leading candidates to choose an option that addresses permissions rather than configuration compliance.

How to eliminate wrong answers

Option A is wrong because RBAC roles control access permissions (who can do what), not resource configuration or deployment restrictions; there is no built-in RBAC role that denies deployments based on region. Option C is wrong because a CanNotDelete lock prevents deletion of resources but does not restrict where new resources can be deployed. Option D is wrong because resource tags are metadata for organization and cost tracking, not a mechanism to enforce regional deployment restrictions; they require manual compliance and do not block deployment.

575
MCQmedium

Based on the exhibit, the security team wants an alert whenever someone changes the configuration of a storage account, such as disabling public network access. The current rule is a metric alert on transaction count. What should you use instead?

A.Keep the metric alert and lower the threshold to 10 transactions.
B.Create a service health alert because storage account settings affect platform status.
C.Use a Log Analytics query alert against VM guest logs to detect network-rule changes.
D.Create an activity log alert for write operations on the storage account resource.
AnswerD

Configuration changes to a storage account are control-plane actions and appear in the Azure Activity log. An activity log alert on write operations is the right monitoring approach because it detects management changes, not traffic patterns.

Why this answer

Activity log alerts are designed to monitor Azure resource-level operations, such as write actions that modify storage account configurations. Option D is correct because it creates an alert specifically for write operations on the storage account resource, which captures events like disabling public network access. This is the appropriate method for detecting configuration changes, unlike metric alerts which track performance data.

Exam trap

The trap here is that candidates confuse metric alerts (which monitor performance counters like transaction count) with activity log alerts (which monitor resource management operations), leading them to choose options that track the wrong type of data.

How to eliminate wrong answers

Option A is wrong because lowering the threshold on a metric alert for transaction count does not detect configuration changes; it only triggers on high transaction volumes, which is unrelated to actions like disabling public network access. Option B is wrong because service health alerts monitor Azure platform-wide issues (e.g., regional outages), not resource-level configuration changes on a specific storage account. Option C is wrong because Log Analytics query alerts against VM guest logs can only detect changes within the VM's operating system, not changes to the storage account's Azure Resource Manager configuration.

576
MCQeasy

A web front end must automatically add or remove instances based on demand. The application is stateless and all instances should be managed as one group. Which Azure service should you use?

A.A single Azure VM with a larger size
B.Virtual Machine Scale Set
C.Availability set
D.Managed disk snapshots
AnswerB

A Virtual Machine Scale Set is designed for multiple similar VMs that need to scale together. It is a good fit for stateless workloads because instances can be added or removed without special per-VM configuration. You can also combine it with autoscale rules to respond to changing demand automatically.

Why this answer

Virtual Machine Scale Sets (VMSS) automatically scale the number of VM instances in or out based on demand or a defined schedule, making them ideal for stateless, horizontally scalable applications. They manage all instances as a single group behind a load balancer, ensuring uniform configuration and seamless scaling without manual intervention.

Exam trap

The trap here is that candidates confuse availability sets (which only provide fault tolerance) with auto-scaling, or mistakenly think that a single large VM can handle variable load by resizing, when the question explicitly requires automatic addition/removal of instances as a group.

How to eliminate wrong answers

Option A is wrong because scaling up a single large VM does not provide automatic horizontal scaling; it requires manual resizing and introduces a single point of failure. Option C is wrong because an availability set only distributes VMs across fault and update domains for high availability; it does not provide any auto-scaling capability. Option D is wrong because managed disk snapshots are point-in-time backups used for disaster recovery or cloning, not for dynamic instance management or scaling.

577
Multi-Select · medium

You are an Azure administrator for a company that runs critical virtual machines (VMs) in Azure. You need to configure a monitoring solution that will alert you when the average CPU usage of a specific VM exceeds 90% for more than 15 minutes. Which three of the following actions should you take to set up this alert? (Choose three.)

Select 3 answers
A. Create a metric alert rule in Azure Monitor targeting the VM's 'Percentage CPU' metric.
B. Configure the alert condition to fire when the average CPU usage is greater than 90 for a period of 15 minutes.
C. Define an action group that includes an email notification to the operations team.
D. Create a log alert rule based on the VM's performance counters collected in Log Analytics.
E. Enable Azure Diagnostic Settings on the VM to send performance data to a storage account.
F. Configure an Application Insights availability test to monitor the VM's CPU.

Why this answer

A metric alert rule in Azure Monitor is the correct approach because it directly monitors a specific metric like 'Percentage CPU' from the VM without requiring additional data collection. Configuring the condition to fire when the average CPU usage exceeds 90% for a period of 15 minutes ensures the alert triggers only after sustained high usage, reducing noise. Defining an action group with email notification is necessary to alert the operations team when the alert fires, completing the monitoring solution.

Exam trap

The trap here is that candidates often confuse metric alerts with log alerts or diagnostic settings, thinking that log-based monitoring is required for CPU alerts, when in fact metric alerts are the native, simpler solution for host-level metrics like CPU usage.

578
MCQ · easy

You want to deploy a resource group with Bicep and see the changes Azure plans to make before you apply them. Which command should you run?

A. az deployment group what-if
B. az deployment group create
C. az group delete
D. az vm update
Answer: A

The what-if command previews planned changes so you can review them before deploying the template.

Why this answer

The `az deployment group what-if` command is correct because it performs a dry run of a Bicep (or ARM) deployment against a resource group, showing the changes Azure would make (create, modify, delete) without actually applying them. This lets you review the impact before executing the real deployment.

Exam trap

The trap here is that candidates often confuse `az deployment group what-if` with `az deployment group create`, assuming that `create` also provides a preview, but `create` immediately applies changes without any dry-run capability.

How to eliminate wrong answers

Option B is wrong because `az deployment group create` immediately deploys the Bicep template and applies the changes to the resource group, without providing a preview of the changes. Option C is wrong because `az group delete` removes the entire resource group and all its resources, which is destructive and unrelated to previewing deployment changes. Option D is wrong because `az vm update` modifies an existing virtual machine's properties, not a resource group deployment, and does not offer a what-if preview.

579
MCQ · medium

A team standardizes 30 Windows VMs for a line-of-business application. They install IIS, a monitoring agent, and baseline security settings on one reference VM. Future deployments must use that same build and be easy to version. Which Azure feature should the administrator create?

A. A snapshot of the reference VM's OS disk
B. An image version in Azure Compute Gallery
C. An availability set for the reference VM
D. A custom script extension on each new VM
Answer: B

Azure Compute Gallery is designed for publishing, versioning, and distributing custom VM images. It lets administrators capture a hardened reference image, create managed versions, and deploy consistent new VMs from that approved build across environments or regions.

Why this answer

B is correct because an image version in Azure Compute Gallery (formerly Shared Image Gallery) captures the entire VM configuration—including IIS, monitoring agent, and security settings—into a reusable, versioned image. This allows the team to deploy standardized VMs from the same build and easily manage updates by creating new image versions, meeting the requirements for consistency and versioning.

Exam trap

The trap here is that candidates often confuse a snapshot with an image, thinking a snapshot can be used to deploy standardized VMs, but snapshots lack versioning, regional replication, and the ability to create multiple VMs directly without additional conversion steps.

How to eliminate wrong answers

Option A is wrong because a snapshot of the OS disk captures only the disk state at a point in time, not a deployable image; it cannot be used to create multiple VMs with the same build across regions or subscriptions without additional manual steps, and it lacks versioning capabilities. Option C is wrong because an availability set is a logical grouping for high availability that distributes VMs across fault and update domains; it does not capture or replicate the VM's configuration or software build. Option D is wrong because a custom script extension runs scripts on existing VMs to install software or apply settings, but it does not create a reusable, versioned image; each new VM would need to run the extension, which is not a build-based deployment approach.

580
MCQ · medium

Your operations team wants to query collected VM log data by using Kusto Query Language and retain it centrally for analysis. Which Azure resource should you deploy?

A. A Log Analytics workspace
B. An availability set
C. A local user account on each VM
D. A network security group
Answer: A

This is the central log store and query platform for Azure Monitor Logs.

Why this answer

A Log Analytics workspace is the correct Azure resource because it serves as the central repository for VM log data collected via Azure Monitor agents. It supports Kusto Query Language (KQL) for querying and analyzing the collected data, enabling the operations team to perform advanced log analytics and retention. This aligns directly with the requirement to query and retain VM log data centrally.

Exam trap

The trap here is that candidates might confuse a Log Analytics workspace with a simple storage account or think that local accounts or NSGs can somehow be used for log aggregation, but only a Log Analytics workspace provides the KQL query engine and central retention required for this scenario.

How to eliminate wrong answers

Option B is wrong because an availability set is a VM placement configuration that ensures high availability during planned or unplanned maintenance events; it does not collect, store, or query log data. Option C is wrong because a local user account on each VM provides authentication access to the VM but cannot aggregate or query log data across multiple VMs or retain it centrally. Option D is wrong because a network security group (NSG) filters inbound and outbound traffic at the subnet or NIC level using security rules; it has no capability to collect, store, or query log data.

581
MCQ · medium

Based on the exhibit, a support lead must manage role assignments for RG-Apps so the team can grant or revoke access for others. The support lead must not be able to change resource configurations. Which role should you assign?

A. Owner at RG-Apps
B. Contributor at RG-Apps
C. User Access Administrator at RG-Apps
D. Reader at RG-Apps
Answer: C

User Access Administrator is designed specifically for managing Azure RBAC access without granting full resource configuration rights. Assigning it at the resource group scope lets the support lead create and remove role assignments for RG-Apps while avoiding unnecessary management permissions.

Why this answer

The User Access Administrator role at the RG-Apps scope allows the support lead to manage role assignments (grant or revoke access) for others without having permissions to modify resource configurations. This role is specifically designed for delegating access management while preventing changes to the resources themselves, which aligns with the requirement.

Exam trap

The trap here is that candidates often confuse the Contributor role (which can manage resources but not access) with the User Access Administrator role, or mistakenly think the Owner role is required for managing role assignments, overlooking the specific delegation capability of User Access Administrator.

How to eliminate wrong answers

Option A is wrong because the Owner role at RG-Apps includes full administrative access, allowing the support lead to change resource configurations, which violates the requirement. Option B is wrong because the Contributor role can create and manage resources but cannot grant or revoke access to others, failing the primary requirement. Option D is wrong because the Reader role only allows viewing resources and configurations, with no permissions to manage role assignments or change anything.

582
MCQ · medium

A storage automation service principal must upload, read, and delete blob data in one container by using Microsoft Entra authentication. It must not manage storage account settings, keys, or other containers. Which approach is best?

A. Assign Storage Account Contributor at the resource group scope.
B. Create a custom role with blob dataActions only and assign it at the container scope.
C. Assign Reader and give the service principal a storage account access key.
D. Assign Contributor at the subscription scope and restrict access with naming conventions.
Answer: B

This allows data access while avoiding storage account management permissions and limiting scope.

Why this answer

Option B is correct because it creates a custom Azure RBAC role with only the required blob data actions (e.g., Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read, write, delete) and assigns it at the container scope. This ensures the service principal can upload, read, and delete blobs in that specific container using Microsoft Entra authentication, without any permissions to manage storage account settings, keys, or other containers.

Exam trap

The trap here is that candidates often confuse built-in roles like Storage Blob Data Contributor (which works at the storage account scope) with the need for a custom role at the container scope, or they mistakenly think that assigning a management role like Contributor combined with an access key satisfies the requirement for Microsoft Entra authentication and container-specific access.

How to eliminate wrong answers

Option A is wrong because Storage Account Contributor at the resource group scope grants full management access to the storage account, including the ability to manage account settings, keys, and all containers, which violates the requirement to not manage storage account settings or other containers. Option C is wrong because assigning Reader and giving the service principal a storage account access key bypasses Microsoft Entra authentication and grants full data access to all blobs in the storage account via the key, not just the specified container. Option D is wrong because Contributor at the subscription scope grants extensive management permissions across all resources in the subscription, and naming conventions are not a security control; they cannot restrict access to a specific container.
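Added example (not part of the original question bank): a custom role definition shaped the way Option B describes, blob dataActions only and a single container as the assignable scope, next to a deliberately over-broad definition, plus a small lint function that flags the three things the wrong answers introduce (management-plane actions such as key listing, wildcard data actions, and a scope wider than the container). The subscription ID, resource group, storage account and container names are placeholders; `lint_role` and the role names are this example's own, not an Azure API.

```python
import json

# Constructed placeholders, not real Azure identifiers.
SUBSCRIPTION = "00000000-0000-0000-0000-000000000000"
RESOURCE_GROUP_SCOPE = f"/subscriptions/{SUBSCRIPTION}/resourceGroups/rg-automation"
CONTAINER_SCOPE = (
    RESOURCE_GROUP_SCOPE
    + "/providers/Microsoft.Storage/storageAccounts/stautomation"
    + "/blobServices/default/containers/exports"
)
BLOB_PREFIX = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/"

# Least-privilege definition: data plane only, one container only.
CUSTOM_ROLE = {
    "Name": "Blob Data Automation (exports container)",
    "IsCustom": True,
    "Description": "Upload, read and delete blobs in one container; no management-plane rights.",
    "Actions": [],
    "NotActions": [],
    "DataActions": [BLOB_PREFIX + "read", BLOB_PREFIX + "write", BLOB_PREFIX + "delete"],
    "NotDataActions": [],
    "AssignableScopes": [CONTAINER_SCOPE],
}

# What not to do: key access (defeats Entra-only auth), wildcard data actions, RG scope.
TOO_BROAD_ROLE = {
    "Name": "Blob Data Automation (over-broad example)",
    "IsCustom": True,
    "Description": "Counter-example for the lint function.",
    "Actions": ["Microsoft.Storage/storageAccounts/listKeys/action"],
    "NotActions": [],
    "DataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*"],
    "NotDataActions": [],
    "AssignableScopes": [RESOURCE_GROUP_SCOPE],
}


def lint_role(role, container_scope):
    """Return a list of findings; an empty list means the role matches the
    'blob dataActions only, container scope only' requirement."""
    findings = []
    # Any control-plane action means the principal can touch account settings or keys.
    if role.get("Actions"):
        findings.append("management-plane Actions present: " + ", ".join(role["Actions"]))
    for action in role.get("DataActions", []):
        if "*" in action:
            findings.append(f"wildcard data action: {action}")
        elif not action.startswith(BLOB_PREFIX):
            findings.append(f"non-blob data action: {action}")
    # The only acceptable assignable scope is the one container.
    for scope in role.get("AssignableScopes", []):
        if scope != container_scope:
            findings.append(f"assignable scope broader than the container: {scope}")
    return findings


def role_definition_json(role):
    """Serialize the definition in the JSON layout a custom role file uses."""
    return json.dumps(role, indent=2)


if __name__ == "__main__":
    print("custom role findings:", lint_role(CUSTOM_ROLE, CONTAINER_SCOPE))
    print("over-broad role findings:", lint_role(TOO_BROAD_ROLE, CONTAINER_SCOPE))
    print(role_definition_json(CUSTOM_ROLE))
```

The definition can be written to a file and created with `az role definition create --role-definition @role.json`; the listKeys finding is the same weakness as Option C, because any principal that can list keys has full data access to every container in the account regardless of its data-plane role.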

583
MCQ · medium

Based on the exhibit, the operations team wants an alert that fires when any VM has not sent a heartbeat in the last 15 minutes. Which KQL query should they use as the condition for the log alert?

A. Heartbeat | summarize LastSeen=max(TimeGenerated) by Computer | where LastSeen > ago(15m)
B. Heartbeat | summarize LastSeen=max(TimeGenerated) by Computer | where LastSeen < ago(15m)
C. Heartbeat | where TimeGenerated > ago(15m) | summarize count() by Computer | where count() == 0
D. Heartbeat | distinct Computer | where Computer == "VM01"
Answer: B

This query summarizes the most recent heartbeat per computer and then filters for systems whose latest record is older than 15 minutes. That matches the requirement to alert when a VM has stopped sending heartbeat data.

Why this answer

Option B is correct because the query uses `summarize max(TimeGenerated) by Computer` to get the latest heartbeat timestamp per VM, then filters with `where LastSeen < ago(15m)` to identify VMs whose last heartbeat is older than 15 minutes. This directly matches the alert condition: any VM that has not sent a heartbeat in the last 15 minutes.

Exam trap

The trap here is that candidates often confuse the direction of the time comparison, picking Option A (which fires on VMs that *have* sent a heartbeat recently) instead of Option B (which fires on VMs that have *not* sent a heartbeat recently).

How to eliminate wrong answers

Option A is wrong because `where LastSeen > ago(15m)` selects VMs that have sent a heartbeat within the last 15 minutes, which is the opposite of the desired condition. Option C is wrong because `where TimeGenerated > ago(15m)` filters to only heartbeats in the last 15 minutes, then `summarize count() by Computer` will never produce a count of 0 for any VM that had a heartbeat in that window; VMs with no heartbeat are simply not present in the result set, so the `where count() == 0` condition will never match. Option D is wrong because it only checks for a specific VM named 'VM01' and does not evaluate heartbeat timing at all, failing to meet the requirement for any VM.
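Added example (not from the original question bank): the logic of Options A, B and C re-implemented in Python over a constructed set of Heartbeat rows, so you can see why Option B returns the silent VMs, why Option A is its mirror image, and why Option C's `count() == 0` can never match. It also adds the check a defender usually wants next to Option B: comparing against an inventory, because a VM whose rows fall entirely outside the data the query sees drops out of the `summarize` result just as it does in Option C. The VM names, timestamps and function names are this example's own assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed Heartbeat rows (Computer, TimeGenerated); not real telemetry.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
HEARTBEATS = [
    ("VM01", NOW - timedelta(minutes=2)),    # healthy
    ("VM01", NOW - timedelta(minutes=32)),
    ("VM02", NOW - timedelta(minutes=40)),   # silent for 40 minutes
    ("VM02", NOW - timedelta(minutes=70)),
    ("VM03", NOW - timedelta(minutes=16)),   # just over the threshold
    ("VM04", NOW - timedelta(minutes=15)),   # exactly on the boundary
]


def last_seen_by_computer(rows):
    """Heartbeat | summarize LastSeen=max(TimeGenerated) by Computer"""
    last = {}
    for computer, ts in rows:
        if computer not in last or ts > last[computer]:
            last[computer] = ts
    return last


def stale_computers(rows, now, threshold=timedelta(minutes=15)):
    """Option B: | where LastSeen < ago(15m)  ->  VMs silent for more than 15 minutes."""
    cutoff = now - threshold
    return sorted(c for c, ts in last_seen_by_computer(rows).items() if ts < cutoff)


def recent_computers(rows, now, threshold=timedelta(minutes=15)):
    """Option A: | where LastSeen > ago(15m)  ->  the healthy VMs, the opposite set."""
    cutoff = now - threshold
    return sorted(c for c, ts in last_seen_by_computer(rows).items() if ts > cutoff)


def option_c_counts(rows, now, threshold=timedelta(minutes=15)):
    """Option C: filter to the window first, then count per Computer.
    A VM with no rows in the window is absent from the result, so no row ever
    has count() == 0 and the returned dict is always empty."""
    cutoff = now - threshold
    counts = {}
    for computer, ts in rows:
        if ts > cutoff:
            counts[computer] = counts.get(computer, 0) + 1
    return {c: n for c, n in counts.items() if n == 0}


def silent_against_inventory(rows, now, expected, threshold=timedelta(minutes=15)):
    """Defender's caveat for Option B: summarize only sees rows that exist. A VM that
    never reported, or whose last row is older than the query's time range, is not in
    the result at all. Diffing against an inventory of expected VMs catches those."""
    seen_recently = set(recent_computers(rows, now, threshold))
    return sorted(set(expected) - seen_recently)


if __name__ == "__main__":
    print("Option B (alert on):", stale_computers(HEARTBEATS, NOW))
    print("Option A (healthy):", recent_computers(HEARTBEATS, NOW))
    print("Option C:", option_c_counts(HEARTBEATS, NOW))
    print("vs inventory:", silent_against_inventory(HEARTBEATS, NOW, ["VM01", "VM02", "VM03", "VM04", "VM05"]))
```

Two points the exam question leaves implicit: the comparison is strict, so a VM whose last heartbeat is exactly 15 minutes old matches neither Option A nor Option B; and when this query runs inside a log alert rule, set the rule's query time range wider than 15 minutes (for example one hour), otherwise the stale rows are outside the data the query sees and the silent VM disappears from the `summarize` output, which is the same failure mode as Option C.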

584
MCQ · medium

A subnet has a NAT gateway attached, but outbound internet traffic from the VMs is still leaving through a network virtual appliance. The subnet's route table includes a user-defined route for 0.0.0.0/0 with the next hop set to Virtual appliance. The business wants internet traffic to use the NAT gateway while keeping any required specific routes to on-premises networks. What should the administrator do?

A. Keep the default route and add a second NAT gateway to the subnet.
B. Remove the 0.0.0.0/0 user-defined route and keep only specific routes for private prefixes.
C. Disable network security groups on the subnet so the NAT gateway becomes active.
D. Set gateway route propagation to Disabled so the NAT gateway is preferred.
Answer: B

A subnet-level 0.0.0.0/0 UDR to a virtual appliance overrides the system route that would otherwise let the NAT gateway handle internet-bound traffic. Removing that default route restores normal outbound internet handling through the NAT gateway, while more specific routes for on-premises or private destinations can remain in place. This preserves both functionality and control.

Why this answer

Option B is correct because the user-defined route (UDR) for 0.0.0.0/0 with next hop Virtual appliance is overriding the NAT gateway's default route. NAT gateways require a default route (0.0.0.0/0) with next hop 'Internet' to direct outbound traffic through them. By removing the conflicting UDR and keeping only specific routes for on-premises prefixes, the subnet will use the NAT gateway for internet traffic while maintaining connectivity to on-premises networks via the remaining UDRs.

Exam trap

The trap here is that candidates mistakenly think NAT gateways can coexist with a default UDR to a virtual appliance, or that disabling gateway propagation or adding more NAT gateways will override the UDR, when in fact the UDR's higher priority always wins for the 0.0.0.0/0 prefix.

How to eliminate wrong answers

Option A is wrong because adding a second NAT gateway does not resolve the conflict; the existing UDR for 0.0.0.0/0 with next hop Virtual appliance will still take precedence over both NAT gateways, as UDRs have higher priority than system routes. Option C is wrong because network security groups (NSGs) do not affect routing decisions; they filter traffic at the subnet or NIC level but do not influence which next hop is used for outbound traffic. Option D is wrong because disabling gateway route propagation only affects routes learned from Azure VPN/ExpressRoute gateways, not user-defined routes; the UDR for 0.0.0.0/0 will still override the NAT gateway's default route.

585
MCQ · medium

A subnet has a route table with a 0.0.0.0/0 user-defined route to an on-premises virtual appliance. The business now wants Azure VM outbound internet traffic to use a NAT gateway so the public source IP stays consistent, and the firewall appliance is no longer required for internet egress. What should the administrator do?

A. Keep the default route to the virtual appliance and add the NAT gateway to the subnet.
B. Remove the 0.0.0.0/0 UDR and associate the NAT gateway with the subnet.
C. Change the route next hop to Virtual network gateway.
D. Create an NSG outbound rule that allows internet traffic from the subnet.
Answer: D

NAT gateway is used for outbound internet traffic when the subnet does not already force that traffic elsewhere. Because the 0.0.0.0/0 UDR sends all internet-bound packets to the virtual appliance, NAT gateway cannot provide the source IP. Removing the UDR allows the subnet to use the NAT gateway for outbound connectivity as intended.

Why this answer

Option B is correct because removing the 0.0.0.0/0 user-defined route (UDR) that points to the on-premises virtual appliance and associating a NAT gateway with the subnet ensures that all outbound internet traffic from Azure VMs uses the NAT gateway's public IP address. The NAT gateway automatically creates a default route (0.0.0.0/0) with a next hop type of 'Internet' for the subnet, overriding any conflicting UDRs. This provides a consistent source IP for internet egress without requiring the firewall appliance.

Exam trap

The trap here is that candidates may think a NAT gateway can coexist with a conflicting UDR (Option A) or that changing the next hop to a virtual network gateway (Option C) will provide internet egress, when in fact the UDR must be removed to allow the NAT gateway's default route to take effect.

How to eliminate wrong answers

Option A is wrong because keeping the 0.0.0.0/0 UDR to the virtual appliance would still route internet traffic through the firewall, bypassing the NAT gateway and failing to achieve the goal of using the NAT gateway for consistent source IP. Option C is wrong because changing the next hop to 'Virtual network gateway' would route traffic to a VPN or ExpressRoute gateway, which is not designed for NAT-based internet egress and would not provide a consistent public IP. Option D is wrong because an NSG outbound rule allowing internet traffic does not change the routing path; the subnet's route table still controls where traffic is forwarded, so without modifying the UDR, traffic would still go to the virtual appliance.
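Added example for questions 584 and 585 (not from the original question bank): a small Python model of Azure's route selection, longest prefix match first and then source precedence (user-defined over BGP over system), run against a constructed route table. It shows that a 0.0.0.0/0 UDR to a virtual appliance wins over the system default route that the NAT gateway relies on, that removing only that UDR hands internet-bound traffic back to the NAT gateway, and that a more specific UDR for an on-premises prefix keeps working either way. The prefixes, next-hop labels and the TEST-NET destination address are this example's own assumptions, and the next-hop strings follow the page's wording rather than the exact labels the portal shows.

```python
import ipaddress

# Source precedence Azure applies when two matching routes have the same prefix length:
# user-defined routes beat BGP-learned routes, which beat system (default) routes.
SOURCE_RANK = {"User": 0, "BGP": 1, "Default": 2}


def select_route(routes, destination):
    """Return the effective route for one destination IP, or None if nothing matches.
    Longest prefix wins; ties are broken by route source precedence."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dst in ipaddress.ip_network(r["prefix"])]
    if not candidates:
        return None
    return min(
        candidates,
        key=lambda r: (-ipaddress.ip_network(r["prefix"]).prefixlen, SOURCE_RANK[r["source"]]),
    )


def next_hop_for(routes, destination):
    route = select_route(routes, destination)
    return route["next_hop"] if route else None


# Constructed route set modelled on the two questions; not exported from a real subnet.
SYSTEM_ROUTES = [
    {"prefix": "10.10.0.0/16", "next_hop": "VnetLocal", "source": "Default"},
    {"prefix": "10.20.0.0/16", "next_hop": "VNetPeering", "source": "Default"},
    # The default route the NAT gateway depends on for internet egress.
    {"prefix": "0.0.0.0/0", "next_hop": "Internet", "source": "Default"},
]
UDR_DEFAULT_TO_NVA = {"prefix": "0.0.0.0/0", "next_hop": "VirtualAppliance", "source": "User"}
UDR_ONPREM = {"prefix": "192.168.0.0/16", "next_hop": "VirtualAppliance", "source": "User"}


def with_default_udr():
    """The broken state: a 0.0.0.0/0 UDR to the appliance plus a specific on-prem route."""
    return SYSTEM_ROUTES + [UDR_DEFAULT_TO_NVA, UDR_ONPREM]


def without_default_udr():
    """Option B: only the specific on-prem UDR remains; the default route is back to system."""
    return SYSTEM_ROUTES + [UDR_ONPREM]


if __name__ == "__main__":
    internet_dst = "203.0.113.10"  # TEST-NET-3 documentation address
    for label, table in (("with 0/0 UDR", with_default_udr()), ("without 0/0 UDR", without_default_udr())):
        print(label, "internet ->", next_hop_for(table, internet_dst),
              "| on-prem ->", next_hop_for(table, "192.168.5.5"),
              "| peered VNet ->", next_hop_for(table, "10.20.4.8"))
```

The model mirrors what the Effective routes view reports for a NIC: it is the combination of prefix length and source that decides, so neither an extra NAT gateway nor an NSG rule changes the winner, and only removing the conflicting 0.0.0.0/0 UDR does.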

586
MCQ · medium

Based on the exhibit, which restart policy should be configured for the container group?

A. Always
B. OnFailure
C. Never
D. UnlessStopped
Answer: C

Never is the correct restart policy for a one-time task that should stop after finishing successfully. The exhibit describes a batch-style import job, not a long-running service. Using Never ensures the container exits and stays stopped until the next deployment or scheduled run. That behavior matches operational expectations for a completed import process.

Why this answer

The container group in the exhibit is configured with a restart policy of 'Never' because it is designed to run a batch job that should execute once and then terminate. Azure Container Instances supports three restart policies: Always, OnFailure, and Never. Since the task is a one-time job, 'Never' ensures the container does not restart after completion, which is the correct choice for a single-run workload.

Exam trap

The trap here is that candidates confuse Docker's native restart policies (which include 'UnlessStopped') with Azure Container Instances' supported policies, leading them to select 'UnlessStopped' even though it is not available in ACI.

How to eliminate wrong answers

Option A is wrong because 'Always' would restart the container regardless of exit code, which is intended for long-running services like web servers, not for a batch job that should run once. Option B is wrong because 'OnFailure' would restart the container only if it exits with a non-zero exit code, but the exhibit shows the container is expected to complete successfully (exit code 0) and should not restart even on failure in this scenario. Option D is wrong because 'UnlessStopped' is not a valid restart policy for Azure Container Instances; it is a Docker-specific policy not supported in ACI.

587
MCQ · medium

After a Windows VM is deployed, an administrator must install IIS, copy application files, and run a post-deployment configuration script without connecting interactively to the server. Which Azure feature should be used?

A. Custom Script Extension.
B. An availability zone assignment.
C. A route table association.
D. A user-assigned managed identity alone.
Answer: A

The Custom Script Extension runs post-provisioning commands and scripts on a VM without interactive login.

Why this answer

The Custom Script Extension (CSE) is the correct Azure feature because it allows you to run scripts on an Azure VM after deployment without requiring interactive login. It is specifically designed for post-deployment configuration tasks like installing IIS, copying application files, and executing configuration scripts, all executed via the Azure VM agent.

Exam trap

The trap here is that candidates may confuse the Custom Script Extension with other automation tools like Azure Automation or Desired State Configuration (DSC), but the question specifically requires a feature that runs a script post-deployment without interactive login, and CSE is the direct, lightweight solution for that task.

How to eliminate wrong answers

Option B is wrong because an availability zone assignment is a high-availability feature that distributes VMs across physically separate datacenters within a region; it does not execute scripts or configure software. Option C is wrong because a route table association controls network traffic routing for subnets or network interfaces, not post-deployment software installation or configuration. Option D is wrong because a user-assigned managed identity alone provides Azure AD authentication for the VM to access Azure resources (e.g., Key Vault, Storage) but does not run scripts or install software; it must be combined with an extension or other mechanism to execute commands.

588
Multi-Select · medium

A platform team wants to prevent engineers from creating VM sizes that are not approved, but they also need the engineers to be able to restart their own VMs. Which two statements are correct? Select two.

Select 2 answers
A. Use Azure Policy to deny creation of nonapproved VM sizes.
B. Use Azure RBAC to grant the restart action on the VMs.
C. Use Azure Policy to grant restart permission when the VM is compliant.
D. Use a resource lock to approve only specific VM sizes.
E. Use tags to enforce the approved VM size list and restart action.
Answers: A, B

Azure Policy can enforce allowed VM size rules at deployment time, which is exactly what you want for blocking unapproved sizes.

Why this answer

Option A is correct because Azure Policy can enforce organizational standards by denying the creation of non-approved VM sizes through built-in policies like 'Allowed virtual machine SKUs'. This prevents engineers from provisioning unapproved VM sizes at the time of creation, ensuring compliance without blocking other actions. Option B is correct because Azure RBAC allows granular permission assignment, such as granting the 'Microsoft.Compute/virtualMachines/restart/action' to engineers, enabling them to restart their own VMs without granting broader management rights.

Exam trap

The trap here is confusing Azure Policy (which enforces compliance on resource creation) with Azure RBAC (which controls permissions on existing resources), leading candidates to incorrectly assign policy to grant permissions or RBAC to deny creation.

589
MCQ · hard

A records team stores monthly regulatory exports in a blob container. The files are rarely opened, but auditors may request one specific file later the same day. The team wants the lowest storage cost possible while keeping a path to restore a single file on demand. Which approach should you use?

A. Keep the blobs in the Hot tier and rely on lifecycle rules to delete them after 90 days.
B. Move the blobs to the Archive tier and use high-priority rehydration when a file is requested.
C. Move the blobs to the Cool tier because it is offline until accessed.
D. Use the Cold tier because it requires a rehydration job before the blob becomes readable.
Answer: B

Archive is the correct storage tier when the files are rarely accessed and cost reduction is the priority. Archived blobs are offline, so they cannot be read immediately. However, if auditors need one file later the same day, the administrator can initiate rehydration. High-priority rehydration is the best choice when faster access is needed for a specific archived blob and the team is willing to pay for the quicker retrieval path.

Why this answer

The Archive tier offers the lowest storage cost for rarely accessed data, and high-priority rehydration allows a single file to be restored within approximately one hour, meeting the auditor's same-day request requirement. This approach minimizes cost while retaining the ability to retrieve a specific file on demand.

Exam trap

The trap here is that candidates confuse the Archive tier's offline nature with the Cool or Cold tiers, or assume that the lowest storage cost must come from an online tier, ignoring that Archive's rehydration feature still allows on-demand retrieval at a higher retrieval cost but lower overall storage expense.

How to eliminate wrong answers

Option A is wrong because keeping blobs in the Hot tier incurs the highest storage cost, and lifecycle rules only delete blobs after 90 days, not reduce cost for rarely accessed data. Option C is wrong because the Cool tier is not offline; it is an online tier with higher storage cost than Archive and no rehydration requirement, but it does not provide the lowest storage cost. Option D is wrong because the Cold tier (if referring to Azure's Cold tier, which is a sub-tier of Cool) is online and does not require a rehydration job; the statement incorrectly describes it as requiring rehydration, which is a property of the Archive tier.

590
MCQ · medium

A storage account has public network access disabled. An app in a VNet must read and write blobs privately, and the team wants the blob endpoint name to resolve to a private IP without exposing the service publicly. What should the administrator configure?

A. A service endpoint on the subnet and a storage firewall allow rule.
B. A public IP address for the app and allow access from that IP in the storage firewall.
C. An NSG rule that allows outbound TCP 443 from the app subnet to storage.
D. A private endpoint for the storage account and a private DNS zone for blob name resolution.
Answer: D

Private endpoints give the storage service a private IP in the VNet, and DNS must resolve to it.

Why this answer

Option D is correct because a private endpoint assigns the storage account a private IP from the VNet, ensuring all traffic to the blob endpoint stays within Microsoft's backbone. A private DNS zone (e.g., `privatelink.blob.core.windows.net`) is required so that the blob endpoint name resolves to that private IP instead of the public IP, meeting the requirement for private name resolution without any public exposure.

Exam trap

The trap here is that candidates confuse service endpoints (which only provide source IP preservation and firewall rules) with private endpoints (which provide a true private IP and private DNS resolution), leading them to pick Option A thinking it achieves private connectivity when it does not change the public DNS resolution.

How to eliminate wrong answers

Option A is wrong because a service endpoint does not assign a private IP to the storage account; it only extends the VNet's identity to the service, and the blob endpoint still resolves to a public IP, which violates the requirement for private name resolution. Option B is wrong because assigning a public IP to the app and allowing that IP in the storage firewall still exposes the storage account to the public internet (the firewall rule only restricts access, but the endpoint remains publicly resolvable). Option C is wrong because an NSG rule controlling outbound TCP 443 does not change how the blob endpoint name resolves; it only permits traffic, but the name still resolves to a public IP, failing the private resolution requirement.

591
MCQ · hard

Based on the exhibit, what should the administrator configure so the VM in the spoke VNet can resolve internal hostnames that are hosted on the DNS server in the hub VNet? The team has already verified that IP connectivity between the spoke VM and the hub VM works.

A. Set the SpokeVNet DNS server list to use 10.40.0.4 so the spoke queries the hub resolver directly.
B. Create a private endpoint for web01.corp.contoso.local in the spoke VNet so DNS resolves automatically.
C. Enable gateway transit on the peering so the spoke inherits the hub VNet DNS configuration.
D. Add inbound and outbound NSG rules allowing UDP and TCP port 53 between the two VNets.
Answer: A

The spoke already has network connectivity to the hub, so the remaining problem is name resolution. Azure VNet peering does not copy DNS settings from one VNet to another. By configuring the spoke to use the hub DNS server, queries for the internal zone are sent to the resolver that actually hosts or forwards that namespace.

Why this answer

Option A is correct because setting the SpokeVNet DNS server list to 10.40.0.4 (the IP of the DNS server in the hub VNet) configures the spoke VNet to forward all DNS queries to that custom DNS server. Since IP connectivity between the VNets is already verified, the spoke VM can resolve internal hostnames hosted on the hub DNS server. This is the standard method for cross-VNet DNS resolution when using a custom DNS server in a hub-and-spoke topology.

Exam trap

The trap here is that candidates often confuse VNet peering's gateway transit feature with DNS settings inheritance, but gateway transit only applies to network gateway routes, not DNS server configuration.

How to eliminate wrong answers

Option B is wrong because a private endpoint is used to connect privately to an Azure PaaS service (e.g., Azure SQL, Storage) and does not resolve custom internal hostnames hosted on a VM DNS server; it creates a network interface with a private IP for the PaaS resource, not a DNS resolution mechanism for arbitrary hostnames. Option C is wrong because gateway transit on VNet peering only allows the spoke VNet to use the hub's VPN/ExpressRoute gateway for outbound connectivity to on-premises networks; it does not inherit or propagate DNS server settings between VNets. Option D is wrong because while NSG rules allowing UDP/TCP port 53 are necessary for DNS traffic, the question states IP connectivity already works, implying the underlying network path is open; the core issue is DNS configuration, not firewall rules, and adding NSG rules alone does not configure the spoke to use the hub DNS server.

592
Multi-Select · hard

After applying a custom image, a Linux VM stops at a black screen before the sign-in prompt. The administrator cannot use RDP or SSH and needs the fastest way to inspect the boot process. Which two actions should they take? Select two.

Select 2 answers
A. Enable Boot diagnostics on the virtual machine.
B. Review the screenshot and serial log in Boot diagnostics.
C. Reimage the VM immediately to a clean managed disk.
D. Increase the VM size to a larger SKU.
E. Reset the network interface configuration from the portal.
Answers: A, B

Correct. Boot diagnostics captures startup output even when the guest OS does not finish booting.

Why this answer

Enabling Boot diagnostics on the virtual machine allows the administrator to capture serial console output and screenshots of the VM during boot. This is the fastest way to inspect the boot process without requiring network connectivity (RDP/SSH), as the serial log provides kernel-level messages and the screenshot shows the display state at the point of failure.

Exam trap

The trap here is that candidates may assume RDP/SSH are the only ways to diagnose a VM, overlooking that Boot diagnostics provides out-of-band access to boot-time information even when the OS is unresponsive.

593
MCQ · hard

After a user-defined route and VNet peering were added, a VM in a spoke subnet still does not reach 10.20.4.8 as expected. You need to confirm which route Azure will actually select on that VM's NIC, including any propagated routes and the route that wins. Which Network Watcher tool should you use?

A. Connection troubleshoot
B. Effective routes
C. IP flow verify
D. Packet capture
Answer: B

Effective routes shows the routes applied to the NIC and which next hop Azure will use for the destination.

Why this answer

Effective routes displays the actual routes applied to a network interface, including user-defined routes (UDRs), BGP-propagated routes, and VNet peering routes, along with the route priority (based on the longest prefix match and route source precedence). This allows you to see exactly which route wins for the destination 10.20.4.8, resolving why the VM cannot reach it despite the configured UDR and peering.

Exam trap

The trap here is that candidates confuse 'IP flow verify' (which checks NSG rules) with route verification, but IP flow verify does not show the routing table or the winning route for a destination IP.

How to eliminate wrong answers

Option A is wrong because Connection troubleshoot tests end-to-end connectivity between a source and destination, but it does not show the routing table or which specific route is selected on the NIC. Option C is wrong because IP flow verify checks whether traffic is allowed or denied by network security groups (NSGs) for a given 5-tuple, not which route is chosen from the routing table. Option D is wrong because Packet capture captures raw network traffic for analysis, but it does not provide the effective routing decision or the route selection logic.

594
MCQ · medium

A policy that requires secure transfer for storage accounts has been assigned to a subscription with the DeployIfNotExists effect. Several existing storage accounts are still noncompliant and have not changed. What should you do next to update those existing resources automatically?

A. Assign a CanNotDelete lock to the storage accounts
B. Create and run a remediation task for the policy assignment
C. Move the storage accounts into a new resource group
D. Grant the administrators a higher RBAC role on the subscription
Answer: B

A remediation task applies the policy's corrective effect to existing resources so they can be brought into compliance.

Why this answer

The DeployIfNotExists effect on a policy assignment automatically deploys a template to remediate noncompliant resources, but only for new or updated resources. Existing noncompliant resources require a manual remediation task to trigger the deployment of the template. Creating and running a remediation task for the policy assignment applies the required secure transfer configuration to all existing storage accounts, bringing them into compliance.

Exam trap

The trap here is that candidates assume DeployIfNotExists automatically remediates all existing resources, but it only applies to new or updated resources, requiring a separate remediation task for existing noncompliant resources.

How to eliminate wrong answers

Option A is wrong because a CanNotDelete lock prevents deletion of the storage accounts but does not apply any configuration changes, so it cannot enforce the secure transfer requirement. Option C is wrong because moving storage accounts to a new resource group does not change their existing configuration; they remain noncompliant unless the policy is reassigned and a remediation task is run. Option D is wrong because granting a higher RBAC role (e.g., Owner) does not automatically apply policy effects; it only provides permissions, and the policy assignment still requires a remediation task to update existing resources.

595
MCQ · hard

Based on the exhibit, which change should the administrator make so the application identity remains stable across VM redeployments without reapplying RBAC assignments?

A. Keep the system-assigned identity and reapply the same RBAC roles after each rebuild.
B. Create a user-assigned managed identity and attach it to the VM template.
C. Store a local administrator password in Key Vault and use it for Azure resource access.
D. Replace the identity with a shared access signature so the VM can authenticate to Azure services.
Answer: B

A user-assigned managed identity is an independent Azure resource. It survives VM deletion and redeployment, so RBAC assignments remain valid.

Why this answer

A user-assigned managed identity is decoupled from the VM lifecycle, so it persists independently of VM redeployments. By attaching the same user-assigned identity to the new VM instance, the application retains its Azure AD object ID and all existing RBAC role assignments remain valid without requiring reapplication.

Exam trap

The trap here is that candidates often confuse system-assigned and user-assigned managed identities, assuming both persist across VM redeployments, but only user-assigned identities survive VM deletion because they are separate Azure resources.

How to eliminate wrong answers

Option A is wrong because a system-assigned managed identity is tied to the VM's lifecycle; when the VM is deleted or rebuilt, the identity is destroyed and a new one is created, requiring RBAC roles to be reassigned. Option C is wrong because storing a local administrator password in Key Vault does not provide an Azure AD identity for the application to authenticate to Azure services; it only manages a local credential. Option D is wrong because a shared access signature (SAS) is a token for delegated access to specific Azure storage resources, not an identity that can be used for general Azure resource access or RBAC assignments.

596
MCQ · medium

An enterprise wants to enforce three governance controls for all subscriptions under a management group: allowed locations, required tags, and permitted VM sizes. The team wants a single place to assign and track compliance for all three controls. What should the administrator use?

A. Three separate policy assignments at each subscription
B. One policy initiative assigned at the management group
C. A custom RBAC role assigned to each subscription
D. A resource lock on each subscription
Answer: B

An initiative groups related policies and can be assigned once to cover all subscriptions beneath the management group.

Why this answer

A policy initiative (also known as a policy set) allows you to group multiple policy definitions (e.g., allowed locations, required tags, permitted VM sizes) into a single, reusable package. Assigning this initiative at the management group level enforces all three governance controls across every subscription under that management group, providing a single place to assign and track compliance via Azure Policy's compliance dashboard.

Exam trap

The trap here is confusing Azure Policy (which enforces rules on resource properties) with RBAC (which controls access permissions) or resource locks (which prevent deletion), leading candidates to pick a solution that addresses a different concern than governance compliance.

How to eliminate wrong answers

Option A is wrong because creating three separate policy assignments at each subscription would require manual effort for every subscription, lacks centralized tracking, and violates the requirement for a single place to assign and track compliance. Option C is wrong because a custom RBAC role controls permissions (who can do what), not governance rules (what resources are allowed), and cannot enforce allowed locations, required tags, or permitted VM sizes. Option D is wrong because a resource lock only prevents accidental deletion or modification of resources; it does not enforce any governance controls such as allowed locations or required tags.

597
MCQ · easy

A team has an approved Windows VM that already includes their application, patches, and monitoring agent. They want future VMs to start with the same configuration. What should they use?

A. A managed image created from the approved VM
B. An availability set
C. A snapshot of the OS disk
D. A larger virtual machine size
Answer: A

A managed image captures the configured operating system and installed software so you can deploy new VMs with the same baseline. This is the simplest way to standardize a known-good VM configuration for repeated use. It fits the requirement because the team wants future VMs to start from the same approved setup, not rebuild the software manually each time. It is an operationally common choice for consistent VM deployment.

Why this answer

A managed image captures the entire VM configuration, including the OS, application, patches, and monitoring agent, allowing you to create multiple identical VMs from a single source. Unlike a snapshot, which is tied to a specific disk and requires manual steps to replicate the full VM setup, a managed image provides a reusable template for consistent deployments. This approach ensures future VMs start with the exact same configuration as the approved VM.

Exam trap

The trap here is that candidates often confuse a snapshot with a managed image, not realizing that a snapshot only captures a single disk's state and lacks the VM-level configuration needed to create a fully functional VM directly.

How to eliminate wrong answers

Option B is wrong because an availability set is a logical grouping of VMs to ensure high availability across fault and update domains, not a mechanism to capture or replicate a VM's configuration. Option C is wrong because a snapshot of the OS disk captures only the disk state at a point in time, but it does not include the VM's metadata, network settings, or other attached disks, requiring additional steps to create a full VM from it. Option D is wrong because a larger VM size changes the hardware resources (CPU, RAM) but does not preserve or replicate the software configuration, patches, or applications of the approved VM.

598
MCQ · hard

Your company must retain Azure Activity Log data beyond the built-in retention period and make it available for long-term analysis. Which configuration should you use?

A. Diagnostic settings for the Activity Log
B. A ReadOnly lock on the subscription
C. An availability set
D. NSG flow logs only
Answer: A

Diagnostic settings export Activity Log data to supported long-term destinations.

Why this answer

Azure Activity Log is retained by default for 90 days. To store data beyond this period for long-term analysis, you must configure diagnostic settings to route the Activity Log to a Log Analytics workspace (for querying) or an Azure Storage account (for archival). This is the only native mechanism to extend retention and enable long-term analysis.

Exam trap

The trap here is that candidates confuse the built-in 90-day retention of the Activity Log with the ability to extend it, mistakenly thinking a lock or other resource configuration can preserve the data, when only diagnostic settings provide the export and retention control needed.

How to eliminate wrong answers

Option B is wrong because a ReadOnly lock prevents accidental deletion or modification of resources but does not extend data retention or enable long-term analysis of Activity Log data. Option C is wrong because an availability set is a VM high-availability configuration that groups VMs to protect against rack-level failures; it has no relation to log retention or analysis. Option D is wrong because NSG flow logs capture IP traffic data for network security groups, not Azure Activity Log events; they are used for network monitoring, not subscription-level operational auditing.

599
MCQ · medium

You need to connect VNet-Hub and VNet-Spoke so that resources in both virtual networks can communicate privately over the Microsoft backbone. Both virtual networks are in the same region. What should you configure?

A. Virtual network peering
B. A site-to-site VPN
C. A network security group
D. An Azure Policy assignment
Answer: A

VNet peering is the correct solution for private, low-latency communication between Azure VNets.

Why this answer

Virtual network peering (A) is the correct solution because it enables direct, private connectivity between two virtual networks over the Microsoft backbone infrastructure. Since both VNets are in the same region, you can use standard VNet peering, which routes traffic between the peered networks using only private IP addresses, with no internet transit or gateway required. This meets the requirement for private communication without any additional VPN or gateway overhead.

Exam trap

Microsoft often tests the misconception that a site-to-site VPN is required for private connectivity between VNets, but VNet peering is the native, simpler solution for same-region private communication over the Microsoft backbone.

How to eliminate wrong answers

Option B is wrong because a site-to-site VPN requires a VPN gateway in each VNet and tunnels traffic over the internet or ExpressRoute, which adds latency, cost, and complexity compared to the simpler, lower-latency VNet peering for same-region connectivity. Option C is wrong because a network security group (NSG) is a stateful firewall that filters traffic at the subnet or NIC level; it does not establish connectivity between VNets and cannot enable routing or private communication between them. Option D is wrong because an Azure Policy assignment enforces compliance rules (e.g., tagging, allowed SKUs) but does not create network connectivity; it cannot route traffic between VNets or provide private communication.

600
MCQ · easy

You need one assignment that requires a cost-center tag and also allows only approved locations. What should you use?

A. A policy initiative
B. A role assignment
C. A resource lock
D. A management group
Answer: A

An initiative groups multiple related policies into a single assignment for easier governance.

Why this answer

A policy initiative is the correct choice because it allows you to group multiple Azure Policy definitions (such as 'Require a cost-center tag' and 'Allowed locations') into a single, reusable assignment. This ensures both conditions are enforced simultaneously at a scope like a subscription or resource group, meeting the requirement for a cost-center tag and location restriction.

Exam trap

The trap here is that candidates often confuse a policy initiative with a management group, thinking the management group itself enforces rules, but a management group is only a hierarchy container; you must assign a policy or initiative to it to enforce compliance.

How to eliminate wrong answers

Option B is wrong because a role assignment grants permissions (e.g., Contributor, Reader) via Azure RBAC, but it cannot enforce resource properties like tags or locations; it controls who can act, not what resources must have. Option C is wrong because a resource lock prevents deletion or modification of resources (e.g., CanNotDelete, ReadOnly), but it does not enforce tagging or location restrictions; it is an operational safeguard, not a compliance rule. Option D is wrong because a management group is a logical container for organizing subscriptions and applying governance at scale, but it is not a policy assignment itself; you still need a policy initiative assigned to the management group to enforce the tag and location requirements.
