AZ-104 (AZ-104) — Questions 601–675

1170 questions total · 16 pages · All types, answers revealed

Page 9 of 16
601
Multi-Select · easy

A Windows VM and a Linux VM are both joined to the same Active Directory Domain Services domain. Which two authentication methods can be used to mount the same Azure Files share over SMB? Select two.

Select 2 answers
A. Storage account key
B. Active Directory Domain Services credentials
C. Blob SAS token
D. Network security group rule
E. Azure resource lock
Answers: A, B

The storage account key can authenticate SMB mounts from supported Windows and Linux clients.

Why this answer

Option A is correct because the storage account key provides administrative access to the Azure Files share, allowing any SMB client (Windows or Linux) to mount the share by using the key as the credential. Option B is correct because when both VMs are joined to the same Active Directory Domain Services domain, the Azure Files share can be enabled for AD DS authentication, allowing domain-joined clients to mount the share using their domain credentials.

Exam trap

The trap here is that candidates often confuse Azure Files authentication with Blob Storage authentication, mistakenly selecting a SAS token as a valid method for SMB mounting, when in fact SAS tokens are only used for REST-based access to Blob or File storage (via HTTPS), not for the SMB protocol.

602
MCQ · medium

An administrator is deploying a site-to-site VPN gateway in an existing VNet. The GatewaySubnet already exists, but deployment validation fails because the gateway has no public-facing IP resource. Which configuration is required?

A. Attach a Standard SKU public IP address with static allocation to the VPN gateway.
B. Attach a private IP address from the GatewaySubnet to the VPN gateway.
C. Place the gateway behind an internal load balancer in the GatewaySubnet.
D. Create a NAT gateway and associate it with the GatewaySubnet.
Answer: A

Azure VPN gateways require a public IP resource, and Standard static IPs are the supported choice.

Why this answer

A site-to-site VPN gateway in Azure requires a public IP address to establish connectivity with the on-premises VPN device. The Standard SKU public IP with static allocation is required because VPN gateways do not support Basic SKU public IPs and must have a static IP that does not change. Without this public IP resource, the gateway cannot be provisioned as it has no public endpoint for the VPN tunnel.

Exam trap

The trap here is that candidates may think a private IP from the GatewaySubnet is sufficient for a site-to-site VPN, overlooking that the VPN gateway must have a public IP to terminate the IPsec tunnel from the on-premises device.

How to eliminate wrong answers

Option B is wrong because a private IP from the GatewaySubnet is used for internal routing within the VNet, but the VPN gateway needs a public IP for the site-to-site tunnel endpoint. Option C is wrong because an internal load balancer operates within the VNet and cannot provide the public-facing endpoint required for a site-to-site VPN gateway; VPN gateways are not placed behind load balancers. Option D is wrong because a NAT gateway is used for outbound internet traffic from private subnets and does not provide a public IP for inbound VPN connections; the VPN gateway itself must have a directly attached public IP.

603
Multi-Select · medium

A troubleshooting team wants to investigate a storage account write failure and subscription-level role assignment changes in a single Log Analytics workspace. They want to ingest only the telemetry needed for those investigations. Which two sources should they enable? Select two.

Select 2 answers
A. Configure diagnostic settings on the storage account to send resource logs to the workspace.
B. Export the subscription Azure Activity log to the same workspace.
C. Enable guest-level Windows event collection on a random virtual machine.
D. Turn on NSG flow logs for every subnet in the subscription.
E. Use Azure Advisor recommendations as the source of telemetry.
Answers: A, B

Storage diagnostic settings send the account's resource logs into Log Analytics for later querying and correlation.

Why this answer

Option A is correct because diagnostic settings on a storage account can be configured to send resource logs (such as storage write operations, including details of failed writes) to a Log Analytics workspace. This allows the team to investigate write failures directly from the storage account's telemetry. Option B is correct because the subscription Azure Activity log records control-plane operations such as role assignment changes, so exporting it to the same workspace lets the team query both investigations in one place.

Exam trap

The trap here is that candidates may confuse Azure Activity Logs (which are subscription-level and include role assignment changes) with Azure resource logs (which are resource-specific), and may incorrectly think that NSG flow logs or VM guest logs are needed for storage or role change investigations.
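To make the split between the two sources concrete, here is an added example (not part of the question bank) that runs the investigation logic over constructed rows shaped like the workspace tables the two sources land in; the subscription id, account name, callers and timestamps are invented.

```python
"""Detection logic for question 603: failed storage writes come from the storage
account's resource logs, role assignment changes only from the Activity Log.
All rows below are constructed; column names follow the Log Analytics tables
(StorageBlobLogs-style resource logs and the AzureActivity table)."""
from datetime import datetime, timedelta

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder subscription id
ST_ID = SUB + "/resourceGroups/RG-Finance/providers/Microsoft.Storage/storageAccounts/stprod01"

# Constructed storage resource-log rows (what diagnostic settings on stprod01 would send).
STORAGE_LOGS = [
    {"TimeGenerated": "2024-05-01T10:01:12Z", "AccountName": "stprod01", "OperationName": "GetBlob",
     "StatusCode": 200, "StatusText": "Success", "AuthenticationType": "OAuth", "CallerIpAddress": "10.0.1.10:51234"},
    {"TimeGenerated": "2024-05-01T10:04:40Z", "AccountName": "stprod01", "OperationName": "PutBlob",
     "StatusCode": 403, "StatusText": "AuthorizationPermissionMismatch", "AuthenticationType": "OAuth", "CallerIpAddress": "10.0.1.10:51240"},
    {"TimeGenerated": "2024-05-01T10:04:41Z", "AccountName": "stprod01", "OperationName": "PutBlockList",
     "StatusCode": 403, "StatusText": "AuthorizationPermissionMismatch", "AuthenticationType": "OAuth", "CallerIpAddress": "10.0.1.10:51240"},
    {"TimeGenerated": "2024-05-01T10:09:02Z", "AccountName": "stprod01", "OperationName": "PutBlob",
     "StatusCode": 201, "StatusText": "Success", "AuthenticationType": "OAuth", "CallerIpAddress": "10.0.1.10:51260"},
]

# Constructed subscription Activity Log rows (control-plane events the storage account itself never logs).
ACTIVITY_LOGS = [
    {"TimeGenerated": "2024-05-01T09:58:30Z", "OperationNameValue": "Microsoft.Authorization/roleAssignments/delete",
     "ActivityStatusValue": "Success", "Caller": "admin@contoso.example",
     "_ResourceId": ST_ID + "/providers/Microsoft.Authorization/roleAssignments/placeholder-guid-1"},
    {"TimeGenerated": "2024-05-01T10:00:05Z", "OperationNameValue": "Microsoft.Compute/virtualMachines/start/action",
     "ActivityStatusValue": "Success", "Caller": "ops@contoso.example",
     "_ResourceId": SUB + "/resourceGroups/RG-Ops/providers/Microsoft.Compute/virtualMachines/vm01"},
    {"TimeGenerated": "2024-05-01T10:07:55Z", "OperationNameValue": "Microsoft.Authorization/roleAssignments/write",
     "ActivityStatusValue": "Start", "Caller": "admin@contoso.example",
     "_ResourceId": ST_ID + "/providers/Microsoft.Authorization/roleAssignments/placeholder-guid-2"},
    {"TimeGenerated": "2024-05-01T10:07:56Z", "OperationNameValue": "Microsoft.Authorization/roleAssignments/write",
     "ActivityStatusValue": "Success", "Caller": "admin@contoso.example",
     "_ResourceId": ST_ID + "/providers/Microsoft.Authorization/roleAssignments/placeholder-guid-2"},
]

WRITE_OPS = {"PutBlob", "PutBlock", "PutBlockList", "AppendBlock", "SetBlobMetadata", "DeleteBlob"}

def _ts(value):
    # Workspace timestamps are ISO 8601 UTC; fromisoformat() wants +00:00 rather than Z on older Pythons.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def failed_writes(rows):
    """Storage resource-log rows for write operations that returned an error status."""
    return [r for r in rows if r["OperationName"] in WRITE_OPS and int(r["StatusCode"]) >= 400]

def role_assignment_changes(rows, resource_id=None):
    """Completed role assignment writes/deletes from the Activity Log, optionally scoped to one resource."""
    out = []
    for r in rows:
        if not r["OperationNameValue"].startswith("Microsoft.Authorization/roleAssignments/"):
            continue
        if r["ActivityStatusValue"] != "Success":  # skip the "Start" half of each operation
            continue
        if resource_id and not r["_ResourceId"].lower().startswith(resource_id.lower()):
            continue
        out.append(r)
    return out

def correlate(storage_rows, activity_rows, resource_id, window_minutes=15):
    """For each failed write, list the role assignment changes on the same resource in the
    preceding window: a 403 shortly after a roleAssignments/delete is the pattern to look for."""
    changes = role_assignment_changes(activity_rows, resource_id)
    window = timedelta(minutes=window_minutes)
    result = []
    for f in failed_writes(storage_rows):
        t = _ts(f["TimeGenerated"])
        preceding = [c for c in changes if t - window <= _ts(c["TimeGenerated"]) <= t]
        result.append((f["TimeGenerated"], f["StatusText"], [c["OperationNameValue"] for c in preceding]))
    return result
```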

604
MCQ · easy

A finance analyst needs read-only access to one storage account named stprod01. The analyst must not see other resources in the subscription. Where should you assign the Reader role?

A. At the management group scope that contains the subscription
B. At the subscription scope that contains the storage account
C. At the resource group that contains the storage account
D. At the storage account resource scope
Answer: D

Assigning Reader at the storage account scope is the narrowest option that still provides read-only access to that single resource. Azure RBAC permissions inherit downward, so a resource-level assignment affects only that storage account and nothing else in the subscription. This matches the requirement to limit visibility and access as tightly as possible.

Why this answer

Assigning the Reader role at the storage account resource scope (stprod01) grants read-only access exclusively to that specific storage account. This meets the requirement of restricting the analyst from seeing any other resources in the subscription, as role assignments at a higher scope (e.g., resource group, subscription, management group) would inherit permissions to all resources under that scope.

Exam trap

The trap here is that candidates often assume assigning the Reader role at the resource group scope is sufficient, but this would grant access to all resources in that resource group, not just the single storage account, violating the 'must not see other resources' constraint.

How to eliminate wrong answers

Option A is wrong because assigning the Reader role at the management group scope would grant read-only access to all subscriptions and resources within that management group, far exceeding the requirement. Option B is wrong because assigning the Reader role at the subscription scope would grant read-only access to all resources in the subscription, including other storage accounts, virtual machines, and networks. Option C is wrong because assigning the Reader role at the resource group scope would grant read-only access to all resources within that resource group, not just the single storage account.

605
Multi-Select · medium

A network team wants reliable time, name resolution, centralized logs, and visibility into traffic patterns. Which two services directly match those goals?

Select 2 answers
A. NTP
B. NetFlow
C. Syslog
D. DHCP
Answers: A, B

NTP matches the reliable time requirement.

Why this answer

NTP (Network Time Protocol) is correct because it provides reliable time synchronization across network devices, which is essential for accurate log timestamps and security protocols. This directly matches the goal of reliable time. NetFlow is correct because it exports flow records that give visibility into traffic patterns, which is the other goal the selected pair covers.

Exam trap

The trap here is that candidates often confuse Syslog (which provides centralized logs) with NTP (which provides time synchronization), but the question specifically asks for 'reliable time' and 'visibility into traffic patterns' — Syslog does not provide time synchronization or traffic visibility, while NetFlow does provide traffic pattern analysis.

Why the other options are wrong

C

Syslog is primarily used for logging and monitoring system messages rather than providing reliable time, name resolution, or traffic visibility. While it contributes to centralized logs, it does not fulfill the other specified goals of the network team.

D

DHCP is primarily used for dynamically assigning IP addresses to devices on a network, which does not directly address the goals of reliable time, name resolution, centralized logs, or visibility into traffic patterns.

606
MCQ · medium

Based on the exhibit, why is TCP 8443 traffic from the web tier still denied to the app tier, and what should you do to allow only the web tier?

A. Change the deny-all rule at priority 200 to allow TCP 8443 from ASG-Web.
B. Add an inbound allow rule for TCP 8443 from ASG-Web to ASG-App with a priority lower than 100.
C. Add a route table entry for 8443 traffic from the web tier to the app tier.
D. Remove the AzureLoadBalancer rule because it is overriding the web tier traffic.
Answer: B

An allow rule must be evaluated before the existing deny rule, and using ASGs limits access to the web tier.

Why this answer

Option B is correct because in Azure Network Security Groups (NSGs), rules are evaluated in priority order, with lower numbers evaluated first. The existing rule at priority 100 allows traffic from the web tier, but a subsequent deny-all rule at priority 200 blocks all traffic, including TCP 8443. To allow only the web tier, you must add an inbound allow rule for TCP 8443 from ASG-Web with a priority lower than 200 (e.g., 150) so it is evaluated before the deny-all rule, effectively permitting the desired traffic while still blocking other sources.

Exam trap

The trap here is that candidates often assume changing the deny-all rule is the simplest fix, but they overlook that it would open the port to all sources, not just the web tier, failing the specific requirement.

How to eliminate wrong answers

Option A is wrong because changing the deny-all rule at priority 200 to allow TCP 8443 would permit traffic from all sources, not just the web tier, violating the requirement to allow only the web tier. Option C is wrong because route tables control network traffic paths between subnets or virtual networks, not security filtering; NSGs are the correct mechanism to allow or deny traffic based on source, destination, and port. Option D is wrong because the AzureLoadBalancer rule is a default NSG rule that allows health probe traffic from Azure Load Balancer; it does not override or block web tier traffic, and removing it would break load balancer health monitoring.

607
MCQ · medium

A scheduled script runs on several Azure virtual machines that are created and replaced over time. The script must use the same Azure identity on every VM, and the identity should continue to exist even if one VM is deleted and recreated. What should the administrator use?

A. A system-assigned managed identity on each VM.
B. A user-assigned managed identity attached to the VMs.
C. A service principal with a client secret stored in each VM.
D. A shared access signature stored in the VM registry.
Answer: B

A user-assigned managed identity is created as a separate Azure resource and can be attached to multiple VMs. Because it is not tied to the lifecycle of a single VM, the same identity remains available even if one VM is deleted and rebuilt, which fits the requirement for shared, durable authentication.

Why this answer

A user-assigned managed identity is the correct choice because it is an Azure resource that exists independently of any VM, and it can be attached to multiple VMs. When a VM is deleted and recreated, the same user-assigned managed identity can be reattached, ensuring the script uses the same identity consistently. This decouples the identity lifecycle from the VM lifecycle, meeting the requirement for persistence across VM replacements.

Exam trap

The trap here is that candidates often confuse system-assigned managed identities (which are tied to a single resource's lifecycle) with user-assigned managed identities (which are independent and reusable), leading them to incorrectly choose option A for persistence across VM deletions.

How to eliminate wrong answers

Option A is wrong because a system-assigned managed identity is tied to the lifecycle of a single VM; if the VM is deleted, the identity is also deleted, and a new VM would get a new identity, breaking the requirement for a consistent identity. Option C is wrong because storing a client secret in each VM is a security risk and violates best practices; managed identities eliminate the need for secrets by using Azure AD tokens obtained via the IMDS endpoint. Option D is wrong because a shared access signature (SAS) is a token for delegated access to Azure Storage, not an Azure identity; it cannot be used for authentication to Azure AD or for running scripts with a consistent identity across VMs.

608
MCQ · easy

Three Azure virtual machines in different resource groups must all use the same Azure identity to access a storage account. The identity should keep working even if one VM is rebuilt. What should you use?

A. A system-assigned managed identity on each VM
B. A user-assigned managed identity
C. A shared VM administrator password
D. A storage account SAS token
Answer: B

A user-assigned managed identity is a standalone Azure resource that can be attached to multiple VMs. Because it is not tied to one VM’s lifecycle, it continues to exist even if a VM is rebuilt or replaced. This makes it the best choice when several compute resources need to share the same identity for Azure access. It also simplifies permission management because you grant access once to the shared identity.

Why this answer

A user-assigned managed identity is created as a standalone Azure resource and can be assigned to multiple VMs, even across resource groups. It persists independently of any VM lifecycle, so rebuilding a VM does not affect the identity's availability or its permissions to access the storage account.

Exam trap

The trap here is that candidates confuse system-assigned managed identities (which are tied to a single VM's lifecycle) with user-assigned managed identities (which are independent resources), leading them to choose option A because they think 'each VM needs its own identity' rather than a shared, persistent one.

How to eliminate wrong answers

Option A is wrong because a system-assigned managed identity is tied to the lifecycle of a single VM; if the VM is deleted, the identity is also deleted, and rebuilding the VM would create a new identity, breaking access. Option C is wrong because a shared VM administrator password is used for OS-level authentication, not for Azure resource access, and it violates security best practices by sharing credentials. Option D is wrong because a storage account SAS token is a time-limited, shared access token that does not represent an Azure identity; it would need to be securely stored and rotated, and it cannot be consistently used across multiple VMs without complex management.

609
MCQ · medium

You need to ensure that a contractor can manage virtual machines only in the RG-Test resource group and cannot access any other resource groups in the subscription. What is the best way to achieve this?

A. Assign the Virtual Machine Contributor role at the subscription scope
B. Assign the Virtual Machine Contributor role at the RG-Test scope
C. Assign the Reader role at the RG-Test scope
D. Assign the Owner role at the RG-Test scope
Answer: B

Scoping the role to RG-Test limits access to that resource group only.

Why this answer

Assigning the Virtual Machine Contributor role at the RG-Test scope grants the contractor permissions to manage virtual machines within that specific resource group only, adhering to the principle of least privilege. This role includes actions like creating, starting, stopping, and deleting VMs, but does not allow access to other resource groups in the subscription because the role assignment is scoped to RG-Test.

Exam trap

The trap here is that candidates often confuse the Virtual Machine Contributor role with broader roles like Contributor or Owner, or incorrectly assume that a subscription-scoped assignment can be restricted by resource group, when in fact Azure RBAC permissions are cumulative and inherited from higher scopes.

How to eliminate wrong answers

Option A is wrong because assigning the Virtual Machine Contributor role at the subscription scope would grant the contractor permissions to manage VMs in all resource groups within the subscription, violating the requirement to restrict access to RG-Test only. Option C is wrong because the Reader role at the RG-Test scope only allows read-only access to resources, not the ability to manage virtual machines as required. Option D is wrong because the Owner role at the RG-Test scope grants full control over all resources in that resource group, including the ability to manage access and delete resources, which exceeds the necessary permissions and violates the principle of least privilege.

610
Multi-Select · medium

A development team needs a new Windows VM created from an approved hardened image, and IIS must be installed automatically after deployment. Which three actions should the administrator take? Select three.

Select 3 answers
A. Use an Azure Compute Gallery image version created from the approved hardened build.
B. Reference that gallery image as the source image in the VM deployment.
C. Include the IIS extension or a custom script extension in the same deployment template or script.
D. Start from a fresh marketplace image and harden it manually after the VM is running.
E. Install IIS interactively after logging in to the VM with an administrator account.
Answers: A, B, C

Azure Compute Gallery lets the team store and version approved images centrally. That makes it easy to deploy future VMs from the same hardened baseline rather than rebuilding the image each time.

Why this answer

Option A is correct because an Azure Compute Gallery (formerly Shared Image Gallery) allows you to create and store custom VM images, including hardened builds. Using a gallery image version ensures the VM is deployed from an approved, pre-configured image that meets security and compliance requirements, avoiding the need to manually harden a fresh marketplace image. Option B is correct because referencing that gallery image version as the source image is what makes the new VM start from the hardened baseline. Option C is correct because including the IIS extension or a custom script extension in the same deployment template or script installs IIS automatically as part of the deployment, with no interactive login required.

Exam trap

The trap here is that candidates may think manual hardening or interactive installation is acceptable, but the question explicitly requires automation and an approved hardened image, making options D and E incorrect because they lack automation and consistency.

611
Multi-Select · medium

An external consultant must access a resource group in your tenant using the consultant's existing work account. You want to avoid creating a separate username and password pair. Which two actions should the administrator take? Select two.

Select 2 answers
A. Invite the consultant as a guest user in Microsoft Entra ID.
B. Create a new member user account with an internal password.
C. Assign the required RBAC role on the target resource group to the guest account.
D. Add the consultant to the Global Administrator role.
E. Share the subscription ID and tenant ID only.
Answers: A, C

A guest user allows the consultant to authenticate with their existing organization identity while still being represented in your tenant. That keeps identity administration externalized and avoids creating a separate local password account.

Why this answer

Option A is correct because inviting the consultant as a guest user in Microsoft Entra ID (formerly Azure AD) allows the consultant to use their existing work account (external identity) without creating a new username/password. This leverages B2B collaboration, which uses the consultant's home directory for authentication, and the guest user object is created in your tenant to represent them. Option C is correct because the invitation alone creates the identity but grants no permissions; the guest account only gains access once the required RBAC role is assigned to it at the target resource group.

Exam trap

The trap here is that candidates often confuse inviting a guest user (which uses external authentication) with creating a new user account (which requires a separate password), or they incorrectly think that sharing tenant/subscription IDs alone provides access without an identity and role assignment.

612
MCQ · medium

Based on the exhibit, which feature should be enabled on the subnet so the storage account remains reachable through its public endpoint but only from that subnet?

A. Private endpoint
B. Service endpoint
C. Azure Bastion
D. VPN Gateway
Answer: B

A service endpoint lets the subnet reach the service over the Azure backbone without creating a private IP.

Why this answer

Service endpoints (B) extend the virtual network private address space and the identity of the VNet to Azure services over a direct connection. By enabling a Microsoft.Storage service endpoint on the subnet and configuring the storage account firewall to allow access only from that subnet's virtual network, the storage account remains reachable via its public endpoint but only from the specified subnet, without requiring a public IP on the subnet.

Exam trap

The trap here is that candidates often confuse private endpoints with service endpoints, mistakenly thinking a private endpoint is required for subnet-level access control, when in fact service endpoints achieve the same goal while preserving public endpoint accessibility.

How to eliminate wrong answers

Option A is wrong because a private endpoint assigns a private IP address from the subnet to the storage account, making it reachable only over the private endpoint and removing public endpoint access entirely, which contradicts the requirement to keep the public endpoint reachable. Option C is wrong because Azure Bastion provides secure RDP/SSH connectivity to virtual machines in the VNet via the Azure portal, not access to storage accounts or subnet-level network restrictions. Option D is wrong because a VPN Gateway extends on-premises networks to Azure over encrypted tunnels, but it does not restrict access to a storage account's public endpoint from a specific subnet; it would allow all traffic from the connected on-premises network.

613
Multi-Select · medium

Two line-of-business VMs in a single region must stay available if one physical host is patched or fails. A zone failure is not part of the requirement. Which three actions should the administrator take? Select three.

Select 3 answers
A. Create an availability set for the application VMs before deployment.
B. Deploy both VMs into the same availability set.
C. Allow Azure to place the VMs across different fault and update domains within the availability set.
D. Deploy the VMs in separate availability zones to protect against a datacenter outage.
E. Use a single larger VM and rely on snapshots for uptime.
Answers: A, B, C

An availability set is the correct Azure construct for protecting workloads from host-level maintenance and failures inside a datacenter. It provides the placement mechanism needed to improve availability without requiring zone-level resilience.

Why this answer

Option A is correct because an availability set ensures that VMs are placed on different fault domains (physical hosts) and update domains within a single Azure region, protecting against physical host patching or failure. This meets the requirement of keeping VMs available during a single host event without requiring zone-level redundancy. Option B is correct because both VMs must be in the same availability set for Azure to distribute them across its fault and update domains. Option C is correct because letting Azure place the VMs across different fault and update domains is what ensures a single host patch or failure affects at most one of the two VMs.

Exam trap

The trap here is that candidates often confuse availability sets (protecting against host failure) with availability zones (protecting against datacenter failure), leading them to select zone-based deployment when the requirement only specifies a single host failure scenario.

614
MCQ · easy

A line-of-business app runs on two Azure VMs in the same region. The business wants to reduce the chance that both VMs are affected by the same planned host update. What should the administrator use?

A. An availability set
B. A public load balancer
C. A managed image
D. A private endpoint
Answer: A

An availability set spreads VMs across fault domains and update domains within a datacenter environment. This reduces the chance that a planned host update or a hardware issue affects both VMs at the same time. It is the right choice when the goal is host-level resilience for VMs in the same region.

Why this answer

An availability set ensures that VMs are placed on different fault domains and update domains within an Azure datacenter. Fault domains isolate VMs from shared hardware failures, while update domains ensure that planned host updates (e.g., OS patching) are applied sequentially across groups, so not all VMs are rebooted simultaneously. This directly reduces the chance that both VMs are affected by the same planned host update.

Exam trap

The trap here is that candidates often confuse availability sets (logical grouping for update/fault domain isolation within a single datacenter) with availability zones (physical separation across datacenters), or mistakenly think a load balancer provides high availability against planned maintenance, when it only distributes traffic and does not affect host placement.

How to eliminate wrong answers

Option B is wrong because a public load balancer distributes incoming traffic across VMs but does not influence the underlying host placement or update scheduling; it operates at the network layer (Layer 4) and cannot protect against planned host updates. Option C is wrong because a managed image is a snapshot of a VM's OS and data disks used for scaling out identical VMs, but it has no effect on how those VMs are placed across update or fault domains. Option D is wrong because a private endpoint provides secure connectivity to Azure PaaS services over a private IP address in a virtual network; it is a networking construct unrelated to VM placement or host update isolation.

615
MCQ · easy

Based on the exhibit, a script running on an Azure VM must create resources in another subscription without using passwords or client secrets. Which command should the administrator use first?

A. az login --identity
B. az login --service-principal
C. az account set --subscription <subscriptionId>
D. Connect-AzAccount -UseDeviceAuthentication
Answer: A

This command signs in the Azure CLI by using the VM's managed identity instead of a stored username or secret. It is the correct first step when a script on an Azure VM needs to access Azure resources securely without embedded credentials.

Why this answer

Option A is correct because the script must authenticate without passwords or client secrets, and Azure VMs can use a managed identity for this purpose. The `az login --identity` command authenticates the Azure CLI using the VM's managed identity, which is a passwordless, secretless authentication method. This allows the script to obtain tokens for accessing resources in another subscription, provided the managed identity has appropriate RBAC permissions.

Exam trap

The trap here is that candidates often confuse setting the subscription context (`az account set`) with authentication, forgetting that authentication must occur first before any subscription-level operations can be performed.

How to eliminate wrong answers

Option B is wrong because `az login --service-principal` requires a client secret or certificate, which violates the requirement of no passwords or client secrets. Option C is wrong because `az account set --subscription <subscriptionId>` only sets the active subscription context after authentication; it does not perform authentication and cannot be used first. Option D is wrong because `Connect-AzAccount -UseDeviceAuthentication` is a PowerShell cmdlet for interactive device code authentication, which requires user interaction and does not work for automated scripts running on a VM without passwords or secrets.
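What `az login --identity` does under the hood, and why no secret is involved, is shown by this added example (not from the question bank): a process on the VM asks the Instance Metadata Service (IMDS) for a token, passing a client id when a user-assigned identity (questions 607 and 608) is meant; the endpoint, api-version and Metadata header are the documented ones, while the client id, subscription id and token values are placeholders.

```python
"""Managed-identity token acquisition from inside an Azure VM, the mechanism behind
`az login --identity`. IMDS is link-local (169.254.169.254) and only answers callers
on the VM itself, so nothing secret is stored in the script or on disk."""
import json
import urllib.parse
import urllib.request

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"

def build_imds_request(resource, client_id=None):
    """Return (url, headers) for a token request.

    client_id selects a user-assigned identity. It is mandatory when more than one
    user-assigned identity is attached to the VM; without it IMDS cannot tell which
    identity is meant and returns an error instead of guessing."""
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    url = IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params)
    # IMDS rejects requests lacking this header, which stops naive request forwarding from reaching it.
    return url, {"Metadata": "true"}

def parse_token_response(body):
    """Pick out the fields a script needs; IMDS returns expires_on as epoch seconds in a string."""
    data = json.loads(body)
    return {
        "access_token": data["access_token"],
        "token_type": data["token_type"],
        "resource": data["resource"],
        "expires_on": int(data["expires_on"]),
    }

def token_needs_refresh(token, now_epoch, margin_seconds=300):
    """True when a cached token expires within the margin; refresh before ARM calls start failing."""
    return token["expires_on"] - now_epoch <= margin_seconds

def fetch_token(resource, client_id=None, timeout=3):
    """Perform the IMDS call. Only succeeds on an Azure VM that has a managed identity attached."""
    url, headers = build_imds_request(resource, client_id)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_token_response(resp.read())

def cli_sequence(subscription_id, client_id=None):
    """The order question 615 asks about: authenticate first, then select the target subscription.
    `--username` takes the client id of a user-assigned identity; omit it for system-assigned."""
    login = "az login --identity" + (f" --username {client_id}" if client_id else "")
    return [login, f"az account set --subscription {subscription_id}"]

# Constructed IMDS reply with the real field names; the token and ids are placeholders.
SAMPLE_REPLY = json.dumps({
    "access_token": "PLACEHOLDER.JWT.TOKEN",
    "client_id": "11111111-2222-3333-4444-555555555555",
    "expires_in": "3599",
    "expires_on": "1714561200",
    "ext_expires_in": "3599",
    "not_before": "1714557300",
    "resource": "https://management.azure.com/",
    "token_type": "Bearer",
})
```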

616
MCQ · easy

Based on the exhibit, the governance team wants to assign three related policy definitions together: allowed regions, required tags, and approved VM SKUs. What should the administrator create first?

A. A policy initiative that groups the three policy definitions into one object.
B. A resource lock so the policies cannot be changed after assignment.
C. A custom RBAC role that grants permission to edit policy assignments.
D. A management group exemption so all three rules apply automatically.
Answer: A

An initiative is designed to bundle multiple policy definitions into a single reusable unit. This lets the administrator assign and report on the controls together at the management group scope. It is the correct choice when several related governance rules should be managed as one baseline.

Why this answer

A policy initiative (also known as a policy set) is the correct answer because it allows you to group multiple related policy definitions into a single assignable object. This is the intended Azure governance pattern for bundling policies like allowed regions, required tags, and approved VM SKUs, ensuring they are applied together consistently across management groups or subscriptions.

Exam trap

The trap here is that candidates often confuse a policy initiative with a resource lock or RBAC role, thinking that administrative controls are needed to enforce the grouping, when in fact the initiative itself is the native Azure construct for bundling policy definitions.

How to eliminate wrong answers

Option B is wrong because a resource lock prevents accidental deletion or modification of resources, but it does not group or assign policy definitions together. Option C is wrong because a custom RBAC role controls who can edit policy assignments, but it does not create a grouping of policy definitions. Option D is wrong because a management group exemption excludes resources from policy evaluation, but it does not create a grouping of policy definitions and would not automatically apply the three rules together.

617
MCQ · easy

Based on the exhibit, an auditor needs to view all resources in RG-Finance but must not be able to make any changes. The auditor also should not have access to other resource groups. Which RBAC assignment best meets the requirement?

A. Reader at the subscription scope, because it is read-only and easy to manage.
B. Reader at RG-Finance scope, because it allows viewing without granting write permissions.
C. Contributor at RG-Finance scope, because the auditor needs to read tags and configuration.
D. Reader at the management group scope, because all finance resources are grouped there.
Answer: B

Reader at the resource group scope gives the auditor visibility into the resources in RG-Finance without permitting changes. This is the narrowest built-in role and scope combination that satisfies the requirement to view the group only and avoid access to other resource groups.

Why this answer

The Reader role at the RG-Finance scope grants read-only access to all resources within that specific resource group, preventing any modifications. This meets the auditor's requirement to view resources in RG-Finance without write permissions and without access to other resource groups, as the scope is limited to RG-Finance.

Exam trap

The trap here is that candidates often choose Reader at the subscription scope (Option A) thinking it is simpler and still read-only, but they overlook the requirement to restrict access to only one resource group, which subscription-level access violates due to inheritance.

How to eliminate wrong answers

Option A is wrong because assigning Reader at the subscription scope would grant read-only access to all resource groups in the subscription, violating the requirement that the auditor should not have access to other resource groups. Option C is wrong because Contributor at RG-Finance scope includes write permissions (e.g., create, delete, update resources), which violates the requirement that the auditor must not be able to make any changes. Option D is wrong because Reader at the management group scope would inherit read-only access to all subscriptions and resource groups under that management group, including non-finance resources, which violates the requirement to restrict access to only RG-Finance.
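The scope inheritance that questions 604, 609 and 617 all turn on is modelled in this added example (not from the question bank): an assignment covers its scope and everything beneath it, so the check is a prefix match on the resource ID, and the narrowest scope that still contains the target is the least-privilege answer. The subscription GUID, resource names and the abbreviated action lists are placeholders; NotActions and deny assignments are left out.

```python
"""Azure RBAC scope inheritance in plain Python. Simplified: no NotActions, no deny
assignments, and only a subset of each built-in role's actions (the wildcard syntax
is the real one). Resource IDs use a placeholder subscription GUID."""
import fnmatch
from dataclasses import dataclass

@dataclass(frozen=True)
class RoleAssignment:
    principal: str
    role: str
    scope: str   # management group, subscription, resource group or resource ID

# Abbreviated action lists; the real definitions are longer but use the same '*' wildcard.
ROLE_ACTIONS = {
    "Reader": {"*/read"},
    "Contributor": {"*"},
    "Owner": {"*"},
    "Virtual Machine Contributor": {
        "Microsoft.Compute/virtualMachines/*",
        "Microsoft.Compute/disks/*",
        "Microsoft.Network/networkInterfaces/*",
    },
}

def scope_covers(assignment_scope, resource_id):
    """True if resource_id is the assignment scope itself or sits beneath it.

    Matching is case-insensitive, like Azure. The trailing '/' keeps
    '/resourceGroups/RG-Test' from covering '/resourceGroups/RG-Test2'."""
    a = assignment_scope.rstrip("/").lower()
    r = resource_id.rstrip("/").lower()
    return r == a or r.startswith(a + "/")

def action_allowed_by_role(role, action):
    """Azure action patterns use '*' as a wildcard that may span '/' (so '*/read' matches any read)."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in ROLE_ACTIONS[role])

def effective_roles(assignments, principal, resource_id):
    """Roles inherited onto resource_id from every assignment at or above it."""
    return {a.role for a in assignments
            if a.principal == principal and scope_covers(a.scope, resource_id)}

def is_allowed(assignments, principal, resource_id, action):
    return any(action_allowed_by_role(r, action)
               for r in effective_roles(assignments, principal, resource_id))

def read_action(resource_id):
    """The '<provider>/<type>/read' action for a resource ID, e.g. Microsoft.Storage/storageAccounts/read."""
    return resource_id.split("/providers/")[1].rsplit("/", 1)[0] + "/read"

def visible_resources(assignments, principal, resources):
    """What the portal would list for the principal: resources on which a read is allowed."""
    return [r for r in resources if is_allowed(assignments, principal, r, read_action(r))]

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"   # placeholder
RG_FIN = f"{SUB}/resourceGroups/RG-Finance"
RG_TEST = f"{SUB}/resourceGroups/RG-Test"
RG_PROD = f"{SUB}/resourceGroups/RG-Prod"
STPROD01 = f"{RG_FIN}/providers/Microsoft.Storage/storageAccounts/stprod01"
STPROD02 = f"{RG_FIN}/providers/Microsoft.Storage/storageAccounts/stprod02"
VM_TEST = f"{RG_TEST}/providers/Microsoft.Compute/virtualMachines/vm-test01"
VM_PROD = f"{RG_PROD}/providers/Microsoft.Compute/virtualMachines/vm-prod01"

ASSIGNMENTS = [
    RoleAssignment("analyst", "Reader", STPROD01),                          # question 604: resource scope
    RoleAssignment("contractor", "Virtual Machine Contributor", RG_TEST),   # question 609: resource group scope
    RoleAssignment("auditor", "Reader", RG_FIN),                            # question 617: resource group scope
]
```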

618
MCQeasy

Based on the exhibit, why is the administrator's HTTPS test still being denied, and what should be changed?

A.Increase the deny rule priority number from 200 to 300.
B.Move Allow-HTTPS-Admin to a priority lower than 200.
C.Change Allow-HTTPS-Admin to use protocol Any.
D.Assign a public IP address to the VM.
AnswerB

NSG rules are processed from the lowest priority number upward. Because the deny rule is evaluated first, the admin allow rule never gets a chance. Moving the allow rule ahead of the deny rule lets only the admin IP reach HTTPS while everyone else remains blocked.

Why this answer

The administrator's HTTPS test is denied because Azure Network Security Groups (NSGs) process rules in priority order, from lowest to highest numeric value. The deny rule at priority 200 is evaluated before the allow rule at priority 300, so the HTTPS traffic is blocked. To allow HTTPS traffic, the allow rule must have a lower priority number (e.g., 100) than the deny rule, ensuring it is evaluated first.

Option B correctly identifies that moving Allow-HTTPS-Admin to a priority lower than 200 (i.e., a smaller number) will allow the traffic before the deny rule is applied.

Exam trap

The trap here is that candidates often confuse priority numbers, thinking a higher number means higher priority, when in fact lower numbers are evaluated first; this leads them to incorrectly choose increasing the deny rule's priority or other irrelevant changes.

How to eliminate wrong answers

Option A is wrong because the allow rule already sits at priority 300, so the deny rule cannot also be given priority 300 (rules in the same direction must have unique priorities); in any case the correct fix is to reorder the allow rule, not the deny rule. Option C is wrong because changing Allow-HTTPS-Admin to use protocol 'Any' would not resolve the priority issue; the rule would still be evaluated after the deny rule at priority 200, and HTTPS traffic would still be denied. Option D is wrong because assigning a public IP address to the VM does not affect NSG rule evaluation; NSG rules filter traffic based on source/destination IPs and ports, not the presence of a public IP on the VM.

619
MCQmedium

A team enabled Azure Files for a Windows-based application. The app can reach the storage account, but the mount fails because users cannot authenticate with the share. The team does not want to use the storage account key. What is the best next step?

A.Turn off the storage account firewall and retry the mount anonymously.
B.Grant the VM or user an Azure Files data-plane role, such as Storage File Data SMB Share Contributor, and use identity-based authentication.
C.Create a network security group rule that allows TCP 445 to the share.
D.Convert the storage account to a premium block blob account.
AnswerB

When Azure Files is accessed over SMB without storage keys, the administrator should use identity-based authentication and assign the appropriate Azure Files data-plane role. This provides the permissions needed to mount and use the share while avoiding storage account keys. It is the correct fix when network access works but authorization fails.

Why this answer

Option B is correct because Azure Files supports identity-based authentication over SMB using either on-premises Active Directory Domain Services (AD DS) or Azure Active Directory Domain Services (Azure AD DS). By granting the VM or user the Storage File Data SMB Share Contributor role, the team enables Kerberos-based authentication, eliminating the need for the storage account key. This approach allows the mount to succeed while meeting the requirement to avoid using the shared key.

Exam trap

The trap here is that candidates often confuse network-level connectivity (TCP 445) with authentication requirements, assuming that opening the port alone will fix the mount failure, when in fact the issue is the lack of a valid identity-based authentication mechanism.

How to eliminate wrong answers

Option A is wrong because turning off the storage account firewall and mounting anonymously is not supported for Azure Files SMB shares; anonymous access is disabled by default and cannot be used for authentication. Option C is wrong because a network security group rule allowing TCP 445 is necessary for SMB connectivity but does not address the authentication failure; the issue is identity-based authentication, not network reachability. Option D is wrong because converting the storage account to a premium block blob account would change the account type to one that does not support Azure Files (block blobs are for object storage, not file shares), and it would not resolve the authentication problem.

620
Multi-Selecteasy

A partner must upload files to one blob container for 12 hours. You do not want to share the storage account key. Which two temporary access methods can be used? Select two.

Select 2 answers
A.Service SAS, because it grants scoped access to a container or blob for a limited time.
B.User delegation SAS, because it is issued with Microsoft Entra ID and supports limited-time access.
C.Storage account shared key, because it can be time-limited when copied into an email.
D.Anonymous access, because it can be enabled for the container and expires automatically after 12 hours.
E.Resource lock, because it can restrict the partner to one container without requiring any token.
AnswersA, B

A service SAS can grant short-lived access with precise permissions and scope.

Why this answer

Option A is correct because a Service SAS (Shared Access Signature) allows you to delegate limited-time, scoped access to a specific container or blob without exposing the storage account key. It can be configured with a start time, expiry time, and permissions (e.g., write, read), making it ideal for a 12-hour upload window. This method ensures the partner can only access the designated container for the required duration. Option B is correct because a user delegation SAS is signed with a user delegation key obtained with Microsoft Entra ID credentials rather than with the storage account key, and it carries the same start time, expiry time, and scoped permissions.

Exam trap

The trap here is that candidates often confuse a Service SAS with the storage account shared key, mistakenly thinking the key can be time-limited when shared, or they overlook that anonymous access lacks any expiry mechanism and cannot be used for controlled, temporary access.

621
Multi-Selecteasy

A storage account's platform logs must be searchable later with KQL in a central workspace. Which two actions should the administrator take? Select two.

Select 2 answers
A.Create a diagnostic setting on the storage account
B.Configure a NAT gateway on the storage subnet
C.Send the logs to a Log Analytics workspace
D.Assign the Reader role on the subscription
E.Enable a VM backup policy
AnswersA, C

Diagnostic settings tell Azure which resource logs and metrics to export from the storage account.

Why this answer

Option A is correct because a diagnostic setting on the storage account is required to route platform logs (e.g., storage read/write/delete operations) to a destination. Option C is correct because a Log Analytics workspace is the destination that enables KQL-based searching and analysis of those logs. Without both, the logs cannot be stored in a central, queryable repository.

Exam trap

The trap here is that candidates may think simply enabling logging on the storage account (e.g., via the 'Logging' blade) is sufficient, but without a diagnostic setting and a Log Analytics workspace destination, the logs are not searchable with KQL in a central workspace.

622
Multi-Selecteasy

An app must resolve a storage account name to the private IP address created by a private endpoint. Which two actions are required? Select two.

Select 2 answers
A.Create the private endpoint in the same virtual network as the app
B.Link the virtual network to the private DNS zone for the storage service
C.Enable a service endpoint on the subnet
D.Add a public DNS record pointing to the storage account
E.Turn on blob versioning
AnswersA, B

The private endpoint must exist in a VNet the workload can reach so it gets a private address.

Why this answer

Option A is correct because a private endpoint must be in the same virtual network as the app to provide a private IP address that the app can directly reach. Without this, the app cannot resolve the storage account name to the private IP, as the private endpoint's network interface is only accessible from within that VNet. Option B is correct because linking the virtual network to the private DNS zone for the storage service (for example, privatelink.blob.core.windows.net for the blob endpoint) is what makes the storage account name resolve to the private endpoint's IP address instead of the public address.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, thinking a service endpoint alone provides private IP resolution, or they overlook the mandatory DNS zone link required for name resolution to the private IP.

623
Multi-Selecthard

A user had a direct Reader assignment on a virtual machine, but that assignment was removed. The user can still open the VM blade and view its properties. Which two sources could still be granting access? Select two.

Select 2 answers
A.A Reader assignment at the parent resource group, subscription, or management group scope can still be inherited by the VM.
B.Membership in an Entra security group that has Reader at an inherited scope can still provide visibility to the VM.
C.A CanNotDelete lock on the VM is granting the user permission to view it.
D.An Azure Policy assignment that audits the VM is granting read access through compliance evaluation.
E.A private endpoint connected to the VM subnet is providing inherited read permission through networking.
AnswersA, B

RBAC inheritance flows downward from management group to subscription to resource group to resource. A broader-scope Reader assignment would still allow the user to view the VM even after the direct VM-level assignment was removed. This is the most common reason access appears to persist.

Why this answer

Option A is correct because Azure RBAC permissions are inherited from higher scopes. Even if a direct Reader assignment on the VM is removed, a Reader role assigned at the parent resource group, subscription, or management group scope will still grant the user read access to the VM through inheritance. This is a fundamental behavior of Azure RBAC, where permissions flow down the hierarchy. Option B is correct because role assignments can be granted to Microsoft Entra security groups; if the user is a member of a group that holds Reader at the VM's scope or at any parent scope, the user receives that access through group membership even though no direct assignment remains.

Exam trap

The trap here is that candidates often confuse resource locks (like CanNotDelete) with RBAC permissions, or think that Azure Policy or networking constructs (like private endpoints) can grant access, when in fact only role assignments (direct or inherited) control access to Azure resources.

624
MCQmedium

A route table on a subnet contains this user-defined route:

- 0.0.0.0/0 -> Virtual appliance 10.0.0.4

The subnet is peered to another VNet with address space 10.2.0.0/16. A VM in the subnet sends traffic to 10.2.2.7, and Network Watcher shows the next hop as Virtual network peering instead of the appliance. What explains this result?

A.User-defined routes never apply to peered networks.
B.The peering route is more specific than the default route, so it is selected first.
C.NSG rules always override any route table entry.
D.Peering only works when both VNets are in the same region.
AnswerB

Azure uses the longest-prefix match first. The destination 10.2.2.7 falls within the peered VNet prefix 10.2.0.0/16, which is more specific than 0.0.0.0/0. A default route to a virtual appliance does not override a more specific route. To force traffic to the appliance, you need a matching UDR for the peered address range, not only a catch-all default route.

Why this answer

Azure uses the longest prefix match to determine the next hop for traffic. The user-defined route (UDR) for 0.0.0.0/0 is a default route, while the peering route for 10.2.0.0/16 is more specific. Since 10.2.2.7 falls within the 10.2.0.0/16 range, the peering route is preferred over the default route, directing traffic through the VNet peering instead of the virtual appliance.

Exam trap

The trap here is that candidates assume a default route (0.0.0.0/0) always forces all internet-bound or cross-VNet traffic through a virtual appliance, forgetting that more specific routes—such as those from VNet peering—override the default route based on prefix length.

How to eliminate wrong answers

Option A is wrong because user-defined routes do apply to peered networks; routes are selected by prefix specificity, and a UDR whose prefix matches the peered address range overrides the peering route. Option C is wrong because NSG rules filter traffic based on allowed/denied flows but do not determine the next hop; route tables control the path, and NSGs are evaluated after routing.

Option D is wrong because VNet peering works across regions (global peering) as long as both VNets are in the same Azure cloud; the question does not specify a regional restriction.

625
Multi-Selectmedium

A compliance team wants to identify all resources in a department that are missing an Environment tag, but they do not want to stop users from creating or changing resources. Which two choices should the administrator make? Select two.

Select 2 answers
A.Use an Azure Policy assignment with the Audit effect.
B.Assign the policy at the management group scope that contains the department subscriptions.
C.Use the Deny effect.
D.Grant Reader on the subscription to the compliance team.
E.Apply a ReadOnly lock to all resource groups.
AnswersA, B

Audit records noncompliance without blocking activity. That makes it ideal for compliance reporting when the organization wants visibility first and enforcement later.

Why this answer

Option A is correct because the Audit effect in Azure Policy allows the compliance team to identify resources missing an Environment tag without blocking resource creation or modification. This effect logs non-compliant resources to the activity log, enabling visibility without enforcement. Option B is correct because assigning the policy at the management group scope ensures it applies to all subscriptions within that department, covering all resources under a single governance boundary.

Exam trap

The trap here is that candidates often confuse the Audit effect with the Deny effect, thinking they need to block non-compliant resources to identify them, or they mistakenly believe granting Reader access is sufficient for automated tag discovery, when in fact Azure Policy is the correct tool for compliance evaluation without enforcement.

626
Multi-Selecteasy

A development team needs one storage account to host blob containers, Azure Files shares, and blob lifecycle management rules. Which two statements about the account are correct? Select two.

Select 2 answers
A.It should be a General-purpose v2 storage account.
B.It must be a BlobStorage account.
C.It can host both blob containers and Azure Files shares.
D.It must use only zone-redundant storage to use lifecycle rules.
E.It cannot use lifecycle management for blobs.
AnswersA, C

A General-purpose v2 account supports blob storage, Azure Files, and lifecycle management features.

Why this answer

A General-purpose v2 (GPv2) storage account is required because it supports the latest storage features, including blob lifecycle management rules, blob containers, and Azure Files shares. GPv2 accounts provide the necessary REST API endpoints and management capabilities for lifecycle policies, which are not available in older account types like BlobStorage or General-purpose v1.

Exam trap

The trap here is that candidates often confuse the BlobStorage account type as a universal blob solution, forgetting it cannot host Azure Files shares, and they may also incorrectly assume lifecycle management requires a specific replication redundancy like ZRS.

627
MCQmedium

Based on the exhibit, which Azure service should you deploy to provide browser-based administrative access to the VM without assigning it a public IP address?

A.Azure Bastion
B.Azure VPN Gateway
C.Public IP address on the VM
D.Azure Load Balancer
AnswerA

Azure Bastion provides secure RDP and SSH access from the portal over the browser without exposing a public IP.

Why this answer

Azure Bastion provides secure, seamless RDP/SSH connectivity to virtual machines directly in the Azure portal over TLS, without requiring a public IP address on the VM. It uses a hardened bastion host in your virtual network that brokers the connection, eliminating exposure of the VM to the internet.

Exam trap

The trap here is that candidates often confuse Azure Bastion with a VPN Gateway, thinking both provide secure remote access, but Bastion is specifically for browser-based administrative sessions without a public IP, while VPN Gateway extends the network for full client-to-site or site-to-site connectivity.

How to eliminate wrong answers

Option B (Azure VPN Gateway) is wrong because it establishes site-to-site or point-to-site encrypted tunnels for network-level connectivity, not browser-based administrative access; it still requires the VM to have a private IP and does not provide a portal-based RDP/SSH session. Option C (Public IP address on the VM) is wrong because it directly exposes the VM to the internet, which contradicts the requirement of no public IP; it also does not provide browser-based access by itself. Option D (Azure Load Balancer) is wrong because it distributes inbound traffic across multiple VMs for high availability and scaling, not for administrative access; it does not offer browser-based RDP/SSH connectivity.

628
Multi-Selectmedium

You are responsible for managing a large Azure environment with multiple subscriptions. You need to ensure compliance with company policies by auditing resource changes and enabling automated remediation for non-compliant resources. Which three of the following Azure services or features should you use? (Choose three.)

Select 3 answers
A.Azure Policy to define and enforce rules for resource configurations.
B.Azure Activity Log to record and review all management operations on resources.
C.Azure Automation with runbooks to automatically remediate non-compliant resources.
D.Azure Security Center (Defender for Cloud) to monitor for security threats.
E.Azure Resource Graph to query and visualize resource properties across subscriptions.
F.Azure Blueprints to package and deploy environment definitions.

Why this answer

Azure Policy is correct because it allows you to define and enforce rules for resource configurations, ensuring compliance with company policies. The Activity Log is correct because it records all management operations, providing an audit trail for resource changes. Azure Automation with runbooks is correct because it can be triggered by Azure Policy or Activity Log alerts to automatically remediate non-compliant resources, such as stopping an unapproved VM or applying a required tag.

Exam trap

The trap here is that candidates often confuse Azure Policy with Azure Blueprints, thinking Blueprints provides ongoing auditing, when in fact Blueprints is only for initial deployment and does not monitor or remediate changes after deployment.

629
MCQeasy

A VM-based application needs to read from Azure Storage without storing a password, access key, or other secret in code or configuration. The identity should also be removed automatically if the VM is deleted. What should you enable?

A.A system-assigned managed identity
B.A user-assigned managed identity
C.A storage account access key
D.A shared access signature
AnswerA

A system-assigned managed identity is attached to the VM itself, enabling secretless access and automatic cleanup when the VM is deleted.

Why this answer

A system-assigned managed identity is the correct choice because it is tied directly to the lifecycle of the Azure VM: when the VM is deleted, the identity is automatically removed. It allows the VM to authenticate to Azure Storage without storing any secrets in code or configuration, using Azure AD tokens obtained via the Azure Instance Metadata Service (IMDS) endpoint at 169.254.169.254.

Exam trap

The trap here is that candidates often confuse user-assigned managed identities with system-assigned ones, overlooking the key requirement that the identity must be automatically removed when the VM is deleted, which only system-assigned identities guarantee.

How to eliminate wrong answers

Option B is wrong because a user-assigned managed identity is a standalone Azure resource that is not automatically deleted when the VM is deleted; it must be manually cleaned up, which violates the requirement for automatic removal. Option C is wrong because a storage account access key is a static secret that must be stored in code or configuration, directly contradicting the requirement to avoid storing secrets. Option D is wrong because a shared access signature (SAS) is a token that must be generated and stored in code or configuration, and it does not provide automatic identity removal tied to the VM lifecycle.

630
MCQhard

After a bad script ran, one file at C:\Finance\Q4.xlsx was deleted from a Windows VM. The VM is still running, and the team wants only that file restored without replacing the operating system disk or restarting the VM. What should the administrator use from Azure Backup?

A.Restore the entire VM to a new instance so the deleted file comes back automatically.
B.Perform a file-level restore from the recovery point and copy only the missing file back.
C.Restore the managed disks and replace the existing disks on the running VM.
D.Use Azure Monitor logs to reconstruct the file because the backup vault stores telemetry.
AnswerB

File-level restore is the correct Azure Backup workflow when only a specific file or folder must be recovered. The administrator mounts the recovery point, browses the backed-up file system, and copies back the missing file without replacing disks or redeploying the VM. This keeps the running server intact and minimizes recovery time and operational risk. It is the least disruptive way to recover a single deleted file.

Why this answer

Azure Backup for Azure VMs supports file-level restore (FLR) from recovery points without requiring a full VM restore or disk replacement. This allows you to mount the recovery point as a drive on the running VM, browse the file system, and copy only the missing file (C:\Finance\Q4.xlsx) back to its original location. The VM remains online and no OS disk replacement or restart is needed.

Exam trap

The trap here is that candidates often assume file-level restore requires the VM to be stopped or that only full VM or disk restore options are available, but Azure Backup's file-level restore feature is specifically designed for granular recovery on a running VM.

How to eliminate wrong answers

Option A is wrong because restoring the entire VM to a new instance would create a separate VM, not restore the file to the existing running VM, and it would incur unnecessary cost and complexity. Option C is wrong because restoring managed disks and replacing the existing disks on the running VM would require stopping the VM, detaching the old disks, and attaching the restored disks, which violates the requirement of not restarting the VM. Option D is wrong because Azure Monitor logs do not store file content or telemetry from backup vaults; they collect metrics and logs for monitoring, not file-level data for reconstruction.

631
MCQmedium

Two Azure virtual machines run the same automation script and both need access to Key Vault and Storage. The script must keep working if one VM is redeployed, and the team wants the same identity to be usable by both VMs. What should the administrator use?

A.A system-assigned managed identity on each VM
B.A user-assigned managed identity attached to both VMs
C.A service principal stored in a configuration file on the VMs
D.A storage account access key stored in the script
AnswerB

A user-assigned identity is reusable, can be shared, and survives VM replacement or redeployment.

Why this answer

A user-assigned managed identity is the correct choice because it is created as a standalone Azure resource and can be assigned to multiple VMs. This ensures both VMs share the same identity for accessing Key Vault and Storage, and the identity persists independently of any single VM's lifecycle, so redeploying one VM does not break access for the other.

Exam trap

The trap here is that candidates often assume a system-assigned managed identity can be shared across VMs because it is 'managed,' but they overlook that it is inherently tied to a single resource's lifecycle and cannot be assigned to multiple resources.

How to eliminate wrong answers

Option A is wrong because a system-assigned managed identity is tied to the lifecycle of a single VM; if that VM is deleted, the identity is also deleted, and it cannot be shared across multiple VMs. Option C is wrong because storing a service principal in a configuration file on the VMs introduces credential management overhead, security risks (e.g., credential leakage), and the need to rotate secrets, which contradicts the goal of a passwordless, resilient identity. Option D is wrong because a storage account access key stored in the script is a static secret that must be managed securely, cannot be shared across VMs without exposing the key, and does not provide a unified identity for both Key Vault and Storage access.

632
MCQmedium

Based on the exhibit, the team wants a single notification setup that can be reused by several alert rules across different subscriptions. What should the administrator create?

A.A Log Analytics workspace with custom tables
B.An action group
C.A management group
D.A resource lock
AnswerB

An action group centralizes notification and automation actions and can be linked to many alerts. That makes it the correct reusable mechanism for email, SMS, and webhook delivery across multiple alert rules and subscriptions.

Why this answer

An action group is the correct choice because it is a reusable Azure Monitor resource that defines notification preferences (e.g., email, SMS, webhook, ITSM) and can be associated with multiple alert rules across different subscriptions. This allows the team to create a single notification setup once and reference it from any alert rule, ensuring consistent notification behavior without duplicating configuration.

Exam trap

The trap here is that candidates often confuse management groups (which organize subscriptions) with action groups (which handle notifications), mistakenly thinking a management group can centralize alert notifications across subscriptions when it cannot.

How to eliminate wrong answers

Option A is wrong because a Log Analytics workspace with custom tables is used for collecting, storing, and querying log data, not for defining notification actions; it cannot be directly reused as a notification setup for alert rules. Option C is wrong because a management group is a hierarchical container for organizing and managing access, policies, and compliance across multiple subscriptions, but it does not provide notification or action capabilities for alerts. Option D is wrong because a resource lock prevents accidental deletion or modification of resources, but it has no role in configuring alert notifications or actions.

633
MCQhard

VM-Web01 is connected to Subnet-Web in VNet-Prod. Users on the internet cannot access the website hosted on TCP port 443. You confirm that VM-Web01 has a public IP address and the web service is running. You need to allow inbound HTTPS traffic with the least administrative effort. What should you do?

A.Add an inbound NSG rule allowing TCP 443.
B.Create a user-defined route to the internet.
C.Configure VNet peering with another virtual network.
D.Create a private endpoint for VM-Web01.
AnswerA

An inbound allow rule for TCP 443 on the NSG attached to the VM's NIC or to Subnet-Web lets HTTPS traffic from the internet reach VM-Web01, which is all the scenario requires.

Why this answer

The VM has a public IP and the web service is running, but internet users cannot access it. The most common reason is that the Network Security Group (NSG) associated with the subnet or NIC is blocking inbound traffic. Adding an inbound NSG rule to allow TCP 443 is the least administrative effort to permit HTTPS traffic from the internet.

Exam trap

The trap here is that candidates may think a public IP alone is sufficient for internet access, forgetting that an NSG acts as a stateful packet filter whose default rules deny inbound traffic from the internet unless a higher-priority rule explicitly allows it.

How to eliminate wrong answers

Option B is wrong because a user-defined route (UDR) controls traffic leaving the subnet, not inbound access; it cannot allow inbound HTTPS traffic. Option C is wrong because VNet peering connects two virtual networks privately, but it does not provide internet-facing access to a VM. Option D is wrong because a private endpoint is used to securely access Azure PaaS services over a private IP, not to allow inbound internet traffic to a VM.

634
Drag & Dropmedium

Order the steps to configure Azure DNS for a custom domain.


Why this order

Create zone, add records, get name servers, update registrar, verify.

635
MCQhard

Your company wants to know when an Azure service outage in the region might affect subscribed resources, even if no metric threshold has been crossed yet. Which alert type should you configure?

A.A metric alert
B.A Service Health alert
C.A budget alert
D.A boot diagnostics alert
AnswerB

Service Health alerts notify you about Azure service issues, planned maintenance, and health advisories relevant to your subscription.

Why this answer

Service Health alerts are designed to notify you about Azure service incidents, maintenance, health advisories, and security advisories that may impact your subscribed resources. Unlike metric alerts, they trigger based on Azure's own health status rather than any metric threshold you configure, making them ideal for detecting region-wide outages before they affect your specific metrics.

Exam trap

The trap here is that candidates often confuse metric alerts (which require a threshold) with Service Health alerts (which are event-driven from Azure's own health signals), leading them to choose metric alerts when the question explicitly states 'no metric threshold has been crossed yet.'

How to eliminate wrong answers

Option A is wrong because metric alerts monitor specific resource metrics (e.g., CPU percentage, memory usage) and only fire when a defined threshold is crossed; they cannot detect an Azure service outage that hasn't yet impacted those metrics. Option C is wrong because budget alerts are part of Cost Management and track spending against a defined budget, not service health or outages. Option D is wrong because boot diagnostics alerts are specific to virtual machine boot failures and are not designed to monitor Azure service health or regional outages.

636
MCQhard

Your company uses Microsoft Entra ID. A new engineer must be able to create virtual machines in RG-Dev but must not be able to assign roles to other users. Which built-in role should you assign at the RG-Dev scope?

A.Owner
B.Virtual Machine Contributor
C.User Access Administrator
D.Reader
AnswerB

This allows VM management in the resource group without permission to grant access.

Why this answer

The Virtual Machine Contributor role provides the exact permissions needed: it allows creating and managing virtual machines within the specified scope (RG-Dev), but explicitly does not include the ability to assign roles to other users. This role grants write access to compute resources while preserving the principle of least privilege.

Exam trap

The trap here is that candidates often confuse the Virtual Machine Contributor role with the Owner role, mistakenly thinking that any contributor-level role includes role assignment capabilities, when in fact only Owner and User Access Administrator have that permission.

How to eliminate wrong answers

Option A is wrong because the Owner role includes the 'Microsoft.Authorization/roleAssignments/write' permission, which allows assigning roles to other users, violating the requirement. Option C is wrong because the User Access Administrator role is specifically designed to manage user access and role assignments, directly enabling the prohibited action. Option D is wrong because the Reader role only allows viewing resources, not creating virtual machines.

637
MCQ · hard

A web application runs in Azure App Service and uploads files to Azure Blob Storage. The storage account has shared key access disabled, and the app must not store secrets in configuration. If the App Service is deleted and recreated later, the storage access should be removed automatically with the app. What should you configure?

A. A system-assigned managed identity with Blob Data Contributor permissions on the container.
B. A user-assigned managed identity with Blob Data Reader permissions on the storage account.
C. A shared access signature generated from the storage account key.
D. A storage account access key stored in an application setting.
Answer: A

A system-assigned managed identity is tied directly to the App Service instance and disappears when the app is deleted, which satisfies the automatic cleanup requirement. Because shared key access is disabled and secrets are not allowed in configuration, the app should authenticate through Microsoft Entra ID using the managed identity. Assigning Blob Data Contributor at the appropriate scope allows upload access without storing credentials.

Why this answer

A system-assigned managed identity is tied to the App Service lifecycle, so when the app is deleted, the identity is automatically removed, revoking access to Blob Storage. Granting Blob Data Contributor permissions on the container allows the app to upload files without storing any secrets, satisfying the requirement that shared key access is disabled and no secrets are stored in configuration.

Exam trap

The trap here is that candidates might choose a user-assigned managed identity (Option B) because it also avoids secrets, but they overlook the requirement that access must be automatically removed when the app is deleted, which only a system-assigned identity guarantees.

How to eliminate wrong answers

Option B is wrong because a user-assigned managed identity persists independently of the App Service lifecycle, so deleting the app would not automatically remove storage access; also, Blob Data Reader is insufficient for uploading files. Option C is wrong because a shared access signature (SAS) requires a storage account key to generate, and shared key access is disabled, making this option invalid; additionally, the SAS would need to be stored as a secret. Option D is wrong because storing a storage account access key in an application setting violates the requirement that the app must not store secrets in configuration, and shared key access is disabled.

638
MCQ · medium

A lifecycle rule moved old audit logs to the Archive tier. A support engineer now needs to read one archived blob, and the download request fails with a message that the blob is archived. The engineer can wait several hours for the data to become available. What should the administrator do?

A. Enable versioning on the storage account so the archived blob can be read immediately.
B. Change the blob tier from Archive to Hot or Cool to start rehydration.
C. Move the blob to a different container in the same storage account.
D. Switch the storage account replication from LRS to ZRS.
Answer: B

Archived blobs are offline and cannot be read until they are rehydrated. Changing the access tier to Hot or Cool begins the rehydration process, after which the blob becomes available again. Because the engineer can wait, this is the correct administrative action rather than copying the data elsewhere or changing account settings.

Why this answer

Option B is correct because archived blobs in Azure Storage are offline and cannot be read directly. To access the data, the blob must first be rehydrated by changing its tier to Hot or Cool, which initiates an asynchronous copy of the blob data to an online tier. This process can take up to 15 hours, matching the engineer's ability to wait several hours.

Exam trap

The trap here is that candidates may confuse storage account settings (versioning, replication, container moves) with blob-tier operations, failing to recognize that only a tier change initiates rehydration for archived blobs.

How to eliminate wrong answers

Option A is wrong because enabling versioning creates new versions of blobs on writes, but does not change the tier of existing archived blobs; the archived blob remains offline and unreadable. Option C is wrong because moving a blob to a different container does not alter its tier; the blob stays in the Archive tier and remains inaccessible. Option D is wrong because changing replication from LRS to ZRS affects redundancy and durability, but does not affect the blob's tier or its offline status; the archived blob still requires rehydration.

639
MCQ · hard

A company has VNet-A with address space 10.20.0.0/16 and active workloads in several subnets. The team must peer VNet-A with VNet-B, but VNet-B currently uses 10.20.128.0/17 and cannot be rebuilt from scratch. What should the administrator do first to make peering possible without interrupting current workloads?

A. Create the peering now and let Azure automatically route overlapping prefixes.
B. Add a new non-overlapping address space to VNet-B, create replacement subnets there, and migrate workloads gradually.
C. Attach a route table to VNet-B so traffic to VNet-A is forced through a firewall appliance.
D. Create a private endpoint between the two VNets so Azure ignores the overlap during connectivity checks.
Answer: B

A second non-overlapping range lets you prepare new subnets and move workloads before removing the conflicting range.

Why this answer

Azure Virtual Network peering requires that the address spaces of the peered VNets do not overlap. VNet-A uses 10.20.0.0/16, which fully contains VNet-B's 10.20.128.0/17, creating an overlap. Since VNet-B cannot be rebuilt, the correct first step is to add a new non-overlapping address space (e.g., 10.30.0.0/16) to VNet-B, create subnets in that new range, migrate workloads gradually, and then remove the overlapping address space before establishing the peering.

This ensures no IP conflicts and avoids disrupting existing workloads.

Exam trap

The trap here is that candidates assume Azure can handle overlapping address spaces through routing tricks (like route tables or firewalls), but Azure VNet peering strictly prohibits any address overlap and will reject the peering request outright, forcing you to resolve the conflict by adding a non-overlapping address space and migrating workloads.

How to eliminate wrong answers

Option A is wrong because Azure does not automatically route overlapping prefixes; peering creation will fail with an error indicating overlapping address spaces, and even if forced, traffic routing would be ambiguous and unpredictable. Option C is wrong because attaching a route table with a firewall appliance does not resolve the fundamental address overlap; Azure still checks for overlapping address spaces at peering creation time and will reject the request regardless of routing policies. Option D is wrong because private endpoints are used for secure access to PaaS services over a private IP, not to bypass address space overlap checks; Azure still validates that the VNet address spaces do not overlap before allowing peering.

640
MCQ · medium

After a custom image is applied, a VM restarts to a black screen and never reaches the login prompt. The administrator needs the fastest way to inspect what happened during boot without logging into the guest OS. What should be enabled or reviewed first?

A. Boot diagnostics
B. Azure Monitor metric alert
C. VM extension status
D. Network Watcher IP flow verify
Answer: A

Boot diagnostics captures a screenshot and serial log data that help diagnose failures before the guest OS loads.

Why this answer

Boot diagnostics captures serial console output and screenshots of the VM during boot, allowing you to inspect boot failures like a black screen without guest OS access. This is the fastest method because it provides immediate, out-of-band visibility into the boot process, including kernel panics or driver issues, without requiring RDP or SSH connectivity.

Exam trap

The trap here is that candidates often confuse Boot diagnostics (which captures boot-time logs and screenshots) with VM extension status or metrics, mistakenly thinking they can diagnose a boot failure from post-boot telemetry or network checks.

How to eliminate wrong answers

Option B is wrong because Azure Monitor metric alerts monitor performance metrics (e.g., CPU, memory) and cannot capture boot-time logs or screenshots; they are reactive to post-boot conditions, not boot failures. Option C is wrong because VM extension status shows the state of installed extensions (e.g., custom scripts, antivirus), which run after the OS loads, so they cannot reveal why the VM failed to reach the login prompt during boot. Option D is wrong because Network Watcher IP flow verify checks network connectivity (e.g., allowed/denied traffic) between a source and destination, which is irrelevant to a boot failure that manifests as a black screen before any network services start.

641
Multi-Select · hard

A 180-GB blob is in the Archive tier. A legal team needs the file available later today and expects to open it several times during review. Which two actions should the administrator take? Select two.

Select 2 answers
A. Initiate rehydration of the blob to the Hot tier.
B. Leave the blob in Archive and rely on first access to trigger rehydration.
C. Choose High priority rehydration.
D. Copy the blob to a new container and keep it in Archive.
E. Apply a lifecycle rule that moves the blob to Cool after rehydration completes.
Answers: A, C

Archive blobs must be rehydrated before access. Moving the blob to Hot makes it immediately usable after the rehydration finishes.

Why this answer

Option A is correct because it explicitly initiates rehydration to a tier that supports frequent reads: the Hot tier is optimized for high access rates, and the legal team expects to open the file several times later today. Option C is correct because High priority rehydration completes faster than Standard priority, which is what makes the blob available the same day; Standard priority rehydration can take up to 15 hours.

Exam trap

The trap here is that candidates may think Archive blobs are automatically rehydrated on first read (like Cool tier's 'first access' feature), but Archive requires explicit rehydration, and the priority setting (Standard vs. High) determines the speed of that rehydration.

642
MCQ · medium

A business-critical application uses an Azure storage account. The company requires that data remain available even if an entire Azure region becomes unavailable. Which redundancy option should you choose?

A. LRS
B. ZRS
C. GRS
D. GZRS
Answer: D

This best matches the requirement for both zone and region resilience.

Why this answer

D (GZRS) is correct because it combines zone-redundant storage (ZRS) within a primary region with geo-redundant replication to a secondary region, ensuring data remains available even if an entire Azure region becomes unavailable. This meets the business-critical requirement for regional disaster recovery while maintaining high durability and availability.

Exam trap

The trap here is that candidates often confuse GRS with GZRS, thinking GRS provides zone redundancy, but GRS only uses LRS in the primary region, making it vulnerable to zone-level failures within that region.

How to eliminate wrong answers

Option A (LRS) is wrong because it replicates data three times within a single datacenter, providing no protection against a full regional outage. Option B (ZRS) is wrong because it replicates data synchronously across three availability zones within a single region, but does not provide geo-replication to a secondary region. Option C (GRS) is wrong because it replicates data to a secondary region asynchronously, but uses LRS within the primary region, meaning a regional outage could cause data loss if the primary region fails before the async replication completes.

643
MCQ · medium

You need to ensure that junior administrators can view all resources in the Prod-Sub subscription but cannot create, modify, or delete any resources. Which Azure RBAC role should you assign?

A. Owner
B. Contributor
C. Reader
D. Monitoring Reader
Answer: C

Reader provides view-only access to resources across the assigned scope.

Why this answer

The Reader role is the correct choice because it grants read-only access to all resources in a subscription, including their properties and status, but does not allow any create, modify, or delete operations. This aligns perfectly with the requirement for junior administrators to view resources without making changes.

Exam trap

The trap here is that candidates often confuse the Monitoring Reader role with the Reader role, mistakenly thinking it provides full read access, but it only covers monitoring data, not all resource types.

How to eliminate wrong answers

Option A is wrong because the Owner role grants full access to manage all resources, including the ability to assign roles, which would allow junior administrators to create, modify, or delete resources. Option B is wrong because the Contributor role allows creating, modifying, and deleting resources, which violates the requirement for read-only access. Option D is wrong because the Monitoring Reader role only provides read access to monitoring data (e.g., metrics, logs, alerts) and does not grant visibility into all resource types like virtual machines or storage accounts.

644
MCQ · easy

A switch administrator wants log entries from multiple devices to be collected on one central server for later review. Which service should be configured?

A. DNS
B. NTP
C. Syslog
D. SNMP trap suppression
Answer: C

Syslog centralizes device logging.

Why this answer

Syslog is the standard protocol (RFC 5424) used for collecting and centralizing log messages from network devices, servers, and other infrastructure components. By configuring each device to send syslog messages to a central syslog server, the administrator can aggregate logs for unified review, monitoring, and troubleshooting. This directly meets the requirement for centralized log collection.

Exam trap

The trap here is that candidates often confuse SNMP traps (which are event-driven alerts) with syslog (which is a log message transport protocol), leading them to incorrectly select SNMP-related options when the question explicitly asks for log collection.

Why the other options are wrong

A

DNS is primarily used for resolving domain names to IP addresses and does not facilitate the collection of log entries from multiple devices. Therefore, it cannot be configured for central log management.

B

NTP (Network Time Protocol) is primarily used for synchronizing the clocks of network devices and does not facilitate the collection of log entries from multiple devices. Therefore, it does not meet the requirement for central log collection.

D

SNMP trap suppression is not a logging service; it is used to limit the number of SNMP traps sent from devices to a management system. This option does not address the requirement for collecting log entries from multiple devices.

645
MCQ · easy

Based on the exhibit, you need to return only the failed operations from the log entries. Which KQL query should you use?

A. AzureActivity | where ActivityStatusValue == "Failed" | project TimeGenerated, OperationName, Caller
B. AzureActivity | summarize count() by Caller
C. AzureActivity | top 10 by TimeGenerated
D. AzureActivity | where ActivityStatusValue == "Succeeded"
Answer: A

This filters the table to failed rows and keeps the useful columns for review.

Why this answer

Option A is correct because the KQL query filters the AzureActivity table using the `where` clause to return only rows where `ActivityStatusValue` equals `"Failed"`, then projects the relevant columns `TimeGenerated`, `OperationName`, and `Caller`. This directly meets the requirement to return only failed operations from the log entries.

Exam trap

The trap here is that candidates may confuse the `ActivityStatusValue` field with other status fields like `Status` or `ResultType`, or mistakenly choose an aggregation query (Option B) that summarizes data without filtering, failing to meet the precise requirement to return only failed operations.

How to eliminate wrong answers

Option B is wrong because it uses `summarize count() by Caller`, which aggregates the total number of operations per caller without filtering for failed operations, thus returning counts for all statuses. Option C is wrong because it uses `top 10 by TimeGenerated`, which returns the ten most recent log entries regardless of their status, failing to isolate failed operations. Option D is wrong because it filters for `ActivityStatusValue == "Succeeded"`, which explicitly returns only successful operations, the opposite of what is required.

646
MCQ · easy

A workload needs more CPU and memory than the current Azure VM size provides. The administrator wants to increase compute capacity without redeploying the application. What should be done?

A. Resize the VM to a larger size
B. Move the VM into an availability set
C. Replace the VM with a snapshot
D. Assign a user-assigned managed identity
Answer: A

Resizing changes the VM's compute capacity while keeping the same VM and typically preserves the installed application.

Why this answer

Resizing the Azure VM to a larger size (option A) directly increases the CPU and memory resources allocated to the VM without requiring redeployment of the application. Azure supports resizing VMs within the same hardware family or to a different family, provided the new size is available in the current region and the VM is not part of a VMSS with overprovisioning constraints. The resize operation updates the VM's SKU, and after a reboot, the new resources are available to the OS and applications.

Exam trap

The trap here is that candidates may confuse 'increasing compute capacity' with high availability features (availability set) or identity management, leading them to select options that do not address resource scaling.

How to eliminate wrong answers

Option B is wrong because moving a VM into an availability set does not change its compute capacity (CPU/memory); it only provides high availability by distributing replicas across fault and update domains. Option C is wrong because replacing a VM with a snapshot creates a new VM from a disk image, which requires redeployment and does not inherently increase the size of the original VM's resources. Option D is wrong because assigning a user-assigned managed identity grants the VM access to Azure resources (e.g., Key Vault, Storage) without affecting its CPU or memory allocation.

647
Multi-Select · medium

A customer-facing application has two goals: it must keep running if one datacenter in the region fails, and it must be able to scale out automatically during daily peaks. Which two Azure compute choices best match those requirements? Select two.

Select 2 answers
A. Deploy the workload across Availability Zones
B. Place all instances in one Availability Set
C. Use a Virtual Machine Scale Set with autoscale
D. Run a single VM behind a load balancer
E. Use a proximity placement group
Answers: A, C

Zones place instances in separate datacenters to reduce outage impact.

Why this answer

Option A is correct because deploying across Availability Zones provides datacenter-level fault tolerance: each zone is an isolated physical datacenter with independent power, cooling, and networking. If one zone fails, the application continues running in the other zones. Option C is correct because a Virtual Machine Scale Set with autoscale automatically adjusts the number of VM instances based on CPU or memory metrics, enabling the application to scale out during daily peaks and scale in during off-peak hours.

Exam trap

The trap here is that candidates often confuse Availability Sets (which protect against rack failures) with Availability Zones (which protect against datacenter failures), and they may overlook that a single VM behind a load balancer still has a single point of failure.

648
MCQ · medium

A container group in Azure Container Instances must pull a private image from Azure Container Registry without embedding registry credentials in the template. What should you configure?

A. A managed identity for the container group and the AcrPull role on the registry
B. An admin user account on the Azure Container Registry
C. A shared access signature in a container environment variable
D. A public network access rule that allows all Azure services
Answer: A

A managed identity lets the container group authenticate to ACR without secrets, and AcrPull grants pull permission.

Why this answer

Option A is correct because Azure Container Instances (ACI) can authenticate to Azure Container Registry (ACR) using a managed identity assigned to the container group. By granting the managed identity the AcrPull role on the registry, ACI can pull private images without embedding any credentials in the deployment template, leveraging Azure AD authentication and RBAC for secure access.

Exam trap

The trap here is that candidates often confuse network access controls (like 'Allow Azure Services' or service endpoints) with authentication mechanisms, assuming that enabling network rules alone grants pull access, when in fact a managed identity with AcrPull is required for credential-free authentication.

How to eliminate wrong answers

Option B is wrong because enabling the admin user account on ACR creates a static username/password pair that would need to be embedded in the container group template or passed as environment variables, violating the requirement to avoid embedding credentials. Option C is wrong because a shared access signature (SAS) is used for delegated access to Azure Storage resources (blobs, files, queues), not for authenticating to ACR; ACR uses OAuth2 tokens or admin credentials, not SAS tokens. Option D is wrong because a public network access rule allowing all Azure services only controls network-level access to the registry (bypassing firewalls), not authentication; it does not provide the container group with any identity or credentials to pull the image.

649
Multi-Select · easy

A company wants a storage account that keeps a readable copy in the secondary region and lets read operations continue if the primary region becomes unavailable. Which two redundancy options meet this requirement? Select two.

Select 2 answers
A. Locally redundant storage (LRS)
B. Zone-redundant storage (ZRS)
C. Geo-redundant storage (GRS)
D. Read-access geo-redundant storage (RA-GRS)
E. Read-access geo-zone-redundant storage (RA-GZRS)
Answers: D, E

RA-GRS replicates data to a secondary region and allows read access from that secondary endpoint.

Why this answer

Read-access geo-redundant storage (RA-GRS) is correct because it provides geo-redundant replication (GRS) with the added ability to read from the secondary region at all times, even when the primary region is available. If the primary region becomes unavailable, read operations can continue using the readable copy in the secondary region, meeting the requirement for continuous read access.

Exam trap

The trap here is that candidates often select GRS (Option C) thinking it provides read access to the secondary region, but GRS only allows read access after a failover, not continuously, which is a key distinction tested in the AZ-104 exam.

650
MCQ · medium

A support engineer must download a blob that was moved to the Archive tier by a lifecycle rule. The file must be available as soon as possible for an investigation. What should the engineer do first?

A. Download the blob directly from the Archive tier because archived blobs are always online.
B. Change the blob's tier to Hot or Cool and wait for rehydration to complete.
C. Move the blob to a different container in the same account to make it downloadable immediately.
D. Disable the lifecycle rule so the blob becomes immediately readable again.
Answer: B

Archived blobs are stored offline, so they must be rehydrated before the data can be read or downloaded. Changing the tier to Hot or Cool starts that process. If the engineer needs the blob available as quickly as possible, the appropriate administrative action is to initiate rehydration rather than trying to access the file directly from Archive.

Why this answer

Option B is correct because blobs in the Archive tier are offline and must be rehydrated to a Hot or Cool tier before they can be accessed. Rehydration can take up to 15 hours, but setting the tier to Hot or Cool initiates the process, making the blob available as soon as possible for investigation.

Exam trap

The trap here is that candidates may assume archived blobs are still accessible for download or that lifecycle rules can be disabled to instantly restore access, but Azure requires explicit tier change and rehydration before any read operation.

How to eliminate wrong answers

Option A is wrong because archived blobs are not always online; they are stored in an offline state and cannot be directly downloaded without rehydration. Option C is wrong because moving a blob to a different container does not change its tier or rehydrate it; the blob remains in the Archive tier and still inaccessible. Option D is wrong because disabling the lifecycle rule does not affect the blob's current tier; the blob remains in the Archive tier and must be explicitly rehydrated to become readable.

651
MCQ · easy

Based on the exhibit, the VPN gateway deployment fails during validation. What resource is missing?

A. A public IP address resource associated with the VPN gateway.
B. A network security group attached to GatewaySubnet.
C. A route table with a default route to the on-premises network.
D. A private endpoint for the on-premises VPN device.
Answer: A

A VPN gateway needs a public IP resource so the on-premises VPN device can establish encrypted tunnels to Azure. The exhibit already has GatewaySubnet, so the missing piece is the public-facing IP on the gateway itself. Once that resource is created and attached during deployment, the gateway can be provisioned successfully.

Why this answer

A VPN gateway requires a dedicated public IP address resource to establish the IPsec tunnel with the on-premises VPN device. During validation, Azure checks that a public IP address is associated with the gateway; if missing, the deployment fails because the gateway cannot route traffic over the internet or terminate the VPN connection.

Exam trap

The trap here is that candidates often confuse the requirement for a public IP on the VPN gateway with the need for an NSG or route table on GatewaySubnet, but Azure explicitly blocks NSG association on GatewaySubnet and route tables are optional for site-to-site VPNs.

How to eliminate wrong answers

Option B is wrong because a network security group (NSG) is not required on GatewaySubnet; in fact, Microsoft recommends against attaching an NSG to GatewaySubnet as it can interfere with gateway control plane traffic. Option C is wrong because a route table with a default route (0.0.0.0/0) to the on-premises network is not a prerequisite for VPN gateway deployment; such a route is typically used for forced tunneling but is not required for gateway creation. Option D is wrong because a private endpoint is used for accessing Azure PaaS services privately over the Microsoft backbone network, not for connecting an on-premises VPN device to a VPN gateway; the gateway uses a public IP for the IPsec tunnel.

652
Multi-Select · hard

A build agent VM is recreated from image every night. The OS can be lost on reimage, but build caches and artifacts must persist across rebuilds. The team also wants the cheapest OS storage option that supports this pattern. Which two choices should you make? Select two.

Select 2 answers
A. Use an ephemeral OS disk.
B. Place build caches and artifacts on a separate managed data disk.
C. Use a Premium SSD OS disk so the reimage is preserved.
D. Store the caches only on the temporary resource disk.
E. Use an availability set to make the OS disk persistent.
Answers: A, B

An ephemeral OS disk is the cheapest OS storage choice for a VM that can be recreated from image often. It is acceptable here because the scenario explicitly says the OS can be lost on reimage.

Why this answer

Option A is correct because an ephemeral OS disk uses the local VM storage or temp SSD, which is destroyed when the VM is deallocated or reimaged. This matches the requirement that the OS can be lost on reimage. Option B is correct because placing build caches and artifacts on a separate managed data disk ensures they persist independently of the OS disk lifecycle; data disks are not affected by OS reimaging and can be reattached to the new VM instance.

Exam trap

The trap here is that candidates often confuse the temporary resource disk (which is also ephemeral) with a managed data disk, or assume that Premium SSD or availability sets provide persistence, when in fact only a separate managed data disk ensures data survives OS reimaging.

653
MCQ · medium

A company has three business units. Each business unit needs its own subscription for billing and admin delegation. Corporate security wants one policy assignment to cover all current and future subscriptions in each business unit. What structure should you implement?

A. Place all resources in one subscription and separate them only by resource group
B. Create a management group for each business unit and place that unit's subscriptions underneath it
C. Assign the policy at each resource group because policies cannot target subscriptions
D. Create one resource group per business unit inside a shared subscription
Answer: B

Management groups provide a level above subscriptions, making them ideal for consistent policy assignment across multiple subscriptions in a business unit.

Why this answer

Management groups allow you to aggregate multiple subscriptions under a single hierarchy, enabling policy assignment at the management group level that applies to all current and future subscriptions within that group. This meets the requirement for per-business-unit billing isolation (via separate subscriptions) and centralized policy enforcement across all subscriptions in each unit.

Exam trap

The trap here is that candidates may think resource groups are sufficient for isolation and policy enforcement, overlooking that management groups provide subscription-level aggregation and inheritance that resource groups cannot achieve across multiple subscriptions.

How to eliminate wrong answers

Option A is wrong because placing all resources in one subscription with separate resource groups does not provide separate billing or admin delegation per business unit, and a single policy assignment would apply to all resources, not per unit. Option C is wrong because Azure Policy can be assigned at management group, subscription, and resource group scopes; the statement that policies cannot target subscriptions is false. Option D is wrong because creating one resource group per business unit inside a shared subscription does not provide separate billing or subscription-level isolation, and a single policy assignment would apply to all resource groups in that subscription, not per business unit.

654
Multi-Select · hard

A ReadOnly lock is applied to RG-App. Which two requested changes will fail because of the lock? Select two.

Select 2 answers
A. Resize a virtual machine to a larger SKU.
B. List the resources currently in the resource group.
C. Delete an unused public IP address.
D. Read the current tag values on the resource group.
E. View the VM power state in the portal.
Answers: A, C

Resizing requires a write operation, and ReadOnly blocks write operations against locked resources.

Why this answer

A ReadOnly lock on a resource group prevents any operations that modify existing resources or create/delete resources within that group. Resizing a VM to a larger SKU requires a write operation to the VM resource (specifically, updating the hardware profile), which is blocked by the lock. Deleting an unused public IP address is also a write operation (delete), which is blocked.

Read operations, such as listing resources or viewing tags, are allowed.

Exam trap

The trap here is that candidates often confuse a ReadOnly lock with a 'read-only' permission on the resource group itself, forgetting that read operations like listing resources or viewing tags are still allowed, while any write operation (including resize or delete) is blocked.

655
MCQ, medium

You need to synchronize an on-premises Windows file server with an Azure file share so that branch offices can continue using the local server while keeping cloud-based copies of the files. Which service should you configure?

A. Azure File Sync
B. Blob versioning
C. Azure NetApp Files
D. Storage account failover
Answer: A

Azure File Sync is designed to synchronize on-premises Windows file servers with Azure file shares.

Why this answer

Azure File Sync is the correct service because it enables you to centralize your on-premises file shares in Azure Files while maintaining local access to the data. It uses a sync agent installed on the Windows file server to replicate files to an Azure file share, allowing branch offices to continue using the local server with cloud-based copies for backup, disaster recovery, or multi-site access. This directly meets the requirement of keeping the on-premises server operational while maintaining cloud copies.

Exam trap

The trap here is that candidates often confuse Azure File Sync with Azure NetApp Files or Blob storage features, mistakenly thinking that any cloud storage service can synchronize on-premises data, but only Azure File Sync provides bidirectional sync with an on-premises Windows file server.

How to eliminate wrong answers

Option B is wrong because Blob versioning is a feature of Azure Blob Storage that maintains previous versions of blobs for data protection and recovery, but it does not synchronize on-premises file servers with the cloud. Option C is wrong because Azure NetApp Files provides high-performance NFS and SMB file shares for enterprise workloads, but it is a fully managed cloud service that does not sync with on-premises file servers. Option D is wrong because Storage account failover is a disaster recovery feature that automatically switches to a secondary region in the event of a primary region outage, but it does not provide ongoing synchronization between on-premises and cloud file shares.

656
MCQ, easy

Based on the exhibit, which identity should the administrator enable to remove the secret from app settings and have the identity disappear automatically when the app is deleted?

A. User-assigned managed identity
B. Service principal with a client secret
C. System-assigned managed identity
D. Shared access signature
Answer: C

A system-assigned managed identity is tied directly to the Azure resource, so it is created with the app and removed when the app is deleted. It is the best fit when you want to eliminate stored secrets and keep the identity lifecycle aligned to one resource.

Why this answer

The system-assigned managed identity is tied directly to the lifecycle of the Azure resource (e.g., an App Service). When you enable it, Azure automatically creates a service principal in Azure AD for that resource, and you can use the identity to access Azure Key Vault without storing secrets in app settings. When the resource is deleted, the system-assigned managed identity and its corresponding service principal are automatically removed, eliminating the need for manual cleanup.

Exam trap

The trap here is that candidates often confuse user-assigned managed identities with system-assigned ones, assuming both are automatically deleted with the resource, but only the system-assigned identity is tied to the resource's lifecycle.

How to eliminate wrong answers

Option A is wrong because a user-assigned managed identity is created as a standalone Azure resource with its own lifecycle; it does not automatically disappear when the app is deleted—you must delete it separately. Option B is wrong because a service principal with a client secret requires you to manually manage the secret (e.g., store it in app settings) and the service principal persists in Azure AD even after the app is deleted, requiring manual cleanup. Option D is wrong because a shared access signature (SAS) is a token used to delegate access to storage resources, not an identity for Azure AD authentication, and it does not automatically disappear when the app is deleted.

657
Multi-Select, medium

You are designing a governance strategy for an Azure environment that includes multiple subscriptions. You need to ensure that all resources deployed in the production subscription adhere to specific regulatory compliance requirements, such as encryption at rest and denying public network access. Which three of the following should you implement? (Choose three.)

Select 3 answers
A. Create a custom Azure Policy definition that enforces encryption at rest and denies public network access.
B. Assign the built-in Azure Policy initiative 'ISO 27001:2013' to the production subscription.
C. Assign a custom Azure Policy definition at the management group that contains the production subscription.
D. Create an Azure role-based access control (RBAC) role to enforce encryption and network restrictions.
E. Configure Azure Blueprints to include the custom policy assignment and assign the blueprint to the production subscription.
F. Use Azure Resource Graph to audit resources that do not meet compliance requirements.

Why this answer

Creating a custom Azure Policy definition allows you to enforce specific regulatory requirements like encryption at rest and denying public network access. Assigning this custom policy at the management group that contains the production subscription ensures the policy is inherited by the subscription and all its resources. Configuring Azure Blueprints to include the custom policy assignment and assigning the blueprint to the production subscription provides a repeatable, versioned deployment of the policy along with other artifacts, ensuring consistent governance.

Exam trap

The trap here is confusing Azure Policy (which enforces resource configuration rules) with Azure RBAC (which controls user permissions), leading candidates to incorrectly select RBAC as a method to enforce encryption and network restrictions.

658
MCQ, hard

The platform team wants to block deployment of virtual machines that use any size except a small approved list. Operators already have Contributor access and should keep that access for other tasks. Which Azure control should the administrator use to enforce the size restriction?

A. Assign an Azure Policy with an allowed virtual machine size rule and the Deny effect at the subscription scope.
B. Create a custom RBAC role that excludes unsupported VM sizes from the Contributor role.
C. Apply a CanNotDelete lock to the resource group that contains the virtual machines.
D. Assign Reader permissions to the operators and rely on Azure portal validation.
Answer: A

Azure Policy is designed to enforce configuration rules such as allowed regions or allowed VM sizes. The Deny effect blocks noncompliant deployments even when the user has Contributor permissions, because policy enforcement is separate from RBAC authorization.

Why this answer

Azure Policy with the 'allowed virtual machine sizes' built-in policy and the Deny effect is the correct control because it enforces a deny action at the resource creation or update level, preventing any VM deployment that does not match the approved size list. This works independently of RBAC permissions, so operators retain their Contributor role for other tasks while the policy blocks non-compliant VM sizes. The policy is assigned at the subscription scope to cover all resource groups, ensuring consistent enforcement across the environment.

Exam trap

The trap here is that candidates confuse Azure Policy (which controls resource properties) with RBAC (which controls who can perform actions), leading them to incorrectly choose a custom RBAC role when the requirement is to restrict a specific configuration, not the action itself.

How to eliminate wrong answers

Option B is wrong because a custom RBAC role cannot exclude specific VM sizes; RBAC controls permissions to perform actions (e.g., 'Microsoft.Compute/virtualMachines/write'), not the properties of the resource being created. Option C is wrong because a CanNotDelete lock only prevents deletion of resources, not creation or modification, so it cannot block deployment of unapproved VM sizes. Option D is wrong because Reader permissions prevent operators from creating any VMs at all, which contradicts the requirement that they keep Contributor access for other tasks, and Azure portal validation is client-side only and can be bypassed via PowerShell, CLI, or API calls.

659
MCQ, medium

A company merged with another business, and two Azure virtual networks need to be peered for shared application access. One VNet uses 10.20.0.0/16 and the other uses 10.20.128.0/17. The administrator must make the peering work with minimal operational complexity. What should be done first?

A. Create a route table on both VNets and point the overlapping prefixes to a virtual appliance.
B. Renumber one VNet to a non-overlapping address range before creating the peering.
C. Enable gateway transit on both VNets so overlapping ranges can be routed around.
D. Create a private endpoint in each VNet for the applications that need access.
Answer: B

Peering requires non-overlapping CIDR ranges, so one network must be redesigned first.

Why this answer

Azure VNet peering requires non-overlapping address spaces. The two VNets (10.20.0.0/16 and 10.20.128.0/17) overlap because 10.20.128.0/17 is a subset of 10.20.0.0/16. Peering will fail with an error about overlapping address ranges.

Renumbering one VNet to a non-overlapping range (e.g., 10.21.0.0/16) is the only way to satisfy the prerequisite for peering with minimal operational complexity.

Exam trap

The trap here is that candidates assume overlapping ranges can be handled with routing or network virtual appliances, but Azure VNet peering has a hard requirement for non-overlapping address spaces at creation time, and no post-peering configuration can override this.

How to eliminate wrong answers

Option A is wrong because creating route tables and pointing overlapping prefixes to a virtual appliance does not resolve the fundamental peering requirement that VNet address spaces must not overlap; Azure blocks peering creation entirely when ranges overlap, so no routing trick can bypass this. Option C is wrong because gateway transit is used to allow a peered VNet to use a VPN gateway in another VNet, not to resolve overlapping address spaces; overlapping ranges still prevent peering from being established. Option D is wrong because private endpoints provide private connectivity to Azure PaaS services and are not a way to resolve overlapping VNet address spaces; they do not enable VNet peering when ranges conflict.
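As an added example (not from the question bank), the following Python checks the two address spaces from this question for overlap the way the peering prerequisite does, and validates a candidate replacement range before any renumbering is done; the VNet names are constructed here and 10.21.0.0/16 is the replacement the explanation suggests.

```python
"""Check Azure VNet address spaces for overlap before creating a peering."""
import ipaddress
from itertools import combinations

# Constructed sample: the two merged VNets from the question.
VNETS = {
    "vnet-company-a": ["10.20.0.0/16"],
    "vnet-company-b": ["10.20.128.0/17"],
}


def find_overlaps(vnets):
    """Return (vnet1, vnet2, prefix1, prefix2) for every overlapping pair.

    Azure rejects a peering when any address space of one VNet overlaps any
    address space of the other, so every prefix pair is compared. A prefix
    with host bits set (e.g. 10.21.0.1/16) raises ValueError because
    strict=True; Azure would reject such an address space as well.
    """
    overlaps = []
    for (name_a, spaces_a), (name_b, spaces_b) in combinations(vnets.items(), 2):
        for pa in spaces_a:
            for pb in spaces_b:
                net_a = ipaddress.ip_network(pa, strict=True)
                net_b = ipaddress.ip_network(pb, strict=True)
                if net_a.overlaps(net_b):
                    overlaps.append((name_a, name_b, pa, pb))
    return overlaps


def can_peer(vnets):
    """True only when no address space of any VNet overlaps another's."""
    return not find_overlaps(vnets)


def propose_renumber(vnets, vnet_to_move, new_prefix):
    """Return (updated_vnets, peerable) with vnet_to_move renumbered.

    The input dict is left unchanged so a candidate range can be checked
    before the disruptive renumbering is actually carried out.
    """
    updated = {name: list(spaces) for name, spaces in vnets.items()}
    updated[vnet_to_move] = [new_prefix]
    return updated, can_peer(updated)


if __name__ == "__main__":
    for a, b, pa, pb in find_overlaps(VNETS):
        print(f"{a} {pa} overlaps {b} {pb}: peering would be rejected")
    _, ok = propose_renumber(VNETS, "vnet-company-b", "10.21.0.0/16")
    print("peerable after renumbering to 10.21.0.0/16:", ok)
```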

660
MCQ, hard

An enterprise has 30 Azure subscriptions. Production subscriptions need a common baseline of allowed regions, required tags, and approved SKU rules, and any new production subscription must inherit those rules automatically. Sandbox subscriptions should follow a separate, lighter baseline. Which Azure construct should the team use to organize this governance model?

A. A separate resource group for each business unit inside every subscription.
B. A management group hierarchy with separate production and sandbox branches.
C. A set of resource locks applied directly to critical resources in each subscription.
D. A single policy exemption applied at the tenant root.
Answer: B

Management groups are designed for organizing subscriptions and inheriting governance across many subscriptions.

Why this answer

Management groups allow you to build a hierarchy of Azure subscriptions and apply Azure Policy at the management group scope. By creating separate management group branches for production and sandbox, you can assign distinct policy sets (allowed regions, required tags, approved SKUs) to each branch, and any new subscription placed under the production branch will automatically inherit those baseline rules.

Exam trap

The trap here is that candidates confuse resource groups or resource locks with policy-based governance, failing to recognize that only management groups combined with Azure Policy can enforce a common baseline across multiple subscriptions and automatically apply to new subscriptions placed in the hierarchy.

How to eliminate wrong answers

Option A is wrong because resource groups are containers within a single subscription and cannot enforce policies across multiple subscriptions or automatically apply to new subscriptions. Option C is wrong because resource locks prevent accidental deletion or modification but cannot enforce allowed regions, required tags, or approved SKU rules across subscriptions. Option D is wrong because a policy exemption is used to exclude a scope from a policy effect, not to define or enforce baseline rules; applying it at the tenant root would exempt all subscriptions from policies, which is the opposite of what is needed.

661
Multi-Select, medium

A DevOps engineer must run an Azure CLI script from a Windows VM to create resources in a specific resource group in another subscription. The script must not use a client secret or password, and access should be limited to only that resource group. Which three actions should the administrator take? Select three.

Select 3 answers
A. Enable a system-assigned managed identity on the source VM so the script can authenticate without stored credentials.
B. Assign Contributor on the target resource group to the VM identity so the script can create the required resources.
C. Use az login --identity in the script before running the Azure CLI deployment commands.
D. Create a service principal and store its client secret in a file on the VM for the script to read.
E. Grant Reader on the resource group because Reader permissions are sufficient for Azure CLI resource creation.
Answers: A, B, C

A system-assigned managed identity is tied directly to the VM and removes the need to store secrets on disk. It is the simplest credential-free option when a script runs inside a single virtual machine and must access Azure resources programmatically.

Why this answer

Option A is correct because enabling a system-assigned managed identity on the source VM allows the Azure CLI script to authenticate to Azure without storing any client secret or password. The managed identity is automatically managed by Azure AD and tied to the VM lifecycle, eliminating the need for credential management.

Exam trap

The trap here is that candidates may confuse Reader with Contributor, thinking Reader is sufficient for CLI commands, or they may default to creating a service principal with a secret, missing the managed identity approach that avoids stored credentials.

662
MCQ, easy

You are creating a new Ubuntu VM and want it to create a local admin account and install packages automatically on the first boot. Which approach should you use?

A. Use an availability set so the script runs during placement.
B. Use cloud-init to run first-boot configuration in Linux.
C. Use a snapshot of the operating system disk.
D. Use a custom image and manually log in later.
Answer: B

cloud-init is designed for Linux first-boot automation and can create users, install packages, and apply startup settings.

Why this answer

Cloud-init is the standard method for automating first-boot configuration on Linux VMs in Azure. It processes user-data (such as cloud-config YAML) to create users, install packages, and run scripts during initial boot, making it the correct choice for creating a local admin account and installing packages automatically.

Exam trap

The trap here is that candidates may confuse availability sets with orchestration features or assume snapshots can trigger automation, missing that cloud-init is the Azure-native solution for first-boot configuration in Linux.

How to eliminate wrong answers

Option A is wrong because an availability set is a logical grouping for VM fault and update domains, not a mechanism to run scripts during placement. Option C is wrong because a snapshot captures the disk state at a point in time but does not trigger any automated first-boot configuration. Option D is wrong because a custom image only provides a pre-configured OS; it does not automatically create a local admin account or install packages on first boot without additional tooling like cloud-init.

663
Multi-Select, hard

A development team wants to publish an internet-facing application directly from source code. The solution must support built-in HTTPS, deployment slots for safe testing, and autoscale as demand changes. Which two choices should the administrator select? Select two.

Select 2 answers
A. Use Azure App Service.
B. Choose an App Service plan at Standard tier or higher.
C. Use Azure Container Instances for the public application.
D. Deploy the app on a virtual machine scale set.
E. Use an availability set for the application instances.
Answers: A, B

App Service is designed for hosted web applications with managed platform features.

Why this answer

Azure App Service is a fully managed platform for building, deploying, and scaling web apps. It natively supports publishing directly from source code (via continuous deployment from GitHub, Azure Repos, or Bitbucket), built-in HTTPS (with automatic certificate management), deployment slots for staging and swapping, and autoscale based on metrics or schedules. These features directly satisfy all the requirements stated in the question.

Exam trap

The trap here is that candidates often pick Azure Container Instances or virtual machine scale sets as seemingly simpler alternatives, but they lack the integrated deployment slots and built-in HTTPS management that App Service provides out of the box.

664
MCQ, medium

An administrator archives monthly log exports in a blob container to reduce storage cost. During an audit, one archived blob must be downloaded and opened later the same day. What must the administrator do before the blob can be read?

A. Read the blob directly from the Archive tier because archive data remains immediately online
B. Change the blob tier from Archive to Hot or Cool and wait for rehydration to finish
C. Copy the blob to a new container in the same account to bypass the archive restriction
D. Assign an Azure RBAC role to the auditor so the archived blob becomes available immediately
Answer: B

Changing the tier from Archive to an online tier starts rehydration, after which the blob becomes readable again.

Why this answer

Blobs stored in the Archive tier are offline and must be rehydrated to the Hot or Cool tier before they can be read. Rehydration can take up to 15 hours, so the administrator must initiate a tier change and wait for completion before downloading the blob. Option B correctly identifies this required step.

Exam trap

The trap here is that candidates assume Archive tier blobs are always accessible with the right permissions, but Azure explicitly keeps Archive blobs offline to minimize cost, requiring a manual rehydration step before any read or copy operation.

How to eliminate wrong answers

Option A is wrong because Archive tier blobs are not immediately online; they are offline and require rehydration before access. Option C is wrong because copying a blob from the Archive tier directly is not possible without first rehydrating it; the copy operation will fail or implicitly trigger rehydration, which still requires waiting. Option D is wrong because RBAC roles control access permissions, not the online/offline state of the blob; even with the correct role, the blob remains offline in the Archive tier.

665
MCQ, medium

You need to notify the security team whenever anyone deletes a resource group in the subscription. Which alert type should you configure?

A. A metric alert on CPU percentage
B. A budget alert
C. An activity log alert
D. A log alert based only on guest OS event logs
Answer: C

This targets Azure control-plane events such as deletions.

Why this answer

Option C is correct because an activity log alert monitors subscription-level events recorded in the Azure Activity Log, including resource group deletion operations. When a user deletes a resource group, the 'Microsoft.Resources/subscriptions/resourceGroups/delete' operation is logged, and an activity log alert can be configured to trigger on that specific operation, sending notifications to the security team.

Exam trap

The trap here is that candidates often confuse activity log alerts with log alerts based on guest OS logs, not realizing that resource group deletions are control plane events captured in the Activity Log, not in guest OS event logs.

How to eliminate wrong answers

Option A is wrong because a metric alert on CPU percentage monitors performance metrics of Azure resources (like VMs or App Services) and cannot detect administrative operations such as resource group deletions. Option B is wrong because a budget alert is designed to notify when spending exceeds a defined cost threshold, not to track resource management actions like deletions. Option D is wrong because a log alert based only on guest OS event logs monitors logs from within a virtual machine's operating system and cannot capture Azure subscription-level control plane events like resource group deletions.
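To show what the activity log alert condition actually matches, here is an added Python example (not from the question bank) that applies the same filter to exported Activity Log events; the records are constructed in the shape of Activity Log entries (operationName, status, caller, resourceGroupName, eventTimestamp) and the callers and resource group names are made up.

```python
"""Filter exported Azure Activity Log events for resource group deletions."""
import json

RG_DELETE_OP = "Microsoft.Resources/subscriptions/resourceGroups/delete"

# Constructed sample export: one JSON object per line. Activity Log records
# one event per phase (Started, Succeeded, Failed) of the same operation;
# the Failed deletion of rg-locked is what a CanNotDelete lock produces.
SAMPLE_EVENTS = """\
{"category": {"value": "Administrative"}, "operationName": {"value": "Microsoft.Resources/subscriptions/resourceGroups/delete"}, "status": {"value": "Started"}, "caller": "alice@contoso.example", "resourceGroupName": "rg-legacy", "eventTimestamp": "2024-05-01T09:15:02Z"}
{"category": {"value": "Administrative"}, "operationName": {"value": "Microsoft.Resources/subscriptions/resourceGroups/delete"}, "status": {"value": "Succeeded"}, "caller": "alice@contoso.example", "resourceGroupName": "rg-legacy", "eventTimestamp": "2024-05-01T09:16:40Z"}
{"category": {"value": "Administrative"}, "operationName": {"value": "Microsoft.Compute/virtualMachines/deallocate/action"}, "status": {"value": "Succeeded"}, "caller": "bob@contoso.example", "resourceGroupName": "rg-app", "eventTimestamp": "2024-05-01T09:20:11Z"}
{"category": {"value": "Administrative"}, "operationName": {"value": "Microsoft.Resources/subscriptions/resourceGroups/delete"}, "status": {"value": "Failed"}, "caller": "carol@contoso.example", "resourceGroupName": "rg-locked", "eventTimestamp": "2024-05-01T10:02:33Z"}
"""


def parse_events(text):
    """Parse a JSON-lines export, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def rg_deletions(events, statuses=("Succeeded",)):
    """Return the deletion events an alert should fire on.

    Only Administrative-category events with the resource group delete
    operation are considered; the status filter decides whether attempts
    (Started, Failed) are reported as well as completed deletions.
    """
    hits = []
    for ev in events:
        if ev.get("category", {}).get("value") != "Administrative":
            continue
        op = ev.get("operationName", {}).get("value", "")
        if op.lower() != RG_DELETE_OP.lower():
            continue
        status = ev.get("status", {}).get("value")
        if status not in statuses:
            continue
        hits.append({
            "when": ev.get("eventTimestamp"),
            "caller": ev.get("caller"),
            "resourceGroup": ev.get("resourceGroupName"),
            "status": status,
        })
    return hits


def notification_lines(hits):
    """Render hits as one-line messages for an email receiver."""
    return [f"{h['when']} {h['caller']} deleted resource group "
            f"{h['resourceGroup']} ({h['status']})" for h in hits]


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for line in notification_lines(rg_deletions(events)):
        print(line)
```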

666
Multi-Select, medium

A production resource group contains web and data resources. Administrators must be able to update, scale, and restart resources, but they must not delete the resource group or any resource inside it during maintenance windows. Which two actions should the administrator take? Select two.

Select 2 answers
A. Apply a CanNotDelete lock to the resource group.
B. Apply a ReadOnly lock to the resource group.
C. Apply a CanNotDelete lock only to the individual virtual machines.
D. Apply the lock at the resource group scope so it covers child resources.
E. Use tags to mark the resources as production and prevent deletion.
Answers: A, D

CanNotDelete blocks deletion while still allowing normal write operations such as updates and scaling. That makes it the right lock when the organization wants protection from accidental removal but still needs management access.

Why this answer

Option A is correct because applying a CanNotDelete lock to the resource group prevents the deletion of the resource group and all resources within it, while still allowing administrators to update, scale, and restart resources. This lock type blocks delete operations but permits read and update operations, which aligns with the requirement to perform maintenance actions without risking deletion. The lock is inherited by all child resources in the resource group, ensuring comprehensive protection.

Exam trap

The trap here is that candidates often confuse the CanNotDelete lock with the ReadOnly lock, mistakenly thinking a ReadOnly lock still allows updates and scaling, or they assume tags can enforce deletion prevention, when in reality tags are purely organizational and have no security or governance enforcement capabilities.

667
MCQ, medium

A team in RG-Apps must be able to start, stop, and deallocate virtual machines and read their properties. Built-in roles available to the team are broader than necessary. What should the administrator do?

A. Assign Virtual Machine Contributor at the subscription scope.
B. Create a custom role with only the required VM actions and assign it at RG-Apps scope.
C. Assign Reader and Virtual Machine Contributor together at the resource group scope.
D. Assign Owner at the resource group scope to avoid troubleshooting access issues.
Answer: B

A custom role can include only the required actions, such as VM start, deallocate, and read, without granting unnecessary permissions. Assigning the role at RG-Apps scope keeps the permissions limited to the target resource group and is the cleanest least-privilege design.

Why this answer

Option B is correct because the team needs specific actions (start, stop, deallocate, read properties) that are a subset of the Virtual Machine Contributor role's permissions. Creating a custom role with only the required actions (Microsoft.Compute/virtualMachines/start/action, Microsoft.Compute/virtualMachines/deallocate/action, Microsoft.Compute/virtualMachines/read, etc.) and assigning it at the RG-Apps scope provides least-privilege access without granting broader capabilities like creating or deleting VMs.

Exam trap

The trap here is that candidates often choose Virtual Machine Contributor (Option A or C) thinking it covers start/stop/deallocate, but they overlook that it also includes broader VM management actions like create, delete, and modify, which violates the least-privilege requirement stated in the question.

How to eliminate wrong answers

Option A is wrong because Virtual Machine Contributor at subscription scope grants broader permissions (e.g., create, delete VMs) across all resource groups, violating the least-privilege principle and exceeding the team's needs. Option C is wrong because combining Reader and Virtual Machine Contributor still grants the full Virtual Machine Contributor permissions (including create/delete) plus read-only access, which is broader than necessary and does not restrict to only start, stop, deallocate, and read. Option D is wrong because Owner at resource group scope grants full administrative control, including managing role assignments and all resources, which far exceeds the required actions and violates security best practices.
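The two points this question and question 658 make, that a custom role grants only the listed actions and that Azure Policy's Deny effect blocks a deployment even when RBAC allows it, are modelled in the following added Python example (not from the question bank and not Microsoft's code). It re-implements the documented semantics in simplified form: an RBAC action is permitted when an Actions pattern matches and no NotActions pattern matches ('*' is a wildcard, matching is case-insensitive), and a Deny policy blocks a create/update whose request body matches its rule. The role bodies, policy rule, allowed size list and VM requests are constructed here, the Contributor role is reduced to the parts the example needs, and '<sub-id>' is a placeholder.

```python
"""Simplified model of Azure request evaluation: RBAC first, then Policy."""
from fnmatch import fnmatchcase

# Question 667: custom role with only the VM actions the team needs,
# assignable only at the RG-Apps scope ('<sub-id>' is a placeholder).
VM_OPERATOR_ROLE = {
    "Name": "VM Operator (RG-Apps)",
    "Actions": [
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/powerOff/action",   # "stop"
        "Microsoft.Compute/virtualMachines/deallocate/action",
    ],
    "NotActions": [],
    "AssignableScopes": ["/subscriptions/<sub-id>/resourceGroups/RG-Apps"],
}

# Question 658: operators keep Contributor (everything except managing
# role assignments), so RBAC alone cannot stop an oversized VM. Reduced
# stand-in for the built-in role, constructed for this example.
CONTRIBUTOR_ROLE = {
    "Name": "Contributor",
    "Actions": ["*"],
    "NotActions": ["Microsoft.Authorization/*/Delete",
                   "Microsoft.Authorization/*/Write"],
}

# Allowed-VM-sizes rule with the Deny effect; the size list is constructed.
ALLOWED_SIZES_POLICY = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
        {"not": {"field": "Microsoft.Compute/virtualMachines/sku.name",
                 "in": ["Standard_B2s", "Standard_D2s_v3"]}},
    ]},
    "then": {"effect": "Deny"},
}

# Policy aliases map a field name onto a path in the ARM request body.
ALIASES = {"Microsoft.Compute/virtualMachines/sku.name":
           ("properties", "hardwareProfile", "vmSize")}


def rbac_allows(role, action):
    """True when the role grants the control-plane action."""
    act = action.lower()
    granted = any(fnmatchcase(act, p.lower()) for p in role["Actions"])
    excluded = any(fnmatchcase(act, p.lower())
                   for p in role.get("NotActions", []))
    return granted and not excluded


def _field(resource, field):
    """Resolve a policy field (alias or top-level key) in the request body."""
    node = resource
    for key in ALIASES.get(field, (field,)):
        if not isinstance(node, dict):
            return None
        node = node.get(key)
    return node


def _matches(cond, resource):
    """Evaluate the subset of policy conditions used above."""
    if "allOf" in cond:
        return all(_matches(c, resource) for c in cond["allOf"])
    if "not" in cond:
        return not _matches(cond["not"], resource)
    value = _field(resource, cond["field"])
    if "equals" in cond:
        return value == cond["equals"]
    if "in" in cond:
        return value in cond["in"]
    raise ValueError(f"unsupported condition: {cond}")


def policy_denies(policy, resource):
    """True when a Deny policy's rule matches the request body."""
    return policy["then"]["effect"] == "Deny" and _matches(policy["if"], resource)


def evaluate(role, action, resource, policy=ALLOWED_SIZES_POLICY):
    """Outcome for one request: RBAC is checked first, then Policy, and
    Policy applies only to create/update (.../write) operations."""
    if not rbac_allows(role, action):
        return "Forbidden (RBAC)"
    if action.lower().endswith("/write") and policy_denies(policy, resource):
        return "Denied (policy)"
    return "Allowed"


def vm_request(size):
    """Constructed ARM body for a VM create/update with the given size."""
    return {"type": "Microsoft.Compute/virtualMachines",
            "properties": {"hardwareProfile": {"vmSize": size}}}


if __name__ == "__main__":
    write = "Microsoft.Compute/virtualMachines/write"
    print(evaluate(CONTRIBUTOR_ROLE, write, vm_request("Standard_D64s_v3")))
    print(evaluate(CONTRIBUTOR_ROLE, write, vm_request("Standard_B2s")))
    print(evaluate(VM_OPERATOR_ROLE, write, vm_request("Standard_B2s")))
```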

668
MCQ, hard

Your operations team needs to run Kusto queries across collected sign-in logs, VM performance counters, and Azure Activity Log data in a central location. What should you deploy?

A. A Log Analytics workspace
B. An availability zone
C. A NAT gateway
D. A standard public IP address
Answer: A

This is the service designed for centralized log retention and KQL-based analysis.

Why this answer

A Log Analytics workspace is the central repository in Azure that ingests and stores diagnostic data from multiple sources, including sign-in logs (Azure AD), VM performance counters (Azure Monitor for VMs), and Azure Activity Logs. It supports Kusto Query Language (KQL) for running complex queries across all collected data, making it the correct choice for this requirement.

Exam trap

The trap here is that candidates may confuse a Log Analytics workspace with other networking or compute resources, thinking a NAT gateway or public IP is needed for data ingestion, when in fact Azure Monitor agents and diagnostic settings send data directly to the workspace without requiring public internet exposure.

How to eliminate wrong answers

Option B is wrong because an availability zone is a physically separate datacenter within an Azure region used for high availability and disaster recovery, not a data storage or query service. Option C is wrong because a NAT gateway provides outbound internet connectivity for virtual networks, not a location for storing or querying logs. Option D is wrong because a standard public IP address is a static IP resource for inbound/outbound communication, not a data repository or query engine.

669
Multi-Select, easy

A team needs an alert that emails the operations group whenever a VM's average CPU percentage stays above 85% for 10 minutes. Which two Azure Monitor components must you configure? Select two.

Select 2 answers
A. A metric alert rule on the VM CPU metric
B. An action group with an email receiver
C. A Recovery Services vault
D. A private endpoint for the virtual machine
E. A blob lifecycle management policy
Answers: A, B

This defines the threshold condition that Azure Monitor evaluates against the VM's CPU metric.

Why this answer

A metric alert rule on the VM CPU metric is required because it continuously monitors the 'Percentage CPU' metric and triggers when the average value exceeds 85% for a duration of 10 minutes. This rule evaluates the condition using the aggregation type 'Average' and the window size set to PT10M (ISO 8601 format). Without this rule, no alert condition exists to detect the threshold breach.

Exam trap

The trap here is that candidates often forget that an action group (with email, SMS, or webhook receivers) is a separate, required component that must be linked to the metric alert rule to actually send the notification; without it, the alert rule fires but no one gets emailed.

670
MCQ, medium

A platform team wants every current and future subscription under the company's Azure hierarchy to inherit Reader access for a central audit group. The team does not want to create separate assignments for each subscription. Where should the role be assigned?

A. At the management group that contains the subscriptions.
B. At one subscription and rely on inheritance to reach the others.
C. At a resource group in a single subscription.
D. At an individual resource that the audit team will inspect.
Answer: A

Management group scope is designed for governance that must apply across multiple subscriptions, including subscriptions added later under the same hierarchy. A role assignment at that level is inherited by child subscriptions and their resources, which is ideal for broad read-only audit access.

Why this answer

Assigning the Reader role at the management group level ensures that all current and future subscriptions within that management group inherit the assignment via Azure RBAC inheritance. This meets the requirement without needing separate assignments per subscription, as role assignments flow down the hierarchy from management group to subscription to resource group to resource.

Exam trap

The trap here is that candidates may think assigning the role at one subscription will propagate to others via inheritance, but Azure RBAC inheritance is strictly hierarchical and does not apply across sibling subscriptions—only downward from a management group or parent scope.

How to eliminate wrong answers

Option B is wrong because assigning the role at one subscription does not cause inheritance to other subscriptions; RBAC inheritance flows only downward within the same hierarchy branch, not across sibling subscriptions. Option C is wrong because assigning at a resource group limits the scope to that specific resource group and its resources, not to entire subscriptions or the management group. Option D is wrong because assigning at an individual resource is the narrowest scope and would only grant Reader access to that single resource, not to any subscription or broader scope.

671
MCQ, medium

Based on the exhibit, the VM backup item was accidentally deleted from the vault yesterday, but the VM itself still exists. What should you do to resume protection with the existing backup item?

A. Delete the VM and recreate it so the backup can start again.
B. Recover or undelete the backup item from the vault before the soft-delete retention expires.
C. Create a new action group so the vault can re-enable protection.
D. Disable diagnostic settings on the vault and then re-enable them.
Answer: B

Because soft delete is enabled and the retention window is still open, the deleted backup item can be recovered from the Recovery Services vault. Undeleting the item restores the backup relationship without requiring a new protection configuration or a rebuild of the VM.

Why this answer

Azure Backup uses soft-delete for backup items, which retains deleted backup data for 14 days by default. Since the backup item was accidentally deleted yesterday, it is still in the soft-delete state and can be recovered or undeleted from the vault before the retention period expires. Once recovered, protection can be resumed on the existing VM without data loss or reconfiguration.

Exam trap

The trap here is that candidates may think deleting a backup item permanently removes all data, but Azure Backup's soft-delete feature retains the data for 14 days, allowing recovery without recreating the VM or backup configuration.

How to eliminate wrong answers

Option A is wrong because deleting and recreating the VM is unnecessary and would cause downtime; the existing VM can be protected again by recovering the soft-deleted backup item. Option C is wrong because action groups are used for alerting and notifications, not for enabling backup protection on a vault. Option D is wrong because diagnostic settings control logging and monitoring of the vault, not the recovery or re-enabling of backup items.

672
MCQ · medium

An operations team maintains a hardened Windows base image that includes patch baseline settings and monitoring agents. They need to publish new versions, replicate the image to another region, and deploy future VMs from the same controlled image source. What should they use?

A. A snapshot of the generalized OS disk.
B. An Azure Compute Gallery image version.
C. A VM extension on an existing VM.
D. An availability set for the image resources.
Answer: B

Compute Gallery supports versioned images, replication across regions, and repeatable VM deployment from one source.

Why this answer

An Azure Compute Gallery (formerly Shared Image Gallery) is the correct service for managing, versioning, replicating, and deploying custom Windows images across regions. It supports multiple image versions, regional replication, and allows you to deploy VMs from a controlled, hardened base image. Snapshots alone lack versioning and cross-region replication capabilities.

Exam trap

The trap here is that candidates often confuse a simple snapshot or managed disk copy with the versioning, replication, and lifecycle management capabilities that only an Azure Compute Gallery provides.

How to eliminate wrong answers

Option A is wrong because a snapshot of a generalized OS disk is a point-in-time copy that cannot be versioned, replicated across regions, or used as a managed image source for consistent VM deployments. Option C is wrong because a VM extension is used to configure software or agents on an existing VM, not to publish, replicate, or deploy new VM images. Option D is wrong because an availability set is a logical grouping for VM fault and update domains, not a mechanism for managing or distributing image versions.

673
Multi-Select · hard

An Azure Function App and an Azure Automation runbook both need to upload, read, and delete blobs in one container. You must avoid stored secrets and keep the permissions as limited as possible. Which two configuration choices should you make? Select two.

Select 2 answers
A. Create a user-assigned managed identity that can be attached to both Azure resources.
B. Grant Storage Blob Data Contributor on the target container to that identity.
C. Store the storage account access key in both app settings and runbook variables.
D. Assign Contributor on the storage account because it automatically includes all blob data permissions.
E. Use a shared SAS token without an expiration date for both workloads.
Answers: A, B

A user-assigned managed identity is reusable across resources and avoids storing secrets in application code or configuration.

Why this answer

Option A is correct because a user-assigned managed identity provides a secure, credential-free authentication method for Azure resources. It allows both the Function App and the Automation runbook to authenticate to Azure Storage without storing any secrets, meeting the requirement to avoid stored secrets. Option B is correct because Storage Blob Data Contributor is a data-plane role that grants exactly the read, upload, and delete operations on blobs, and scoping the assignment to the single container rather than the whole storage account keeps the permissions as limited as possible.

Exam trap

The trap here is that candidates often confuse the Contributor role on the storage account with data plane permissions, not realizing that Contributor only grants management plane access and does not allow blob operations.

674
MCQ · hard

Quarterly invoices were moved to the Archive tier by a lifecycle rule. An auditor now needs one specific blob available for download within the next hour. What should the administrator do?

A. Change the lifecycle rule so the blob will automatically move back to Hot on the next run.
B. Set the blob directly to the Hot tier and download it immediately.
C. Start a high-priority rehydration of the blob to the Hot tier, then wait for completion before downloading.
D. Copy the archived blob to another container by using the portal copy command.
Answer: C

Archive tier data is offline and must be rehydrated before it can be read. High-priority rehydration is the fastest recovery option when the blob is needed urgently, and Hot is appropriate when the user wants normal online access after the operation completes.

Why this answer

Option C is correct because blobs in the Archive tier are offline and must be rehydrated to an online tier (Hot or Cool) before they can be accessed. A high-priority rehydration completes within one hour, meeting the auditor's deadline. Changing a lifecycle rule (A) or directly setting the tier (B) does not initiate the necessary rehydration process, and copying an archived blob (D) fails because the blob is offline.

Exam trap

The trap here is that candidates assume you can directly change the tier of an archived blob (like from Cool to Hot) without realizing that Archive-tier blobs are offline and require a separate rehydration step before any tier change or access is possible.

How to eliminate wrong answers

Option A is wrong because modifying a lifecycle rule only affects future blob transitions; it does not trigger immediate rehydration of an already archived blob. Option B is wrong because you cannot directly set the tier of an archived blob to Hot; the blob must first be rehydrated via a copy operation or tier change that initiates data retrieval from offline storage. Option D is wrong because the portal copy command requires the source blob to be online; copying an archived blob without prior rehydration will fail with an error indicating the blob is in the Archive tier.

675
MCQ · medium

An internal line-of-business application runs on two VMs in Azure. Users connect only from a peered virtual network and from on-premises through VPN. The application must not be reachable from the internet, but traffic should be balanced across the two VMs. Which configuration should you choose?

A. A public Standard Load Balancer with a public frontend IP.
B. A Standard Load Balancer with a private frontend IP.
C. A NAT gateway attached to the application subnet.
D. A network security group rule allowing TCP 443 from the internet.
Answer: B

A Standard Load Balancer with a private frontend provides load balancing only within the virtual network boundary, which fits an internal application. It can balance traffic from peered VNets or hybrid connections without assigning a public frontend. This is the appropriate pattern when the service must remain private but still needs distribution across backend VMs.

Why this answer

A Standard Load Balancer with a private frontend IP is correct because it distributes traffic to the two VMs using a private IP address that is only reachable from within the peered virtual network and the on-premises network via VPN. This configuration ensures the application is not exposed to the internet while still providing load balancing across the VMs.

Exam trap

The trap here is that candidates often assume a load balancer must have a public frontend IP to function, but Azure Standard Load Balancer fully supports private frontend IPs for internal load balancing without any internet exposure.

How to eliminate wrong answers

Option A is wrong because a public Standard Load Balancer with a public frontend IP would make the application reachable from the internet, violating the requirement that it must not be reachable from the internet. Option C is wrong because a NAT gateway provides outbound internet connectivity for VMs, not inbound load balancing, and it would not balance traffic across the two VMs. Option D is wrong because a network security group rule allowing TCP 443 from the internet would explicitly permit inbound internet traffic, directly contradicting the requirement that the application must not be reachable from the internet.
