A VM has an NSG with these inbound rules: Deny-RDP at priority 100 for TCP 3389 from Any, and Allow-RDP-Admins at priority 200 for TCP 3389 from 10.8.1.0/24. Admins from 10.8.1.0/24 still cannot connect by RDP. What change fixes access while keeping all other sources blocked?

Change the deny rule to protocol Any so the allow rule will be evaluated first.

Changing the protocol does not alter priority order, so the deny rule would still win if it remains higher precedence.

Add a UDR that sends TCP 3389 traffic to the VM subnet.

Route tables influence path selection, not NSG rule evaluation, so they will not fix an inbound deny decision.

Associate an application security group with the VM and keep the existing priorities.

Application Security Groups can simplify rule maintenance, but they do not override an earlier deny rule with a higher priority.

What does this AZ-104 question test?

CIDR notation defines the prefix length.

What is the correct answer to this question?

The correct answer is: Move the allow rule to a lower priority number than 100. — NSG processing is based on priority, and the lowest numbered matching rule is applied first. In this case, the deny rule at priority 100 matches TCP 3389 from Any before the allow rule at 200 can be considered. The correct fix is to give the allow rule a lower number than the deny rule, such as 90, so the admin subnet is allowed while everyone else is still denied. Why others are wrong: Changing protocol settings does not change the evaluation order, so the deny still takes precedence. A UDR cannot override NSG behavior because routing and filtering are separate functions. An ASG can reduce IP management work, but it cannot make a lower-priority allow rule beat a higher-priority deny rule.

What should I do if I get this AZ-104 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.