CCNA Monitor and Maintain Azure Resources Questions

151
MCQ · easy

Based on the exhibit, which alert type should the administrator create to detect when Azure marks the storage account unhealthy because of a platform issue?

A. Metric alert on account capacity.
B. Resource Health alert.
C. Log search alert against AzureDiagnostics.
D. Autoscale rule based on storage transactions.
Answer: B

Resource Health alerts are intended for platform-level availability problems reported by Azure itself. They are the right fit when the business wants to know that Azure has marked a resource unhealthy or unavailable, rather than watching an application metric or a custom log entry. This directly matches the requirement for platform issue notification on the storage account.

Why this answer

Resource Health alerts are specifically designed to notify administrators when an Azure service or resource becomes unhealthy due to platform issues. In this scenario, the storage account being marked unhealthy by Azure due to a platform issue is exactly the kind of event that a Resource Health alert captures, as it monitors the health status of Azure resources and triggers alerts on state transitions (e.g., from 'Available' to 'Degraded' or 'Unavailable').

Exam trap

The trap here is that candidates often confuse Resource Health alerts with metric alerts or log search alerts, mistakenly thinking that any health-related event can be captured by querying AzureDiagnostics or by setting a metric threshold, when in fact Resource Health alerts are the dedicated mechanism for platform-issue notifications.

How to eliminate wrong answers

Option A is wrong because a metric alert on account capacity monitors storage usage thresholds (e.g., percentage of used capacity), not platform health issues; it would not detect when Azure marks the resource unhealthy due to a platform problem. Option C is wrong because a log search alert against AzureDiagnostics queries operational logs for specific events (e.g., authentication failures), but it does not natively capture the resource health state transitions that indicate platform-level unhealthiness; Resource Health events are logged in the Azure Activity Log, not in AzureDiagnostics. Option D is wrong because an autoscale rule based on storage transactions is used to scale resources like Azure Functions or App Service based on transaction counts, not to detect health issues; storage accounts themselves do not support autoscaling based on transactions, and this option is irrelevant to health monitoring.

152
MCQ · easy

A company wants to enable backup for an Azure virtual machine and later restore the VM if needed. Which Azure service should the administrator use to manage the backup plan and restores?

A. Azure Monitor
B. Recovery Services vault
C. Log Analytics workspace
D. Azure Front Door
Answer: B

A Recovery Services vault is the Azure service used to configure VM backup policies, run backups, and perform restores.

Why this answer

The Recovery Services vault is the correct Azure service for managing backup plans and restores for Azure virtual machines. It provides a centralized management interface for configuring backup policies, performing on-demand backups, and initiating restore operations to recover VMs to a specific point in time.

Exam trap

The trap here is that candidates often confuse Azure Backup (which uses Recovery Services vault) with Azure Site Recovery (which also uses a Recovery Services vault but for disaster recovery replication, not backup), leading them to incorrectly select a different service or misunderstand the vault's dual role.

How to eliminate wrong answers

Option A is wrong because Azure Monitor is a monitoring and diagnostics service that collects metrics, logs, and alerts from Azure resources, but it does not provide backup or restore capabilities. Option C is wrong because Log Analytics workspace is used for collecting and analyzing log data from various sources, not for managing backup plans or performing VM restores. Option D is wrong because Azure Front Door is a global load balancer and application delivery service that optimizes traffic routing and provides web application firewall capabilities, with no backup or restore functionality.

153
MCQ · easy

Based on the exhibit, why does a query against AzureDiagnostics return no rows after the storage account diagnostic setting was changed?

A. The storage account cannot send logs to Log Analytics when public network access is disabled.
B. The logs are written to resource-specific tables instead of AzureDiagnostics.
C. The diagnostic setting only sends metrics, not logs, to the workspace.
D. The workspace retention period automatically deletes all records after one hour.
Answer: B

When diagnostic settings use resource-specific mode, Azure writes records to service-specific tables rather than the legacy AzureDiagnostics table. The query failed because it looked in the wrong table. The administrator should query the table that matches the storage log source or switch the destination format if a unified table is preferred.

Why this answer

Option B is correct because when you change a diagnostic setting for a storage account from 'AzureDiagnostics' mode to 'Resource-specific' mode, logs are no longer sent to the AzureDiagnostics table. Instead, they are written to dedicated resource-specific tables (e.g., StorageReadLogs, StorageWriteLogs). Since the query targets AzureDiagnostics, it returns no rows because the logs are now stored in the new table format.

Exam trap

The trap here is that candidates assume logs are always written to the AzureDiagnostics table, overlooking that the diagnostic setting can be configured to use resource-specific tables, which changes the destination table name and causes queries against AzureDiagnostics to return no rows.

How to eliminate wrong answers

Option A is wrong because disabling public network access on a storage account does not prevent logs from being sent to Log Analytics; the diagnostic setting uses a private endpoint or Microsoft trusted services to send logs, and the setting itself is configured at the resource level, not dependent on public network access. Option C is wrong because the diagnostic setting can be configured to send both metrics and logs; the exhibit shows the setting includes 'Audit logs' and 'Transaction logs', not just metrics. Option D is wrong because the workspace retention period does not delete records after one hour; retention is configurable (default 30 days) and only applies to data already ingested, not to logs that were never written to the AzureDiagnostics table.

154
MCQ · easy

An administrator wants to send a virtual machine's guest logs to a central workspace so they can search them later with queries. Which configuration should be created on the VM or its resource provider first?

A. A role assignment at the subscription scope
B. A diagnostic setting
C. A private endpoint
D. A lock on the VM resource group
Answer: B

A diagnostic setting routes platform or guest log data from the resource to a destination such as a Log Analytics workspace.

Why this answer

A diagnostic setting is the correct configuration because it enables the streaming of guest OS logs (e.g., System, Application, Security event logs) from an Azure virtual machine to a Log Analytics workspace. This is done by installing the Azure Monitor Agent (AMA) or legacy Log Analytics agent on the VM and then configuring a data collection rule or diagnostic setting to specify which logs to send and the destination workspace. Without this setting, the VM's guest logs remain local and cannot be queried centrally.

Exam trap

The trap here is that candidates often confuse a diagnostic setting with a role assignment, thinking that granting permissions (RBAC) is the first step to enable log collection, but in reality, the diagnostic setting is the specific configuration that defines what logs to send and where.

How to eliminate wrong answers

Option A is wrong because a role assignment at the subscription scope controls permissions (RBAC) for who can manage resources, not the flow of log data from a VM to a workspace. Option C is wrong because a private endpoint provides a secure, private connection to Azure services over the Microsoft backbone network, but it does not configure log collection or forwarding from a VM's guest OS. Option D is wrong because a lock on the VM resource group prevents accidental deletion or modification of resources, but it has no effect on log ingestion or diagnostic configuration.

155
MCQ · medium

Based on the exhibit, an administrator needs to recover one deleted configuration file from a running Azure VM without replacing the VM. Which restore option should be used?

A. Create a new VM from the recovery point so the deleted file returns with a clean operating system.
B. Restore disks and manually rebuild the VM afterward.
C. Use File Recovery to mount the recovery point and copy back the missing file.
D. Replace the existing VM immediately to recover only one file.
Answer: C

File Recovery is designed for restoring individual files from a backup without replacing the live VM. It lets the administrator mount the recovery point, copy back the deleted file, and leave production running normally.

Why this answer

Azure VM File Recovery (part of Azure Backup) allows you to mount a recovery point as a drive on a running VM, browse the file system, and copy specific files back without restoring the entire VM or disks. This is the only option that recovers a single deleted configuration file without replacing or rebuilding the VM.

Exam trap

The trap here is that candidates may think a full disk restore or VM rebuild is required for file-level recovery, but Azure Backup's File Recovery feature is specifically designed for granular file recovery from a VM backup without VM replacement.

How to eliminate wrong answers

Option A is wrong because creating a new VM from a recovery point would replace the existing VM entirely, not recover a single file, and would require reconfiguration and potential downtime. Option B is wrong because restoring disks and manually rebuilding the VM is a full disk-level restore that is overkill for a single file and involves significant manual effort and downtime. Option D is wrong because replacing the existing VM immediately is a drastic, unnecessary action that would cause full VM replacement and data loss for a single file recovery.

156
Matching · hard

A VM backup policy is being designed in a Recovery Services vault. Match each backup policy element to the behavior it controls.

Defines when the backup job starts, such as daily at a specific time.

Defines how long recovery points remain available for restore.

Determines how the scheduled backup time is interpreted in the policy.

Keeps snapshot copies available for fast local restores before the vault copy completes.

Reusable object that combines schedule, retention, and related backup settings.

Why these pairings

A backup policy in a Recovery Services vault includes retention settings (how long to keep backups), schedule (when to back up), snapshot retention (for instant restores), policy type (Standard vs Enhanced), time zone, and frequency (daily/weekly).

157
Matching · hard

A team manages a production VM and its supporting storage account. Match each operational requirement to the Azure Monitor component that should be configured.

Metric alert rule

Action group

Diagnostic setting

Activity log alert

Log Analytics workspace

Why these pairings

Azure Monitor Metrics stores numerical performance data, Log Analytics enables KQL queries, Alerts notify on conditions, Workbooks provide dashboards, the Azure Monitor Agent collects guest OS logs, and Storage analytics logs capture storage access data.

158
MCQ · medium

The team accidentally stopped protection for a VM and deleted its backup data. They want Azure Backup to keep deleted backup items recoverable for a grace period so the item can be undeleted if needed. Which vault feature should be enabled?

A. Instant restore
B. Soft delete
C. A new backup policy
D. A private endpoint for the vault
Answer: B

Soft delete keeps removed backup items in a recoverable state for a retention period after deletion or after protection is stopped. That gives administrators a safety window to reverse accidental deletion and prevents immediate permanent loss of backup data. It is the right protection setting for accidental removal scenarios in Recovery Services vaults.

Why this answer

Soft delete is the correct feature because it provides a grace period (default 14 days) during which deleted backup data is retained in a soft-deleted state. This allows administrators to recover (undelete) backup items that were accidentally deleted, including cases where protection was stopped and data was removed. Without soft delete, deleted backup data is permanently purged and cannot be recovered.

Exam trap

The trap here is that candidates confuse 'soft delete' with 'instant restore' because both involve retention of backup data, but instant restore only affects recovery point snapshots, not the ability to recover deleted items after protection is stopped.

How to eliminate wrong answers

Option A is wrong because Instant Restore controls the retention of recovery points for immediate restoration (typically snapshots kept for 1-5 days), not the ability to recover deleted backup items after deletion. Option C is wrong because a new backup policy defines backup frequency and retention rules for active backups, but does not provide any recovery mechanism for already deleted backup data. Option D is wrong because a private endpoint for the vault enables secure network access via Azure Private Link, but has no effect on data recovery after deletion.

159
Multi-Select · easy

A security team wants platform logs from a storage account sent for long-term retention and later analysis. Which three destinations can an Azure diagnostic setting send data to? Select three.

Select 3 answers
A. A Log Analytics workspace
B. A storage account
C. An Event Hub
D. A Recovery Services vault
E. An availability zone
Answers: A, B, C

A workspace stores logs and makes them searchable with KQL queries.

Why this answer

Azure Diagnostic Settings can stream platform logs and metrics to three destinations: a Log Analytics workspace for query-based analysis, a storage account for archival and long-term retention, and an Event Hub for real-time ingestion into SIEM or third-party tools. This is defined in the Azure Monitor diagnostic settings configuration, which supports these three outputs natively.

Exam trap

The trap here is that candidates may confuse a Recovery Services vault (used for backup) with a Log Analytics workspace or storage account, or mistakenly think availability zones can store log data, when in fact they are purely a high-availability construct.

160
MCQ · medium

Based on the exhibit, the operations team says the alert is too noisy because short CPU spikes after nightly maintenance trigger notifications. They want an alert only when VM1's average CPU stays above 80% for at least 10 minutes. What should you change?

A. Lower the threshold to 70% so the alert becomes less sensitive.
B. Increase the window size to 10 minutes and keep the evaluation frequency at 1 minute.
C. Replace the metric alert with a Log Analytics query alert against the activity log.
D. Move the alert scope from the VM to the resource group.
Answer: B

A longer evaluation window requires CPU to remain elevated over a longer period before the rule triggers. That directly addresses short maintenance spikes while still checking frequently enough to detect sustained pressure.

Why this answer

Option B is correct because increasing the window size to 10 minutes while keeping the evaluation frequency at 1 minute means the alert will only fire when the average CPU over the last 10 minutes exceeds 80%. This filters out transient spikes from nightly maintenance, as the alert requires sustained high CPU for the full duration. The evaluation frequency of 1 minute ensures the alert is checked every minute, but the condition is based on the 10-minute rolling average.

Exam trap

The trap here is that candidates often confuse 'window size' with 'evaluation frequency' and think increasing the evaluation frequency alone would solve the noise, but it is the window size that controls the duration over which the metric must remain above the threshold.

How to eliminate wrong answers

Option A is wrong because lowering the threshold to 70% would make the alert more sensitive, not less, and would still trigger on short spikes. Option C is wrong because a Log Analytics query alert against the activity log cannot monitor VM CPU performance metrics; the activity log tracks administrative events, not resource performance counters. Option D is wrong because moving the alert scope to the resource group would apply the same alert rule to all VMs in the group, potentially increasing noise, and does not address the issue of transient spikes.
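
The difference between window size and evaluation frequency described in this question, as an added example that is not part of the original question bank. It is a simplified model of an "average greater than threshold" rule, not Azure Monitor's implementation; the function names and the per-minute CPU samples are constructed for illustration.

```python
from collections import deque

THRESHOLD = 80.0  # percent, the threshold stated in the question


def firing_minutes(samples, window_minutes, frequency_minutes=1,
                   threshold=THRESHOLD):
    """Return the minute indexes at which a simplified rule would fire.

    samples           -- one CPU percentage per minute (constructed data)
    window_minutes    -- how many of the most recent samples are averaged
    frequency_minutes -- how often the condition is evaluated
    The rule fires when the window average is greater than the threshold.
    """
    window = deque(maxlen=window_minutes)
    fired = []
    for minute, cpu in enumerate(samples):
        window.append(cpu)
        # Do not evaluate until a full window of data is available.
        if len(window) < window_minutes:
            continue
        # Evaluate only on the configured schedule.
        if (minute + 1) % frequency_minutes != 0:
            continue
        if sum(window) / window_minutes > threshold:
            fired.append(minute)
    return fired


# Constructed sample data: one value per minute.
BASELINE, SPIKE_CPU, BUSY = 25.0, 95.0, 90.0
# A 3-minute spike after nightly maintenance.
MAINTENANCE_SPIKE = [BASELINE] * 20 + [SPIKE_CPU] * 3 + [BASELINE] * 20
# 15 minutes of genuinely sustained load starting at minute 10.
SUSTAINED_LOAD = [BASELINE] * 10 + [BUSY] * 15 + [BASELINE] * 5


def compare():
    """Evaluate both series with a 1-minute and a 10-minute window."""
    results = {}
    for name, series in (("maintenance_spike", MAINTENANCE_SPIKE),
                         ("sustained_load", SUSTAINED_LOAD)):
        for window in (1, 10):
            results[(name, window)] = firing_minutes(series, window)
    return results


if __name__ == "__main__":
    for (name, window), fired in compare().items():
        state = (f"fires at minutes {fired[0]}-{fired[-1]}"
                 if fired else "never fires")
        print(f"{name:18} window={window:>2} min: {state}")
```

In this data the 10-minute rule first fires at minute 18, once nine of the ten averaged samples are high, because the condition is on the window average rather than on every individual sample.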

161
MCQ · hard

You need to collect Windows event logs and performance counters from multiple Azure virtual machines and query the data by using Kusto Query Language. Which Azure resource should you use?

A. A Log Analytics workspace
B. A Recovery Services vault
C. Azure Network Watcher
D. A load balancer
Answer: A

Log Analytics workspaces store and enable KQL queries over collected monitoring data.

Why this answer

A Log Analytics workspace is the correct Azure resource for collecting Windows event logs and performance counters from Azure VMs and querying them using Kusto Query Language (KQL). It serves as the central repository where diagnostic data is ingested via the Azure Diagnostics extension or the Log Analytics agent, enabling rich log analytics and custom KQL queries.

Exam trap

The trap here is that candidates often confuse a Log Analytics workspace with Azure Monitor itself, but the workspace is the specific resource that stores and queries the data, while Azure Monitor is the overarching service; the question explicitly asks for the resource that collects and queries the data, which is the workspace.

How to eliminate wrong answers

Option B is wrong because a Recovery Services vault is used for backup and disaster recovery (e.g., Azure Backup, Site Recovery), not for collecting and querying operational logs or performance data. Option C is wrong because Azure Network Watcher provides network-level monitoring and diagnostics (e.g., packet capture, NSG flow logs), but it does not collect Windows event logs or performance counters, nor does it support KQL queries. Option D is wrong because a load balancer distributes incoming traffic across VMs and does not ingest, store, or query log data; it is a networking component, not a data analytics resource.

162
MCQ · medium

An administrator must centralize Azure Activity log events and diagnostic logs from several storage accounts into a single workspace so the team can query them with KQL. What should be configured on each resource?

A. A backup policy in Recovery Services vault to copy logs into the workspace.
B. Diagnostic settings to send logs to a Log Analytics workspace.
C. A private endpoint for each storage account so the logs remain internal to Azure.
D. A management group lock to prevent log deletion.
Answer: B

Diagnostic settings are the standard way to export platform logs and resource logs from Azure resources into Log Analytics for centralized querying. Once the data reaches the workspace, the team can use KQL to search and correlate events across resources. For Azure Activity logs, the subscription diagnostic setting is used; for storage accounts, resource diagnostic settings are configured on each account.

Why this answer

Diagnostic settings are the Azure mechanism for streaming resource logs and metrics to various destinations, including Log Analytics workspaces. By configuring diagnostic settings on each storage account to send its Activity Log and diagnostic logs to a single Log Analytics workspace, the administrator centralizes the logs for KQL querying. This is the only option that directly enables log ingestion into the workspace.

Exam trap

The trap here is confusing Azure Monitor diagnostic settings with backup or security features, leading candidates to select options that manage data protection or network isolation instead of log streaming.

How to eliminate wrong answers

Option A is wrong because a backup policy in a Recovery Services vault is designed for backup and restore of Azure resources, not for streaming or copying logs to a Log Analytics workspace. Option C is wrong because a private endpoint secures network traffic to the storage account but does not send logs to a Log Analytics workspace. Option D is wrong because a management group lock prevents accidental deletion or modification of resources but does not configure log forwarding or ingestion.

163
Multi-Select · hard

A finance VM is backed up daily. The team wants short-lived snapshots so recently changed files can be recovered quickly, but they also need daily recovery points retained for 30 days. Which two backup policy settings should be configured? Select two.

Select 2 answers
A. Retain instant restore snapshots for 2 days
B. Retain daily recovery points for 30 days
C. Run the backup job every 12 hours
D. Retain weekly recovery points for 30 days
E. Move backup data to Archive tier
Answers: A, B

Short snapshot retention keeps recent restore points available for fast file recovery.

Why this answer

Option A is correct because instant restore snapshots are short-lived, locally stored snapshots that allow quick recovery of recently changed files. Setting 'Retain instant restore snapshots for 2 days' ensures these snapshots are available for immediate restores without consuming long-term backup storage. Option B is correct because 'Retain daily recovery points for 30 days' meets the requirement for daily recovery points to be kept for the specified retention period, allowing recovery from any of the last 30 daily backups.

Exam trap

The trap here is that candidates often confuse 'instant restore snapshots' with 'recovery points' and may select options like 'Run the backup job every 12 hours' thinking more frequent backups improve recovery speed, when in fact the instant restore snapshot retention setting directly controls the availability of quick file-level restores.

164
MCQ · medium

A Recovery Services vault currently keeps daily Azure VM recovery points for 7 days. The business changes the requirement to keep daily recovery points for 30 days. Where should the administrator change the setting?

A. In the VM's network interface settings, because backup retention follows the NIC configuration.
B. In the backup policy associated with the Recovery Services vault.
C. In Azure Policy, by assigning a retention compliance initiative to the subscription.
D. In a storage account lifecycle rule attached to the VM disks.
Answer: B

Retention settings for Azure VM backups are controlled in the backup policy within the Recovery Services vault. The policy defines how often backups occur and how long recovery points are retained. To move from 7 days to 30 days of daily retention, the administrator updates the backup policy and applies it to the protected VM. This is the correct place because retention is a vault-level backup behavior, not a VM networking or storage setting.

Why this answer

The retention duration for Azure VM backups is configured within the backup policy that is associated with the Recovery Services vault. By modifying the backup policy (either the default policy or a custom policy), the administrator can change the retention setting from 7 days to 30 days for daily recovery points. This policy directly controls how long backup snapshots are retained, and the change takes effect for all VMs linked to that policy.

Exam trap

The trap here is that candidates often confuse backup retention settings with storage lifecycle management or Azure Policy, assuming that retention can be controlled at the disk or subscription level, when in fact it is exclusively managed through the backup policy linked to the Recovery Services vault.

How to eliminate wrong answers

Option A is wrong because backup retention is not tied to the VM's network interface (NIC) settings; NIC settings control IP addressing, DNS, and network security, not backup lifecycle. Option C is wrong because Azure Policy is used for enforcing compliance rules (e.g., requiring backups to be enabled) but cannot directly modify retention durations within an existing backup policy. Option D is wrong because storage account lifecycle rules manage the tiering or deletion of blob data (e.g., VM disks) but do not control backup recovery points, which are stored separately in the Recovery Services vault.

165
MCQ · hard

A storage account becomes unavailable because Azure has a regional platform issue. The operations team wants a notification whenever Azure marks the resource or region unhealthy, and they want to avoid continuous log ingestion just to detect the outage. What should they configure?

A. A metric alert on storage capacity with an action group.
B. A log alert on storage diagnostic logs that watches for 503 responses.
C. A Service Health alert based on the Activity log, scoped appropriately.
D. An Azure Policy assignment that audits the storage account state.
Answer: C

Service Health alerts are the right choice when you need to know about Azure platform incidents, regional issues, or service degradations that affect a resource or region. They are generated from the Activity log and do not require you to ingest operational logs continuously just to detect an outage. This makes them both efficient and appropriate for platform availability monitoring.

Why this answer

Option C is correct because a Service Health alert, configured from the Azure Activity log, provides proactive notifications when Azure services or regions experience an outage or degradation. This alert is triggered by Azure's own health signals, eliminating the need for continuous log ingestion or custom metric monitoring to detect platform-level issues.

Exam trap

The trap here is that candidates confuse application-level monitoring (e.g., log alerts on HTTP 503 errors) with Azure's own platform health signals, leading them to choose a log-based solution that requires continuous ingestion and misses the native Service Health alert capability.

How to eliminate wrong answers

Option A is wrong because a metric alert on storage capacity monitors usage thresholds (e.g., percentage used), not service availability or regional health; it cannot detect an Azure platform outage. Option B is wrong because a log alert on storage diagnostic logs watching for 503 responses requires continuous log ingestion and custom query setup, which contradicts the requirement to avoid continuous log ingestion; it also only detects application-level errors, not Azure-declared regional unhealthiness. Option D is wrong because an Azure Policy assignment audits compliance with rules (e.g., encryption settings) and cannot trigger real-time notifications for service health events; it is a governance tool, not an alerting mechanism.

166
MCQ · easy

Based on the exhibit, which KQL operator should replace the blank to return only those columns?

A. where, because it filters rows and also selects the visible columns.
B. summarize, because it groups the failed records into a smaller result set.
C. project, because it returns only the named columns in the result.
D. extend, because it creates new output columns for the selected fields.
Answer: C

project is the KQL operator used to shape the output and keep only the columns listed. In this query, it returns TimeGenerated, VaultName, and OperationName for easier reading.

Why this answer

The `project` operator in Kusto Query Language (KQL) is specifically designed to select a subset of columns from the input table, returning only the named columns in the result set. This matches the requirement to 'return only those columns,' making option C correct.

Exam trap

The trap here is confusing row-filtering operators (like `where`) with column-selection operators (like `project`), leading candidates to choose `where` because they think it controls visible columns, when in fact it only filters rows.

How to eliminate wrong answers

Option A is wrong because `where` filters rows based on a predicate, not columns; it does not select or limit visible columns. Option B is wrong because `summarize` groups rows and produces aggregations, often reducing the number of rows but not directly selecting specific columns. Option D is wrong because `extend` adds new computed columns to the result set, but it does not remove or select only existing columns.

167
MCQ · medium

Based on the exhibit, a user accidentally deleted one file from the VM and you need to restore only that file without recovering the entire virtual machine. What should you use?

A. Run file recovery from the available recovery point.
B. Restore the entire VM to the original resource group.
C. Create a new backup policy with longer retention and wait for the next backup.
D. Use Azure Monitor alerts to trigger an automatic file restore.
Answer: A

Azure VM backup supports file-level recovery from a restore point. Because only one file is needed, file recovery is the least disruptive and most efficient choice. It mounts the recovery point and lets you copy back the missing file without restoring the entire VM or its disks.

Why this answer

Azure Backup for Azure VMs supports file-level recovery from VM backup snapshots without restoring the entire VM. By selecting 'File Recovery' from the backup item's recovery point, you can mount the backup as a drive on the VM or a recovery machine, browse the file system, and copy the deleted file back to its original location. This avoids the overhead and downtime of a full VM restore.

Exam trap

The trap here is that candidates may confuse 'file recovery' with 'full VM restore' or assume that only a full restore can recover data, overlooking the granular file-level recovery capability built into Azure Backup.

How to eliminate wrong answers

Option B is wrong because restoring the entire VM to the original resource group would overwrite the current VM state, cause downtime, and is unnecessary when only a single file needs recovery. Option C is wrong because creating a new backup policy with longer retention does not help recover a file that was already deleted; it only affects future backups and does not provide access to existing recovery points. Option D is wrong because Azure Monitor alerts are used for monitoring and notification, not for triggering file-level restore operations; file recovery must be initiated manually or via Azure Backup APIs.

168
MCQ · hard

An administrator accidentally stopped protection for a critical VM and then deleted its backup item. The mistake was discovered a day later, and the organization wants deleted backup data to remain recoverable for a grace period. Which feature should be enabled on the Recovery Services vault?

A. Soft delete on the Recovery Services vault.
B. An action group attached to the vault alerts.
C. Diagnostic settings that export vault events to Log Analytics.
D. Cross-region restore for the vault.
Answer: A

Soft delete keeps deleted backup items recoverable for a retention window after deletion. That gives administrators time to reverse a mistaken stop-protection or delete action before the data is permanently lost. It is specifically designed for this sort of operational recovery scenario and is a vault-level protection setting. Because the question asks for recoverability after deletion, soft delete is the feature that directly addresses the requirement.

Why this answer

Soft delete on the Recovery Services vault provides a grace period (default 14 days) during which deleted backup data is retained in a soft-deleted state, allowing recovery even after a backup item is deleted. This feature is specifically designed to protect against accidental deletion, as it prevents permanent removal of backup data until the soft-delete period expires or is manually purged.

Exam trap

The trap here is that candidates may confuse soft delete with cross-region restore or diagnostic settings, thinking that logging or alerts can recover deleted data, when in fact only soft delete provides a grace period for recovery after accidental deletion.

How to eliminate wrong answers

Option B is wrong because an action group attached to vault alerts only sends notifications (e.g., email, SMS) when certain events occur; it does not retain or protect deleted backup data. Option C is wrong because diagnostic settings that export vault events to Log Analytics enable auditing and monitoring of vault operations, but they do not preserve deleted backup data or provide a recovery grace period. Option D is wrong because cross-region restore (CRR) allows restoring backups to a paired Azure region for disaster recovery, but it does not prevent permanent deletion of backup items or offer a grace period for accidental deletions.

169
MCQ · hard

You need to suppress alert notifications for a group of virtual machines every Sunday during a planned maintenance window, without deleting the underlying alert rules. What should you configure?

A. Disable diagnostic settings during the maintenance window.
B. Create an alert processing rule for the maintenance window.
C. Delete and recreate the alert rules every week.
D. Move the VMs to a different subscription on Sundays.
Answer: B

This suppresses notifications on schedule while keeping the alert rules intact.

Why this answer

An alert processing rule (formerly action rule) allows you to apply actions or suppress notifications for specific alert rules during defined time windows without modifying the underlying alert rules. By configuring an alert processing rule that suppresses notifications for the maintenance window (every Sunday), you can prevent notifications from being sent while the alert rules remain active and continue to evaluate conditions.

Exam trap

The trap here is that candidates may confuse disabling diagnostic settings (which stops data collection) with suppressing notifications, or think that modifying the underlying alert rule is required, when Azure provides a dedicated alert processing rule feature for this exact scenario.

How to eliminate wrong answers

Option A is wrong because disabling diagnostic settings would stop the collection of metrics and logs, which would prevent alert rules from evaluating conditions at all, rather than just suppressing notifications. Option C is wrong because deleting and recreating alert rules every week is inefficient, error-prone, and unnecessary; alert processing rules provide a native, automated way to suppress notifications without touching the rules themselves. Option D is wrong because moving VMs to a different subscription would change the resource scope and potentially break existing alert rules, and it is not a practical or supported method for temporarily suppressing notifications.

170
Multi-Select · easy

A VM was corrupted and the team wants to recover it from Azure Backup without using the original damaged disks. Which two restore targets are supported? Select two.

Select 2 answers
A. Create a new virtual machine
B. Restore the managed disks
C. Change the subscription automatically
D. Replace the Recovery Services vault name
E. Rebuild the virtual network
Answers: A, B

Azure Backup can restore a protected VM as a new VM during recovery.

Why this answer

Option A is correct because Azure Backup supports restoring a VM to a new virtual machine directly from the recovery point, which creates a new VM with the same configuration and data without using the original damaged disks. This is a common restore workflow when the original VM is corrupted or inaccessible.

Exam trap

The trap here is that candidates often assume 'Replace existing VM' is an option, but Azure Backup does not support in-place restoration of a corrupted VM; you must restore to a new VM or to managed disks, then manually swap disks or reconfigure.

171
MCQ · easy

A VM named VM01 stopped sending Heartbeat records to Log Analytics 15 minutes ago. Which KQL query should you run to confirm the VM's recent heartbeat entries?

A. Heartbeat | where Computer == "VM01" and TimeGenerated > ago(15m)
B. AzureActivity | where ResourceProviderValue == "Microsoft.Compute/virtualMachines"
C. Heartbeat | summarize count() by Computer
D. Perf | where CounterName == "% Processor Time"
Answer: A

This query filters the Heartbeat table for VM01 entries from the last 15 minutes.

Why this answer

The Heartbeat table in Log Analytics stores records sent by the Azure Monitor Agent (AMA) or Log Analytics agent every 5 minutes by default. Querying Heartbeat with a filter for Computer == 'VM01' and TimeGenerated > ago(15m) directly checks if any heartbeat records were generated in the last 15 minutes, confirming whether the VM is still reporting. This is the correct approach because Heartbeat is the dedicated table for agent health, and the time filter matches the 15-minute window specified in the question.

Exam trap

The trap here is that candidates confuse the Heartbeat table (agent health) with AzureActivity (resource operations) or Perf (performance metrics), assuming any log data can confirm agent connectivity, but only Heartbeat provides the direct, time-stamped signal of agent liveness.

How to eliminate wrong answers

Option B is wrong because AzureActivity logs control-plane operations (e.g., VM start/stop) and does not contain agent heartbeat data; it cannot confirm the VM's recent heartbeat entries. Option C is wrong because it summarizes heartbeat counts by computer without a time filter, so it does not check for records within the last 15 minutes and provides no confirmation of recent activity. Option D is wrong because the Perf table stores performance counters like CPU usage, not heartbeat signals; it cannot verify whether the agent is sending health records.

172
MCQ · easy

You already created a metric alert rule. You want the alert to send email and call a webhook when it fires. Which component should you link to the alert rule?

A. A diagnostic setting
B. A Log Analytics workspace
C. An action group
D. An Azure Policy initiative
Answer: C

An action group is the notification and automation target for Azure alerts. It can send email, trigger webhooks, and start other actions when the alert fires.

Why this answer

An action group is the correct component because it defines the notification and automation actions (such as sending an email or invoking a webhook) that are triggered when a metric alert rule fires. In Azure Monitor, alert rules are linked to action groups to execute these responses; without an action group, the alert can only log the event but cannot perform any external notification or automation.

Exam trap

The trap here is that candidates often confuse diagnostic settings (which export data) with action groups (which define alert responses), leading them to select A instead of C.

How to eliminate wrong answers

Option A is wrong because a diagnostic setting is used to stream platform logs and metrics to destinations like Log Analytics, Storage, or Event Hubs, not to define alert actions like email or webhook. Option B is wrong because a Log Analytics workspace is a data repository for logs and metrics, not a mechanism for sending notifications or invoking webhooks when an alert fires. Option D is wrong because an Azure Policy initiative is a set of policies for enforcing governance and compliance rules, unrelated to alert notification actions.

173
Multi-Select · easy

A help desk analyst needs to find Azure VM heartbeat records in Log Analytics and limit results to the last 30 minutes. Which two KQL elements should be used? Select two.

Select 2 answers
A. where
B. ago()
C. summarize
D. join
E. extend
Answers: A, B

The where clause filters rows, such as limiting records by time or status.

Why this answer

The `where` operator filters the result set based on a specified condition, which is essential for limiting records to those with a timestamp within the last 30 minutes. The `ago()` function returns a datetime value representing the current time minus a given timespan, allowing you to create a dynamic filter like `where TimeGenerated > ago(30m)`. Together, they enable precise time-based filtering in Kusto Query Language (KQL) for Log Analytics.

Exam trap

Microsoft often tests the misconception that `summarize` or `extend` can filter data by time, but only `where` with a time-based condition like `ago()` actually removes rows from the result set.

174
Multi-Select · easy

A customer wants official information about whether an Azure service issue is affecting their subscription or the wider Azure platform. Which two sources should they check? Select two.

Select 2 answers
A. Azure Advisor
B. Azure Service Health
C. Backup center
D. Azure Status
E. Resource Graph
Answers: B, D

Azure Service Health shows incidents and advisories relevant to the customer's subscriptions.

Why this answer

Azure Service Health (B) provides personalized alerts and guidance when Azure service issues affect your subscription, including planned maintenance and health advisories. Azure Status (D) offers a global view of the health of all Azure services across regions, which is the official source for widespread platform issues. Together, they cover both subscription-specific and platform-wide service incidents.

Exam trap

The trap here is that candidates often confuse Azure Service Health (subscription-specific) with Azure Status (global platform health) and may pick Azure Advisor or Backup center because they sound like they could provide health information, but they serve entirely different monitoring and maintenance functions.

175
MCQ · hard

Your company wants to query performance and event data from multiple Azure virtual machines by using Kusto Query Language. The operations team also wants to centralize retention and analysis of this data. What should you deploy?

A. A Log Analytics workspace.
B. Azure Advisor.
C. Azure Network Watcher only.
D. A network security group.
Answer: A

This provides centralized collection, retention, and KQL-based querying for Azure Monitor Logs.

Why this answer

A Log Analytics workspace is the correct choice because it is the central repository in Azure Monitor for collecting telemetry and log data from Azure virtual machines. It supports Kusto Query Language (KQL) for querying performance and event data, and it provides centralized retention, analysis, and alerting capabilities, meeting both requirements.

Exam trap

The trap here is that candidates often confuse Azure Advisor or Network Watcher as monitoring tools, but neither provides the centralized log storage and KQL querying required for VM performance and event data analysis.

How to eliminate wrong answers

Option B is wrong because Azure Advisor is a personalized cloud consultant that provides recommendations on best practices for cost, security, reliability, and performance; it does not ingest, store, or query performance and event data from VMs using KQL. Option C is wrong because Azure Network Watcher only provides network-level monitoring and diagnostics (e.g., packet capture, NSG flow logs, connection troubleshoot) and does not collect VM performance counters or event logs, nor does it support KQL queries for such data. Option D is wrong because a network security group (NSG) is a firewall rule set that filters traffic to and from Azure resources; it does not collect, store, or query performance or event data, and it has no querying or analysis capabilities.

176
MCQ · medium

A virtual machine is already protected by Azure Backup. The business wants the VM backed up every day at 11:00 PM and wants daily recovery points retained for 30 days, without re-onboarding the VM. What should the administrator modify?

A. Create a new Recovery Services vault and re-register the VM
B. Modify the backup policy associated with the protected VM
C. Install a new VM extension to change retention behavior
D. Take a manual snapshot of the VM disk every night
Answer: B

Backup schedule and retention are controlled by the backup policy in the Recovery Services vault. Updating that policy changes how future recovery points are created and retained for the protected VM. This is the correct operational object to edit because the VM is already onboarded and the requirement is to adjust policy settings, not the vault itself.

Why this answer

Option B is correct because Azure Backup uses backup policies to define the backup schedule and retention rules for protected resources. By modifying the existing policy associated with the VM, you can change the backup time to 11:00 PM and set daily recovery point retention to 30 days without needing to re-onboard the VM or create a new vault.

Exam trap

The trap here is that candidates may think changing the backup schedule or retention requires re-onboarding the VM or creating a new vault, but Azure Backup allows in-place policy modification for already protected resources.

How to eliminate wrong answers

Option A is wrong because creating a new Recovery Services vault and re-registering the VM is unnecessary; you can modify the existing backup policy without re-onboarding. Option C is wrong because the VM extension for backup (AzureBackupWindowsWorkload or AzureBackupLinux) is automatically managed by the Azure Backup service and does not control retention behavior; retention is a policy-level setting. Option D is wrong because manual snapshots are not integrated with Azure Backup's automated retention and scheduling, and they would require separate management, defeating the purpose of using the backup service.

177
MCQ · hard

An administrator enabled diagnostic settings on an Azure Storage account using the resource-specific schema. A coworker then ran a query against AzureDiagnostics and got no rows, even though failed blob writes occurred during the last hour. What is the best fix?

A. Switch the diagnostic setting back to the legacy AzureDiagnostics schema so all logs land there.
B. Query the storage account's dedicated resource-specific log table and filter for failed write operations.
C. Use the Azure Activity log because blob write failures are always control-plane events.
D. Create a metric alert on storage capacity because that metric includes failed requests.
Answer: B

When resource-specific diagnostic mode is enabled, logs no longer land in AzureDiagnostics for that resource. The correct action is to query the dedicated storage log table produced by the diagnostic setting, then filter for the failed write status and time window. This aligns the query with the actual schema that is collecting the data.

Why this answer

When a diagnostic setting is configured with the resource-specific schema, Azure routes logs to dedicated tables (e.g., StorageBlobLogs) rather than the legacy AzureDiagnostics table. Querying AzureDiagnostics returns no rows because the logs are not stored there. The correct fix is to query the appropriate resource-specific log table (e.g., StorageBlobLogs) and filter for failed write operations, as this table contains the detailed, schema-specific data for the storage account's blob operations.

Exam trap

The trap here is that candidates assume all diagnostic logs land in the AzureDiagnostics table by default, overlooking that the resource-specific schema redirects logs to dedicated tables, leading them to incorrectly choose Option A or fail to query the correct table.

How to eliminate wrong answers

Option A is wrong because switching back to the legacy AzureDiagnostics schema is unnecessary and defeats the purpose of the resource-specific schema, which provides better performance and schema alignment; the logs are already being collected, just in a different table. Option C is wrong because blob write failures are data-plane events, not control-plane events; the Azure Activity log only captures control-plane operations (e.g., creating a storage account), not data-plane operations like blob writes. Option D is wrong because a metric alert on storage capacity does not include failed requests; capacity metrics track storage usage, not request failures, and metric alerts cannot query log data for failed operations.

178
MCQ · easy

Based on the exhibit, what should the administrator configure so storage logs can be queried later with KQL?

A. Create a backup policy for the storage account so the logs are retained automatically.
B. Enable a resource lock on the storage account so no logs are lost.
C. Turn on blob versioning so every change to the storage account is searchable.
D. Configure diagnostic settings to send logs to a Log Analytics workspace.
Answer: D

Diagnostic settings are used to export resource logs and metrics from Azure resources. Sending those logs to Log Analytics makes them available for KQL queries, filtering, and investigation.

Why this answer

Diagnostic settings in Azure allow you to stream platform logs, including storage logs, to a Log Analytics workspace. Once the logs are in Log Analytics, you can query them using Kusto Query Language (KQL) to analyze storage operations, errors, and metrics. This is the only option that directly enables querying storage logs with KQL.

Exam trap

The trap here is that candidates confuse data protection features (backup, locks, versioning) with logging and monitoring capabilities, failing to recognize that only diagnostic settings can route logs to a Log Analytics workspace for KQL queries.

How to eliminate wrong answers

Option A is wrong because a backup policy retains snapshots or copies of data for recovery purposes, not logs; it does not send logs to a queryable store like Log Analytics. Option B is wrong because a resource lock prevents accidental deletion or modification of the storage account, but it does not capture, retain, or make logs available for KQL queries. Option C is wrong because blob versioning tracks changes to blob objects for data protection and recovery, but it does not generate or store operational or diagnostic logs that can be queried with KQL.

179
MCQ · easy

Based on the exhibit, which KQL clause should replace the blank to show only heartbeat records from the last 30 minutes?

A. project Computer, TimeGenerated
B. where TimeGenerated >= ago(30m)
C. extend TimeWindow = 30m
D. sort by TimeGenerated desc
Answer: B

The where clause filters rows before summarizing, and ago(30m) is the KQL function that represents the last 30 minutes from the current time. This is the correct way to restrict the Heartbeat table to recent records before calculating the most recent check-in for each computer. It is a standard operational troubleshooting pattern in Log Analytics.

Why this answer

The KQL clause `where TimeGenerated >= ago(30m)` filters the results to include only records where the `TimeGenerated` timestamp is within the last 30 minutes. The `ago()` function calculates a datetime value relative to the current time, and the `>=` operator ensures only records from that point forward are returned. This directly satisfies the requirement to show heartbeat records from the last 30 minutes.

Exam trap

The trap here is that candidates often confuse filtering (`where`) with projection (`project`), sorting (`sort`), or extending (`extend`), and may choose a clause that manipulates the output format or order instead of actually restricting the rows based on a time condition.

How to eliminate wrong answers

Option A is wrong because `project Computer, TimeGenerated` only selects (projects) those two columns, but does not filter any rows based on time; it would return all heartbeat records regardless of age. Option C is wrong because `extend TimeWindow = 30m` creates a new column with a constant value of 30 minutes, but does not filter the data; it simply adds a calculated field to each row. Option D is wrong because `sort by TimeGenerated desc` orders the results by time descending, but does not restrict the time range; it would still include all records, not just those from the last 30 minutes.

180
MCQ · hard

A virtual machine is already protected by Azure Backup. The current policy runs daily at 23:00 and keeps daily recovery points for 30 days. The business now wants the same schedule but wants new daily recovery points retained for 90 days. No new vault or re-registration should occur. What should the administrator do?

A. Create a new Recovery Services vault and enable backup again with the longer retention period.
B. Edit the existing backup policy and change the daily retention for future recovery points.
C. Take nightly managed disk snapshots because snapshots automatically inherit the Recovery Services vault retention period.
D. Change the vault redundancy setting to increase the number of retained recovery points.
Answer: B

Backup retention is controlled by the backup policy attached to the protected VM. Updating the policy to retain daily recovery points for 90 days changes how future backups are kept without re-registering the workload or creating a new vault. Existing recovery points keep their original retention behavior, while newly created recovery points follow the updated rule. This is the normal, low-impact administrative change.

Why this answer

Option B is correct because Azure Backup allows you to modify an existing backup policy to change the retention duration for future recovery points without creating a new vault or re-registering the VM. By editing the policy and setting the daily retention to 90 days, all new daily recovery points will be retained for the longer period, while existing recovery points remain unaffected by the change.

Exam trap

The trap here is that candidates may confuse vault redundancy settings with retention duration, or assume that a new vault is required to change retention, when in fact Azure Backup policies can be edited in place to adjust retention for future recovery points.

How to eliminate wrong answers

Option A is wrong because creating a new Recovery Services vault would require re-registering the VM, which violates the requirement that no new vault or re-registration should occur. Option C is wrong because managed disk snapshots are independent of Recovery Services vault retention policies; they do not automatically inherit vault retention settings and are managed separately. Option D is wrong because vault redundancy settings (e.g., LRS vs. GRS) control data replication, not the number of retained recovery points; retention duration is configured in the backup policy, not via redundancy.

181
MCQ · medium

A Virtual Machine Scale Set must add instances automatically when average CPU usage is above 75 percent and remove instances when CPU drops below 30 percent. Which feature should you configure?

A. Autoscale rules in Azure Monitor
B. A Recovery Services vault policy
C. Boot diagnostics
D. Azure Advisor only
Answer: A

This directly implements metric-based scaling logic for the VM Scale Set.

Why this answer

Autoscale rules in Azure Monitor allow you to define conditions for automatically scaling a Virtual Machine Scale Set (VMSS) based on metrics like average CPU usage. You can set a scale-out rule to add instances when CPU exceeds 75% and a scale-in rule to remove instances when CPU drops below 30%, with a cool-down period to prevent flapping. This is the native Azure feature designed for such metric-based auto-scaling scenarios.

Exam trap

The trap here is that candidates may confuse Azure Advisor (which gives recommendations) with the actual implementation of autoscale rules, or mistakenly think Recovery Services vault policies or boot diagnostics are involved in scaling decisions.

How to eliminate wrong answers

Option B is wrong because a Recovery Services vault policy is used for configuring backup and disaster recovery settings, not for auto-scaling based on performance metrics. Option C is wrong because boot diagnostics captures serial console output and screenshots for troubleshooting VM boot failures, not for scaling decisions. Option D is wrong because Azure Advisor provides proactive recommendations for cost, security, reliability, and performance, but it does not implement or configure auto-scaling rules itself.

182
MCQ · easy

Based on the exhibit, what should the administrator check first to resolve the backup failure for the Azure VM?

A. Increase the backup retention period in the vault policy.
B. Verify that the Azure VM Agent is installed and running on the VM.
C. Move the VM to a different availability zone.
D. Change the storage account redundancy to ZRS.
Answer: B

Azure VM backups depend on a healthy VM agent so Azure can coordinate snapshot and extension operations. If the job reports that the agent is not in a ready state, the first troubleshooting step is to confirm the agent is installed, running, and up to date. Custom images sometimes miss the agent or contain a broken installation, which causes backup jobs to fail immediately.

Why this answer

The Azure VM backup failure is most commonly caused by the Azure VM Agent (also known as the Windows Guest Agent or Linux Agent) not being installed, outdated, or in a non-responsive state. The backup extension relies on the VM Agent to execute snapshots and coordinate with the Azure Backup service; without a healthy agent, the backup process cannot initiate. Therefore, verifying the agent's installation and status is the first troubleshooting step.

Exam trap

The trap here is that candidates often jump to storage or networking changes (like redundancy or availability zones) when the real issue is a missing or broken VM Agent, which is a prerequisite for any guest-level operation including backup extensions.

How to eliminate wrong answers

Option A is wrong because increasing the backup retention period does not resolve a failure to take a backup; retention only affects how long existing recovery points are kept, not the ability to create new ones. Option C is wrong because moving the VM to a different availability zone does not address the underlying cause of backup failure, which is typically related to the VM Agent or extension state, not the physical placement of the VM. Option D is wrong because changing the storage account redundancy to ZRS affects data durability and replication, but does not impact the backup operation itself, which uses the Azure Backup vault and its own storage infrastructure, not the VM's attached disks.

183
MCQ · medium

Based on the exhibit, a VM is protected by Azure Backup. The business wants daily backups at 11:00 PM, retention of daily recovery points for 30 days, and no changes to the existing vault or VM. The current policy already backs up every day but keeps recovery points for only 7 days. What should the administrator modify?

A. Create a new VM and attach the existing backup vault to it.
B. Edit the backup policy and change daily retention to 30 days.
C. Enable soft delete on the vault.
D. Move the VM to another availability zone.
Answer: B

The schedule is already correct, so the only missing setting is retention. Updating the backup policy to keep daily recovery points for 30 days satisfies the requirement without changing the vault or protected item.

Why this answer

Option B is correct because the existing backup policy already performs daily backups at 11:00 PM, but its retention setting for daily recovery points is only 7 days. By editing the policy and changing the daily retention to 30 days, the administrator meets the business requirement without creating a new VM, altering the vault, or modifying the VM itself. Azure Backup policies allow modification of retention durations independently of backup frequency, so this is a straightforward configuration change.

Exam trap

The trap here is that candidates may think they need to create a new policy or modify the VM (e.g., move it to another zone) to change retention, when in fact Azure Backup allows direct editing of the existing policy's retention duration without any other infrastructure changes.

How to eliminate wrong answers

Option A is wrong because creating a new VM and attaching the existing backup vault does not change the retention period of the current backup policy; it would only add a new VM to the same vault, leaving the original VM's retention at 7 days. Option C is wrong because enabling soft delete on the vault protects against accidental deletion of recovery points but does not extend the retention duration of daily backups from 7 to 30 days. Option D is wrong because moving the VM to another availability zone has no effect on backup retention settings; availability zones are for high availability and disaster recovery, not backup policy configuration.

184
MCQ · easy

In Log Analytics, you need to find AzureActivity records for VM stop or deallocate operations from the last 24 hours. Which query should you use?

A. AzureActivity | where TimeGenerated > ago(24h) | where OperationNameValue has_any ("Microsoft.Compute/virtualMachines/deallocate/action", "Microsoft.Compute/virtualMachines/powerOff/action")
B. AzureActivity | summarize count() by OperationNameValue
C. AzureActivity | where ResourceType == "Microsoft.Compute/virtualMachines" | project TimeGenerated, ResourceGroup
D. AzureActivity | sort by TimeGenerated asc
Answer: A

This query filters the AzureActivity table to the last 24 hours and then matches the VM stop-related operations you need to review.

Why this answer

Option A is correct because it uses the `has_any` operator to filter AzureActivity records for the exact operation names corresponding to VM stop (powerOff) and deallocate actions, and it restricts the time range to the last 24 hours using `ago(24h)`. This directly matches the requirement to find VM stop or deallocate operations within the specified timeframe.

Exam trap

The trap here is that candidates may confuse the `has_any` operator with `contains` or `in`, or forget to include the time filter, leading them to select options that either don't filter by operation type or don't restrict the time window.

How to eliminate wrong answers

Option B is wrong because it summarizes counts by OperationNameValue without any time filter or specific operation filtering, so it returns a count of all operation types, not just stop/deallocate from the last 24 hours. Option C is wrong because it filters by ResourceType and projects TimeGenerated and ResourceGroup, but does not filter for stop/deallocate operations or restrict to the last 24 hours, so it returns all VM-related activities regardless of operation. Option D is wrong because it simply sorts all AzureActivity records by TimeGenerated ascending without any filtering for operation type or time range, so it does not isolate the required records.

185
MCQ · easy

A team wants an email and SMS notification whenever the average CPU on a production VM stays above 85% for 10 minutes. The same notification setup may be reused by other alerts later. Which Azure feature should you configure?

A. Metric alert rule
B. Action group
C. Diagnostic setting
D. Resource lock
Answer: B

An action group sends the email and SMS notifications and can be reused across multiple alerts.

Why this answer

B is correct because an Action Group is the Azure component that defines the notification actions (email, SMS, webhook, etc.) to be triggered when an alert fires. The question specifies that the same notification setup should be reusable by other alerts later, which is exactly the purpose of an Action Group: it decouples the notification configuration from the alert rule itself. You would create a Metric Alert Rule to monitor the CPU metric, but that rule references an Action Group to send the email and SMS.

Exam trap

The trap here is that candidates confuse the alert rule (which detects the condition) with the action group (which handles the notification), often selecting Metric Alert Rule thinking it directly sends emails/SMS, when in fact it only triggers the action group.

How to eliminate wrong answers

Option A is wrong because a Metric Alert Rule defines the condition (average CPU > 85% for 10 minutes) and the scope, but it does not itself send notifications; it must reference an Action Group to perform the email/SMS actions. Option C is wrong because a Diagnostic Setting is used to stream platform logs and metrics to destinations like Log Analytics, Storage, or Event Hubs, not to send real-time notifications for threshold breaches. Option D is wrong because a Resource Lock prevents accidental deletion or modification of a resource, and has no role in monitoring or alerting.

186
MCQ · hard

A platform team wants to investigate incidents involving Azure VM performance, storage failures, and subscription-level changes in one place. They want to minimize Log Analytics ingestion cost. Which telemetry approach should they use?

A. Enable full guest-level logging on every VM, send all storage logs to the workspace, and add all activity logs from every subscription
B. Use metric alerts only and avoid Log Analytics because metrics are always cheaper than logs
C. Send only the required platform diagnostic logs and Activity logs to one Log Analytics workspace, and use metric alerts for threshold-based signals
D. Export all telemetry to a storage account and query it manually when an incident occurs
Answer C

This balances cost and troubleshooting value by collecting only the telemetry needed for investigation while using metrics for simple threshold monitoring.

Why this answer

Option C is correct because it balances the need for centralized incident investigation with cost control. By sending only required platform diagnostic logs (e.g., from Azure Storage and VM metrics) and Activity logs to a single Log Analytics workspace, the team avoids unnecessary ingestion of verbose guest-level logs. Metric alerts provide threshold-based signals without log ingestion costs, enabling efficient monitoring of performance and failures.

Exam trap

The trap here is that candidates may think full logging (Option A) is necessary for comprehensive investigation, overlooking the cost implications of ingesting verbose guest-level logs, or assume metrics alone (Option B) can replace logs for incident root cause analysis.

How to eliminate wrong answers

Option A is wrong because enabling full guest-level logging on every VM and sending all storage logs to the workspace would incur high Log Analytics ingestion costs, contradicting the goal to minimize cost. Option B is wrong because metric alerts alone cannot capture detailed incident context (e.g., storage failure logs or subscription-level changes) that require log-based analysis; metrics are cheaper but insufficient for comprehensive investigation. Option D is wrong because exporting all telemetry to a storage account and querying it manually is inefficient for real-time incident investigation and lacks the integrated querying and alerting capabilities of Log Analytics, increasing operational overhead.

187
MCQ · easy

Based on the exhibit, where should the administrator go next to review the failed backup job details?

A. Backup policy, because it shows the retention and schedule configuration.
B. Backup items, because it lists protected resources and recovery points.
C. Jobs, because it contains the backup job status and error details.
D. Properties, because it contains the general vault settings.
Answer C

The Jobs blade is where Azure Backup records job execution results, including success, failure, and error details. That makes it the correct next place to investigate the failed backup job shown in the exhibit.

Why this answer

The Jobs blade in Azure Backup is the central location for reviewing the status, progress, and detailed error messages of all backup jobs, including failed ones. It provides a filtered view of backup, restore, and other operations, allowing the administrator to drill into specific job failures to see error codes and recommended actions.

Exam trap

The trap here is that candidates confuse the location of configuration data (policies, properties) with operational data (job status), leading them to select Backup policy or Properties instead of Jobs.

How to eliminate wrong answers

Option A is wrong because the Backup policy blade only shows retention rules and backup schedule configuration, not the execution results or error details of individual jobs. Option B is wrong because Backup items lists protected resources and their recovery points, but does not display job-level status or failure details. Option D is wrong because Properties contains general vault settings such as encryption and soft-delete configuration, not operational job history.

188
Multi-Select · hard

A Windows VM fails shortly after startup when a custom extension runs, and the administrator cannot use RDP to inspect the machine. The goal is to see what happened during boot and confirm whether the failure occurred before the guest OS finished loading. Which two features should be used first? Select two.

Select 2 answers
A. Boot diagnostics
B. Azure Serial Console
C. Availability set
D. Managed disk snapshots
E. Azure Monitor autoscale
Answers A, B

Boot diagnostics captures screenshots and serial logs that help diagnose early boot failures.

Why this answer

Boot diagnostics captures serial console output and screenshots of the VM during the boot process, allowing you to see whether the failure occurred before the guest OS finished loading. Azure Serial Console provides text-based, keyboard-focused access to the VM even when RDP is unavailable, enabling you to inspect boot logs and interact with the OS during startup. Together, they let you determine whether the custom extension failure occurred before or after the OS fully loaded.

Exam trap

The trap here is that candidates often choose managed disk snapshots or availability sets, thinking they can restore or inspect the VM state, but these do not provide the real-time, pre-OS boot logs needed to diagnose a startup failure before the guest OS finishes loading.

189
Multi-Select · easy

An administrator enabled Azure VM backup yesterday and now wants to confirm whether the most recent backup job succeeded. Which two places can they check? Select two.

Select 2 answers
A. Activity log
B. Azure Advisor
C. Recovery Services vault backup jobs
D. Backup center
E. Resource Graph
Answers C, D

The Recovery Services vault contains backup job history and detailed success or failure results.

Why this answer

The Recovery Services vault backup jobs (Option C) is correct because it provides a dedicated view of all backup jobs associated with the vault, including status, start time, and duration. Backup Center (Option D) is correct because it offers a centralized, cross-vault, cross-region dashboard to monitor backup jobs and alerts, making it ideal for confirming the success of the most recent backup.

Exam trap

The trap here is that candidates often confuse the Activity log (which shows who enabled backup) with the actual backup job status, or they mistakenly think Azure Advisor provides operational monitoring, when in fact it only offers proactive recommendations.

190
Multi-Select · hard

A VM suddenly stops responding, and the operations team needs to determine whether the issue is caused by a Microsoft platform problem or is isolated to that specific VM. Which two Azure portal features should be reviewed? Select two.

Select 2 answers
A. Service Health
B. Resource Health
C. Azure Advisor
D. Diagnostic setting
E. Action group
Answers A, B

Service Health shows Azure-wide incidents, advisories, and maintenance that may impact regions.

Why this answer

Service Health (A) provides a global view of Azure platform-wide issues, such as regional outages or service degradation, that could affect multiple resources. Resource Health (B) reports the health of a specific VM instance, indicating whether the VM is available, degraded, or unavailable, and whether the issue is due to a platform event or a user-initiated action. Together, these two features allow the operations team to differentiate between a Microsoft platform problem and an isolated VM issue.

Exam trap

The trap here is that candidates often confuse 'Service Health' with 'Resource Health' or think Azure Advisor can diagnose real-time outages, but the exam expects you to know that Service Health covers platform-wide issues while Resource Health is per-resource, and neither Diagnostic settings nor Action groups provide health status.

191
MCQ · medium

Based on the exhibit, a security team wants to search Key Vault audit events in Log Analytics for 30 days and create alerts when secrets are accessed unexpectedly. The current diagnostic configuration is not sending the right data. What should the administrator enable?

A. Enable AuditEvent and send the logs to a Log Analytics workspace.
B. Enable only AllMetrics and keep sending data to the storage account.
C. Create a private endpoint for the Key Vault.
D. Turn on a resource lock with the ReadOnly effect.
Answer A

Key Vault audit events must be collected into Log Analytics to support search, KQL queries, and log-based alerting. Enabling the AuditEvent category and targeting a workspace satisfies both investigation and alerting requirements.

Why this answer

Option A is correct because the Key Vault diagnostic setting must include the AuditEvent category to capture all audit logs, including secret operations. Sending these logs to a Log Analytics workspace enables the security team to query them for 30 days and create alerts on unexpected secret access. Without AuditEvent enabled, no audit data is available for analysis.

Exam trap

The trap here is that candidates often confuse AllMetrics (which provides performance data) with AuditEvent (which provides security logs), or mistakenly think that network controls like private endpoints or resource locks can substitute for proper diagnostic logging configuration.

How to eliminate wrong answers

Option B is wrong because AllMetrics captures performance metrics (e.g., requests, latency) but not audit events; it cannot provide the security logs needed to detect unauthorized secret access. Option C is wrong because a private endpoint restricts network access to the Key Vault but does not enable or send audit logs to Log Analytics; it addresses network security, not diagnostic data collection. Option D is wrong because a ReadOnly resource lock prevents modifications to the Key Vault but does not enable audit logging or send data to Log Analytics; it is a governance control, not a diagnostic configuration.
