CCNA Implement and Manage Storage Questions

75 of 228 questions · Page 3/4 · Implement and Manage Storage · Answers revealed

151
MCQ · medium

A storage account must be reachable only from Azure VMs in a single subnet. Public network access should not be used, and the team wants the storage service to keep using a private IP address inside the virtual network. Which feature should the administrator configure?

A. A service endpoint on the subnet, because it creates a private IP address for the storage account.
B. A private endpoint for the storage account in the subnet.
C. A shared access signature that is limited to the subnet.
D. Storage account access keys, because they bind access to one subnet automatically.
Answer: B

A private endpoint places the storage service on a private IP address inside the VNet, which matches the requirement to avoid public network access. It is the correct choice when the service should be reachable only through a private address.

Why this answer

A private endpoint assigns the storage account a private IP address from the subnet's address space, using Azure Private Link to route traffic entirely over the Microsoft backbone network. This ensures the storage account is reachable only from VMs in that subnet and blocks all public internet access, meeting both requirements.

Exam trap

The trap here is confusing a service endpoint (which only provides source IP preservation and route optimization but leaves the public endpoint exposed) with a private endpoint (which truly removes public access by assigning a private IP).

How to eliminate wrong answers

Option A is wrong because a service endpoint does not create a private IP address for the storage account; it only extends the VNet identity to the service, leaving the storage account with a public endpoint that is reachable from the internet. Option C is wrong because a shared access signature (SAS) is a token for delegated access to storage resources, not a network access control; it cannot restrict access to a specific subnet. Option D is wrong because storage account access keys are global credentials that grant full access to the storage account from any network source; they do not bind access to a single subnet automatically.

152
MCQ · easy

A legal team stores archived case files in Azure Blob Storage. The files are rarely read, but they must remain online and available immediately when needed. Which access tier should the administrator use?

A. Hot tier
B. Cool tier
C. Archive tier
D. Premium tier
Answer: B

Cool tier is designed for infrequently accessed data that still needs to stay online and be available immediately without rehydration.

Why this answer

The Cool tier is designed for data that is infrequently accessed but must remain online with low-latency retrieval. Archived case files that are rarely read but need immediate availability fit this profile, as Cool tier offers lower storage costs than Hot tier while still providing millisecond access times.

Exam trap

The trap here is that candidates often choose Archive tier for 'archived' data without reading the 'available immediately' requirement, missing that Archive tier requires rehydration and cannot serve data on demand.

How to eliminate wrong answers

Option A is wrong because the Hot tier is optimized for frequent access and has higher storage costs, making it cost-inefficient for rarely read data. Option C is wrong because the Archive tier has the lowest storage cost but requires rehydration (taking up to 15 hours) before data can be read, violating the 'available immediately' requirement. Option D is wrong because the Premium tier is for high-performance block blob or append blob workloads (e.g., low-latency transactions) and is not cost-justified for archived case files.

153
MCQ · medium

A developer can access an Azure Blob container from the portal using Microsoft Entra sign-in, but their custom app gets a 403 error when reading the same blob. The storage account is configured to use Azure AD authorization. What is the most likely fix?

A. Assign the user the Storage Blob Data Reader role on the container or storage account.
B. Assign the user the Reader role on the subscription.
C. Enable shared key access so the app can bypass Azure AD permissions.
D. Move the container to the Hot tier so Azure AD authentication can succeed.
Answer: A

A 403 in this scenario usually means the identity lacks data-plane permissions. The user needs an Azure RBAC role such as Storage Blob Data Reader at the appropriate scope so the app can read blob content through Azure AD authorization.

Why this answer

The developer can authenticate via the portal because the portal uses the user's own Microsoft Entra identity, which may have implicit permissions (e.g., via group membership or subscription-level Reader). However, the custom app must explicitly be granted the Storage Blob Data Reader role on the container or storage account to authorize data plane operations (reading blobs). Without this role assignment, the app's identity lacks the RBAC permission to perform blob read operations, resulting in a 403 error.

Exam trap

The trap here is that candidates confuse the management plane Reader role (which allows viewing the storage account in the portal) with the data plane Storage Blob Data Reader role (which is required to actually read blob content), leading them to incorrectly select Option B.

How to eliminate wrong answers

Option B is wrong because the Reader role on the subscription grants read access to management plane resources (e.g., storage account properties) but does not grant data plane permissions to read blob content; data plane access requires a role like Storage Blob Data Reader. Option C is wrong because enabling shared key access would bypass Azure AD authorization entirely, which contradicts the requirement to use Azure AD authorization; it also introduces a security risk and does not fix the RBAC permission issue. Option D is wrong because the Hot tier is a storage tier for performance/cost optimization and has no effect on Azure AD authentication success; authentication is independent of the access tier.

154
MCQ · hard

A business stores audit exports in Blob Storage. The account must continue serving writes if one availability zone fails, and reporting users in the paired region must still be able to read the replicated data if the primary region becomes unavailable. Which redundancy option best meets the requirement?

A. ZRS, because it protects against a zone failure inside one region.
B. RA-GRS, because it provides read access to the secondary region but not zone redundancy.
C. RA-GZRS, because it combines zone redundancy in the primary region with read access to the secondary region.
D. GRS, because it keeps a full second copy in another region.
Answer: C

RA-GZRS is the only option that satisfies both parts of the business requirement: it protects the primary region against a zone failure and also exposes the secondary region for read access if the primary region is unavailable. That combination is exactly what zone resilience plus readable geo-redundancy requires.

Why this answer

RA-GZRS (Read-Access Geo-Zone-Redundant Storage) is the correct choice because it combines synchronous zone-redundant replication across three availability zones in the primary region (protecting against a single zone failure) with asynchronous geo-replication to a paired secondary region, and enables read access to the secondary region if the primary becomes unavailable. This satisfies both requirements: continued writes during a zone failure and readable replicated data from the paired region during a primary region outage.

Exam trap

The trap here is that candidates often confuse GRS with RA-GRS or think ZRS alone is sufficient, failing to recognize that the requirement for both zone failure protection and secondary region read access necessitates the specific combination of zone redundancy and geo-replication with read access, which only RA-GZRS provides.

How to eliminate wrong answers

Option A is wrong because ZRS provides zone redundancy within a single region but does not replicate data to a paired region, so reporting users in the paired region cannot read data if the primary region becomes unavailable. Option B is wrong because RA-GRS provides read access to the secondary region but uses LRS in the primary region, which does not protect against a single availability zone failure; a zone failure would block writes. Option D is wrong because GRS replicates data to a paired region but does not provide read access to the secondary region unless a failover is initiated, and it uses LRS in the primary region, offering no zone redundancy.

155
MCQ · medium

A batch job fails with a blob read error after the administrator moved a 200-GB blob to the archive tier. The file must be available again within a few hours, and the administrator wants the least disruptive recovery. What should be done?

A. Delete the archived blob and upload a new copy from backup.
B. Change the blob tier to Hot or Cool and wait for the rehydration process to finish.
C. Enable soft delete on the storage account and retry the read operation.
D. Convert the storage account to premium performance.
Answer: B

Archive blobs are offline and cannot be read directly until they are rehydrated. The administrator should change the tier from Archive to Hot or Cool, which starts rehydration and makes the blob readable again after the process completes. This is the least disruptive recovery path because it preserves the existing blob and uses the supported restore mechanism instead of recreating the data.

Why this answer

Option B is correct because moving a blob to the archive tier makes it offline; to read it, you must first rehydrate it by changing the tier to Hot or Cool. Rehydration typically completes within a few hours (up to 15 hours for archive), meeting the requirement. This is the least disruptive method as it avoids data loss or additional uploads.

Exam trap

The trap here is that candidates may think soft delete (Option C) or changing the account tier (Option D) can immediately restore access, when in fact only explicit rehydration by tier change makes an archived blob readable.

How to eliminate wrong answers

Option A is wrong because deleting the archived blob and uploading a new copy from backup is more disruptive and time-consuming than rehydration, and it risks data loss if the backup is outdated. Option C is wrong because enabling soft delete does not affect the blob's offline state; it only protects against accidental deletion, not the need to rehydrate from archive. Option D is wrong because converting the storage account to premium performance does not change the blob's tier or rehydrate it; premium accounts do not support archive tier and would require a new account and data migration.

156
MCQ · hard

An on-premises ERP server connected to Azure through a site-to-site VPN must read and write blobs in a storage account by using the storage account's private IP address. Public network access must be blocked. Which storage configuration should the administrator implement?

A. Configure a service endpoint on the on-premises subnet and leave public access enabled.
B. Create a private endpoint for the storage account and disable public network access.
C. Issue a container SAS and publish the storage account public DNS name.
D. Enable SMB multichannel on the storage account.
Answer: B

A private endpoint gives the storage account a private IP in a VNet that on-premises can reach through VPN.

Why this answer

Option B is correct because a private endpoint assigns the storage account a private IP address from the on-premises subnet (connected via VPN), enabling the ERP server to communicate with the storage account over the private network. Disabling public network access ensures that all traffic must traverse the private endpoint, blocking any internet-based access. This meets the requirement of using the storage account's private IP address while preventing public exposure.

Exam trap

The trap here is that candidates confuse service endpoints (which only extend network identity and do not provide a private IP) with private endpoints (which assign a true private IP and fully isolate the storage account from public access).

How to eliminate wrong answers

Option A is wrong because a service endpoint does not assign a private IP address to the storage account; it only extends the virtual network identity to the service, and leaving public access enabled violates the requirement to block public network access. Option C is wrong because a container SAS (Shared Access Signature) uses the storage account's public DNS name and requires public network access to be enabled, which contradicts the need to block public access and use a private IP. Option D is wrong because SMB multichannel is a performance feature for Azure Files over SMB 3.0, not related to private IP assignment or blocking public access for blob storage.

157
MCQ · hard

A finance web app in AppSubnet must connect to Azure SQL Database over the service's public endpoint. Only AppSubnet should be allowed, and the security team does not want to deploy any private IPs or change DNS. What should you configure?

A. A private endpoint for the SQL server and a private DNS zone linked to AppSubnet.
B. Enable the Microsoft.Sql service endpoint on AppSubnet and add a virtual network rule on the SQL server.
C. Create an NSG rule on AppSubnet to allow outbound TCP 1433 traffic to the SQL server's public IP address.
D. Publish the AppSubnet public IP address range in the SQL server firewall as an allow list.
Answer: B

A service endpoint keeps Azure SQL reachable through its public endpoint while allowing access only from the authorized subnet. The subnet must have the Microsoft.Sql service endpoint enabled, and the SQL server must have a virtual network rule that permits AppSubnet. This satisfies the requirement to avoid private IPs and DNS changes while still restricting access to the subnet.

Why this answer

Option B is correct because enabling the Microsoft.Sql service endpoint on AppSubnet allows traffic from that subnet to reach Azure SQL Database's public endpoint without requiring public IP addresses or DNS changes. Adding a virtual network rule on the SQL server restricts access exclusively to that subnet, meeting the security requirement without deploying private IPs.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, assuming private IPs are required for secure connectivity, or they mistakenly think NSG rules alone can restrict access to Azure SQL Database without considering the SQL server firewall.

How to eliminate wrong answers

Option A is wrong because a private endpoint assigns a private IP to the SQL server and requires a private DNS zone, which contradicts the requirement to not deploy private IPs or change DNS. Option C is wrong because an NSG rule allowing outbound TCP 1433 to the SQL server's public IP does not restrict inbound access to only AppSubnet; the SQL server firewall still needs to allow the subnet's public IP range, which violates the no-public-IP requirement. Option D is wrong because publishing the AppSubnet public IP address range in the SQL server firewall uses public IPs, which the security team explicitly wants to avoid, and does not leverage Azure's service endpoint for secure, private connectivity.

158
Multi-Select · medium

A backup archive must survive a regional outage, and engineers need to read the secondary copy if the primary region is unavailable. Which two redundancy options meet both requirements? Select two.

Select 2 answers
A. LRS
B. ZRS
C. GRS
D. RA-GRS
E. RA-GZRS
Answers: D, E

Correct. RA-GRS replicates data to a secondary region and allows read access from that secondary endpoint.

Why this answer

RA-GRS (Read-Access Geo-Redundant Storage) is correct because it provides geo-redundant replication (GRS) that replicates data to a secondary region, ensuring survival of a regional outage, and additionally enables read access to the secondary copy even when the primary region is unavailable. This meets both requirements: disaster recovery and read availability during primary region failure.

Exam trap

The trap here is that candidates often confuse GRS with RA-GRS, assuming that geo-redundant replication automatically provides read access to the secondary copy, but GRS requires a failover to enable reads, while RA-GRS allows reads at any time.

159
MCQ · medium

A team has Windows VMs in a subnet that need to access an Azure Storage account. The storage account should remain reachable through its public endpoint, but only traffic from that one subnet should be allowed. Which configuration best meets the requirement?

A. Create a private endpoint and disable public network access on the storage account.
B. Enable a service endpoint on the subnet and add a virtual network rule for that subnet on the storage account firewall.
C. Place the subnet behind a NAT gateway and use a shared public IP.
D. Add a VPN gateway and route storage traffic through the branch office.
Answer: B

A service endpoint lets resources in the subnet access the storage account through the service's public endpoint while presenting the subnet's Azure identity to the firewall. By adding a virtual network rule for that subnet, the storage account allows traffic from that subnet and blocks traffic from others. This satisfies the requirement to keep the public endpoint and restrict access to a single subnet.

Why this answer

Option B is correct because a service endpoint extends the virtual network private address space to the storage account, allowing traffic from the specified subnet to reach the storage account via the Azure backbone while keeping the public endpoint accessible. By adding a virtual network rule on the storage account firewall, you restrict access to only traffic originating from that subnet, meeting the requirement of allowing only that subnet through the public endpoint.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, thinking that a private endpoint is required to restrict access to a specific subnet, but service endpoints with firewall rules achieve the same goal while keeping the public endpoint accessible.

How to eliminate wrong answers

Option A is wrong because creating a private endpoint and disabling public network access would make the storage account reachable only via the private endpoint, not through its public endpoint as required. Option C is wrong because placing the subnet behind a NAT gateway and using a shared public IP does not restrict access to only that subnet; it only changes the source IP for outbound traffic, and the storage account firewall would need to allow that public IP, which could be shared with other resources. Option D is wrong because adding a VPN gateway and routing storage traffic through the branch office would force traffic to go on-premises and back, which is unnecessary and does not restrict access to only the specified subnet; it also does not leverage the storage account's public endpoint directly.

160
MCQ · medium

A user accidentally deleted a folder tree from an Azure file share. The administrator needs to restore only the deleted folders to the state they had yesterday, not roll back the whole share. Which feature should be used?

A. Restore the entire storage account from an account-level backup.
B. Use a file share snapshot and copy the needed folders back from it.
C. Enable blob versioning on the storage account and recover the folders from versions.
D. Create a shared access signature with read permissions and use it to recover the folder tree.
Answer: B

Azure Files snapshots capture point-in-time versions of a file share. By using the snapshot, the administrator can browse the earlier state and copy back only the deleted folders, which avoids restoring the entire share and minimizes impact on current data. This is the right operational recovery method when you need granular recovery of file content after accidental deletion.

Why this answer

Azure file share snapshots provide a point-in-time, read-only copy of the share. By mounting a snapshot taken yesterday, the administrator can browse the folder tree and copy only the deleted folders back to the live share, restoring them without affecting other data. This is the only option that allows granular, folder-level recovery without rolling back the entire share or storage account.

Exam trap

The trap here is that candidates confuse Azure Files with Azure Blob Storage and incorrectly assume blob versioning or blob-level features apply to file shares, or they think a SAS token can somehow restore deleted data, when in fact only file share snapshots provide the necessary point-in-time, granular recovery for Azure Files.

How to eliminate wrong answers

Option A is wrong because restoring the entire storage account from an account-level backup (e.g., Azure Backup for storage accounts) would roll back all data in all containers and file shares to the backup point, which is an all-or-nothing operation and does not support selective folder recovery. Option C is wrong because blob versioning is a feature for Azure Blob Storage, not Azure Files; file shares do not support blob versioning, and even if they did, it would apply to blobs, not SMB-accessible folders. Option D is wrong because a shared access signature (SAS) with read permissions only grants access to read data; it does not provide any recovery or rollback capability, and it cannot restore deleted folders from a previous state.

161
MCQ · medium

A records archive stores thousands of blobs that are usually read-only. The administrator wants blobs older than 90 days to move automatically to a lower-cost online tier without manual intervention. Which solution should be configured?

A. Manually change each blob tier when the archive team remembers to review it.
B. Create a blob lifecycle management policy with a rule that moves blobs after 90 days.
C. Enable object replication so the blobs are copied to another storage account.
D. Move the account to the Archive access tier and leave it there permanently.
Answer: B

A lifecycle management policy automates tier transitions based on blob age, last access time, or other conditions. In this case, the administrator can create a rule that moves blobs older than 90 days from a higher-cost tier to a lower-cost online tier, such as Cool, without manual work. This is the right control because it enforces a repeatable storage cost strategy over time.

Why this answer

Option B is correct because Azure Blob Storage lifecycle management policies allow you to define rules that automatically transition blobs to a lower-cost access tier (e.g., from Hot to Cool or from Cool to Archive) based on the age of the blob. In this scenario, a rule can be configured to move blobs older than 90 days to the Cool or Archive tier without any manual intervention, meeting the requirement for automated cost optimization.

Exam trap

The trap here is that candidates often confuse object replication (which copies data for redundancy) with lifecycle management (which changes the tier of existing blobs), or they assume that setting the entire account to Archive is equivalent to per-blob tiering, ignoring the operational impact on frequently accessed data.

How to eliminate wrong answers

Option A is wrong because manually changing each blob tier is not automated and contradicts the requirement for 'without manual intervention'; it also does not scale for thousands of blobs. Option C is wrong because object replication copies blobs to another storage account for redundancy or geo-distribution, not to change their access tier or reduce costs within the same account. Option D is wrong because moving the entire storage account to the Archive access tier is not a per-blob policy and would make all blobs immediately subject to Archive tier constraints (e.g., high retrieval costs and latency), which is inappropriate for blobs that may still be read occasionally before 90 days.

162
Matching · medium

Match each access requirement to the most appropriate Azure Storage authentication or authorization approach.

Concepts

Enable a managed identity on the VM and assign a data-plane RBAC role

User delegation SAS

Storage account key

Azure RBAC data role assignment

Why these pairings

SAS provides delegated access; Azure AD authentication uses identity; public access allows anonymous reads; RBAC controls permissions; Azure AD DS extends on-prem AD; Service SAS can include IP restrictions.

163
MCQ · medium

A finance application stores monthly invoice PDFs in Azure Blob Storage. The business wants the data to remain available if one availability zone in the region becomes unavailable, but it does not require a secondary region for read access. Which redundancy option should the administrator choose?

A. LRS, because it keeps three copies within a single datacenter and is the least expensive option.
B. ZRS, because it replicates data across zones in the same region and stays available through a zone outage.
C. GRS, because it keeps a readable copy in the paired region and is always the best choice for resilience.
D. RA-GRS, because it provides read access to the secondary region and is required for zone-level resilience.
Answer: B

ZRS stores synchronous copies across multiple availability zones in one region. That design keeps the data available if one zone becomes unavailable, while avoiding the extra complexity of a secondary region.

Why this answer

B is correct because Zone-Redundant Storage (ZRS) synchronously replicates data across three Azure availability zones within the same region, ensuring that if one zone becomes unavailable, the data remains accessible from the other zones. This meets the business requirement of staying available during a zone outage without needing a secondary region for read access.

Exam trap

The trap here is that candidates often confuse ZRS with LRS, assuming that three copies in a single datacenter (LRS) are sufficient for zone-level resilience, when in fact LRS does not span availability zones and offers no protection against a full zone outage.

How to eliminate wrong answers

Option A is wrong because LRS (Locally Redundant Storage) keeps three copies within a single datacenter, which does not protect against an entire availability zone outage—if that datacenter or zone fails, data may be lost. Option C is wrong because GRS (Geo-Redundant Storage) replicates data to a paired secondary region, which the business explicitly does not require, and it is not always the best choice for resilience due to higher cost and complexity. Option D is wrong because RA-GRS (Read-Access Geo-Redundant Storage) provides read access to the secondary region, which is unnecessary here, and it does not provide zone-level resilience within the primary region—it relies on geo-replication, not zone redundancy.

164
Multi-Select · easy

A reporting team wants a storage redundancy option that keeps a readable copy in the paired region. Which two choices provide read access to the secondary region? Select two.

Select 2 answers
A. Read-access geo-redundant storage (RA-GRS).
B. Read-access geo-zone-redundant storage (RA-GZRS).
C. Locally redundant storage (LRS).
D. Zone-redundant storage (ZRS).
E. Geo-redundant storage (GRS).
Answers: A, B

RA-GRS replicates data to a paired region and allows reads from the secondary endpoint, which supports reporting and read-only workloads.

Why this answer

Read-access geo-redundant storage (RA-GRS) is correct because it provides geo-redundant storage (GRS) with the additional capability to read from the secondary region. This ensures that if the primary region becomes unavailable, the reporting team can still access a readable copy of the data in the paired region. RA-GRS replicates data asynchronously to a secondary region and allows read access to that secondary copy at all times.

Exam trap

The trap here is that candidates often confuse geo-redundant storage (GRS) with read-access geo-redundant storage (RA-GRS), mistakenly assuming GRS automatically provides read access to the secondary region, but GRS only allows read access after a failover, not continuously.

165
MCQ · medium

A team has an existing storage account with the public endpoint enabled. They want to allow access only from a specific subnet in a virtual network, but they do not want to create a private endpoint or manage private DNS zones. Which configuration should the administrator use?

A. Enable a service endpoint for Microsoft.Storage on the subnet and add the subnet to the storage account network rules.
B. Create a private endpoint and disable the public endpoint.
C. Assign a SAS token to the subnet so only resources there can connect.
D. Use an Azure Policy assignment to block public traffic to the storage account.
Answer: A

This is the correct pattern when you want to keep using the public endpoint while restricting traffic to a specific subnet. The service endpoint identifies the subnet as trusted, and the storage account firewall can then allow that subnet explicitly. It avoids the overhead of private endpoint DNS management while still reducing exposure.

Why this answer

Option A is correct because enabling a service endpoint for Microsoft.Storage on the subnet allows traffic from that subnet to the storage account over the Azure backbone network, and then adding the subnet to the storage account's network rules restricts access to only that subnet while keeping the public endpoint enabled. This meets the requirement of not using a private endpoint or managing private DNS zones.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, thinking both require private DNS management, or mistakenly believe that a SAS token can be scoped to a network source, when in fact SAS tokens only control access to data operations, not network-level restrictions.

How to eliminate wrong answers

Option B is wrong because creating a private endpoint and disabling the public endpoint would require managing private DNS zones, which the team explicitly wants to avoid. Option C is wrong because a SAS token is a delegation mechanism that grants access to specific resources (e.g., blobs, files) via a signed URI, but it cannot restrict access to a specific subnet; it is scoped to the token holder, not the network source. Option D is wrong because Azure Policy can enforce compliance rules (e.g., deny public network access) but cannot selectively allow access from a specific subnet; it is a governance tool, not a network access control mechanism.

166
MCQ · hard

A business stores audit logs in Azure Blob Storage. The account must remain available if an entire availability zone in the primary region fails, and analysts must still be able to read the data from the paired region if the primary region becomes unavailable. Which replication option should the administrator select?

A. Zone-redundant storage (ZRS)
B. Geo-redundant storage (GRS)
C. Read-access geo-zone-redundant storage (RA-GZRS)
D. Read-access geo-redundant storage (RA-GRS)
Answer: C

RA-GZRS is the only option here that combines zone redundancy in the primary region with geo-replication to a paired region and read access to the secondary copy. That satisfies both requirements: survive a single-zone outage and still allow analysts to read from the secondary region if the primary region is unavailable.

Why this answer

C is correct because Read-access geo-zone-redundant storage (RA-GZRS) combines zone-redundancy within the primary region (surviving an entire zone failure) with geo-replication to a paired region, and crucially provides read access to the secondary region data even if the primary region is unavailable. This meets both requirements: availability during a zone failure and readable data from the paired region during a primary region outage.

Exam trap

The trap here is that candidates often confuse GRS with RA-GRS or ZRS with GZRS, failing to recognize that the requirement for both zone-failure resilience within the primary region AND read-access from the paired region uniquely points to RA-GZRS, not RA-GRS or GRS alone.

How to eliminate wrong answers

Option A is wrong because Zone-redundant storage (ZRS) only protects against a single availability zone failure within the primary region; it does not replicate data to a paired region, so analysts cannot read data from a secondary region if the primary region becomes unavailable. Option B is wrong because Geo-redundant storage (GRS) replicates data to a paired region but does not provide zone-redundancy within the primary region, so an entire zone failure in the primary region could cause data unavailability until failover occurs. Option D is wrong because Read-access geo-redundant storage (RA-GRS) provides read access to the secondary region but does not include zone-redundancy within the primary region, meaning a single zone failure in the primary region could still disrupt data access locally.

167
MCQ · medium

A lifecycle rule moved quarterly audit logs to the Archive tier. An auditor now needs one blob for an urgent investigation and wants it available for download as soon as the rehydration completes. What should the administrator do?

A. Copy the blob directly from Archive tier to the client's local disk.
B. Change the blob access tier to Hot and wait for rehydration to finish before downloading it.
C. Assign the blob a shorter retention policy so it becomes accessible automatically.
D. Move the blob to the Cool tier and attempt the download immediately.
Answer: B

Archive blobs are offline and must be rehydrated to an online tier before they can be read. Moving the blob to Hot is appropriate when rapid access is needed after rehydration completes. The administrator should expect a delay during rehydration, then the blob can be downloaded normally.

Why this answer

Option B is correct because changing the access tier of a blob from Archive to Hot initiates an asynchronous rehydration process that moves the blob data back to an online tier. Once rehydration completes, the blob becomes available for download. This is the standard method to make archived blobs accessible for immediate use.

Exam trap

The trap here is that candidates assume changing the tier to Cool allows immediate download, but they overlook that rehydration from Archive is always required and takes time, regardless of the target tier.

How to eliminate wrong answers

Option A is wrong because you cannot directly copy a blob from the Archive tier; the blob must first be rehydrated to an online tier (Hot or Cool) before any read or copy operation can succeed. Option C is wrong because retention policies (e.g., immutability or time-based retention) do not affect the accessibility of archived blobs; they only prevent deletion or modification, not rehydration. Option D is wrong because moving a blob to the Cool tier still requires rehydration from Archive, and attempting to download immediately will fail with a 409 error (BlobBeingRehydrated) until rehydration completes.

168
Matching · easy

Match each blob access method or setting to its best use case.

Provides full access to the storage account and should be protected carefully.

Grants time-limited access to specific resources and permissions.

Authorizes users or applications through Microsoft Entra ID at a chosen scope.

Allows anonymous read access when enabled for the container.

Lets an Azure-hosted app authenticate without storing credentials or secrets.

Why these pairings

Public endpoint with anonymous access is for public content. Private endpoint with managed identity provides secure VM access. SAS tokens grant time-limited restricted access.

Azure AD with RBAC centralizes identity management. Storage account key gives full admin control. Immutable storage with legal hold ensures data cannot be altered or deleted.

169
MCQ · medium

A business-critical storage account must keep data available if one availability zone fails in the primary region. It must also keep a readable copy in the paired region so administrators can verify data during disaster recovery testing before failover. Which redundancy option should be selected?

A. LRS, because it stores three copies in one datacenter and is the lowest-cost option.
B. ZRS, because it replicates data across zones in the same region but not to another region.
C. GRS, because it replicates to the paired region and supports a secondary copy for recovery.
D. RA-GZRS, because it provides zone redundancy in the primary region and read access to the secondary region.
Answer: D

RA-GZRS combines zone-redundant storage in the primary region with geo-replication to the paired region, and it also enables read access to the secondary endpoint. That combination satisfies both requirements: survive a zone failure and allow administrators to validate replicated data before a planned or unplanned failover.

Why this answer

D is correct because RA-GZRS (Read-Access Geo-Zone-Redundant Storage) provides synchronous replication across three Azure availability zones within the primary region, ensuring data remains available if one zone fails. It also asynchronously replicates data to the paired region, where a read-only copy is available for verification during disaster recovery testing without requiring a failover.

Exam trap

The trap here is that candidates often confuse GRS with RA-GZRS, assuming geo-replication alone provides both zone redundancy and readable secondary access, but GRS does not offer zone-level protection within the primary region and its secondary copy is not readable until a failover is initiated.

How to eliminate wrong answers

Option A is wrong because LRS (Locally Redundant Storage) stores three copies within a single datacenter, which does not protect against an availability zone failure or provide a secondary region copy. Option B is wrong because ZRS (Zone-Redundant Storage) replicates across zones in the same region, meeting the zone-failure requirement but failing to provide a readable copy in the paired region. Option C is wrong because GRS (Geo-Redundant Storage) replicates to the paired region but does not offer zone redundancy within the primary region, and its secondary copy is not readable unless a failover occurs.

170
MCQ · easy

A team stores application logs in an Azure Storage account. The logs must remain available if an entire Azure availability zone in the primary region has an outage, but the team does not require a secondary region copy. Which redundancy option should you choose?

A. LRS
B. ZRS
C. GRS
D. RA-GRS
Answer: B

ZRS stores data across multiple availability zones in the primary region. That provides resilience if one zone becomes unavailable, while staying within the same region.

Why this answer

Zone-redundant storage (ZRS) synchronously replicates data across three Azure availability zones within the primary region, ensuring durability even if an entire zone fails. Since the requirement explicitly states no secondary region copy is needed, ZRS is the correct choice because it provides intra-region zone-level resilience without cross-region replication.

Exam trap

The trap here is that candidates often confuse ZRS with LRS, assuming LRS provides zone-level redundancy, but LRS only protects against server rack failures within a single data center, not an entire availability zone outage.

How to eliminate wrong answers

Option A (LRS) is wrong because it replicates data only within a single data center in a single availability zone, so an entire zone outage would cause data loss. Option C (GRS) is wrong because it replicates data to a secondary region, which violates the requirement that no secondary region copy is needed. Option D (RA-GRS) is wrong because it also replicates to a secondary region and additionally provides read access to that secondary copy, again violating the no-secondary-region requirement.

171
MCQ · hard

A deployment pipeline uploads content to a blob container in Azure Storage. The pipeline authenticates with Microsoft Entra ID and must grant a partner temporary write access for 12 hours without sharing the storage account key. The access should be limited to the container only. Which access method should the administrator use?

A. Shared access key authentication
B. Account SAS
C. User delegation SAS
D. Service endpoint access with network rules only
Answer: C

User delegation SAS is generated by an identity authenticated with Microsoft Entra ID and does not require exposing the storage account key. It can be scoped tightly to the container, granted for a fixed time window, and limited to write operations. That makes it the best fit for temporary partner access.

Why this answer

A user delegation SAS is the correct choice because it uses Microsoft Entra ID credentials to sign the SAS token, providing temporary, delegated access to a specific container without exposing the storage account key. It supports granular permissions and an expiration time of up to 12 hours, meeting the partner's write access requirement while limiting access to the container only.

Exam trap

The trap here is that candidates often confuse Account SAS with user delegation SAS, not realizing that Account SAS is signed with the storage account key and thus fails the 'no key sharing' requirement, while user delegation SAS uses Microsoft Entra ID for secure, keyless delegation.

How to eliminate wrong answers

Option A is wrong because shared access key authentication requires sharing the storage account key, which violates the requirement to not share the key and does not provide temporary, granular access. Option B is wrong because an Account SAS is signed with the storage account key, which again requires sharing the key and does not leverage Microsoft Entra ID authentication. Option D is wrong because service endpoint access with network rules only controls network-level access via VNet/subnet restrictions, not identity-based authorization, and cannot grant temporary write access to a specific container without additional authentication.

172
Multi-Select · easy

A company wants a single storage account for blob containers, Azure Files shares, and blob lifecycle management rules. Which two statements about the required account are true? Select two.

Select 2 answers
A. It should be a general-purpose v2 storage account.
B. It can host both blob containers and Azure Files shares.
C. It must be a premium block blob account.
D. It cannot use lifecycle management on blobs.
E. It can store only one type of Azure Storage data service at a time.
Answers: A, B

General-purpose v2 is the standard choice for combined blob and file workloads and supports the modern storage features the company needs.

Why this answer

A general-purpose v2 (GPv2) storage account is required because it is the only account type that supports all Azure Storage data services—including blob containers and Azure Files—and also provides full support for blob lifecycle management policies. GPv2 accounts offer the lowest per-gigabyte storage prices for blobs and enable you to define rules to automatically tier or delete blobs based on age or other conditions.

Exam trap

The trap here is that candidates often assume premium storage accounts are required for performance or that a storage account can only host one service type, but GPv2 accounts are the universal choice for mixed workloads and lifecycle management.

173
MCQ · medium

Based on the exhibit, which Azure feature best meets the file-sharing requirement?

A. Azure Files only, because a cloud file share can replace every branch server share directly.
B. Azure File Sync, because it synchronizes local servers with a central Azure file share and keeps hot data cached.
C. Azure Backup, because it can restore files after a WAN outage occurs.
D. Azure NetApp Files, because it is the only service that supports SMB access from Windows servers.
Answer: B

Azure File Sync is designed for exactly this pattern. It keeps a central Azure file share while allowing local Windows Server endpoints to cache and serve frequently used files. That means branch offices can continue working during WAN interruptions, and the files later synchronize back to the cloud.

Why this answer

Azure File Sync is the correct choice because it enables hybrid file sharing by synchronizing on-premises Windows file servers with a central Azure file share, while also keeping frequently accessed (hot) data cached locally for low-latency access. This directly meets the requirement to replace branch server shares with a cloud-backed solution that maintains local performance.

Exam trap

The trap here is that candidates often confuse Azure Files (a standalone cloud file share) with Azure File Sync (a hybrid synchronization service), mistakenly thinking a cloud-only share can replace on-premises shares without addressing latency or caching needs.

How to eliminate wrong answers

Option A is wrong because Azure Files alone provides a cloud file share accessible via SMB, but it does not include local caching or synchronization with on-premises servers, so it cannot directly replace branch server shares without introducing latency for remote offices. Option C is wrong because Azure Backup is a backup and restore service, not a file-sharing or synchronization solution; it cannot provide real-time file access or replace branch server shares. Option D is wrong because Azure NetApp Files supports SMB access from Windows servers, but it is not the only service that does so (Azure Files also supports SMB), and it is designed for high-performance enterprise workloads rather than branch office file sharing with local caching.

174
MCQ · hard

You need to allow recovery of previous versions of files stored in an Azure file share after accidental modification or deletion. Which feature should you configure?

A. Blob versioning
B. Share snapshots for Azure Files
C. A shared access signature
D. Storage account failover
Answer: B

Share snapshots enable point-in-time recovery for Azure file shares.

Why this answer

Share snapshots for Azure Files capture point-in-time, read-only copies of the file share, allowing you to recover previous versions of files after accidental modification or deletion. This feature is specifically designed for Azure file shares, not for blobs, and does not require any additional infrastructure.

Exam trap

The trap here is that candidates confuse Blob versioning (which is for Azure Blob Storage) with share snapshots for Azure Files, as both provide versioning-like capabilities, but they apply to different storage services and have distinct implementations.

How to eliminate wrong answers

Option A is wrong because Blob versioning is a feature for Azure Blob Storage, not for Azure Files; it automatically retains previous versions of blobs but cannot be applied to file shares. Option C is wrong because a shared access signature (SAS) provides delegated access to storage resources but does not create or restore previous versions of files; it is a security token, not a recovery mechanism. Option D is wrong because Storage account failover is a disaster recovery feature that switches the primary region to a secondary region in the event of a regional outage; it does not provide point-in-time recovery for individual files.

175
MCQ · easy

A contractor needs temporary read-only access to a single blob container for three hours. The contractor does not have an Azure user account in your tenant. Which method is the best fit?

A. Create a new managed identity for the contractor
B. Give the contractor the storage account access key
C. Issue a shared access signature with read-only permissions and an expiration time
D. Enable anonymous public access on the container
Answer: C

A SAS token can grant limited access to one container for a specific time period. That makes it a good fit for temporary external access without exposing the storage account key.

Why this answer

A shared access signature (SAS) is the best fit because it provides time-limited, delegated access to a specific resource (a blob container) without requiring an Azure AD identity. The contractor can use the SAS URL to access the container with read-only permissions for exactly three hours, after which the token expires automatically. This meets the requirement of temporary access for an external user who does not have an Azure account in your tenant.

Exam trap

The trap here is that candidates may confuse managed identities (designed for Azure resources, not external users) with user accounts, or mistakenly think that sharing the account key is acceptable for temporary access, overlooking the severe security risk and lack of scoping.

How to eliminate wrong answers

Option A is wrong because a managed identity is an Azure AD identity for Azure resources (like VMs or App Services), not for external users; it cannot be assigned to a contractor who lacks an Azure user account. Option B is wrong because sharing the storage account access key grants full administrative access (read, write, delete) to all services in the storage account, violating the principle of least privilege and the need for read-only, container-scoped access. Option D is wrong because enabling anonymous public access on the container would allow anyone on the internet to read the blob data indefinitely, with no time restriction or authentication, which is insecure and does not meet the three-hour temporary requirement.

176
MCQ · hard

A web app in a subnet must access a storage account through the storage account's public FQDN. Access must be limited to that single subnet, and the team does not want to deploy a private endpoint or manage private DNS records. Which configuration should you use?

A. Deploy a private endpoint and private DNS zone.
B. Enable a service endpoint on the subnet and allow that subnet in the storage account network rules.
C. Add a route table that sends storage traffic to an NVA.
D. Place the storage account behind a public load balancer.
Answer: B

This keeps the public FQDN, restricts access to the subnet, and avoids private endpoint and DNS overhead.

Why this answer

Option B is correct because a service endpoint on the subnet allows the web app to access the storage account via its public FQDN while restricting access to that specific subnet. By enabling the Microsoft.Storage service endpoint on the subnet and adding the subnet's virtual network rule to the storage account's network rules, traffic from the subnet to the storage account's public endpoint is routed through the Azure backbone network, and only traffic from that subnet is permitted. This meets the requirement of limiting access without deploying a private endpoint or managing private DNS records.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, assuming that service endpoints require private IPs or DNS changes, when in fact service endpoints work with the public FQDN and only require enabling the endpoint on the subnet and configuring the storage account's network rules.

How to eliminate wrong answers

Option A is wrong because deploying a private endpoint and private DNS zone contradicts the explicit requirement to not use a private endpoint or manage private DNS records, and it would change the access method from the public FQDN to a private IP address. Option C is wrong because adding a route table that sends storage traffic to an NVA (Network Virtual Appliance) would force traffic through a third-party device, which is unnecessary and does not inherently restrict access to a single subnet; it also introduces additional complexity and potential latency. Option D is wrong because placing the storage account behind a public load balancer is not a supported configuration for Azure Storage accounts; storage accounts are accessed via their public endpoint or through service/private endpoints, and a load balancer does not provide subnet-level access control.

177
MCQ · medium

An employee accidentally deletes a critical document from an Azure file share. You need to restore only that file to its earlier state without restoring the entire share or using a vault-based backup job. Which feature should you use?

A. A file share snapshot, because it captures a point-in-time copy of the share for granular recovery.
B. A storage account access key, because it can retrieve deleted files from any share version.
C. An Azure VM snapshot, because it captures the file share state automatically.
D. A private endpoint to the file share, because it enables restore operations.
Answer: A

A snapshot is the right recovery tool when you need a point-in-time copy of an Azure file share and want to restore only a specific file. It allows granular recovery without rolling back the entire share, which keeps the impact small and the process simple. This is a common operational use of Azure Files snapshots.

Why this answer

File share snapshots are point-in-time, read-only copies of Azure file shares that allow you to recover individual files or folders without restoring the entire share. When a file is accidentally deleted, you can mount a previous snapshot, copy the deleted file from it, and restore it to the live share—no vault-based backup job or full share restore required.

Exam trap

The trap here is that candidates confuse file share snapshots with Azure Backup (vault-based recovery) or assume that access keys or private endpoints can somehow restore deleted files, when in fact only snapshots provide the granular, point-in-time restore capability for individual files.

How to eliminate wrong answers

Option B is wrong because a storage account access key provides full administrative access to the storage account but cannot retrieve deleted files from a previous version; it does not create or restore snapshots. Option C is wrong because an Azure VM snapshot captures the entire VM's disk state, not the file share data; it is unrelated to file-level recovery in Azure Files. Option D is wrong because a private endpoint secures network traffic to the file share via a private IP address but has no capability to restore deleted files or manage snapshots.

178
Multi-Select · easy

A finance team stores documents in Azure Storage. The account must survive a failure of one availability zone in the primary region and also remain available if the primary region becomes unavailable. Which two replication options meet this requirement? Select two.

Select 2 answers
A. LRS, because it keeps copies only within one datacenter and does not provide zone or geo protection.
B. ZRS, because it replicates across zones in one region but does not add secondary-region replication.
C. GZRS, because it combines zone redundancy in the primary region with geo-replication to a secondary region.
D. RA-GZRS, because it provides the same protection as GZRS and also allows read access to the secondary region.
E. RA-GRS, because it allows reading from the secondary region but does not use zone-redundant storage in the primary region.
Answers: C, D

GZRS is designed for both requirements: zone resilience in the primary region and geo-replication for regional recovery.

Why this answer

Option C (GZRS) is correct because it provides both zone-redundant storage (ZRS) within the primary region, ensuring survival of an availability zone failure, and geo-replication (GRS) to a secondary region, ensuring availability if the entire primary region becomes unavailable. This meets both requirements of the question.

Exam trap

The trap here is that candidates often overlook the requirement to survive a zone failure and focus only on regional disaster recovery, leading them to pick RA-GRS (which lacks zone redundancy) or ZRS (which lacks geo-replication).

179
MCQ · easy

A finance team stores monthly reports in Azure Blob Storage. The data must remain available if one datacenter in the Azure region fails, but the company does not need read access from a secondary region. Which redundancy option should the administrator choose?

A. Locally redundant storage (LRS)
B. Zone-redundant storage (ZRS)
C. Geo-redundant storage (GRS)
D. Read-access geo-redundant storage (RA-GRS)
Answer: B

ZRS stores replicas across availability zones in the same region, which matches this availability requirement.

Why this answer

Zone-redundant storage (ZRS) replicates data synchronously across three Azure availability zones within a single region, ensuring durability even if one datacenter (zone) fails. Since the requirement specifies no need for read access from a secondary region, ZRS meets the high-availability need without the cost or complexity of geo-replication.

Exam trap

The trap here is that candidates often choose GRS or RA-GRS because they assume any datacenter failure requires a secondary region, but ZRS within a single region is sufficient and more cost-effective when only one datacenter (zone) fails and secondary read access is not needed.

How to eliminate wrong answers

Option A is wrong because locally redundant storage (LRS) replicates data only within a single datacenter, so a full datacenter failure would cause data loss. Option C is wrong because geo-redundant storage (GRS) replicates data to a secondary region, which is unnecessary and more expensive given the requirement does not need secondary region read access. Option D is wrong because read-access geo-redundant storage (RA-GRS) adds read access to the secondary region, which is explicitly not required and incurs additional cost.

180
Multi-Select · hard

A finance application stores monthly invoice PDFs in Azure Blob Storage. The data must survive a single availability zone outage in the region, and the storage account must be reachable only through a private IP from AppSubnet. Public network access must not be available. Which three actions should the administrator take? Select three.

Select 3 answers
A. Create the storage account with zone-redundant storage (ZRS).
B. Create a private endpoint in AppSubnet for the storage account.
C. Disable public network access on the storage account.
D. Use locally redundant storage (LRS) because it stays inside one datacenter.
E. Enable a service endpoint on AppSubnet instead of using a private endpoint.
Answers: A, B, C

ZRS keeps copies across multiple availability zones in the region, so one zone outage will not interrupt access.

Why this answer

Option A is correct because Zone-Redundant Storage (ZRS) synchronously replicates data across three Azure availability zones within the same region, ensuring data durability even if one entire zone fails. This meets the requirement to survive a single availability zone outage.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, thinking a service endpoint alone provides private IP-only access, but it does not disable the public endpoint and still relies on the storage account's public DNS name.

181
MCQ · medium

An application on a VM in subnet AppSubnet must access a storage account over the public endpoint. The security team wants to allow traffic only from AppSubnet and does not want to deploy a private endpoint. What should the administrator configure?

A. Disable the storage account firewall and rely on the VM's source IP address.
B. Enable the Microsoft.Storage service endpoint on AppSubnet and allow that virtual network in the storage account firewall.
C. Create a private endpoint and leave the firewall set to allow all networks.
D. Grant the VM Contributor access to the storage account and the network rule will be enforced automatically.
Answer: B

A service endpoint extends the subnet identity to the storage service while still using the public endpoint, which matches the requirement to avoid a private endpoint. After enabling the endpoint on AppSubnet, you can allow that virtual network in the storage account firewall so only traffic from the approved subnet can reach the account. This is a common network-control pattern for Azure Storage.

Why this answer

Option B is correct because enabling a Microsoft.Storage service endpoint on AppSubnet allows traffic from that subnet to the storage account over the Azure backbone network, while still using the public endpoint. Then, configuring the storage account firewall to allow that virtual network restricts access exclusively to AppSubnet, meeting the security requirement without deploying a private endpoint.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, assuming that only private endpoints can restrict access, when in fact service endpoints combined with the storage account firewall can achieve subnet-level restriction over the public endpoint.

How to eliminate wrong answers

Option A is wrong because disabling the storage account firewall would allow all traffic from any source, violating the security requirement to restrict access only to AppSubnet; relying on the VM's source IP address is unreliable due to dynamic IPs and does not enforce subnet-level isolation. Option C is wrong because creating a private endpoint contradicts the explicit requirement to not deploy a private endpoint, and leaving the firewall set to allow all networks would bypass the intended restriction. Option D is wrong because granting the VM Contributor access to the storage account does not enforce network-level restrictions; Azure RBAC controls data plane permissions, not network access, and network rules are not automatically enforced by role assignments.

182
MCQ · medium

A Windows file server VM in Azure needs to mount an Azure file share by using existing Active Directory Domain Services credentials. The security team does not want to use storage account keys. Which authentication option should be configured for Azure Files?

A. Shared key authorization, because it is the only method supported by Azure Files.
B. Azure Files identity-based authentication using Active Directory Domain Services.
C. A user delegation SAS, because it maps the share automatically to domain accounts.
D. Anonymous access, because Windows file servers can mount Azure shares without authentication.
Answer: B

Azure Files can use AD DS-based identity authentication so Windows users and servers can access the share with domain credentials. This avoids storing or distributing storage account keys and fits the requirement to use existing directory identities.

Why this answer

Azure Files supports identity-based authentication using Active Directory Domain Services (AD DS), which allows domain-joined VMs to mount Azure file shares using existing AD credentials without exposing storage account keys. This method leverages Kerberos authentication and enables fine-grained access control via NTFS permissions, meeting the security team's requirement to avoid storage account keys.

Exam trap

The trap here is that candidates often assume Azure Files only supports shared key or SAS-based access, overlooking the identity-based authentication option that integrates with on-premises AD DS for seamless credential reuse.

How to eliminate wrong answers

Option A is wrong because Azure Files supports multiple authentication methods, including identity-based authentication via AD DS, not just shared key authorization. Option C is wrong because a user delegation SAS (shared access signature) is used for delegated access to specific resources with temporary permissions, but it does not map shares automatically to domain accounts nor does it integrate with AD DS for credential-based mounting. Option D is wrong because anonymous access is not supported for Azure file shares; mounting requires authentication, and Windows file servers cannot mount Azure shares without valid credentials.

183
Multi-Selectmedium

A team moved blob data to the Archive tier to minimize cost. They now need to restore a few files for an audit. Which two statements are true about accessing archived blobs? Select two.

Select 2 answers
A.Archived blobs can be read immediately through normal blob reads.
B.Rehydration is required before the blob can be read or copied.
C.Rehydration can target Hot or Cool access tier.
D.Archive tier provides the fastest retrieval time.
E.Changing a blob from Archive to Hot completes instantly and synchronously.
AnswersB, C

Correct. Archive blobs must be rehydrated before they become readable or available for copy operations.

Why this answer

Archived blobs are in an offline state and cannot be read or copied directly. They must first be rehydrated to an online tier (Hot or Cool) through a process that changes the blob's tier or copies it to a new online blob. This rehydration process is asynchronous and takes time, depending on the priority set.

Exam trap

The trap here is that candidates assume archived blobs can be read immediately or that tier changes are instant, confusing the Archive tier's offline state with the online Cool or Hot tiers.

184
MCQmedium

A team wants to restrict a storage account so only one Azure subnet can reach it. They do not need a private IP address, and they are fine with the storage account still using its public endpoint. Which configuration should the administrator use?

A.Create a private endpoint and disable public network access.
B.Enable a service endpoint on the subnet and allow that subnet in the storage account firewall.
C.Generate a user delegation SAS token and distribute it only to the subnet.
D.Change the redundancy setting to ZRS and enable soft delete.
AnswerB

A service endpoint extends the subnet identity to the storage service while traffic still reaches the public endpoint. Adding the subnet to the storage firewall then limits access to that subnet. This matches the requirement exactly because the team does not need a private IP, only subnet-restricted access.

Why this answer

Option B is correct because a service endpoint extends the virtual network identity to the storage account over the public endpoint, allowing the administrator to restrict access to only traffic originating from that specific subnet via the storage account firewall. This meets the requirement of using the public endpoint while limiting access to a single Azure subnet without needing a private IP address.

Exam trap

The trap here is that candidates confuse private endpoints (which require a private IP and can disable the public endpoint) with service endpoints (which keep the public endpoint but restrict access by subnet), leading them to incorrectly choose Option A.

How to eliminate wrong answers

Option A is wrong because a private endpoint assigns a private IP address to the storage account and disabling public network access removes the public endpoint, contradicting the requirement to keep the public endpoint. Option C is wrong because a user delegation SAS token grants access based on the token holder's identity and permissions, not on network source; distributing it to a subnet does not restrict access to only that subnet, as the token can be used from any network location. Option D is wrong because changing redundancy to ZRS and enabling soft delete are data protection and availability features, not network access control mechanisms, and do not restrict access to a specific subnet.

185
MCQmedium

A company stores contract PDFs in Azure Blob Storage. The application must keep working if one datacenter in the primary region has an outage, and auditors also want read-only access to the replicated data from the secondary region during a regional outage. Which redundancy option should the administrator choose?

A.LRS
B.ZRS
C.GZRS
D.RA-GZRS
AnswerD

RA-GZRS combines zone redundancy in the primary region with geo-replication and read access to the secondary endpoint.

Why this answer

RA-GZRS (Read-Access Geo-Zone-Redundant Storage) is the correct choice because it combines zone-redundant storage (ZRS) across availability zones in the primary region with geo-replication to a secondary region, and crucially enables read access to the secondary region data during a regional outage. This ensures the application remains available if one datacenter fails (via ZRS) and satisfies the auditors' requirement for read-only access to replicated data during a regional outage (via the read-access flag).

Exam trap

The trap here is that candidates often confuse GZRS with RA-GZRS, forgetting that GZRS alone does not grant read access to the secondary region during an outage; the 'RA' prefix is required to enable that read-only access.

How to eliminate wrong answers

Option A (LRS) is wrong because it replicates data only within a single datacenter, so a datacenter outage would cause data loss or unavailability, failing the requirement for continued operation. Option B (ZRS) is wrong because while it protects against a datacenter failure by replicating across availability zones in the primary region, it does not provide geo-replication to a secondary region, so auditors cannot access replicated data during a regional outage. Option C (GZRS) is wrong because although it provides geo-replication to a secondary region, it does not enable read access to the secondary region data during an outage; that requires the 'RA' (Read-Access) prefix, which is only available with RA-GZRS.

186
MCQhard

Diagnostic settings on an Azure storage account must send logs to a destination storage account that has its firewall set to deny all public network access. The team cannot create a private endpoint, but the destination service is one of the Azure services that can bypass the firewall as a trusted Microsoft service. What should the administrator enable?

A.A service endpoint on the destination storage account subnet
B.The Allow trusted Microsoft services to bypass this firewall setting
C.A shared access signature with read permission
D.A private DNS zone linked to the workspace virtual network
AnswerB

This setting is designed for supported Microsoft services that need to reach a storage account even when public network access is denied. It allows the service to deliver data without opening the firewall broadly and without requiring a private endpoint. Because the scenario explicitly says the destination is a trusted Microsoft service, this is the correct and minimal change.

Why this answer

Option B is correct because the 'Allow trusted Microsoft services to bypass this firewall' setting enables specific Azure services, such as Azure Monitor or Azure Backup, to write diagnostic logs to a storage account even when the storage account's firewall blocks all public network access. This bypass is controlled at the Azure platform level and does not require a private endpoint or public IP, making it the only viable solution when the destination storage account denies all public traffic.

Exam trap

The trap here is that candidates often confuse service endpoints (Option A) with the trusted Microsoft services bypass, mistakenly thinking a service endpoint on the source subnet can grant access, when in fact the bypass is a distinct firewall exception that does not require any virtual network integration.

How to eliminate wrong answers

Option A is wrong because a service endpoint on the destination storage account subnet would allow traffic from a specific virtual network, but the source (the storage account generating logs) is not in a subnet; service endpoints are used for client-to-service connectivity, not for service-to-service log delivery. Option C is wrong because a shared access signature (SAS) with read permission provides delegated access to a specific resource but does not bypass the storage account firewall; the firewall denies all public traffic, so SAS tokens are ineffective unless the request originates from an allowed network. Option D is wrong because a private DNS zone linked to the workspace virtual network is used for resolving private endpoint IP addresses, but the scenario explicitly states that a private endpoint cannot be created, and DNS zones do not grant network access or bypass firewall rules.

187
Multi-Selecteasy

An archived blob must be read tomorrow morning. Which two actions are required before the blob can be opened? Select two.

Select 2 answers
A.Change the blob access tier from Archive to Hot or Cool so the data becomes online again.
B.Wait for the rehydration process to finish before opening the blob in a client or portal.
C.Enable a private endpoint, because archive blobs can only be read through private connectivity.
D.Convert the storage account to GZRS, because geo-replication automatically restores archived blobs.
E.Set the container ACL to public so archived blobs can be read without rehydration.
AnswersA, B

Archived data must be moved back to an online tier before it can be read.

Why this answer

Option A is correct because an archived blob is in an offline state and must be rehydrated to the Hot or Cool tier before it can be read. Changing the access tier initiates the rehydration process, which makes the blob data online and accessible.

Exam trap

The trap here is that candidates may think archive blobs can be read directly with special network settings or permissions, but the core requirement is always rehydration to an online tier before any read operation.

188
MCQmedium

Based on the exhibit, which redundancy setting should you choose before deploying the storage account?

A.LRS, because it keeps three copies within one datacenter and is the least expensive option.
B.ZRS, because it replicates data across availability zones in the primary region.
C.GZRS, because it combines zone redundancy with geo-replication to another region.
D.RA-GZRS, because it provides zone redundancy and read access to the secondary region.
AnswerD

RA-GZRS is the only option listed that meets both business requirements. It protects the primary region with zone-redundant storage and also allows read access to the geo-replicated secondary endpoint. That means the workload can continue reading data during regional recovery scenarios while still benefiting from zone-level resiliency in the primary region.

Why this answer

RA-GZRS (Read-Access Geo-Zone-Redundant Storage) is the correct choice because the exhibit shows a requirement for read access to the secondary region in the event of a primary region outage. RA-GZRS provides zone-level redundancy within the primary region (three copies spread across availability zones) and asynchronously replicates data to a secondary region, where it is stored with LRS. The 'RA' prefix enables read access to the secondary endpoint, allowing applications to serve read requests from the secondary region even when the primary is unavailable.

Exam trap

The trap here is that candidates often confuse GZRS with RA-GZRS, assuming that geo-replication automatically provides read access to the secondary region, but only the 'RA' prefix enables that read-access capability.

How to eliminate wrong answers

Option A is wrong because LRS (Locally Redundant Storage) only keeps three copies within a single datacenter and does not provide any geo-replication or read access to a secondary region, which the exhibit requires. Option B is wrong because ZRS (Zone-Redundant Storage) replicates data across availability zones within the primary region but does not provide geo-replication to a secondary region, so it cannot satisfy the requirement for secondary region read access. Option C is wrong because GZRS (Geo-Zone-Redundant Storage) combines zone redundancy with geo-replication, but it does not enable read access to the secondary region by default; RA-GZRS would be needed for that capability, and the exhibit specifically requires read access to the secondary region.

189
Multi-Selecteasy

A records team stores blobs that are read often during the first month and then rarely accessed later, but the files must stay online the whole time. Which two access tiers should they use for the active and inactive data sets? Select two.

Select 2 answers
A.Hot, because it is optimized for frequent reads and online access to active data.
B.Cool, because it is designed for infrequent access while still keeping blobs online.
C.Archive, because it is best for data that must be opened immediately by users.
D.Premium block blob, because it is the standard tier for long-term retention and low-cost storage.
E.Cold, because it is intended for data that can stay offline until someone requests it.
AnswersA, B

Hot is the best fit for data that is accessed often and needs immediate online availability.

Why this answer

Option A is correct because the Hot access tier is optimized for frequent reads and provides low-latency online access, making it ideal for the active data set that is read often during the first month. Option B is correct because the Cool access tier is designed for infrequently accessed data that must remain online, with lower storage costs but higher access costs, perfectly matching the rarely accessed but always online requirement.

Exam trap

The trap here is that candidates often confuse the Cool tier with the Archive tier, assuming 'infrequent access' means offline, or they pick option E because its description of Cold mentions data staying offline; that description is wrong (Cold is an online tier), and in any case the question explicitly states that files must stay online the whole time.

190
MCQmedium

A media archive contains video files that are accessed only a few times per year, but they must remain online and readable immediately whenever an investigator requests them. Which blob access tier should the administrator choose to minimize storage cost?

A.Hot
B.Cool
C.Cold
D.Archive
AnswerC

Cold is intended for very infrequently accessed data that still needs to stay online and readable immediately.

Why this answer

The Cold tier is the correct choice because it provides online, immediately readable storage for data accessed only a few times per year, while offering lower storage costs than the Cool tier. Unlike the Archive tier, Cold tier data does not require a rehydration delay, ensuring instant access for investigators.

Exam trap

The trap here is that candidates often confuse the Archive tier's 'immediate online access' with its actual requirement for rehydration, leading them to choose Archive for cost savings without considering the access latency constraint.

How to eliminate wrong answers

Option A is wrong because the Hot tier is optimized for frequent access (multiple times per month) and has the highest storage cost, making it unsuitable for rarely accessed data. Option B is wrong because the Cool tier is designed for data accessed infrequently (about once per month) and has higher storage costs than Cold tier, leading to unnecessary expense for data accessed only a few times per year. Option D is wrong because the Archive tier requires a rehydration process (taking up to 15 hours) before data can be read, violating the requirement that files remain 'online and readable immediately' upon request.

191
MCQmedium

You plan to store backup files that are written once per week and are rarely accessed except during an audit. The company wants the lowest storage cost but still needs online access within hours, not days. Which blob access tier should you choose?

A.Hot
B.Cool
C.Archive
D.Premium
AnswerB

Cool is appropriate for infrequently accessed data that still needs to remain online.

Why this answer

The Cool tier is the correct choice because it is designed for data that is infrequently accessed and stored for at least 30 days, offering lower storage costs than Hot while still providing millisecond latency for online access. Since backups are written once per week and rarely accessed except during an audit, Cool tier meets the requirement of online access within hours at the lowest storage cost among the online tiers.

Exam trap

The trap here is that candidates often choose Archive for the lowest storage cost without considering the rehydration time requirement, mistakenly assuming 'online access within hours' is satisfied by Archive's standard rehydration priority of up to 15 hours.

How to eliminate wrong answers

Option A is wrong because the Hot tier has the highest storage cost and is optimized for frequent access, which does not align with the rarely accessed backup data. Option C is wrong because the Archive tier, while having the lowest storage cost, requires a rehydration process that can take up to 15 hours to make data accessible online, violating the requirement of access within hours. Option D is wrong because the Premium tier is designed for high-performance workloads with low latency and high transaction costs, making it unnecessarily expensive for backup files that are rarely accessed.

192
MCQhard

Your company stores departmental documents in an Azure file share. Users need to be able to recover previous versions of files that were deleted or modified accidentally. You need a solution that supports recovery at the file share level without deploying additional virtual machines. What should you configure?

A.Enable blob versioning.
B.Configure Azure File Sync cloud tiering.
C.Create share snapshots for the Azure file share.
D.Enable immutable blob storage.
AnswerC

Share snapshots provide point-in-time recovery for Azure Files without adding extra infrastructure.

Why this answer

Option C is correct because Azure file share snapshots provide point-in-time, read-only copies of the entire file share, allowing users to recover previous versions of files that were deleted or modified accidentally. This feature operates at the file share level without requiring any additional virtual machines, making it a straightforward and cost-effective solution for version recovery.

Exam trap

The trap here is that candidates often confuse blob versioning (a Blob Storage feature) with file share snapshots (an Azure Files feature), or they mistakenly think cloud tiering or immutable storage can serve as a version recovery mechanism, when in fact they serve entirely different purposes.

How to eliminate wrong answers

Option A is wrong because blob versioning is a feature of Azure Blob Storage, not Azure Files; it cannot be applied to an Azure file share. Option B is wrong because Azure File Sync cloud tiering is designed to optimize storage by caching frequently accessed files locally and tiering cold data to the cloud, not for providing version recovery capabilities. Option D is wrong because immutable blob storage is used to prevent data from being deleted or modified for a specified retention period (WORM policy), which does not support recovery of previous versions after accidental deletion or modification.

193
MCQhard

A legal department keeps signed contract scans in a blob container. The files are almost never opened, but when a reviewer requests one, it must be available later the same day and then stay online for about three days while the review is completed. The team wants the lowest ongoing storage cost during that review window. What should the administrator do?

A.Leave the blob in Archive and download it directly when needed
B.Rehydrate the blob to the Cool tier with standard priority
C.Copy the blob to the Hot tier permanently before the review starts
D.Change the storage account replication to GZRS to make archived data readable
AnswerB

Rehydrating to Cool makes the blob online again while keeping read costs lower than Hot for a short-term review period. Standard priority is appropriate when the request can wait several hours and does not require expedited restoration. This choice balances availability and cost for a blob that will be accessed briefly and infrequently.

Why this answer

Option B is correct because rehydrating the blob from Archive to the Cool tier with standard priority meets the requirement of making the file available later the same day (standard priority rehydration completes within 1–15 hours) and provides the lowest ongoing storage cost during the three-day review window, as Cool tier is cheaper than Hot tier for data that is infrequently accessed.

Exam trap

The trap here is that candidates may think Archive blobs can be directly downloaded or that changing replication settings makes archived data accessible, but in reality, Archive blobs must be explicitly rehydrated to an online tier before any read operation is possible.

How to eliminate wrong answers

Option A is wrong because downloading a blob directly from the Archive tier is not possible; the blob must first be rehydrated (changed to an online tier like Cool or Hot) before it can be read or downloaded. Option C is wrong because copying the blob to the Hot tier permanently incurs higher storage costs than necessary; the Cool tier is sufficient for the three-day review window and costs less. Option D is wrong because changing the storage account replication to GZRS does not make archived data readable; GZRS provides geo-redundancy for online tiers, but Archive blobs remain offline and must be rehydrated regardless of replication setting.

194
MCQhard

An analytics team keeps quarterly telemetry exports in Azure Blob Storage. The files are accessed only a few times per year, but when they are needed they must remain online and immediately readable without any rehydration delay. Which access tier should you use?

A.Hot, because it is optimized for frequent reads and writes.
B.Cool, because it is designed for infrequently accessed data that still stays online.
C.Cold, because it is intended for rarely accessed online data with lower storage cost.
D.Archive, because it is the cheapest tier and can be opened directly in the portal.
AnswerC

Cold is the best match because the data must remain online and readable immediately, yet is accessed only a few times per year. That makes Archive inappropriate because Archive requires rehydration before reading. Cold gives the team an online tier with lower storage cost than the hotter tiers, while preserving immediate access when an analyst needs the files.

Why this answer

The Cold tier is designed for data that is rarely accessed but must remain online with immediate read access, offering lower storage costs than Cool or Hot tiers while avoiding the rehydration delay of Archive. The scenario specifies files are accessed only a few times per year but must be immediately readable without any rehydration delay, which matches Cold tier's purpose of providing online access with no latency for infrequent reads.

Exam trap

The trap here is that candidates confuse 'rarely accessed' with 'Archive tier,' forgetting that Archive requires rehydration and is not immediately readable, while Cold tier provides online access with lower storage cost for data accessed only a few times per year.

How to eliminate wrong answers

Option A is wrong because the Hot tier is optimized for frequent reads and writes, which would incur higher storage costs for data accessed only a few times per year. Option B is wrong because the Cool tier is designed for infrequently accessed data (typically accessed every 30 days or so), but its storage cost is higher than Cold, making it suboptimal for quarterly access patterns. Option D is wrong because the Archive tier, while cheapest, requires rehydration (taking hours) before data can be read, violating the requirement for immediate readability without delay.

195
MCQmedium

An application team plans to store block blobs for application logs, lifecycle them to cooler tiers over time, and use Azure Monitor diagnostic exports from several Azure resources into the same storage account. They also want access tier controls and general-purpose features in one place. Which storage account type should the administrator create?

A.BlobStorage account, because it is optimized for storing only unstructured blobs.
B.StorageV2 general-purpose account, because it supports blobs, tiering, and broad Azure integrations.
C.FileStorage account, because it supports any Azure diagnostic data format and access tiers.
D.BlockBlobStorage account, because it is required whenever logs are exported from Azure Monitor.
AnswerB

A StorageV2 account is the standard choice when you need blob capabilities, access tiers, lifecycle policies, and broad service integration. It supports common operational tasks without limiting the team to a specialized storage type.

Why this answer

A StorageV2 general-purpose account (B) is the correct choice because it supports block blobs, lifecycle management policies for tiering to cool, cold, and archive tiers, and integrates seamlessly with Azure Monitor diagnostic exports. Unlike specialized accounts, StorageV2 provides a unified platform for blobs, files, queues, and tables, meeting the team's need for access tier controls and general-purpose features in one place.

Exam trap

The trap here is that candidates often assume any blob-specific account (like BlobStorage or BlockBlobStorage) is sufficient for diagnostic exports, but Azure Monitor requires a general-purpose v2 account to properly create the necessary containers and support lifecycle management policies.

How to eliminate wrong answers

Option A is wrong because a BlobStorage account is a legacy account type that lacks support for Azure Monitor diagnostic exports and does not offer the full set of general-purpose features like queues or tables. Option C is wrong because a FileStorage account is optimized exclusively for Azure Files SMB shares and does not support blob storage, access tiers, or diagnostic log exports. Option D is wrong because a BlockBlobStorage account is a premium-performance account for low-latency workloads and does not support lifecycle management policies or the broad Azure integrations required for diagnostic exports.

196
Matchingeasy

Match each Azure Storage redundancy option to the best description.

Pairings (answers revealed)

LRS: Stores three copies of data within one Azure datacenter.

ZRS: Stores copies across multiple availability zones in one region.

GRS: Replicates data to a secondary region, but the secondary copy is not readable.

RA-GRS: Replicates data to a secondary region and allows read access to that secondary copy.

GZRS: Combines zone redundancy in the primary region with geo-replication to a secondary region.

RA-GZRS: Combines zone redundancy and geo-replication, with readable access to the secondary region.

Why these pairings

Each redundancy option provides increasing durability and availability: LRS is lowest cost, ZRS protects against zone failure, GRS adds geo-replication, RA-GRS allows read from secondary, GZRS combines zone and geo, RA-GZRS adds read access to secondary.

197
MCQhard

A Windows VM and a Linux VM in the same on-premises Active Directory Domain Services domain must mount the same Azure Files share over SMB. Security policy forbids storage account keys and long-lived SAS tokens. What should the administrator configure?

A.Use Azure Files with Active Directory Domain Services authentication and grant permissions to the required AD group.
B.Use a private endpoint and rely on network isolation instead of authentication.
C.Use the storage account access key because SMB requires shared-key authentication.
D.Use Azure Files NFS authentication because Linux and Windows workloads can both mount it.
AnswerA

This provides Kerberos-based domain authentication for SMB access without using storage keys or SAS. Both Windows and Linux clients can mount the share when they are domain joined and the share permissions are assigned correctly.

Why this answer

Option A is correct because Azure Files supports identity-based authentication over SMB using on-premises Active Directory Domain Services (AD DS). By enabling AD DS authentication for the storage account and granting share-level permissions to an AD group that includes both the Windows and Linux VMs, the administrator can mount the Azure Files share without using storage account keys or SAS tokens. This satisfies the security policy while allowing SMB access from both operating systems.

Exam trap

The trap here is that candidates may assume NFS is the only cross-platform option for Linux and Windows, overlooking that Azure Files SMB with AD DS authentication supports both operating systems when domain-joined.

How to eliminate wrong answers

Option B is wrong because a private endpoint provides network isolation but does not replace authentication; the share still requires an authentication mechanism such as AD DS, keys, or SAS tokens. Option C is wrong because using the storage account access key violates the security policy that explicitly forbids storage account keys and long-lived SAS tokens. Option D is wrong because Azure Files NFS does not support SMB protocol; NFS and SMB are different protocols, and the question specifies SMB mounting, so NFS authentication is irrelevant.

198
MCQmedium

A development team stores build artifacts in Azure Blob Storage. The artifacts must remain available if one datacenter in the Azure region fails, but the business does not want to pay for replication to another region. Which redundancy option should the administrator select?

A.LRS, because it keeps multiple copies in the same zone and is the cheapest option.
B.ZRS, because it distributes copies across availability zones within the same region.
C.GRS, because it keeps the workload available in two regions at all times.
D.RA-GRS, because it provides zone redundancy and read access in the secondary region.
AnswerB

ZRS is the right choice when you want resilience to a datacenter or zone failure within a region without paying for geo-replication. It stores copies across multiple availability zones, which improves availability while keeping the data in a single region. That matches the requirement to stay regional but survive a datacenter outage.

Why this answer

B is correct because Zone-Redundant Storage (ZRS) synchronously replicates data across three Azure availability zones within the same region, ensuring durability even if one entire datacenter (zone) fails. This meets the requirement of intra-region resilience without incurring the cost of geo-replication to another region.

Exam trap

The trap here is that candidates often confuse ZRS with LRS, thinking LRS provides zone-level redundancy because it uses three copies, but LRS copies are within a single datacenter, not across zones.

How to eliminate wrong answers

Option A is wrong because Locally Redundant Storage (LRS) replicates data three times within a single physical datacenter (one zone), so a full datacenter failure would cause data loss. Option C is wrong because Geo-Redundant Storage (GRS) replicates to a paired secondary region, which violates the requirement to avoid paying for cross-region replication. Option D is wrong because Read-Access Geo-Redundant Storage (RA-GRS) also replicates to a secondary region (like GRS) and adds read access there; it is not a zone-redundant option and incurs cross-region costs.

199
MCQhard

A legal department keeps evidence files in Azure Blob Storage. The files are accessed only a few times per year, but they must stay online and be immediately readable when requested. The team wants the lowest-cost online tier and does not want a rehydration step. Which tier should you choose?

A.Hot, because it prioritizes immediate access over storage cost.
B.Cool, because it is an online tier for infrequent access.
C.Cold, because it keeps data online and is intended for rarely accessed content.
D.Archive, because it has the lowest cost and can be opened instantly from the portal.
AnswerC

Cold is the right tier because the files must remain immediately readable and cannot be placed into an offline state. The scenario says the data is accessed only a few times per year, so a lower-cost online tier is appropriate. Archive would introduce rehydration delay, which the business explicitly does not want. Cold preserves online availability while reducing storage cost compared with hotter tiers.

Why this answer

The Cold tier is the correct choice because it is an online tier designed for rarely accessed data that must remain immediately readable without a rehydration step. It offers lower storage costs than Hot or Cool while still providing instant access, meeting the requirement for the lowest-cost online tier.

Exam trap

The trap here is that candidates confuse 'lowest cost' with the Archive tier, forgetting that Archive is offline and requires a rehydration step, which violates the requirement for immediate readability without a rehydration step.

How to eliminate wrong answers

Option A is wrong because the Hot tier, while providing immediate access, has the highest storage cost and is intended for frequently accessed data, not the lowest-cost online option. Option B is wrong because the Cool tier is an online tier for infrequent access but has higher storage costs than Cold and is optimized for data accessed more than a few times per year. Option D is wrong because the Archive tier, although the lowest-cost, is an offline tier that requires a rehydration step (which can take hours) before data is readable, violating the requirement for immediate readability without a rehydration step.

200
Multi-Selecthard

A finance archive stores critical blobs in an Azure region that supports availability zones. The data must survive a single zone failure and also remain available if the primary region becomes unavailable. The team does not need a read-only endpoint in the secondary region during normal operations. Which two redundancy models satisfy the requirement? Select two.

A.LRS
B.ZRS
C.GRS
D.GZRS
E.RA-GZRS
AnswersD, E

GZRS combines zone redundancy in the primary region with geo-replication to the paired region, meeting both resilience goals. RA-GZRS uses the same replication and additionally exposes a read-only endpoint in the secondary region; that endpoint is not required here, but it does not disqualify the option.

Why this answer

D (GZRS) is correct because it combines zone-redundant storage (ZRS) within the primary region to survive a single zone failure with geo-redundancy (GRS) to replicate data asynchronously to a secondary region, ensuring availability if the primary region becomes unavailable. Since the team does not need a read-only endpoint in the secondary region during normal operations, GZRS (which does not provide read access to the secondary region unless a failover occurs) meets the requirement without the extra cost or feature of RA-GZRS.

Exam trap

The trap here is that candidates often confuse GZRS with RA-GZRS, assuming that geo-redundancy always provides read access to the secondary region, or they overlook that ZRS alone cannot handle a regional outage, leading them to incorrectly select ZRS or GRS instead of the correct combination of zone and geo redundancy.

201
MCQeasy

Before changing a managed data disk on a production VM, you want a point-in-time copy that you can keep and restore later if needed. What should you create?

A.A managed disk snapshot
B.An availability set
C.A load balancer backend pool
D.A resource lock
AnswerA

A snapshot captures a point-in-time copy of a managed disk. It is the right choice when you want a recoverable copy before making changes. You can create it for an OS disk or data disk and use it later to restore or create a new disk if the original change does not work as expected.

Why this answer

A managed disk snapshot captures a point-in-time, read-only copy of a managed disk. You can use it to restore the VM to that exact state by creating a new disk from the snapshot and attaching it to the VM. Snapshots are independent of the source disk's lifecycle, so you can keep them indefinitely for backup or recovery purposes.

Exam trap

The trap here is that candidates may confuse a resource lock (which protects against deletion but does not create a copy) with a backup mechanism, or think an availability set provides data redundancy, when in fact only a snapshot or backup service captures a point-in-time copy of the disk.

How to eliminate wrong answers

Option B is wrong because an availability set is a logical grouping of VMs that provides high availability by distributing them across fault domains and update domains; it does not create a point-in-time copy of a disk. Option C is wrong because a load balancer backend pool defines the set of VMs or instances that receive traffic from the load balancer; it has nothing to do with disk backups or snapshots. Option D is wrong because a resource lock prevents accidental deletion or modification of a resource at the Azure Resource Manager level; it does not create a copy of the disk data.

202
MCQhard

A legacy application still authenticates to Azure Blob Storage by using the account key. Security now requires preventing any new requests that use shared key authorization, while leaving the storage account itself and Microsoft Entra-based access unchanged. Which setting should the administrator enable?

A.Rotate the storage account keys every 24 hours
B.Disable shared key access on the storage account
C.Require secure transfer for the storage account
D.Create a private endpoint for the storage account
AnswerB

This blocks requests authenticated with account keys while still allowing identity-based access paths.

Why this answer

Option B is correct because disabling shared key access on the storage account enforces that all incoming requests must use Microsoft Entra ID (formerly Azure AD) authorization instead of the account key. This directly meets the security requirement to block new requests using shared key authorization while leaving the storage account itself and Entra-based access unchanged. The setting is available under the storage account's Configuration blade as 'Allow storage account key access'.

Exam trap

The trap here is that candidates often confuse disabling shared key access with rotating keys or enabling secure transfer, not realizing that only disabling shared key access actually blocks the authorization method itself, while the other options address key freshness or transport encryption, not authorization.

How to eliminate wrong answers

Option A is wrong because rotating keys every 24 hours does not prevent new requests using shared key authorization; it only changes the key value periodically, which still allows key-based access. Option C is wrong because requiring secure transfer enforces HTTPS for all requests but does not restrict the authorization method; shared key access remains possible over HTTPS. Option D is wrong because creating a private endpoint restricts network access to the storage account via a private IP in a virtual network, but it does not block shared key authorization; requests using the account key can still be sent through the private endpoint.

203
MCQhard

A contractor needs to upload files into one blob container for six hours. The administrator must avoid sharing the storage account key, and the access token should keep working even if the storage account keys are rotated later. Which access mechanism should be issued?

A.An account SAS signed with the storage account key
B.A service SAS signed with the storage account key
C.A user delegation SAS signed through Microsoft Entra authentication
D.The storage account access key itself in a temporary script variable
AnswerC

User delegation SAS avoids exposing the account key and is signed with identity-based authorization.

Why this answer

A user delegation SAS is signed with Microsoft Entra credentials rather than the storage account key, so it remains valid even if the storage account keys are rotated. This meets the requirement to avoid sharing the account key while providing temporary, scoped access for exactly six hours. The contractor can upload files without the administrator exposing the account key or needing to manage key rotation.

Exam trap

The trap here is that candidates often confuse service SAS and user delegation SAS, assuming both are tied to the account key, but only service SAS is; user delegation SAS uses Entra ID and survives key rotation.

How to eliminate wrong answers

Option A is wrong because an account SAS is signed with the storage account key, so if the key is rotated, the SAS token becomes invalid, and it also exposes the key indirectly. Option B is wrong because a service SAS is also signed with the storage account key, making it subject to key rotation invalidation and still relying on the account key. Option D is wrong because sharing the storage account access key itself directly violates the requirement to avoid sharing the key, and it provides full, unrestricted access to the entire storage account, not just the blob container.

204
MCQmedium

An on-premises application connects to Azure through an existing site-to-site VPN. The application must access an Azure Blob Storage account over a private IP, and the storage account must not accept public network traffic. Which configuration should the administrator deploy?

A.A service endpoint on the on-premises network and a storage account firewall exception.
B.A private endpoint for the storage account in an Azure VNet reachable through the VPN.
C.A NAT gateway on the subnet that hosts the storage account.
D.An application security group applied to the storage account.
AnswerB

A private endpoint gives the storage account a private IP address inside a VNet. Because the on-premises network already reaches Azure through a site-to-site VPN, on-prem clients can reach that private IP over the encrypted tunnel, provided DNS is also configured to resolve the private name correctly. This satisfies both goals: private connectivity and no public network access to the storage account.

Why this answer

Option B is correct because a private endpoint assigns the storage account a private IP from an Azure VNet, making it accessible over the site-to-site VPN without traversing the public internet. This satisfies the requirement for private IP access and allows the storage account to block all public network traffic by disabling public network access in the firewall settings.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, assuming both provide private IP access, but only private endpoints remove the public endpoint entirely, which is necessary when public network access must be disabled.

How to eliminate wrong answers

Option A is wrong because a service endpoint does not assign a private IP to the storage account; it only extends the VNet identity to the service, and the storage account still uses a public endpoint, which conflicts with the requirement to not accept public network traffic. Option C is wrong because a NAT gateway provides outbound internet connectivity for a subnet, not inbound private access to a storage account, and it does not affect the storage account's public endpoint. Option D is wrong because an application security group (ASG) is a network security group (NSG) filter for VMs or NICs, not a resource that can be applied to a storage account to control network access.

205
Multi-Selecthard

A user deleted a nested folder tree from an Azure file share yesterday. Other folders in the share were updated after the deletion and must not be rolled back. Which two actions should the administrator take? Select two.

A.Restore the entire file share from the latest snapshot.
B.Open a snapshot taken before the deletion.
C.Copy only the deleted folder tree back into the live share.
D.Convert the file share to the Hot access tier.
E.Delete the newer folders so the share matches the snapshot exactly.
AnswersB, C

A snapshot from before the deletion contains the missing folder tree in its prior state and is the correct recovery source.

Why this answer

Option B is correct because Azure file share snapshots provide a point-in-time, read-only copy of the entire share. By opening a snapshot taken before the deletion, the administrator can browse the exact folder tree as it existed at that time. Option C is correct because the administrator can copy only the deleted folder tree from the snapshot back into the live share, leaving all other folders (including those updated after the deletion) intact.

Exam trap

The trap here is that candidates often assume the only way to recover deleted data is to restore the entire share from a snapshot, overlooking the ability to mount the snapshot and perform a granular copy of only the deleted items.

206
MCQhard

A team needs one Azure Files share that can be mounted by both Windows and Linux VMs. The VMs are joined to the same on-premises Active Directory Domain Services domain, and the security team forbids storage account keys. The team also wants to manage access with existing AD group memberships. What should the administrator configure?

A.Use Azure Files over SMB and enable AD DS authentication
B.Use a blob container and mount it through the Blob API
C.Use anonymous access on an Azure File share
D.Use a premium NFS file share with a shared access signature
AnswerA

Azure Files over SMB supports both Windows and Linux clients, and AD DS authentication lets the team use existing domain identities and groups instead of storage keys. This keeps permissions centralized and avoids embedding secrets in scripts or mount commands. It is the most appropriate choice when both operating systems must share the same file data and access control should come from the established directory service.

Why this answer

Option A is correct because Azure Files supports SMB protocol, which can be mounted by both Windows and Linux VMs. By enabling AD DS authentication, the administrator can use existing on-premises Active Directory group memberships to control access to the file share without requiring storage account keys, satisfying the security team's requirement.

Exam trap

The trap here is that candidates may confuse NFS with SMB, assuming NFS is the only option for Linux, but Azure Files supports SMB for both Windows and Linux, and AD DS authentication is only available for SMB shares, not NFS.

How to eliminate wrong answers

Option B is wrong because a blob container accessed via the Blob API does not support SMB mounting and cannot be mounted as a file system by both Windows and Linux VMs; it is designed for object storage, not file sharing. Option C is wrong because anonymous access on an Azure File share would bypass authentication entirely, violating the security team's requirement to manage access with AD group memberships and forbidding storage account keys. Option D is wrong because a premium NFS file share does not support AD DS authentication; it relies on network-level security or export policies, and shared access signatures (SAS) are not supported for NFS shares, making it incompatible with the requirement to use existing AD group memberships.

207
MCQeasy

Based on the exhibit, what should the administrator configure to meet the storage access requirement?

A.Enable the Microsoft.Storage service endpoint on AppSubnet and allow that subnet on the storage account.
B.Create a private endpoint and disable all public network access.
C.Create a VPN gateway between the subnet and the storage account.
D.Attach a NAT gateway to the subnet and add a route table entry.
AnswerA

A service endpoint lets the subnet reach the storage service over the Azure backbone while the storage account still uses its public endpoint. Combined with the storage account's network rules, access can be restricted to AppSubnet only.

Why this answer

Option A is correct because enabling the Microsoft.Storage service endpoint on AppSubnet allows traffic from that subnet to be routed directly to the storage account over the Azure backbone network, bypassing the internet. By then configuring the storage account firewall to allow access only from that subnet, the administrator ensures that only resources within AppSubnet can access the storage account, meeting the requirement for restricted access.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, assuming private endpoints are always required for secure access, when in fact service endpoints are simpler and sufficient for scenarios where only subnet-level restriction is needed without full network isolation.

How to eliminate wrong answers

Option B is wrong because creating a private endpoint assigns the storage account a private IP address within the virtual network, but disabling all public network access would block any traffic not originating from the private endpoint, which is overly restrictive and not required by the scenario. Option C is wrong because a VPN gateway is used for site-to-site or point-to-site connectivity between on-premises networks and Azure, not for connecting a subnet to a storage account within the same region. Option D is wrong because a NAT gateway provides outbound internet connectivity for a subnet, and adding a route table entry does not restrict inbound access to the storage account; it only controls traffic routing, not access control.

208
Multi-Selectmedium

A data-processing app reads blobs immediately after upload, and operations do not want any rehydration delay. Which three access tiers can be read directly? Select three.

A.Hot
B.Cool
C.Cold
D.Archive
E.Premium
AnswersA, B, C

Hot, Cool, and Cold blobs all remain online and can be read immediately without a restore (rehydration) operation.

Why this answer

The Hot, Cool, and Cold access tiers are designed for online data access, meaning blobs stored in these tiers can be read immediately without any rehydration delay. This is because the data is always stored on high-throughput, low-latency media and is immediately available for read operations. In contrast, the Archive tier requires a rehydration process (which can take hours) before data can be accessed, making it unsuitable for scenarios where blobs must be read immediately after upload.

Exam trap

The trap here is that candidates often confuse the Cold tier with the Archive tier, assuming Cold also requires rehydration, or they mistakenly think the Premium tier is an access tier like Hot/Cool/Cold, when in fact it is a performance tier for premium block blob accounts and not a blob-level access tier.

209
MCQhard

A storage account has public network access disabled. A VM in VNet-Prod must reach Blob storage by using the storage account name, but nslookup from the VM still returns the public endpoint address. What should the administrator do?

A.Enable a service endpoint for Microsoft.Storage on the subnet and keep public network access disabled.
B.Create a private endpoint for the blob service and link the private DNS zone to VNet-Prod.
C.Add an inbound NSG rule that allows TCP 443 from the VM to the storage account.
D.Turn on the trusted Microsoft services exception for the storage account firewall.
AnswerB

A private endpoint gives Blob storage a private IP in the virtual network, and the private DNS zone ensures the storage account name resolves to that private address. Both pieces are required when public access is disabled and clients must connect by name.

Why this answer

Option B is correct because the VM's nslookup returns the public endpoint address, indicating that DNS resolution is not pointing to the private IP of the storage account. Creating a private endpoint for the blob service assigns a private IP from the VNet-Prod subnet to the storage account, and linking a private DNS zone (privatelink.blob.core.windows.net) to VNet-Prod ensures that DNS queries from the VM resolve the storage account name to that private IP, bypassing the public endpoint entirely.

Exam trap

The trap here is that candidates confuse service endpoints (which only provide source IP preservation and routing over the Azure backbone) with private endpoints (which provide a private IP and DNS resolution change), leading them to choose Option A incorrectly.

How to eliminate wrong answers

Option A is wrong because enabling a service endpoint for Microsoft.Storage on the subnet does not change DNS resolution; it only routes traffic to the public IP of the storage service via the Azure backbone, but nslookup would still return the public endpoint address, not a private IP. Option C is wrong because adding an inbound NSG rule allowing TCP 443 from the VM to the storage account is irrelevant—the issue is DNS resolution, not network security; the VM can already reach the public endpoint if allowed, but the goal is to use the storage account name with a private IP. Option D is wrong because turning on the trusted Microsoft services exception allows specific Azure services (e.g., Azure Backup) to bypass the firewall, but it does not change DNS resolution or provide a private IP for the VM to connect via the storage account name.

210
Matchingmedium

Match each workload requirement to the Azure storage account kind that best fits it.


Concepts

General-purpose v2

FileStorage

BlockBlobStorage

BlobStorage

Why these pairings

Each storage account kind is tailored to a particular workload: General-purpose v2 is the default for most workloads, BlockBlobStorage is the premium kind for high-throughput block blob workloads, FileStorage is the premium kind for file shares, and BlobStorage is the legacy blob-only kind.

211
MCQmedium

You need to give a third-party auditor temporary read-only access to specific blobs in a container without sharing the storage account keys. Which feature should you use?

A.A storage account key
B.A shared access signature (SAS)
C.A resource lock
D.Blob versioning
AnswerB

A SAS provides scoped, time-limited access without exposing the account keys.

Why this answer

A shared access signature (SAS) is the correct choice because it provides delegated, time-limited, and permission-restricted access to specific Azure Storage resources—in this case, blobs—without exposing the storage account keys. You can generate a service-level SAS token scoped to individual blobs with read-only permissions and an expiration time, allowing the auditor to access only the required blobs. This meets the requirement for temporary, read-only access while maintaining security and granular control.

Exam trap

The trap here is that candidates often confuse resource locks (which prevent deletion) with access control mechanisms, or mistakenly think blob versioning provides access delegation, when in fact only SAS tokens offer granular, time-bound, and keyless access to specific blobs.

How to eliminate wrong answers

Option A is wrong because sharing a storage account key grants full administrative access to the entire storage account, including all containers, blobs, and operations, which violates the principle of least privilege and is not temporary or read-only. Option C is wrong because a resource lock prevents accidental deletion or modification of resources at the subscription, resource group, or resource level, but it does not provide any form of delegated access or authentication to data within a storage account. Option D is wrong because blob versioning maintains previous versions of blobs for data protection and recovery, but it does not grant access permissions or control who can read specific blobs.

212
MCQeasy

A storage account should accept requests only from a specific virtual network subnet in Azure. The team does not want traffic to reach the public endpoint from the internet. What should the administrator configure?

A.Enable anonymous blob access
B.Add a storage network rule for the subnet or use a private endpoint
C.Move the container to the Archive tier
D.Assign the Contributor role to the subnet
AnswerB

Network rules can restrict access to allowed virtual network locations, and a private endpoint can place the service behind a private IP. Either approach supports controlled connectivity instead of internet exposure.

Why this answer

Option B is correct because Azure storage accounts can restrict access to specific virtual network subnets using service endpoints or private endpoints. A storage network rule for the subnet allows traffic only from that subnet, while a private endpoint maps the storage account to a private IP in the VNet, completely bypassing the public endpoint. This ensures no internet traffic reaches the public endpoint, meeting the requirement.

Exam trap

The trap here is that candidates often confuse network-level access controls (like service endpoints or private endpoints) with RBAC roles or storage tier changes, mistakenly thinking that assigning a role or changing a tier can restrict network traffic.

How to eliminate wrong answers

Option A is wrong because enabling anonymous blob access allows public read access to containers and blobs without authentication, which would allow internet traffic to reach the public endpoint, contrary to the requirement. Option C is wrong because moving a container to the Archive tier changes the storage tier for cost optimization, not access control; it does not restrict network access or block internet traffic. Option D is wrong because assigning the Contributor role to the subnet grants Azure RBAC permissions for management operations, not network-level access control; it does not restrict traffic to the public endpoint.

213
MCQmedium

A compliance team keeps signed contract scans in Azure Blob Storage. The files are usually read only a few times per year, but when a reviewer needs one, it must be available immediately without waiting for rehydration. Which access tier should the administrator use?

A.Hot, because it is optimized for frequent access and immediate retrieval.
B.Cool, because it is online and suited to infrequent access while remaining immediately readable.
C.Archive, because it is the lowest-cost option and can still be read instantly.
D.Cold, because it is designed for infrequently accessed data and remains online for immediate reads.
AnswerD

Cold is the best fit for data that is rarely read but must still be available immediately when needed. It keeps the blob online, unlike Archive, so there is no waiting for rehydration. This makes it suitable for compliance documents or records that are accessed occasionally but must open quickly during reviews.

Why this answer

The Cold access tier is designed for data that is infrequently accessed but must remain online and immediately readable without any rehydration delay. Since the compliance team needs instant access to contract scans when requested, Cold tier provides low-cost storage while keeping data online, unlike Archive which requires rehydration.

Exam trap

The trap here is that candidates often confuse 'lowest cost' (Archive) with 'immediate availability,' forgetting that Archive requires a rehydration process that can take hours, making it unsuitable for on-demand access.

How to eliminate wrong answers

Option A is wrong because Hot tier is optimized for frequent access (multiple times per month) and would incur higher storage costs for data read only a few times per year. Option B is wrong because Cool tier is suited for data accessed infrequently (about once per month) but has higher storage costs than Cold tier for this very low access pattern. Option C is wrong because Archive tier requires rehydration (taking up to 15 hours) to read data, violating the 'immediately available' requirement.

214
MCQmedium

A web app currently accesses Azure Blob Storage by using the storage account key in a connection string. Security now requires blocking any new requests that use shared key authorization, while Microsoft Entra-based access must continue to work. Which storage account setting should the administrator change?

A.Set the storage account network access to selected networks only.
B.Disable shared key authorization on the storage account.
C.Rotate the account keys and leave all authentication methods enabled.
D.Enable object replication for the storage account.
AnswerB

Disabling shared key authorization blocks new requests that rely on the account key, while still allowing Microsoft Entra-based authentication paths. This is the correct control when the goal is to stop key-based access without disabling modern identity-based access.

Why this answer

Option B is correct because disabling shared key authorization on the storage account explicitly blocks all requests that use the storage account key (shared key) for authentication, while still allowing requests authenticated via Microsoft Entra ID (formerly Azure AD). This directly meets the security requirement to block new requests using shared key authorization without affecting Entra-based access.

Exam trap

The trap here is that candidates often confuse network-level restrictions (firewall/VNet) with authentication-level controls, mistakenly thinking that limiting network access (Option A) is equivalent to blocking shared key authorization, when in fact it only controls which IPs or VNets can reach the storage account, not how they authenticate.

How to eliminate wrong answers

Option A is wrong because setting the storage account network access to selected networks only restricts access based on IP address or virtual network, not authentication method; it would block all traffic from outside the selected networks, including Entra-authenticated requests, and does not specifically block shared key authorization. Option C is wrong because rotating the account keys and leaving all authentication methods enabled does not block shared key authorization; it only changes the keys, so new requests can still use the new keys, failing the requirement. Option D is wrong because enabling object replication for the storage account is used for asynchronous replication of blobs across regions for data redundancy or disaster recovery, and has no effect on authentication methods or blocking shared key authorization.

215
MCQhard

A Windows VM runs an application that uploads files to a blob container every hour. Security forbids storing storage account keys or long-lived SAS tokens on the VM. The application must be able to write only to that container and nothing else. What should the administrator configure?

A.Store the storage account key in an environment variable on the VM
B.Create a service SAS with write permission on the storage account
C.Assign Storage Blob Data Contributor to the VM's managed identity at the container scope
D.Assign Contributor on the storage account to the VM's system-assigned identity
AnswerC

A managed identity avoids stored credentials, and the Storage Blob Data Contributor role grants blob read/write permissions without exposing account keys. Assigning it at the container scope keeps access limited to one container instead of the whole storage account. This is the least-privilege, Azure-native approach for an app that needs ongoing upload access.

Why this answer

Option C is correct because it uses Azure RBAC to grant the VM's managed identity the Storage Blob Data Contributor role at the container scope. This allows the application to write only to that specific container without requiring any storage account keys or SAS tokens on the VM, satisfying the security requirement. Managed identities provide an automatically managed service principal in Azure AD, enabling secure authentication to Azure services without storing credentials.

Exam trap

The trap here is that candidates often confuse the Contributor role (which grants management-plane access) with the Storage Blob Data Contributor role (which grants data-plane access), and fail to realize that scoping the role to the container level is necessary to restrict access to only that container.

How to eliminate wrong answers

Option A is wrong because storing the storage account key in an environment variable violates the security policy that forbids storing keys on the VM, and the key grants full access to the storage account, not just the container. Option B is wrong because a service SAS with write permission on the storage account would allow writing to any container within that account, not just the specific container, and the SAS token would still need to be stored on the VM, violating the security constraint. Option D is wrong because assigning the Contributor role at the storage account scope grants full management access to the storage account, including the ability to read and write to all containers and manage the account itself, which exceeds the required write-only access to a single container.

216
Multi-Select · easy

A team wants an Azure Storage account to be reachable only from one subnet, but they do not want to use a private endpoint. Which two configurations should they use? Select two.

Select 2 answers
A. Enable a Microsoft.Storage service endpoint on the subnet so the subnet can reach the storage service privately over the Azure backbone.
B. Add the subnet to the storage account's networking rules so only that subnet is allowed through the storage firewall.
C. Create a private endpoint and leave the firewall open to all networks so the subnet can be filtered later.
D. Assign Contributor on the storage account to the subnet, because Azure roles control which networks can connect.
E. Disable the public endpoint and rely on Internet routing, because that is the only way to limit access to one subnet.
Answers: A, B

A service endpoint extends the subnet's identity to the storage service without creating a private IP address.

Why this answer

Option A is correct because enabling a Microsoft.Storage service endpoint on the subnet extends the virtual network identity to the storage service, allowing traffic from that subnet to reach the storage account over the Azure backbone network without using a public IP. This ensures private connectivity from the subnet to the storage account while keeping the storage account's public endpoint enabled but restricted.

Exam trap

The trap here is that candidates confuse Azure RBAC roles (which control management access) with network-level access controls (firewall rules and service endpoints), leading them to incorrectly select option D.

217
MCQ · hard

Your application stores regulatory records in Azure Blob Storage. The records must remain in a write-once-read-many state for four years and must not be altered or deleted during that time. What should you configure?

A. Blob soft delete
B. Immutable blob storage with a time-based retention policy
C. Lifecycle management to move data to Archive
D. A shared access signature
Answer: B

This enforces WORM protection for the required period.

Why this answer

Immutable blob storage with a time-based retention policy enforces a write-once-read-many (WORM) state, ensuring that blobs cannot be modified or deleted for a specified duration. This directly meets the regulatory requirement of four-year retention without alteration or deletion, as the policy locks the data at the container level and prevents any changes until the retention period expires.

Exam trap

The trap here is that candidates often confuse soft delete (which only protects against deletion) with immutable storage (which prevents both modification and deletion), leading them to choose blob soft delete when the question explicitly requires a write-once-read-many state.

How to eliminate wrong answers

Option A is wrong because blob soft delete provides protection against accidental deletion by retaining deleted blobs for a configurable period, but it does not prevent modification or enforce a WORM state; blobs can still be overwritten or altered before deletion. Option C is wrong because lifecycle management moves blobs to different tiers (e.g., Archive) based on age or conditions, but it does not prevent modification or deletion of the data; blobs in Archive can still be deleted or overwritten unless additional protection is applied. Option D is wrong because a shared access signature (SAS) grants delegated access to blobs with specific permissions (e.g., read, write) but does not enforce immutability; a SAS with write permissions would allow modification, and it cannot prevent deletion or alteration by authorized users.

218
MCQ · easy

A contractor needs temporary access to upload files into one Azure Blob container for six hours. The administrator does not want to share the storage account key. What should the administrator create?

A. A shared access signature scoped to the container and expiration time
B. A new storage account access key
C. A management group assignment
D. A private endpoint for the contractor
Answer: A

A SAS can grant limited, time-bound access to a specific resource such as one container, without exposing the storage account key.

Why this answer

A shared access signature (SAS) scoped to the container provides time-limited, delegated access to specific operations (e.g., upload) without exposing the storage account key. By setting an expiration time of six hours, the administrator ensures the contractor can upload files only during that window, after which the token becomes invalid. This meets the requirement for temporary, secure access.

Exam trap

The trap here is that candidates may confuse a SAS with a storage account key, thinking any shared credential is unsafe, or mistakenly choose a private endpoint as a security solution for access control rather than network isolation.

How to eliminate wrong answers

Option B is wrong because creating a new storage account access key grants full administrative access to the entire storage account, not just the container, and cannot be scoped to a specific time window or operation. Option C is wrong because a management group assignment controls Azure RBAC permissions across subscriptions, not granular access to a single blob container. Option D is wrong because a private endpoint secures network connectivity to the storage account via a private IP, but does not provide authentication or authorization for the contractor to upload files.

219
MCQ · hard

A company uses Azure Blob Storage for legal documents. The documents must not be modified or deleted for seven years after upload, even by administrators. What should you configure?

A. Blob soft delete
B. Immutable blob storage with a time-based retention policy
C. Lifecycle management to move blobs to Archive
D. Blob versioning
Answer: B

Immutable storage enforces WORM protection for the required retention period.

Why this answer

Immutable blob storage with a time-based retention policy (WORM – Write Once, Read Many) ensures that blobs cannot be modified or deleted for a specified retention period, even by administrators. This is the only Azure storage feature that provides legal hold or regulatory compliance for fixed records, such as legal documents that must remain unaltered for seven years.

Exam trap

The trap here is that candidates often confuse soft delete or versioning with immutable storage, not realizing that only a time-based retention policy (WORM) provides the strict, administrator-proof immutability required for regulatory compliance.

How to eliminate wrong answers

Option A is wrong because blob soft delete only protects against accidental deletion by retaining deleted blobs for a configurable period, but it does not prevent modification or deletion by administrators during the retention period. Option C is wrong because lifecycle management moves blobs between tiers (e.g., to Archive) based on age or conditions, but it does not prevent modification or deletion of the blobs themselves. Option D is wrong because blob versioning preserves previous versions of a blob when overwritten or deleted, but it does not prevent administrators from modifying or deleting the current version or any version during the retention period.

220
MCQ · easy

A healthcare application stores files that must be protected against a single datacenter outage in the region. The team does not need a secondary region for read access, and they want the simplest resilient option. Which storage redundancy should they choose?

A. Locally redundant storage (LRS)
B. Zone-redundant storage (ZRS)
C. Geo-zone-redundant storage (GZRS)
D. Read-access geo-redundant storage (RA-GRS)
Answer: B

ZRS stores copies across multiple zones in the region, which helps the data survive a datacenter or zone-level outage without needing another region.

Why this answer

Zone-redundant storage (ZRS) replicates data synchronously across three Azure availability zones within a single region, protecting against a complete datacenter outage without requiring a secondary region. This meets the requirement for the simplest resilient option that guards against a single datacenter failure while avoiding the complexity and cost of geo-replication.

Exam trap

The trap here is that candidates often confuse 'protecting against a single datacenter outage' with needing geo-redundancy, but ZRS within a region is sufficient and simpler when no secondary region read access is required.

How to eliminate wrong answers

Option A is wrong because locally redundant storage (LRS) replicates data only within a single datacenter (three copies in one physical location), so a full datacenter outage would cause data loss. Option C is wrong because geo-zone-redundant storage (GZRS) adds geo-replication to a secondary region, which is unnecessary complexity and cost since the team does not need a secondary region for read access. Option D is wrong because read-access geo-redundant storage (RA-GRS) replicates to a secondary region and provides read access there, which is overkill and more complex than the simple zone-level protection required.

221
MCQ · easy

A blob was moved to the Archive tier last month. A user now needs to open the file within a few hours. What should the administrator do first?

A. Download the blob directly from the Archive tier
B. Change the blob to Hot or Cool and wait for rehydration to complete
C. Create a snapshot of the blob and open the snapshot instead
D. Enable versioning on the storage account
Answer: B

Archive data must be rehydrated back to an online tier such as Hot or Cool before it can be read again.

Why this answer

Blobs in the Archive tier are offline and cannot be read directly. To access the data, you must first change the blob's access tier to Hot or Cool, which initiates a rehydration process that makes the blob available for reading. Since the user needs the file within a few hours, rehydration typically completes within that timeframe (up to 15 hours for Archive to Cool/Hot).

Exam trap

The trap here is that candidates assume the Archive tier is readable like Cool or Hot, or that snapshots or versioning bypass the rehydration requirement, but Azure explicitly blocks direct access to archived blobs until they are rehydrated.

How to eliminate wrong answers

Option A is wrong because blobs in the Archive tier are offline and cannot be downloaded directly; attempting to do so results in an error (e.g., HTTP 409 or 'Blob is in Archive tier'). Option C is wrong because creating a snapshot of an archived blob does not make the data accessible; the snapshot inherits the same Archive tier and remains offline until rehydrated. Option D is wrong because enabling versioning does not change the access tier of existing blobs; it only creates new versions on writes, and archived versions would still require rehydration to read.

222
MCQ · medium

A backup job from an Azure service must write to a storage account that has the network firewall set to deny all public traffic. The team does not want to create a private endpoint for this workload. What should the administrator enable?

A. Allow trusted Microsoft services to access the storage account
B. Add the backup server's public IP address to the storage firewall
C. Create a service endpoint on the subnet that hosts the backup job
D. Disable the storage account firewall temporarily during each backup window
Answer: A

Allowing trusted Microsoft services is the correct choice when a supported Azure platform service needs to reach the storage account without opening the firewall broadly. It permits specific Microsoft-managed services to bypass the network restriction while keeping public traffic denied. This is appropriate when the workload is an Azure service rather than a customer VM or subnet.

Why this answer

Option A is correct because Azure Storage firewalls include a special exception for 'Allow trusted Microsoft services to access this storage account'. When enabled, this exception permits Azure platform services—such as Azure Backup—to bypass the public network deny rule and write to the storage account without requiring a private endpoint. This works because the backup service runs on Microsoft-owned infrastructure that is authenticated and authorized at the control plane level, not via a public IP.

Exam trap

The trap here is that candidates often confuse 'Allow trusted Microsoft services' with a generic security bypass, not realizing it is a specific, documented exception designed for Azure platform services like Backup, Log Analytics, and Azure Site Recovery.

How to eliminate wrong answers

Option B is wrong because the backup job is an Azure platform service, not a specific server with a public IP; adding a public IP would not cover the dynamic, internal source addresses used by the service. Option C is wrong because a service endpoint would require the backup job's source subnet to be explicitly configured, and the backup service does not run in a customer subnet—it runs in a Microsoft-managed environment. Option D is wrong because disabling the firewall temporarily is a manual, insecure workaround that violates the requirement to keep the firewall enabled and introduces operational risk and potential data exposure.

223
MCQ · medium

A legal department stores project video assets in Azure Blob Storage. The files are reviewed only during quarterly audits, but when someone needs a file it must open immediately without waiting for rehydration. Which access tier should the administrator use for the blobs?

A. Hot, because it is optimized for frequent access and always costs the least to retrieve.
B. Cool, because it is for infrequent access while still keeping blobs online and immediately available.
C. Archive, because it is the cheapest choice for data that is rarely used and can be restored instantly.
D. Premium, because it is intended for workload bursts and gives the best long-term storage economics.
Answer: B

Cool tier is meant for infrequently accessed data that still needs to remain online. It avoids archive rehydration delays, so users can open the file immediately during quarterly audits.

Why this answer

The Cool access tier is designed for data that is infrequently accessed but must remain immediately available (online) without any rehydration delay. Since the legal department needs instant access during quarterly audits, Cool meets the requirement of low retrieval cost while keeping blobs online, unlike Archive which requires hours-long rehydration.

Exam trap

The trap here is that candidates often choose Archive thinking it is the cheapest for rarely used data, forgetting that Archive blobs are offline and require significant rehydration time, which contradicts the 'immediately available' requirement in the question.

How to eliminate wrong answers

Option A is wrong because Hot is optimized for frequent access and has higher storage costs than Cool, making it uneconomical for data accessed only quarterly. Option C is wrong because Archive is the cheapest for rarely accessed data but requires rehydration (taking up to 15 hours) before blobs are available, violating the 'immediately available' requirement. Option D is wrong because Premium is a block blob tier for low-latency, high-frequency workloads (e.g., IoT) and has the highest storage cost, not suitable for long-term, infrequent access.

224
MCQ · hard

An operations team archived monthly log exports six weeks ago. An auditor now needs one specific blob restored within a day, and the file will likely be opened several times during the audit. Which action should the administrator take first?

A. Set the blob directly to the Archive tier again
B. Rehydrate the blob to the Hot tier
C. Create a snapshot of the archived blob and open the snapshot
D. Increase the account redundancy to RA-GRS before the audit
Answer: B

The blob must be rehydrated before it can be opened, and Hot is a sensible target when repeated reads are expected during an active audit. Choosing Hot avoids repeated retrieval penalties and keeps the file immediately online for the rest of the audit window. That makes the workflow simpler for the auditor.

Why this answer

The blob is currently in the Archive tier, which is offline and cannot be read directly. To access the data, the blob must first be rehydrated to an online tier (Hot or Cool) by changing its tier or copying it to a new blob. Rehydrating to the Hot tier ensures the blob is available for multiple reads within the audit timeframe, as the rehydration process typically takes up to 15 hours for Archive tier blobs.

Exam trap

The trap here is that candidates may think snapshots can be taken of any blob regardless of tier, but Azure requires the source blob to be in an online tier (Hot, Cool, or Cold) to create a snapshot.

How to eliminate wrong answers

Option A is wrong because setting a blob directly to the Archive tier again is meaningless—the blob is already archived and offline, and this action does not bring it online for access. Option C is wrong because you cannot create a snapshot of an archived blob; snapshots require the blob to be in an online tier (Hot, Cool, or Cold), and the Archive tier is offline. Option D is wrong because increasing account redundancy to RA-GRS does not affect the offline state of an archived blob; redundancy changes apply to the storage account configuration, not to the tier of individual blobs, and the blob remains inaccessible until rehydrated.

225
MCQ · easy

A records team wants blobs to be replicated to a secondary region, and the secondary copy must be readable if the primary region becomes unavailable. Which redundancy option should you choose?

A. Locally redundant storage (LRS)
B. Zone-redundant storage (ZRS)
C. Geo-redundant storage (GRS)
D. Read-access geo-redundant storage (RA-GRS)
Answer: D

RA-GRS replicates data to a secondary region and allows reads from that secondary copy, which fits the requirement exactly.

Why this answer

RA-GRS (Read-access geo-redundant storage) is correct because it provides geo-redundant replication (GRS) to a secondary region, plus read access to the secondary copy even if the primary region is unavailable. This ensures the blob data is replicated asynchronously to a paired secondary region, and the secondary endpoint can be read immediately during a primary outage, meeting the team's requirement for readable secondary copies.

Exam trap

The trap here is that candidates often confuse GRS with RA-GRS, assuming that geo-redundant replication automatically provides readable secondary copies, but GRS does not allow read access to the secondary region until a failover occurs, whereas RA-GRS explicitly enables read access at all times.

How to eliminate wrong answers

Option A (LRS) is wrong because it replicates data only within a single data center in the primary region, providing no replication to a secondary region and no readable copy if the primary region fails. Option B (ZRS) is wrong because it replicates data synchronously across three availability zones within a single region, but does not replicate to a secondary region, so it cannot provide a readable copy in a different region. Option C (GRS) is wrong because while it replicates data to a secondary region, the secondary copy is not readable unless a failover is initiated by Microsoft; it does not offer read access to the secondary region during a primary region outage.
