CCNA AZ Monitoring Questions

75 of 191 questions · Page 1/3 · AZ Monitoring topic · Answers revealed

1
Matching · medium

A support engineer has several recovery scenarios after Azure VM backup. Match each recovery need to the restore option that best fits.

Concepts
Matches

Restore virtual machine

Restore disks

File recovery

Create virtual machine

Cross-region restore

Why these pairings

Azure VM Backup offers multiple restore options: File Recovery for individual files, Create new VM for a fresh VM, Restore to a restore point for point-in-time recovery, Replace existing VM to overwrite, Cross-region restore for disaster recovery, and Restore disks to restore only disks.

2
MCQ · hard

The subscription activity log is being sent to a Log Analytics workspace. An alert must fire when any resource group is deleted, but delete operations initiated by the automation account rg-cleaner@contoso.com must be ignored. Which query should be used in the alert rule?

A. `AzureActivity | where ResourceProviderValue == "Microsoft.Resources" | where OperationName contains "delete"`
B. `AzureActivity | where OperationNameValue == "Microsoft.Resources/subscriptions/resourceGroups/delete" | where ActivityStatusValue == "Succeeded" | where Caller != "rg-cleaner@contoso.com" | summarize Count = count()`
C. `Heartbeat | where Computer == "rg-cleaner@contoso.com" | where TimeGenerated > ago(1d)`
D. `SecurityEvent | where EventID == 4688 | where Account == "rg-cleaner@contoso.com"`
Answer: B

This query targets the exact delete operation for resource groups in AzureActivity, limits results to successful deletions, and excludes the automation account caller. A log alert can trigger when the result count is greater than zero. It is the most accurate choice because it filters by both operation identity and exception handling, which prevents false alerts from the known automation runbook.

Why this answer

Option B is correct because it filters for the exact operation that deletes a resource group (Microsoft.Resources/subscriptions/resourceGroups/delete), ensures the deletion succeeded, and excludes the caller 'rg-cleaner@contoso.com'. This meets the requirement to fire an alert only when a resource group is deleted by any user except the automation account.

Exam trap

The trap here is that candidates often choose Option A because they see 'delete' in the operation name, but they fail to realize that a broad 'contains' filter will match many unrelated delete operations and does not exclude the automation account's caller identity.

How to eliminate wrong answers

Option A is wrong because it uses a generic 'contains delete' filter on OperationName, which would match many unrelated delete operations (e.g., deleting a VM or storage account) and does not filter by caller or success status. Option C is wrong because it queries the Heartbeat table, which is used for agent health monitoring, not for tracking resource group deletions or caller identity. Option D is wrong because it queries SecurityEvent for process creation (EventID 4688), which logs local process execution, not Azure resource group deletions or the caller's identity in Azure Activity Log.

3
MCQ · hard

An administrator enabled diagnostic settings on a storage account and selected the resource-specific table format for Log Analytics. A coworker later queried AzureDiagnostics and received no rows. What should the administrator tell the coworker to do?

A. Query the dedicated storage resource tables created by the diagnostic setting instead of AzureDiagnostics
B. Recreate the storage account because AzureDiagnostics is only populated by new resources
C. Change the storage account replication type to GRS so diagnostic logs are duplicated
D. Enable Azure Monitor metrics collection on the storage account before querying AzureDiagnostics
Answer: A

Resource-specific export writes to service-specific tables, so AzureDiagnostics will not contain those records.

Why this answer

When diagnostic settings are configured to use the 'Resource specific' destination table format, logs are sent to dedicated tables named after the resource type (e.g., StorageBlobLogs, StorageQueueLogs) rather than the legacy AzureDiagnostics table. Querying AzureDiagnostics returns no rows because logs are not written there under this format. The coworker must query the appropriate resource-specific table instead.

Exam trap

The trap here is that candidates assume all diagnostic logs always land in the AzureDiagnostics table, overlooking the 'Resource specific' destination table format option that creates dedicated tables per resource type.

How to eliminate wrong answers

Option B is wrong because AzureDiagnostics is not 'only populated by new resources'; it is populated based on the diagnostic setting's destination table format, not the age of the resource. Option C is wrong because changing replication to GRS (geo-redundant storage) affects data durability and availability, not the routing or storage of diagnostic logs in Log Analytics. Option D is wrong because enabling Azure Monitor metrics collection is unrelated to the table format used for diagnostic logs; metrics and logs are separate data types and do not affect the presence of rows in AzureDiagnostics.

4
MCQ · hard

A Windows VM in Azure is protected by Azure Backup. A developer accidentally deleted one application folder, but the VM must keep serving users while the administrator restores only that folder. What should the administrator do?

A. Restore the entire VM from the latest recovery point into the production resource group.
B. Use File Recovery from the appropriate recovery point and copy the folder back.
C. Restore the managed disk and attach it to the running VM as a second OS disk.
D. Create a new Recovery Services vault and re-protect the VM before restoring anything.
Answer: B

File Recovery is designed for item-level restore from an Azure VM backup. The administrator can mount the recovery point, browse the backed-up contents, and copy the missing folder back without replacing the whole VM. This is the least disruptive option when the machine must remain online and only a small set of files is needed.

Why this answer

Option B is correct because Azure Backup's File Recovery feature allows you to mount a recovery point as a drive on the running VM, enabling you to copy specific files or folders without restoring the entire VM or disrupting production. This is the only method that meets the requirement of restoring only the deleted folder while the VM continues serving users.

Exam trap

The trap here is that candidates often assume a full VM restore or disk restore is required for file-level recovery, overlooking the Azure Backup File Recovery feature that is specifically designed for granular, non-disruptive restores.

How to eliminate wrong answers

Option A is wrong because restoring the entire VM from the latest recovery point into the production resource group would overwrite the current VM or create a conflicting VM, causing downtime and unnecessary data transfer, and it does not target only the deleted folder. Option C is wrong because restoring the managed disk and attaching it as a second OS disk would require stopping the VM to attach the disk, and the folder would need to be extracted from the OS volume, which is complex and disruptive; moreover, Azure Backup does not directly support restoring a managed disk for file-level recovery without using File Recovery. Option D is wrong because creating a new Recovery Services vault and re-protecting the VM does not restore the deleted folder; it only initiates new backups, and the existing recovery points in the original vault are still accessible for restoration.

5
Multi-Select · easy

An alert must start automated responses when a metric threshold is reached. Which two resources can an Azure Monitor action group invoke? Select two.

Select 2 answers
A. An Azure Automation runbook
B. An Azure Function
C. A virtual network peering connection
D. A resource lock
E. A storage account access tier
Answers: A, B

Action groups can trigger runbooks to perform scripted operational tasks automatically.

Why this answer

Azure Monitor action groups can invoke an Azure Automation runbook to execute automated remediation or response tasks when a metric alert fires. This allows you to trigger scripts or workflows in response to specific conditions, such as scaling resources or restarting services, without manual intervention.

Exam trap

The trap here is that candidates often confuse Azure resources that can be configured or monitored with resources that can be directly invoked as actions by an alert, leading them to select static resources like peering or locks instead of executable services like runbooks and functions.

6
Multi-Select · easy

An operations team wants an email notification when the average CPU percentage on a VM stays above 85 percent for 10 minutes. Which two Azure Monitor components should they configure? Select two.

Select 2 answers
A. A metric alert rule
B. An action group
C. Azure Bastion
D. A Recovery Services vault
E. A resource lock
Answers: A, B

A metric alert evaluates VM performance data and can trigger when a threshold is crossed.

Why this answer

A metric alert rule is correct because it monitors a specific VM performance metric (e.g., Percentage CPU) and triggers when the average value exceeds 85% for a duration of 10 minutes, as defined by the aggregation granularity and evaluation frequency. This rule evaluates the metric data at regular intervals and fires an alert when the condition is met, enabling automated notification.

Exam trap

The trap here is that candidates often confuse the metric alert rule (which monitors performance metrics) with activity log alerts (which monitor resource configuration changes), or they mistakenly think Azure Bastion or Recovery Services vaults have monitoring capabilities, when in fact only the combination of a metric alert rule and an action group enables email notifications for metric thresholds.

7
Multi-Select · medium

Every backup job for a newly deployed Azure VM fails immediately and reports that the VM agent is not ready. Which two checks should the administrator perform first? Select two.

Select 2 answers
A. Verify that the Azure VM Agent is installed and the service is running inside the guest.
B. Verify that outbound HTTPS access to the required Azure Backup and Storage endpoints is allowed.
C. Increase the recovery point retention in the backup policy.
D. Recreate the Recovery Services vault in another region.
E. Disable the backup policy until the VM is rebooted several times.
Answers: A, B

A healthy VM agent is required for Azure Backup to coordinate with the guest operating system.

Why this answer

The Azure VM Agent is required for the Azure Backup service to communicate with the VM and orchestrate snapshot operations. If the agent is not installed or the service (Windows: WindowsAzureGuestAgent, Linux: waagent) is not running, backup jobs will fail immediately with the 'agent not ready' error. Verifying agent status is the first logical step because without a functioning agent, no backup can proceed.

Exam trap

The trap here is that candidates often jump to network connectivity (Option B) as the sole cause, forgetting that the agent must be installed and running first—without it, even perfect network access will not fix the backup failure.

8
Matching · medium

A support engineer is investigating a failed Azure VM backup job in Log Analytics. Match each KQL operator to the result it produces.

Concepts
Matches

Keeps only rows that meet the filter condition.

Returns only selected columns and can rename them.

Aggregates rows into totals, counts, or grouped results.

Orders the output by one or more columns.

Why these pairings

These are common KQL operators. 'where' filters, 'project' selects columns, 'extend' adds columns, 'summarize' aggregates, 'join' merges tables, and 'order by' sorts results.

9
Matching · medium

An administrator is reviewing a KQL query used to investigate failed operations in a Log Analytics workspace. Match each KQL operator to the effect it has on the query output.

Concepts
Matches

Filters rows so only records that meet the condition remain in the result.

Returns only selected columns and can rename them for cleaner output.

Aggregates data, such as counting failures by hour or by status code.

Adds a calculated column based on existing fields in each row.

Sorts the result set, such as showing the newest records first.

Why these pairings

These are standard KQL operators used in Log Analytics queries. 'where' filters, 'project' selects columns, 'extend' adds computed columns, 'summarize' aggregates, 'join' merges tables, and 'order by' sorts results.

10
MCQ · medium

Based on the exhibit, which KQL query should you use to find failed storage account delete operations in the last hour and count them by caller?

A. `AzureActivity | where TimeGenerated > ago(1h) | where OperationNameValue has 'Microsoft.Storage/storageAccounts/delete' | where ActivityStatusValue == 'Failed' | summarize Failures=count() by Caller`
B. `AzureActivity | where TimeGenerated > ago(1h) | where OperationNameValue has 'Microsoft.Storage/storageAccounts/delete' | where ActivityStatusValue == 'Succeeded' | summarize Failures=count() by Caller`
C. `SecurityEvent | where EventID == 4670 | summarize count() by Account`
D. `AzureActivity | where TimeGenerated > ago(1h) | where OperationNameValue has 'Microsoft.Storage/storageAccounts/delete' | summarize Failures=count() by Caller`
Answer: A

This query filters to the last hour, matches the delete operation, keeps only failed records, and groups the results by caller. It returns exactly the data needed to see who attempted the failed deletes.

Why this answer

Option A is correct because it filters AzureActivity logs to the last hour using `TimeGenerated > ago(1h)`, targets only storage account delete operations with `OperationNameValue has 'Microsoft.Storage/storageAccounts/delete'`, restricts to failed operations via `ActivityStatusValue == 'Failed'`, and then counts failures by caller using `summarize Failures=count() by Caller`. This precisely meets the requirement to find failed storage account delete operations in the last hour and count them by caller.

Exam trap

The trap here is that candidates may forget to filter by `ActivityStatusValue == 'Failed'` (as in Option D) or mistakenly filter for `'Succeeded'` (as in Option B), both of which fail to meet the requirement for counting only failed operations.

How to eliminate wrong answers

Option B is wrong because it filters for `ActivityStatusValue == 'Succeeded'`, which would count successful delete operations instead of the required failed ones. Option C is wrong because it queries `SecurityEvent` with `EventID == 4670` (which relates to permission changes, not storage account delete operations) and does not filter by time or operation type. Option D is wrong because it omits the `where ActivityStatusValue == 'Failed'` filter, so it would count all storage account delete operations (both successful and failed) instead of only failed ones.

11
Multi-Select · hard

A backup administrator manages three Recovery Services vaults. They need a single place to review the latest job outcome across all vaults, and then drill into the failed job details for one VM. Which two Azure experiences should they use? Select two.

Select 2 answers
A. Azure Backup center
B. Recovery Services vault > Backup jobs
C. Azure Monitor metric chart
D. Azure Activity Log
E. Resource Health
Answers: A, B

Backup center provides a consolidated view for backup management across vaults and subscriptions.

Why this answer

Azure Backup center provides a single, unified dashboard to monitor backup jobs across multiple Recovery Services vaults, enabling you to quickly view the latest job outcome for all protected workloads. From the Backup center, you can drill into a specific failed job for a VM by selecting it, which navigates to the detailed job view within the associated Recovery Services vault's Backup jobs blade. This combination meets the requirement for a centralized review and granular drill-down.

Exam trap

The trap here is that candidates often assume a single Recovery Services vault's Backup jobs blade is sufficient for multi-vault oversight, but the question explicitly requires a single place to review across all vaults, which only Backup center provides, while the vault-specific blade is needed for the drill-down step.

12
MCQ · medium

Based on the exhibit, the security team needs 30 days of searchable log data for a storage account and wants to create queries that can be used in workbooks and alerts. The current configuration only sends data to an archive location. What should the administrator configure?

A. Add a Log Analytics workspace destination to the diagnostic setting.
B. Change the storage account redundancy to RA-GRS.
C. Enable a CanNotDelete lock on the storage account.
D. Configure a private endpoint for the storage account.
Answer: A

Log Analytics is the destination that supports KQL searches, workbook visualizations, and log-based alert rules. Adding it to the diagnostic setting gives the security team queryable operational data for the required retention period.

Why this answer

Option A is correct because the current diagnostic setting only archives logs to a storage account, which does not support interactive querying, workbooks, or alert rules. By adding a Log Analytics workspace destination to the same diagnostic setting, logs are sent to a centralized workspace where they become searchable via KQL, enabling real-time queries, workbook visualizations, and alert triggers. This meets the security team's requirement for 30 days of searchable log data without changing the existing archive destination.

Exam trap

The trap here is that candidates may think archiving logs to a storage account is sufficient for querying, but Azure Storage does not provide native log search or alerting capabilities—only Log Analytics workspaces enable interactive queries, workbooks, and alerts.

How to eliminate wrong answers

Option B is wrong because changing the storage account redundancy to RA-GRS only improves data durability and availability through geo-replication, but does not make the stored logs searchable or queryable for workbooks and alerts. Option C is wrong because enabling a CanNotDelete lock prevents accidental deletion of the storage account but has no effect on log searchability or query capabilities. Option D is wrong because configuring a private endpoint for the storage account secures network access by using a private IP address from the virtual network, but does not enable log querying or integration with Log Analytics workbooks and alerts.

13
Matching · medium

A production team wants to match common Azure Monitor components to the action each one performs. Match each item on the left to the best description on the right.

Concepts
Matches

Triggers when a numeric metric such as CPU percentage crosses a defined threshold.

Sends notifications or starts responses such as email, SMS, webhook, or automation.

Reports an Azure platform incident, advisory, or planned maintenance that affects a region or subscription.

Shows whether one specific Azure resource is currently healthy, degraded, or unavailable.

Exports a resource's logs and metrics to destinations such as Log Analytics or Storage.

Why these pairings

Log Analytics workspace stores logs centrally; Azure Monitor Metrics handles numeric time-series data; Application Insights focuses on application performance; Activity Log tracks control plane events; Alerts send notifications; Workbooks create interactive reports.

14
Multi-Select · easy

Which two settings can you configure in an Azure Backup policy for a virtual machine? Select two.

Select 2 answers
A. Backup schedule
B. Retention period
C. Virtual network peering
D. Network security group rules
E. Public IP allocation
Answers: A, B

The policy controls when backups run, such as daily or weekly timing.

Why this answer

Option A is correct because an Azure Backup policy for a virtual machine includes a 'Backup schedule' setting that defines how often (e.g., daily or weekly) and at what time the backup job runs. This schedule controls the frequency of recovery point creation, which is essential for meeting recovery point objectives (RPOs).

Exam trap

The trap here is that candidates confuse Azure Backup policy settings with other Azure resource configurations, such as networking or IP addressing, because the exam often includes distractor options from different domains (networking, security, compute) to test whether you know the exact scope of a backup policy.

15
Multi-Select · easy

A helpdesk engineer wants to determine whether a VM issue is caused by a Microsoft platform problem or a problem limited to one specific VM. Which two Azure features should they use? Select two.

Select 2 answers
A. Azure Advisor
B. Backup center
C. Resource Health
D. Service Health
E. Log Analytics workspace
Answers: C, D

Resource Health shows whether a specific Azure resource is healthy or experiencing issues.

Why this answer

Resource Health (C) provides a personalized dashboard showing the health of your individual Azure resources, including VMs, and can indicate whether an issue is specific to that resource. Service Health (D) provides a global view of Azure service availability across regions and can identify platform-wide outages or planned maintenance. Together, they allow the engineer to differentiate between a problem limited to one VM and a broader Azure platform problem.

Exam trap

The trap here is that candidates often confuse Resource Health with Service Health, thinking they are interchangeable, when in fact Resource Health focuses on individual resources while Service Health covers the entire Azure platform, and both are needed together to isolate the scope of a problem.

16
MCQ · medium

The team needs alerts for VM CPU and storage capacity thresholds, but they want to keep telemetry ingestion costs as low as possible. Which approach is best?

A. Use Azure Monitor metric alerts for the threshold conditions.
B. Send all VM diagnostic logs to Log Analytics and create only log search alerts.
C. Create a Recovery Services vault backup policy with a short retention period.
D. Assign Azure Policy to the subscription to audit CPU and storage trends.
Answer: A

Metric alerts evaluate native platform metrics directly and do not require broad log ingestion, so they are usually the most cost-aware option for threshold monitoring. For CPU and capacity-type measurements that are available as metrics, this approach gives near real-time alerting with minimal telemetry overhead. It fits the requirement to monitor multiple resources while keeping data collection costs down.

Why this answer

Azure Monitor metric alerts are the most cost-effective approach because they evaluate lightweight, pre-collected platform metrics (e.g., CPU percentage, disk read/write operations) at regular intervals without ingesting or storing raw log data. This avoids the ingestion and retention costs associated with sending diagnostic logs to a Log Analytics workspace, making it ideal for simple threshold-based monitoring of VM CPU and storage capacity.

Exam trap

The trap here is that candidates often assume Log Analytics is always the right choice for alerts because it provides richer data, but they overlook the cost implications of ingesting and storing diagnostic logs for simple threshold monitoring, where metric alerts are both sufficient and far cheaper.

How to eliminate wrong answers

Option B is wrong because sending all VM diagnostic logs to Log Analytics incurs significant data ingestion and retention costs, and log search alerts require querying that stored data, which is far more expensive than metric alerts for simple threshold conditions. Option C is wrong because a Recovery Services vault backup policy is designed for backup and disaster recovery of VMs, not for real-time monitoring or alerting on CPU and storage thresholds. Option D is wrong because Azure Policy is used for enforcing compliance rules (e.g., requiring specific VM sizes or tags), not for monitoring performance metrics or generating alerts on CPU and storage usage.

17
MCQ · hard

An operations team wants to know when Azure marks a specific storage account unhealthy because of a regional platform issue. They do not want to depend on a custom metric, a Log Analytics query, or any polling script. What should they create?

A. A metric alert on storage capacity because platform issues always reduce capacity first
B. A resource health alert for the storage account
C. A log alert that searches AzureDiagnostics for unavailable status codes
D. An activity log alert on every write operation to the storage account
Answer: B

Resource Health is designed to notify you when Azure reports the specific resource as unhealthy, which matches the requirement exactly.

Why this answer

A resource health alert is the correct choice because it directly monitors the health of a specific Azure resource, such as a storage account, and triggers when Azure detects a platform-level issue that marks the resource as unhealthy. This alert does not require custom metrics, Log Analytics queries, or polling scripts, aligning perfectly with the team's requirement to avoid those dependencies. Resource health alerts are designed to notify you of service-impacting events originating from the Azure platform, not from your own configuration or usage patterns.

Exam trap

The trap here is that candidates often confuse resource health alerts with activity log alerts or metric alerts, mistakenly thinking that monitoring operational metrics or logging errors can detect platform-level unavailability, when in fact resource health alerts are the only native, dependency-free mechanism for this specific scenario.

How to eliminate wrong answers

Option A is wrong because storage capacity metrics do not indicate platform health; platform issues can cause unavailability without any change in capacity, and capacity alerts are based on custom metric thresholds, which the team explicitly wants to avoid. Option C is wrong because a log alert searching AzureDiagnostics requires a Log Analytics workspace and a query, which violates the requirement of not depending on a Log Analytics query. Option D is wrong because an activity log alert on every write operation would generate excessive noise and does not detect platform-level unhealthiness; it monitors user-initiated operations, not the underlying platform health status.

18
Multi-Select · easy

A VM must be backed up every day, and backups must be retained for several days after creation. Which two settings are configured in an Azure Backup policy? Select two.

Select 2 answers
A. Backup schedule
B. Retention rules
C. Network security group rules
D. Private DNS zone records
E. Availability set placement
Answers: A, B

The schedule defines when Azure Backup creates the recovery point each day.

Why this answer

Option A is correct because an Azure Backup policy requires a backup schedule to define when the backup job runs (e.g., daily at a specific time). Option B is correct because retention rules specify how long each backup recovery point is kept (e.g., 7 days for daily backups, 30 days for weekly). Together, these two settings form the core of a backup policy, ensuring both the timing and lifespan of backups are controlled.

Exam trap

The trap here is that candidates confuse backup policies with other VM management features like networking or availability, but Azure Backup policies strictly require only a schedule and retention rules to function.

19
MCQ · hard

A storage account hosts application logs that security wants to search in Log Analytics for 30 days and keep in a separate retained copy for one year. They also want to monitor storage metrics in the same place for troubleshooting. What should be configured on the storage account?

A. Enable only the activity log export because it already includes all storage telemetry.
B. Create a diagnostic setting that sends the storage resource logs and AllMetrics to Log Analytics and a storage account.
C. Create an action group that archives storage events and forwards them to investigators.
D. Create a metric alert on the storage account and use it as the retention mechanism.
Answer: B

Diagnostic settings can stream both resource logs and supported metrics from the storage account. Sending the logs to Log Analytics makes them searchable for troubleshooting, while sending them to a storage account preserves a second copy for the required one-year retention. Including metrics in the same diagnostic setting gives operators a unified view of performance and troubleshooting data. This is the most complete configuration for the stated retention and analysis goals.

Why this answer

Option B is correct because a diagnostic setting on a storage account can send both resource logs (e.g., StorageRead, StorageWrite) and AllMetrics (e.g., transactions, ingress) to a Log Analytics workspace for querying and to a secondary storage account for long-term retention. This meets the requirement to search logs for 30 days in Log Analytics (which has its own retention setting) and keep a separate archived copy for one year in the storage account.

Exam trap

The trap here is that candidates confuse the activity log (which only covers Azure resource management events) with resource logs (which capture data-plane operations), leading them to choose Option A, or they mistakenly think an action group or metric alert can handle log retention.

How to eliminate wrong answers

Option A is wrong because the activity log does not include storage resource logs or metrics; it only records control-plane operations (e.g., creating a storage account), not data-plane telemetry like read/write requests or latency. Option C is wrong because an action group is used to send notifications (e.g., email, SMS) when an alert fires, not to archive or forward logs for retention or search. Option D is wrong because a metric alert triggers a notification based on a threshold condition; it does not provide a mechanism for retaining or searching logs or metrics over time.

20
Matching · medium

An operations team monitors a group of Azure VMs and storage accounts. Match each Azure Monitor component to the behavior it provides in day-to-day operations.

Concepts
Matches

Evaluates a numeric metric and fires when the threshold condition is met.

Sends the alert to chosen recipients or automation targets.

Shows Microsoft platform, region, or resource health incidents affecting the subscription.

Sends resource logs and metrics to Log Analytics, Event Hub, or Storage for later analysis.

Why these pairings

Metrics give real-time performance; Logs store detailed events; Alerts trigger notifications; Workbooks visualize data; Autoscale adjusts capacity; Action Groups configure alert responses.

21
Matching · hard

An operations lead must choose the right Azure Monitor target for each requirement. Match each requirement to the Azure component that best satisfies it.

Concepts
Matches

Log Analytics workspace

Storage account

Event Hub

Action group

Why these pairings

Metrics Explorer shows real-time metrics; Action Groups define notification actions; Log Analytics Workspace stores and queries logs; Alert Rules define conditions; Workbooks provide visualizations.

22
Multi-Select · easy

A production VM needs an email and SMS notification when CPU percentage stays above 80 percent for five minutes. Which two Azure Monitor components should the administrator configure? Select two.

Select 2 answers
A. Action group
B. Azure Policy assignment
C. Metric alert rule
D. Recovery Services vault
E. Log Analytics workspace
Answers: A, C

An action group defines the notifications or automated responses sent when an alert fires.

Why this answer

A Metric alert rule monitors the VM’s CPU percentage metric and triggers when the condition (above 80% for 5 minutes) is met. An Action group defines the notification actions (email and SMS) that are executed when the alert fires. Together, they enable the required notification workflow.

Exam trap

The trap here is that candidates may confuse Log Analytics workspace (which can also generate alerts from log queries) with the metric-based alerting required for CPU percentage, or mistakenly think a Recovery Services vault is involved in monitoring notifications.

23
Matching · medium

A backup administrator is learning how Azure VM backup actions map to their purpose. Match each Recovery Services or backup item to the best description.

Concepts
Matches

Central place where Azure VM backups, policies, and recovery points are managed.

Defines when backups run and how long recovery points are retained.

Mounts a recovery point so individual files or folders can be copied back.

Recovers VM disks so they can be attached or used to rebuild a machine.

Overwrites the original VM by restoring it from a chosen recovery point.

Why these pairings

Recovery Services vault stores backups; policy defines schedule; instant snapshot allows fast restore; extension is the agent; restore point is a backup copy; cross-region restore enables DR.

24
MCQ · medium

A help desk analyst wants a query in Log Analytics that returns Azure virtual machines that have stopped sending a heartbeat for more than 15 minutes. Which KQL query should the analyst run?

A. Heartbeat | summarize LastSeen=max(TimeGenerated) by Computer | where LastSeen < ago(15m)
B. AzureActivity | where OperationNameValue contains 'Heartbeat' | summarize count() by ResourceGroup
C. Perf | where CounterName == '% Processor Time' | summarize avg(CounterValue) by Computer
D. SecurityEvent | where EventID == 4624 | summarize count() by Computer
Answer: A

This query uses the Heartbeat table to identify the most recent signal from each VM and filters for machines whose latest heartbeat is older than 15 minutes. That is the correct pattern for detecting VMs that are no longer reporting to Log Analytics or Azure Monitor. It is practical, concise, and directly aligned to troubleshooting agent connectivity or VM availability.

Why this answer

Option A is correct because the Heartbeat table in Log Analytics records a heartbeat signal from Azure Monitor agents every 5 minutes by default. The query uses `summarize` to find the latest `TimeGenerated` per computer, then filters with `where LastSeen < ago(15m)` to identify VMs that have not sent a heartbeat in over 15 minutes, indicating they are likely offline or unresponsive.

Exam trap

The trap here is that candidates may confuse the Heartbeat table with other log tables (AzureActivity, Perf, SecurityEvent) that contain different data types, leading them to pick a query that looks for 'heartbeat' in the wrong table or uses irrelevant metrics like CPU or logon events.

How to eliminate wrong answers

Option B is wrong because the AzureActivity table tracks Azure resource management operations (e.g., create, delete), not agent heartbeats; filtering for 'Heartbeat' in OperationNameValue would not return meaningful data for VM connectivity. Option C is wrong because the Perf table stores performance counters like '% Processor Time', which does not indicate VM heartbeat status; it measures CPU usage, not agent connectivity. Option D is wrong because the SecurityEvent table logs Windows security events such as logon attempts (EventID 4624), which are unrelated to agent heartbeats and cannot determine if a VM has stopped sending heartbeats.

25
MCQ · hard

You need to collect performance counters and event logs from multiple Azure virtual machines and query the data centrally by using Kusto Query Language. Which Azure resource should you deploy?

A. A Log Analytics workspace
B. A Recovery Services vault
C. Azure Network Watcher
Answer: A

A Log Analytics workspace is the central platform for Azure Monitor Logs and KQL queries.

Why this answer

A Log Analytics workspace is the correct Azure resource because it ingests performance counters and event logs from Azure virtual machines via the Azure Monitor agent or the legacy Log Analytics agent, and stores them in a centralized repository. You can then query this data using Kusto Query Language (KQL) to perform real-time analysis, troubleshooting, and reporting across multiple VMs.

Exam trap

The trap here is that candidates often confuse Azure Monitor with Azure Backup or network monitoring tools, mistakenly thinking a Recovery Services vault or Network Watcher can store and query log data, when in fact only a Log Analytics workspace provides the centralized KQL-based querying capability for performance counters and event logs.

How to eliminate wrong answers

Option B is wrong because a Recovery Services vault is used for Azure Backup and Azure Site Recovery scenarios, such as backing up VMs or replicating them to another region, not for collecting and querying performance counters or event logs. Option C is wrong because Azure Network Watcher provides network-level monitoring and diagnostics (e.g., packet capture, NSG flow logs, connection troubleshoot), but it does not ingest OS-level performance counters or event logs, nor does it support KQL-based querying. Option D is wrong because a load balancer distributes incoming network traffic across backend resources and does not collect or store performance counters or event logs for querying.

26
Multi-Select · easy

A subscription admin wants to investigate who changed a resource and also review the platform-generated events for that subscription. Which two types of logs can be sent to Log Analytics and queried later? Select two.

Select 2 answers
A. Activity log entries
B. Resource diagnostic logs
C. Azure Backup vault names
D. Virtual network address spaces
E. Managed disk size settings
Answers: A, B

Activity logs record subscription-level events such as create, update, and delete operations.

Why this answer

The Activity log (option A) records subscription-level events such as who created, modified, or deleted a resource, making it essential for investigating administrative changes. Resource diagnostic logs (option B) capture platform-generated events emitted by a resource itself (e.g., Azure SQL Database audit logs, network security group flow logs), which can be sent to Log Analytics for querying. Both log types can be configured to stream to a Log Analytics workspace, enabling Kusto Query Language (KQL) analysis.

Exam trap

The trap here is that candidates often confuse resource diagnostic logs (which are platform-generated events from the resource) with Activity logs (which are subscription-level administrative events), and mistakenly think configuration properties like disk sizes or address spaces are loggable events.

27
Multi-Select · easy

A support engineer is narrowing a Log Analytics query to only failed backup jobs and wants to show only the needed columns. Which two KQL operators should they use? Select two.

Select 2 answers
A. extend
B. join
C. project
D. summarize
E. where
Answers: C, E

Project keeps only the columns you want to display in the query results.

Why this answer

The `where` operator filters rows based on a condition, so it is used to narrow results to only failed backup jobs (e.g., `where Status == "Failed"`). The `project` operator selects a subset of columns, allowing the engineer to display only the needed columns (e.g., `project JobName, Status, StartTime`). Together, they achieve both row filtering and column selection in a Kusto Query Language (KQL) query.

Exam trap

The trap here is that candidates often confuse `project` with `extend` (thinking both are for column manipulation) or incorrectly assume `summarize` can filter rows, when in fact `summarize` aggregates and loses row-level detail.

28
MCQ · medium

You want Azure to recommend ways to reduce cost, improve performance, and strengthen security across your subscriptions. Which service should you use?

A. Azure Advisor
B. Azure Policy
C. Azure Backup
D. Virtual network peering
Answer: A

Azure Advisor is the service designed to provide optimization recommendations across these categories.

Why this answer

Azure Advisor is the correct service because it provides personalized recommendations across your Azure subscriptions to optimize for cost, performance, reliability, and security. It analyzes your resource configuration and usage telemetry, then generates actionable recommendations such as right-sizing underutilized VMs, enabling geo-redundant storage, or applying security rules. This directly matches the question's requirement for a unified tool that suggests improvements in all three areas.

Exam trap

The trap here is that candidates often confuse Azure Advisor (a recommendation engine) with Azure Policy (a governance enforcement tool), mistakenly thinking Policy can also suggest cost or performance improvements when it only enforces rules and audits compliance.

How to eliminate wrong answers

Option B (Azure Policy) is wrong because it enforces compliance rules and governance (e.g., tagging, allowed regions) rather than analyzing existing resources to recommend cost, performance, or security improvements. Option C (Azure Backup) is wrong because it is a data protection service for backup and disaster recovery, not a recommendation engine for optimization. Option D (Virtual network peering) is wrong because it is a networking feature that connects VNets for low-latency communication, not a service that provides cost, performance, or security recommendations.

29
Multi-Select · medium

A help desk analyst needs a KQL query that identifies each VM's most recent heartbeat so computers can be flagged if their last check-in is older than 20 minutes. Which two KQL elements should be used? Select two.

Select 2 answers
A. Query the Heartbeat table, because it stores the heartbeat records for Azure VMs.
B. Summarize max(TimeGenerated) by Computer to get the most recent heartbeat per VM.
C. Join the results to AzureActivity to calculate service health.
D. Filter where TimeGenerated is older than 20 minutes before summarizing.
E. Use the Perf table because it stores heartbeat timestamps.
Answers: A, B

Heartbeat is the log source that records the VM check-in data required for this troubleshooting query.

Why this answer

Option A is correct because the Heartbeat table in Azure Monitor Logs (Log Analytics) is specifically designed to store heartbeat records from Azure Monitor Agent (AMA) or the legacy Log Analytics agent. Each heartbeat record contains a TimeGenerated timestamp, making it the authoritative source for determining when a VM last reported its health status.

Exam trap

The trap here is that candidates mistakenly think filtering before summarizing is more efficient, but doing so removes the very data needed to identify the most recent heartbeat, leading to incorrect results.

30
Multi-Select · easy

You want to send a storage account's platform logs to a workspace so they can be queried with KQL later. Which two items are part of the required configuration? Select two.

Select 2 answers
A. Diagnostic settings on the storage account
B. A Log Analytics workspace
C. A network security group
D. A Recovery Services vault
E. An availability zone assignment
Answers: A, B

Diagnostic settings control which logs and metrics are exported from the resource.

Why this answer

A is correct because diagnostic settings on the storage account are the mechanism that defines which platform logs (e.g., storage read/write/delete operations) are collected and where they are sent. Without configuring diagnostic settings, the storage account does not emit logs to any destination. B is correct because a Log Analytics workspace is the required destination for storing the logs so they can be queried with KQL; it provides the ingestion and retention infrastructure for log analytics.

Exam trap

The trap here is that candidates often confuse the destination (Log Analytics workspace) with the source configuration (diagnostic settings), or mistakenly think that network-level components like NSGs or redundancy features like availability zones are involved in log routing.

31
MCQ · medium

You need to collect guest operating system performance counters and Windows event logs from several Azure virtual machines into a central queryable platform. Which Azure component should you configure?

A. A Log Analytics workspace
B. A Recovery Services vault
C. An Azure Policy initiative
D. A route table
Answer: A

A Log Analytics workspace centralizes collected data for querying and retention.

Why this answer

A Log Analytics workspace is the correct Azure component for collecting guest OS performance counters and Windows event logs from Azure VMs. It serves as a central repository where diagnostic data from Azure Monitor agents (such as the Log Analytics agent or Azure Monitor Agent) is ingested, stored, and made available for querying via Kusto Query Language (KQL). This enables you to analyze performance metrics and event logs across multiple VMs in a unified, queryable platform.

Exam trap

The trap here is that candidates often confuse a Log Analytics workspace with a Recovery Services vault, mistakenly thinking that backup vaults can also store and query performance data, when in fact Recovery Services vaults are solely for backup and disaster recovery operations.

How to eliminate wrong answers

Option B is wrong because a Recovery Services vault is used for backup and disaster recovery scenarios (e.g., Azure Backup, Site Recovery), not for collecting and querying guest OS performance counters or event logs. Option C is wrong because an Azure Policy initiative is a set of policies used to enforce compliance and governance rules (e.g., requiring specific tags or encryption), not a data collection or querying platform. Option D is wrong because a route table controls network traffic routing between subnets and virtual networks, and has no capability to ingest, store, or query performance counters or event logs.

32
Matching · medium

An administrator is comparing Azure monitoring data sources and destinations during an investigation. Match each item to the best operational use.

Concepts
Matches

Shows subscription-level management events such as deployments, deletes, and role assignments.

Provide detailed, service-specific telemetry from an Azure resource after diagnostics are enabled.

Capture near-real-time numeric measurements used for charts and threshold-based alerts.

Stores data that can be searched and correlated with KQL queries.

Provides official Azure platform incident and maintenance information.

Why these pairings

Activity Log tracks management events; Metrics provide numeric performance data; Logs workspace enables cross-resource log analysis; Application Insights monitors app performance; Alerts trigger notifications; Workbooks combine data into dashboards.

33
MCQ · medium

You need to notify the operations team by email when average CPU utilization on VM-App01 exceeds 80 percent for 15 minutes. Which Azure Monitor components should you configure?

A. A metric alert and an action group
B. An activity log alert only
C. A resource lock and Azure Advisor
D. A budget alert
Answer: A

The metric alert detects the threshold breach and the action group sends the email.

Why this answer

A metric alert monitors a specific performance metric (like CPU utilization) and triggers when a threshold is exceeded for a defined duration. An action group defines the notification action (e.g., sending an email) when the alert fires. Together, they meet the requirement to email the operations team when average CPU exceeds 80% for 15 minutes.

Exam trap

The trap here is confusing metric alerts (for performance data) with activity log alerts (for resource operations), leading candidates to choose an activity log alert when the requirement is about a performance metric like CPU utilization.

How to eliminate wrong answers

Option B is wrong because an activity log alert monitors changes to Azure resources (e.g., VM creation or deletion), not performance metrics like CPU utilization. Option C is wrong because a resource lock prevents accidental deletion or modification of resources, and Azure Advisor provides optimization recommendations; neither monitors CPU thresholds or sends email notifications. Option D is wrong because a budget alert monitors Azure spending against a cost budget, not VM performance metrics.

34
Multi-Select · easy

A user deleted a single document from a backed-up Windows VM. Which two Azure Backup actions are appropriate if only that file must be recovered? Select two.

Select 2 answers
A. Use file recovery from the backup point
B. Mount the recovery point and copy the file back
C. Recreate the VM in another region
D. Change the VM size
E. Disable the backup policy
Answers: A, B

File recovery lets you retrieve individual files from a backup point without restoring the whole VM.

Why this answer

Option A is correct because Azure Backup provides file-level recovery for Windows VMs via the 'File Recovery' option in the Recovery Services vault. This allows you to mount the recovery point as a drive on the VM (using iSCSI) and directly copy the deleted file back to its original location without restoring the entire VM. Option B is also correct because mounting the recovery point (via the same file recovery process) and copying the file back is the exact mechanism used; the two options describe the same action from different perspectives.

Exam trap

The trap here is that candidates may think file recovery requires a full VM restore or that mounting the recovery point is a separate, unsupported action, when in fact both options describe the same Azure Backup feature.

35
Multi-Select · easy

Which two statements about a Log Analytics workspace are correct? Select two.

Select 2 answers
A. It can store logs collected from Azure resources
B. It supports KQL queries
C. It creates backups of Azure virtual machines
D. It assigns permissions to Azure resources at scope
E. It blocks resource creation that violates a rule
Answers: A, B

The workspace is a central store for logs ingested from Azure services and devices.

Why this answer

Option A is correct because a Log Analytics workspace is a centralized repository that can ingest and store log data from various Azure resources, including virtual machines, Azure Activity logs, and resource diagnostics, enabling monitoring and analysis. Option B is correct because Log Analytics workspaces support Kusto Query Language (KQL) queries, which allow users to perform complex searches, aggregations, and visualizations on the stored log data.

Exam trap

The trap here is that candidates often confuse the monitoring and log storage capabilities of Log Analytics workspaces with other Azure services like Azure Backup, Azure Policy, or RBAC, leading them to select options that describe those separate services instead.

36
MCQ · hard

A production VM must generate an alert when average CPU exceeds 80 percent for 10 minutes. The alert must be evaluated continuously, but email notifications should be suppressed outside 08:00 to 18:00 on weekdays. What should the administrator configure?

A. A log query alert only, with the query scheduled to run during business hours
B. A metric alert rule with an action group and an alert processing rule that suppresses actions outside business hours
C. A diagnostic setting that sends CPU logs to a storage account and a Logic App for email delivery
D. An action group with an email receiver and a virtual machine extension to pause the workload outside business hours
Answer: B

A metric alert keeps evaluating all day and night, while an alert processing rule can mute notifications during the excluded time window without disabling detection.

Why this answer

Option B is correct because it combines a metric alert rule (which continuously evaluates the CPU threshold) with an alert processing rule that suppresses notifications outside business hours. The metric alert rule evaluates every minute by default, meeting the 'continuously evaluated' requirement, while the alert processing rule (formerly action rule) allows you to suppress actions based on a schedule without altering the alert rule itself.

Exam trap

The trap here is that candidates often confuse alert processing rules with action group schedules or diagnostic settings, failing to realize that alert processing rules are the correct mechanism to suppress notifications based on time without altering the alert rule's evaluation frequency.

How to eliminate wrong answers

Option A is wrong because a log query alert runs on a scheduled interval (e.g., every 5 minutes) and does not provide continuous evaluation; it also cannot natively suppress notifications based on time of day without additional logic. Option C is wrong because sending CPU logs to a storage account and using a Logic App for email delivery adds unnecessary complexity and latency, and does not provide the built-in continuous evaluation and suppression capabilities of metric alerts and alert processing rules. Option D is wrong because an action group with an email receiver and a VM extension to pause the workload does not address the requirement to suppress email notifications outside business hours; pausing the workload is an overreaction and not a suppression mechanism.

37
Multi-Select · hard

A production Azure VM farm runs customer-facing APIs. Operations wants an automatic notification when the average Percentage CPU on any VM stays above 85 percent for 10 minutes, and the notification must reach both email and SMS recipients. Which two Azure Monitor items must be configured? Select two.

Select 2 answers
A. Metric alert rule
B. Action group
C. Diagnostic setting
D. Workbook
E. Service health alert
Answers: A, B

Metric alert rules evaluate numeric platform metrics and trigger when thresholds are crossed.

Why this answer

A Metric alert rule is correct because it monitors the 'Percentage CPU' metric on Azure VMs and can trigger when the average value exceeds 85% for a duration of 10 minutes. This rule evaluates the metric over a specified time window and fires an alert based on the threshold condition, meeting the requirement for automatic notification based on performance metrics.

Exam trap

The trap here is that candidates often confuse a Metric alert rule with a Diagnostic setting, thinking that streaming metrics to a destination automatically triggers notifications, or they mistakenly select a Service health alert because they associate 'notification' with Azure service health, not VM-level performance.

38
MCQ · medium

Based on the exhibit, the OS disk on a production VM is corrupted, but the VM must stay in place and keep its NIC and data disks. Which restore option should you choose?

A. Restore the VM as a new virtual machine and delete the existing one immediately.
B. Restore the disk, then attach or swap it as needed to repair the existing VM.
C. Use Azure Monitor to roll back the last deployment automatically.
D. Enable a diagnostic setting on the VM so the OS disk will be repaired.
Answer: B

When the VM still exists but one disk is corrupted, restoring the disk is the correct approach. It lets you recover the damaged OS disk from a backup point and then attach or swap it without rebuilding the VM identity, NIC, or data disk layout. This is a common recovery pattern for targeted repair.

Why this answer

Option B is correct because when an OS disk is corrupted, you can restore just the disk from a recovery point and then either attach it as a data disk to the existing VM or swap the OS disk. This approach preserves the VM's NIC, data disks, and IP configuration, meeting the requirement to keep the VM in place.

Exam trap

The trap here is that candidates often confuse Azure Monitor with Azure Backup or Site Recovery, assuming monitoring can perform recovery actions, when in fact only backup-based disk restoration can repair a corrupted OS disk while keeping the VM in place.

How to eliminate wrong answers

Option A is wrong because restoring the VM as a new virtual machine and deleting the existing one would change the VM's identity, potentially losing the NIC and data disk attachments, and does not keep the VM in place. Option C is wrong because Azure Monitor is a monitoring and alerting service, not a deployment rollback tool; it cannot automatically roll back a deployment or repair a corrupted OS disk. Option D is wrong because diagnostic settings on a VM only collect logs and metrics; they do not have any capability to repair a corrupted OS disk.

39
MCQ · easy

An administrator accidentally deletes a VM backup item from a Recovery Services vault. The company wants a built-in protection feature that helps recover the deleted backup item during the retention window. Which feature is this?

A. Archive tier
B. Availability zones
C. Private endpoint
D. Soft delete
Answer: D

Soft delete keeps a deleted backup item recoverable for a period of time, giving administrators a safety net after accidental deletion.

Why this answer

Soft delete is a built-in protection feature for Azure Recovery Services vaults that preserves deleted backup data for an additional 14 days (default retention period) after deletion. When a backup item is accidentally deleted, soft delete retains the data in a 'soft deleted' state, allowing administrators to recover it within the retention window before permanent deletion occurs. This feature is enabled by default for new vaults and helps prevent data loss from accidental or malicious deletions.

Exam trap

The trap here is that candidates may confuse soft delete with other data protection features like archive tier or private endpoint, not realizing that soft delete is specifically designed to recover accidentally deleted backup items within the retention window.

How to eliminate wrong answers

Option A is wrong because Archive tier is a backup storage tier for long-term retention of infrequently accessed data, not a feature for recovering deleted backup items. Option B is wrong because Availability zones are a high-availability infrastructure feature that protects Azure resources from datacenter failures, not a backup recovery mechanism. Option C is wrong because Private endpoint provides secure connectivity to the Recovery Services vault over a private IP address in a virtual network, not a data recovery feature for deleted backups.

40
MCQ · medium

Based on the exhibit, the backup policy must support 30-day recovery for daily backups while keeping 12 months of monthly copies. Which setting should be changed?

A. Increase daily retention from 7 days to 30 days.
B. Increase weekly retention from 4 weeks to 30 weeks.
C. Change the backup schedule to every 30 days.
D. Turn on archive tier for the backup policy.
Answer: A

The requirement is specifically about being able to recover recent daily backups for 30 days. Increasing the daily retention period directly satisfies that need without changing the already acceptable monthly retention.

Why this answer

The backup policy currently has daily retention set to 7 days, which only keeps daily recovery points for a week. To meet the requirement of 30-day recovery for daily backups, you must increase the daily retention to 30 days. This ensures that each daily backup is retained for 30 days, allowing point-in-time recovery within that window.

Exam trap

The trap here is that candidates may confuse retention duration with backup frequency or assume that archive tier extends retention, when in fact archive tier only changes storage tier without altering the retention count.

How to eliminate wrong answers

Option B is wrong because increasing weekly retention from 4 weeks to 30 weeks would retain weekly backups for 30 weeks, but the requirement is for daily backups to be recoverable for 30 days, not weekly backups. Option C is wrong because changing the backup schedule to every 30 days would only create one backup every 30 days, which fails the requirement for daily backups. Option D is wrong because turning on archive tier moves older backups to cold storage for long-term retention, but it does not change the retention duration of daily backups; it only affects cost and access latency, not the recovery window.

41
MCQ · easy

Based on the exhibit, which restore option should the administrator choose?

A. Recreate VM, because it restores the entire virtual machine from the backup point.
B. File recovery, because it restores individual files or folders from the VM backup.
C. Backup policy, because it defines which files are included in the restore operation.
D. Recovery point, because it is the portal action used to mount a deleted file directly.
Answer: B

File recovery is the right choice when only specific files or folders must be restored from an Azure VM backup. The exhibit states that one Excel file was deleted and the rest of the VM should remain unchanged, which matches file-level recovery exactly.

Why this answer

File recovery is the correct option because the administrator needs to restore a specific deleted file from a VM backup without restoring the entire VM. Azure Backup's file-level recovery allows mounting the backup as a drive (via iSCSI) to browse and copy individual files or folders, which directly addresses the requirement.

Exam trap

The trap here is that candidates may confuse 'Recreate VM' (a full restore) with the more granular file-level recovery, assuming that any restore of a deleted file requires rebuilding the entire VM, when in fact Azure Backup provides a direct file recovery option.

How to eliminate wrong answers

Option A is wrong because 'Recreate VM' restores the entire virtual machine from the backup point, which is overkill and unnecessary when only a single file needs to be recovered. Option C is wrong because 'Backup policy' defines the schedule and retention of backups, not the restore operation or file selection. Option D is wrong because 'Recovery point' is the backup snapshot itself, not an action; mounting a deleted file directly is not a portal action, but file recovery is the feature that enables this.

42
Multi-Select · easy

A team wants daily Azure VM backups with a 30-day retention period. Which two settings are configured in the backup policy? Select two.

Select 2 answers
A. Backup schedule
B. Log Analytics workspace
C. Retention rules
D. Private endpoint
E. Metric alert threshold
Answers: A, C

The backup schedule controls how often Azure Backup creates recovery points.

Why this answer

Option A is correct because a backup policy for Azure VM backups must include a backup schedule that defines when the backup job runs (e.g., daily at a specific time). This schedule triggers the Azure Backup service to create recovery points for the VM. Without a schedule, the backup policy cannot automate the creation of backups.

Exam trap

The trap here is that candidates often confuse the backup policy settings (schedule and retention) with other Azure features like monitoring (Log Analytics) or networking (private endpoints), leading them to select irrelevant options.

43
Multi-Select · hard

An application depends on a regional Azure service. Operations wants an automatic notification if Microsoft posts an incident that affects only the region where the app runs, even when the individual VMs remain healthy. Which two Azure Monitor capabilities should be configured? Select two.

Select 2 answers
A. Service health alert
B. Action group
C. Metric alert rule
D. Log Analytics query
E. Resource lock
Answers: A, B

Service health alerts notify you about Azure platform incidents, maintenance, and advisories.

Why this answer

A Service health alert is correct because it monitors for service incidents, maintenance, and health advisories published by Azure for a specific region or service. When Microsoft posts an incident affecting only the region where the application runs, the alert triggers automatically, even if individual VMs remain healthy. This meets the requirement for automatic notification of regional Azure service incidents.

Exam trap

The trap here is that candidates often confuse Metric alerts (which monitor resource performance) with Service Health alerts (which monitor Azure platform incidents), leading them to select Metric alert rule instead of Service health alert.

44
Matching · hard

During a compliance review, the team must distinguish what each Azure Monitor object can and cannot do. Match each object to its primary operational scope.

Evaluates resource performance data such as CPU, latency, or disk metrics.

Watches subscription-level control-plane events such as deletes or policy changes.

Runs a KQL query against workspace data and alerts on the result.

Exports resource telemetry off the resource for storage or analysis.

Serves as the reusable response target for notifications and automation.

Why these pairings

Metrics collect numeric time-series data; Logs collect text logs for querying; Application Insights monitors web apps; Activity Log records subscription events; Diagnostic Logs capture resource logs; Service Health provides service incident info.

45
MCQ · easy

Based on the exhibit, what should the administrator add to send an email and SMS notification?

A. An action group with email and SMS receivers.
B. A Log Analytics workspace connected to the virtual machine.
C. A backup recovery point for the virtual machine.
D. A private endpoint for the virtual machine.
Answer: A

Action groups define how Azure Monitor sends notifications. Adding one with email and SMS receivers gives the alert rule the response path it currently lacks.

Why this answer

To send email and SMS notifications from an Azure Monitor alert, you must configure an action group. An action group defines the notification channels (e.g., email, SMS, webhook) and their respective receivers. When the alert rule triggers, Azure Monitor invokes the action group to deliver the notifications.

Without an action group, the alert rule has no mechanism to send email or SMS.

Exam trap

The trap here is that candidates may confuse a Log Analytics workspace (which can trigger alerts based on log queries) with the actual notification delivery mechanism, forgetting that an action group is required to define how and where the alert notification is sent.

How to eliminate wrong answers

Option B is wrong because a Log Analytics workspace is used for collecting and analyzing log data, not for sending notifications. Option C is wrong because a backup recovery point is a snapshot of the virtual machine's data for restore purposes; it does not provide any notification capability. Option D is wrong because a private endpoint enables secure network connectivity to Azure services over a private IP address; it has no role in sending email or SMS alerts.

46
MCQ · medium

A user deleted one Excel file from a Windows Server VM that is protected by Azure Backup. The VM must keep running, and the administrator must restore only that file as quickly as possible. What should the administrator do?

A. Restore the entire virtual machine from the most recent recovery point.
B. Use File Recovery from the Recovery Services vault, mount the recovery point, and copy back the deleted file.
C. Fail over the VM by using Azure Site Recovery and then copy the file from the replica.
D. Create a snapshot of the VM disk and restore the spreadsheet from the snapshot.
Answer: B

File Recovery is designed for this exact scenario. It mounts a backup recovery point so the administrator can browse the contents and copy back only the missing file, while the production VM continues running without a full restore.

Why this answer

Azure Backup for Azure VMs supports file-level recovery from recovery points without restoring the entire VM. The File Recovery feature mounts the recovery point as an iSCSI target on the VM, allowing the administrator to browse and copy the deleted Excel file directly. This is the fastest method because it avoids the overhead of a full VM restore or snapshot management.

Exam trap

The trap here is that candidates may assume a full VM restore is required for any file recovery, overlooking the Azure Backup File Recovery feature which provides granular, in-place restoration without disrupting the running VM.

How to eliminate wrong answers

Option A is wrong because restoring the entire VM is unnecessary and time-consuming; it would require stopping the VM or creating a new VM, which violates the requirement to keep the VM running. Option C is wrong because Azure Site Recovery is designed for disaster recovery and failover, not for granular file restoration from backup; it would involve failing over to a replica VM, which is excessive and not intended for single-file recovery. Option D is wrong because creating a snapshot of the VM disk is a manual process that requires stopping the VM or using a crash-consistent snapshot, and then attaching the snapshot to another VM to extract the file, which is slower and more complex than using the built-in File Recovery feature.

47
MCQ · hard

You need to collect Windows event logs and performance counters from multiple Azure virtual machines and query the data centrally by using Kusto Query Language. Which Azure resource should you deploy?

A. A Log Analytics workspace
B. A Recovery Services vault
C. Azure Network Watcher
Answer: A

A Log Analytics workspace stores and enables KQL querying of collected monitoring data.

Why this answer

A Log Analytics workspace is the correct resource because it serves as the central repository for collecting diagnostic data such as Windows event logs and performance counters from Azure VMs. Once collected, you can query this data using Kusto Query Language (KQL) to perform advanced analysis and monitoring. This aligns directly with the requirement to centrally query the data using KQL.

Exam trap

The trap here is that candidates often confuse a Log Analytics workspace with a Recovery Services vault because both involve data storage, but the vault is strictly for backup/recovery data, not for operational log analytics.

How to eliminate wrong answers

Option B is wrong because a Recovery Services vault is designed for backup and disaster recovery scenarios, such as Azure Backup and Azure Site Recovery, not for collecting and querying operational logs or performance counters. Option C is wrong because Azure Network Watcher provides network-level monitoring and diagnostics tools (e.g., packet capture, NSG flow logs, connection troubleshoot) but does not ingest Windows event logs or performance counters for KQL-based querying. Option D is wrong because a load balancer distributes incoming network traffic across backend resources and does not have any capability to collect or store log data for querying with KQL.

48
MCQ · easy

Based on the exhibit, a metric alert already exists for VM01, but the on-call team never receives an email when CPU exceeds 80% for 5 minutes. What should you configure to deliver the notification?

A. Create a diagnostic setting on VM01 to export metrics to Log Analytics.
B. Add an action group to the alert rule and configure email delivery.
C. Assign the Reader role to the on-call team so they can view the alert.
D. Create a resource lock on VM01 to prevent accidental changes.
Answer: B

Action groups define who is notified and how when an alert fires, including email.

Why this answer

The alert rule exists, but no notification action is configured. An action group defines how to notify administrators (e.g., email, SMS, webhook). Adding an action group with an email action to the existing alert rule will deliver the email when the CPU threshold is breached.

Exam trap

The trap here is that candidates confuse diagnostic settings (which export data) with action groups (which deliver notifications), or assume that simply creating an alert rule automatically sends notifications without an explicit action group.

How to eliminate wrong answers

Option A is wrong because diagnostic settings export metrics to Log Analytics for analysis or retention; they do not trigger notifications. Option C is wrong because the Reader role only grants read access to resources; it does not enable email delivery or alert notifications. Option D is wrong because a resource lock prevents accidental deletion or modification of VM01; it has no effect on alert notifications.

49
MCQ · hard

A security team needs to investigate future configuration changes on a storage account and subscription-level control-plane changes in one place by using KQL. The team already created a Log Analytics workspace. What else must the administrator configure so the required logs are queryable in that workspace?

A. Enable only the Azure Activity log export and skip resource diagnostic settings.
B. Configure diagnostic settings on the storage account and export the subscription Activity log to the same workspace.
C. Install the Azure Monitor Agent on the storage account so it can send its own logs.
D. Create separate workspaces for each resource and query them independently.
Answer: B

Resource logs from the storage account are collected through diagnostic settings, while control-plane events at subscription scope come from the Activity log. Sending both to the same Log Analytics workspace makes the data available for a single KQL investigation workflow, which is what the requirement asks for.

Why this answer

Option B is correct because the Azure Activity log captures subscription-level control-plane events (e.g., resource creation, policy changes), and diagnostic settings on the storage account capture resource-level control-plane and data-plane changes. By exporting both to the same Log Analytics workspace, the security team can query all future configuration changes in one place using KQL, meeting the requirement without needing separate workspaces or agents.

Exam trap

The trap here is that candidates assume the Activity log alone covers all control-plane changes, but it only captures subscription-level events, not resource-specific configuration changes, which require separate diagnostic settings on each resource.

How to eliminate wrong answers

Option A is wrong because enabling only the Activity log export omits storage-account-specific configuration changes (e.g., blob soft-delete settings, network rules), which require resource diagnostic settings on the storage account itself. Option C is wrong because the Azure Monitor Agent (AMA) is designed for OS-level metrics and logs from virtual machines, not for capturing control-plane changes on Azure resources like a storage account; control-plane logs are emitted via Azure Resource Manager and require diagnostic settings. Option D is wrong because creating separate workspaces would prevent querying both log sources in one place using KQL, directly contradicting the requirement for unified querying.

50
MCQ · medium

An admin enables backup on a newly deployed Azure VM, but every backup job fails immediately with a message that the VM agent is not ready. What should the administrator verify first?

A. The VM is placed in an availability zone that supports backup.
B. The Azure VM Agent is installed, running, and able to provision backup-related extensions.
C. The VM has a public IP address assigned for outbound connectivity.
D. The VM is added to a load balancer backend pool.
Answer: B

Azure Backup relies on the VM agent and extensions inside the guest. If the agent is missing, stopped, or unhealthy, backup jobs can fail before a recovery point is created. Verifying the agent first addresses the specific error message.

Why this answer

The Azure VM Agent (also known as the Windows Guest Agent or Linux Agent) is required for the Azure Backup service to install the backup extension (e.g., IaaSBcdrExtension for Windows or SnapshotV2 for Linux). If the agent is not installed, not running, or is in a 'Not Ready' state, the backup extension cannot be provisioned, causing immediate failure. The administrator should first verify that the VM Agent is installed and its status is 'Ready' in the VM's properties.

Exam trap

The trap here is that candidates often assume network connectivity (public IP or load balancer) is the root cause, but the immediate failure message 'VM agent not ready' directly points to the agent status, not network issues.

How to eliminate wrong answers

Option A is wrong because backup functionality is not dependent on availability zones; Azure Backup supports VMs in all availability zones and regions. Option C is wrong because outbound connectivity for backup traffic is handled via Azure Private Endpoint or Service Tag-based network rules, not a public IP address; a public IP is not required for backup to succeed. Option D is wrong because adding a VM to a load balancer backend pool is unrelated to backup operations; load balancers distribute network traffic, not backup jobs.

51
MCQ · hard

Your operations team needs to receive a Microsoft Teams or email notification whenever a production application becomes unavailable. You have already created an availability test in Azure Monitor. What should you configure next?

A. A metric or log alert rule linked to an action group
B. A management group
C. A resource lock
D. A private endpoint
Answer: A

The alert rule detects failure conditions and the action group sends the notification.

Why this answer

An availability test in Azure Monitor detects when an application is unavailable, but it does not inherently trigger notifications. To send a Teams or email alert, you must create a metric or log alert rule that references the availability test's results and link it to an action group, which defines the notification actions (e.g., email, SMS, webhook to Teams). This is the standard Azure Monitor workflow for proactive incident response.

Exam trap

The trap here is that candidates may think an availability test alone sends notifications, but Azure Monitor requires an explicit alert rule linked to an action group to trigger any notification action.

How to eliminate wrong answers

Option B is wrong because a management group is a container for managing multiple subscriptions' governance (e.g., policy, RBAC), not for configuring alerts or notifications. Option C is wrong because a resource lock prevents accidental deletion or modification of resources, but does not enable alerting or notification delivery. Option D is wrong because a private endpoint provides secure network connectivity to Azure services over a private IP, but has no role in alerting or notification configuration.

52
Multi-Select · easy

Which two statements about Azure Backup soft delete are correct? Select two.

Select 2 answers
A. Deleted backup data is retained for a grace period
B. A protected item can be recovered after accidental deletion within that period
C. It permanently deletes backups immediately
D. It changes the VM to a different availability zone
E. It only applies to Azure Policy assignments
Answers: A, B

Soft delete keeps deleted backup data recoverable for a limited time window.

Why this answer

Azure Backup soft delete ensures that deleted backup data is not immediately purged but retained for a default grace period of 14 days. This allows recovery of accidentally deleted backup items, such as Recovery Services vault backup data, without data loss. Option A is correct because the grace period is a core feature of soft delete.

Exam trap

The trap here is that candidates may confuse soft delete with immediate permanent deletion (Option C) or incorrectly associate it with unrelated Azure features like availability zones or Azure Policy, rather than recognizing it as a backup-specific retention mechanism.

53
MCQ · easy

Based on the exhibit, which policy best matches the requirement for daily backups retained for 30 days?

A. A policy with daily backups retained for 7 days.
B. A policy with daily backups retained for 30 days.
C. A policy with weekly backups retained for 30 days.
D. A policy with daily backups retained for 365 days.
Answer: B

This policy matches both parts of the requirement: backups run every day, and each daily recovery point is kept for 30 days. It aligns exactly with the business need shown in the exhibit.

Why this answer

Option B is correct because the requirement explicitly states 'daily backups retained for 30 days.' A backup policy in Azure Backup allows you to define the frequency (daily) and retention duration (30 days) for recovery points. This policy directly matches the requirement without over-retention or under-retention.

Exam trap

The trap here is that candidates often confuse backup frequency with retention duration, or they assume that longer retention is always better, ignoring cost implications and the specific requirement stated in the question.

How to eliminate wrong answers

Option A is wrong because retaining daily backups for only 7 days does not meet the 30-day retention requirement; it would result in data loss after a week. Option C is wrong because it specifies weekly backups, not daily, so it fails to meet the daily backup frequency requirement. Option D is wrong because retaining daily backups for 365 days exceeds the 30-day requirement, leading to unnecessary storage costs and potential confusion in lifecycle management.

54
MCQ · medium

The operations team manages several Azure VMs in one resource group. They need an alert whenever average CPU percentage on any VM in the group stays above 80% for 10 minutes, and the alert must send email and SMS to the on-call team. What should the administrator configure?

A. Create a Log Analytics query alert on the Activity log and manually notify the on-call team.
B. Create an Azure Monitor metric alert rule at the resource-group scope and attach an action group.
C. Export VM diagnostics to a storage account and have operators review the files after each incident.
D. Create a resource lock on the VMs and use Azure Policy to notify the team about CPU spikes.
Answer: B

A metric alert is the right tool for CPU thresholds, and an action group provides the email and SMS notifications. Scoping the alert to the resource group ensures all current VMs are covered without configuring each VM separately.

Why this answer

Option B is correct because Azure Monitor metric alerts can be created at the resource-group scope, which allows a single alert rule to monitor the 'Percentage CPU' metric across all VMs in that group. The alert triggers when the average CPU stays above 80% for 10 minutes (evaluated using a fixed aggregation window). An action group attached to the alert rule sends email and SMS notifications to the on-call team, meeting all requirements without manual intervention.

Exam trap

The trap here is that candidates may think a metric alert must be created per individual VM, but Azure Monitor supports resource-group scoped metric alerts that apply to all resources of the same type within that scope, simplifying management while still meeting the requirement.

How to eliminate wrong answers

Option A is wrong because Log Analytics query alerts on the Activity log capture administrative events (e.g., VM creation/deletion), not performance metrics like CPU usage; they cannot trigger on metric thresholds. Option C is wrong because exporting VM diagnostics to a storage account is a passive archival method that requires operators to manually review files after incidents, failing the requirement for real-time alerting via email/SMS. Option D is wrong because resource locks prevent accidental deletion or modification of resources but do not monitor metrics or send notifications; Azure Policy enforces compliance rules (e.g., tagging) and cannot trigger alerts on CPU spikes.

55
Matching · hard

A VM suffered corruption and an auditor also needs one missing file. Match each Azure Backup restore workflow to the recovery outcome it provides.

Creates a separate virtual machine from the recovery point.

Recovers the managed disks so you can rebuild or inspect the workload manually.

Mounts the recovery point so you can retrieve individual files or folders.

Restores from the paired region when the primary region is unavailable.

Why these pairings

Azure Backup restore workflows: 'Restore VM' creates a new VM, 'Restore files' recovers individual files, 'Restore as unmanaged/managed disks' recovers disks, 'Replace existing VM' overwrites the original, and 'Cross-region restore' restores to another region.

56
Matching · hard

A security analyst is reviewing deleted-resource evidence, exported diagnostics, and heartbeat data. Match each monitoring term to the best description.

Central repository for collected telemetry that you query and analyze over a retention period.

The query language used to filter, summarize, and correlate log records in Azure Monitor.

Subscription-scoped record of Azure control-plane operations such as create, update, and delete.

Alert that evaluates the result of a KQL query on a schedule and fires when conditions are met.

Configuration that sends resource logs and metrics to a workspace, storage account, or Event Hub.

Why these pairings

The monitoring terms relate to Azure Monitor data sources. Deleted-resource evidence comes from activity logs, exported diagnostics are resource logs sent elsewhere, heartbeat data indicates agent health, and the other terms are standard Azure Monitor components.

57
MCQ · medium

A help desk engineer needs a Log Analytics query that returns each computer whose most recent heartbeat is older than 20 minutes. Which query should they use?

A. Heartbeat | where TimeGenerated < ago(20m) | summarize LastSeen = max(TimeGenerated) by Computer
B. Heartbeat | summarize LastSeen = max(TimeGenerated) by Computer | where LastSeen < ago(20m)
C. Heartbeat | summarize count() by Computer | where count_ < 20
D. Heartbeat | where TimeGenerated > ago(20m) | summarize LastSeen = max(TimeGenerated) by Computer
Answer: B

This query first finds the latest heartbeat per computer and then filters for machines whose latest timestamp is older than 20 minutes. That matches the operational requirement exactly and avoids false positives caused by filtering before summarization.

Why this answer

Option B is correct because it first summarizes the most recent heartbeat timestamp for each computer using `max(TimeGenerated)`, then filters for computers where that latest heartbeat is older than 20 minutes with `where LastSeen < ago(20m)`. This ensures only computers that have not sent a heartbeat in the last 20 minutes are returned, which is the exact requirement.

Exam trap

The trap here is that candidates often filter by time first (as in Option A) thinking it will find old heartbeats, but they forget that summarizing after filtering can include computers with recent heartbeats if any old heartbeat exists, whereas the correct approach is to summarize the latest heartbeat per computer first, then filter for staleness.

How to eliminate wrong answers

Option A is wrong because it filters heartbeats to only those older than 20 minutes before summarizing, which would return computers that had an old heartbeat but might also have a recent one—missing the requirement to check the most recent heartbeat. Option C is wrong because it counts heartbeats per computer and filters where the count is less than 20, which has no relation to time—it could return computers with few heartbeats ever, not those with a stale latest heartbeat. Option D is wrong because it filters for heartbeats newer than 20 minutes and then summarizes the max, which would return computers with recent heartbeats, the opposite of what is needed.

58
MCQ · medium

The subscription admin wants to receive an alert whenever anyone deletes a resource group, regardless of which resource type was inside it. Which alert type should be used?

A. A metric alert on the deleted resource group's CPU
B. A log alert on a custom KQL query in a workspace only
C. An activity log alert targeting the delete resource group operation
D. A backup alert from a Recovery Services vault
Answer: C

An activity log alert is the right tool for subscription-level events such as resource group deletion. It monitors the Azure Activity log directly, so it can react as soon as the delete operation is recorded. This avoids depending on resource-specific metrics or a separate workspace query pipeline for a basic administrative event.

Why this answer

Option C is correct because the 'Delete Resource Group' operation is an Azure Resource Manager control-plane action that is automatically logged in the Azure Activity Log. An activity log alert can be configured to fire whenever this specific operation is recorded, regardless of the resource types inside the group. This is the only alert type that directly monitors management-plane events like resource group deletion.

Exam trap

The trap here is that candidates confuse resource-level monitoring (metrics, logs) with control-plane monitoring (Activity Log), and assume a metric or log alert can detect a deletion event, when in fact only an activity log alert natively watches for Azure Resource Manager operations like resource group deletion.

How to eliminate wrong answers

Option A is wrong because a metric alert on CPU monitors performance metrics of a resource, not management-plane operations; once the resource group is deleted, the metric data source no longer exists, so the alert cannot fire. Option B is wrong because a log alert on a custom KQL query in a Log Analytics workspace can only analyze data already ingested into that workspace (e.g., diagnostic logs or resource logs), but the 'Delete Resource Group' operation is an Activity Log event, not a resource log; while you could route Activity Logs to a workspace, the question asks for the alert type directly targeting the operation, and a log alert requires additional configuration and is not the native alert type for Activity Log events. Option D is wrong because a backup alert from a Recovery Services vault monitors backup job failures or warnings, not resource group deletion events.

59
Multi-Select · medium

A production virtual machine must trigger an immediate notification whenever average CPU stays above 85 percent for 15 minutes, and the same event must also start an Azure Function that opens an incident ticket. Which two Azure Monitor components should you configure? Select two.

Select 2 answers
A. Create a metric alert rule on the VM CPU percentage.
B. Add an action group that sends email and invokes the Azure Function.
C. Enable a diagnostic setting on the VM without creating an alert rule.
D. Create a Log Analytics workspace and rely on manual queries only.
E. Apply a resource lock so CPU usage changes are blocked.
Answers: A, B

A metric alert evaluates the VM CPU metric continuously and can fire when the threshold and duration are met.

Why this answer

A metric alert rule on the VM CPU percentage is correct because it monitors the specific metric (Percentage CPU) and triggers when the average exceeds 85% for 15 minutes, meeting the notification requirement. This rule evaluates the metric at regular intervals and fires when the condition is met, which is the standard Azure Monitor approach for real-time metric-based alerts.

Exam trap

The trap here is that candidates might think a diagnostic setting alone can trigger alerts, but diagnostic settings only forward data and do not evaluate conditions, so an alert rule is always required for threshold-based notifications.

60
MCQ · medium

Based on the exhibit, a user deleted one file from a Windows Azure VM. The VM is still running, and the administrator wants to restore only that file instead of recovering the full machine. Which restore approach should be used?

A. Use the VM restore option and overwrite the entire VM.
B. Mount the recovery point and copy the file back to the VM.
C. Increase the VM size and redeploy the workload.
D. Enable a diagnostic setting on the VM and recover the file from logs.
Answer: B

Azure Backup supports file-level recovery by mounting the recovery point so you can browse the backup content and copy back only the missing file. This minimizes impact and avoids replacing the entire VM.

Why this answer

Option B is correct because Azure VM backup allows you to mount a recovery point as a disk on another VM or the same VM, enabling file-level restore without overwriting the entire VM. This approach uses the 'File Recovery' feature of Azure Backup, which presents the recovery point as an iSCSI target that can be mounted and browsed to copy individual files back to the running VM.

Exam trap

The trap here is that candidates may assume file-level recovery requires restoring the entire VM (Option A) or confuse diagnostic logs with backup data (Option D), not realizing that Azure Backup's mount-and-copy feature is specifically designed for granular file recovery from a running VM.

How to eliminate wrong answers

Option A is wrong because using the VM restore option to overwrite the entire VM would replace the current VM state, causing data loss of any changes made after the backup point, and is unnecessary for a single file recovery. Option C is wrong because increasing the VM size and redeploying the workload does not restore any deleted files; it only changes the VM's SKU and potentially reallocates resources, with no impact on file recovery. Option D is wrong because diagnostic settings on a VM capture metrics and logs (e.g., boot diagnostics, performance counters) but do not store file contents; they cannot be used to recover a deleted file.

61
Multi-Select · medium

An operations team needs to know when Azure marks a storage account unavailable because of a regional platform issue, and they also want to detect abnormal service latency on the account itself. Which two alerting approaches should they configure? Select two.

Select 2 answers
A. Create a Resource Health alert for the storage account.
B. Create a metric alert for storage availability or latency on the account.
C. Create an Activity Log alert for every blob write.
D. Send a workbook link in an action group instead of an alert.
E. Turn on Azure Policy compliance scanning for the storage account.
Answers: A, B

Resource Health alerts report when Azure considers the resource unhealthy due to a platform or regional issue.

Why this answer

Option A is correct because a Resource Health alert monitors the health of the storage account from the Azure platform's perspective, triggering when Azure marks the resource as unavailable due to a regional platform issue (e.g., an outage or degradation). This directly addresses the requirement to know when the account is marked unavailable.

Exam trap

The trap here is that candidates may confuse Activity Log alerts (which track control-plane operations) with metric or health alerts (which track data-plane performance and availability), leading them to select option C for monitoring latency or unavailability.

62
MCQ · medium

Based on the exhibit, a subscription activity log is already being sent to Log Analytics. The operations team wants an alert that fires when any resource group is deleted, but it should ignore deletions performed by a known automation account. Which approach should the administrator use?

A.Create a metric alert on CPU percentage for the subscription.
B.Create a log alert using the AzureActivity table and filter out the automation caller.
C.Enable a diagnostic setting on the resource group object.
D.Apply an Azure Policy deny assignment to all deletions.
AnswerB

The deletion event is captured in the AzureActivity table, and the alert should evaluate a KQL query that excludes the known automation account. That provides precise log-based alerting for administrative operations.

Why this answer

Option B is correct because the AzureActivity table in Log Analytics captures all control-plane operations, including resource group deletions. By creating a log alert query that filters on OperationNameValue='MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE' and excludes Caller where it matches the automation account's service principal or object ID, the alert triggers only for non-automation deletions. This approach leverages the existing activity log stream to Log Analytics without additional configuration.

Exam trap

The trap here is that candidates may think a diagnostic setting on the resource group is needed to capture deletion events, but the activity log is already streaming at the subscription level and includes all resource group operations, making the additional setting redundant and incorrect.

How to eliminate wrong answers

Option A is wrong because a metric alert on CPU percentage monitors performance metrics, not control-plane operations like resource group deletions, and cannot filter by caller identity. Option C is wrong because enabling a diagnostic setting on the resource group object streams resource-level logs (e.g., metrics or resource-specific logs) but does not capture the subscription-level activity log events needed to detect deletions; the activity log is already being sent to Log Analytics at the subscription scope. Option D is wrong because an Azure Policy deny assignment prevents deletions from occurring entirely, which would block legitimate automation deletions that the team wants to allow, and it does not provide alerting functionality.

63
MCQ · medium

You need to receive an email when average CPU usage on VM-App01 exceeds 85 percent for 10 minutes. Which Azure Monitor components should you configure?

A. A metric alert and an action group
B. A resource lock and Azure Advisor
C. An activity log alert only
D. A budget alert
Answer: A

This combination detects the threshold breach and sends the notification.

Why this answer

A metric alert monitors a specific Azure resource metric (like CPU percentage) and triggers when a condition (e.g., average > 85%) is met over a specified evaluation period (e.g., 10 minutes). An action group defines the notification actions (e.g., sending an email) when the alert fires. Together, they fulfill the requirement to receive an email based on a performance threshold.

Exam trap

The trap here is confusing metric alerts (for performance metrics) with activity log alerts (for management events) or budget alerts (for cost), leading candidates to pick an option that monitors the wrong type of data.

How to eliminate wrong answers

Option B is wrong because a resource lock prevents accidental deletion or modification of resources, and Azure Advisor provides best-practice recommendations; neither monitors CPU usage or sends email alerts. Option C is wrong because an activity log alert only triggers on Azure management events (e.g., VM creation, restart), not on performance metrics like CPU usage. Option D is wrong because a budget alert monitors Azure spending against cost thresholds, not resource performance metrics.

64
MCQ · medium

In Log Analytics, you want an alert that fires if VM01 has not sent a Heartbeat record in the last 15 minutes. Which query should be used as the alert condition?

A. Heartbeat | where Computer == "VM01" | summarize LastHeartbeat = max(TimeGenerated) | where LastHeartbeat > ago(15m)
B. Heartbeat | where Computer == "VM01" | summarize LastHeartbeat = max(TimeGenerated) | where LastHeartbeat < ago(15m)
C. Heartbeat | where Computer == "VM01" and TimeGenerated > ago(15m) | summarize count() by Computer
D. Heartbeat | where Computer == "VM01" | summarize count() by bin(TimeGenerated, 15m)
Answer: B

This query finds the most recent heartbeat for VM01 and compares it to the 15-minute threshold. If the latest heartbeat is older than that, the query returns a result that can be used to trigger an alert. That directly matches the requirement to detect when the VM has stopped reporting heartbeats.

Why this answer

Option B is correct because the alert must fire when VM01 has *not* sent a Heartbeat in the last 15 minutes. The query uses `max(TimeGenerated)` to find the most recent heartbeat, then filters with `where LastHeartbeat < ago(15m)` to detect records older than 15 minutes. This condition evaluates to true when the last heartbeat is older than the threshold, triggering the alert.

Exam trap

The trap here is that candidates often confuse the comparison operator and choose `>` (greater than) instead of `<` (less than), reading 'last heartbeat > 15 minutes ago' as 'it happened more than 15 minutes ago'. In fact `ago(15m)` returns a timestamp 15 minutes in the past, and a heartbeat older than that has a *smaller* timestamp value.

How to eliminate wrong answers

Option A is wrong because it uses `where LastHeartbeat > ago(15m)`, which fires when the last heartbeat is *within* the last 15 minutes — the opposite of the desired condition. Option C is wrong because it checks for heartbeats *within* the last 15 minutes and then counts them; a count of zero would not fire the alert (Log Analytics alerts on non-zero results by default), and it fails to detect the absence of a heartbeat. Option D is wrong because it counts heartbeats in 15-minute bins but does not compare against a time threshold; it would always return a result for the current bin, even if VM01 has not sent a heartbeat, and does not evaluate the absence condition.

65
Multi-Select · hard

A user deleted a file from an Azure VM, and the administrator wants to use Azure Backup file-level recovery rather than restore the whole VM. Which two prerequisites are required before mounting the recovery point from the portal? Select two.

Select 2 answers
A. Download the vault credentials file
B. Select the appropriate recovery point
C. Provide the storage account access key
D. Assign a public IP address to the VM
E. Create an Azure AD application secret
Answers: A, B

Vault credentials authenticate the temporary mount process used for file-level recovery.

Why this answer

Option A is correct because vault credentials are required to authenticate the portal session to the Recovery Services vault when performing file-level recovery. Option B is correct because you must select a specific recovery point (snapshot) from which to mount the files; the portal uses this point to create an iSCSI target on the VM.

Exam trap

The trap here is that candidates often confuse file-level recovery with restoring a VM from a storage account snapshot, leading them to think a storage account key is needed, when in fact the iSCSI mount uses vault credentials and the Backup service's managed identity.

66
MCQ · hard

A team already has a metric alert on a production VM. The alert should continue evaluating 24/7, but email notifications must be sent only Monday through Friday from 08:00 to 18:00 local time. What should the administrator add or change?

A. Replace the metric alert with a diagnostic setting and store the data in Log Analytics.
B. Create an alert processing rule that suppresses notifications outside business hours.
C. Lower the alert threshold so fewer alerts occur during the week.
D. Use an autoscale profile instead of an alert rule.
Answer: B

An alert processing rule lets you control how alerts are handled without disabling the alert condition itself. That means the metric alert can keep evaluating continuously for history and state changes, while notifications are suppressed outside the approved business hours. This cleanly separates detection from delivery, which is exactly what the requirement describes.

Why this answer

Option B is correct because an alert processing rule (formerly action rule) can suppress notifications for a metric alert based on a schedule. By creating a rule with a suppression action that applies outside business hours (e.g., 18:00 to 08:00 and weekends), the alert continues to evaluate and fire, but email notifications are blocked during those times. This meets the requirement without altering the alert rule itself.

Exam trap

The trap here is that candidates confuse alert processing rules (which modify actions after an alert fires) with alert rules themselves, or incorrectly assume that changing thresholds or using diagnostic settings can control notification timing.

How to eliminate wrong answers

Option A is wrong because a diagnostic setting sends metrics and logs to Log Analytics for analysis, but it does not control notification timing; it replaces the alert with a storage pipeline, not a suppression mechanism. Option C is wrong because lowering the alert threshold reduces the sensitivity of the alert, which would change the evaluation criteria and potentially miss critical issues during business hours; it does not selectively suppress notifications. Option D is wrong because an autoscale profile scales resources based on load, not alert notifications; it is unrelated to email delivery schedules.

67
MCQ · medium

Backup protection was enabled on a new Azure VM, but every backup job fails immediately with a message indicating the guest agent is not ready. What should the administrator verify first?

A. That the Azure VM agent is installed, running, and up to date inside the guest operating system.
B. That the recovery vault uses GZRS storage redundancy.
C. That the VM has a private endpoint to the Recovery Services vault.
D. That a resource lock has not been applied to the VM.
Answer: A

Azure VM Backup depends on the VM agent to coordinate snapshot operations and communicate status back to Azure. If the portal reports that the guest agent is not ready, the first troubleshooting step is to verify that the agent exists, is running, and is current. Fixing the agent often resolves immediate backup failures without changing vault settings, policies, or storage configuration.

Why this answer

The Azure Backup extension requires the Azure VM agent to be installed, running, and up to date inside the guest OS to coordinate backup operations. When the agent is not ready, the backup job fails immediately because the extension cannot communicate with the VM to take snapshots. Verifying the agent's status is the first troubleshooting step before investigating network or configuration issues.

Exam trap

The trap here is that candidates may jump to network or vault configuration issues (like private endpoints or storage redundancy) when the error message explicitly points to the guest agent, which is a common first-check item in Azure Backup troubleshooting.

How to eliminate wrong answers

Option B is wrong because GZRS storage redundancy is a replication setting for the Recovery Services vault that affects data durability, not the guest agent readiness or backup job initiation. Option C is wrong because a private endpoint is used for secure network connectivity to the vault, but its absence does not cause an immediate 'guest agent not ready' error; that error is specific to the VM agent. Option D is wrong because a resource lock prevents deletion or modification of the VM, but it does not interfere with the guest agent's operational state or cause backup jobs to fail with an agent readiness message.

68
MCQ · medium

Based on the exhibit, the support team needs a searchable 90-day history of who deleted Azure resources and when. The current workspace only contains VM guest logs. Which configuration should you add?

A. Enable guest-level diagnostics on each VM so deletion events are captured.
B. Configure a diagnostic setting at the subscription scope to send the Azure Activity log to Log Analytics and retain it for 90 days.
C. Turn on NSG flow logs for all subnets to capture resource deletions.
D. Store VM backups in the vault and use restore points as an audit trail.
Answer: B

The Azure Activity log records control-plane actions like deletes, updates, and role assignments. Exporting it from the subscription to Log Analytics makes those events searchable, and increasing retention gives the team the required 90-day history.

Why this answer

The Azure Activity log records all control-plane events, including resource deletions, at the subscription level. By configuring a diagnostic setting to stream the Activity log to a Log Analytics workspace, you can retain the data for up to 90 days (or longer with data export rules) and make it searchable via KQL queries. The current workspace only contains VM guest logs, so adding this setting directly meets the requirement without relying on guest-level or network-level logs.

Exam trap

The trap here is that candidates confuse guest-level diagnostics (OS logs) with the Azure Activity log (control-plane logs), or assume NSG flow logs or backups can serve as an audit trail for resource deletions, when in fact only the Activity log captures who deleted what and when at the Azure Resource Manager layer.

How to eliminate wrong answers

Option A is wrong because guest-level diagnostics capture OS-level events inside the VM (e.g., application crashes, performance counters), not Azure control-plane operations like resource deletions; deletion events are recorded in the Azure Activity log, not in guest logs. Option C is wrong because NSG flow logs capture network traffic metadata (IPs, ports, protocols) and have no visibility into Azure Resource Manager operations such as deleting resources; they are used for network security analysis, not audit trails of resource lifecycle events. Option D is wrong because VM backups and restore points only capture VM state at a point in time; they do not log who deleted a resource or when, and they cannot provide a searchable history of deletion events across all Azure resource types.

69
MCQ · hard

A Windows VM protected by Azure Backup is missing one application file, but the VM must stay online during recovery. Which restore approach should the administrator use?

A. Restore the entire VM to a new deployment and then copy the file back
B. Use the file recovery option from the Recovery Services vault for the relevant recovery point
C. Trigger an Azure Site Recovery failover to a recovery region
D. Create a new backup policy with a shorter retention period and run the next scheduled backup
Answer: B

File recovery lets you mount a backup recovery point and copy back only the missing file while the VM continues running.

Why this answer

Azure Backup's file recovery option allows you to mount a recovery point as a drive on the running VM without restoring the entire VM or taking it offline. This enables you to copy the missing application file directly from the backup while the VM remains operational, meeting the requirement to stay online.

Exam trap

The trap here is that candidates may confuse Azure Backup's file-level recovery with Azure Site Recovery's failover, or assume that a full VM restore is the only way to access individual files, overlooking the granular mount capability.

How to eliminate wrong answers

Option A is wrong because restoring the entire VM to a new deployment is unnecessary, time-consuming, and may cause IP or name conflicts; it also does not keep the original VM online during the process. Option C is wrong because Azure Site Recovery is designed for disaster recovery and failover to a secondary region, not for granular file-level recovery from backups, and it would require the VM to be failed over, disrupting operations. Option D is wrong because creating a new backup policy with shorter retention does not recover the missing file; it only changes future backup behavior and does not address the immediate recovery need.

70
MCQ · easy

After enabling Azure VM backup, an administrator wants to confirm whether the nightly backup succeeded. Where should the administrator check the backup status?

A. In the Recovery Services vault backup jobs
B. In the VM's network security group
C. In the VM's availability set
D. In the subscription activity log only
Answer: A

Backup jobs in the vault show whether each backup operation completed successfully, failed, or is still running.

Why this answer

The correct place to check backup status is the Recovery Services vault backup jobs. When Azure VM backup is enabled, each backup operation creates a job entry in the associated Recovery Services vault. The 'Backup Jobs' blade within the vault lists all backup jobs, their status (e.g., Completed, Failed, In Progress), and details like start time and error messages.

This is the centralized monitoring point for backup operations, as defined by Azure Backup's job-based monitoring model.

Exam trap

The trap here is that candidates may confuse the subscription activity log (which shows who enabled backup) with the backup job status log, not realizing that backup job details are stored separately in the Recovery Services vault's dedicated backup jobs interface.

How to eliminate wrong answers

Option B is wrong because a VM's network security group (NSG) controls inbound/outbound traffic rules and has no relation to backup job status or history. Option C is wrong because an availability set is a logical grouping for VM fault tolerance and update domains, not a monitoring or logging resource for backup operations. Option D is wrong because while the subscription activity log records resource-level administrative operations (e.g., enabling backup), it does not capture the detailed status of individual backup jobs; backup job status is stored only in the Recovery Services vault's backup jobs interface.

71
MCQ · medium

You want Azure to identify underutilized virtual machines and recommend ways to reduce cost and improve security posture. Which service should you use?

A. Azure Advisor
B. Azure Policy
C. Azure Backup
D. Virtual network peering
Answer: A

Azure Advisor provides recommendations for optimization and improvement.

Why this answer

Azure Advisor analyzes Azure resources and provides recommendations related to cost, security, reliability, performance, and operational excellence.

72
MCQ · medium

Based on the exhibit, you want the resource logs for the storage account to appear in Log Analytics so you can investigate read and write failures. What should you configure?

A. Create a metric alert rule on the storage account and link it to an action group.
B. Add a diagnostic setting that sends resource logs to the Log Analytics workspace.
C. Enable a resource lock so the storage account cannot be modified.
D. Move the storage account to a different subscription that already has Log Analytics enabled.
Answer: B

Diagnostic settings are the Azure Monitor feature used to route platform logs and metrics from a resource to destinations such as Log Analytics. Because the exhibit shows logs are disabled and no destination is configured, adding a diagnostic setting with the workspace selected is the correct way to make read and write events available for querying.

Why this answer

Diagnostic settings in Azure allow you to stream resource logs (such as StorageRead and StorageWrite logs) from a storage account directly to a Log Analytics workspace. By configuring a diagnostic setting with the appropriate log categories enabled, you can query and analyze read and write failures in Log Analytics without additional infrastructure.

Exam trap

The trap here is that candidates often confuse metric alerts (which monitor performance metrics) with diagnostic settings (which collect detailed resource logs), leading them to choose a metric-based solution when the question explicitly asks for log data to investigate failures.

How to eliminate wrong answers

Option A is wrong because a metric alert rule monitors performance metrics (e.g., latency, availability) and triggers actions via an action group, but it does not send resource logs to Log Analytics for investigation of read/write failures. Option C is wrong because a resource lock prevents accidental deletion or modification of the storage account, but it does not enable log collection or analysis. Option D is wrong because moving the storage account to a different subscription does not automatically enable log streaming to Log Analytics; you must still configure a diagnostic setting to send logs to the workspace.

73
Multi-Select · medium

Your company has a hybrid infrastructure with Azure VMs and on-premises servers. You need to configure Azure Monitor to collect and analyze performance and event data from all servers in a centralized workspace. Which three of the following steps are required to achieve this? (Choose three.)

Select 3 answers
A. Deploy the Azure Monitor Agent on both Azure VMs and on-premises servers.
B. Create a Log Analytics workspace in the same Azure region as your Azure VMs.
C. Configure Data Collection Rules (DCRs) to specify which performance counters and events to collect.
D. Install the Microsoft Monitoring Agent (MMA) on all servers and connect to a Log Analytics workspace.
E. Enable Network Watcher to monitor network traffic between on-premises and Azure.
F. Create a VM Insights solution in the Azure portal to automatically collect data from all Azure VMs.

Why this answer

The Azure Monitor Agent (AMA) is the current recommended agent for collecting telemetry from both Azure VMs and on-premises servers, replacing the legacy Microsoft Monitoring Agent (MMA). A Log Analytics workspace is required as the centralized data repository, and Data Collection Rules (DCRs) define exactly which performance counters and events to collect, enabling granular, scalable data ingestion without manual configuration per machine.

Exam trap

The trap here is that candidates often confuse the legacy Microsoft Monitoring Agent (MMA) with the current Azure Monitor Agent, or assume that VM Insights or Network Watcher can replace the need for explicit agent deployment and Data Collection Rules.

74
MCQ · medium

Based on the exhibit, a production VM must send an email and SMS notification if average CPU stays above 85% for 10 minutes. The team created the alert rule, but no one receives notifications when the condition is met. What should the administrator add to the alert rule?

A. Add a diagnostic setting that sends VM metrics to a Log Analytics workspace.
B. Attach an action group that includes email and SMS receivers.
C. Change the alert to use a log query instead of a metric condition.
D. Create a resource lock to prevent changes to the virtual machine.
Answer: B

Azure Monitor alert rules need an action group to trigger notifications or automation when the metric condition is met. The alert already evaluates correctly, but it has no notification target. Adding an action group with email and SMS receivers enables the response the business wants.

Why this answer

The alert rule is correctly configured to trigger when the average CPU exceeds 85% for 10 minutes, but notifications are not being sent because no action group is attached. An action group defines the notification channels (e.g., email, SMS, webhook) that fire when the alert is activated. Without an action group, the alert can fire silently, so the administrator must attach an action group containing the desired email and SMS receivers.

Exam trap

The trap here is that candidates may think the alert rule itself includes notification settings, but Azure separates the alert condition (metric/log) from the notification mechanism (action group), so you must explicitly attach an action group to receive alerts.

How to eliminate wrong answers

Option A is wrong because a diagnostic setting sends VM metrics to a Log Analytics workspace for analysis or archival, but it does not trigger notifications; notifications require an action group. Option C is wrong because the condition is already a metric (CPU percentage), and changing to a log query would require log data ingestion and is unnecessary; the existing metric alert is the correct approach for real-time CPU thresholds. Option D is wrong because a resource lock prevents accidental deletion or modification of the VM, but it has no effect on alert notifications.

75
MCQ · medium

Based on the exhibit, compliance requires one backup every week to be kept for 52 weeks, in addition to the daily backups already configured. What should you change in the backup policy?

A. Increase the daily retention from 30 days to 365 days.
B. Add a weekly retention rule that keeps one weekly recovery point for 52 weeks.
C. Change the vault to use soft delete so backups are retained for 52 weeks.
D. Create a metric alert to warn the team when backups are older than seven days.
Answer: B

The requirement is specific: keep one backup each week for a year. That is a weekly retention requirement, not just longer daily retention. Adding a weekly retention rule to the Azure Backup policy satisfies the compliance need while preserving the existing daily backups for operational recovery.

Why this answer

The requirement is to retain one weekly backup for 52 weeks, in addition to the existing daily backups. Adding a weekly retention rule that keeps one recovery point per week for 52 weeks directly satisfies this requirement by ensuring that each weekly backup is retained for the full year, while daily backups remain unaffected. This is the correct approach because Azure Backup allows granular retention policies with multiple rules for different frequencies (daily, weekly, monthly, yearly).

Exam trap

The trap here is that candidates often confuse retention duration with backup frequency, mistakenly thinking that increasing daily retention to 365 days will satisfy the weekly requirement, when in fact it would retain all daily backups instead of just one per week.

How to eliminate wrong answers

Option A is wrong because increasing daily retention to 365 days would keep every daily backup for a year, not just one per week, which violates the compliance requirement of keeping only one weekly backup for 52 weeks and would significantly increase storage costs. Option C is wrong because soft delete is a data protection feature that prevents permanent deletion of backups for a configurable period (default 14 days), but it does not control retention duration or create weekly recovery points; it is unrelated to meeting the 52-week weekly retention requirement. Option D is wrong because a metric alert for backups older than seven days is a monitoring tool that notifies the team but does not change the backup policy to retain weekly backups for 52 weeks; it cannot enforce retention.
