CCNA AZ Monitoring Questions

75 of 191 questions · Page 2/3 · AZ Monitoring topic · Answers revealed

76
MCQ · medium

You need an alert that emails administrators when CPU on VM-DB01 exceeds a threshold. Which two Azure Monitor components work together to achieve this?

A. A metric alert and an action group
B. A budget alert and a private DNS zone
C. A Recovery Services vault and a route table
D. An activity log export and a lock
Answer: A

This is the standard pairing for threshold-based alerting with notifications.

Why this answer

A metric alert monitors a specific performance metric (like CPU percentage) on a target resource (VM-DB01) and triggers when the value crosses a defined threshold. An action group defines the notification actions (e.g., sending an email to administrators) that execute when the alert fires. Together, they form the core alerting workflow in Azure Monitor: the metric alert evaluates the condition, and the action group delivers the response.

Exam trap

The trap here is that candidates confuse 'budget alerts' (cost-based) with 'metric alerts' (performance-based), or assume that activity logs capture VM-level metrics like CPU, when they only record control-plane events.

How to eliminate wrong answers

Option B is wrong because a budget alert monitors Azure spending against a cost threshold, not VM performance metrics, and a private DNS zone is used for custom domain name resolution within a virtual network, not for alerting. Option C is wrong because a Recovery Services vault manages backup and disaster recovery (e.g., Azure Backup, Site Recovery), not real-time performance monitoring, and a route table controls network traffic flow via user-defined routes, not alerting. Option D is wrong because an activity log export sends subscription-level operational events (e.g., resource creation) to a Log Analytics workspace or storage account, not CPU metrics, and a lock prevents accidental deletion or modification of resources, not alerting.

77
Multi-Select · medium

A team wants to monitor average CPU on a small set of Linux VMs and OS disk free space, but they want the lowest telemetry ingestion cost possible. Which two actions should they take? Select two.

Select 2 answers
A. Use a metric alert for the VM CPU metric.
B. Install Azure Monitor Agent and collect only the disk-free-space counter by using a minimal data collection rule.
C. Enable full VM Insights for every guest performance counter.
D. Stream all syslog and event logs to a workspace before creating any alert.
E. Rely on Azure Resource Health to measure guest OS disk free space.
Answers: A, B

CPU is already exposed as a platform metric, so a metric alert avoids unnecessary log ingestion.

Why this answer

Option A is correct because metric alerts for VM CPU are based on platform metrics collected automatically by Azure, incurring no additional ingestion cost. This allows monitoring average CPU without any agent or data collection rule, making it the lowest-cost approach for that metric.

Exam trap

The trap here is that candidates often assume all monitoring requires agents and log ingestion, overlooking that platform metrics (like CPU) are free and agentless, while guest OS metrics (like disk space) can be collected with minimal cost by restricting the DCR to only the needed counter.

78
MCQ · easy

A team wants to keep Azure platform logs for a storage account in a central location and analyze them with queries. The logs should be queryable together with other Azure resource logs. What destination should the administrator choose for the diagnostic setting?

A. A Log Analytics workspace
B. A storage account only
C. An action group
D. A management group
Answer: A

A Log Analytics workspace is the destination used for centralized log storage and KQL-based analysis across resources.

Why this answer

A Log Analytics workspace is the correct destination because it allows you to collect Azure platform logs (such as resource logs, activity logs, and metrics) from multiple resources into a central location. These logs can then be queried together using Kusto Query Language (KQL) across different resource types, enabling cross-resource analysis and correlation. This meets the requirement for queryable logs alongside other Azure resource logs.

Exam trap

The trap here is that candidates often confuse a storage account as a valid destination for log analysis because it can store logs, but they overlook that it lacks native querying capabilities and cannot integrate with other resource logs for cross-analysis.

How to eliminate wrong answers

Option B is wrong because a storage account only stores logs as blobs or files, which are not directly queryable with KQL and cannot be analyzed together with other resource logs in real time. Option C is wrong because an action group is used to send notifications (e.g., email, SMS) or trigger automated actions based on alerts, not to store or query logs. Option D is wrong because a management group is a scope for managing governance, policy, and compliance across multiple subscriptions, not a destination for diagnostic log data.

79
MCQ · easy

A line-of-business app must keep serving users if an entire Azure region becomes unavailable. Is Azure Backup by itself enough to meet this requirement?

A. Yes, because backup alone guarantees immediate failover to another region
B. No, you also need disaster recovery replication such as Azure Site Recovery
C. Yes, as long as the VM has a backup policy
D. Yes, if diagnostic settings are enabled on the VM
Answer: B

Azure Backup protects data for recovery, but it does not keep the application running during a regional outage. Disaster recovery replication is needed for failover capability.

Why this answer

Azure Backup is designed to protect data by creating recovery points that can be used to restore VMs or files, but it does not provide automatic failover or continuous replication to another region. To meet the requirement of keeping an app running during a regional outage, you need a disaster recovery solution like Azure Site Recovery, which replicates VMs to a secondary region and enables orchestrated failover with minimal downtime.

Exam trap

The trap here is that candidates confuse data protection (backup) with high availability/disaster recovery, assuming that having backups automatically means the application can continue running during a regional outage.

How to eliminate wrong answers

Option A is wrong because Azure Backup alone does not guarantee immediate failover; it requires manual restore processes that can take significant time and do not provide automatic traffic redirection. Option C is wrong because having a backup policy only ensures data is backed up, not that the app can continue serving users during a regional outage without additional replication. Option D is wrong because diagnostic settings on a VM are used for monitoring and logging, not for disaster recovery or failover capabilities.

80
MCQ · hard

An operations team manages an Azure virtual machine scale set that hosts a stateless API. They already collect guest logs in Log Analytics, but they do not want to ingest extra performance data just to watch CPU. They need an alert when average CPU across the scale set stays above 80% for 10 minutes, and the notification must support email and a webhook. What should they configure?

A. Create a diagnostic setting on the scale set and build a log query alert for CPU samples.
B. Create an Azure Monitor metric alert on the scale set CPU metric and attach an action group.
C. Configure an autoscale rule and rely on its notification settings for alerting.
D. Install a monitoring extension that writes CPU readings to storage for later review.
Answer: B

Metric alerts evaluate platform metrics directly, so no extra log ingestion is needed. An action group is the correct notification mechanism for email, webhook, SMS, or other responses. This design is the lowest-overhead way to detect sustained CPU pressure on a VM scale set and notify operators quickly.

Why this answer

Option B is correct because Azure Monitor metric alerts can directly evaluate the 'Percentage CPU' metric from a virtual machine scale set without ingesting additional performance data into Log Analytics. By setting the aggregation to 'Average' and the threshold to 80% for a duration of 10 minutes, the alert triggers when the condition is met. An action group attached to the alert can send notifications via email and webhook simultaneously, meeting all requirements without extra data ingestion.

Exam trap

The trap here is that candidates often confuse metric alerts with log query alerts, assuming CPU monitoring requires Log Analytics ingestion, when in fact platform metrics are available natively and can be alerted on directly without extra data collection.

How to eliminate wrong answers

Option A is wrong because creating a diagnostic setting to send guest-level CPU samples to Log Analytics would ingest extra performance data, which the team explicitly wants to avoid, and log query alerts require querying that ingested data, adding cost and complexity. Option C is wrong because autoscale rules are designed to scale resources based on metrics, not to send alert notifications; their notification settings only inform about scaling events, not sustained CPU thresholds, and they do not support email or webhook directly. Option D is wrong because installing a monitoring extension to write CPU readings to storage does not provide real-time alerting; it only stores data for later review, and the team needs immediate notification via email and webhook.

81
MCQ · hard

A Recovery Services vault protects 40 VMs by using one daily backup policy that retains recovery points for 7 days. One finance VM must keep daily recovery points for 30 days, but the other VMs should remain on the 7-day policy. What should the administrator do?

A. Edit the existing policy so all protected VMs inherit 30-day retention.
B. Create a second backup policy with 30-day retention and assign only the finance VM to it.
C. Move the finance VM to another resource group so it gets different retention automatically.
D. Apply a resource lock to the finance VM to preserve its recovery points longer.
Answer: B

Backup policy settings apply to the items associated with that policy. To give one VM a longer retention period without changing the others, the administrator should create a separate policy and assign only the finance VM to that policy. This preserves the standard 7-day policy for the rest of the fleet while meeting the special retention requirement.

Why this answer

Option B is correct because Azure Backup allows multiple backup policies within a single Recovery Services vault, and you can assign different policies to different VMs. By creating a second policy with 30-day retention and assigning only the finance VM to it, the administrator meets the requirement without affecting the other 39 VMs that continue using the existing 7-day policy.

Exam trap

The trap here is that candidates may think a single vault can only have one backup policy, or that moving a VM to another resource group or applying a resource lock will affect backup retention, when in fact backup policies are independent of resource groups and locks only protect the resource, not its backup data.

How to eliminate wrong answers

Option A is wrong because editing the existing policy to 30-day retention would apply the change to all 40 VMs, violating the requirement to keep the other VMs on a 7-day policy. Option C is wrong because moving a VM to another resource group does not change its backup retention settings; backup policies are assigned per VM within a vault, not inherited from the resource group. Option D is wrong because a resource lock prevents accidental deletion or modification of the VM itself, but it does not extend the retention period of recovery points in the Recovery Services vault.

82
MCQ · medium

Engineers need a single Log Analytics workspace to investigate incidents by querying Windows event logs from a VM and Azure resource logs from a storage account. What should the administrator configure?

A. Create a resource lock on the workspace and let each team send emails when incidents happen.
B. Use Azure Monitor Agent with a data collection rule for the VM and diagnostic settings for the storage account, both sending data to the same workspace.
C. Move the VM and storage account into the same availability set so their logs appear together.
D. Enable a private endpoint for the workspace and disable all diagnostic collection.
Answer: B

VM guest logs require the Azure Monitor Agent and a data collection rule, while storage account platform logs are exported with diagnostic settings. Sending both to one Log Analytics workspace gives the team a single place to correlate incidents with KQL.

Why this answer

Option B is correct because Azure Monitor Agent (AMA) with a data collection rule (DCR) collects Windows event logs from VMs, and diagnostic settings on a storage account send Azure resource logs to the same Log Analytics workspace. This centralizes both data sources for unified querying and incident investigation.

Exam trap

The trap here is that candidates may confuse availability sets (a VM high-availability feature) with log aggregation, or assume that a resource lock or private endpoint somehow enables data collection, when in fact only proper data collection agents and diagnostic settings can route logs to a workspace.

How to eliminate wrong answers

Option A is wrong because a resource lock prevents accidental deletion or modification of the workspace but does not collect or route any log data; it cannot enable log ingestion. Option C is wrong because an availability set is a VM placement configuration for high availability and has no effect on log aggregation or workspace connectivity. Option D is wrong because a private endpoint restricts network access to the workspace but does not enable log collection; disabling diagnostic collection would stop all data ingestion, making investigation impossible.

83
Matching · medium

A response team is designing notification paths for Azure Monitor alerts. Match each action group receiver or action to the outcome it provides.


Delivers the alert to a mailbox or distribution list.

Sends a text message to an on-call phone number.

Calls an external HTTPS endpoint such as a ticketing or orchestration system.

Runs custom code after the alert fires.

Starts a scripted remediation runbook in Azure Automation.

Why these pairings

Email/SMS/Push/Voice are direct notifications; ITSM connector creates tickets; Automation runbook runs scripts; Webhook sends to external services like Teams; Push notifications target mobile apps.

84
MCQ · medium

You need to view recommendations about underutilized virtual machines, security improvements, and cost-saving opportunities in Azure. Which service should you use?

A. Azure Advisor
B. Azure Policy
C. Network Watcher
D. Azure Backup
Answer: A

Azure Advisor is the Azure service for recommendations and optimization guidance.

Why this answer

Azure Advisor provides personalized best-practice recommendations related to reliability, security, performance, operational excellence, and cost.

85
MCQ · medium

Based on the exhibit, the alert rule is firing, but the operations team is not receiving any notification. What should you change to make the alert send an email when the condition is met?

A. Increase the evaluation frequency to 15 minutes so Azure sends a summary notification.
B. Attach an action group that includes the required email recipient.
C. Create a diagnostic setting on the virtual machine and send logs to a storage account.
D. Move the virtual machine into a different resource group so the alert can notify the team.
Answer: B

Azure Monitor alerts need an action group to deliver notifications or trigger automation. In this case the rule is already evaluating correctly, but no action is configured, so the alert has nowhere to send the notification. Attaching an action group with the operations email address fixes the issue without changing the threshold or scope.

Why this answer

An alert rule in Azure Monitor requires an action group to define the notification actions (e.g., email, SMS) when the alert fires. Without an action group attached to the alert rule, no notifications are sent, even if the condition is met. Option B correctly identifies that attaching an action group containing the required email recipient will enable email notifications.

Exam trap

The trap here is that candidates often assume increasing evaluation frequency or moving resources will fix notification delivery, but the core requirement is that an action group must be attached to the alert rule to define the notification channel.

How to eliminate wrong answers

Option A is wrong because increasing the evaluation frequency to 15 minutes does not enable email notifications; it only changes how often the alert condition is checked, and summary notifications are unrelated to action groups. Option C is wrong because creating a diagnostic setting to send logs to a storage account is for log collection and retention, not for alert notifications; it does not trigger email delivery. Option D is wrong because moving the virtual machine to a different resource group has no effect on alert notification delivery; action groups are independent of resource group membership.

86
Matching · hard

Match each Recovery Services vault setting or feature to the behavior an administrator should expect after changing it.


Keeps deleted backup items recoverable for a limited retention period.

Stops future backups but preserves existing recovery points in the vault.

Stops protection and removes stored recovery points after the deletion process completes.

Allows restore operations from the secondary region when the vault uses geo-redundant storage and the feature is enabled.

Why these pairings

Changing replication to GRS replicates all existing recovery points. Soft delete retains deleted data for 14 days. Changing storage replication after backup requires reconfiguration.

Custom managed identity grants specific resource access. Diagnostics settings send logs to Log Analytics. Cross Region Restore enables restore in paired region with GRS.

87
MCQ · medium

Based on the exhibit, the business says the workload must keep running if an entire Azure region becomes unavailable. Is Azure Backup alone sufficient, and what should you add if it is not?

A. Yes. Azure Backup alone provides continuous service during a regional outage.
B. No. Add Azure Site Recovery or another replication and failover design for regional resilience.
C. Yes. Increasing the backup retention period will keep the application online.
D. No. Configure an action group so operators receive faster notifications during outages.
Answer: B

Azure Backup is for restore after data loss or corruption, not for continuously running the workload elsewhere. A full regional outage requires disaster recovery replication and failover, which Azure Site Recovery provides for supported workloads. That design keeps a secondary copy ready in another region so users can fail over when the primary region is unavailable.

Why this answer

Azure Backup is designed to protect data by creating recovery points that can be used to restore data to a different region, but it does not provide continuous service or automatic failover during a regional outage. To keep the workload running without interruption, you need Azure Site Recovery (ASR) or a custom replication and failover solution that replicates the entire workload to a secondary region and enables automatic or manual failover. Therefore, Azure Backup alone is insufficient for high availability during a regional disaster.

Exam trap

The trap here is that candidates confuse backup (data protection) with disaster recovery (application continuity), assuming that having backups in another region automatically keeps the workload running during an outage.

How to eliminate wrong answers

Option A is wrong because Azure Backup is a backup and restore service, not a disaster recovery or high availability solution; it does not provide continuous service or automatic failover during a regional outage. Option C is wrong because increasing backup retention only keeps more historical recovery points, which does not help keep the application running during an outage—it only extends the window for point-in-time restores. Option D is wrong because configuring an action group only sends notifications to operators; it does not provide any mechanism to keep the workload running or automatically fail over to another region.

88
MCQ · medium

Based on the exhibit, the team wants to validate that a protected Azure VM can be recovered without affecting production. Which restore approach best meets the requirement?

A. Use Replace existing VM so the test uses the production name and disks.
B. Restore the VM to a separate resource group or test environment from the latest recovery point.
C. Export a snapshot and assume that proves the VM can boot successfully.
D. Enable Site Recovery failover, because backup restore and failover are identical.
Answer: B

Restoring to a separate resource group creates an isolated test copy of the VM. That lets the team validate recovery from a recent backup without touching the production workload or its current disks.

Why this answer

Restoring the VM to a separate resource group or test environment from the latest recovery point creates an isolated copy of the VM that does not interact with production resources. This approach validates recoverability without risking production name conflicts, IP address overlaps, or accidental data modification. Azure Backup's restore-to-new-location option explicitly supports this isolation by allowing you to choose a different resource group, virtual network, and storage account.

Exam trap

The trap here is that candidates confuse 'Replace existing VM' with a non-disruptive test, not realizing that this option directly modifies the production VM's disks and metadata, which would cause downtime and data loss if the test fails.

How to eliminate wrong answers

Option A is wrong because 'Replace existing VM' overwrites the production VM's disks and configuration, which directly affects production and violates the requirement to avoid impact. Option C is wrong because exporting a snapshot only captures a point-in-time disk image; it does not validate that the VM can boot, that applications start correctly, or that network and configuration dependencies are met. Option D is wrong because Site Recovery failover is designed for disaster recovery and replication, not for backup validation; performing a failover can disrupt replication and may incur costs, and backup restore and failover are fundamentally different processes with different recovery point objectives and consistency guarantees.

89
MCQ · medium

You need to be notified whenever the average CPU usage of VM-App01 exceeds 80 percent for 10 minutes. The solution must send an email to the operations team automatically. What should you configure?

A. Create an Azure Monitor metric alert and link it to an action group.
B. Create an Azure Advisor recommendation alert.
C. Create an activity log alert for the virtual machine.
D. Create a subscription budget alert.
Answer: A

This is the standard way to send automated notifications based on CPU thresholds.

Why this answer

Option A is correct because Azure Monitor metric alerts can evaluate performance counters like CPU usage over a specified time window (e.g., 10 minutes) and trigger an action group when the threshold (80%) is exceeded. The action group can be configured with an email notification to the operations team, meeting the requirement automatically.

Exam trap

The trap here is confusing activity log alerts (which track management-plane operations) with metric alerts (which track performance data), leading candidates to choose Option C when they need real-time metric-based monitoring.

How to eliminate wrong answers

Option B is wrong because Azure Advisor recommendations are proactive suggestions for cost, security, reliability, and performance optimization, not real-time monitoring alerts based on metric thresholds. Option C is wrong because activity log alerts trigger on Azure resource management events (e.g., VM start/stop, configuration changes), not on performance metrics like CPU usage. Option D is wrong because subscription budget alerts monitor cost spending against a defined budget, not VM-level performance metrics.

90
MCQ · easy

A support engineer needs to search a Log Analytics workspace for only failed sign-in records. Which KQL query should they use?

A. `SigninLogs | where ResultType == 0`
B. `SigninLogs | where ResultType != 0`
C. `SigninLogs | summarize count()`
D. `SigninLogs | project UserPrincipalName`
Answer: B

Filtering for values other than zero is a common way to return failed sign-in records in SigninLogs.

Why this answer

Option B is correct because in Azure AD sign-in logs, a `ResultType` of 0 indicates a successful sign-in, while any non-zero value (e.g., 50125, 53003) indicates a failure. The KQL query `SigninLogs | where ResultType != 0` filters for all records where the result type is not zero, thus returning only failed sign-in records.

Exam trap

The trap here is that candidates may mistakenly think `ResultType == 0` indicates a failure, when in fact 0 means success, and they overlook that non-zero values represent various failure codes.

How to eliminate wrong answers

Option A is wrong because `ResultType == 0` filters for successful sign-ins, not failures. Option C is wrong because `summarize count()` returns a count of all sign-in records without any filtering for failures. Option D is wrong because `project UserPrincipalName` only selects the user principal name column, discarding all other data and not filtering for failed sign-ins.

91
MCQ · hard

Your company must retain Azure Activity Log data beyond the default retention period and make it available for long-term analysis. What should you configure?

A. Diagnostic settings for the Activity Log
B. A ReadOnly lock on the subscription
C. An availability set
D. NSG flow logs only
Answer: A

Diagnostic settings export Activity Log data to supported long-term destinations.

Why this answer

Diagnostic settings for the Activity Log allow you to stream the log to a Log Analytics workspace, storage account, or Event Hubs, thereby extending retention beyond the default 90 days (for storage) or indefinitely (in Log Analytics). This is the only mechanism that enables long-term retention and analysis of Azure Activity Log data.

Exam trap

The trap here is that candidates often confuse the default 90-day retention of the Activity Log with the ability to extend it via a simple lock or by enabling NSG flow logs, not realizing that only diagnostic settings provide the export and retention control needed for long-term analysis.

How to eliminate wrong answers

Option B is wrong because a ReadOnly lock on the subscription prevents accidental deletion or modification of resources but does not affect log retention or data collection. Option C is wrong because an availability set is a logical grouping of VMs to ensure high availability across fault and update domains; it has no relation to log retention or analysis. Option D is wrong because NSG flow logs capture IP traffic through a Network Security Group and are used for network monitoring and security analysis, not for retaining the Azure Activity Log (which records control-plane operations).

92
MCQ · easy

Based on the exhibit, which restore option should the administrator use to recover only the deleted file while keeping the VM online?

A. Restore the entire virtual machine to the latest recovery point.
B. Use File Recovery from the Recovery Services vault.
C. Redeploy the VM from the original image.
D. Disable backup protection and then re-enable it.
Answer: B

File Recovery is designed for exactly this scenario: recovering one or more files or folders from a VM backup without restoring the whole virtual machine. The VM stays online, users can continue working, and the administrator mounts the recovery point to copy back only the missing spreadsheet. This minimizes downtime and avoids overwriting unrelated data on the VM.

Why this answer

Option B is correct because Azure Backup's File Recovery feature allows you to mount a recovery point as a drive on the VM, enabling you to browse and restore individual files without affecting the running VM. This avoids the need to restore the entire VM or take it offline, which is essential for recovering only the deleted file while maintaining availability.

Exam trap

The trap here is that candidates may assume restoring the entire VM is the only way to recover files, overlooking the File Recovery option that provides granular, online file-level restore without impacting the running VM.

How to eliminate wrong answers

Option A is wrong because restoring the entire virtual machine to the latest recovery point would overwrite the current VM state, potentially causing downtime and data loss, and it recovers the entire VM rather than just the single deleted file. Option C is wrong because redeploying the VM from the original image would recreate the VM from scratch, losing all current data and configurations, and does not target the specific deleted file. Option D is wrong because disabling and re-enabling backup protection does not restore any data; it only stops and restarts the backup schedule, leaving the deleted file unrecovered.

93
MCQ · medium

The team already exports subscription activity logs to a Log Analytics workspace and wants an alert that can ignore delete operations performed by a known automation account. What should they create?

A. An activity log alert at the subscription scope
B. A scheduled query alert in Log Analytics using the AzureActivity table
C. A metric alert on the subscription
D. A diagnostic setting on the resource group
Answer: B

Because the activity logs are already in Log Analytics, a scheduled query alert gives the team full KQL flexibility. They can filter by operation name and exclude actions performed by the automation account before firing the alert. This is the best choice when alert logic must be more specific than a standard activity log rule.

Why this answer

Option B is correct because a scheduled query alert in Log Analytics can query the AzureActivity table to filter out delete operations performed by a specific automation account. This allows the alert to ignore those operations by excluding them in the query logic, which is not possible with activity log alerts that lack such granular filtering.

Exam trap

The trap here is that candidates often assume activity log alerts can filter by caller identity, but they only support static conditions like operation name or severity, not dynamic exclusion of specific principals.

How to eliminate wrong answers

Option A is wrong because activity log alerts at the subscription scope can only trigger on specific operations (e.g., delete) but cannot filter out operations based on the caller (e.g., a known automation account). Option C is wrong because metric alerts monitor performance metrics (e.g., CPU, memory) and cannot evaluate activity log data or filter delete operations. Option D is wrong because a diagnostic setting on a resource group only controls where logs are sent (e.g., to Log Analytics), not how alerts are created or filtered.

94
Multi-Select · medium

You are responsible for monitoring and maintaining Azure resources for a large enterprise. Which four of the following actions or configurations can help you proactively identify performance bottlenecks, optimize costs, and ensure high availability? (Choose four.)

Select 4 answers
A.Configuring Azure Monitor autoscale rules to scale out virtual machine scale sets based on CPU usage.
B.Setting up Azure Service Health alerts to notify your team when Azure services in your region experience an outage.
C.Enabling Azure Advisor recommendations for resizing underutilized virtual machines to reduce costs.
D.Creating diagnostic settings to stream resource logs from Azure SQL Database to a Log Analytics workspace for query-based analysis.
E.Using Azure Backup Center to perform an on-demand restore of a deleted virtual machine to its original state.
F.Deploying Azure Traffic Manager with a failover routing method to reroute traffic away from a healthy endpoint.

Why this answer

Configuring Azure Monitor autoscale rules to scale out virtual machine scale sets based on CPU usage is correct because it proactively adjusts capacity in response to demand, preventing performance bottlenecks during spikes and reducing costs during low usage. This aligns with the goal of maintaining high availability and cost optimization through automated scaling.

Exam trap

The trap here is that candidates may confuse reactive recovery actions (like Backup Center restores) with proactive monitoring and optimization tasks, or misunderstand Traffic Manager's failover routing by assuming it reroutes away from a healthy endpoint instead of an unhealthy one.

95
MCQmedium

A production virtual machine is experiencing intermittent performance spikes. The operations team wants an alert when average CPU usage stays above 80 percent for 10 minutes and wants email and SMS notifications sent automatically. What should the administrator configure in Azure Monitor?

A.Create a log search alert on the VM performance data and attach a resource lock.
B.Create a metric alert on Percentage CPU and associate an action group with email and SMS receivers.
C.Assign an Azure Policy definition to the VM to stop it when CPU exceeds the threshold.
D.Enable diagnostic settings on the VM and send the data only to a storage account.
AnswerB

Metric alerts are the best fit for near real-time threshold monitoring of Azure platform metrics such as CPU. An action group delivers the notification channels, such as email and SMS, when the alert fires. This design meets both parts of the requirement: detect sustained CPU pressure and notify the operations team automatically without needing log ingestion or manual polling.

Why this answer

Option B is correct because Azure Monitor metric alerts can evaluate real-time performance counters like Percentage CPU against a threshold (e.g., 80%) over a specified duration (e.g., 10 minutes). By associating an action group with email and SMS receivers, the alert automatically triggers the desired notifications without requiring log ingestion or complex queries.

Exam trap

The trap here is that candidates confuse metric alerts (which evaluate live performance counters) with log search alerts (which require log ingestion and are slower), or mistakenly think Azure Policy can react to performance metrics instead of enforcing configuration rules.

How to eliminate wrong answers

Option A is wrong because a log search alert requires log data to be collected and queried, which adds latency and complexity; a resource lock prevents accidental deletion but does not send notifications. Option C is wrong because Azure Policy definitions enforce compliance rules (e.g., tagging, location) and cannot stop a VM based on performance metrics; they do not trigger alerts or notifications. Option D is wrong because enabling diagnostic settings to send data only to a storage account archives the data but does not create alerts or send email/SMS notifications.

96
MCQeasy

A security admin wants Key Vault audit logs and metrics sent to a Log Analytics workspace for later search. Which Azure setting should be configured on the vault?

A.Diagnostic settings
B.Azure Policy assignment
C.Network security group
D.Action group
AnswerA

Diagnostic settings send resource logs and metrics from the vault to Log Analytics.

Why this answer

Diagnostic settings in Azure Key Vault allow you to stream platform logs and metrics to various destinations, including a Log Analytics workspace. By configuring diagnostic settings on the vault, you can send audit logs (e.g., AuditEvent) and metrics (e.g., ServiceApiLatency) to Log Analytics for querying with KQL, enabling security analysis and monitoring.

Exam trap

The trap here is that candidates confuse diagnostic settings (which export logs/metrics) with action groups (which send notifications) or Azure Policy (which enforces rules), leading them to select a wrong option that does not actually stream data to Log Analytics.

How to eliminate wrong answers

Option B is wrong because Azure Policy assignment is used to enforce compliance rules across resources (e.g., requiring encryption), not to route logs to a Log Analytics workspace. Option C is wrong because a network security group (NSG) filters traffic at the subnet or NIC level and cannot send logs to Log Analytics; NSG flow logs require a separate diagnostic setting on the NSG itself. Option D is wrong because an action group defines notification actions (e.g., email, SMS) for alerts, not log or metric streaming to a Log Analytics workspace.

97
Multi-Selectmedium

An employee deleted one spreadsheet from a Windows VM that is protected by Azure Backup. The VM must stay online while the administrator recovers only that file. Which two restore methods are supported? Select two.

Select 2 answers
A.Use file recovery from the recovery point in the Azure portal.
B.Use the file recovery script or PowerShell mount workflow from the recovery point.
C.Restore the entire VM to a new VM and copy the file back manually.
D.Restore the disks from backup and attach them to the running VM.
E.Use Azure Site Recovery failover to expose the file.
AnswersA, B

The portal file-recovery workflow lets you restore a single file without restoring the whole VM.

Why this answer

Option A is correct because Azure Backup's file-level recovery feature in the Azure portal allows you to mount a recovery point as a drive on the running Windows VM, enabling you to browse and copy individual files without restoring the entire VM. This method supports selective file recovery while the VM remains online, meeting the requirement. Option B is also correct because the file recovery script (or PowerShell mount workflow) performs the same mount operation programmatically, providing an alternative way to access and recover the specific spreadsheet from the recovery point.

Exam trap

The trap here is that candidates often confuse Azure Backup's file-level recovery with full VM restore or disk restore operations, assuming that granular recovery requires stopping the VM or using a separate disaster recovery service like Azure Site Recovery.

98
MCQmedium

Based on the exhibit, what does the query return?

A.All successful deallocate operations on virtual machines during the last 24 hours.
B.Failed deallocate operations on virtual machines during the last 24 hours.
C.Any operations related to starting or restarting virtual machines in the last 24 hours.
D.Administrative changes made only from the Azure portal in the last 24 hours.
AnswerB

The query filters the AzureActivity table to the last 24 hours, selects the virtual machine deallocate operation, and then limits results to records whose status is Failed. That combination means it returns only failed deallocation events for virtual machines in the time window shown.

Why this answer

The query filters for 'Status' equal to 'Failed' and 'Operation' equal to 'Deallocate Virtual Machines', returning only failed deallocate operations. The time filter restricts results to the last 24 hours. Therefore, the query returns failed deallocate operations on virtual machines during the last 24 hours.

Exam trap

The trap here is that candidates may overlook the explicit 'Status' filter and assume the query returns all deallocate operations, or confuse 'deallocate' with 'start' or 'restart' operations, leading them to select a wrong answer.

How to eliminate wrong answers

Option A is wrong because the query explicitly filters for 'Status' equal to 'Failed', not 'Succeeded', so it does not return successful deallocate operations. Option C is wrong because the query filters for 'Operation' equal to 'Deallocate Virtual Machines', not operations related to starting or restarting virtual machines. Option D is wrong because the query does not filter by 'Caller' or 'Source' to isolate Azure portal changes; it returns all failed deallocate operations regardless of the management interface used.

99
MCQhard

You need to retain Azure Firewall logs for long-term analysis in a Log Analytics workspace and also archive them in a storage account for compliance. What should you configure on the Azure Firewall resource?

A.Diagnostic settings
B.A resource lock
C.An availability set
D.A VNet peering connection
AnswerA

This is the Azure-native mechanism for routing logs and metrics to monitoring destinations.

Why this answer

Diagnostic settings on the Azure Firewall resource allow you to stream platform logs and metrics to a Log Analytics workspace for long-term analysis and to a storage account for archival and compliance. This is the only configuration that simultaneously supports both destinations for the firewall's log data.

Exam trap

The trap here is that candidates may confuse resource locks or VNet peering with logging configurations, but only diagnostic settings provide the dual-destination log routing required for both analysis and compliance archival.

How to eliminate wrong answers

Option B is wrong because a resource lock prevents accidental deletion or modification of the Azure Firewall resource but does not capture, route, or retain any log data. Option C is wrong because an availability set is a VM placement construct for high availability and has no role in log collection or storage. Option D is wrong because VNet peering connects virtual networks for private IP communication and does not handle logging, monitoring, or data archival.

100
MCQmedium

Based on the exhibit, which KQL query should you use in a scheduled query alert to trigger only when five or more failed events occur within any 15-minute window?

A.CustomAppLogs_CL | where TimeGenerated >= ago(15m) | where Status_s == 'Failed' | summarize FailedCount=count() by bin(TimeGenerated, 1h) | where FailedCount >= 5
B.CustomAppLogs_CL | where TimeGenerated >= ago(1h) | where Status_s == 'Failed' | summarize FailedCount=count() by bin(TimeGenerated, 15m) | where FailedCount >= 5
C.CustomAppLogs_CL | where TimeGenerated >= ago(1h) | summarize FailedCount=count() by bin(TimeGenerated, 15m) | where FailedCount >= 5
D.CustomAppLogs_CL | where TimeGenerated >= ago(1h) | where Status_s == 'Failed' | summarize FailedCount=count() by bin(TimeGenerated, 15m) | where FailedCount > 0
AnswerB

This query filters to the recent hour, keeps only failed events, groups them into 15-minute bins, and returns only bins with five or more failures. That matches the alert requirement directly.

Why this answer

Option B is correct because it filters for 'Failed' events in the last hour, groups them into 15-minute bins using `bin(TimeGenerated, 15m)`, and then counts them. The `where FailedCount >= 5` condition triggers the alert only when five or more failed events occur within any single 15-minute window, matching the requirement exactly.

Exam trap

The trap here is that candidates often confuse the lookback period (`ago(1h)`) with the aggregation window (`bin(..., 15m)`), leading them to pick Option A with a 1-hour bin, which fails to meet the 'any 15-minute window' requirement.

How to eliminate wrong answers

Option A is wrong because it uses `bin(TimeGenerated, 1h)`, which groups events into 1-hour bins, not 15-minute windows, so it cannot detect five failures within any 15-minute period. Option C is wrong because it omits the `where Status_s == 'Failed'` filter, counting all events regardless of status, which would trigger on non-failed events. Option D is wrong because it uses `where FailedCount > 0`, which triggers on any single failed event in a 15-minute window, not the required threshold of five or more.

101
MCQeasy

You want to send a storage account's read, write, and delete events to a Log Analytics workspace for later investigation. Which feature should you configure?

A.Diagnostic settings for the storage account
B.An action group
C.A metric alert rule
D.A Recovery Services vault
AnswerA

Diagnostic settings are used to export platform logs and metrics from an Azure resource to a workspace, storage account, or event hub.

Why this answer

Diagnostic settings on a storage account allow you to stream resource logs, including read, write, and delete operations (stored in the StorageRead, StorageWrite, and StorageDelete log categories), to a Log Analytics workspace. This is the correct feature for capturing and analyzing these events for later investigation.

Exam trap

The trap here is that candidates often confuse diagnostic settings (which stream logs) with metric alerts (which monitor numeric thresholds) or action groups (which define notification actions), leading them to pick an option that handles alerts rather than log collection.

How to eliminate wrong answers

Option B is wrong because an action group is a collection of notification preferences (e.g., email, SMS, webhook) triggered by alert rules, not a destination for streaming logs. Option C is wrong because a metric alert rule monitors numeric metrics (e.g., latency, throughput) and triggers notifications when thresholds are breached; it does not capture or send log data like read/write/delete events. Option D is wrong because a Recovery Services vault is used for backup and disaster recovery (e.g., Azure Backup, Site Recovery), not for collecting operational logs from a storage account.

102
MCQmedium

A storage account experiences a brief regional platform issue. The team wants an alert whenever Azure marks the resource as unavailable, even if no custom metric changes are detected. What should the administrator use?

A.A metric alert on the account's transaction count.
B.A Resource Health alert for the storage account.
C.A diagnostic setting that sends logs only to a storage account.
D.An Azure Policy assignment that denies writes to the storage account.
AnswerB

Resource Health alerts are designed to notify administrators when Azure determines that a specific resource is unavailable or degraded because of a platform issue. This works even when ordinary metrics do not change in a useful way. It is the correct choice when the requirement is to detect service or infrastructure problems that Azure reports at the resource level rather than workload performance issues.

Why this answer

A Resource Health alert is designed to monitor the health of Azure resources and trigger notifications when Azure detects that the resource is unavailable due to platform issues, even if no custom metric thresholds are breached. This alert uses signals from the Azure Resource Health service, which tracks the current and historical health status of resources, making it the correct choice for detecting regional platform unavailability without relying on custom metrics.

Exam trap

The trap here is that candidates often confuse metric alerts (which require custom metric thresholds) with Resource Health alerts (which detect platform-level unavailability), leading them to choose a metric-based option like transaction count instead of the health-specific alert.

How to eliminate wrong answers

Option A is wrong because a metric alert on transaction count monitors performance metrics (e.g., latency, throttling) and would not trigger solely for resource unavailability due to a platform issue; it requires metric threshold breaches. Option C is wrong because a diagnostic setting that sends logs to a storage account only archives logs for analysis; it does not generate alerts for resource unavailability. Option D is wrong because an Azure Policy assignment that denies writes is a governance control to prevent configuration changes, not a monitoring or alerting mechanism for resource health events.

103
MCQeasy

A file server VM is corrupted after a bad change. The team needs to recover the whole machine to the latest recovery point, not just one file. Which restore workflow should they use?

A.Restore virtual machine
B.File and folder recovery
C.Modify the backup policy
D.Create an action group
AnswerA

This workflow restores the full VM from the chosen recovery point.

Why this answer

Option A is correct because Azure Backup's 'Restore virtual machine' workflow creates a new VM from the latest recovery point, restoring the entire machine state including OS, applications, and data. This is the appropriate method when the goal is to recover the full VM after corruption, as it uses the VM-level restore point stored in the Recovery Services vault.

Exam trap

The trap here is that candidates confuse 'File and folder recovery' (which is for granular file-level restore) with full VM recovery, or mistakenly think modifying the backup policy can retroactively restore a corrupted VM.

How to eliminate wrong answers

Option B is wrong because 'File and folder recovery' is designed for granular restoration of individual files or folders from a VM backup, not for recovering the entire VM. Option C is wrong because modifying the backup policy changes future backup schedules or retention, but does not perform any restore operation. Option D is wrong because an action group is a notification and automation mechanism for Azure Monitor alerts, not a restore workflow for Azure Backup.

104
Drag & Dropmedium

Arrange the steps to configure Azure Load Balancer with a backend pool.

Why this order

Create LB, configure frontend and backend, add probes, rules, then associate VMs.

105
MCQeasy

Based on the exhibit, what should the administrator configure so the alert sends email and SMS when CPU stays above the threshold?

A.Create a diagnostic setting on the virtual machine and send metrics to a Log Analytics workspace.
B.Associate an Azure Monitor action group with the alert rule.
C.Enable boot diagnostics on the virtual machine so the CPU threshold can be reported.
D.Apply a resource lock to the virtual machine to prevent the CPU from increasing further.
AnswerB

An action group is the notification target for Azure Monitor alerts. It can send email, SMS, push notifications, and other responses when the alert condition is met.

Why this answer

An Azure Monitor action group defines the notification channels (e.g., email, SMS) and actions to trigger when an alert fires. Associating an action group with the alert rule enables the administrator to send both email and SMS when the CPU threshold is breached. Without an action group, the alert rule can only log the condition but cannot deliver notifications.

Exam trap

The trap here is that candidates confuse diagnostic settings (which export data) with action groups (which deliver notifications), or they mistakenly think boot diagnostics or resource locks can influence alert delivery or CPU behavior.

How to eliminate wrong answers

Option A is wrong because a diagnostic setting sends metrics to a Log Analytics workspace for analysis or storage, but it does not directly trigger notifications; alerts still require an action group for email/SMS delivery. Option C is wrong because boot diagnostics captures serial console output and screenshots for troubleshooting boot failures, not CPU performance metrics or alert notifications. Option D is wrong because a resource lock prevents accidental deletion or modification of the virtual machine, but it has no effect on CPU utilization or alerting behavior.

106
MCQeasy

A production VM is using too much CPU. You want Azure to notify the operations team by email when Average Percentage CPU stays above 80 percent for 5 minutes. What should you configure?

A.A diagnostic setting on the VM
B.A metric alert rule linked to an action group
C.A Log Analytics workspace only
D.An Azure Policy assignment
AnswerB

A metric alert rule watches a platform metric such as CPU percentage and evaluates it against a threshold over time. Linking the alert to an action group lets Azure send the notification to the operations team by email or other channels when the condition is met.

Why this answer

A metric alert rule monitors a specific metric (e.g., Percentage CPU) and triggers when a condition (e.g., above 80% for 5 minutes) is met. Linking the alert to an action group allows Azure to send email notifications to the operations team. This is the correct Azure Monitor feature for threshold-based, metric-driven notifications.

Exam trap

The trap here is that candidates confuse diagnostic settings (which only route data) with alert rules (which evaluate conditions and trigger actions), leading them to select Option A thinking it can send notifications directly.

How to eliminate wrong answers

Option A is wrong because a diagnostic setting on the VM sends metrics and logs to a destination (e.g., Log Analytics, Storage, Event Hubs) but does not itself evaluate thresholds or send email notifications. Option C is wrong because a Log Analytics workspace alone is a storage and query environment; it cannot generate proactive email alerts without a configured alert rule. Option D is wrong because an Azure Policy assignment enforces compliance rules (e.g., requiring a specific VM size) and is not designed for metric-based monitoring or notification.

107
MCQhard

A production subscription contains 20 virtual machines across two resource groups. Operations needs an email and SMS notification whenever any single VM's average Percentage CPU stays above 85 for 10 minutes. The alert should be managed as one rule, and evaluation must happen independently for each VM. What should the administrator configure?

A.Create a log query alert that uses the Heartbeat table and the existing action group.
B.Create one metric alert scoped to the 20 VM resources, using Percentage CPU and the shared action group.
C.Create one subscription-wide metric alert and average CPU across all virtual machines.
D.Configure diagnostic settings on each VM and use the action group for threshold processing.
AnswerB

A metric alert is the correct signal for CPU threshold monitoring, and scoping the rule to the VM resources lets Azure evaluate each VM independently while keeping a single alert definition. The action group handles the email and SMS delivery. This avoids creating 20 separate rules and prevents fleet-wide averaging from hiding one overloaded server. It is the simplest design that still evaluates each VM separately.

Why this answer

Option B is correct because a single metric alert rule can be scoped to multiple resources (up to 20 VMs) in Azure Monitor, allowing independent evaluation of each VM's Percentage CPU metric. When the average CPU exceeds 85% for 10 minutes on any individual VM, the alert fires and triggers the shared action group to send email and SMS notifications. This meets the requirement of one rule with per-VM independent evaluation.

Exam trap

The trap here is that candidates assume a single alert rule cannot monitor multiple VMs independently, leading them to choose option C (subscription-wide average) or option D (diagnostic settings), when in fact Azure Monitor supports multi-resource metric alerts with per-resource evaluation.

How to eliminate wrong answers

Option A is wrong because a log query alert using the Heartbeat table would require collecting CPU data via Log Analytics, which is unnecessary overhead and does not directly evaluate the Percentage CPU metric per VM; also, Heartbeat does not contain CPU utilization data. Option C is wrong because a subscription-wide metric alert averages CPU across all VMs, which would not trigger when a single VM exceeds 85% — it would only fire if the average of all 20 VMs exceeds 85%. Option D is wrong because diagnostic settings stream metrics to a destination (e.g., Log Analytics or Storage), but they do not perform threshold processing or trigger alerts; alert rules must be created separately to evaluate the metric data.

108
MCQmedium

An employee deleted one spreadsheet stored on a Windows VM that is protected by Azure Backup. The administrator must recover only that file without restoring the entire VM. What should be used?

A.A full VM restore to replace the existing virtual machine.
B.The file recovery process from the Recovery Services vault recovery point.
C.Blob rehydration from Archive tier in the storage account.
D.A restore point collection operation in Azure Compute.
AnswerB

Azure Backup supports file-level recovery by mounting a selected recovery point and allowing the administrator to copy out individual files or folders. This is the best option when the goal is to restore one deleted spreadsheet without replacing the entire virtual machine. It minimizes disruption and avoids overwriting other current VM data that was not affected.

Why this answer

Azure Backup for Azure VMs supports file-level recovery from a recovery point without restoring the entire VM. The file recovery process mounts the recovery point as an iSCSI target on the VM, allowing the administrator to browse and copy the deleted spreadsheet directly from the snapshot. This is the only option that provides granular, non-disruptive file restoration from a VM backup.

Exam trap

The trap here is that candidates confuse Azure Backup's file-level recovery with full VM restore or blob-level operations, assuming that file recovery requires a full VM restore or that the file is stored in Azure Blob Storage rather than on the VM's disk.

How to eliminate wrong answers

Option A is wrong because a full VM restore would replace the entire virtual machine, causing downtime and unnecessary overhead when only a single file needs recovery. Option C is wrong because Blob rehydration from Archive tier applies to Azure Blob Storage, not to files within a VM backup; the spreadsheet is stored on the VM's OS or data disk, not in a storage account's blob container. Option D is wrong because a restore point collection operation in Azure Compute is used for creating and managing VM restore points for disaster recovery scenarios, not for granular file recovery from an existing backup.

109
MCQeasy

Based on the exhibit, what should the administrator deploy to monitor CPU and free disk space on a small set of VMs while keeping telemetry cost low?

A.Deploy Azure Monitor Agent and collect only the required performance counters with a data collection rule.
B.Enable diagnostic settings on each VM and send all guest logs to a storage account.
C.Install Application Insights on each VM and enable request tracing.
D.Create a resource lock on each VM to preserve the current state.
AnswerA

Azure Monitor Agent with a targeted data collection rule is the cost-aware choice because it collects only the specific performance data needed. The administrator can scope the rule to the five VMs and include just CPU and disk free space counters, avoiding broad log ingestion. This meets the monitoring requirement without paying to send unnecessary telemetry to Log Analytics.

Why this answer

Option A is correct because Azure Monitor Agent (AMA) is the modern, cost-effective agent for collecting performance counters like CPU and free disk space from VMs. By using a Data Collection Rule (DCR) to specify only the required counters, the administrator minimizes data ingestion volume, directly controlling telemetry costs. This approach avoids the overhead of sending all guest logs or using more expensive monitoring tools.

Exam trap

The trap here is that candidates often confuse Azure Monitor Agent with the older Log Analytics agent or mistakenly think diagnostic settings to storage accounts are free, overlooking that storage write operations and data retention incur costs.

How to eliminate wrong answers

Option B is wrong because enabling diagnostic settings to send all guest logs to a storage account incurs storage costs and generates unnecessary data, increasing telemetry cost without providing real-time monitoring for CPU and disk space. Option C is wrong because Application Insights is designed for application performance monitoring (APM) and request tracing, not for OS-level performance counters like CPU and disk space; it also adds cost and complexity for a small set of VMs. Option D is wrong because a resource lock prevents accidental deletion or modification of resources but does not collect any telemetry or monitor performance metrics.

110
MCQeasy

The Azure portal shows that a storage service in the region is experiencing an outage that affects several Microsoft customers. The administrator wants to view official Azure status updates for that issue. Which Azure Monitor feature should be used?

A.Activity log
B.Service Health
C.Azure Advisor
D.Metrics explorer
AnswerB

Service Health provides Azure platform incident information, advisories, and status updates for impacted services and regions.

Why this answer

Service Health is the correct Azure Monitor feature because it provides a personalized view of the health of Azure services, regions, and resources, including real-time and historical information about service-impacting events such as outages. It also surfaces official root cause analyses and planned maintenance, making it the appropriate tool for an administrator to view official Azure status updates for a regional outage affecting multiple customers.

Exam trap

The trap here is that candidates often confuse the Activity log (which tracks resource-level operations) with Service Health (which tracks Azure platform-level health), leading them to select Activity log when they need official outage status updates.

How to eliminate wrong answers

Option A is wrong because the Activity log records control-plane operations (e.g., create, delete, update) on individual resources, not the health status of Azure services themselves. Option C is wrong because Azure Advisor provides proactive recommendations for cost, security, reliability, and performance optimization, not real-time or official outage status updates. Option D is wrong because Metrics explorer analyzes performance and usage metrics (e.g., CPU, latency) from Azure resources, but it cannot surface official Azure service health incidents or outage announcements.

111
Matchinghard

A platform team is tuning alerting for a production VM and the surrounding Azure resources. Match each Azure Monitor component to the function it performs in this design.

Evaluates a numeric Azure Monitor metric and fires when a threshold or dynamic condition is met.

Runs a KQL query against workspace data and fires when the query result matches the condition.

Delivers notifications or automation such as email, SMS, webhook, or runbook execution.

Exports resource logs and metrics to a destination such as Log Analytics, storage, or Event Hub.

Monitors subscription-level control-plane events such as deletes, writes, or policy actions.

Why these pairings

Azure Monitor Metrics handles numerical data, Logs handles log data; Application Insights is for app monitoring; Alerts notify on conditions; Workbooks and Dashboards are visualization tools.

112
Drag & Dropmedium

Order the steps to configure Azure Traffic Manager for geographic routing.

Why this order

Create profile, set geographic routing, add endpoints with mapping, configure monitoring, update DNS.

113
Matchingmedium

A team is choosing the right Azure Monitor alert type for different operational signals. Match each alert type to the situation it is best suited for.

Concepts
Matches

Alerts on a numeric measurement such as average CPU, disk queue length, or memory utilization.

Evaluates a KQL query and alerts when matching records appear in a workspace.

Responds to subscription-level control-plane events such as create, delete, or policy changes.

Indicates that a specific Azure resource is unhealthy or unavailable.

Notifies on Azure platform incidents, advisories, or maintenance affecting a region or service.

Why these pairings

Metric alerts monitor numeric values; Activity log alerts on resource changes; Log alerts query log data; Smart detection finds anomalies; Resource health alerts on resource status; Service health alerts on Azure service issues.

114
MCQmedium

Based on the exhibit, the security team wants an alert whenever someone changes the configuration of a storage account, such as disabling public network access. The current rule is a metric alert on transaction count. What should you use instead?

A.Keep the metric alert and lower the threshold to 10 transactions.
B.Create a service health alert because storage account settings affect platform status.
C.Use a Log Analytics query alert against VM guest logs to detect network-rule changes.
D.Create an activity log alert for write operations on the storage account resource.
AnswerD

Configuration changes to a storage account are control-plane actions and appear in the Azure Activity log. An activity log alert on write operations is the right monitoring approach because it detects management changes, not traffic patterns.

Why this answer

Activity log alerts are designed to monitor Azure resource-level operations, such as write actions that modify storage account configurations. Option D is correct because it creates an alert specifically for write operations on the storage account resource, which captures events like disabling public network access. This is the appropriate method for detecting configuration changes, unlike metric alerts which track performance data.

Exam trap

The trap here is that candidates confuse metric alerts (which monitor performance counters like transaction count) with activity log alerts (which monitor resource management operations), leading them to choose options that track the wrong type of data.

How to eliminate wrong answers

Option A is wrong because lowering the threshold on a metric alert for transaction count does not detect configuration changes; it only triggers on high transaction volumes, which is unrelated to actions like disabling public network access. Option B is wrong because service health alerts monitor Azure platform-wide issues (e.g., regional outages), not resource-level configuration changes on a specific storage account. Option C is wrong because Log Analytics query alerts against VM guest logs can only detect changes within the VM's operating system, not changes to the storage account's Azure Resource Manager configuration.

115
Multi-Selectmedium

You are an Azure administrator for a company that runs critical virtual machines (VMs) in Azure. You need to configure a monitoring solution that will alert you when the average CPU usage of a specific VM exceeds 90% for more than 15 minutes. Which three of the following actions should you take to set up this alert? (Choose three.)

Select 3 answers
.Create a metric alert rule in Azure Monitor targeting the VM's 'Percentage CPU' metric.
.Configure the alert condition to fire when the average CPU usage is greater than 90 for a period of 15 minutes.
.Define an action group that includes an email notification to the operations team.
.Create a log alert rule based on the VM's performance counters collected in Log Analytics.
.Enable Azure Diagnostic Settings on the VM to send performance data to a storage account.
.Configure an Application Insights availability test to monitor the VM's CPU.

Why this answer

A metric alert rule in Azure Monitor is the correct approach because it directly monitors a specific metric like 'Percentage CPU' from the VM without requiring additional data collection. Configuring the condition to fire when the average CPU usage exceeds 90% for a period of 15 minutes ensures the alert triggers only after sustained high usage, reducing noise. Defining an action group with email notification is necessary to alert the operations team when the alert fires, completing the monitoring solution.

Exam trap

The trap here is that candidates often confuse metric alerts with log alerts or diagnostic settings, thinking that log-based monitoring is required for CPU alerts, when in fact metric alerts are the native, simpler solution for host-level metrics like CPU usage.

116
MCQmedium

Your operations team wants to query collected VM log data by using Kusto Query Language and retain it centrally for analysis. Which Azure resource should you deploy?

A.A Log Analytics workspace
B.An availability set
C.A local user account on each VM
D.A network security group
AnswerA

This is the central log store and query platform for Azure Monitor Logs.

Why this answer

A Log Analytics workspace is the correct Azure resource because it serves as the central repository for VM log data collected via Azure Monitor agents. It supports Kusto Query Language (KQL) for querying and analyzing the collected data, enabling the operations team to perform advanced log analytics and retention. This aligns directly with the requirement to query and retain VM log data centrally.

Exam trap

The trap here is that candidates might confuse a Log Analytics workspace with a simple storage account or think that local accounts or NSGs can somehow be used for log aggregation, but only a Log Analytics workspace provides the KQL query engine and central retention required for this scenario.

How to eliminate wrong answers

Option B is wrong because an availability set is a VM placement configuration that ensures high availability during planned or unplanned maintenance events; it does not collect, store, or query log data. Option C is wrong because a local user account on each VM provides authentication access to the VM but cannot aggregate or query log data across multiple VMs or retain it centrally. Option D is wrong because a network security group (NSG) filters inbound and outbound traffic at the subnet or NIC level using security rules; it has no capability to collect, store, or query log data.

117
MCQmedium

Based on the exhibit, the operations team wants an alert that fires when any VM has not sent a heartbeat in the last 15 minutes. Which KQL query should they use as the condition for the log alert?

A.Heartbeat | summarize LastSeen=max(TimeGenerated) by Computer | where LastSeen > ago(15m)
B.Heartbeat | summarize LastSeen=max(TimeGenerated) by Computer | where LastSeen < ago(15m)
C.Heartbeat | where TimeGenerated > ago(15m) | summarize count() by Computer | where count() == 0
D.Heartbeat | distinct Computer | where Computer == "VM01"
AnswerB

This query summarizes the most recent heartbeat per computer and then filters for systems whose latest record is older than 15 minutes. That matches the requirement to alert when a VM has stopped sending heartbeat data.

Why this answer

Option B is correct because the query uses `summarize LastSeen=max(TimeGenerated) by Computer` to get the latest heartbeat timestamp per VM, then filters with `where LastSeen < ago(15m)` to identify VMs whose last heartbeat is older than 15 minutes. This directly matches the alert condition: any VM that has not sent a heartbeat in the last 15 minutes.

Exam trap

The trap here is that candidates often confuse the direction of the time comparison, picking Option A (which fires on VMs that *have* sent a heartbeat recently) instead of Option B (which fires on VMs that have *not* sent a heartbeat recently).

How to eliminate wrong answers

Option A is wrong because `where LastSeen > ago(15m)` selects VMs that have sent a heartbeat within the last 15 minutes, which is the opposite of the desired condition. Option C is wrong because `where TimeGenerated > ago(15m)` filters to only heartbeats in the last 15 minutes, then `summarize count() by Computer` will never produce a count of 0 for any VM that had a heartbeat in that window; VMs with no heartbeat are simply not present in the result set, so the `where count() == 0` condition will never match. Option D is wrong because it only checks for a specific VM named 'VM01' and does not evaluate heartbeat timing at all, failing to meet the requirement for any VM.

118
MCQhard

Your company must retain Azure Activity Log data beyond the built-in retention period and make it available for long-term analysis. Which configuration should you use?

A.Diagnostic settings for the Activity Log
B.A ReadOnly lock on the subscription
C.An availability set
D.NSG flow logs only
AnswerA

Diagnostic settings export Activity Log data to supported long-term destinations.

Why this answer

Azure Activity Log is retained by default for 90 days. To store data beyond this period for long-term analysis, you must configure diagnostic settings to route the Activity Log to a Log Analytics workspace (for querying) or an Azure Storage account (for archival). This is the only native mechanism to extend retention and enable long-term analysis.

Exam trap

The trap here is that candidates confuse the built-in 90-day retention of the Activity Log with the ability to extend it, mistakenly thinking a lock or other resource configuration can preserve the data, when only diagnostic settings provide the export and retention control needed.

How to eliminate wrong answers

Option B is wrong because a ReadOnly lock prevents accidental deletion or modification of resources but does not extend data retention or enable long-term analysis of Activity Log data. Option C is wrong because an availability set is a VM high-availability configuration that groups VMs to protect against rack-level failures; it has no relation to log retention or analysis. Option D is wrong because NSG flow logs capture IP traffic data for network security groups, not Azure Activity Log events; they are used for network monitoring, not subscription-level operational auditing.

119
Multi-Selectmedium

A troubleshooting team wants to investigate a storage account write failure and subscription-level role assignment changes in a single Log Analytics workspace. They want to ingest only the telemetry needed for those investigations. Which two sources should they enable? Select two.

Select 2 answers
A.Configure diagnostic settings on the storage account to send resource logs to the workspace.
B.Export the subscription Azure Activity log to the same workspace.
C.Enable guest-level Windows event collection on a random virtual machine.
D.Turn on NSG flow logs for every subnet in the subscription.
E.Use Azure Advisor recommendations as the source of telemetry.
AnswersA, B

Storage diagnostic settings send the account's resource logs into Log Analytics for later querying and correlation.

Why this answer

Option A is correct because diagnostic settings on a storage account can be configured to send resource logs (such as storage write operations, including details of failed writes) to a Log Analytics workspace. This allows the team to investigate write failures directly from the storage account's telemetry.

Exam trap

The trap here is that candidates may confuse Azure Activity Logs (which are subscription-level and include role assignment changes) with Azure resource logs (which are resource-specific), and may incorrectly think that NSG flow logs or VM guest logs are needed for storage or role change investigations.

120
Multi-Selecteasy

A storage account's platform logs must be searchable later with KQL in a central workspace. Which two actions should the administrator take? Select two.

Select 2 answers
A.Create a diagnostic setting on the storage account
B.Configure a NAT gateway on the storage subnet
C.Send the logs to a Log Analytics workspace
D.Assign the Reader role on the subscription
E.Enable a VM backup policy
AnswersA, C

Diagnostic settings tell Azure which resource logs and metrics to export from the storage account.

Why this answer

Option A is correct because a diagnostic setting on the storage account is required to route platform logs (e.g., storage read/write/delete operations) to a destination. Option C is correct because a Log Analytics workspace is the destination that enables KQL-based searching and analysis of those logs. Without both, the logs cannot be stored in a central, queryable repository.

Exam trap

The trap here is that candidates may think simply enabling logging on the storage account (e.g., via the 'Logging' blade) is sufficient, but without a diagnostic setting and a Log Analytics workspace destination, the logs are not searchable with KQL in a central workspace.

121
Multi-Selectmedium

You are responsible for managing a large Azure environment with multiple subscriptions. You need to ensure compliance with company policies by auditing resource changes and enabling automated remediation for non-compliant resources. Which three of the following Azure services or features should you use? (Choose three.)

Select 3 answers
.Azure Policy to define and enforce rules for resource configurations.
.Azure Activity Log to record and review all management operations on resources.
.Azure Automation with runbooks to automatically remediate non-compliant resources.
.Azure Security Center (Defender for Cloud) to monitor for security threats.
.Azure Resource Graph to query and visualize resource properties across subscriptions.
.Azure Blueprints to package and deploy environment definitions.

Why this answer

Azure Policy is correct because it allows you to define and enforce rules for resource configurations, ensuring compliance with company policies. The Activity Log is correct because it records all management operations, providing an audit trail for resource changes. Azure Automation with runbooks is correct because it can be triggered by Azure Policy or Activity Log alerts to automatically remediate non-compliant resources, such as stopping an unapproved VM or applying a required tag.

Exam trap

The trap here is that candidates often confuse Azure Policy with Azure Blueprints, thinking Blueprints provides ongoing auditing, when in fact Blueprints is only for initial deployment and does not monitor or remediate changes after deployment.

122
MCQhard

After a bad script ran, one file at C:\Finance\Q4.xlsx was deleted from a Windows VM. The VM is still running, and the team wants only that file restored without replacing the operating system disk or restarting the VM. What should the administrator use from Azure Backup?

A.Restore the entire VM to a new instance so the deleted file comes back automatically.
B.Perform a file-level restore from the recovery point and copy only the missing file back.
C.Restore the managed disks and replace the existing disks on the running VM.
D.Use Azure Monitor logs to reconstruct the file because the backup vault stores telemetry.
AnswerB

File-level restore is the correct Azure Backup workflow when only a specific file or folder must be recovered. The administrator mounts the recovery point, browses the backed-up file system, and copies back the missing file without replacing disks or redeploying the VM. This keeps the running server intact and minimizes recovery time and operational risk. It is the least disruptive way to recover a single deleted file.

Why this answer

Azure Backup for Azure VMs supports file-level restore (FLR) from recovery points without requiring a full VM restore or disk replacement. This allows you to mount the recovery point as a drive on the running VM, browse the file system, and copy only the missing file (C:\Finance\Q4.xlsx) back to its original location. The VM remains online and no OS disk replacement or restart is needed.

Exam trap

The trap here is that candidates often assume file-level restore requires the VM to be stopped or that only full VM or disk restore options are available, but Azure Backup's file-level restore feature is specifically designed for granular recovery on a running VM.

How to eliminate wrong answers

Option A is wrong because restoring the entire VM to a new instance would create a separate VM, not restore the file to the existing running VM, and it would incur unnecessary cost and complexity. Option C is wrong because restoring managed disks and replacing the existing disks on the running VM would require stopping the VM, detaching the old disks, and attaching the restored disks, which violates the requirement of not restarting the VM. Option D is wrong because Azure Monitor logs do not store file content or telemetry from backup vaults; they collect metrics and logs for monitoring, not file-level data for reconstruction.

123
MCQmedium

Based on the exhibit, the team wants a single notification setup that can be reused by several alert rules across different subscriptions. What should the administrator create?

A.A Log Analytics workspace with custom tables
B.An action group
C.A management group
D.A resource lock
AnswerB

An action group centralizes notification and automation actions and can be linked to many alerts. That makes it the correct reusable mechanism for email, SMS, and webhook delivery across multiple alert rules and subscriptions.

Why this answer

An action group is the correct choice because it is a reusable Azure Monitor resource that defines notification preferences (e.g., email, SMS, webhook, ITSM) and can be associated with multiple alert rules across different subscriptions. This allows the team to create a single notification setup once and reference it from any alert rule, ensuring consistent notification behavior without duplicating configuration.

Exam trap

The trap here is that candidates often confuse management groups (which organize subscriptions) with action groups (which handle notifications), mistakenly thinking a management group can centralize alert notifications across subscriptions when it cannot.

How to eliminate wrong answers

Option A is wrong because a Log Analytics workspace with custom tables is used for collecting, storing, and querying log data, not for defining notification actions; it cannot be directly reused as a notification setup for alert rules. Option C is wrong because a management group is a hierarchical container for organizing and managing access, policies, and compliance across multiple subscriptions, but it does not provide notification or action capabilities for alerts. Option D is wrong because a resource lock prevents accidental deletion or modification of resources, but it has no role in configuring alert notifications or actions.

124
MCQhard

Your company wants to know when an Azure service outage in the region might affect subscribed resources, even if no metric threshold has been crossed yet. Which alert type should you configure?

A.A metric alert
B.A Service Health alert
C.A budget alert
D.A boot diagnostics alert
AnswerB

Service Health alerts notify you about Azure service issues, planned maintenance, and health advisories relevant to your subscription.

Why this answer

Service Health alerts are designed to notify you about Azure service incidents, maintenance, health advisories, and security advisories that may impact your subscribed resources. Unlike metric alerts, they trigger based on Azure's own health status rather than any metric threshold you configure, making them ideal for detecting region-wide outages before they affect your specific metrics.

Exam trap

The trap here is that candidates often confuse metric alerts (which require a threshold) with Service Health alerts (which are event-driven from Azure's own health signals), leading them to choose metric alerts when the question explicitly states 'no metric threshold has been crossed yet.'

How to eliminate wrong answers

Option A is wrong because metric alerts monitor specific resource metrics (e.g., CPU percentage, memory usage) and only fire when a defined threshold is crossed; they cannot detect an Azure service outage that hasn't yet impacted those metrics. Option C is wrong because budget alerts are part of Cost Management and track spending against a defined budget, not service health or outages. Option D is wrong because boot diagnostics alerts are specific to virtual machine boot failures and are not designed to monitor Azure service health or regional outages.

125
MCQeasy

Based on the exhibit, you need to return only the failed operations from the log entries. Which KQL query should you use?

A.AzureActivity | where ActivityStatusValue == "Failed" | project TimeGenerated, OperationName, Caller
B.AzureActivity | summarize count() by Caller
C.AzureActivity | top 10 by TimeGenerated
D.AzureActivity | where ActivityStatusValue == "Succeeded"
AnswerA

This filters the table to failed rows and keeps the useful columns for review.

Why this answer

Option A is correct because the KQL query filters the AzureActivity table using the `where` clause to return only rows where `ActivityStatusValue` equals 'Failed', then projects the relevant columns `TimeGenerated`, `OperationName`, and `Caller`. This directly meets the requirement to return only failed operations from the log entries.

Exam trap

The trap here is that candidates may confuse the `ActivityStatusValue` field with other status fields like `Status` or `ResultType`, or mistakenly choose an aggregation query (Option B) that summarizes data without filtering, failing to meet the precise requirement to return only failed operations.

How to eliminate wrong answers

Option B is wrong because it uses `summarize count() by Caller`, which aggregates the total number of operations per caller without filtering for failed operations, thus returning counts for all statuses. Option C is wrong because it uses `top 10 by TimeGenerated`, which returns the ten most recent log entries regardless of their status, failing to isolate failed operations. Option D is wrong because it filters for `ActivityStatusValue == "Succeeded"`, which explicitly returns only successful operations, the opposite of what is required.

126
MCQmedium

You need to notify the security team whenever anyone deletes a resource group in the subscription. Which alert type should you configure?

A.A metric alert on CPU percentage
B.A budget alert
C.An activity log alert
D.A log alert based only on guest OS event logs
AnswerC

This targets Azure control-plane events such as deletions.

Why this answer

Option C is correct because an activity log alert monitors subscription-level events recorded in the Azure Activity Log, including resource group deletion operations. When a user deletes a resource group, the 'Microsoft.Resources/subscriptions/resourceGroups/delete' operation is logged, and an activity log alert can be configured to trigger on that specific operation, sending notifications to the security team.

Exam trap

The trap here is that candidates often confuse activity log alerts with log alerts based on guest OS logs, not realizing that resource group deletions are control-plane events captured in the Activity Log, not in guest OS event logs.

How to eliminate wrong answers

Option A is wrong because a metric alert on CPU percentage monitors performance metrics of Azure resources (like VMs or App Services) and cannot detect administrative operations such as resource group deletions. Option B is wrong because a budget alert is designed to notify when spending exceeds a defined cost threshold, not to track resource management actions like deletions. Option D is wrong because a log alert based only on guest OS event logs monitors logs from within a virtual machine's operating system and cannot capture Azure subscription-level control-plane events like resource group deletions.

127
MCQhard

Your operations team needs to run Kusto queries across collected sign-in logs, VM performance counters, and Azure Activity Log data in a central location. What should you deploy?

A.A Log Analytics workspace
B.An availability zone
C.A NAT gateway
D.A standard public IP address
AnswerA

This is the service designed for centralized log retention and KQL-based analysis.

Why this answer

A Log Analytics workspace is the central repository in Azure that ingests and stores diagnostic data from multiple sources, including sign-in logs (Azure AD), VM performance counters (Azure Monitor for VMs), and Azure Activity Logs. It supports Kusto Query Language (KQL) for running complex queries across all collected data, making it the correct choice for this requirement.

Exam trap

The trap here is that candidates may confuse a Log Analytics workspace with other networking or compute resources, thinking a NAT gateway or public IP is needed for data ingestion, when in fact Azure Monitor agents and diagnostic settings send data directly to the workspace without requiring public internet exposure.

How to eliminate wrong answers

Option B is wrong because an availability zone is a physically separate datacenter within an Azure region used for high availability and disaster recovery, not a data storage or query service. Option C is wrong because a NAT gateway provides outbound internet connectivity for virtual networks, not a location for storing or querying logs. Option D is wrong because a standard public IP address is a static IP resource for inbound/outbound communication, not a data repository or query engine.

128
Multi-Selecteasy

A team needs an alert that emails the operations group whenever a VM's average CPU percentage stays above 85% for 10 minutes. Which two Azure Monitor components must you configure? Select two.

Select 2 answers
A.A metric alert rule on the VM CPU metric
B.An action group with an email receiver
C.A Recovery Services vault
D.A private endpoint for the virtual machine
E.A blob lifecycle management policy
AnswersA, B

This defines the threshold condition that Azure Monitor evaluates against the VM's CPU metric.

Why this answer

A metric alert rule on the VM CPU metric is required because it continuously monitors the 'Percentage CPU' metric and triggers when the average value exceeds 85% for a duration of 10 minutes. This rule evaluates the condition using the aggregation type 'Average' and the window size set to PT10M (ISO 8601 format). Without this rule, no alert condition exists to detect the threshold breach.

Exam trap

The trap here is that candidates often forget that an action group (with email, SMS, or webhook receivers) is a separate, required component that must be linked to the metric alert rule to actually send the notification; without it, the alert rule fires but no one gets emailed.

129
MCQmedium

Based on the exhibit, the VM backup item was accidentally deleted from the vault yesterday, but the VM itself still exists. What should you do to resume protection with the existing backup item?

A.Delete the VM and recreate it so the backup can start again.
B.Recover or undelete the backup item from the vault before the soft-delete retention expires.
C.Create a new action group so the vault can re-enable protection.
D.Disable diagnostic settings on the vault and then re-enable them.
AnswerB

Because soft delete is enabled and the retention window is still open, the deleted backup item can be recovered from the Recovery Services vault. Undeleting the item restores the backup relationship without requiring a new protection configuration or a rebuild of the VM.

Why this answer

Azure Backup uses soft-delete for backup items, which retains deleted backup data for 14 days by default. Since the backup item was accidentally deleted yesterday, it is still in the soft-delete state and can be recovered or undeleted from the vault before the retention period expires. Once recovered, protection can be resumed on the existing VM without data loss or reconfiguration.

Exam trap

The trap here is that candidates may think deleting a backup item permanently removes all data, but Azure Backup's soft-delete feature retains the data for 14 days, allowing recovery without recreating the VM or backup configuration.

How to eliminate wrong answers

Option A is wrong because deleting and recreating the VM is unnecessary and would cause downtime; the existing VM can be protected again by recovering the soft-deleted backup item. Option C is wrong because action groups are used for alerting and notifications, not for enabling backup protection on a vault. Option D is wrong because diagnostic settings control logging and monitoring of the vault, not the recovery or re-enabling of backup items.

130
MCQmedium

You want Azure to identify security improvements, underutilized resources, and cost-saving opportunities across your subscriptions. Which Azure service should you use?

A.Azure Advisor
B.Azure Policy
C.Azure Backup
D.Virtual network peering
AnswerA

Azure Advisor provides optimization and best-practice recommendations.

Why this answer

Azure Advisor is the correct service because it provides personalized recommendations across five categories: Reliability, Security, Performance, Operational Excellence, and Cost. It analyzes your deployed resources and usage patterns to identify security improvements (e.g., missing network security groups), underutilized resources (e.g., idle virtual machines), and cost-saving opportunities (e.g., reserved instance purchases). This aligns directly with the question's requirement for a unified service that delivers these insights across subscriptions.

Exam trap

The trap here is that candidates confuse Azure Advisor's proactive recommendations with Azure Policy's reactive compliance enforcement, mistakenly thinking Policy can identify underutilized resources or cost-saving opportunities when it only enforces rules.

How to eliminate wrong answers

Option B is wrong because Azure Policy is a governance tool that enforces compliance rules (e.g., tagging requirements, allowed SKUs) across resources, but it does not analyze usage patterns or provide cost-saving or security improvement recommendations. Option C is wrong because Azure Backup is a data protection service for creating and managing backup policies for Azure resources (e.g., VMs, SQL databases), not for identifying underutilized resources or cost-saving opportunities. Option D is wrong because Virtual network peering is a networking feature that connects two Azure virtual networks for direct traffic routing, with no capability to analyze resource utilization or provide security or cost recommendations.

131
MCQmedium

A developer deleted a single configuration file on a Windows Azure VM. The administrator wants to restore only that file from the latest backup without replacing the entire VM. Which restore workflow should be used?

A.Restore the entire VM to a new instance
B.Use file recovery from the backup item
C.Create a new storage account and copy the file from there
D.Enable a resource lock on the VM
AnswerB

File recovery lets an administrator mount the backup content and copy back only the deleted file or folder. That is the most efficient option when the VM itself is healthy and only a small set of files needs to be recovered. It avoids downtime and avoids replacing the whole virtual machine or disk set.

Why this answer

Option B is correct because Azure Backup provides file-level recovery for Azure VMs using the 'File Recovery' feature. This allows you to mount the recovery point as a drive on the VM (or another machine) and copy individual files without restoring the entire VM. It uses iSCSI to present the backup snapshot directly to the VM for granular file access.

Exam trap

The trap here is that candidates may assume file-level recovery is not possible with Azure VM backups and choose the full VM restore option, not realizing that Azure Backup supports granular file recovery via iSCSI mounting.

How to eliminate wrong answers

Option A is wrong because restoring the entire VM to a new instance would replace the entire VM and is overkill for a single file, incurring unnecessary time and cost. Option C is wrong because creating a new storage account and copying the file from there does not leverage Azure Backup's recovery points; the file is not directly accessible from a storage account without restoring the backup first. Option D is wrong because enabling a resource lock on the VM prevents accidental deletion or modification but does not provide any file restoration capability.

132
MCQ · hard

Several Azure Monitor alerts across different subscriptions must notify the same on-call group by email, SMS, and webhook whenever they fire. The operations team wants to define the notification target once and reuse it from future metric alerts, log alerts, and activity log alerts. What should be created?

A. An action group that can be attached to multiple Azure Monitor alert rules.
B. A metric alert with the same threshold applied to every resource that needs notification.
C. A diagnostic setting on each resource so the contact list is stored with the logs.
D. A Log Analytics workbook used as the shared notification destination.
Answer: A

An action group is the reusable notification target in Azure Monitor. You define the recipients and actions once, then attach that action group to any metric, log, or activity log alert that should notify the same people. This separates alert detection from alert delivery, which keeps the design consistent across subscriptions and reduces repeated configuration. It is the right feature when the notification method must be shared broadly.

Why this answer

An action group in Azure Monitor is the correct solution because it defines a reusable collection of notification channels (email, SMS, webhook) that can be attached to multiple alert rules across different subscriptions. This allows the operations team to define the on-call group notification target once and reuse it for metric alerts, log alerts, and activity log alerts, ensuring consistent notification behavior.

Exam trap

The trap here is that candidates confuse alert rules (which define the condition to trigger) with action groups (which define the notification destination), leading them to select a metric alert or diagnostic setting instead of the reusable notification container.

How to eliminate wrong answers

Option B is wrong because a metric alert is a type of alert rule that triggers based on a metric threshold, not a notification target; it cannot be reused across different alert types or subscriptions to define the same contact list. Option C is wrong because a diagnostic setting is used to stream resource logs to destinations like Log Analytics or storage, not to define notification contacts for alert rules. Option D is wrong because a Log Analytics workbook is a visualization and analysis tool for querying log data, not a mechanism for routing alert notifications via email, SMS, or webhook.

133
MCQ · easy

Based on the exhibit, what should the administrator configure so the operations team receives an email when the VM's average CPU stays above 80% for 10 minutes?

A. Create a diagnostic setting on the VM and send platform logs to Log Analytics.
B. Create an action group and attach it to the metric alert rule.
C. Assign a Reader role to the operations team on the VM resource.
D. Enable a resource lock on the VM to prevent CPU spikes.
Answer: B

An action group is the Azure Monitor component that delivers notifications or runs automation when an alert fires. The metric alert already defines the CPU condition, so the missing piece is the action group to email the operations team. Once linked, the alert can evaluate continuously and send the required notification whenever the threshold is met.

Why this answer

To send an email when a metric threshold is breached, you must first create an action group that defines the notification action (e.g., email, SMS). Then, when configuring the metric alert rule for 'Percentage CPU' with a condition of 'greater than 80%' for 10 minutes, you attach that action group to the alert rule. This ensures that when the alert fires, the defined email notification is sent to the operations team.

Exam trap

The trap here is that candidates confuse diagnostic settings (which send data to a destination) with alert rules (which evaluate conditions and trigger notifications), leading them to pick Option A even though it does not include the action group needed for email delivery.

How to eliminate wrong answers

Option A is wrong because a diagnostic setting sends platform logs and metrics to a Log Analytics workspace for analysis, but it does not directly trigger email notifications; you would still need an alert rule with an action group to send the email. Option C is wrong because assigning the Reader role grants read-only access to the VM's properties and metrics, but it does not configure any alerting or notification mechanism. Option D is wrong because a resource lock prevents accidental deletion or modification of the VM, but it has no effect on CPU usage or alerting; it cannot prevent CPU spikes or send notifications.

134
Matching · medium

A backup engineer is reviewing policy-related settings in a Recovery Services vault. Match each backup setting to the behavior it controls.

Determines when the VM backup job runs, such as daily at a specific time.

Determines how long a recovery point is kept before it expires.

Keeps short-term snapshots available for quick restores before they age out.

Preserves deleted backup data for a recovery window instead of removing it immediately.

Represents the protected VM that is registered in the vault.

Why these pairings

Backup frequency sets how often; retention range sets how long; snapshot retention keeps local copy; schedule sets time; tier defines storage type; alerts notify on issues.

135
MCQ · hard

An organization must retain Azure Key Vault audit data for 18 months, search the data in Log Analytics, and keep a second copy if the workspace retention policy is later shortened. The operations team already has an action group for notifications. What should be configured on the Key Vault?

A. Create an activity log alert and point it at the existing action group.
B. Create a diagnostic setting that streams AuditEvent logs to Log Analytics and a storage account.
C. Create a metric alert on the Key Vault and archive the alert history.
D. Enable only resource metrics and rely on workspace retention for compliance.
Answer: B

A diagnostic setting on the Key Vault can export resource logs to Log Analytics for querying and also to a storage account for durable retention. That meets both investigation and long-term preservation requirements. The action group can still be used separately for notifications, but it does not replace the log collection path. This is the only option that addresses both searchable telemetry and an independent retained copy.

Why this answer

Option B is correct because Azure Key Vault audit data is captured via the AuditEvent category in diagnostic settings. By configuring a diagnostic setting to stream AuditEvent logs to both a Log Analytics workspace (for querying and long-term retention up to 18 months) and a storage account (for a second copy independent of workspace retention policy changes), the organization meets all requirements. The existing action group is not needed for this data retention and search scenario.

Exam trap

The trap here is that candidates confuse activity log alerts or metric alerts with diagnostic settings, not realizing that audit data retention and search require streaming the AuditEvent category to Log Analytics and a storage account, not just monitoring or metrics.

How to eliminate wrong answers

Option A is wrong because activity log alerts monitor operational events on the Azure resource (e.g., key vault creation or deletion), not the AuditEvent log data itself, and they do not provide retention or secondary copy capabilities. Option C is wrong because metric alerts on Key Vault track performance metrics (e.g., latency, requests), not audit logs, and archiving alert history does not retain the raw AuditEvent data for 18 months. Option D is wrong because resource metrics alone do not include AuditEvent logs, and relying solely on workspace retention fails to provide a second copy if the retention policy is later shortened.

136
MCQ · hard

Your company needs to retain Azure Activity Log data longer than the built-in retention period and make it available for future analysis. What should you configure?

A. Diagnostic settings for the Activity Log
B. A CanNotDelete lock on the subscription
C. An availability set
D. An NSG flow log only
Answer: A

Diagnostic settings export Activity Log data to destinations that support longer retention and analysis.

Why this answer

Azure Activity Log has a default retention period of 30 days for Standard tier subscriptions and 90 days for others. To retain data longer, you must configure diagnostic settings to stream the Activity Log to a Log Analytics workspace (for long-term querying) or to an Azure Storage account (for archival). Diagnostic settings allow you to define the retention duration beyond the built-in limit, enabling future analysis.

Exam trap

The trap here is that candidates confuse the default retention period of the Activity Log with the ability to extend it, mistakenly thinking locks or other resource configurations can preserve log data, when only diagnostic settings enable long-term retention and export.

How to eliminate wrong answers

Option B is wrong because a CanNotDelete lock prevents accidental deletion of the subscription or its resources but does not extend data retention or capture Activity Log data. Option C is wrong because an availability set is a logical grouping of VMs to ensure high availability during maintenance or failures; it has no role in log retention or monitoring. Option D is wrong because an NSG flow log captures IP traffic flowing through a Network Security Group, not the subscription-level Activity Log events; it is used for network security analysis, not for retaining Activity Log data.

137
MCQ · easy

Based on the exhibit, what should the administrator change if the business wants backups to be kept for 30 days instead of 7 days?

A. Change the backup schedule from daily to hourly.
B. Increase the retain daily backup points setting to 30 days.
C. Increase the instant recovery snapshot retention to 30 days.
D. Enable a CanNotDelete lock on the Recovery Services vault.
Answer: B

The requirement is about how long daily recovery points are kept, not how often backups run. The policy setting that controls that is the retention value for daily backup points. Updating it from 7 days to 30 days keeps the restore points available for the required period while leaving the backup schedule unchanged.

Why this answer

The backup retention policy in Azure Backup is configured via the 'Retain daily backup points' setting, which specifies how many days daily recovery points are kept. To change retention from 7 to 30 days, the administrator must increase this value to 30. This directly controls the lifespan of daily backups in the Recovery Services vault.

Exam trap

The trap here is confusing 'instant recovery snapshot retention' (short-term local snapshots) with 'daily backup point retention' (long-term vault retention), leading candidates to incorrectly select option C.

How to eliminate wrong answers

Option A is wrong because changing the backup schedule from daily to hourly affects the frequency of backups, not the retention duration; hourly backups would create more points but still expire based on the retention setting. Option C is wrong because instant recovery snapshot retention controls how long the local snapshot (used for fast restores) is kept before being deleted, not the overall backup retention in the vault. Option D is wrong because a CanNotDelete lock prevents accidental deletion of the Recovery Services vault but does not affect backup retention policies.

138
MCQ · medium

You need to send an email whenever CPU utilization on VM-Prod01 exceeds 90 percent for 15 minutes. Which Azure Monitor components should you configure?

A. A metric alert and an action group
B. An activity log alert only
C. A resource lock and Azure Advisor
D. A budget alert and a private endpoint
Answer: A

A metric alert detects the threshold breach and the action group sends the email notification.

Why this answer

A metric alert monitors a specific resource metric (like CPU utilization) and triggers when a condition (e.g., >90%) is met for a given duration (15 minutes). An action group defines the notification or remediation action (e.g., sending an email). Together, they fulfill the requirement to send an email when CPU utilization exceeds 90% for 15 minutes.

Exam trap

The trap here is confusing activity log alerts (which monitor control-plane events) with metric alerts (which monitor performance data), leading candidates to incorrectly select an activity log alert for CPU utilization monitoring.

How to eliminate wrong answers

Option B is wrong because an activity log alert monitors changes to Azure resources (e.g., VM creation, deletion, or configuration changes) and cannot track performance metrics like CPU utilization. Option C is wrong because a resource lock prevents accidental deletion or modification of resources, and Azure Advisor provides optimization recommendations; neither monitors metrics nor sends alerts. Option D is wrong because a budget alert monitors cost thresholds, not performance metrics, and a private endpoint enables secure network connectivity to Azure services, not alerting.

139
MCQ · medium

The operations team wants an email and SMS notification whenever any production virtual machine's average CPU stays above 85 percent for 10 minutes. They also want to reuse the same notification targets for future alerts. What should they configure?

A. A diagnostic setting on each VM that sends metrics to a storage account
B. An action group attached to a metric alert rule
C. A Log Analytics query alert with no notification target
D. A resource lock on the virtual machines
Answer: B

An action group centralizes the email and SMS targets, and a metric alert can evaluate CPU percentage over a 10-minute window. Linking the alert to the action group gives the team reusable notifications for future monitoring rules without recreating contact information each time.

Why this answer

Option B is correct because an action group in Azure Monitor defines the notification targets (email, SMS, etc.) for alerts, and a metric alert rule can be configured to trigger when the average CPU percentage exceeds 85% for 10 minutes. By attaching the same action group to multiple alert rules, the operations team can reuse the notification targets for future alerts without reconfiguring them each time.

Exam trap

The trap here is that candidates often confuse diagnostic settings (which only export data) with alert rules that require an action group to deliver notifications, or they mistakenly think a resource lock can provide monitoring capabilities.

How to eliminate wrong answers

Option A is wrong because a diagnostic setting that sends metrics to a storage account only archives data for later analysis; it does not generate real-time notifications via email or SMS. Option C is wrong because a Log Analytics query alert without a notification target cannot send any alerts; it requires an action group to deliver notifications. Option D is wrong because a resource lock prevents accidental deletion or modification of resources but has no capability to monitor performance metrics or send notifications.

140
MCQ · easy

A user accidentally deleted a file from an Azure VM. The administrator wants to recover only the deleted file from the most recent backup instead of restoring the entire VM. What should the administrator use?

A. File recovery from the Azure Backup restore process
B. A new VM image
C. A metric alert
D. An NSG flow log
Answer: A

File recovery lets the administrator mount or browse backup data and restore only the needed files instead of the full VM.

Why this answer

Azure Backup's file-level recovery (also known as item-level restore) allows you to recover individual files or folders from a VM backup point without restoring the entire VM. This is achieved by mounting the recovery point as a drive on the same or another VM, enabling direct file copy. Option A is correct because this feature is specifically designed for granular recovery of deleted files from the most recent backup.

Exam trap

The trap here is that candidates may confuse Azure Backup's full VM restore with its file-level recovery capability, assuming that only a complete VM restore is possible from a backup.

How to eliminate wrong answers

Option B is wrong because creating a new VM image would require building a fresh VM from a generalized image, which does not recover the specific deleted file and would not leverage the existing backup. Option C is wrong because a metric alert monitors performance metrics (e.g., CPU, memory) and triggers notifications; it has no capability to recover files. Option D is wrong because an NSG flow log records IP traffic through a Network Security Group for auditing and analysis; it cannot restore deleted files.

141
MCQ · easy

Your team wants every protected Azure VM in a vault to be backed up once each day and kept for 30 days. Which Recovery Services vault setting should you configure?

A. A diagnostic setting
B. A resource lock
C. A backup policy
D. An action group
Answer: C

A backup policy defines when backups run and how long recovery points are retained, which matches the daily backup and 30-day retention requirement.

Why this answer

A backup policy defines the frequency and retention duration for backups. By configuring a backup policy with a daily backup schedule and a retention period of 30 days, you ensure that each protected Azure VM in the Recovery Services vault is backed up once per day and the backups are kept for 30 days. This is the correct setting to meet the team's requirements.

Exam trap

The trap here is that candidates may confuse a backup policy with other vault settings like diagnostic settings or resource locks, thinking they control backup frequency or retention, when in fact only the backup policy directly defines the schedule and retention for protected items.

How to eliminate wrong answers

Option A is wrong because a diagnostic setting is used to stream or export resource logs and metrics to destinations like Log Analytics, Storage, or Event Hubs, not to define backup schedules or retention. Option B is wrong because a resource lock prevents accidental deletion or modification of the Recovery Services vault itself, but does not control backup frequency or retention duration. Option D is wrong because an action group defines notifications and actions (e.g., email, SMS, webhook) triggered by alerts, not backup scheduling or retention policies.

142
Multi-Select · hard

A backup operations team exports Recovery Services vault logs to Log Analytics. They need a query that returns only failed backup jobs from the last 24 hours and displays just the vault name, protected item name, and error description. Which two KQL operators should the query include? Select two.

Select 2 answers
A. where
B. project
C. summarize
D. join
E. extend
Answers: A, B

Where filters rows so the query returns only failed jobs from the last 24 hours.

Why this answer

The `where` operator filters the Log Analytics data to include only rows where the backup job status equals 'Failed' and the timestamp falls within the last 24 hours. This is essential for narrowing down the dataset to the specific failed jobs the team needs.

Exam trap

The trap here is that candidates often confuse `extend` with `project`—both can manipulate columns, but only `project` drops all unlisted columns, while `extend` keeps all original columns and adds new ones, failing to limit the output to the required fields.

143
MCQ · medium

Based on the exhibit, a backup administrator accidentally stopped protection for a critical VM and then deleted its backup item. The team wants Azure Backup to retain the deleted item long enough to recover it after the mistake is discovered the next day. What should be enabled on the vault?

A. Soft delete for backup data
B. A read-only resource lock on the VM
C. A network security group rule allowing port 445
D. Instant restore snapshots set to 30 days
Answer: A

Soft delete keeps deleted backup data recoverable for a grace period, which is exactly what the team needs after a mistaken deletion is discovered later. It provides protection against accidental loss of backup items.

Why this answer

Soft delete for backup data is the correct answer because it provides a safety net for accidentally deleted backup items. When enabled, Azure Backup retains deleted backup data for an additional 14 days (default) in a soft-deleted state, allowing administrators to recover the data before it is permanently purged. This directly addresses the scenario where protection was stopped and the backup item was deleted, as the data remains recoverable within the retention period.

Exam trap

The trap here is that candidates may confuse soft delete for backup data with resource locks or network security rules, mistakenly thinking that protecting the VM itself or enabling network access will preserve deleted backup items, when in fact only the vault-level soft delete feature retains the backup data after deletion.

How to eliminate wrong answers

Option B is wrong because a read-only resource lock on the VM prevents modifications to the VM itself but does not protect backup data stored in the Recovery Services vault; it has no effect on backup items or their deletion. Option C is wrong because a network security group rule allowing port 445 is used for SMB file sharing or replication traffic, not for backup recovery or retention of deleted backup items. Option D is wrong because instant restore snapshots set to 30 days control how long the VM snapshot is retained for faster restore operations, but they do not protect against accidental deletion of the backup item or extend the retention period for deleted data.

144
Multi-Select · easy

You need to monitor CPU on a small set of VMs while keeping ingestion costs low. Which two actions are the best choices? Select two.

Select 2 answers
A. Use Azure Monitor platform metrics for CPU instead of collecting guest logs
B. Collect only the required diagnostic categories and performance counters
C. Collect all Windows event logs from every VM
D. Create a separate workspace for each VM
E. Enable verbose guest logging on every server
Answers: A, B

Platform metrics are built in and usually cheaper than sending extra guest log data.

Why this answer

Azure Monitor platform metrics for CPU are collected automatically from the Azure VM host at no additional cost, providing basic CPU utilization data without requiring the Log Analytics agent or incurring data ingestion charges. This approach keeps costs low because platform metrics are included in the Azure Monitor pricing, whereas guest-level metrics require log ingestion and storage fees. For a small set of VMs where only CPU monitoring is needed, platform metrics are sufficient and cost-effective.

Exam trap

The trap here is that candidates often assume guest-level logging is required for CPU monitoring, but Azure Monitor platform metrics already provide host-level CPU data at no extra cost, making options like verbose logging or full event collection unnecessary and costly.

145
MCQ · medium

A storage account is failing writes, and the team also wants to correlate those errors with subscription-level changes such as role assignments or deployments. What should the administrator configure?

A. Rotate the storage account keys and review access from the portal activity feed.
B. Create diagnostic settings on the storage account and the subscription that send logs to the same Log Analytics workspace.
C. Place the storage account behind an availability set so writes remain available during maintenance.
D. Enable a service endpoint from the application subnet and check whether the firewall blocks the writes.
Answer: B

Diagnostic settings are the correct mechanism for exporting both resource logs and subscription Activity log events to Log Analytics. Putting them in the same workspace lets the team correlate storage failures with changes such as deployments or role assignments in one KQL query.

Why this answer

Option B is correct because diagnostic settings on both the storage account and the subscription can stream platform logs (e.g., StorageWrite failures) and activity logs (e.g., role assignments, deployments) to the same Log Analytics workspace. This enables correlated queries across resource-level operational issues and subscription-level changes, allowing the administrator to identify if a recent role assignment or deployment caused the write failures.

Exam trap

The trap here is that candidates may think the Activity Log alone (Option A) is sufficient for correlation, but it lacks the resource-level diagnostic data needed to see the actual write failures, while diagnostic settings to a common Log Analytics workspace provide the necessary cross-layer query capability.

How to eliminate wrong answers

Option A is wrong because rotating storage account keys does not help correlate write failures with subscription-level changes; it only regenerates access keys, and the portal activity feed shows management-plane operations but not correlated analysis with storage diagnostics. Option C is wrong because an availability set is a virtual machine high-availability construct that does not apply to storage accounts; storage accounts are inherently redundant and not placed in availability sets. Option D is wrong because enabling a service endpoint and checking firewall rules addresses network access issues, not the correlation of write failures with subscription-level changes like role assignments or deployments.

146
MCQ · hard

You need to keep Azure activity log data for longer than the default retention period and make it available for analysis. What should you configure?

A. Diagnostic settings for the activity log
B. A resource lock on the subscription
C. An availability zone
D. A scale set autoscale policy
Answer: A

Diagnostic settings let you send activity log data to supported destinations for retention and analysis.

Why this answer

The default retention period for Azure activity logs is 90 days. To retain activity log data beyond this period and make it available for analysis (e.g., in a Log Analytics workspace, storage account, or Event Hubs), you must configure diagnostic settings for the activity log. This allows you to stream the log data to a destination of your choice, where you can set custom retention policies.

Exam trap

The trap here is that candidates often confuse the default retention period (90 days) with the ability to extend it via simple settings, not realizing that diagnostic settings are required to route the data to a persistent destination for longer retention and analysis.

How to eliminate wrong answers

Option B is wrong because a resource lock prevents accidental deletion or modification of resources but does not affect log retention or data availability. Option C is wrong because an availability zone is a physically separate datacenter within an Azure region used for high availability and disaster recovery, not for log retention or analysis. Option D is wrong because a scale set autoscale policy automatically adjusts the number of VM instances based on demand, which has no relation to activity log data retention or analysis.

147
MCQ · easy

Based on the exhibit, which Azure feature should the administrator use to track this kind of platform-wide service issue?

A. Service Health, because it reports Azure platform incidents that affect customers in a region.
B. Resource Health, because it shows whether a specific virtual machine is healthy or unavailable.
C. Activity Log, because it lists every administrative action taken in the subscription.
D. Azure Advisor, because it gives recommendations to improve the virtual machine configuration.
Answer: A

Service Health is the right source for official Azure platform incidents and advisories. It tells administrators when a Microsoft-managed service is having a regional or global issue that may affect their resources.

Why this answer

Service Health is the correct feature because it provides a personalized dashboard of all Azure service incidents, planned maintenance, and health advisories that impact the customer's subscriptions and regions. It aggregates platform-wide issues (e.g., regional outages or degradation) that Azure engineering has confirmed, making it the appropriate tool for tracking a platform-wide service issue affecting multiple resources in a region.

Exam trap

The trap here is that candidates confuse Resource Health (which shows the health of a single resource) with Service Health (which shows platform-wide incidents), leading them to select Resource Health when the question explicitly asks about a 'platform-wide service issue' affecting multiple resources in a region.

How to eliminate wrong answers

Option B is wrong because Resource Health focuses on the health of individual Azure resources (e.g., a specific virtual machine) and reports whether that resource is available or degraded due to platform or customer actions, not platform-wide service incidents. Option C is wrong because the Activity Log records all control-plane operations (e.g., create, delete, update) performed on resources in a subscription, but it does not capture underlying platform health events or service outages. Option D is wrong because Azure Advisor provides proactive recommendations for cost, security, reliability, and performance optimization based on resource configurations, but it does not report on current or past platform-wide service issues.

148
MCQ · medium

A security team needs platform logs and metrics from an Azure Key Vault to be searchable later in a Log Analytics workspace so they can investigate administrative changes and access trends. What should you configure on the Key Vault?

A. Azure Monitor private link scope
B. A diagnostic setting that sends logs and metrics to the workspace
C. An activity log alert on the subscription only
D. A resource lock on the Key Vault
Answer: B

Diagnostic settings are the Azure feature that forwards resource logs and metrics from a service like Key Vault to a Log Analytics workspace. That makes the data searchable with KQL for investigations, reporting, and trend analysis. It is the correct configuration when the goal is to centralize operational telemetry from a specific Azure resource.

Why this answer

A diagnostic setting on Azure Key Vault allows you to stream platform logs (e.g., AuditEvent) and metrics (e.g., ServiceApiHit) to a Log Analytics workspace. This makes the data searchable via KQL queries for investigating administrative changes and access trends, fulfilling the security team's requirement.

Exam trap

The trap here is that candidates may confuse diagnostic settings with activity logs or alerts, thinking that activity log alerts or resource locks provide log searchability, when only a diagnostic setting can route platform logs and metrics to a Log Analytics workspace for querying.

How to eliminate wrong answers

Option A is wrong because an Azure Monitor private link scope is used to privately connect a Log Analytics workspace to a virtual network, not to send logs from a Key Vault. Option C is wrong because an activity log alert on the subscription only triggers notifications based on subscription-level events; it does not collect or store Key Vault platform logs and metrics for later search. Option D is wrong because a resource lock prevents accidental deletion or modification of the Key Vault, but it does not enable log collection or searchability.

149
MCQ · easy

A company wants an alert to be sent by email and SMS whenever a production virtual machine's CPU percentage goes above 80 percent. The administrator also wants the notification targets to be reusable by other alerts later. What should the administrator configure first?

A. A metric alert rule only
B. An action group
C. A service health alert
D. A diagnostic setting
Answer: B

An action group stores the notification targets, such as email and SMS recipients, so multiple alerts can reuse the same response action.

Why this answer

An action group (B) is the correct first configuration because it defines the notification targets (email, SMS) that can be reused across multiple alert rules. In Azure Monitor, alert rules are decoupled from notification actions; you create an action group once and then reference it in any metric alert rule, including the CPU percentage threshold rule needed here. This ensures the administrator can meet the requirement for reusable notification targets.

Exam trap

The trap here is that candidates often think a metric alert rule inherently includes notification settings, but Azure separates the condition (alert rule) from the notification method (action group) to enforce reusability and centralized management.

How to eliminate wrong answers

Option A is wrong because a metric alert rule alone only defines the condition (CPU > 80%) and the action to take, but it does not include the notification targets (email, SMS) — those must be defined separately in an action group. Option C is wrong because a service health alert monitors Azure service issues (e.g., outages, planned maintenance), not the performance metrics of a specific virtual machine like CPU percentage. Option D is wrong because a diagnostic setting controls the collection and routing of platform logs and metrics to destinations like Log Analytics or Storage, but it does not trigger alerts or send notifications via email/SMS.

150
Multi-Select · easy

A user deleted several files from an Azure VM, and the administrator wants to use Azure Backup file recovery. Which two items are needed to start the recovery process? Select two.

Select 2 answers
A. A recovery point
B. An application security group
C. The file recovery script downloaded from the vault
D. A metric alert rule
E. A user-assigned managed identity
Answers: A, C

A recovery point contains the backed-up data from which files can be recovered.

Why this answer

Azure Backup file recovery requires a recovery point (A) because it represents the snapshot of the VM's data at a specific time from which files can be restored. The file recovery script (C) is downloaded from the Recovery Services vault and mounts the recovery point as a drive on the VM, enabling file-level access. Without both, the recovery process cannot proceed.

Exam trap

The trap here is that candidates may think a user-assigned managed identity (E) is needed for authentication to access the vault, but the file recovery script handles authentication via a temporary SAS token embedded in the script, not via managed identities.
