CCNA AZ Storage Questions

75 of 228 questions · Page 1/4 · AZ Storage topic · Answers revealed

1. MCQ (easy)

A reporting application stores files in Azure Blob Storage. The business wants the secondary region to be readable if the primary region becomes unavailable. Which redundancy option should you use?

A. LRS, because it stores all copies in one region only.
B. ZRS, because it replicates across availability zones.
C. RA-GRS, because it provides geo-replication with read access to the secondary endpoint.
D. Archive, because archived blobs are stored cheaply for long-term retention.

Answer: C

RA-GRS keeps a replicated copy in a paired region and allows read access to the secondary endpoint, which fits the requirement for secondary-region reads.

Why this answer

Option C (RA-GRS) is correct because it provides geo-replication by asynchronously copying data to a secondary region and enables read access to that secondary endpoint. If the primary region becomes unavailable, the application can continue reading from the secondary region, meeting the business requirement for readable secondary access during a primary outage.

Exam trap

The trap here is that candidates often confuse ZRS (zone-redundant within a region) with geo-redundant options, or mistakenly think LRS provides any cross-region resilience, when only RA-GRS offers both geo-replication and read access to the secondary region.

How to eliminate wrong answers

Option A is wrong because LRS (Locally Redundant Storage) stores three replicas within a single data center in one region only, providing no protection against a regional outage or secondary region read access. Option B is wrong because ZRS (Zone-Redundant Storage) replicates across availability zones within a single region, offering no geo-replication to a secondary region for disaster recovery. Option D is wrong because the Archive access tier is for cost-effective long-term storage of infrequently accessed data, not for replication or providing readable secondary access during an outage.

2. MCQ (medium)

A partner company needs write access to a single blob container for 24 hours. The partner does not have an Azure subscription in your tenant, and the team does not want to share the storage account key. Which access method is the best choice?

A. Grant the partner Contributor access on the storage account
B. Create a user delegation SAS with write permission and a short expiration time
C. Share the storage account access key and let the partner create their own token
D. Enable anonymous public write access on the container

Answer: B

A user delegation SAS provides temporary access without exposing the storage account key and can be tightly scoped.

Why this answer

A user delegation SAS is the best choice because it provides time-limited, scoped write access to a specific blob container without exposing the storage account key. It is secured with Azure AD credentials and can be configured with a short expiration time (e.g., 24 hours), meeting the partner's requirement for temporary access. This method ensures the partner does not need an Azure subscription in your tenant and avoids sharing the account key.

Exam trap

The trap here is that candidates often confuse a user delegation SAS with a service SAS or account SAS, or mistakenly think that granting RBAC roles like Contributor is the simplest way to provide access, without realizing it grants far more permissions than needed and violates the principle of least privilege.

How to eliminate wrong answers

Option A is wrong because granting Contributor access on the storage account would give the partner full control over the storage account (including the ability to read/write all containers and manage resources), which is overly permissive and not scoped to a single blob container. Option C is wrong because sharing the storage account access key would grant unrestricted access to the entire storage account (all containers, blobs, and operations) and violates the requirement to not share the key. Option D is wrong because enabling anonymous public write access on the container would allow any unauthenticated user to write blobs, which is a severe security risk and does not provide controlled, partner-specific access.

3. MCQ (easy)

A user deleted one Excel file from a file share backed up with Azure Backup. You want to restore only that file, not the entire share. What should you use?

A. A full VM restore
B. A file-level restore from the backup recovery point
C. A metric alert rule
D. A private endpoint

Answer: B

File-level restore lets you recover a single file or folder from a specific recovery point without replacing the whole protected workload.

Why this answer

Azure Backup for Azure Files supports file-level restore from a recovery point. When you select a recovery point in the Azure portal, you can browse the file share contents and restore individual files or folders to the original or an alternate location, without restoring the entire share. This is achieved by mounting the recovery point as a read-only share via the SMB protocol, allowing you to copy the specific file.

Exam trap

The trap here is that candidates may assume Azure Backup only supports full share or VM restores, overlooking the file-level restore capability that is explicitly available for Azure Files backups.

How to eliminate wrong answers

Option A is wrong because a full VM restore would restore an entire virtual machine, not a single file from a file share, and is unnecessary and inefficient for this scenario. Option C is wrong because a metric alert rule is used to monitor performance metrics (e.g., IOPS, throughput) and trigger notifications, not to restore files. Option D is wrong because a private endpoint provides secure network connectivity to Azure services over a private IP address, but it does not perform data restoration.

4. MCQ (easy)

A web app in Azure needs to upload files to a blob container. The development team wants the app to authenticate without storing a storage account key or password in code. Which approach should the administrator configure?

A. Embed the storage account key in the application settings
B. Assign a managed identity to the app and grant it storage permissions
C. Use the public endpoint and anonymous access
D. Use an archive tier for the container

Answer: B

A managed identity lets the app authenticate to Azure Storage without storing credentials. Azure handles the identity lifecycle, and access is controlled with role assignments.

Why this answer

Option B is correct because Azure Managed Identity provides an automatically managed service principal in Azure AD, allowing the web app to authenticate to Azure Blob Storage without storing any credentials in code or configuration. By assigning the managed identity to the app and granting it the appropriate RBAC role (e.g., Storage Blob Data Contributor), the app can obtain an Azure AD token to securely access the blob container.

Exam trap

The trap here is that candidates may confuse managed identity with other authentication methods like SAS tokens or connection strings, or incorrectly assume that embedding keys in app settings is acceptable because it's 'not in code,' but Azure explicitly considers this a security risk for production workloads.

How to eliminate wrong answers

Option A is wrong because embedding the storage account key in application settings still stores a secret in the app configuration, violating the requirement to avoid storing keys or passwords in code. Option C is wrong because using the public endpoint with anonymous access bypasses authentication entirely, which is insecure and does not meet the requirement for authenticated uploads. Option D is wrong because an access tier (e.g., Cool, Cold, or Archive) is a storage cost-optimization setting for infrequently accessed data, not an authentication mechanism.

5. Multi-select (medium)

You are managing an Azure Storage account that hosts a large number of blobs. You need to ensure that data can be recovered if blobs are accidentally deleted or overwritten. Which three of the following actions should you take? (Choose three.)

- Enable soft delete for blobs.
- Enable blob versioning.
- Configure a lifecycle management policy to move blobs to the Cool tier.
- Enable point-in-time restore for block blobs.
- Enable Azure Defender for Storage.
- Set the default access tier to Archive.

Why this answer

Soft delete for blobs preserves deleted blobs for a specified retention period, allowing recovery from accidental deletion. Blob versioning maintains previous versions of a blob, enabling restoration if a blob is overwritten or deleted. Point-in-time restore for block blobs allows reverting the container to an earlier state, recovering from bulk accidental modifications or deletions.

Together, these three features provide comprehensive protection against accidental data loss.

Exam trap

The trap here is that candidates often mistake lifecycle management or tier changes for data protection mechanisms, but they are cost-management features, not recovery features; the correct answers are all specifically designed for data recovery from accidental deletion or overwrite.

6. MCQ (medium)

You need a storage redundancy option that keeps data available if an entire availability zone in the primary region fails, but you do not need cross-region replication. Which redundancy option should you choose?

A. LRS
B. ZRS
C. GRS
D. RA-GRS

Answer: B

ZRS protects against the loss of a single availability zone in the primary region.

Why this answer

B is correct because Zone-Redundant Storage (ZRS) synchronously replicates data across three Azure availability zones within a single region, ensuring data remains available if an entire zone fails. This meets the requirement of no cross-region replication while providing zone-level fault tolerance.

Exam trap

The trap here is that candidates often confuse ZRS with LRS, thinking LRS provides zone redundancy, but LRS only replicates within one data center, not across zones.

How to eliminate wrong answers

Option A is wrong because Locally Redundant Storage (LRS) replicates data only within a single data center in a single availability zone, so it cannot survive an entire zone failure. Option C is wrong because Geo-Redundant Storage (GRS) includes cross-region replication to a secondary region, which is not needed per the requirement. Option D is wrong because Read-Access Geo-Redundant Storage (RA-GRS) also includes cross-region replication and adds read access to the secondary region, exceeding the stated need.

7. Matching (medium)

Match each storage networking requirement to the Azure storage network control that should be used.


Concepts:
- Storage firewall with a virtual network rule and service endpoint
- Private endpoint with private DNS zone
- Trusted Microsoft services exception
- Storage firewall IP network rule

Matches:

Why these pairings

Azure storage network controls: service endpoints for VNet access, private endpoints for private connectivity, IP firewall for public IP restrictions, trusted services exception, route tables for custom routing, and disabling public access for complete lockdown.

8. MCQ (hard)

A platform team wants one Azure storage account for application logs in Blob containers and a shared working directory for a Windows admin VM and a Linux automation VM. The account must support blob lifecycle rules, standard performance, and future private endpoint access. Which storage account kind should the administrator create?

A. BlobStorage, because it is optimized for blob data and can store logs efficiently.
B. StorageV2 (general-purpose v2), because it supports blobs, Azure Files, lifecycle management, and modern network features.
C. FileStorage, because it is the best option when Azure Files is required.
D. BlockBlobStorage, because it provides the highest performance for operational data.

Answer: B

General-purpose v2 is the correct choice because it supports both Blob storage and Azure Files, includes lifecycle management for blobs, and offers the current feature set expected for private endpoints and standard administration. It is the normal recommendation when you need multiple storage services in one account.

Why this answer

StorageV2 (general-purpose v2) is the correct choice because it supports Blob storage, Azure Files (required for the shared working directory), blob lifecycle management rules, and advanced networking features like private endpoints. It also provides standard performance, meeting all stated requirements. Other storage kinds lack either Azure Files support or lifecycle management capabilities.

Exam trap

The trap here is that candidates often choose BlobStorage because they focus on 'blob lifecycle rules' and 'logs,' forgetting that the shared working directory requires Azure Files, which BlobStorage does not support.

How to eliminate wrong answers

Option A is wrong because BlobStorage is optimized only for block blobs and append blobs, and it does not support Azure Files, which is needed for the shared working directory. Option C is wrong because FileStorage is designed exclusively for Azure Files with premium performance, not standard performance, and it does not support blob lifecycle management or general-purpose blob containers. Option D is wrong because BlockBlobStorage is a premium performance tier for block blobs only, lacks Azure Files support, and does not support standard performance or lifecycle management rules.

9. MCQ (medium)

An organization wants a single Azure storage account that can host blob containers, Azure Files shares, and lifecycle management rules for blob data. Which storage account kind should the administrator create?

A. BlobStorage
B. FileStorage
C. General-purpose v2 (StorageV2)
D. BlockBlobStorage

Answer: C

General-purpose v2 is the standard Azure storage account type for most administrative scenarios. It supports blobs and Azure Files, and it includes the features needed for lifecycle management and modern access controls. This makes it the correct choice when an application needs multiple storage services in one account.

Why this answer

General-purpose v2 (StorageV2) is the only storage account kind that supports blobs, Azure Files, and lifecycle management rules for blob data. It provides a unified account for all Azure Storage data services, including blobs, files, queues, and tables, and it natively supports lifecycle management policies to automatically tier or delete blob data based on age or other conditions.

Exam trap

The trap here is that candidates often confuse the specialized storage account kinds (BlobStorage, FileStorage, BlockBlobStorage) with the general-purpose v2 account, mistakenly thinking that a dedicated account type is required for each service, when in fact general-purpose v2 is the Swiss Army knife that supports all of them plus lifecycle management.

How to eliminate wrong answers

Option A is wrong because BlobStorage accounts are legacy accounts that support only block blobs and append blobs, not Azure Files shares or lifecycle management rules (lifecycle management is only available on general-purpose v2 accounts). Option B is wrong because FileStorage accounts are specialized for Azure Files premium shares only, and they do not support blob containers or lifecycle management rules for blob data. Option D is wrong because BlockBlobStorage accounts are designed exclusively for high-performance block blob workloads with premium performance, and they do not support Azure Files shares or lifecycle management rules.

10. Matching (medium)

Match each storage resiliency requirement to the Azure redundancy option that best satisfies it.


Concepts:
- ZRS
- LRS
- RA-GRS
- RA-GZRS

Matches:

Why these pairings

LRS replicates within a single datacenter; ZRS across zones; GRS across regions; RA-GRS adds read access to GRS; RA-ZRS adds read access to ZRS. LRS is the cheapest; GRS offers the highest durability.

11. MCQ (medium)

A compliance team keeps signed contract scans in blob storage. The files are usually not accessed, but when they are needed they must be available immediately without waiting for rehydration. The team wants the lowest-cost online tier that still allows immediate reads. Which access tier should you choose?

A. Hot
B. Cool
C. Cold
D. Archive

Answer: C

Cold is an online tier intended for infrequently accessed data that still must remain immediately readable.

Why this answer

The Cold tier (C) is correct because it is the lowest-cost online access tier that provides immediate read access without requiring rehydration. Unlike the Archive tier, Cold tier data is always online and can be read instantly, while still offering lower storage costs than Cool or Hot tiers for data that is rarely accessed.

Exam trap

The trap here is that candidates often either assume 'lowest cost' must mean Archive, forgetting that Archive is offline and requires rehydration, or fall back to Cool or Hot because they overlook the Cold tier as a newer, lower-cost online option.

How to eliminate wrong answers

Option A (Hot) is wrong because it is designed for frequently accessed data and has the highest storage cost, making it unnecessarily expensive for files that are rarely accessed. Option B (Cool) is wrong because although it is lower cost than Hot, it is still more expensive than Cold for data accessed infrequently, and Cold is the lowest-cost online tier. Option D (Archive) is wrong because it is an offline tier that requires rehydration (which can take up to 15 hours) before data can be read, violating the requirement for immediate availability.

12. MCQ (medium)

A contractor needs to upload data into one specific blob container for six hours. The administrator must avoid sharing the storage account key and should grant only the minimum permissions needed. Which access method should be used?

A. A service SAS scoped to the container with write permission and an expiry time in six hours.
B. The storage account access key, because it is easier to revoke later.
C. A shared key rotation policy, because it grants time-limited access to one container.
D. A user-assigned managed identity assigned to the contractor’s laptop.

Answer: A

A service SAS can be scoped to a single container, limited to the needed permissions, and set to expire automatically. That makes it the best fit for temporary contractor upload access without exposing the full storage account key.

Why this answer

A service SAS scoped to the container with write permission and an expiry time of six hours is correct because it provides time-limited, delegated access to a specific blob container without exposing the storage account key. This meets the requirement of granting only the minimum permissions needed (write) for the six-hour duration, and the SAS can be revoked by regenerating the storage account key if necessary.

Exam trap

The trap here is that candidates often confuse a service SAS with a stored access policy, or they mistakenly think a managed identity can be assigned to an external device, when in reality managed identities are only for Azure resources and require Azure AD integration.

How to eliminate wrong answers

Option B is wrong because sharing the storage account key grants full administrative access to all storage services (blobs, tables, queues, files) and cannot be scoped to a single container or time-limited, violating the principle of least privilege. Option C is wrong because a shared key rotation policy is not an access method; it is a security policy to automatically rotate storage account keys, and it does not provide time-limited access to a specific container. Option D is wrong because a user-assigned managed identity cannot be assigned to a contractor’s laptop; managed identities are designed for Azure resources (e.g., VMs, App Services) and require Azure AD authentication, which is not feasible for an external contractor’s local device.

13. MCQ (hard)

A storage account must be accessible only from one Azure subnet. The security team does not want a private endpoint or private DNS zone, and they are fine with the storage account continuing to use its public FQDN. Which configuration should you use?

A. Create a service endpoint on the subnet and allow that subnet in the storage account firewall.
B. Create a private endpoint for the storage account and disable public network access.
C. Use an NSG rule to allow only the subnet to reach port 443 on the storage account.
D. Associate a route table that sends storage traffic to an Azure firewall appliance.

Answer: A

A service endpoint is the correct design because it restricts access to a specific subnet without creating a private IP address for the storage account. The storage account can continue to use its public FQDN, which matches the requirement. By enabling the service endpoint on the subnet and then permitting that subnet in the storage firewall, traffic is locked down while avoiding private endpoint and private DNS complexity.

Why this answer

Option A is correct because a service endpoint extends the virtual network identity to the Azure Storage service, allowing the storage account firewall to restrict access to traffic originating from the specific subnet. This meets the requirement of limiting access to one Azure subnet without using a private endpoint or DNS zone, and the storage account continues to use its public FQDN.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, assuming that restricting access to a subnet requires a private IP address, when in fact service endpoints provide subnet-level access control while preserving the public endpoint.

How to eliminate wrong answers

Option B is wrong because it requires creating a private endpoint and disabling public network access, which contradicts the requirement that the security team does not want a private endpoint or private DNS zone. Option C is wrong because an NSG rule cannot filter traffic to a storage account's public endpoint by subnet identity; NSGs operate at the network layer and cannot enforce access control based on Azure service-level identities, so traffic from other subnets could still reach the storage account if the public endpoint is accessible. Option D is wrong because associating a route table with an Azure firewall does not restrict access to the storage account by subnet; it only controls routing and inspection, not identity-based access control, and the storage account's public endpoint would still be reachable from any subnet.

14. Multi-select (easy)

A development team wants redundancy within the primary region but does not need replication to a secondary region. Which two Azure storage redundancy options meet this requirement? Select two.

A. LRS, because it keeps multiple copies in one datacenter and does not replicate to another region.
B. ZRS, because it keeps copies across zones in one region and also avoids geo-replication.
C. GRS, because it replicates to a secondary region and therefore matches the requirement.
D. RA-GRS, because it adds read access to the secondary region and still remains single-region only.
E. RA-GZRS, because it combines zone redundancy with readable geo-replication to another region.

Answers: A, B

LRS stays in one region and does not create a secondary-region copy.

Why this answer

A is correct because Locally Redundant Storage (LRS) replicates data three times within a single datacenter in the primary region, providing redundancy against local hardware failures without any replication to a secondary region. This meets the requirement of intra-region redundancy only.

Exam trap

The trap here is that candidates often confuse 'redundancy within the primary region' with any option that includes 'redundant' in its name, leading them to select GRS or RA-GRS which actually replicate to a secondary region.

15. MCQ (medium)

A partner organization needs write access to a single blob container for 24 hours. You want to avoid sharing the storage account key and minimize access scope. Which access mechanism should you provide?

A. A storage account key
B. A user delegation SAS
C. A container stored access policy without a token
D. An Azure Policy assignment

Answer: B

A user delegation SAS can be limited to the container, permissions, and short lifetime required.

Why this answer

A user delegation SAS is the correct choice because it provides time-limited, delegated access to a specific blob container using Azure AD credentials, without exposing the storage account key. It allows you to grant write access for exactly 24 hours to a single container, minimizing the access scope as required.

Exam trap

The trap here is that candidates may confuse a user delegation SAS with a service SAS or account SAS, but the key distinction is that a user delegation SAS uses Azure AD for signing, avoiding the need to share the storage account key while still providing scoped, time-limited access.

How to eliminate wrong answers

Option A is wrong because sharing a storage account key grants full administrative access to the entire storage account, not just a single container, and violates the requirement to avoid sharing the key. Option C is wrong because a container stored access policy without a token does not provide any access mechanism; it only defines constraints for SAS tokens but requires a SAS to be generated. Option D is wrong because an Azure Policy assignment is used for governance and compliance enforcement, not for granting direct data access to a blob container.

16. Matching (medium)

Match each lifecycle management requirement to the blob tier transition or action that should be configured.


Concepts:
- Transition to Cool
- Transition to Archive
- Rehydrate from Archive
- Delete blob

Matches:

Why these pairings

Lifecycle management rules define actions (tier changes or deletion) based on age or access. The actions correspond to moving to cooler tiers (cool, cold, archive) or deleting, and can apply to snapshots.

17. MCQ (easy)

A company wants its file share data to be automatically copied to a paired Azure region, and administrators want to read the secondary copy during a disaster test. Which redundancy option should they use?

A. ZRS
B. LRS
C. RA-GRS
D. Cool

Answer: C

RA-GRS replicates data to a paired secondary region and allows read access to that secondary endpoint. This fits the need to test or inspect the secondary copy during a disaster exercise.

Why this answer

RA-GRS (Read-Access Geo-Redundant Storage) is correct because it replicates data to a paired secondary region asynchronously and provides read-only access to that secondary copy. This allows administrators to read the secondary copy during a disaster test without impacting the primary region. ZRS and LRS do not replicate to a paired region, and Cool is a tier, not a redundancy option.

Exam trap

The trap here is that candidates confuse 'redundancy options' with 'access tiers' (like Cool) or assume that any geo-replication option (like GRS) automatically provides read access, but only RA-GRS explicitly enables reading the secondary copy without initiating a failover.

How to eliminate wrong answers

Option A is wrong because ZRS (Zone-Redundant Storage) replicates data synchronously across three Azure availability zones within a single region, not to a paired secondary region, so it does not meet the requirement for cross-region replication. Option B is wrong because LRS (Locally Redundant Storage) replicates data three times within a single datacenter in a single region, providing no cross-region copy for disaster recovery testing. Option D is wrong because Cool is an access tier (for blob storage) that optimizes cost for infrequently accessed data, not a redundancy option; it does not provide any replication or secondary copy.

18. MCQ (medium)

An application runs on an Azure VM in a subnet and must access a storage account over the public endpoint without using a private IP address. The administrator wants to restrict access so only that subnet can reach the account. What should be configured?

A. Create a private endpoint for the storage account and disable the public endpoint.
B. Enable a service endpoint for Microsoft.Storage on the subnet and add the subnet to the storage account network rules.
C. Allow trusted Microsoft services to bypass the firewall.
D. Add a user-defined route that points storage traffic to the virtual network gateway.

Answer: B

A service endpoint lets the subnet reach the storage account over the Azure backbone while still using the storage account's public endpoint. Adding the subnet to the storage firewall allows only that subnet to connect. This meets the requirement to avoid a private IP while restricting access to a specific subnet.

Why this answer

Option B is correct because a service endpoint for Microsoft.Storage extends the virtual network identity to the subnet, allowing the storage account firewall to accept traffic from that subnet via its public endpoint. This meets the requirement of restricting access to the storage account's public endpoint without using a private IP address.

Exam trap

The trap here is that candidates confuse service endpoints with private endpoints, assuming that restricting access to a subnet requires a private IP, when service endpoints can achieve subnet-level restriction over the public endpoint without changing the IP addressing.

How to eliminate wrong answers

Option A is wrong because creating a private endpoint assigns a private IP to the storage account within the VNet, which disables the public endpoint — contradicting the requirement to use the public endpoint. Option C is wrong because allowing trusted Microsoft services bypasses the firewall for services like Azure Backup or Azure DevOps, but does not restrict access to a specific subnet; it opens access broadly to Microsoft services. Option D is wrong because a user-defined route (UDR) that points storage traffic to the virtual network gateway would force traffic through the gateway (e.g., for forced tunneling), but does not enforce access control at the storage account firewall; the storage account would still accept traffic from any IP unless network rules are configured.

19. MCQ (medium)

A web app running in Azure App Service must upload files to a blob container. The team wants to avoid storing any secrets in application settings and wants the app to authenticate without a password or access key. What should the administrator configure?

A. Store the storage account key in the app configuration and use it from the application
B. Enable a system-assigned managed identity for the app and grant it a storage data role
C. Create an anonymous public container so the app can upload without authentication
D. Use a shared access signature generated from the storage account root key

Answer: B

Managed identity allows the app to authenticate to Storage with Microsoft Entra ID and no stored secret.

Why this answer

Option B is correct because a system-assigned managed identity allows the App Service to authenticate to Azure Storage without storing any secrets. By granting the identity the 'Storage Blob Data Contributor' role via Azure RBAC, the app can upload files using Azure AD authentication, eliminating the need for passwords or access keys.

Exam trap

The trap here is that candidates often confuse managed identities with SAS tokens or access keys, assuming any form of shared secret is acceptable, but the question explicitly requires no secrets in application settings and no password or access key.

How to eliminate wrong answers

Option A is wrong because storing the storage account key in app configuration violates the requirement to avoid storing secrets, and the key is a long-lived credential that could be exposed. Option C is wrong because anonymous public containers allow unauthenticated uploads, which is a security risk and does not meet the requirement for controlled authentication. Option D is wrong because a shared access signature (SAS) is still derived from a key and must be stored or generated at runtime, introducing a secret management issue.

20
MCQ · easy

A storage account must stay reachable through its public endpoint, but only Azure workloads in AppSubnet should be allowed to access it. No private IP is required. What should you configure?

A. A private endpoint in AppSubnet.
B. A service endpoint on AppSubnet and a storage firewall VNet rule.
C. A VPN gateway between AppSubnet and the storage account.
D. A public IP address on the storage account.
Answer: B

Service endpoints let the subnet access the storage account securely through its public endpoint, and the firewall can restrict access to that subnet.

Why this answer

A service endpoint on AppSubnet extends the Azure backbone network to the subnet, allowing traffic to the storage account's public endpoint without a private IP. The storage firewall VNet rule then restricts access to only traffic originating from that specific subnet, meeting the requirement of public endpoint reachability with Azure workload-only access.

Exam trap

The trap here is that candidates confuse private endpoints (which remove public endpoint access) with service endpoints (which preserve public endpoint access while restricting traffic), leading them to choose the private endpoint option despite the explicit requirement to keep the public endpoint reachable.

How to eliminate wrong answers

Option A is wrong because a private endpoint assigns a private IP from the subnet to the storage account, which removes public endpoint access entirely, contradicting the requirement to keep the storage account reachable through its public endpoint. Option C is wrong because a VPN gateway is used for hybrid connectivity between on-premises and Azure, not for restricting access to Azure workloads within the same region; it adds unnecessary complexity and cost. Option D is wrong because a storage account already has a public IP by default; assigning a separate public IP does not restrict access to AppSubnet and is not a supported configuration for access control.

21
Multi-Select · easy

Which two authentication methods let an app access blob data without storing the storage account key on the machine? Select two.

Select 2 answers
A. Microsoft Entra ID authorization with an appropriate Azure RBAC role.
B. A user delegation SAS generated through Microsoft Entra ID.
C. The storage account access key.
D. A service SAS generated directly from the account key.
E. Anonymous public access to the container.
Answers: A, B

Entra ID plus RBAC lets the app authenticate as a user, group, or managed identity without handling a storage key.

Why this answer

Option A is correct because Microsoft Entra ID authorization with an appropriate Azure RBAC role (e.g., Storage Blob Data Contributor) allows an app to authenticate to blob storage using OAuth 2.0 tokens, eliminating the need to store the storage account key on the machine. Option B is correct because a user delegation SAS is signed with Microsoft Entra ID credentials and can be generated without the account key, providing time-limited, scoped access to blob data.

Exam trap

The trap here is that candidates often confuse a service SAS (which still requires the account key) with a user delegation SAS (which does not), or they mistakenly think that anonymous access is a valid authentication method for an app.

22
MCQ · medium

Based on the exhibit, which method should the administrator use to grant the partner time-limited access to one container?

A. Generate a service SAS by using the storage account key and email the URL to the partner.
B. Generate a user delegation SAS after authenticating with Microsoft Entra ID.
C. Make the container public and remove the SAS requirement from the partner workflow.
D. Assign the partner Storage Blob Data Contributor on the storage account and let them sign in interactively.
Answer: B

A user delegation SAS is the safest temporary access method in this scenario because it does not require exposing the storage account key. It is signed with Microsoft Entra credentials, can be scoped to one container, and can be set to expire after six hours. That makes it easy to grant and revoke access while limiting permissions.

Why this answer

A user delegation SAS is secured with Microsoft Entra ID credentials and can be scoped to a specific container with a time-limited expiry, meeting the requirement for time-limited access to one container. Unlike a service SAS, which uses the storage account key and grants broader permissions, the user delegation SAS provides finer-grained control and does not expose the account key. This method is the recommended approach for granting delegated, time-bound access to Azure Storage resources.

Exam trap

The trap here is that candidates often confuse a service SAS (which uses the storage account key and is easier to generate) with a user delegation SAS, not realizing that the user delegation SAS provides superior security and granularity for time-limited, container-scoped access without exposing the account key.

How to eliminate wrong answers

Option A is wrong because a service SAS generated from the storage account key exposes the account key indirectly and cannot be scoped to a single container with time-limited access as securely as a user delegation SAS; it also lacks the ability to enforce Microsoft Entra ID-based authentication. Option C is wrong because making the container public removes all access control, granting anonymous read access to everyone, which violates the requirement for time-limited and partner-specific access. Option D is wrong because assigning Storage Blob Data Contributor on the storage account grants persistent, broad permissions that are not time-limited, and interactive sign-in does not provide a scoped, time-bound URL for the partner to use programmatically.

23
MCQ · hard

You store long-term financial statements in Azure Blob Storage. The files are almost never accessed, but when they are needed they must be readable immediately without waiting for rehydration. You need to minimize cost. Which access tier should you use?

A. Hot
B. Cool
C. Archive
D. Premium
Answer: B

Cool provides lower cost for infrequently accessed data while keeping it immediately available.

Why this answer

The Cool access tier is optimal for data that is infrequently accessed but must be available immediately when needed, offering lower storage costs than Hot while maintaining low-latency read access. Archive would require rehydration (taking hours) before reading, violating the requirement for immediate readability. Hot is more expensive for long-term storage of rarely accessed data, and Premium is designed for high-performance workloads, not cost-efficient archival.

Exam trap

The trap here is that candidates often choose Archive thinking it is the cheapest option, but they overlook the requirement for 'immediate readability without waiting for rehydration,' which Archive cannot satisfy.

How to eliminate wrong answers

Option A is wrong because the Hot tier has higher storage costs per GB than Cool, making it suboptimal for long-term storage of almost never accessed files. Option C is wrong because the Archive tier requires rehydration (which can take up to 15 hours) before data can be read, violating the requirement for immediate readability without waiting. Option D is wrong because the Premium tier is optimized for low-latency, high-transaction workloads (e.g., Azure Virtual Desktop disks) and incurs significantly higher costs, making it unsuitable for cost-minimized long-term storage of rarely accessed financial statements.

24
MCQ · easy

A help desk engineer must be able to start, stop, and resize only VM-App01. The engineer must not gain access to any other virtual machines or resource groups in the subscription. What scope should you use for the Azure RBAC role assignment?

A. Assign the role at the subscription scope so the engineer can manage any VM in the subscription.
B. Assign the role at the virtual machine scope for VM-App01 only.
C. Assign the role at the resource group scope that contains VM-App01.
D. Assign the role at a management group scope so the team can standardize access.
Answer: B

This limits the role to a single resource and matches the requirement exactly.

Why this answer

Option B is correct because Azure RBAC allows you to assign a role at the virtual machine scope, which restricts permissions to that specific resource only. By assigning a role like 'Virtual Machine Contributor' at the scope of VM-App01, the help desk engineer can start, stop, and resize only that VM without gaining access to any other VMs or resource groups in the subscription.

Exam trap

The trap here is that candidates often default to resource group scope thinking it is granular enough, but they overlook that resource group scope grants access to all resources within that group, not just the single VM.

How to eliminate wrong answers

Option A is wrong because assigning the role at the subscription scope grants permissions to all virtual machines and resources within the subscription, violating the requirement to restrict access to only VM-App01. Option C is wrong because assigning the role at the resource group scope would allow the engineer to manage all VMs within that resource group, not just VM-App01. Option D is wrong because assigning the role at a management group scope would apply permissions to all subscriptions and resources under that management group, far exceeding the required scope.

25
MCQ · medium

A Windows VM and a Linux VM in Azure need to use the same shared folder for application artifacts. The team wants a managed file service instead of running a separate file server VM, and both operating systems must be able to mount the share using a standard protocol. Which solution should the administrator implement?

A. Create a blob container and mount it as a file system from both virtual machines.
B. Create an Azure Files share and mount it over SMB from both virtual machines.
C. Use an Azure managed disk and attach it to both virtual machines.
D. Create an Azure Files share and force the Linux VM to use NFS while the Windows VM uses SMB.
Answer: B

Azure Files is the managed file service designed for shared file access. SMB is supported by Windows natively and can also be mounted from Linux using standard tools. This gives both VMs access to the same share without introducing a separate file server VM, which fits the requirement precisely.

Why this answer

Azure Files provides a fully managed file share that supports both SMB and NFS protocols. Since the question requires a managed file service accessible by both Windows and Linux VMs using a standard protocol, the correct solution is to create an Azure Files share and mount it over SMB from both VMs. Windows natively supports SMB, and Linux can mount SMB shares using the cifs-utils package, meeting the requirement without running a separate file server VM.

Exam trap

The trap here is that candidates may assume Azure Files supports both SMB and NFS on the same share, but in reality each share is protocol-specific, and mixing protocols is not allowed, making Option D a common distractor.

How to eliminate wrong answers

Option A is wrong because a blob container is an object storage service, not a file system; mounting it as a file system requires third-party tools or FUSE drivers, and it does not natively support standard file-sharing protocols like SMB or NFS. Option C is wrong because an Azure managed disk can only be attached to a single VM at a time (except for shared disks, which require a cluster-aware file system and are not a managed file service). Option D is wrong because Azure Files shares are protocol-specific; you cannot force a single share to serve both SMB and NFS simultaneously—each share is created with either SMB or NFS protocol, and mixing protocols on the same share is not supported.

26
MCQ · easy

Before changing a managed data disk attached to a VM, you want a point-in-time copy that can be restored later if the change fails. What should you create?

A. Managed disk snapshot
B. Availability set
C. Image
D. Resource lock
Answer: A

A snapshot creates a point-in-time copy of a managed disk that you can use later for restore or cloning.

Why this answer

A managed disk snapshot is a point-in-time, read-only copy of a managed disk that can be used to restore the disk to that exact state if a change fails. Snapshots are incremental, capturing only the changes since the last snapshot, and they exist independently of the source disk, allowing you to create a new disk from the snapshot for recovery.

Exam trap

The trap here is that candidates often confuse a snapshot with an image, thinking both serve the same purpose, but an image is used for deployment and includes OS configuration, while a snapshot is a raw disk copy for recovery without any generalization.

How to eliminate wrong answers

Option B (Availability set) is wrong because an availability set is a logical grouping of VMs to ensure high availability across fault and update domains, not a mechanism for creating point-in-time copies of disks. Option C (Image) is wrong because an image captures the entire VM configuration, including the OS and data disks, but it is used to deploy new VMs, not to create a restore point for a specific data disk; images are generalized and cannot be used to revert a disk to a previous state. Option D (Resource lock) is wrong because a resource lock prevents accidental deletion or modification of a resource at the management scope, but it does not create a copy of the disk data; it only protects the resource from changes, not from data corruption or failed updates.

27
Multi-Select · hard

A help desk group must use the Azure portal to start a virtual machine, stop or deallocate it, and see its current state, but they must not change any other VM settings. Which three Microsoft.Compute actions should be included in a custom role? Select three.

Select 3 answers
A. Microsoft.Compute/virtualMachines/read
B. Microsoft.Compute/virtualMachines/start/action
C. Microsoft.Compute/virtualMachines/deallocate/action
D. Microsoft.Compute/virtualMachines/write
E. Microsoft.Compute/virtualMachines/delete
Answers: A, B, C

Read access is needed so the portal can display the VM and its current operational state.

Why this answer

Option A is correct because the Microsoft.Compute/virtualMachines/read permission is required to view the current state of a virtual machine in the Azure portal. Without this read action, the help desk group would not be able to see the VM's status, which is essential for their task of monitoring and managing the VM lifecycle.

Exam trap

The trap here is that candidates often confuse the write action with the specific start and deallocate actions, incorrectly assuming that write is needed for power operations, when in fact write grants full configuration change capabilities that exceed the required scope.

28
MCQ · easy

An engineering team stores build artifacts that are downloaded every day by developers for a week after release, then rarely after that. Which tier should the administrator choose for the period when the artifacts are still actively used?

A. Hot
B. Archive
C. Cool
D. Cold
Answer: A

Hot is the best fit for data that is accessed frequently over a short period, such as newly released build artifacts.

Why this answer

The Hot tier is the correct choice for the period when build artifacts are actively used because it provides the lowest access latency and highest throughput, which is essential for daily downloads by developers. Azure Blob Storage's Hot tier is optimized for frequent access patterns (e.g., multiple times per day) and incurs no data retrieval costs, making it cost-effective for this high-access phase.

Exam trap

The trap here is that candidates often confuse 'Cool' as a middle-ground choice for weekly access, but the Cool tier's retrieval cost and higher latency make it suboptimal for daily downloads, whereas Hot is the only tier designed for frequent, low-latency access without retrieval penalties.

How to eliminate wrong answers

Option B (Archive) is wrong because it is designed for data that is rarely accessed (e.g., less than once per year) and has a retrieval latency of up to 15 hours, which is unacceptable for daily downloads. Option C (Cool) is wrong because it is optimized for data accessed infrequently (e.g., once per month) and incurs a per-GB retrieval cost, making it more expensive than Hot for daily access patterns. Option D (Cold) is wrong because it is intended for data that is accessed very rarely (e.g., once per quarter) and has higher retrieval costs and latency compared to Hot, which is not suitable for active daily use.

29
Multi-Select · hard

A contractor needs to upload files into one blob container for six hours. The administrator must avoid sharing the storage account key and wants the access to expire automatically. Which two actions should the administrator take? Select two.

Select 2 answers
A. Generate a user delegation SAS for the contractor.
B. Generate a service SAS by using the account key.
C. Set the SAS expiry to six hours.
D. Enable anonymous blob access on the container.
E. Create a storage account access key specifically for the contractor.
Answers: A, C

A user delegation SAS avoids exposing the storage account key and is signed through Microsoft Entra authentication.

Why this answer

A user delegation SAS is secured with Azure AD credentials rather than the storage account key, allowing the administrator to grant time-limited access without exposing the key. Setting the SAS expiry to six hours ensures the contractor's access automatically expires after the required duration, meeting both security and time-bound requirements.

Exam trap

The trap here is that candidates often confuse a service SAS (which requires the account key) with a user delegation SAS (which uses Azure AD), leading them to select Option B instead of A, missing the key requirement to avoid sharing the storage account key.

30
MCQ · easy

An employee accidentally deletes several folders from an Azure file share. The administrator must recover only those folders from yesterday, not roll back the whole share. What should the administrator use?

A. The latest Azure file share snapshot
B. The storage account access key
C. A shared access signature
D. A private endpoint to the storage account
Answer: A

A snapshot captures the share at a point in time and allows restoring only the needed folders.

Why this answer

Azure file share snapshots capture the state of the share at a point in time. By mounting a snapshot taken yesterday, the administrator can browse the snapshot's directory structure and copy only the deleted folders back to the live share, without affecting other files. This provides granular recovery without rolling back the entire share.

Exam trap

The trap here is that candidates might confuse snapshots with storage account failover or backup vaults, assuming that only a full restore is possible, when in fact snapshots allow granular, file-level recovery without affecting the current share state.

How to eliminate wrong answers

Option B is wrong because the storage account access key provides full administrative access to the entire storage account, but it cannot selectively recover individual folders from a previous point in time. Option C is wrong because a shared access signature (SAS) grants delegated, time-limited access to specific resources, but it does not provide any versioning or snapshot recovery capability. Option D is wrong because a private endpoint connects the storage account to a virtual network securely, but it offers no data recovery functionality.

31
MCQ · medium

An administrator moved old log blobs to the Archive tier last month. An auditor now needs one blob for review later today. What must happen before the blob can be opened?

A. Download the blob directly from the Archive tier and open it immediately
B. Change the blob to Hot or Cool and wait for rehydration to complete
C. Create a snapshot of the blob and open the snapshot instead
D. Copy the blob to another container without changing its tier
Answer: B

Archived blobs must be rehydrated back to an online tier before their contents can be read.

Why this answer

Blobs in the Archive tier are offline and cannot be read directly. To access the data, you must first change the blob's access tier to Hot or Cool (rehydrate it), which can take up to 15 hours depending on the rehydration priority. Only after rehydration completes can the blob be downloaded and opened.

Exam trap

The trap here is that candidates assume archived blobs are still readable like Cool or Hot tier blobs, or that a snapshot or copy operation can bypass the rehydration requirement, but Azure enforces that the data must be physically moved back to an online tier before any access is allowed.

How to eliminate wrong answers

Option A is wrong because blobs in the Archive tier are offline and cannot be downloaded or opened directly; attempting to do so results in an error (e.g., HTTP 409 or 403). Option C is wrong because creating a snapshot of an archived blob does not change its tier; the snapshot remains in the Archive tier and is also inaccessible until rehydrated. Option D is wrong because copying an archived blob to another container without changing its tier leaves the copy in the Archive tier, which remains offline and unreadable.

32
Multi-Select · hard

A web app already reads blobs by using a managed identity. Security now requires blocking any future requests that use shared key authorization, while the app must continue to work without storing secrets. Which two changes should the administrator make? Select two.

Select 2 answers
A. Disable shared key access on the storage account.
B. Assign the managed identity a data-plane role such as Storage Blob Data Reader.
C. Replace the managed identity with a storage account key in the app settings.
D. Remove all network rules from the storage account.
E. Create a service SAS and embed it in the code.
Answers: A, B

Disabling shared key access prevents new requests from authenticating with account keys while leaving Entra-based access available.

Why this answer

Option A is correct because disabling shared key access on the storage account enforces the security requirement to block future requests that use shared key authorization. This setting, when enabled, rejects any request that does not use Azure AD authentication, such as those signed with storage account keys or SAS tokens. Since the web app already uses a managed identity, it can continue to authenticate via Azure AD without storing secrets, ensuring the app works seamlessly after the change.

Exam trap

The trap here is that candidates often think disabling shared key access will break the app, but they overlook that a managed identity with the correct RBAC role can authenticate via Azure AD, so the app continues to work without shared keys or secrets.

33
Matching · medium

Match each data-access pattern to the blob tier or required action.


Concepts
Matches

Hot

Cool

Archive

Rehydrate from Archive

Why these pairings

Azure Blob Storage tiers are Hot (frequent access), Cool (infrequent, 30-day minimum), and Archive (rare, 180-day minimum). Rehydration is needed to access Archive blobs. Azure Files sync is used for replication.

34
MCQ · medium

You need to grant an external partner temporary read access to a single blob in an Azure storage account without giving access to the account key. What should you create?

A. A storage account access key
B. A shared access signature (SAS)
C. A resource lock
D. A private endpoint
Answer: B

A SAS provides scoped, time-limited access to the specific blob.

Why this answer

A shared access signature (SAS) is the correct solution because it provides delegated, time-limited access to a specific Azure storage resource (such as a single blob) without exposing the storage account key. You can configure the SAS with read-only permissions, an expiration time, and apply it to a specific blob URL, meeting the requirement for temporary external read access.

Exam trap

The trap here is that candidates often confuse a shared access signature with a storage account access key, mistakenly thinking the key can be shared for temporary access, or they incorrectly assume a resource lock or private endpoint can control data access permissions.

How to eliminate wrong answers

Option A is wrong because a storage account access key grants full administrative access to the entire storage account, not temporary or scoped access to a single blob, and sharing it violates the principle of least privilege. Option C is wrong because a resource lock prevents accidental deletion or modification of a resource but does not grant any access permissions or control read access to data. Option D is wrong because a private endpoint provides secure network connectivity to the storage account over a private IP address, but it does not grant data access permissions or provide temporary, scoped access to a specific blob.

35
MCQ · medium

A DevOps pipeline runs on an on-premises build server and must deploy ARM templates to a resource group in Azure without using a user password. The server is not in Azure, so managed identity is not available. What should the administrator create?

A. A system-assigned managed identity on the build server.
B. A user-assigned managed identity attached to the on-premises server.
C. A service principal for the pipeline, with certificate-based or federated authentication.
D. A shared access signature for the target resource group.
Answer: C

An on-premises build server cannot use Azure managed identity directly, so the correct approach is to create a service principal and grant it the required RBAC permissions. Using certificate-based or federated authentication avoids storing a user password and supports secure non-interactive deployment from outside Azure.

Why this answer

Option C is correct because the on-premises build server cannot use Azure managed identities (which require an Azure resource). Instead, a service principal with certificate-based or federated authentication provides a secure, passwordless identity for the pipeline to authenticate to Azure AD and deploy ARM templates. This aligns with the principle of using Azure AD application credentials for non-Azure workloads.

Exam trap

The trap here is that candidates assume managed identities can be used on any server, but Azure restricts them to Azure-hosted resources, forcing the use of service principals for on-premises scenarios.

How to eliminate wrong answers

Option A is wrong because a system-assigned managed identity can only be created on an Azure resource (e.g., an Azure VM), not on an on-premises server. Option B is wrong because a user-assigned managed identity also requires an Azure resource to host it; attaching it to an on-premises server is not supported. Option D is wrong because a shared access signature (SAS) is a delegation token for specific Azure storage resources (e.g., blobs, queues), not for authenticating to Azure AD or deploying ARM templates to a resource group.

36
MCQ · medium

A VM-based app must upload invoices to a blob container every hour. Security prohibits storing account keys or SAS tokens on the VM. The app should authenticate with Microsoft Entra ID and be allowed only to write blobs in one container. What should you configure?

A. Create an account SAS token and store it in the VM's application settings.
B. Enable a managed identity on the VM and assign Storage Blob Data Contributor at the container scope.
C. Assign Reader on the storage account so the VM can reach the container securely.
D. Grant Storage Account Contributor at the subscription scope so the app can manage all storage resources.
Answer: B

A managed identity lets the VM authenticate to Azure Storage through Microsoft Entra ID without storing credentials on the server. Assigning Storage Blob Data Contributor at the container scope gives the app the ability to upload and modify blob data only where needed. This is the least-privilege approach and aligns with secure operational practice for Azure administrators.

Why this answer

Option B is correct because enabling a managed identity on the VM allows the app to authenticate with Microsoft Entra ID without storing any secrets. Assigning the Storage Blob Data Contributor role at the container scope grants the VM’s managed identity the minimum required permission to write blobs only to that specific container, adhering to the principle of least privilege.

Exam trap

The trap here is that candidates often confuse the Reader role (which only allows read access to the storage account's control plane) with the ability to write data, or they incorrectly assume that a broad role like Storage Account Contributor is acceptable because it 'covers' the storage account, ignoring the security constraint and the need for data-plane permissions at the container scope.

How to eliminate wrong answers

Option A is wrong because storing an account SAS token in the VM's application settings violates the security requirement that prohibits storing account keys or SAS tokens on the VM. Option C is wrong because the Reader role on the storage account only allows read access to the account's metadata and configuration, not write access to blobs in a container. Option D is wrong because granting Storage Account Contributor at the subscription scope provides far too broad permissions, allowing the app to manage all storage resources across the subscription, which violates the principle of least privilege and does not restrict write access to a single container.

37
MCQ · hard

A finance operations team manages virtual machines in RG-App. They must start, stop, deallocate, and view VM properties for any VM in that resource group. They must not be able to delete VMs, read NIC settings, or manage disks. What should the administrator do?

A. Assign the built-in Virtual Machine Contributor role at the subscription scope.
B. Create a custom role with only the required VM actions and assign it at the RG-App scope.
C. Assign the built-in Reader role at the RG-App scope and let the team use portal buttons.
D. Assign the built-in Contributor role at the resource group scope.
Answer: B

This limits permissions to the exact VM operations needed and confines access to RG-App only.

Why this answer

Option B is correct because the required permissions (start, stop, deallocate, view properties) are a subset of the built-in Virtual Machine Contributor role, but that role also includes delete and other management actions. A custom role allows you to grant only the specific Microsoft.Compute/virtualMachines/start/action, Microsoft.Compute/virtualMachines/deallocate/action, and Microsoft.Compute/virtualMachines/read permissions, while explicitly excluding delete, NIC read, and disk management actions. Assigning this custom role at the RG-App scope ensures the team can manage VMs without broader access.

Exam trap

The trap here is that candidates often assume the built-in Virtual Machine Contributor role is sufficient because it covers VM management, but they overlook that it includes delete and other broader permissions that must be explicitly excluded via a custom role.

How to eliminate wrong answers

Option A is wrong because the built-in Virtual Machine Contributor role at subscription scope grants permissions to delete VMs, read NIC settings, and manage disks, which violates the requirement to prevent those actions. Option C is wrong because the built-in Reader role only allows read operations (Microsoft.Compute/virtualMachines/read) and does not include start, stop, or deallocate actions, so the team cannot perform those operations via portal buttons or any other method. Option D is wrong because the built-in Contributor role at the resource group scope includes full management permissions, including delete, read NIC settings, and manage disks, which exceeds the required permissions and violates the restriction.

38
MCQmedium

A storage account hosts blobs used by a public website. You need to reduce the risk of accidental deletion by developers while allowing updates to existing blobs. What should you configure?

A.Enable blob soft delete.
B.Enable immutable storage for the container.
C.Move the account to premium performance.
D.Enable static website hosting only.
AnswerA

This retains deleted blobs for recovery while allowing normal blob updates.

Why this answer

Blob soft delete protects against accidental deletion by retaining deleted blobs for a specified retention period, allowing recovery. This meets the requirement to reduce risk from developers while still permitting updates to existing blobs, as soft delete only applies to delete operations, not overwrites.

Exam trap

The trap here is that candidates confuse blob soft delete with immutable storage, assuming both prevent deletion, but immutable storage also blocks updates, which violates the requirement to allow modifications to existing blobs.

How to eliminate wrong answers

Option B is wrong because immutable storage prevents any modification or deletion of blobs during the policy period, which blocks the required ability to update existing blobs. Option C is wrong because moving to premium performance (Azure Premium Block Blob Storage) does not provide any deletion protection; it only offers consistent low-latency and higher IOPS for workloads like high-transaction applications. Option D is wrong because enabling static website hosting only configures a container for serving static content via a web endpoint; it does not implement any deletion safeguards or versioning.

39
MCQmedium

An application writes transaction logs to a storage account in a region that supports availability zones. The business wants the account to stay available if one datacenter or zone fails, but it does not need a secondary region replica. Which redundancy option should you choose?

A.LRS, because it keeps three copies within a single datacenter and is enough for any zone failure.
B.ZRS, because it replicates synchronously across zones in the same region and survives a zone outage.
C.GRS, because it adds a geographically replicated secondary region for disaster recovery.
D.RA-GRS, because read access to the secondary region is the best protection against a zone failure.
AnswerB

ZRS keeps data synchronously replicated across multiple availability zones within one region. That design helps the storage account remain available when a zone or datacenter becomes unavailable, which matches the requirement. It avoids the added complexity and cost of geo-replication because a secondary region is not required.

Why this answer

B is correct because Zone-Redundant Storage (ZRS) synchronously replicates data across three Azure availability zones within the same region. This design ensures that if one datacenter or zone fails, the storage account remains available and durable without requiring a secondary region replica, exactly matching the business requirement.

Exam trap

The trap here is that candidates often mistake LRS's three-copy replication within one datacenter for sufficient protection against zone failures, not realizing that a zone can contain multiple datacenters and that LRS does not span zones, while ZRS is specifically designed for zone-level resilience.

How to eliminate wrong answers

Option A is wrong because LRS (Locally Redundant Storage) keeps three copies within a single datacenter; it cannot survive a full zone failure since an entire zone may contain multiple datacenters, and LRS does not span zones. Option C is wrong because GRS (Geo-Redundant Storage) adds a secondary region replica, which is unnecessary and more expensive when only zone-level resilience is needed. Option D is wrong because RA-GRS (Read-Access Geo-Redundant Storage) also involves a secondary region and provides read access there, but it does not address zone failures within the primary region and introduces unnecessary geo-replication cost and complexity.

40
MCQhard

An analytics platform stores daily export files in Azure Blob Storage. The business wants the storage account to survive a failure of any one availability zone and also keep a replicated copy in a paired region for disaster recovery. No one needs to read from the secondary region unless a disaster recovery event occurs. Which redundancy option should be used?

A.ZRS
B.GRS
C.GZRS
D.RA-GRS
AnswerC

GZRS is designed for workloads that need both zone resilience and geo-replication without requiring read access to the secondary region. It keeps the primary copy spread across zones in the region and replicates that data to a paired region for disaster recovery. That matches the requirement exactly.

Why this answer

C is correct because GZRS (Geo-Zone-Redundant Storage) combines zone-redundant storage (ZRS) within the primary region, ensuring the storage account survives any single availability zone failure, with geo-redundant replication to a paired region for disaster recovery. The secondary region copy is not readable unless a failover is initiated, matching the requirement that no one reads from the secondary region unless a disaster recovery event occurs.

Exam trap

The trap here is that candidates often confuse GZRS with RA-GZRS, assuming that geo-redundant storage always provides read-access to the secondary region, but GZRS does not—only RA-GZRS does, and the question explicitly states no one needs to read from the secondary region unless a disaster recovery event occurs.

How to eliminate wrong answers

Option A is wrong because ZRS provides zone-level redundancy within a single region but does not replicate data to a paired region, failing the disaster recovery requirement. Option B is wrong because GRS replicates data to a paired region but uses LRS within the primary region, meaning a single availability zone failure could cause data loss or unavailability in the primary region. Option D is wrong because RA-GRS offers read-access to the secondary region at all times, which violates the requirement that no one reads from the secondary region unless a disaster recovery event occurs.

41
Matchingeasy

Match each blob tier or protection feature to the correct description.

Matches

Best for data accessed frequently and kept immediately available.

Best for infrequently accessed data that still remains online.

Stores data offline and requires rehydration before it can be read.

Moves archived data back to an online tier so it can be accessed again.

Helps prevent modification or deletion for a retention period.

Why these pairings

The hot, cool, and archive tiers differ in access frequency and cost structure. Soft delete, immutable storage, and point-in-time restore are protection features that prevent data loss or tampering.

42
MCQmedium

A finance department shares a resource group containing a critical VM and a storage account. Administrators must still be able to update settings and apply patches, but no one should accidentally delete the resources. Which lock should be applied at the resource group level?

A.ReadOnly lock, because it is the most restrictive option.
B.CanNotDelete lock.
C.A policy assignment that denies delete operations.
D.No lock, because RBAC permissions already prevent deletion.
AnswerB

CanNotDelete is the appropriate lock when administrators must continue making changes but want to prevent accidental deletion. Applied at the resource group level, it protects the VM and storage account from removal while allowing normal management operations to continue.

Why this answer

The CanNotDelete lock (option B) is correct because it prevents users from deleting the resource group or its resources, while still allowing read and update operations. This meets the requirement that administrators can update settings and apply patches, but accidental deletion is blocked. ReadOnly locks would block all write operations, including patching, which is too restrictive for this scenario.

Exam trap

The trap here is that candidates often confuse ReadOnly locks with the most restrictive option and assume it is the best choice, without considering that it blocks all write operations, including necessary updates and patching.

How to eliminate wrong answers

Option A is wrong because a ReadOnly lock prevents all write operations, including updates and patching, which contradicts the requirement that administrators must be able to update settings and apply patches. Option C is wrong because a policy assignment that denies delete operations is a more complex solution that requires custom policy definitions and assignment, whereas a resource lock is the simpler, built-in mechanism designed specifically for this purpose. Option D is wrong because RBAC permissions alone do not prevent accidental deletion; a user with Contributor or Owner role can delete resources, and locks provide an additional layer of protection beyond RBAC.

43
MCQmedium

Based on the exhibit, what should the administrator do to prevent anyone from changing the retention settings after validation?

A.Lock the immutability policy after validation is complete.
B.Move the container to the Cool access tier to preserve the retention period.
C.Create a blob snapshot every day so the retention settings cannot be edited.
D.Enable container public access so the audit logs are easier to verify.
AnswerA

An unlocked immutability policy allows authorized changes during setup and testing. Once the retention period is validated, locking the policy prevents shortening or weakening retention settings later, which is exactly what the compliance note requires.

Why this answer

Option A is correct because locking the time-based retention (immutability) policy prevents any user, including administrators, from modifying or deleting the policy. Once locked, the retention settings become irrevocable, ensuring that data cannot be altered or overwritten during the specified retention period. This is a critical step for compliance with regulations such as SEC 17a-4 or FINRA.

Exam trap

The trap here is that candidates often confuse 'locking' a policy with other storage management actions like changing access tiers or creating snapshots, mistakenly believing those actions can enforce immutability when only a locked policy provides the required legal protection.

How to eliminate wrong answers

Option B is wrong because moving the container to the Cool access tier does not prevent changes to retention settings; it only changes the storage cost and latency, not the immutability configuration. Option C is wrong because creating a blob snapshot does not lock retention settings; snapshots are point-in-time copies that can be deleted or modified independently, and they do not enforce immutability on the base blob. Option D is wrong because enabling container public access would expose the data to anonymous read requests, which violates security best practices and does not protect retention settings from being changed.

44
Multi-Selecthard

A legal team stores scanned contracts in Blob Archive. Auditors will need to open several files next week for about five days and then the documents should return to the lowest practical storage cost. Which two actions should the administrator plan? Select two.

Select 2 answers
A.Download the blobs directly from Archive with a normal read operation.
B.Initiate a rehydration to the Cool tier before the review window.
C.Set the blobs to the Hot tier permanently as soon as the review starts.
D.Move the blobs back to Archive after the review window ends.
E.Change the storage account redundancy to RA-GRS so the files can be read.
AnswersB, D

Rehydrating to Cool makes the data online again at a lower cost than Hot, which fits infrequent access during a short review.

Why this answer

Option B is correct because blobs in the Archive tier are offline and cannot be read directly; they must first be rehydrated to a hot or cool tier. Rehydrating to the Cool tier is appropriate for a five-day access window and avoids the higher cost of the Hot tier. After the review, moving the blobs back to Archive (Option D) ensures the lowest practical storage cost for long-term retention.

Exam trap

The trap here is that candidates assume Archive blobs can be read directly (like a normal download) or that changing redundancy (RA-GRS) somehow bypasses the offline nature of Archive, when in fact rehydration is mandatory and redundancy settings only affect replication, not tier accessibility.

45
MCQmedium

A web app running in Azure App Service must read blobs from a storage account. The app must authenticate without storing secrets or SAS tokens, and administrators should grant only blob data permissions, not storage management permissions. What should you configure?

A.The storage account access key in an application setting, because it works with any blob operation.
B.A system-assigned managed identity for the app with Storage Blob Data Reader assigned at the storage scope.
C.The Contributor role on the storage account, because it includes both management and data permissions.
D.A service endpoint on the subnet, because service endpoints are used for application authentication.
AnswerB

A managed identity lets the app authenticate to Azure Storage without storing credentials, and the Storage Blob Data Reader role grants only blob data read access. Assigning the role at the storage account scope keeps the permission focused on the intended resource while avoiding management-plane rights. This is the most secure operational pattern for an Azure-hosted app that only needs to read blobs.

Why this answer

Option B is correct because a system-assigned managed identity allows the App Service to authenticate to Azure Storage without storing any secrets or SAS tokens. By assigning the Storage Blob Data Reader role at the storage account scope, you grant only the necessary blob read permissions while explicitly excluding any storage management permissions (e.g., creating or deleting storage accounts). This aligns with the principle of least privilege and eliminates credential management overhead.

Exam trap

The trap here is that candidates often confuse RBAC roles like Contributor (which grants management permissions only) with data plane roles like Storage Blob Data Reader, or they mistakenly think service endpoints provide authentication instead of network-level access control.

How to eliminate wrong answers

Option A is wrong because using the storage account access key grants full management and data plane access to the storage account, which violates the requirement to avoid storing secrets and to restrict permissions to blob data only. Option C is wrong because the Contributor role is an Azure RBAC management role that includes permissions to manage the storage account itself (e.g., update firewall rules, regenerate keys) but does not grant any data plane access to blobs; it also fails the requirement to avoid storing secrets. Option D is wrong because a service endpoint on a subnet is a network-level feature that restricts traffic to the storage account from a specific virtual network, not an authentication mechanism; it does not provide identity-based access or eliminate the need for secrets.

46
MCQhard

You need to allow a partner application to upload files to a blob container for the next 24 hours. The partner must not receive the storage account key. What should you provide?

A.The storage account access key
B.A shared access signature (SAS)
C.The connection string with the account key
D.A Recovery Services vault
AnswerB

A SAS provides limited access for a defined time and permission scope.

Why this answer

A shared access signature (SAS) provides delegated, time-limited access to a specific Azure Storage resource (like a blob container) without exposing the storage account key. By generating a SAS token with write permissions and a 24-hour expiry, you grant the partner application the ability to upload files while maintaining security and control over the access window.

Exam trap

The trap here is that candidates often confuse a SAS with a connection string or access key, mistakenly thinking that any shared credential will work, but the exam specifically tests the ability to grant time-limited, scoped access without exposing the account key.

How to eliminate wrong answers

Option A is wrong because providing the storage account access key grants full, unrestricted access to the entire storage account, including all containers, blobs, tables, and queues, with no time limit or granular permission control. Option C is wrong because the connection string with the account key embeds the storage account key, which exposes the same full-access risk as option A and violates the requirement that the partner must not receive the key. Option D is wrong because a Recovery Services vault is used for Azure Backup and Site Recovery scenarios, not for granting delegated access to blob storage.

47
Drag & Dropmedium

Order the steps to configure Azure AD Connect for hybrid identity.


Why this order

Install, choose sync method, connect to Azure AD, filter domains, then finalize.

48
MCQmedium

A finance team stores application blobs in an Azure Storage account. The data must remain available if a single availability zone in the region is lost, and the team does not need automatic read access from another region. Which redundancy option best meets the requirement?

A.Locally redundant storage (LRS), which keeps three copies in one datacenter only.
B.Zone-redundant storage (ZRS), which replicates data across availability zones in the same region.
C.Geo-redundant storage (GRS), which replicates data to a paired region and supports failover.
D.Read-access geo-redundant storage (RA-GRS), which allows reads from the secondary region.
AnswerB

ZRS stores multiple copies of the data across availability zones within one region, so the storage account can remain available if one zone is lost. This matches the requirement for zone failure resiliency without introducing cross-region read access or the extra complexity of geo-failover. It is the least expansive redundancy option that still provides protection against a zone outage.

Why this answer

Zone-redundant storage (ZRS) replicates your data synchronously across three Azure availability zones within the primary region. This ensures that if a single zone fails, the data remains available and durable without requiring any manual intervention or failover, and it does not introduce read access from another region, which the team does not need.

Exam trap

The trap here is that candidates often confuse 'availability within a region' with 'disaster recovery across regions,' leading them to choose GRS or RA-GRS when the requirement is only to survive a single availability zone failure, not a full regional outage.

How to eliminate wrong answers

Option A is wrong because LRS keeps three copies within a single datacenter, so losing that datacenter (or its availability zone) would cause data loss or unavailability. Option C is wrong because GRS replicates data to a paired secondary region, which provides cross-region durability but also introduces a failover mechanism that is not required here; it also does not protect against a single-zone failure within the primary region without relying on the secondary region. Option D is wrong because RA-GRS adds read access to the secondary region, which is explicitly not needed, and like GRS, it does not provide zone-level redundancy within the primary region.

49
MCQmedium

A hub VNet already has a VPN gateway connected to on-premises networks. A new spoke VNet must reach those on-premises networks through the existing gateway without deploying another gateway. Which peering settings are required?

A.Enable gateway transit on the hub peering and use remote gateways on the spoke peering.
B.Enable forwarded traffic on both peerings and leave gateway settings disabled.
C.Enable use remote gateways on the hub peering and gateway transit on the spoke peering.
D.Create a private endpoint between the two VNets.
AnswerA

To let a spoke VNet use the hub's gateway, the hub side must allow gateway transit and the spoke side must be configured to use the remote gateway. This combination lets the spoke send traffic to on-premises networks through the existing hub VPN gateway, avoiding duplicate gateway deployment. It is the standard design for hub-and-spoke environments that centralize connectivity and reduce cost and operational overhead.

Why this answer

Option A is correct because to allow a spoke VNet to use the hub VNet's VPN gateway without deploying its own, you must enable 'Use remote gateways' on the spoke peering and 'Gateway transit' on the hub peering. This configuration allows the spoke to route traffic destined for on-premises networks through the hub's VPN gateway, leveraging the existing site-to-site VPN connection.

Exam trap

The trap here is that candidates often confuse which peering (hub or spoke) gets which setting, incorrectly assuming 'Use remote gateways' goes on the hub and 'Gateway transit' on the spoke, or they think 'Forwarded traffic' is sufficient for gateway routing.

How to eliminate wrong answers

Option B is wrong because enabling 'Forwarded traffic' on both peerings only allows traffic to be forwarded between VNets but does not enable gateway transit; without gateway transit and use remote gateways, the spoke cannot use the hub's VPN gateway. Option C is wrong because it reverses the required settings: 'Use remote gateways' must be enabled on the spoke peering, not the hub, and 'Gateway transit' must be enabled on the hub peering, not the spoke. Option D is wrong because a private endpoint is used to connect privately to a specific Azure service (e.g., Storage, SQL) over the Microsoft backbone, not to route traffic through a VPN gateway to on-premises networks.

50
MCQmedium

A Windows file server VM in Azure must mount an Azure file share by using existing Active Directory Domain Services credentials instead of a storage account key. The organization already has domain-joined Windows servers in the environment. What should the administrator configure on the storage account?

A.Enable Azure Files identity-based authentication with Active Directory Domain Services.
B.Enable blob soft delete and mount the share with a blob container SAS token.
C.Enable a service endpoint for Microsoft.Storage on the subnet.
D.Create a shared access signature for the file share and map it as a local drive.
AnswerA

Azure Files can use AD DS-based Kerberos authentication for SMB access. This allows the VM to authenticate with existing domain credentials instead of using a storage account key.

Why this answer

Option A is correct because Azure Files supports identity-based authentication over SMB using Active Directory Domain Services (AD DS). By enabling this on the storage account, the administrator can mount the file share using existing domain credentials instead of a storage account key, provided the client VM is domain-joined and the share is configured with appropriate NTFS permissions. This eliminates the need to manage or expose storage account keys.

Exam trap

The trap here is that candidates often confuse network-level controls (like service endpoints) or key-based access methods (like SAS tokens) with identity-based authentication, failing to recognize that only enabling AD DS authentication on the storage account allows the use of existing domain credentials.

How to eliminate wrong answers

Option B is wrong because blob soft delete is a data protection feature for Azure Blob Storage, not for Azure Files, and mounting a share with a blob container SAS token is not applicable to file shares. Option C is wrong because a service endpoint for Microsoft.Storage on the subnet only restricts network access to the storage account from that subnet; it does not enable identity-based authentication or replace the need for a storage account key. Option D is wrong because creating a shared access signature (SAS) for the file share still requires a SAS token (a form of key-based access) rather than using existing Active Directory Domain Services credentials for authentication.

51
MCQmedium

A line-of-business application stores transaction logs in an Azure Storage account. The app must keep working if one availability zone in the primary region fails, and administrators want read access to the secondary copy if the primary region becomes unavailable. Which redundancy option should you choose?

A.LRS, because it keeps three local copies in one datacenter and is the simplest choice.
B.RA-GRS, because it provides geo-replication and read access to the secondary region.
C.GZRS, because it combines zone redundancy in the primary region with geo-replication.
D.RA-GZRS, because it keeps the primary region zone-redundant and allows read access to the secondary copy.
AnswerD

RA-GZRS is the only option listed that combines zone-redundant storage in the primary region with geo-replication and read access to the secondary endpoint. That satisfies both the availability-zone failure requirement and the need to read data during a regional outage. It is the strongest choice when you need resilience across both datacenter-level and regional failure scenarios.

Why this answer

RA-GZRS (Read-Access Geo-Zone-Redundant Storage) is correct because it combines zone-redundant storage (ZRS) across availability zones in the primary region, ensuring continued operation if one zone fails, with geo-replication to a secondary region. Additionally, the 'RA' prefix enables read access to the secondary copy if the primary region becomes unavailable, meeting both requirements.

Exam trap

The trap here is that candidates often confuse GZRS with RA-GZRS, overlooking that GZRS does not grant read access to the secondary region unless a failover is initiated, while RA-GZRS explicitly allows read access to the secondary copy at all times.

How to eliminate wrong answers

Option A is wrong because LRS (Locally Redundant Storage) only keeps three copies within a single datacenter and does not protect against an availability zone failure or provide geo-replication. Option B is wrong because RA-GRS (Read-Access Geo-Redundant Storage) provides geo-replication and read access to the secondary region, but it does not offer zone redundancy in the primary region; it uses LRS in the primary region, so a zone failure could still cause downtime. Option C is wrong because GZRS (Geo-Zone-Redundant Storage) provides zone redundancy in the primary region and geo-replication, but it does not include read access to the secondary copy; the secondary copy is only available for failover, not for read access during an outage.

52
MCQeasy

An administrator moved a blob to the Archive tier last month. A user needs to open it tomorrow. What must happen before the file can be read?

A.Change the blob to Hot or Cool and wait for rehydration to complete
B.Create a snapshot of the archived blob
C.Enable versioning on the storage account
D.Move the storage account to LRS redundancy
AnswerA

Archive blobs are offline, so they must be rehydrated to an online tier such as Hot or Cool before they can be read.

Why this answer

To read a blob in the Archive tier, it must first be rehydrated to the Hot or Cool tier. This process, called rehydration, changes the blob's tier and makes it accessible for reading. Until rehydration completes, the blob remains offline and cannot be read.

Exam trap

The trap here is that candidates may think archived blobs can be read directly or that other operations like snapshots or versioning bypass the rehydration requirement, but Azure explicitly requires tier change and rehydration before any read access.

How to eliminate wrong answers

Option B is wrong because creating a snapshot of an archived blob does not change its tier; the snapshot inherits the Archive tier and remains offline. Option C is wrong because enabling versioning creates new versions of blobs but does not rehydrate archived blobs; archived versions remain inaccessible. Option D is wrong because changing redundancy to LRS does not affect the blob's tier; the blob stays in the Archive tier and remains offline until rehydrated.

53
MCQmedium

Based on the exhibit, what is the best access change to let John download blobs from only the invoices container?

A.Assign Reader at the storage account scope so John can view the storage account and its data.
B.Assign Storage Blob Data Reader at the invoices container scope.
C.Assign Storage Account Contributor at the resource group scope.
D.Make the invoices container public and keep John's existing Contributor role.
AnswerB

Blob downloads require a data-plane role, not the Contributor role on the storage account. Assigning Storage Blob Data Reader at the container scope gives John only the read permissions needed for invoices and avoids granting access to other containers or management operations.

Why this answer

Option B is correct because assigning the Storage Blob Data Reader role at the invoices container scope grants John the minimum permissions needed to download blobs from that specific container. This role provides read access to blob data without allowing any write or management operations, and scoping it to the container ensures John cannot access other containers in the storage account.

Exam trap

The trap here is that candidates often confuse management-plane roles (like Reader or Contributor) with data-plane roles, assuming that any role with 'read' or 'contributor' in the name grants access to blob data, when in fact only specific data-plane roles (e.g., Storage Blob Data Reader) provide the necessary permissions for blob operations.

How to eliminate wrong answers

Option A is wrong because the Reader role at the storage account scope only allows viewing the storage account's configuration and metadata, not reading blob data; it does not include the Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read permission required to download blobs. Option C is wrong because Storage Account Contributor at the resource group scope grants full management access to the storage account, including the ability to delete or modify the account, which is excessive and does not specifically grant blob data read permissions. Option D is wrong because making the invoices container public would allow anonymous access to all blobs in that container, bypassing Azure RBAC entirely and violating security best practices; John's existing Contributor role still does not grant blob data read permissions.

54
MCQmedium

A development team needs a single Azure Storage account for blob containers, Azure Files shares, and blob lifecycle rules. The account must support standard performance and allow future use of access tiers. Which account kind should you create?

A.BlobStorage because it is optimized for blobs and supports lifecycle management.
B.StorageV2 because it supports blobs, Azure Files, lifecycle management, and access tiers.
C.FileStorage because it is designed for file shares and can also host blob lifecycle rules.
D.BlockBlobStorage because it provides the best performance for lifecycle policies and file shares.
AnswerB

StorageV2 is the correct choice because it is the general-purpose v2 account type. It supports blob containers, Azure Files shares, blob access tiers, lifecycle management rules, and the standard capabilities used in most Azure administration scenarios. It is also the recommended account type when a team wants one storage account for multiple storage services and operational features.

Why this answer

StorageV2 (general-purpose v2) is the only account kind that supports blobs, Azure Files shares, lifecycle management policies, and all access tiers (hot, cool, archive) with standard performance. BlobStorage lacks Azure Files support, FileStorage is premium-only and does not support lifecycle rules, and BlockBlobStorage is premium-only and does not support Azure Files or lifecycle management.

Exam trap

Microsoft often tests the misconception that BlobStorage accounts are sufficient for mixed workloads; the question wording intentionally leaves out that BlobStorage cannot host Azure Files shares, making StorageV2 the only viable choice when both blob and file storage are required with lifecycle management.

How to eliminate wrong answers

Option A is wrong because BlobStorage accounts support only block blobs and append blobs; although they support lifecycle management, they cannot host Azure Files shares. Option C is wrong because FileStorage accounts are premium-only (SSD-based) and do not support blob lifecycle management rules or standard performance tiers. Option D is wrong because BlockBlobStorage accounts are premium-only, designed for high-throughput block blob workloads, and do not support Azure Files shares or lifecycle management policies.

55
Matching · medium

Match each file-sharing requirement to the best Azure Files mounting or integration approach.


Concepts
Matches

Azure File Sync

SMB with AD DS-based identity authentication

NFS 4.1 share

SAS token

Why these pairings

SMB mounting requires storage account credentials; NFS needs a private endpoint; the REST API is for programmatic access; Azure AD DS enables identity-based access; File Sync caches on-premises.

56
MCQ · medium

An analytics team stores exported reports in a storage account. They want the data to survive a zone failure and a regional outage, and if the primary region becomes unavailable they also want read-only access to the replica while failover is being planned. Which redundancy option should you select?

A. GZRS
B. RA-GZRS
C. RA-GRS
D. ZRS
Answer: B

RA-GZRS combines zone-redundant storage with geo-replication and also allows read access to the secondary region.

Why this answer

RA-GZRS (Read-Access Geo-Zone-Redundant Storage) is correct because it combines zone-redundant storage (ZRS) within the primary region with geo-redundant replication to a secondary region, and crucially provides read-only access to the secondary replica even when the primary region is available. This meets the requirement for data survival during both a zone failure and a regional outage, while allowing read-only access to the replica during failover planning.

Exam trap

The trap here is that candidates often confuse GZRS with RA-GZRS, forgetting that the 'RA' prefix is required to enable read access to the secondary region before a failover occurs.

How to eliminate wrong answers

Option A (GZRS) is wrong because while it provides zone redundancy and geo-replication, it does not enable read access to the secondary region unless a failover is initiated; the secondary is offline for reads until then. Option C (RA-GRS) is wrong because it uses LRS (locally redundant storage) in the primary region, which does not survive a zone failure (only a single datacenter failure). Option D (ZRS) is wrong because it only protects against zone failures within a single region and does not provide geo-replication for regional outage protection or read access to a secondary replica.

57
MCQ · easy

A partner must upload files to one blob container for 12 hours. You do not want to share the storage account key, and the access should expire automatically. Which access method should you use?

A. Role assignment in Azure RBAC
B. Shared access signature (SAS)
C. Private endpoint
D. Storage account lock
Answer: B

A SAS can grant scoped, time-limited access to a container or blob without exposing the storage account key.

Why this answer

A shared access signature (SAS) is the correct choice because it provides time-limited, delegated access to a specific blob container without exposing the storage account key. You can set an expiry time of 12 hours, and the SAS token can be generated with only the permissions needed (e.g., write). Once the token expires, access is automatically revoked, meeting the requirement for automatic expiration.

Exam trap

The trap here is that candidates often confuse RBAC with SAS, thinking that a role assignment can be made temporary, but RBAC does not support automatic expiration; only SAS provides time-bound, delegated access without sharing the account key.

How to eliminate wrong answers

Option A is wrong because Azure RBAC role assignments do not have a built-in automatic expiration mechanism; they grant persistent access until explicitly removed, and they cannot be scoped to a single blob container with a time limit. Option C is wrong because a private endpoint provides a secure network connection to the storage account over a private IP, but it does not control or expire access to specific containers or blobs. Option D is wrong because a storage account lock prevents accidental deletion or modification of the storage account itself, but it does not provide time-limited access to blob containers.

58
MCQ · hard

An archive team stores legal exhibits in Azure Blob Storage. The files are downloaded only during quarterly audits, but when an auditor needs one, it must be readable immediately without waiting for a rehydration job. The team wants the lowest practical cost after the first 30 days and does not want to move blobs manually each quarter. What should the administrator configure?

A. Keep the blobs in Hot tier permanently and delete them manually after each audit cycle.
B. Use a lifecycle management rule to move the blobs to Cool tier after 30 days.
C. Move the blobs to Archive tier after 30 days and rehydrate them when audits begin.
D. Store the files in Premium block blob storage and use snapshots for audit recovery.
Answer: B

Cool tier remains online and immediately readable, while costing less than Hot for infrequent access.

Why this answer

Option B is correct because Azure Blob Storage lifecycle management rules can automatically move blobs from Hot to Cool tier after 30 days, reducing storage costs while keeping data immediately accessible. Cool tier offers lower storage costs than Hot tier with the same low-latency read access, satisfying the requirement for instant auditor access without manual intervention.

Exam trap

The trap here is that candidates often confuse Archive tier's low storage cost with immediate accessibility, forgetting that Archive requires a rehydration step that can take hours, while Cool tier provides instant access at a slightly higher but still cost-effective rate.

How to eliminate wrong answers

Option A is wrong because keeping blobs in Hot tier permanently incurs the highest storage cost, and manual deletion each quarter violates the 'do not want to move blobs manually' requirement. Option C is wrong because moving blobs to Archive tier after 30 days would require a rehydration job (taking up to 15 hours) before auditors can read them, contradicting the 'readable immediately' requirement. Option D is wrong because Premium block blob storage is designed for low-latency workloads with high transaction costs, not for archival data, and snapshots do not provide tier-based cost savings or automate tier transitions.

59
MCQ · medium

A contractor needs temporary access to upload and download files in only one blob container for 8 hours. You do not want to share the storage account key, and you want to revoke access later without affecting other containers. What should you create?

A. A storage account access key, because it can be limited to one container by policy.
B. A container-level SAS token backed by a stored access policy, so you can limit and revoke access.
C. Anonymous public access on the container, because it is the easiest way to time-limit access.
D. Azure RBAC on the storage account only, because RBAC automatically expires after a few hours.
Answer: B

A container-level SAS with a stored access policy is ideal for temporary access to one container. It avoids sharing the account key, limits permissions and lifetime to exactly what is needed, and gives you a revocation point through the stored access policy. That combination is safer than broad key-based access and more operationally flexible than changing account-wide settings.

Why this answer

A container-level SAS token backed by a stored access policy is the correct solution because it allows you to grant temporary, scoped access to a single blob container without exposing the storage account key. The stored access policy enables you to revoke the SAS token at any time by modifying or deleting the policy, which immediately invalidates all tokens associated with it, without affecting other containers.

Exam trap

The trap here is that candidates often confuse a container-level SAS with a stored access policy, thinking a SAS alone provides revocability, but without a stored access policy, a SAS token cannot be revoked before its expiry time.

How to eliminate wrong answers

Option A is wrong because a storage account access key grants full administrative access to the entire storage account, cannot be scoped to a single container, and cannot be revoked without regenerating the key (which affects all containers). Option C is wrong because anonymous public access allows anyone to read blobs without authentication, cannot enforce time-limited access for uploads, and cannot be revoked granularly without disabling public access entirely. Option D is wrong because Azure RBAC on the storage account does not automatically expire after a few hours; RBAC assignments persist until explicitly removed, they apply at the storage account or container scope, and they cannot provide time-bound access without additional tooling such as Azure AD PIM.

60
MCQ · medium

A storage account must be accessible only from one virtual network, and the storage service must have a private IP address inside that network. Public network access should be disabled. Which solution should the administrator use?

A. Add a storage firewall rule that allows the subnet's public IP range
B. Configure a service endpoint for the subnet and keep public access enabled
C. Create a private endpoint for the storage account in the virtual network
D. Peer the virtual network to the storage account's region
Answer: C

A private endpoint gives the storage account a private IP address in the VNet and supports disabling public access.

Why this answer

Option C is correct because a private endpoint assigns the storage account a private IP address from the virtual network's address space, using Azure Private Link to route traffic entirely over the Microsoft backbone. This ensures the storage account is accessible only from that virtual network and allows public network access to be disabled, meeting both requirements.

Exam trap

The trap here is confusing service endpoints (which still leave the public endpoint enabled and only provide source-side filtering) with private endpoints (which provide a private IP and fully disable public access).

How to eliminate wrong answers

Option A is wrong because adding a storage firewall rule for the subnet's public IP range does not give the storage account a private IP address; it only restricts access to traffic from that public IP range, and the storage account still has a public endpoint. Option B is wrong because configuring a service endpoint keeps the storage account's public endpoint enabled and does not provide a private IP address; it only allows traffic from the subnet to be routed via the Azure backbone, but public access remains. Option D is wrong because VNet peering connects virtual networks, not a storage account to a virtual network; storage accounts are not peered, and this does not assign a private IP or disable public access.

61
MCQ · medium

You need to create a storage account that provides the lowest-cost redundant storage for non-critical data and only needs protection against local disk or server failure within a single datacenter. Which redundancy option should you choose?

A. LRS
B. ZRS
C. GRS
D. GZRS
Answer: A

LRS provides redundancy within a single datacenter at the lowest cost.

Why this answer

A is correct because Locally Redundant Storage (LRS) replicates data three times within a single datacenter in the same region, protecting against local disk or server failures. It is the lowest-cost redundancy option, making it ideal for non-critical data that does not require protection against zone- or region-level outages.

Exam trap

The trap here is that candidates may choose ZRS or GRS thinking they need 'redundancy' without realizing the question specifically limits the scope to local failures within a single datacenter, making LRS the cheapest and sufficient option.

How to eliminate wrong answers

Option B (ZRS) is wrong because it replicates data synchronously across three Azure availability zones within a region, providing higher durability than needed for single-datacenter protection and at a higher cost. Option C (GRS) is wrong because it includes LRS within the primary region plus asynchronous replication to a secondary region, offering region-level disaster recovery at significantly higher cost. Option D (GZRS) is wrong because it combines ZRS in the primary region with asynchronous replication to a secondary region, providing the highest durability and cost, far exceeding the requirement for local disk or server failure protection.

62
MCQ · medium

A reporting system requires a storage account that is zone resilient in the primary region and also keeps a geo-replicated secondary copy that can be read during an outage. Which redundancy option should you select?

A. ZRS, because it protects against zone failure and also provides a readable secondary region.
B. GRS, because it stores a secondary copy in another region but does not offer zone redundancy in the primary region.
C. RA-GZRS, because it combines zone redundancy, geo-replication, and read access to the secondary region.
D. LRS, because local replication is enough when the workload already has application-level retries.
Answer: C

RA-GZRS provides the strongest fit for this scenario. It combines synchronous zone redundancy in the primary region with asynchronous geo-replication to a secondary region, and it allows read access to that secondary copy. That combination meets both the availability and reporting requirements described in the question.

Why this answer

RA-GZRS (Read-Access Geo-Zone-Redundant Storage) is the correct choice because it provides synchronous replication across three Azure availability zones in the primary region for zone resilience, asynchronous geo-replication to a secondary region for disaster recovery, and enables read access to the secondary copy during an outage. This meets all three requirements: zone resiliency, geo-replication, and readable secondary region.

Exam trap

The trap here is that candidates often confuse GRS with RA-GZRS, overlooking that GRS lacks zone redundancy in the primary region and does not provide read access to the secondary copy unless explicitly enabled via RA-GRS or RA-GZRS.

How to eliminate wrong answers

Option A is wrong because ZRS (Zone-Redundant Storage) only replicates data synchronously across availability zones in the primary region and does not provide geo-replication or a readable secondary region. Option B is wrong because GRS (Geo-Redundant Storage) provides geo-replication to a secondary region but does not offer zone redundancy in the primary region; it uses LRS locally. Option D is wrong because LRS (Locally Redundant Storage) replicates data three times within a single datacenter, offering no zone resilience, no geo-replication, and no readable secondary copy, making it unsuitable for the stated requirements.

63
MCQ · medium

A partner company needs to upload files to a single blob container for the next 24 hours. The partner should not receive the storage account key, and the access should be limited to that container only. Which access mechanism should you provide?

A. A container-level SAS token with write permission and a 24-hour expiry.
B. The storage account key, because it is easier for external users to use.
C. A management group role assignment, because RBAC can restrict access to one blob container.
D. A private endpoint, because it grants the partner write access over a private IP.
Answer: A

A SAS token is the right tool for short-lived, scoped access to one container. It avoids sharing the storage account key, and you can limit the permissions to write only with a precise expiration time. That makes it well suited for partner uploads, temporary transfers, and other delegated storage tasks.

Why this answer

A container-level SAS token with write permission and a 24-hour expiry is correct because it provides time-limited, delegated access to a specific blob container without exposing the storage account key. The SAS token is generated with the container as the resource scope, write permission (add/create), and an expiry time of 24 hours, meeting all requirements: no key sharing, container-only access, and time-bound access.

Exam trap

The trap here is that candidates may confuse SAS tokens with storage account keys, thinking a key is simpler for external users. They may also mistakenly believe that RBAC at a management group scope can be narrowed to a single container; in fact, RBAC for containers requires the scope to be the container itself (via Azure RBAC for Data Actions) and is not available at the management group level.

How to eliminate wrong answers

Option B is wrong because sharing the storage account key grants full administrative access to the entire storage account (all containers, blobs, queues, tables, and settings), violating the requirement to limit access to a single container and avoid exposing the key. Option C is wrong because RBAC role assignments at the management group scope apply to all subscriptions and resources under that management group, not to a single blob container; RBAC can be scoped to a container only at the resource group or storage account level, not at the management group level. Option D is wrong because a private endpoint provides network-level isolation (private IP connectivity) but does not grant write permissions or control access to a specific container; it only ensures traffic stays on a private network, and permissions are still managed via keys, SAS, or RBAC.

64
MCQ · medium

A business-critical storage account must survive a zone outage in the primary region and also keep a read-only copy in the paired region for reporting if the primary region becomes unavailable. Which redundancy option should you choose?

A. ZRS because it protects against a single datacenter failure.
B. RA-GZRS because it provides zone redundancy and read access to the secondary region.
C. GZRS because it provides a readable secondary region by default.
D. RA-GRS because it provides zone redundancy and read access to the secondary region.
Answer: B

RA-GZRS is the correct option because it combines zone-redundant storage in the primary region with geo-replication to the paired region, and it allows read access to the secondary copy. That matches both requirements: resilience to a zone outage and a readable secondary copy for reporting or failover scenarios. It is the highest-resilience option in this list.

Why this answer

Option B (RA-GZRS) is correct because it combines zone-redundant storage (ZRS) within the primary region, ensuring data survives a zone outage, with read-access geo-redundant storage (RA-GRS) to the paired region, providing a readable secondary copy for reporting if the primary region becomes unavailable. This meets both requirements: zone-level fault tolerance and read-only access to the secondary region during a primary outage.

Exam trap

The trap here is that candidates confuse GZRS (which requires a failover for read access) with RA-GZRS (which provides always-on read access to the secondary region), or mistakenly think RA-GRS offers zone redundancy when it only uses LRS in the primary region.

How to eliminate wrong answers

Option A is wrong because ZRS only protects against a single datacenter (zone) failure within the primary region but does not provide any replication to a secondary region, so it cannot serve a read-only copy for reporting if the primary region is unavailable. Option C is wrong because GZRS provides zone redundancy and geo-replication to a secondary region, but by default the secondary region is not readable; it requires a failover to become writable, and read access is not available without a separate configuration (RA-GZRS). Option D is wrong because RA-GRS provides read access to the secondary region but uses LRS (locally redundant storage) in the primary region, not zone redundancy, so it does not survive a zone outage in the primary region.

65
MCQ · medium

A lifecycle rule moves blobs to the archive tier after 90 days. A file was archived 2 weeks ago, and a reporting job now needs to read it tomorrow morning. What should you expect?

A. The file is immediately readable, but only through the archive endpoint and at a higher request rate.
B. The file must be rehydrated to an online tier before it can be read, so access is delayed.
C. The file is permanently deleted when it enters archive, so the job must use a backup restore.
D. The file can be read immediately if the account has read-access geo-redundancy enabled.
Answer: B

Archive tier is offline storage. If a job needs the blob tomorrow, the blob must first be rehydrated to an online tier such as hot or cool. Rehydration takes time, so the data is not instantly available. This is an important operational consideration when lifecycle policies move data to archive based on age.

Why this answer

Option B is correct because blobs in the Azure Archive tier are offline and cannot be read directly. To access the data, you must first rehydrate the blob to an online tier (Hot, Cool, or Cold) using a copy or change-tier operation, which introduces a delay (typically up to 15 hours for standard priority rehydration). The file was archived only 2 weeks ago, so it is still in the Archive tier and requires rehydration before the reporting job can read it tomorrow morning.

Exam trap

The trap here is that candidates assume the Archive tier is simply a 'cold' storage that can be read slowly, but in reality it is an offline tier requiring explicit rehydration, which introduces significant latency.

How to eliminate wrong answers

Option A is wrong because the Archive tier is an offline tier; blobs are not immediately readable through any endpoint, and there is no 'archive endpoint' for direct reads — access requires rehydration to an online tier. Option C is wrong because blobs in the Archive tier are not deleted; they remain stored with the same data integrity and can be rehydrated when needed — permanent deletion only occurs if a lifecycle policy explicitly includes a delete action. Option D is wrong because read-access geo-redundancy (RA-GRS) provides read access to a secondary region during an outage, but it does not change the offline nature of the Archive tier — the blob must still be rehydrated before it can be read from any endpoint.

66
MCQ · hard

A platform team created a BlobStorage account for application logs. Later they discovered the same account must also host an Azure Files share for a Linux automation server, and lifecycle rules must continue to manage blob tiers. Standard performance is sufficient. What should they do?

A. Keep the BlobStorage account and add a private endpoint
B. Recreate the storage as a StorageV2 general-purpose v2 account
C. Convert the account to Premium Block Blob storage
D. Create a separate file server VM and keep the BlobStorage account unchanged
Answer: B

A StorageV2 account supports both blob features such as lifecycle management and Azure Files shares in the same account. The earlier BlobStorage kind is too limited for the file-share requirement, so the correct administrative action is to create a general-purpose v2 account and migrate the data. This also preserves standard performance and keeps the storage design simpler than splitting services across separate accounts.

Why this answer

A BlobStorage account is a specialized storage account that supports only block blobs and append blobs, not Azure Files shares. To host both blobs and Azure Files, you need a general-purpose v2 (StorageV2) account, which supports all Azure Storage services including blobs, files, queues, and tables, while also allowing lifecycle management policies for blob tiering. Recreating the account as StorageV2 meets both requirements without sacrificing blob lifecycle rules.

Exam trap

The trap here is that candidates assume a BlobStorage account can be 'upgraded' or that adding features like private endpoints or premium performance will enable Azure Files, when in fact the account kind is immutable after creation and must be recreated as StorageV2.

How to eliminate wrong answers

Option A is wrong because adding a private endpoint to a BlobStorage account does not enable Azure Files support; private endpoints control network access, not storage service capabilities. Option C is wrong because Premium Block Blob storage is designed for high-performance workloads with low latency and does not support Azure Files shares, nor does it allow lifecycle management rules for blob tiering (tiers are fixed). Option D is wrong because creating a separate file server VM introduces unnecessary complexity, cost, and management overhead, whereas the requirement can be met natively by using a StorageV2 account that supports both blobs and Azure Files.

67
Multi-Select · easy

A Windows VM mounts an Azure Files share by using SMB and identity-based authentication. Which two permission layers can affect access to folders in the share? Select two.

Select 2 answers
A. Azure RBAC permissions on the file share
B. NTFS permissions on files and folders
C. Network security group rules on the storage account
D. Blob access tier settings
E. Route table next-hop selection
Answers: A, B

Share-level RBAC determines whether the identity can connect to and use the Azure Files share.

Why this answer

Azure RBAC permissions on the file share (Option A) control whether a user or service principal can mount the share or perform management operations, such as listing or modifying share properties. When identity-based authentication is used (Kerberos or Azure AD Kerberos), RBAC roles like 'Storage File Data SMB Share Reader' or 'Contributor' are required to grant access at the share level before any file-level permissions apply.

Exam trap

The trap here is that candidates often confuse network-level controls (NSGs, route tables) with identity-based access controls, or incorrectly assume Blob access tiers apply to Azure Files shares, when in fact only RBAC and NTFS permissions govern folder access in this scenario.

68
MCQ · hard

Your company stores monthly reports in Azure Blob Storage. The reports are rarely accessed, but when needed they must be read within seconds rather than hours. You need to minimize storage cost while preserving near-immediate availability. Which access tier should you use?

A. Hot
B. Cool
C. Archive
D. Premium
Answer: B

Cool minimizes cost for infrequently accessed data while keeping it available online.

Why this answer

Cool tier is correct because it offers low storage cost for infrequently accessed data while maintaining near-immediate (milliseconds) retrieval latency. The reports are rarely accessed but must be available within seconds, which Cool tier satisfies, whereas Archive would incur hours-long rehydration delays.

Exam trap

The trap here is that candidates often choose Archive tier thinking it is the cheapest option for rarely accessed data, but they overlook the critical requirement for 'within seconds' availability, which Archive cannot provide without a time-consuming rehydration process.

How to eliminate wrong answers

Option A is wrong because Hot tier has higher storage cost per GB, which is unnecessary for rarely accessed data and would not minimize storage cost. Option C is wrong because Archive tier, while cheapest for storage, requires manual rehydration that can take up to 15 hours, violating the 'within seconds' availability requirement. Option D is wrong because Premium tier is designed for high-performance, low-latency workloads (e.g., Azure Virtual Desktop) and incurs the highest cost, making it unsuitable for cost minimization on rarely accessed reports.

69
MCQ · medium

A hub VNet contains a VPN gateway that provides access to on-premises resources. A spoke VNet is peered to the hub and must send on-premises traffic through the hub gateway without deploying its own gateway. What peering configuration is required?

A. Enable forwarded traffic on both peerings and disable gateway transit.
B. Enable gateway transit on the hub peering and Use remote gateways on the spoke peering.
C. Create a second VPN gateway in the spoke and peer the two gateways.
D. Configure the spoke subnet with a service endpoint to the hub gateway subnet.
Answer: B

This is the correct hub-and-spoke gateway sharing configuration. The hub peering must allow gateway transit, and the spoke peering must use the remote gateway in the hub. Together, these settings let the spoke route on-premises traffic through the hub VPN gateway without deploying a second gateway.

Why this answer

Option B is correct because to route spoke VNet traffic through the hub VPN gateway without deploying a separate gateway in the spoke, you must enable 'Use remote gateways' on the spoke peering and 'Gateway transit' on the hub peering. This configuration allows the spoke to use the hub's VPN gateway for on-premises connectivity, leveraging the transitive routing capability of VNet peering.

Exam trap

The trap here is that candidates often confuse 'forwarded traffic' with 'gateway transit'—forwarded traffic only allows traffic from a third VNet to pass through the peering, but it does not enable the hub's VPN gateway to be used by the spoke; gateway transit is the specific setting required for this scenario.

How to eliminate wrong answers

Option A is wrong because disabling gateway transit on the hub peering prevents the spoke from using the hub's VPN gateway, and enabling forwarded traffic alone does not provide gateway transit functionality. Option C is wrong because deploying a second VPN gateway in the spoke defeats the requirement to avoid deploying its own gateway and introduces unnecessary cost and complexity. Option D is wrong because service endpoints are used for secure access to Azure PaaS services (e.g., Azure Storage) over the Azure backbone, not for routing traffic to a VPN gateway or on-premises resources.

70
MCQ · easy

An Azure Files share must stay available if one availability zone in its primary region fails. The business does not need replication to another region. Which redundancy option should you choose for the storage account?

A. Locally redundant storage (LRS)
B. Zone-redundant storage (ZRS)
C. Geo-redundant storage (GRS)
D. Read-access geo-redundant storage (RA-GRS)
Answer: B

ZRS stores synchronously replicated copies across availability zones in the same region, so the share remains available if one zone fails.

Why this answer

Zone-redundant storage (ZRS) synchronously replicates your Azure Files share across three Azure availability zones within the primary region. This ensures the share remains available if one zone fails, without requiring replication to another region. LRS only replicates within a single data center, while GRS and RA-GRS involve secondary region replication, which the business does not need.

Exam trap

The trap here is that candidates often choose LRS thinking it provides zone-level redundancy, but LRS only replicates within a single data center, not across zones, making it insufficient for the stated availability requirement.

How to eliminate wrong answers

Option A is wrong because locally redundant storage (LRS) replicates data three times within a single data center in a single availability zone, so it cannot survive a zone-level failure. Option C is wrong because geo-redundant storage (GRS) replicates data to a secondary region, which the business explicitly does not require, and it still uses LRS in the primary region, making it vulnerable to a zone failure. Option D is wrong because read-access geo-redundant storage (RA-GRS) also replicates to a secondary region and adds read access there, but the business does not need any cross-region replication, and like GRS, it relies on LRS in the primary region.

71
MCQmedium

Based on the exhibit, the security team wants AppSubnet to access an Azure Storage account through the public endpoint, but only that subnet should be allowed. They do not want a private IP or DNS changes. What should the administrator configure?

A.Enable the Microsoft.Storage service endpoint on AppSubnet and add AppSubnet as a network rule on the storage account.
B.Create a private endpoint for the storage account and disable public access.
C.Attach a route table that sends storage traffic to the internet.
D.Grant the subnet a Reader role assignment on the storage account.
AnswerA

This keeps the storage account on its public endpoint while restricting access to the selected subnet. Service endpoints identify the traffic as coming from the approved VNet, and the storage firewall rule then allows only AppSubnet. Because no private IP or DNS change is needed, this is the best fit for the requirement.

Why this answer

Option A is correct because enabling the Microsoft.Storage service endpoint on AppSubnet allows traffic from that subnet to reach the storage account over the Azure backbone network using the public endpoint, without requiring a private IP or DNS changes. Adding AppSubnet as a network rule on the storage account restricts access exclusively to that subnet, fulfilling the security team's requirement.

Exam trap

The trap here is that candidates often confuse service endpoints (which use public endpoints with subnet-level restriction) with private endpoints (which use private IPs and DNS changes), leading them to choose the private endpoint option despite the explicit 'no private IP or DNS changes' constraint.

How to eliminate wrong answers

Option B is wrong because creating a private endpoint assigns a private IP to the storage account and changes DNS resolution, which violates the requirement of no private IP or DNS changes. Option C is wrong because attaching a route table that sends storage traffic to the internet does not restrict access to AppSubnet; it merely forces traffic out via the internet, bypassing the service endpoint path and enforcing no subnet-level access control at all. Option D is wrong because a Reader role assignment is an Azure RBAC (identity-level) control over the management plane (e.g., viewing storage account properties); it does not control data-plane access (e.g., reading or writing blobs) and, being an identity control rather than a network rule, cannot restrict which subnet may reach the storage account.

72
MCQmedium

A reporting team stores read-only analytics files in Azure Blob Storage. The files must replicate to a paired region so they survive a regional outage, and analysts want to read the secondary copy through the secondary endpoint without waiting for failover. Which redundancy option should the administrator choose?

A.LRS
B.ZRS
C.GRS
D.RA-GRS
AnswerD

RA-GRS adds read access to the secondary region, which meets the analyst requirement without a failover event.

Why this answer

RA-GRS (Read-Access Geo-Redundant Storage) is the correct choice because it replicates data to a paired secondary region (geo-redundancy) and enables read access to the secondary copy via the secondary endpoint without requiring a failover. This meets the requirement for both regional disaster recovery and immediate read access to the secondary copy.

Exam trap

The trap here is that candidates often confuse GRS with RA-GRS and assume that GRS automatically provides read access to the secondary copy. In reality, GRS requires a failover before the secondary endpoint becomes readable, while RA-GRS explicitly enables read access to the secondary endpoint without a failover.

How to eliminate wrong answers

Option A (LRS) is wrong because it only replicates data within a single data center in the primary region, providing no protection against a regional outage. Option B (ZRS) is wrong because it replicates data synchronously across three availability zones within a single region, but does not replicate to a paired region, so it cannot survive a full regional outage. Option C (GRS) is wrong because while it replicates data to a paired region, it does not allow read access to the secondary copy unless a failover is initiated; the secondary endpoint is not available for reads until then.

73
MCQeasy

A company stores customer documents in Azure Blob Storage. The business requires the data to stay available if one availability zone in the region has an outage. Which redundancy option should the administrator choose?

A.Locally redundant storage (LRS)
B.Zone-redundant storage (ZRS)
C.Geo-redundant storage (GRS)
D.Read-access geo-redundant storage (RA-GRS)
AnswerB

ZRS keeps synchronous copies across multiple availability zones in the same region, which helps the storage remain available during a single-zone failure.

Why this answer

Zone-redundant storage (ZRS) replicates data synchronously across three Azure availability zones within a primary region, ensuring data remains accessible if one zone fails. This meets the requirement for intra-region zone-level fault tolerance without the cost or complexity of geo-replication.

Exam trap

The trap here is that candidates often confuse 'zone redundancy' with 'geo-redundancy' and pick GRS or RA-GRS, not realizing that those options protect against region-wide outages, not zone-level failures within a single region.

How to eliminate wrong answers

Option A is wrong because Locally redundant storage (LRS) replicates data three times within a single data center in one availability zone, so an entire zone outage would make data unavailable. Option C is wrong because Geo-redundant storage (GRS) replicates data to a paired secondary region for cross-region disaster recovery, but it does not protect against a single zone outage within the primary region unless combined with ZRS (i.e., GZRS). Option D is wrong because Read-access geo-redundant storage (RA-GRS) adds read access to the secondary region but still does not provide zone-level redundancy within the primary region; it also incurs higher cost and latency for the geo-replication feature.

74
Multi-Selecteasy

A support engineer finds a blob that was moved to the Archive tier by a lifecycle rule and must download it today. Which two actions are required before the blob can be read? Select two.

Select 2 answers
A.Change the blob access tier from Archive to Hot or Cool.
B.Wait until the rehydration operation finishes.
C.Download the blob directly from Archive without any tier change.
D.Disable the lifecycle management policy for the storage account.
E.Create a new container and copy the archived blob into it.
AnswersA, B

Archived blobs are offline, so the blob must first be rehydrated into an online tier such as Hot or Cool before it can be read.

Why this answer

Option A is correct because a blob in the Archive tier is offline and cannot be read directly. You must change its access tier to Hot or Cool (a process called rehydration) to make it available for download. This tier change initiates an asynchronous operation that moves the blob from the archived state to an online tier. Option B is also required because rehydration is asynchronous: the blob stays offline until the operation finishes, so the engineer must wait for it to complete before the download can succeed.

Exam trap

The trap here is that candidates often think they can directly download or copy an archived blob without rehydration, overlooking that Archive tier blobs are offline and require a tier change operation to become readable.

75
MCQeasy

A storage account must be reachable only from resources in one Azure subnet, and public network access should not be used. Which configuration best meets this requirement?

A.Enable blob versioning on the storage account
B.Create a private endpoint for the storage account in the subnet
C.Assign a ReadOnly lock to the storage account
D.Enable a shared access signature
AnswerB

A private endpoint gives the storage account a private IP address in the subnet, so traffic stays on private network paths.

Why this answer

A private endpoint assigns the storage account a private IP address from the specified Azure subnet, effectively bringing the storage account into the virtual network. This ensures that all traffic to the storage account stays within the Microsoft Azure backbone network and never traverses the public internet, meeting the requirement to restrict access exclusively to resources in that subnet while disabling public network access.

Exam trap

The trap here is that candidates often confuse network-level access controls (private endpoints) with data-level access controls (SAS tokens) or management-level controls (locks), mistakenly thinking a SAS token or a lock can restrict network access to a specific subnet.

How to eliminate wrong answers

Option A is wrong because enabling blob versioning only preserves previous versions of blobs for data protection and recovery; it does not restrict network access to a specific subnet. Option C is wrong because assigning a ReadOnly lock prevents accidental deletion or modification of the storage account but has no effect on network-level access control or subnet restriction. Option D is wrong because a shared access signature (SAS) provides delegated, time-limited access to storage resources but still relies on the public endpoint and does not restrict access to a specific subnet or disable public network access.
