CCNA AZ Storage Questions

75 of 228 questions · Page 2/4 · AZ Storage topic

76 (MCQ, easy)

A company hosts documents in Azure Blob Storage. The files must remain available if one availability zone in the region fails. Which redundancy option should the administrator choose?

A. LRS, because it keeps three copies within one datacenter.
B. ZRS, because it stores copies across multiple availability zones in the region.
C. GRS, because it automatically makes the account available in another region for reads.
D. RA-GRS, because it is the only option that keeps a secondary copy.
Answer: B

ZRS places copies of the data across availability zones in the same region, which helps the storage remain available during a zone failure.

Why this answer

B is correct because Zone-Redundant Storage (ZRS) synchronously replicates data across three Azure availability zones within a primary region, ensuring data remains accessible if one zone fails. This meets the requirement for high availability within a single region without relying on a secondary region.

Exam trap

The trap here is that candidates often confuse LRS (three copies in one datacenter) with zone-level redundancy, or they incorrectly assume GRS or RA-GRS are needed for intra-region availability, when ZRS is the correct choice for zone failure protection within a single region.

How to eliminate wrong answers

Option A is wrong because Locally Redundant Storage (LRS) replicates data three times within a single datacenter, not across availability zones, so it does not protect against an entire zone failure. Option C is wrong because Geo-Redundant Storage (GRS) replicates data to a secondary region, but it does not provide zone-level redundancy within the primary region; it also does not automatically enable reads from the secondary region without manual failover or RA-GRS. Option D is wrong because Read-Access Geo-Redundant Storage (RA-GRS) provides a secondary read-only copy in another region, but it is not the only option with a secondary copy (GRS also has one), and it does not address zone failure within the primary region.

77 (MCQ, hard)

A media company stores project video assets in Azure Blob Storage. The business requires the data to survive a single availability zone outage in the primary region. In addition, if the primary region becomes unavailable, operations staff must still be able to read the most recently replicated copy from the secondary region right away, even if writes are temporarily unavailable. Which redundancy option best meets this requirement?

A. ZRS
B. GZRS
C. RA-GRS
D. RA-GZRS
Answer: D

Read-access geo-zone-redundant storage combines zone resilience with geo-replication and secondary read access.

Why this answer

RA-GZRS (Read-Access Geo-Zone-Redundant Storage) is correct because it combines zone-redundant storage (ZRS) within the primary region to survive a single availability zone outage, and geo-redundant storage (GRS) to replicate data to a secondary region. The 'RA' prefix enables read access to the secondary region immediately after a primary region failure, allowing operations staff to read the most recently replicated copy even if writes are temporarily unavailable.

Exam trap

The trap here is that candidates often confuse GZRS with RA-GZRS, forgetting that GZRS alone does not provide read access to the secondary region; the 'RA' prefix is required for immediate read access during a primary region outage.

How to eliminate wrong answers

Option A (ZRS) is wrong because while it survives a single availability zone outage within the primary region, it does not replicate data to a secondary region, so it cannot provide read access during a primary region outage. Option B (GZRS) is wrong because although it provides zone-redundant storage in the primary region and geo-replication to a secondary region, it does not include read access to the secondary region; the secondary copy is only available for failover (which requires a manual or Microsoft-initiated process), not immediate reads. Option C (RA-GRS) is wrong because it provides read access to the secondary region, but it uses locally redundant storage (LRS) in the primary region, which does not survive a single availability zone outage (LRS replicates within a single data center, not across zones).

78 (MCQ, medium)

Based on the exhibit, what should you do so the report can open the file tomorrow morning?

A. Change the blob to the Hot access tier and allow it to rehydrate before the report runs.
B. Change the blob to the Cool access tier only, because Cool is always immediately readable.
C. Create a snapshot of the archived blob and use the snapshot instead.
D. Enable versioning on the storage account so the file becomes readable again.
Answer: A

Archive blobs are offline and cannot be read until they are rehydrated to an online tier. Moving the blob to Hot is the appropriate action when access is needed soon, because it restores immediate read availability after the rehydration completes.

Why this answer

The blob is currently in the Archive access tier, which is offline: it must be rehydrated (its tier changed to an online tier such as Hot or Cool) before it can be read. Standard-priority rehydration can take up to 15 hours; high priority may finish in under an hour for blobs smaller than 10 GB but costs more. Changing the blob to Hot now and letting rehydration complete before the report runs tomorrow ensures the file is readable in time.

Exam trap

The trap here is that candidates assume the Cool access tier is always immediately readable, forgetting that blobs in the Archive tier must be rehydrated to any online tier before access, and that rehydration time is significant.

How to eliminate wrong answers

Option B is wrong because of its reasoning, not its target tier: changing an archived blob to Cool also triggers rehydration, so the blob is not readable until that rehydration completes. Cool is only immediately readable for blobs that are already in an online tier. Option C is wrong because a blob in the Archive tier cannot be snapshotted; snapshots require the base blob to be in an online tier, so a snapshot offers no way around the rehydration wait. Option D is wrong because enabling versioning does not make an archived blob readable; versioning only records future versions, and the current version stays in the Archive tier until it is rehydrated.
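Worked example (added to this page, not part of the original question set): the rehydration the answer describes, in Az PowerShell, including the status check a practitioner runs to know when the blob is actually readable. The account, container and blob names are assumed.

```powershell
# Added example: rehydrate an archived blob to Hot and poll until it is online.
# Assumed names: storage account 'stfinreports', container 'reports',
# blob 'monthly/2024-05.xlsx'. Requires the Az.Storage module and a signed-in
# identity with Storage Blob Data Contributor on the container.
$ctx  = New-AzStorageContext -StorageAccountName 'stfinreports' -UseConnectedAccount
$blob = Get-AzStorageBlob -Container 'reports' -Blob 'monthly/2024-05.xlsx' -Context $ctx

if ($blob.AccessTier -eq 'Archive') {
    # Standard priority: up to 15 hours. 'High' may finish in under an hour for
    # blobs below 10 GB but is billed at a higher per-GB rate.
    $blob.BlobClient.SetAccessTier('Hot', $null, 'Standard')
}

# Rehydration is asynchronous. While it runs the blob still reports
# AccessTier = Archive and ArchiveStatus = rehydrate-pending-to-hot;
# ArchiveStatus becomes empty once the blob is online.
while ($blob.BlobProperties.ArchiveStatus) {
    Start-Sleep -Seconds 600
    $blob = Get-AzStorageBlob -Container 'reports' -Blob 'monthly/2024-05.xlsx' -Context $ctx
    "{0:u}  tier={1}  archiveStatus={2}" -f (Get-Date), $blob.AccessTier, $blob.BlobProperties.ArchiveStatus
}

# Only now can the report read the file.
Get-AzStorageBlobContent -Container 'reports' -Blob 'monthly/2024-05.xlsx' `
    -Destination 'C:\reports\' -Context $ctx
```

Run the tier change as early as possible; the poll loop is only there so that the report job can be gated on completion rather than on a guessed waiting time.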

79 (MCQ, hard)

A finance department stores spreadsheets in an Azure file share. Yesterday a user deleted a subfolder tree, but other folders were modified after that point and must not be rolled back. The administrator wants to restore only the deleted subfolder tree to its state from yesterday. What should the administrator use?

A. Restore the entire share from Azure Backup to the yesterday recovery point.
B. Use the Azure Files snapshot taken before the deletion and copy back only the required folders.
C. Enable blob soft delete on the storage account and then recover the folders.
D. Create a new file share and use synchronization to merge the deleted content.
Answer: B

A snapshot provides point-in-time data, letting the administrator restore only the deleted folder tree.

Why this answer

Option B is correct because Azure Files supports snapshot-based restore at the share level. By taking a snapshot before the deletion, the administrator can mount that snapshot as a read-only copy of the share, then copy back only the deleted subfolder tree without affecting any modifications made to other folders after the snapshot was taken. This meets the requirement of restoring only the deleted content while preserving later changes.

Exam trap

The trap here is that candidates assume any recovery mechanism can restore selectively. A full-share restore to a recovery point rolls back every folder, including the later edits that must be kept, and blob soft delete does not apply to file shares at all. Mounting the share snapshot read-only and copying back just the deleted tree leaves the rest of the share untouched.

How to eliminate wrong answers

Option A is wrong because restoring the entire share from Azure Backup to the yesterday recovery point would roll back all folders to that point in time, including the modifications made after the deletion, which violates the requirement to preserve those changes. Azure Backup can restore individual files and folders from a recovery point, but that is not what option A describes. Option C is wrong because blob soft delete applies only to Azure Blob Storage (block, append and page blobs), not to Azure Files; Azure Files has its own share-level soft delete, which recovers a deleted share, not a deleted folder inside one. Option D is wrong because creating a new file share and synchronizing into it (for example with Azure File Sync) merges current content; it provides no point-in-time copy from which the deleted subfolder could be recovered.

80 (MCQ, medium)

An application uploads documents by using one of the storage account access keys. The team wants to rotate keys without interrupting uploads. Which process should the administrator follow?

A. Regenerate both keys at the same time so the account is fully refreshed.
B. Switch the app to the secondary key, regenerate the primary key, and then update the app back later.
C. Disable shared key authorization before rotating the keys.
D. Delete the storage account and create a new one with the same name.
Answer: B

Azure Storage provides two account keys so you can rotate credentials with no downtime. The correct approach is to move the application to the secondary key first, verify that it works, regenerate the primary key, and then later rotate the app back if needed. This preserves access throughout the process and avoids a period where the application has no valid key.

Why this answer

Option B is correct because it follows the safe key rotation pattern: switch the application to use the secondary key, regenerate the primary key (which invalidates the old primary key), and then later update the application back to the primary key if desired. This ensures the application never loses access during the rotation, as it always has a valid key in use.

Exam trap

The trap here is that candidates may think regenerating both keys at once is acceptable, not realizing that the application would lose access immediately, or they may overcomplicate the solution by disabling authorization or recreating the account.

How to eliminate wrong answers

Option A is wrong because regenerating both keys simultaneously would leave the application without a valid key, causing immediate upload failures. Option C is wrong because disabling shared key authorization before rotating keys would block all access using keys, including the application's current key, causing downtime. Option D is wrong because deleting and recreating the storage account would change the account endpoints and require reconfiguration of all clients, causing significant disruption and potential data loss.
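Worked example (added to this page, not part of the original question set): the rotation sequence from the answer, in Az PowerShell, with the verification step before the old key is invalidated. The resource names are assumed, and so is the way the app obtains its key (here a Key Vault secret); adapt that step to wherever the real app reads the key from.

```powershell
# Added example: zero-downtime rotation of storage account access keys.
# Assumed names: resource group 'rg-uploads', storage account 'stuploads',
# and an app that reads its key from Key Vault secret 'uploads-storage-key'
# in vault 'kv-uploads' (how the app is configured is an assumption).
$rg = 'rg-uploads'; $sa = 'stuploads'

# 1. Read both keys. key1 is the one the app currently uses.
$keys = Get-AzStorageAccountKey -ResourceGroupName $rg -Name $sa
$key2 = ($keys | Where-Object KeyName -eq 'key2').Value

# 2. Prove key2 works before the app depends on it (throws on 403).
$ctx2 = New-AzStorageContext -StorageAccountName $sa -StorageAccountKey $key2
Get-AzStorageContainer -Context $ctx2 | Out-Null

# 3. Move the app to key2 (here by updating the secret it reads).
Set-AzKeyVaultSecret -VaultName 'kv-uploads' -Name 'uploads-storage-key' `
    -SecretValue (ConvertTo-SecureString $key2 -AsPlainText -Force) | Out-Null

# 4. Only after the app has picked up key2: regenerate key1. Anything still
#    presenting the old key1 fails from this moment on.
New-AzStorageAccountKey -ResourceGroupName $rg -Name $sa -KeyName key1 | Out-Null

# 5. The next rotation runs the same steps with the roles swapped (app -> new
#    key1, regenerate key2). An expiration policy makes Azure flag overdue keys.
Set-AzStorageAccount -ResourceGroupName $rg -Name $sa -KeyExpirationPeriodInDay 90 | Out-Null

# Verify: key1 changed, key2 is still exactly what the app was given.
$after = Get-AzStorageAccountKey -ResourceGroupName $rg -Name $sa
($after | Where-Object KeyName -eq 'key1').Value -ne ($keys | Where-Object KeyName -eq 'key1').Value
($after | Where-Object KeyName -eq 'key2').Value -eq $key2
```

Step 4 is the irreversible one: regenerating a key invalidates the old value everywhere it was copied, so the check in step 2 and the confirmation that the app has reloaded its configuration both belong before it.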

81 (MCQ, medium)

A development subnet must access an Azure Storage account privately, but the security team does not want to create a private IP in the VNet. They only want the subnet identity to be extended to the storage service. Which feature should the administrator configure?

A. Private endpoint
B. Service endpoint
C. Azure Front Door
D. Network security group outbound rule
Answer: B

A service endpoint extends the VNet and subnet identity to the supported Azure service without creating a private IP address in the VNet. That fits the requirement exactly because the team wants private access semantics from the subnet while avoiding a private endpoint. It is the correct choice when the main goal is to restrict service access to a subnet rather than provide a private IP-based connection.

Why this answer

A service endpoint extends the VNet identity to the Azure Storage service, so traffic from the subnet reaches the storage account over the Azure backbone network without requiring a private IP. The storage account keeps its public endpoint; the account firewall simply admits requests tagged with that subnet's identity and, once the default action is set to Deny, rejects everything else. This meets the requirement of subnet-scoped access without creating a private IP in the VNet.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, assuming both require a private IP, but service endpoints use the subnet's identity without assigning a private IP, which is the key distinction tested in this question.

How to eliminate wrong answers

Option A is wrong because a private endpoint assigns a private IP address from the VNet to the storage account, which directly contradicts the security team's requirement to avoid creating a private IP in the VNet. Option C is wrong because Azure Front Door is a global load balancer and application delivery service that operates at the edge, not a feature for extending subnet identity to a storage service for private access. Option D is wrong because a network security group outbound rule controls traffic filtering but does not extend subnet identity or provide private connectivity to Azure Storage.
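Worked example (added to this page, not part of the original question set): enabling the service endpoint on the subnet and then restricting the storage account firewall to that subnet, in Az PowerShell. The resource names are assumed.

```powershell
# Added example: service endpoint for Microsoft.Storage on a subnet, then a
# storage firewall rule that admits only that subnet. Assumed names:
# resource group 'rg-dev', VNet 'vnet-dev', subnet 'snet-dev', account 'stdevdata'.
$rg = 'rg-dev'; $sa = 'stdevdata'

# 1. Tag the subnet with the Microsoft.Storage service endpoint.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-dev'
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-dev'
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-dev' `
    -AddressPrefix $subnet.AddressPrefix -ServiceEndpoint 'Microsoft.Storage' |
    Set-AzVirtualNetwork | Out-Null

# 2. Allow that subnet on the storage account firewall ...
$subnetId = (Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-dev' |
             Get-AzVirtualNetworkSubnetConfig -Name 'snet-dev').Id
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $sa `
    -VirtualNetworkResourceId $subnetId | Out-Null

# 3. ... and deny everything else. Without DefaultAction Deny the rule is
#    decorative: the public endpoint still answers any caller with a key or SAS.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $sa `
    -DefaultAction Deny -Bypass AzureServices | Out-Null

# Check: the subnet appears as a VNet rule and the default action is Deny.
Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $sa |
    Select-Object DefaultAction, @{n='Subnets'; e={ $_.VirtualNetworkRules.VirtualNetworkResourceId }}
```

Two caveats worth remembering from this configuration: the account is still reached by its public name and IP (the firewall is what does the restricting), and service endpoints only apply to traffic originating in Azure subnets, so on-premises clients coming over a VPN still need a separate allowance.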

82 (Multi-Select, easy)

A Python app running on an Azure VM must upload blobs to one container in a storage account. The app must not store a storage account key or SAS token on the VM. Which two actions should the administrator take? Select two.

A. Enable a system-assigned managed identity on the VM.
B. Assign the Storage Blob Data Contributor role to that managed identity at the container scope.
C. Store the storage account access key in an environment variable on the VM.
D. Generate a service SAS and copy it into the application configuration.
E. Assign the Contributor role on the resource group to the managed identity.
Answers: A, B

A system-assigned managed identity lets the VM request Azure access tokens without storing secrets on the server. The identity is automatically created and tied to that VM, which fits a simple single-VM app. This is the safest starting point when a workload must authenticate to Azure Storage without an account key or SAS token.

Why this answer

A system-assigned managed identity on the VM allows Azure AD authentication without storing any credentials on the VM. By assigning the Storage Blob Data Contributor role to that identity at the container scope, the app can use Azure AD tokens to authenticate and upload blobs, eliminating the need for a storage account key or SAS token.

Exam trap

The trap here is that candidates often confuse the Contributor role (which grants management-level access) with the Storage Blob Data Contributor role (which grants data-plane access), and may overlook that scoping the role to the container (rather than the storage account or resource group) is the most secure and correct approach.

83 (MCQ, hard)

A media archive stores large video files that must survive a zone failure in the primary region and also be replicated to a paired region for disaster recovery. The archive team does not want anyone to read from the secondary region during normal operations, and cost should be lower than the read-access variant. Which redundancy option should you configure?

A. LRS, because it keeps copies in a single datacenter and is the lowest-cost option.
B. ZRS, because it protects against zone failures but not regional outages.
C. GZRS, because it adds zone redundancy and geo-replication without enabling secondary read access.
D. RA-GRS, because the read-access copy is needed whenever data is replicated to another region.
Answer: C

GZRS matches the requirement precisely. It protects the data from a zone failure by distributing copies across availability zones in the primary region. It also replicates the data to a paired secondary region for disaster recovery. Because the team does not want secondary read access during normal operations, the non-read-access version is the correct and typically lower-cost choice compared with RA-GZRS.

Why this answer

GZRS (Geo-Zone-Redundant Storage) is correct because it combines zone redundancy (three copies across availability zones in the primary region) with geo-replication to a paired secondary region, but does not enable read access to the secondary region. This satisfies the requirement to survive a zone failure, provide disaster recovery to a paired region, and prevent reads from the secondary during normal operations, at a lower cost than its read-access variant, RA-GZRS.

Exam trap

The trap here is that candidates assume geo-replication always includes read access to the secondary region. GZRS omits that read-access feature, which is what makes it cheaper than RA-GZRS while still providing zone and geo redundancy.

How to eliminate wrong answers

Option A is wrong because LRS (Locally Redundant Storage) keeps three copies within a single datacenter, so a zone failure takes all three copies with it, and it provides no geo-replication to a paired region. Option B is wrong because ZRS (Zone-Redundant Storage) protects against zone failures within the primary region but does not replicate data to a paired region for disaster recovery. Option D is wrong on two counts: RA-GRS (Read-Access Geo-Redundant Storage) enables read access to the secondary region, which the team explicitly does not want, and its primary-region copies are locally redundant, so it does not survive a zone failure either.

84 (MCQ, easy)

A monthly report file must automatically move to a cheaper online tier after 90 days in Azure Blob Storage. Which feature should the administrator configure?

A. Blob lifecycle management
B. Archive rehydration policy
C. Snapshot retention
D. Storage account failover
Answer: A

Lifecycle management can automatically transition blobs between tiers based on age or other rules, reducing manual administration.

Why this answer

Blob lifecycle management is the correct feature because it allows administrators to define rules that automatically transition blobs to a cheaper access tier (e.g., from Hot to Cool) after a specified number of days. This policy operates at the storage account or container level and can move data to the Cool or Archive tier based on age, meeting the requirement of moving the report file after 90 days without manual intervention.

Exam trap

The trap here is that candidates confuse 'archive rehydration' with lifecycle management, although rehydration moves data the other way (from Archive back to an online tier), or they think snapshot retention can handle tiering, but snapshots exist for point-in-time recovery, not for cost-based tier transitions.

How to eliminate wrong answers

Option B is wrong because archive rehydration policy is used to restore blobs from the Archive tier back to an online tier (Hot or Cool) for access, not to move data to a cheaper tier. Option C is wrong because snapshot retention manages the number of point-in-time snapshots of a blob, not the automatic tiering of the base blob based on age. Option D is wrong because storage account failover is a disaster recovery feature that switches the primary region to a secondary region in the event of an outage, unrelated to data lifecycle tiering.
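Worked example (added to this page, not part of the original question set): the lifecycle rule the answer describes, built and applied with Az PowerShell. The account name and blob prefix are assumed.

```powershell
# Added example: lifecycle rule that moves monthly reports to Cool 90 days
# after last modification. Assumed names: 'rg-reports', account 'streports',
# blobs under container 'reports' with prefix 'monthly/'.
$rg = 'rg-reports'; $sa = 'streports'

# The requirement says a cheaper *online* tier, so TierToCool, not
# TierToArchive (Archive is offline and would need rehydration to read).
$action = Add-AzStorageAccountManagementPolicyAction -BaseBlobAction TierToCool `
            -DaysAfterModificationGreaterThan 90
# The prefix includes the container name.
$filter = New-AzStorageAccountManagementPolicyFilter -PrefixMatch 'reports/monthly/' -BlobType blockBlob
$rule   = New-AzStorageAccountManagementPolicyRule -Name 'monthly-reports-to-cool' `
            -Action $action -Filter $filter

# Setting the policy replaces the whole rule set on the account; pass every
# rule you intend to keep, not just the new one.
Set-AzStorageAccountManagementPolicy -ResourceGroupName $rg -StorageAccountName $sa -Rule $rule | Out-Null

# Check what is now in force. The policy engine runs roughly once a day, so a
# blob that crosses the 90-day line may not move until the next run.
(Get-AzStorageAccountManagementPolicy -ResourceGroupName $rg -StorageAccountName $sa).Rules |
    ForEach-Object {
        "{0}: prefix={1} tierToCool after {2} days" -f $_.Name,
            ($_.Definition.Filters.PrefixMatch -join ','),
            $_.Definition.Actions.BaseBlob.TierToCool.DaysAfterModificationGreaterThan
    }
```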

85 (Multi-Select, medium)

Your company plans to migrate on-premises file shares to Azure Files. You need to choose the appropriate Azure Files configuration for different scenarios. Which three of the following statements are correct? (Choose three.)

A. Azure Files supports SMB protocol, which allows mounting file shares from Windows, Linux, and macOS clients.
B. Azure file shares can be accessed over the internet using SMB 3.0 with encryption, provided port 445 is open.
C. Azure Files supports NFS protocol only for Premium file shares.
D. Azure file shares can be used as a backing store for Azure SQL Managed Instance databases.
E. Azure Files supports both SMB and NFS protocols for Standard file shares.
F. Azure Files requires a VPN or ExpressRoute for any access from on-premises.
Answers: A, B, C

Why this answer

Azure Files supports the SMB protocol, which Windows, Linux and macOS clients can all mount, so one share serves mixed environments. SMB 3.x with encryption can be used directly over the internet as long as outbound TCP port 445 is not blocked (many ISPs and corporate firewalls do block it), so a VPN or ExpressRoute is optional rather than required. NFS (4.1) shares are available only on premium file shares; standard shares are SMB only. The remaining statements are incorrect: standard shares do not offer NFS, on-premises access does not require a VPN or ExpressRoute, and Azure SQL Managed Instance does not use Azure Files as its database storage.

Exam trap

The trap here is that candidates often assume Azure Files requires a VPN or ExpressRoute for on-premises access, but SMB 3.0 with encryption can work over the internet if port 445 is open, and they may also incorrectly think NFS is supported on Standard file shares.

86 (Matching, medium)

Match each access scenario to the SAS or key type that best fits it.


Concepts

User delegation SAS

Service SAS

Account SAS

Storage account key

Why these pairings

Pair each credential with the scenario its signing model fits. A user delegation SAS is signed with Microsoft Entra credentials (a user delegation key) rather than the account key, so it fits delegated, time-limited access to blob data that must be tied to a signed-in identity and limited by that identity's RBAC rights. A service SAS is signed with the account key and grants access to a single resource within one service, such as one container or one file share. An account SAS is also signed with the account key but can span several services and service-level operations in the account. The storage account key is the full-access credential itself, appropriate for key rotation and break-glass administration, not for handing access to a client.

87 (MCQ, medium)

A Windows file server VM must mount an Azure file share by using domain credentials instead of a storage account key. The organization already manages users in Active Directory Domain Services. Which authentication option should be configured for Azure Files?

A. Shared key authentication, because it is the default for Azure file shares.
B. Identity-based authentication with Active Directory Domain Services.
C. A service SAS created for the share and mapped as a network drive.
D. Anonymous access with public network restrictions disabled.
Answer: B

Azure Files can use identity-based authentication so Windows clients access the share with their domain identities instead of storage keys. In an environment that already has Active Directory Domain Services, that is the appropriate configuration for SMB-based access. It supports centralized identity management, aligns with existing Windows admin practices, and avoids embedding account keys in scripts or connection strings.

Why this answer

Azure Files supports identity-based authentication using Active Directory Domain Services (AD DS), which allows domain-joined Windows VMs to mount Azure file shares using their existing domain credentials instead of a storage account key. This enables Kerberos-based authentication and preserves NTFS permissions, meeting the requirement to avoid shared key access.

Exam trap

The trap here is that candidates may confuse shared key authentication (Option A) as the only supported method for Azure Files, overlooking the identity-based authentication capability that integrates with on-premises AD DS for domain-joined VMs.

How to eliminate wrong answers

Option A is wrong because shared key authentication uses the storage account key, not domain credentials, and is not the correct method for identity-based access. Option C is wrong because a service SAS provides time-limited delegated access via a token, not domain authentication, and cannot be mapped as a network drive using domain credentials. Option D is wrong because anonymous access disables authentication entirely and is not supported for Azure file shares with domain credentials; public network restrictions are unrelated to authentication method.
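Worked example (added to this page, not part of the original question set): enabling AD DS identity-based authentication on the storage account, granting a share-level role, and mounting the share with Kerberos instead of a key. The resource, group and OU names are assumed. `Join-AzStorageAccount` comes from the separately downloaded AzFilesHybrid module and is run by a domain user allowed to create computer objects in that OU.

```powershell
# Added example: AD DS identity-based auth for an Azure file share, end to end.
# Assumed names: 'rg-finance', account 'stfinance', share 'spreadsheets',
# AD group 'FinanceUsers' (synced to Entra ID), OU 'OU=AzureStorage,DC=corp,DC=example'.
Import-Module AzFilesHybrid
$rg = 'rg-finance'; $sa = 'stfinance'

# 1. Register the account as a computer object in AD DS. This creates the
#    Kerberos key the file service uses; no storage key is involved afterwards.
Join-AzStorageAccount -ResourceGroupName $rg -StorageAccountName $sa `
    -DomainAccountType ComputerAccount `
    -OrganizationalUnitDistinguishedName 'OU=AzureStorage,DC=corp,DC=example' `
    -EncryptionType AES256

# Check: DirectoryServiceOptions must now read AD, with the domain recorded.
$acct = Get-AzStorageAccount -ResourceGroupName $rg -Name $sa
$acct.AzureFilesIdentityBasedAuth.DirectoryServiceOptions
$acct.AzureFilesIdentityBasedAuth.ActiveDirectoryProperties.DomainName

# 2. Share-level permission is an RBAC role scoped to the share.
$shareScope = "$($acct.Id)/fileServices/default/fileshares/spreadsheets"
$group = Get-AzADGroup -DisplayName 'FinanceUsers'
New-AzRoleAssignment -ObjectId $group.Id `
    -RoleDefinitionName 'Storage File Data SMB Share Contributor' -Scope $shareScope | Out-Null

# 3. On a domain-joined Windows VM, mount without any credential: SMB uses the
#    logged-on user's Kerberos ticket. NTFS ACLs inside the share then apply on
#    top of the share-level role.
New-PSDrive -Name Z -PSProvider FileSystem -Root "\\$sa.file.core.windows.net\spreadsheets" -Persist
```

The share-level role decides whether a user may reach the share at all; the Windows ACLs on folders and files decide what they may do inside it. Both layers are evaluated, so a user missing either one is denied.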

88 (MCQ, medium)

A contractor must import data into one blob container for six hours. The contractor should not receive the storage account key, and access must be limited to that container only. Which credential should the administrator generate?

A. A storage account access key, because it can be copied into the import tool.
B. A user delegation SAS, because it is signed with Microsoft Entra credentials and is time limited.
C. A shared key connection string, because it works with any tool that needs blob access.
D. A managed identity token, because the contractor can use it outside Azure directly.
Answer: B

A user delegation SAS is the most appropriate credential when you want temporary, scoped access to blob data without exposing the storage account key. It is generated using Microsoft Entra authorization, can be constrained to a specific container, and can expire after six hours. That combination gives the contractor only the access needed for the import task while keeping the underlying account credentials protected.

Why this answer

A user delegation SAS is signed with Microsoft Entra credentials (formerly Azure AD) and can be scoped to a specific blob container with a time limit. This meets the requirement of granting the contractor access only to that container for six hours without exposing the storage account key.

Exam trap

The trap here is that candidates treat every SAS as equivalent. A service SAS can also be scoped to one container and time-limited, but it is signed with the storage account key, so the administrator must handle the key to create it. Only a user delegation SAS is signed with Microsoft Entra credentials, is traceable to the identity that signed it, and can never grant more than that identity's own RBAC data permissions.

How to eliminate wrong answers

Option A is wrong because a storage account access key grants full access to the entire storage account, not just a single container, and it cannot be time-limited. Option C is wrong because a shared key connection string includes the storage account access key, which would expose full account access to the contractor. Option D is wrong because managed identities exist only for Azure resources; a contractor working from outside Azure has no managed identity to obtain a token with, and a token is not a credential you hand to someone for six hours.
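Worked example (added to this page, not part of the original question set): issuing the six-hour, container-scoped user delegation SAS from the answer with Az PowerShell, plus a check that the token really is Entra-signed rather than key-signed. The account and container names are assumed. The signing identity needs permission to request a user delegation key (the Storage Blob Delegator role, or Owner/Contributor) and the data role whose rights the SAS will carry.

```powershell
# Added example: user delegation SAS for one container, valid six hours,
# issued without touching the account key. Assumed names: account
# 'stimports', container 'contractor-inbound'.
$sa  = 'stimports'
$ctx = New-AzStorageContext -StorageAccountName $sa -UseConnectedAccount   # OAuth, not a key

$start  = (Get-Date).ToUniversalTime()
$expiry = $start.AddHours(6)      # a user delegation SAS may not exceed 7 days

# Permissions: create, write, list. No read, no delete: the contractor
# imports data, he does not browse or purge the container.
$sas = New-AzStorageContainerSASToken -Name 'contractor-inbound' -Permission 'cwl' `
          -StartTime $start -ExpiryTime $expiry -Context $ctx
$sas = $sas.TrimStart('?')        # newer Az versions prefix the token with '?'

# What the contractor receives: the container URL with the token, nothing else.
$url = "https://$sa.blob.core.windows.net/contractor-inbound?$sas"

# Sanity checks on the token. A user delegation SAS carries 'skoid' (the
# signing identity's object id); a key-signed SAS has no skoid at all.
# 'sr=c' confirms container scope.
$q = @{}
foreach ($pair in $sas.Split('&')) {
    $k, $v = $pair.Split('=', 2)
    $q[$k] = [uri]::UnescapeDataString($v)
}
if (-not $q['skoid']) { throw 'Not a user delegation SAS (signed with the account key?)' }
if ($q['sr'] -ne 'c')  { throw "Unexpected scope: sr=$($q['sr'])" }
"Signed by object id {0}, permissions {1}, expires {2}" -f $q['skoid'], $q['sp'], $q['se']
$url

# The contractor then runs, from his own machine:
#   azcopy copy 'C:\export\*' $url --recursive
```

If the SAS has to be withdrawn before it expires, revoke the user delegation key on the account (every SAS signed with it stops working) or remove the signing identity's data role; there is no need to rotate the account keys, because they were never involved.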

89 (MCQ, medium)

An administrator is deploying a new storage account for an application. The account must support blob containers, an Azure Files share, lifecycle rules for blobs, and standard access tiers. The application does not need premium performance for a single data service. Which storage account kind should be chosen?

A. BlobStorage, because it is optimized only for block blob workloads.
B. General-purpose v1, because it can host any storage object type.
C. General-purpose v2, because it supports blobs, files, access tiers, and lifecycle management.
D. BlockBlobStorage, because it is the best choice for any application that stores files.
Answer: C

General-purpose v2 is the recommended all-purpose storage account type for most Azure workloads. It supports blobs and files in the same account, offers Hot, Cool, and Archive access tiers, and supports lifecycle management for blobs. That combination matches the application requirements without forcing a premium specialized account.

Why this answer

General-purpose v2 (GPv2) storage accounts are the correct choice because they support all storage object types (blobs, files, queues, tables), standard access tiers (hot, cool, archive), and lifecycle management policies for blobs. This meets all the stated requirements without needing premium performance for a single data service.

Exam trap

The trap here is that candidates confuse the legacy BlobStorage kind (block and append blobs only, with access tiers and lifecycle management but no file shares) with General-purpose v2 (blobs, files, queues and tables, with access tiers and lifecycle management), and pick BlobStorage even though the requirement includes an Azure Files share.

How to eliminate wrong answers

Option A is wrong because legacy BlobStorage accounts hold only block and append blobs; they cannot host an Azure Files share. Option B is wrong because General-purpose v1 accounts lack standard access tiers and lifecycle management; they are a legacy kind with fewer features. Option D is wrong because BlockBlobStorage accounts are premium-performance accounts for block and append blobs only, with neither Azure Files shares nor the standard Hot, Cool and Archive tiers.

90 (MCQ, medium)

A web API running in an Azure App Service needs to read and write blobs in a storage account. The operations team does not want to store secrets in app settings or rotate credentials manually. What should they enable on the App Service?

A. A storage account access key stored in Key Vault
B. A system-assigned managed identity
C. A shared access signature embedded in the application settings
D. A service endpoint on the App Service integration subnet
Answer: B

A system-assigned managed identity lets the app authenticate without storing any credentials.

Why this answer

A system-assigned managed identity allows the App Service to authenticate to Azure Storage without storing any secrets. The identity is automatically managed by Azure AD, and the App Service can use it to obtain an OAuth 2.0 token for accessing blob storage via RBAC. This eliminates the need for manual credential rotation and secret storage.

Exam trap

The trap here is that candidates think storing the key in Key Vault solves the rotation problem. The access key remains a long-lived secret that must still be rotated by hand, the app setting would hold a Key Vault reference to it, and the app needs an identity to reach Key Vault in the first place; that identity could have been granted the blob data role directly, removing the key altogether.

How to eliminate wrong answers

Option A is wrong because storing a storage account access key in Key Vault still requires the App Service to authenticate to Key Vault (which could use a managed identity), but the question explicitly wants to avoid storing secrets in app settings and rotating credentials manually; the access key itself is a long-lived secret that must be rotated. Option C is wrong because a shared access signature (SAS) is a token that must be generated, stored, and rotated, which violates the requirement to avoid manual credential rotation and secret storage. Option D is wrong because a service endpoint on the App Service integration subnet only restricts network access to the storage account; it does not provide any authentication mechanism for the App Service to read and write blobs.
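Worked example (added to this page, not part of the original question set) serving questions 82 and 90: enabling a system-assigned identity on a VM and on an App Service, and granting each one Storage Blob Data Contributor on a single container, in Az PowerShell. The resource names are assumed.

```powershell
# Added example: system-assigned identities for a VM (question 82) and an
# App Service (question 90), each limited to one container. Assumed names:
# 'rg-app', account 'stappdata', container 'uploads', VM 'vm-uploader',
# web app 'api-docs'.
$rg = 'rg-app'; $sa = 'stappdata'
$subId = (Get-AzContext).Subscription.Id
$containerScope = "/subscriptions/$subId/resourceGroups/$rg/providers/Microsoft.Storage" +
                  "/storageAccounts/$sa/blobServices/default/containers/uploads"

# Question 82: the VM's identity.
$vm = Get-AzVM -ResourceGroupName $rg -Name 'vm-uploader'
Update-AzVM -ResourceGroupName $rg -VM $vm -IdentityType SystemAssigned | Out-Null
$vmOid = (Get-AzVM -ResourceGroupName $rg -Name 'vm-uploader').Identity.PrincipalId

# Question 90: the App Service's identity.
Set-AzWebApp -ResourceGroupName $rg -Name 'api-docs' -AssignIdentity $true | Out-Null
$appOid = (Get-AzWebApp -ResourceGroupName $rg -Name 'api-docs').Identity.PrincipalId

# Data-plane role at container scope. 'Contributor' on the resource group
# would let the identity manage the account (and list its keys) yet grants no
# blob read or write at all; Storage Blob Data Contributor does, and scoping
# it to the container keeps every other container out of reach.
foreach ($oid in @($vmOid, $appOid)) {
    New-AzRoleAssignment -ObjectId $oid -RoleDefinitionName 'Storage Blob Data Contributor' `
        -Scope $containerScope | Out-Null
}

# Check: exactly this role, exactly this scope, nothing wider.
foreach ($oid in @($vmOid, $appOid)) {
    Get-AzRoleAssignment -ObjectId $oid | Select-Object RoleDefinitionName, Scope
}
```

On the application side the code asks the Azure Identity library for a token (for example `DefaultAzureCredential` in the Python SDK) and passes it to the blob client; no key, SAS or connection string appears in configuration. New role assignments can take a few minutes to propagate, so a 403 immediately after running this is not necessarily a scoping mistake.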

91 (MCQ, medium)

A hub VNet already has a VPN gateway connected to on-premises. A spoke VNet must send on-premises traffic through the hub gateway without deploying its own gateway. Which peering settings are needed?

A. Enable forwarded traffic on both peerings and add a route table to the spoke subnet.
B. Enable gateway transit on the hub peering and use remote gateways on the spoke peering.
C. Create a private endpoint in the spoke VNet and route on-premises traffic through it.
D. Deploy a second VPN gateway in the spoke and connect it in active-active mode.
Answer: B

This combination lets the spoke VNet use the hub gateway for on-premises connectivity.

Why this answer

Option B is correct because it enables gateway transit on the hub-side peering connection and uses remote gateways on the spoke-side peering connection. This configuration allows the spoke VNet to route on-premises traffic through the hub's VPN gateway without deploying its own gateway, leveraging the hub as a transit point.

Exam trap

The trap here is that candidates confuse 'allow forwarded traffic' with 'gateway transit'. Allow forwarded traffic admits packets that did not originate in the peered VNet but were forwarded by something in it, such as a network virtual appliance; gateway transit is the setting that lets a spoke use the hub's VPN gateway for on-premises connectivity.

How to eliminate wrong answers

Option A is wrong because allow forwarded traffic only permits traffic forwarded by an appliance in the peered VNet; it does not let the spoke use the hub's VPN gateway, and a route table on the spoke subnet cannot substitute for the missing gateway transit. Option C is wrong because a private endpoint gives private-IP access to an Azure PaaS service; it has nothing to do with routing on-premises traffic through a hub VPN gateway. Option D is wrong because deploying a second VPN gateway in the spoke is exactly what the requirement rules out and does not involve peering settings at all; active-active mode is a redundancy feature for one gateway, not a transit solution.
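Worked example (added to this page, not part of the original question set): the two peerings from the answer, created with Az PowerShell, and the check that the flags landed on the right sides. The resource names are assumed.

```powershell
# Added example: hub/spoke peering with gateway transit. Assumed names:
# 'rg-net', hub 'vnet-hub' (already holds the VPN gateway), spoke 'vnet-spoke'.
$rg = 'rg-net'
$hub   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-hub'
$spoke = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-spoke'

# Hub side: let the peer use my gateway.
Add-AzVirtualNetworkPeering -Name 'hub-to-spoke' -VirtualNetwork $hub `
    -RemoteVirtualNetworkId $spoke.Id -AllowGatewayTransit | Out-Null

# Spoke side: use the remote (hub) gateway. This fails while the hub gateway
# does not exist yet, and a VNet may use a remote gateway over one peering only.
Add-AzVirtualNetworkPeering -Name 'spoke-to-hub' -VirtualNetwork $spoke `
    -RemoteVirtualNetworkId $hub.Id -UseRemoteGateways | Out-Null

# Check: both directions Connected, transit on the hub, remote gateway on the spoke.
Get-AzVirtualNetworkPeering -ResourceGroupName $rg -VirtualNetworkName 'vnet-hub'   -Name 'hub-to-spoke' |
    Select-Object PeeringState, AllowGatewayTransit, UseRemoteGateways
Get-AzVirtualNetworkPeering -ResourceGroupName $rg -VirtualNetworkName 'vnet-spoke' -Name 'spoke-to-hub' |
    Select-Object PeeringState, AllowGatewayTransit, UseRemoteGateways

# Effective routes on a NIC in the spoke should now list the on-premises
# prefixes with next hop type VirtualNetworkGateway (NIC name assumed):
# Get-AzEffectiveRouteTable -ResourceGroupName $rg -NetworkInterfaceName 'vm-spoke-nic'
```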

92 (MCQ, medium)

A finance team stores PDF statements in Azure Blob Storage. The workload must survive a zone failure in the primary region, and if the entire region becomes unavailable, auditors still need read-only access to the copies in the secondary region. Which redundancy option should you choose?

A. ZRS, because it keeps copies across zones but does not replicate to another region.
B. RA-GZRS, because it combines zone redundancy with geo-replication and read access to the secondary region.
C. LRS, because it keeps three copies in a single datacenter and is sufficient for regional resilience.
D. GRS, because it provides geo-replication and always allows direct reads from the secondary region.
Answer: B

RA-GZRS is designed for exactly this requirement. It replicates data across zones in the primary region and also asynchronously replicates to a paired secondary region. The read-access feature means you can still retrieve data from the secondary endpoint if the primary region is unavailable, which is useful for audit or continuity scenarios.

Why this answer

RA-GZRS (Read-Access Geo-Zone-Redundant Storage) is the correct choice because it combines zone redundancy (synchronous replication across Azure availability zones within the primary region) with geo-replication (asynchronous replication to a secondary region), and crucially enables read access to the secondary region even when the primary is unavailable. This meets the requirement to survive a zone failure (via ZRS) and provide read-only access during a full regional outage (via the read-access geo-replication endpoint).

Exam trap

The trap here is that candidates often confuse GRS with RA-GRS, forgetting that standard GRS does not allow direct reads from the secondary region without a manual or automatic failover, while RA-GZRS (and RA-GRS) explicitly provide that read access.

How to eliminate wrong answers

Option A (ZRS) is wrong because while it protects against zone failures by replicating data synchronously across availability zones, it does not replicate to a secondary region, so it cannot provide read-only access during a full regional outage. Option C (LRS) is wrong because it replicates data only within a single datacenter (three copies in one storage scale unit), offering no protection against a zone failure or a full regional outage. Option D (GRS) is wrong because although it provides geo-replication to a secondary region, it does not allow direct reads from the secondary region unless a failover is initiated; the read-access capability requires the RA prefix (RA-GRS or RA-GZRS).

93
MCQ · medium

A user accidentally deleted a nested folder tree from an Azure file share yesterday. Other folders were modified after the deletion and must not be rolled back. The administrator wants to restore only the deleted folder tree. What is the best recovery method?

A. Use a file share snapshot and copy the deleted folder tree back into the live share.
B. Delete the current share and restore the whole share from the most recent backup.
C. Change the share's access tier from Hot to Cool and then refresh the folder view.
D. Enable soft delete for blobs in the same storage account and recover the folder from there.
Answer: A

A snapshot captures the file share at a point in time, which allows the administrator to browse the earlier state and restore only the deleted folders. This is ideal when the goal is targeted recovery without reverting later changes elsewhere in the share.

Why this answer

Azure file share snapshots provide a point-in-time, read-only copy of the entire file share. By mounting a snapshot taken before the accidental deletion, the administrator can browse the snapshot's directory structure and copy only the deleted folder tree back into the live share. This approach restores the lost data without affecting any other files or folders that were modified after the snapshot was taken, meeting the requirement to avoid rolling back other changes.

Exam trap

The trap here is that candidates may confuse Azure file share snapshots with blob soft delete or assume that restoring from a full backup is the only option, failing to recognize that snapshots allow granular, non-destructive recovery of specific folders without affecting other changes.

How to eliminate wrong answers

Option B is wrong because deleting the current share and restoring the whole share from the most recent backup would roll back all modifications made after the backup, including the changes that must not be rolled back. Option C is wrong because changing the access tier from Hot to Cool does not recover deleted data; it only changes the storage tier's pricing and performance characteristics, and refreshing the folder view has no effect on deleted items. Option D is wrong because soft delete for blobs applies to Azure Blob Storage, not to Azure Files; file shares do not support blob soft delete, and the recovery mechanism for files is file share snapshots, not blob-level recovery.

94
MCQ · medium

A storage account must stay online for applications, but administrators have a temporary freeze on configuration changes. Users can still view the account, but attempts to change the access tier, create a container, or update networking all fail. What most likely caused the behavior?

A. A CanNotDelete lock was applied to the storage account.
B. A ReadOnly lock was applied to the storage account.
C. An Azure Policy audit assignment was applied to the storage account.
D. The account was moved to a different subscription.
Answer: B

ReadOnly is the correct explanation because it blocks write operations on the locked scope. That includes changing account settings, creating child resources such as containers, and modifying networking configuration. Read-only access still allows users to view the resource, which matches the symptom described in the scenario. This lock is useful when all configuration changes must be paused.

Why this answer

A ReadOnly lock (Azure Resource Manager lock) prevents any modification to the storage account, including changing the access tier, creating containers, or updating networking settings, while still allowing read operations like viewing the account. This matches the described behavior exactly because the lock is applied at the resource scope and blocks all write/delete operations, but does not affect read access.

Exam trap

The trap here is that candidates often confuse CanNotDelete locks with ReadOnly locks, mistakenly thinking that a deletion-prevention lock also blocks modifications, when in fact only ReadOnly locks block all write operations.

How to eliminate wrong answers

Option A is wrong because a CanNotDelete lock prevents deletion of the storage account but still allows modifications such as changing the access tier, creating containers, or updating networking — it does not block write operations. Option C is wrong because an Azure Policy audit assignment only evaluates and logs compliance without enforcing a deny effect; it does not actively block configuration changes. Option D is wrong because moving a storage account to a different subscription does not inherently block configuration changes; the account remains fully functional and modifiable after the move, unless additional locks or policies are applied.

95
Multi-Select · easy

A team wants a storage option that stays available if one availability zone in the primary region fails. Which two redundancy options meet that requirement? Select two.

Select 2 answers
A. Zone-redundant storage (ZRS).
B. Geo-zone-redundant storage (GZRS).
C. Locally redundant storage (LRS).
D. Geo-redundant storage (GRS).
E. Read-access geo-redundant storage (RA-GRS).
Answers: A, B

ZRS replicates data across multiple availability zones in the primary region, which helps the storage remain available if one zone fails.

Why this answer

Zone-redundant storage (ZRS) synchronously replicates data across three Azure availability zones within the primary region. If one zone fails, the data remains accessible from the other zones, ensuring high availability without requiring failover to a secondary region. Geo-zone-redundant storage (GZRS) uses that same zone-redundant replication in the primary region and adds asynchronous geo-replication to a secondary region, so it also survives the loss of a single zone.

Exam trap

The trap here is that candidates often assume the geo-redundant options (GRS/RA-GRS) provide zone-level protection, but those options use LRS in the primary region, which does not survive a single availability zone failure.

96
MCQ · medium

You need to move infrequently accessed blob data automatically from the Hot tier to the Cool tier after 30 days to reduce cost. What should you configure?

A. Blob soft delete
B. Lifecycle management rules
C. A private endpoint
D. A CanNotDelete lock
Answer: B

Lifecycle management automates tier transitions such as Hot to Cool.

Why this answer

Azure Blob Storage lifecycle management rules allow you to automatically transition blobs from the Hot tier to the Cool tier based on age or other conditions. By configuring a rule that moves blobs to the Cool tier after 30 days from creation or last modification, you reduce storage costs for infrequently accessed data without manual intervention.

Exam trap

The trap here is that candidates confuse blob soft delete (which only handles recovery) with lifecycle management (which handles automated tiering and deletion), leading them to choose soft delete when the question asks about cost optimization through tier transitions.

How to eliminate wrong answers

Option A is wrong because blob soft delete protects against accidental deletion or overwrite by retaining deleted blobs for a specified retention period, but it does not automate tier transitions. Option C is wrong because a private endpoint provides secure network connectivity to the storage account over a private IP address in your virtual network, and has no role in data lifecycle management. Option D is wrong because a CanNotDelete lock prevents deletion of the storage account or container as a whole, but does not affect blob tiering or cost optimization.
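The lifecycle rule described in question 96, as an added Azure PowerShell (Az.Storage) example that is not part of the question bank; the resource group, account name and "invoices/" prefix are placeholder values.

```powershell
# Added example: a lifecycle management rule that tiers block blobs from Hot to
# Cool once they have gone 30 days without modification.
# $rg, $acct and the "invoices/" prefix are placeholders, not real resources.
$rg   = "rg-storage-demo"
$acct = "stdemostorage"

# Action: move to Cool when the blob has not been modified for more than 30 days.
$action = Add-AzStorageAccountManagementPolicyAction `
    -BaseBlobAction TierToCool `
    -DaysAfterModificationGreaterThan 30

# Filter: lifecycle rules must name a blob type; the prefix limits the rule's scope.
$filter = New-AzStorageAccountManagementPolicyFilter `
    -PrefixMatch "invoices/" `
    -BlobType blockBlob

$rule = New-AzStorageAccountManagementPolicyRule `
    -Name "hot-to-cool-after-30-days" `
    -Action $action `
    -Filter $filter

# Apply the policy. Note that this replaces any policy already set on the account,
# so include every rule you want to keep in -Rule.
Set-AzStorageAccountManagementPolicy `
    -ResourceGroupName $rg `
    -StorageAccountName $acct `
    -Rule $rule | Out-Null

# Verify which rules are in effect and the Cool threshold of each.
(Get-AzStorageAccountManagementPolicy -ResourceGroupName $rg -StorageAccountName $acct).Rules |
    Select-Object Name, Enabled,
        @{ n = 'DaysToCool'; e = { $_.Definition.Actions.BaseBlob.TierToCool.DaysAfterModificationGreaterThan } }
```

Lifecycle rules run once a day, so a blob can take up to 24 hours past the threshold before it actually moves.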

97
MCQ · medium

A legal department archived a 120-GB blob three weeks ago. They now need the file available for review later today, and waiting more than a day would delay a court filing. What should the administrator do to make the blob readable as quickly as possible?

A. Copy the blob to a new container and leave it in the Archive tier until the users need it.
B. Start rehydration from Archive and choose High priority.
C. Change the access tier from Archive directly to Cool and then download the blob immediately.
D. Enable soft delete on the container and restore the blob from deleted items.
Answer: B

Archive blobs cannot be read immediately. To make the blob available within the shortest practical time, the administrator should rehydrate it and select High priority so Azure processes the request faster than the standard option.

Why this answer

Option B is correct because rehydrating a blob from the Archive tier with High priority typically makes the blob readable within 1 hour, meeting the urgent same-day requirement. The Archive tier is offline, so the blob must be rehydrated (changed to an online tier like Hot or Cool) before it can be accessed. High-priority rehydration is designed for time-sensitive scenarios like this court filing deadline.

Exam trap

The trap here is that candidates may think changing the access tier directly (Option C) is instantaneous, but Azure requires a rehydration process that can take up to 15 hours for standard priority, making High-priority rehydration (Option B) the only viable choice for same-day access.

How to eliminate wrong answers

Option A is wrong because copying a blob while it remains in the Archive tier does not change its offline status; the copy would also be in the Archive tier and still require rehydration before reading. Option C is wrong because changing the access tier directly from Archive to Cool triggers a standard-priority rehydration that can take up to 15 hours, which exceeds the 'later today' requirement and would delay the court filing. Option D is wrong because soft delete is used to recover accidentally deleted blobs, not to restore blobs that are in the Archive tier; the blob was archived, not deleted, so soft delete does not apply.

98
Multi-Select · hard

A web app uses a managed identity to read blobs from a storage account. Security now wants to ensure no future requests can authenticate with shared keys and the app should continue to use secretless access. Which two changes should the administrator make? Select two.

Select 2 answers
A. Assign the Storage Blob Data Reader role to the managed identity on the storage account or container.
B. Disable shared key access on the storage account.
C. Generate a service SAS and place it in an app setting.
D. Rotate the storage account keys weekly.
E. Grant Reader access to the resource group because it includes the storage account.
Answers: A, B

The data-plane role authorizes blob reads for the managed identity without storing secrets in the application.

Why this answer

Option A is correct because assigning the Storage Blob Data Reader role to the managed identity enables Azure RBAC-based, secretless access to blobs. This aligns with the requirement to use managed identities for authentication, eliminating the need for keys or SAS tokens. Option B is correct because disabling shared key access on the storage account enforces the security policy that no future requests can authenticate using shared keys, while the managed identity continues to work via Azure AD authentication.

Exam trap

The trap here is that candidates often confuse disabling shared key access with rotating keys or using SAS tokens, thinking those actions also enforce secretless access, but only disabling shared key access actually blocks key-based authentication while managed identity continues to work seamlessly.

99
MCQ · medium

A web app running in Azure App Service must upload images to a blob container without storing any account keys, passwords, or connection strings in configuration. The app uses only one Azure resource. What should the administrator configure?

A. A system-assigned managed identity on the App Service and an Azure RBAC role on the storage account.
B. The storage account key, because it is the simplest way to authenticate an application securely.
C. A shared access signature embedded in the app settings, because SAS is the same as managed identity.
D. An anonymous public container with write access disabled on the account.
Answer: A

A system-assigned managed identity is ideal when one Azure resource needs to access storage without secrets. The identity is created and deleted with the App Service, and RBAC can grant only the storage permissions required. This removes the need to embed keys or connection strings and aligns with credential-free application access.

Why this answer

A system-assigned managed identity allows the App Service to authenticate to Azure Storage without storing any credentials in configuration. By assigning an Azure RBAC data-plane role (e.g., Storage Blob Data Contributor) to that identity, the app can securely upload images using Azure AD authentication, meeting the requirement of no account keys, passwords, or connection strings.

Exam trap

The trap here is that candidates often confuse shared access signatures (SAS) with managed identities, thinking SAS can be used without storing secrets, but SAS tokens still require a key to generate and must be stored or regenerated, whereas managed identity eliminates all stored credentials.

How to eliminate wrong answers

Option B is wrong because storing the storage account key in configuration violates the requirement to avoid any keys or secrets, and it introduces a security risk if the key is exposed. Option C is wrong because a shared access signature (SAS) is a token that must be stored or generated with a key, and it is not equivalent to managed identity; managed identity uses Azure AD tokens without any stored secrets. Option D is wrong because an anonymous public container with write access disabled prevents any uploads, and enabling write access would expose the container to unauthenticated users, violating security best practices.

100
MCQ · hard

An administrator wants a storage account to be accessible only from one subnet. The storage account should still use its public FQDN, the team does not want a private IP address in the VNet, and they do not want to manage private DNS zones. Which solution should be used?

A. Create a private endpoint and disable public network access.
B. Enable a service endpoint on the subnet and restrict the storage firewall to that subnet.
C. Peer the subnet to a dedicated storage VNet and route traffic through peering.
D. Assign a route table with a host route to the storage account.
Answer: B

A service endpoint allows the subnet to access the storage account over the Azure backbone while the storage account still uses its public FQDN and does not require a private IP in the VNet. Because the administrator also wants to avoid private DNS zone management, this is the best fit. The storage firewall can then be restricted to the specific subnet.

Why this answer

Option B is correct because a service endpoint allows the storage account to be accessed from a specific subnet while still using the public FQDN. By enabling a service endpoint on the subnet and configuring the storage firewall to allow traffic only from that subnet, the administrator meets all requirements: no private IP, no private DNS zones, and access restricted to one subnet.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, assuming that only private endpoints can restrict network access, but service endpoints combined with firewall rules achieve the same restriction without changing the endpoint type or requiring DNS management.

How to eliminate wrong answers

Option A is wrong because a private endpoint assigns a private IP address to the storage account within the VNet, which the team explicitly does not want, and it also requires managing private DNS zones. Option C is wrong because VNet peering does not restrict access to a single subnet; it connects entire VNets and still requires the storage account to be accessible via private IP or public endpoint, and it does not eliminate the need for private DNS. Option D is wrong because a route table with a host route does not enforce access control; it only influences network traffic routing and cannot restrict which subnet can access the storage account.

101
Multi-Select · easy

An analyst needs a blob that is currently in the Archive tier to be downloadable within the next hour. Which two actions should the administrator take? Select two.

Select 2 answers
A. Change the blob access tier from Archive to Hot or Cool.
B. Choose High priority rehydration for the tier change.
C. Download the blob directly from the Archive tier without changing its tier.
D. Delete the blob and restore it from a soft delete snapshot.
E. Add a lifecycle rule to move the blob to Archive again after it is downloaded.
Answers: A, B

A blob in Archive is offline and cannot be read until it is rehydrated into an online tier. Moving it to Hot or Cool starts that rehydration process and makes the blob available again. This is the required administrative step when a previously archived blob must be downloaded for use.

Why this answer

Option A is correct because to make a blob in the Archive tier accessible for download, you must first change its access tier to Hot or Cool. This initiates a rehydration process that moves the blob data from offline storage to an online tier, making it available for read operations. The rehydration can take up to 15 hours, but selecting High priority rehydration (Option B) can reduce this to under 1 hour, meeting the analyst's requirement.

Exam trap

The trap here is that candidates may think blobs in the Archive tier can be downloaded directly or that deleting and restoring from soft delete bypasses the rehydration requirement, but neither action changes the offline storage status of the blob.
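The rehydration procedure from questions 97 and 101 (tier change plus High priority, then waiting for the blob to come online), as an added Azure PowerShell example that is not part of the question bank; the account, container and blob names are placeholders, and the context assumes the caller holds an RBAC data role on the account.

```powershell
# Added example: rehydrate an Archive blob in place with High priority and poll
# until it is readable. Names below are placeholders, not real resources.
$ctx       = New-AzStorageContext -StorageAccountName "stdemostorage" -UseConnectedAccount
$container = "legal"
$blobName  = "statements/2024-q1.pdf"

$blob = Get-AzStorageBlob -Container $container -Blob $blobName -Context $ctx

if ($blob.AccessTier -eq "Archive") {
    # Request the move to an online tier. The third argument is the rehydrate
    # priority; omitting it gives Standard, which can take up to 15 hours.
    $blob.BlobClient.SetAccessTier(
        [Azure.Storage.Blobs.Models.AccessTier]::Hot,
        $null,                                              # no request conditions
        [Azure.Storage.Blobs.Models.RehydratePriority]::High,
        [System.Threading.CancellationToken]::None) | Out-Null
}

# While rehydration is pending the blob still reports the Archive tier and its
# ArchiveStatus reads "rehydrate-pending-to-hot"; reads fail until that clears.
do {
    Start-Sleep -Seconds 60
    $blob   = Get-AzStorageBlob -Container $container -Blob $blobName -Context $ctx
    $status = $blob.BlobProperties.ArchiveStatus
    Write-Host "$(Get-Date -Format u) tier=$($blob.AccessTier) archiveStatus=$status"
} while ($status)

Write-Host "Blob is online; download can start."
```

Setting the tier again with High priority while a Standard rehydration is already pending upgrades that request rather than starting a second one.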

102
Multi-Select · easy

A team wants one Azure Files share to be used by both Windows and Linux virtual machines. Which two mounting approaches are valid? Select two.

Select 2 answers
A. Map the share on Windows by using the built-in SMB client.
B. Mount the share on Linux by using an SMB/CIFS client such as mount.cifs.
C. Mount the share on Linux by using the Azure Blob service endpoint.
D. Use an Azure VPN gateway to make the file share mount possible.
E. Use an Azure load balancer to present the share to both VMs.
Answers: A, B

Windows can mount Azure Files shares through SMB using File Explorer, net use, or PowerShell. This is the normal Windows client approach.

Why this answer

Option A is correct because Windows includes a built-in SMB client that can directly map an Azure Files share using its UNC path (e.g., \\storageaccount.file.core.windows.net\sharename). This leverages the SMB 3.0 protocol, which Azure Files supports over the public internet with encryption, requiring no additional gateway or VPN. Option B is correct because Linux mounts the same share over SMB with the kernel CIFS client (mount.cifs), so both operating systems use their native SMB support against one share.

Exam trap

The trap here is that candidates assume Azure Files requires a VPN or ExpressRoute for secure mounting, but Azure Files SMB 3.0 with encryption works securely over the public internet, making options like D unnecessary.

103
MCQ · medium

A Windows VM and a Linux VM in Azure must use the same shared working folder for application files. The team does not want to run a separate file server, and both VMs must be able to mount the share by using native operating system tools. What should the administrator deploy?

A. An Azure Blob container mounted as a local NTFS volume on both VMs
B. An Azure Files share mounted from Windows by using SMB and from Linux by using SMB or the Azure Files mount command
C. A managed disk attached to both VMs in read-write mode
D. An Azure Queue storage account with application-level file synchronization
Answer: B

Azure Files is designed for shared file access from both Windows and Linux. It provides a managed file share that can be mounted with native tools, avoiding the need to operate a separate file server. This matches the requirement for a common working folder accessible from both operating systems.

Why this answer

Option B is correct because Azure Files provides fully managed SMB (Server Message Block) file shares that can be mounted natively from both Windows (using SMB) and Linux (using SMB or the dedicated Azure Files mount command). This meets the requirement of a shared working folder without needing a separate file server, and both operating systems can use their native tools to access the share.

Exam trap

The trap here is that candidates may confuse Azure Blob storage (object storage) with Azure Files (file shares) and assume Blob can be mounted locally, or they may incorrectly think a managed disk can be attached to multiple VMs simultaneously without understanding the limitations of shared disk attachments.

How to eliminate wrong answers

Option A is wrong because Azure Blob containers cannot be mounted as a local NTFS volume; they are object storage accessed via HTTPS/REST APIs, not block-level or file-level storage, and do not support native OS mounting without third-party tools. Option C is wrong because a managed disk cannot be attached to multiple VMs in read-write mode simultaneously; Azure managed disks support shared disk attachments only with specific configurations (e.g., Azure Shared Disks) and typically require cluster-aware file systems, not native OS mounting for a simple shared folder. Option D is wrong because Azure Queue storage is a messaging service for asynchronous communication, not a file storage solution, and it cannot be mounted or used as a shared working folder for application files.

104
MCQ · hard

Your application stores compliance records in Azure Blob Storage. The records must remain in a write-once-read-many state for three years and must not be altered or deleted during that period. What should you configure?

A. Blob soft delete
B. Immutable blob storage with a time-based retention policy
C. Lifecycle management to move data to Archive
D. A shared access signature
Answer: B

This enforces write-once-read-many protection for the specified period.

Why this answer

Immutable blob storage with a time-based retention policy enforces a WORM (Write-Once, Read-Many) state, preventing any modification or deletion of blobs for a specified retention period. This meets the requirement of keeping compliance records unaltered for three years, as the policy locks the data at the storage level, overriding any user permissions or delete operations.

Exam trap

The trap here is that candidates often confuse soft delete (which only recovers deleted blobs) with immutability, or think lifecycle management or SAS can enforce retention, but neither prevents modification or deletion during the required period.

How to eliminate wrong answers

Option A is wrong because blob soft delete only protects against accidental deletion by retaining deleted blobs for a configurable period, but it does not prevent modification or enforce a write-once-read-many state. Option C is wrong because lifecycle management moves blobs to Archive tier based on age or last access, but it does not prevent deletion or modification during the retention period; Archive tier blobs can still be deleted or overwritten by authorized users. Option D is wrong because a shared access signature (SAS) provides delegated access to blobs with permissions and expiry, but it does not enforce immutability or prevent alteration/deletion by users with valid SAS tokens or other permissions.
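The three-year time-based retention policy from question 104, as an added Azure PowerShell (Az.Storage) example that is not part of the question bank; the resource names are placeholders. It also shows the locking step, which is what makes the retention binding rather than merely configured.

```powershell
# Added example: apply a three-year time-based retention (WORM) policy to a
# container and lock it. $rg, $acct and $container are placeholders.
$rg        = "rg-storage-demo"
$acct      = "stcompliance"
$container = "compliance-records"

# 3 years = 1095 days. A newly created policy is "Unlocked": it already blocks
# overwrite and delete, but the period can still be changed or the policy removed.
$policy = Set-AzRmStorageContainerImmutabilityPolicy `
    -ResourceGroupName $rg `
    -StorageAccountName $acct `
    -ContainerName $container `
    -ImmutabilityPeriod 1095

# Lock the policy. Once locked it can only ever be extended, never shortened or
# deleted, so confirm the period first. The Etag guards against a concurrent edit.
Lock-AzRmStorageContainerImmutabilityPolicy `
    -ResourceGroupName $rg `
    -StorageAccountName $acct `
    -ContainerName $container `
    -Etag $policy.Etag `
    -Force | Out-Null

# Verify: State should read "Locked" with a 1095-day period.
Get-AzRmStorageContainerImmutabilityPolicy `
    -ResourceGroupName $rg -StorageAccountName $acct -ContainerName $container |
    Select-Object ImmutabilityPeriodSinceCreationInDays, State
```

The retention clock runs from each blob's creation time, so a record written on the last day of the policy's life is still protected for a further three years.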

105
MCQ · medium

You need to choose a storage redundancy option that provides the lowest cost and protects data against local hardware failure within a single datacenter only. Which redundancy option should you select?

A. LRS
B. ZRS
C. GRS
D. GZRS
Answer: A

LRS provides local redundancy within a single datacenter at the lowest cost.

Why this answer

LRS (Locally Redundant Storage) replicates data three times within a single datacenter (or availability zone) in the same region, protecting against local hardware failures such as disk or server crashes. It is the lowest-cost redundancy option because it does not incur the additional replication costs of cross-zone or cross-region copying. This meets the requirement of protecting data against local hardware failure within a single datacenter only.

Exam trap

The trap here is that candidates often confuse LRS with ZRS, mistakenly thinking ZRS is also single-datacenter, when in fact ZRS spans multiple datacenters (availability zones) and costs more, failing the 'lowest cost' and 'single datacenter' constraints.

How to eliminate wrong answers

Option B (ZRS) is wrong because it replicates data synchronously across three Azure availability zones within a region, which spans multiple datacenters and incurs higher cost than LRS. Option C (GRS) is wrong because it replicates data to a secondary region (hundreds of miles away) for disaster recovery, providing geo-redundancy at a significantly higher cost than LRS. Option D (GZRS) is wrong because it combines zone-redundant storage (ZRS) with geo-replication to a secondary region, offering the highest durability and cost, far exceeding the single-datacenter scope required.

106
Multi-Select · easy

An application runs in a subnet and must reach a storage account over the public endpoint, but only that subnet should be allowed. The team does not want to use a private endpoint. Which two configurations should the administrator use? Select two.

Select 2 answers
A. Enable the Microsoft.Storage service endpoint on the subnet.
B. Add the subnet to the storage account's virtual network rules.
C. Create a private endpoint for the storage account.
D. Assign the Reader role to the subnet.
E. Turn on blob soft delete.
Answers: A, B

A service endpoint extends the subnet identity to the storage service so the subnet can be authorized without a private IP address.

Why this answer

Enabling the Microsoft.Storage service endpoint on the subnet (A) ensures that traffic from the subnet to the storage account's public endpoint is routed through the Azure backbone network and uses the source IP of the subnet's virtual network, allowing the storage account firewall to identify the traffic. Adding the subnet to the storage account's virtual network rules (B) then explicitly permits only that subnet's traffic, denying all other public endpoint access. Together, these two configurations restrict access to the storage account's public endpoint exclusively to the specified subnet without requiring a private endpoint.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, assuming private endpoints are required for subnet-specific access, but service endpoints plus virtual network rules achieve the same restriction on the public endpoint without the cost or complexity of private endpoints.
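The service endpoint plus virtual network rule configuration from questions 100 and 106, as an added Azure PowerShell (Az.Network and Az.Storage) example that is not part of the question bank; the resource names are placeholders. The order matters: the subnet must carry the service endpoint before it can be added to the storage firewall.

```powershell
# Added example: restrict a storage account's public endpoint to a single subnet
# with a service endpoint and a virtual network rule. All names are placeholders.
$rg         = "rg-storage-demo"
$acct       = "stdemostorage"
$vnetName   = "vnet-app"
$subnetName = "snet-app"

# 1. Enable the Microsoft.Storage service endpoint on the subnet and commit the VNet.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
    -AddressPrefix $subnet.AddressPrefix `
    -ServiceEndpoint "Microsoft.Storage" | Out-Null
$vnet   = Set-AzVirtualNetwork -VirtualNetwork $vnet          # persists the change
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName

# 2. Close the storage firewall by default, then allow only this subnet.
#    -Bypass AzureServices keeps trusted Microsoft services (e.g. Backup) working;
#    drop it if the policy requires the subnet to be the only allowed source.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $acct `
    -DefaultAction Deny -Bypass AzureServices | Out-Null
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $acct `
    -VirtualNetworkResourceId $subnet.Id | Out-Null

# 3. Verify: DefaultAction is Deny and the only VNet rule is the subnet, state Succeeded.
$rules = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $acct
$rules | Select-Object DefaultAction, Bypass
$rules.VirtualNetworkRules | Select-Object VirtualNetworkResourceId, State
```

Remember that the Azure portal and any admin workstation outside the subnet are now blocked from the data plane too, so add an IP rule for them if they need access.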

107
MCQ · medium

A company has 15 branch Windows file servers that must show the same shared drive content. Users should keep working during short WAN outages, and local servers should cache frequently used files. Which Azure feature should you deploy?

A. Azure Blob Storage with lifecycle rules, because it can present files to multiple branches.
B. Azure File Sync, because it synchronizes on-premises file servers with an Azure file share and supports cloud tiering.
C. A private endpoint to Blob Storage, because it provides local caching for SMB file shares.
D. A managed disk shared across the branch servers, because it gives the same content to all locations.
Answer: B

Azure File Sync is designed for this exact scenario. It keeps an Azure file share as the central source of truth while synchronizing branch servers and optionally tiering infrequently used files to the cloud. That gives users local performance, file-share consistency, and better resilience during temporary WAN disruptions. It is the best fit when multiple Windows servers need synchronized file content.

Why this answer

Azure File Sync is the correct choice because it synchronizes on-premises Windows file servers with an Azure file share, enabling multi-site file server consolidation. It supports cloud tiering, which caches frequently accessed files locally on each branch server while freeing up space by tiering cold data to the cloud. This ensures users can continue working during short WAN outages, as local caches provide access to synced files even when connectivity is lost.

Exam trap

The trap here is that candidates often confuse Azure Blob Storage with Azure Files, assuming blob storage can serve SMB file shares directly, but Azure Blob Storage does not support SMB protocol natively without Azure Files or third-party tools.

How to eliminate wrong answers

Option A is wrong because Azure Blob Storage with lifecycle rules is designed for object storage (blobs), not SMB file shares, and cannot present the same shared drive content to multiple Windows file servers via SMB without additional services like Azure NetApp Files or Azure Files. Option C is wrong because a private endpoint to Blob Storage provides secure network connectivity but does not offer local caching for SMB file shares; it only enables private IP access to blob storage, not file-level synchronization or caching. Option D is wrong because a managed disk cannot be shared across multiple branch servers simultaneously; Azure shared disks support only a limited number of cluster nodes (e.g., 2-3) and are not designed for wide-area file synchronization or caching across 15 locations.

108
MCQ · easy

An archive of legal documents is accessed only a few times each month, but when someone needs a document it must open immediately without a rehydration wait. Which access tier should be used?

A. Hot tier
B. Cool tier
C. Archive tier
D. Geo-redundant storage (GRS)
Answer: B

Cool tier keeps data online and immediately available while reducing cost for infrequent access.

Why this answer

The Cool tier is designed for data that is infrequently accessed but must be available immediately when needed, with a lower storage cost than Hot tier but higher access costs. Since the archive is accessed only a few times per month and requires instant retrieval without rehydration delay, Cool tier meets both requirements, whereas Archive tier would impose a rehydration wait of up to 15 hours.

Exam trap

The trap here is that candidates confuse the 'Archive' tier name with the use case of 'archival data' and overlook the critical requirement for immediate access, mistakenly choosing Archive tier despite its mandatory rehydration delay.

How to eliminate wrong answers

Option A is wrong because the Hot tier is optimized for frequent access (multiple times per day) and has higher storage costs, making it cost-inefficient for data accessed only a few times per month. Option C is wrong because the Archive tier requires a rehydration process (taking up to 15 hours) before data can be read, which violates the requirement for immediate opening without wait. Option D is wrong because Geo-redundant storage (GRS) is a replication strategy (not an access tier) that provides durability across regions but does not address access frequency or rehydration latency.

109
MCQmedium

A team runs a Windows service on an Azure virtual machine that uploads invoices to Blob storage every few minutes. Security policy forbids storing account keys or long-lived SAS tokens on the VM. The service must authenticate without human interaction. What should the administrator configure?

A.Generate a SAS token with a 1-year expiry and store it in an encrypted file on the VM.
B.Assign the VM a managed identity and grant it Storage Blob Data Contributor on the container or storage account.
C.Share the storage account access key with the service account and rotate it monthly.
D.Create a storage firewall rule that allows the VM's public IP address and keep using anonymous access.
AnswerB

A managed identity lets the VM authenticate to Azure Storage without storing credentials. Granting Storage Blob Data Contributor provides the data-plane permissions needed to upload blobs while keeping access tied to Entra ID and RBAC. This satisfies the requirement for noninteractive authentication and avoids account keys or long-lived SAS tokens.

Why this answer

Option B is correct because assigning a managed identity to the VM lets it authenticate to Azure Blob Storage with no secret stored on the VM. The managed identity is a service principal in Microsoft Entra ID (formerly Azure AD) whose credential Azure manages and rotates; the service requests a token from the Instance Metadata Service and presents it to storage, and the Storage Blob Data Contributor assignment gives that principal the data-plane permission to upload invoices. This satisfies the policy forbidding account keys or long-lived SAS tokens and needs no human interaction.

Exam trap

The trap here is that candidates may think a SAS token or access key is acceptable if encrypted or rotated, but the security policy explicitly forbids storing any secrets on the VM, making managed identity the only compliant option.

How to eliminate wrong answers

Option A is wrong because storing a SAS token with a 1-year expiry in an encrypted file on the VM violates the policy that forbids long-lived SAS tokens on the VM; anyone who compromises the VM can decrypt the file as easily as the service does and then holds a credential that stays valid for a year. Option C is wrong because sharing the storage account access key with the service account puts an account key on the VM, which the policy forbids, and monthly rotation only shortens the exposure window rather than removing it. Option D is wrong because anonymous public access, even where an administrator enables it, only ever grants read (and list) operations; no anonymous setting permits writing a blob, so the service would still have no way to upload. The firewall rule only controls which source addresses may reach the account and supplies no credential, and an IP network rule does not even apply to a VM in the same region as the storage account (same-region traffic must be allowed with a virtual network rule or a private endpoint instead).

110
MCQhard

A compliance team stores signed contract scans in Azure Blob Storage. The data must remain available if one zone in the primary region fails. If the entire primary region is unavailable, the team also needs to read the secondary copy while recovery work is underway. Which redundancy option should you choose for the storage account?

A.ZRS, because it protects against a single zone failure in one region.
B.GRS, because it keeps a geo-replicated copy but does not provide zone redundancy in the primary region.
C.GZRS, because it combines zone redundancy with geo-replication and supports failover recovery.
D.RA-GZRS, because it combines zone redundancy, geo-replication, and read access to the secondary region.
AnswerD

RA-GZRS is the only option listed that satisfies both requirements simultaneously. It protects against a zone failure in the primary region through zone-redundant storage and also keeps a geo-replicated secondary copy in another region. The read-access feature lets administrators or applications read from the secondary endpoint during a regional outage or while validating recovery, which is exactly what the scenario requires.

Why this answer

RA-GZRS (Read-Access Geo-Zone-Redundant Storage) is the correct choice because it provides synchronous zone-level redundancy within the primary region (protecting against a single zone failure) and asynchronous geo-replication to a secondary region. Additionally, it enables read access to the secondary region at all times, allowing the compliance team to read the secondary copy immediately if the primary region becomes unavailable, without waiting for a failover.

Exam trap

The trap here is that candidates often confuse GZRS with RA-GZRS, overlooking that GZRS does not provide read access to the secondary region unless a failover is performed, while the question explicitly requires the ability to read the secondary copy immediately during primary region unavailability.

How to eliminate wrong answers

Option A is wrong because ZRS only protects against a single zone failure within the primary region but does not provide any geo-replication or read access to a secondary region if the entire primary region fails. Option B is wrong because GRS provides geo-replication but lacks zone redundancy in the primary region, meaning a single zone failure could disrupt availability before geo-failover occurs. Option C is wrong because GZRS combines zone redundancy and geo-replication but does not allow read access to the secondary region unless a failover is initiated, which does not meet the requirement for immediate read access during recovery.

111
MCQmedium

You have a storage account that stores infrequently accessed data that must remain available immediately when requested. You need to minimize storage costs. Which access tier should you use?

A.Premium
B.Hot
C.Cool
D.Archive
AnswerC

Cool is appropriate for infrequently accessed data that still needs immediate availability.

Why this answer

The Cool access tier is designed for data that is infrequently accessed but still requires immediate availability when requested, offering lower storage costs than the Hot tier while maintaining low latency access. Since the data must remain available immediately, the Archive tier is unsuitable due to its multi-hour retrieval latency, and the Premium tier is optimized for high-performance scenarios, not cost minimization.

Exam trap

The trap here is that candidates often choose Archive for its lowest storage cost, overlooking the critical requirement for immediate availability, which Archive cannot provide due to its mandatory rehydration latency.

How to eliminate wrong answers

Option A is wrong because Premium is not an access tier you pick on a standard account at all; it is a separate premium block blob account type on SSD media with the highest per-GB storage price (and lower transaction prices), aimed at low-latency, high-transaction workloads, which is the opposite of minimizing storage cost for rarely read data. Option B is wrong because the Hot tier has a higher storage cost per GB than Cool, so it wastes money on data that is seldom read. Option D is wrong because the Archive tier, despite the lowest storage cost, is offline: a blob must be rehydrated (up to 15 hours at standard priority) before it can be read, which violates the requirement for immediate availability.

112
MCQmedium

A team runs a Windows VM in Azure that uploads invoices to a blob container. Security policy forbids storing storage account keys or long-lived SAS tokens on the VM. The app must keep working until the VM is deleted, and access should disappear automatically when the VM is removed. What should the administrator configure?

A.Assign the VM's managed identity the Storage Blob Data Contributor role on the storage account or container.
B.Create an account SAS token with write permissions and store it in a secure file on the VM.
C.Assign the Reader role on the storage account to the VM's computer account.
D.Enable shared key access and rotate the storage account keys regularly.
AnswerA

This uses Entra ID-based authorization without storing secrets on the VM. A managed identity is tied to the VM lifecycle, so when the VM is deleted, the identity is removed too. The Storage Blob Data Contributor role grants the data-plane permissions needed to upload blobs, while keeping access scoped to only the required storage resource.

Why this answer

Option A is correct because assigning the VM's managed identity the Storage Blob Data Contributor role on the storage account or container lets the VM authenticate to Azure Blob Storage without storing any key or token. A managed identity is a service principal in Microsoft Entra ID that Azure manages for you; the application obtains an access token from the Azure Instance Metadata Service (IMDS) and presents it to storage. When the VM is deleted, its system-assigned identity is deleted with it, so the role assignment has no principal left to authorize and access ends automatically.

Exam trap

The trap here is that candidates confuse the Reader role (management plane) with data plane roles like Storage Blob Data Contributor, or they assume that storing a SAS token securely is acceptable despite the explicit policy forbidding it.

How to eliminate wrong answers

Option B is wrong because storing an account SAS token in a secure file on the VM violates the security policy that forbids storing long-lived tokens on the VM, and the token does not automatically expire when the VM is deleted. Option C is wrong because the Reader role on the storage account grants read-only access to the storage account's management plane (e.g., viewing account properties), not data plane operations like uploading blobs; the VM needs Storage Blob Data Contributor for write access to the container. Option D is wrong because enabling shared key access and rotating keys still requires storing the storage account key on the VM, which violates the security policy, and key rotation does not automatically revoke access when the VM is deleted.

113
MCQeasy

A finance department wants several Windows virtual machines to map the same shared drive letter and work with the same files at the same time. Which Azure Storage service should you configure?

A.Azure Blob container
B.Azure Files share
C.Archive blob tier
D.Storage account access key only
AnswerB

Azure Files provides SMB-based file shares that Windows VMs can map as network drives, which matches shared-drive usage.

Why this answer

Azure Files provides fully managed file shares in the cloud that support the SMB protocol, allowing multiple Windows VMs to mount the same share with a consistent drive letter (e.g., Z:) and access the same files concurrently. This meets the finance department's requirement for shared access with a mapped drive letter, which Azure Blob storage cannot provide because it uses REST APIs rather than SMB.

Exam trap

The trap here is that candidates confuse Azure Blob storage (object storage) with Azure Files (file storage), assuming that any storage service can provide a mapped drive letter, but only Azure Files supports SMB-based file shares for concurrent VM access.

How to eliminate wrong answers

Option A is wrong because Azure Blob containers are object storage accessed via REST APIs or SDKs, not via a mapped drive letter, and they do not support concurrent file-level sharing with SMB. Option C is wrong because the Archive blob tier is a cost-optimized access tier for infrequently accessed blobs, not a storage service for shared file access with drive mapping. Option D is wrong because a storage account access key alone is an authentication method, not a storage service; it cannot provide a shared drive letter or file-sharing capability.

114
MCQmedium

A blob was moved to the Archive tier last month. A project team now needs the file available later today, and they expect to read it several times during review. What should the administrator do first?

A.Copy the blob directly from Archive to a local machine and reopen it there.
B.Start a rehydration request and move the blob to the Hot tier with high priority.
C.Change the blob to the Cool tier immediately and expect it to become available within minutes.
D.Create a lifecycle rule to move the blob back to Hot automatically on the next day.
AnswerB

Archive data must be rehydrated before it can be read. If the team needs the file later today and will access it repeatedly, rehydrating it to Hot with high priority is the fastest practical choice.

Why this answer

Option B is correct because a blob in the Archive tier is offline and must be rehydrated (changed to Hot or Cool) before it can be read. High-priority rehydration is the faster of the two priorities: Microsoft's guidance is that it usually completes in under an hour for blobs under 10 GB, against up to 15 hours for standard priority, so it is the right choice when the file is needed later the same day. Hot is the right destination because the team will read the blob several times and Hot, unlike Cool, has no per-GB data retrieval charge on reads.

Exam trap

The trap here is that candidates assume changing the tier (for example to Cool) makes the blob accessible immediately, when any tier change out of Archive is a rehydration with significant latency. The priority, not the destination tier, controls how fast it completes, and even High priority is a target (typically under an hour for blobs under 10 GB), not a guarantee.

How to eliminate wrong answers

Option A is wrong because an archived blob cannot be downloaded or copied directly; a read attempt fails, and the blob must first be rehydrated to an online tier (Hot or Cool) through a Set Blob Tier call or a copy that specifies an online destination tier. Option C is wrong because changing the tier from Archive to Cool is itself a rehydration; at standard priority it can take up to 15 hours, not minutes, so it does not meet the 'later today' requirement. Option D is wrong because lifecycle management only tiers blobs down (to Cool, Cold or Archive) or deletes them, it runs on a daily schedule rather than on demand, and it has no action that rehydrates blobs out of Archive.

115
Multi-Selecthard

A compliance team wants newly uploaded monthly reports to remain in the Hot tier for 90 days and then move automatically to a cheaper online tier without becoming offline. Which two configurations should the administrator use? Select two.

Select 2 answers
A.Create a blob lifecycle management rule.
B.Configure the rule to transition blobs from Hot to Cool after 90 days.
C.Transition the blobs to Archive after 90 days so they cost less than Cool.
D.Use file share snapshots because lifecycle rules do not apply to blobs.
E.Enable soft delete on the container to change access tiers automatically.
AnswersA, B

Lifecycle management automates tier changes based on object age, which fits recurring report data perfectly.

Why this answer

Option A is correct because Azure Blob Lifecycle Management rules allow administrators to automate tier transitions for blobs based on age or other conditions. Option B is correct because transitioning from Hot to Cool after 90 days meets the requirement of moving to a cheaper online tier (Cool is online and less expensive than Hot) while keeping the data accessible without becoming offline.

Exam trap

The trap here is that candidates often confuse the Archive tier as a 'cheaper online' option, but Archive is offline and requires rehydration, while Cool is the correct online tier for cost savings after 90 days.
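The policy the two correct options describe, as an added example that is not part of the original page: it builds the lifecycle management document in the JSON shape Azure Storage uses (rules, definition, actions, baseBlob) for the Hot-to-Cool-after-90-days requirement, and adds a lint that flags any enabled rule that would archive or delete base blobs, which is the check a compliance team would run before a policy is applied. The prefix and rule name are assumptions for illustration.

```python
"""Lifecycle policy for the Q115 scenario plus a lint for offline transitions.

Added example, not code from the original page. It builds the management
policy document in the JSON shape Azure Storage lifecycle management uses
(rules -> definition -> actions -> baseBlob) and then checks any policy for
enabled rules that would archive or delete base blobs. The prefix and rule
name are assumptions for illustration.
"""
import json

# baseBlob actions that keep data online and readable without rehydration.
ONLINE_ACTIONS = {"tierToCool", "tierToCold"}
# baseBlob actions after which a blob is offline (Archive) or gone (delete).
OFFLINE_OR_DESTRUCTIVE = {"tierToArchive", "delete"}
# Boolean switch that may sit beside the actions; not a transition itself.
FLAGS = {"enableAutoTierToHotFromCool"}


def hot_to_cool_policy(prefix: str, days: int) -> dict:
    """Policy that moves block blobs under `prefix` from Hot to Cool once they
    have not been modified for `days` days, and never takes them offline."""
    return {
        "rules": [
            {
                "enabled": True,
                "name": "monthly-reports-to-cool",   # assumed rule name
                "type": "Lifecycle",
                "definition": {
                    "filters": {
                        "blobTypes": ["blockBlob"],
                        "prefixMatch": [prefix],
                    },
                    "actions": {
                        "baseBlob": {
                            "tierToCool": {
                                "daysAfterModificationGreaterThan": days
                            }
                        }
                    },
                },
            }
        ]
    }


def lint_policy(policy: dict) -> list:
    """Return one finding per enabled rule action that would archive or delete
    base blobs, or that is not a recognised baseBlob action. An empty list
    means every enabled rule keeps the data online."""
    findings = []
    for rule in policy.get("rules", []):
        if not rule.get("enabled", True):
            continue  # disabled rules do not run, so they cannot take data offline
        name = rule.get("name", "<unnamed>")
        actions = rule.get("definition", {}).get("actions", {})
        for action, condition in actions.get("baseBlob", {}).items():
            if action in OFFLINE_OR_DESTRUCTIVE:
                # The condition dict holds a single daysAfter... threshold.
                days = next(iter(condition.values()), "?")
                findings.append(
                    f"{name}: '{action}' after {days} days takes data offline or deletes it"
                )
            elif action not in ONLINE_ACTIONS and action not in FLAGS:
                findings.append(f"{name}: unrecognised baseBlob action '{action}'")
    return findings


def policy_json(policy: dict) -> str:
    """Serialise the policy as it would be submitted to the storage account."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    policy = hot_to_cool_policy("reports/", 90)
    print(policy_json(policy))
    print("findings:", lint_policy(policy) or "none")
```

The lint treats tierToCold as online because Cold, like Cool, needs no rehydration; swapping tierToCool for tierToArchive in the same rule is exactly what Option C proposes, and the lint reports it.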

116
MCQhard

A records team stores monthly regulatory exports in a blob container. The files are rarely opened, but auditors may request one specific file later the same day. The team wants the lowest storage cost possible while keeping a path to restore a single file on demand. Which approach should you use?

A.Keep the blobs in the Hot tier and rely on lifecycle rules to delete them after 90 days.
B.Move the blobs to the Archive tier and use high-priority rehydration when a file is requested.
C.Move the blobs to the Cool tier because it is offline until accessed.
D.Use the Cold tier because it requires a rehydration job before the blob becomes readable.
AnswerB

Archive is the correct storage tier when the files are rarely accessed and cost reduction is the priority. Archived blobs are offline, so they cannot be read immediately. However, if auditors need one file later the same day, the administrator can initiate rehydration. High-priority rehydration is the best choice when faster access is needed for a specific archived blob and the team is willing to pay for the quicker retrieval path.

Why this answer

The Archive tier has the lowest storage cost for rarely accessed data, and high-priority rehydration lets a single file be brought back online quickly (typically within an hour for blobs under 10 GB, as opposed to up to 15 hours at standard priority), which covers the auditor's same-day request. This minimizes storage cost while retaining an on-demand path to any one file, at the price of a retrieval charge and a minimum retention period (blobs deleted or moved out of Archive within 180 days incur an early deletion fee).

Exam trap

The trap here is that candidates confuse the Archive tier's offline nature with the Cool or Cold tiers, or assume that the lowest storage cost must come from an online tier, ignoring that Archive's rehydration feature still allows on-demand retrieval at a higher retrieval cost but lower overall storage expense.

How to eliminate wrong answers

Option A is wrong because keeping blobs in the Hot tier pays the highest storage rate, and a rule that deletes them after 90 days destroys the very records auditors may ask for rather than lowering their cost. Option C is wrong because the Cool tier is online, not offline: it needs no rehydration and is readable immediately, but its storage rate is higher than Archive, so it does not give the lowest storage cost. Option D is wrong because the Cold tier is also an online tier (priced between Cool and Archive, with a 90-day early deletion period); it does not require a rehydration job, so the option misdescribes it. Rehydration is a property of Archive alone.

117
Multi-Selecteasy

A Windows VM and a Linux VM are both joined to the same Active Directory Domain Services domain. Which two authentication methods can be used to mount the same Azure Files share over SMB? Select two.

Select 2 answers
A.Storage account key
B.Active Directory Domain Services credentials
C.Blob SAS token
D.Network security group rule
E.Azure resource lock
AnswersA, B

The storage account key can authenticate SMB mounts from supported Windows and Linux clients.

Why this answer

Option A is correct because the storage account key provides administrative access to the Azure Files share, allowing any SMB client (Windows or Linux) to mount the share by using the key as the credential. Option B is correct because when both VMs are joined to the same Active Directory Domain Services domain, the Azure Files share can be enabled for AD DS authentication, allowing domain-joined clients to mount the share using their domain credentials.

Exam trap

The trap here is that candidates often confuse Azure Files authentication with Blob Storage authentication, mistakenly selecting a SAS token as a valid method for SMB mounting, when in fact SAS tokens are only used for REST-based access to Blob or File storage (via HTTPS), not for SMB protocol.

118
MCQmedium

A team enabled Azure Files for a Windows-based application. The app can reach the storage account, but the mount fails because users cannot authenticate with the share. The team does not want to use the storage account key. What is the best next step?

A.Turn off the storage account firewall and retry the mount anonymously.
B.Grant the VM or user an Azure Files data-plane role, such as Storage File Data SMB Share Contributor, and use identity-based authentication.
C.Create a network security group rule that allows TCP 445 to the share.
D.Convert the storage account to a premium block blob account.
AnswerB

When Azure Files is accessed over SMB without storage keys, the administrator should use identity-based authentication and assign the appropriate Azure Files data-plane role. This provides the permissions needed to mount and use the share while avoiding storage account keys. It is the correct fix when network access works but authorization fails.

Why this answer

Option B is correct because Azure Files supports identity-based authentication over SMB with Kerberos through on-premises Active Directory Domain Services, Microsoft Entra Domain Services, or Microsoft Entra Kerberos for hybrid identities. Enabling one of those sources on the storage account and granting the user or VM a share-level role such as Storage File Data SMB Share Contributor (Windows ACLs then govern file and directory access) lets the mount succeed with domain credentials, so the storage account key is never used.

Exam trap

The trap here is that candidates often confuse network-level connectivity (TCP 445) with authentication requirements, assuming that opening the port alone will fix the mount failure, when in fact the issue is the lack of a valid identity-based authentication mechanism.

How to eliminate wrong answers

Option A is wrong because there is no anonymous mode for an SMB share: a mount always presents a credential, so removing the firewall changes nothing about authentication (and weakens the network boundary for no gain). Option C is wrong because an NSG rule allowing TCP 445 concerns reachability, and the scenario says the app can already reach the storage account; the failure is in authentication, not in the network path. Option D is wrong because a premium block blob account holds only block blobs and cannot host Azure Files shares (premium file shares live in a FileStorage account), so the conversion would remove the share rather than fix its authentication.

119
Multi-Selecteasy

A partner must upload files to one blob container for 12 hours. You do not want to share the storage account key. Which two temporary access methods can be used? Select two.

Select 2 answers
A.Service SAS, because it grants scoped access to a container or blob for a limited time.
B.User delegation SAS, because it is issued with Microsoft Entra ID and supports limited-time access.
C.Storage account shared key, because it can be time-limited when copied into an email.
D.Anonymous access, because it can be enabled for the container and expires automatically after 12 hours.
E.Resource lock, because it can restrict the partner to one container without requiring any token.
AnswersA, B

A service SAS can grant short-lived access with precise permissions and scope.

Why this answer

Option A is correct because a Service SAS (Shared Access Signature) delegates limited-time, scoped access to a specific container or blob without exposing the storage account key. It carries a start time, expiry time and permission set (for example create and write), so a 12-hour upload window onto one container is exactly what it expresses. Option B is correct because a user delegation SAS does the same but is signed with a Microsoft Entra ID user delegation key rather than the account key, so issuing it requires an Entra identity with the right RBAC permission and it can be revoked by revoking that key. Two caveats a practitioner should note: a service SAS is signed with the account key, so rotating that key invalidates every outstanding token (and only a SAS bound to a stored access policy can be revoked without a rotation); and in either form the token should be scoped to the one container and to the create and write permissions the upload actually needs, not to read, delete or list.

Exam trap

The trap here is that candidates often confuse a Service SAS with the storage account shared key, mistakenly thinking the key can be time-limited when shared, or they overlook that anonymous access lacks any expiry mechanism and cannot be used for controlled, temporary access.
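A check an administrator can run over a SAS URL before handing it to a partner, as an added example that is not part of the original page: it reads the query parameters Azure Storage places in a SAS (sv, sp, se, st, sr, ss, srt, spr, and the skoid/sktid family that only a user delegation SAS carries) to tell the three SAS kinds apart, computes the lifetime, and flags anything a 12-hour, upload-only, single-container grant should not contain. The account name, container and signatures below are constructed placeholders, not real credentials.

```python
"""Classify a SAS URL and check it against a short-lived partner policy (Q119).

Added example, not code from the original page. It reads the query parameters
Azure Storage puts in a SAS (sv, sp, se, st, sr, ss, srt, spr, skoid ...) to
tell a user delegation SAS, a service SAS and an account SAS apart, computes
the token lifetime, and flags anything a 12-hour, write-only, single-container
grant should not contain. The account, container and signatures below are
constructed placeholders, not real credentials.
"""
from datetime import datetime, timezone, timedelta
from urllib.parse import urlsplit, parse_qs


def _parse_time(value: str) -> datetime:
    """SAS times are ISO 8601 UTC, e.g. 2025-03-01T08:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_sas(url: str, now: datetime) -> dict:
    """Return kind, scope, permissions, expiry and lifetime of a SAS URL."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "skoid" in q:
        kind = "user-delegation"   # signed with a user delegation key from Entra ID
    elif "ss" in q and "srt" in q:
        kind = "account"           # signed with the account key, spans services
    elif "sr" in q:
        kind = "service"           # signed with the account key, one resource
    else:
        raise ValueError("no recognisable SAS parameters in URL")
    expiry = _parse_time(q["se"])
    start = _parse_time(q["st"]) if "st" in q else now   # st is optional; valid from issue
    return {
        "kind": kind,
        "scope": q.get("sr") or q.get("srt"),   # sr=c means one container
        "permissions": q.get("sp", ""),
        "https_only": q.get("spr") == "https",
        "expiry": expiry,
        "lifetime": expiry - start,
    }


def check_partner_sas(url: str, now: datetime, max_hours: int = 12,
                      allowed_permissions: str = "cw") -> list:
    """Findings for a grant meant to let a partner upload to one container
    for at most `max_hours`; an empty list means the token fits the policy."""
    info = parse_sas(url, now)
    findings = []
    if info["kind"] == "account":
        findings.append("account SAS spans services/resource types; use a service or user delegation SAS")
    if info["scope"] != "c":
        findings.append(f"scope is {info['scope']!r}, expected a single container ('c')")
    extra = set(info["permissions"]) - set(allowed_permissions)
    if extra:
        findings.append(f"permissions {''.join(sorted(extra))!r} exceed upload-only ({allowed_permissions})")
    if info["lifetime"] > timedelta(hours=max_hours):
        findings.append(f"lifetime {info['lifetime']} exceeds {max_hours}h")
    if info["expiry"] <= now:
        findings.append("token already expired")
    if not info["https_only"]:
        findings.append("spr=https missing; token usable over http")
    return findings


# Constructed evaluation time and sample tokens; signatures are placeholders.
NOW = datetime(2025, 3, 1, 8, 0, tzinfo=timezone.utc)
PARTNER_SAS = ("https://contosofiles.blob.core.windows.net/partner-drop"
               "?sv=2022-11-02&sr=c&sp=cw&st=2025-03-01T08:00:00Z"
               "&se=2025-03-01T20:00:00Z&spr=https&sig=PLACEHOLDER")
YEAR_SAS = ("https://contosofiles.blob.core.windows.net/partner-drop"
            "?sv=2022-11-02&sr=c&sp=rwdl&se=2026-03-01T08:00:00Z&sig=PLACEHOLDER")
DELEGATION_SAS = ("https://contosofiles.blob.core.windows.net/partner-drop"
                  "?sv=2022-11-02&sr=c&sp=cw&se=2025-03-01T20:00:00Z&spr=https"
                  "&skoid=00000000-0000-0000-0000-000000000000"
                  "&sktid=11111111-1111-1111-1111-111111111111"
                  "&skt=2025-03-01T08:00:00Z&ske=2025-03-01T20:00:00Z"
                  "&sks=b&skv=2022-11-02&sig=PLACEHOLDER")

if __name__ == "__main__":
    for label, url in (("partner", PARTNER_SAS), ("one-year", YEAR_SAS), ("delegation", DELEGATION_SAS)):
        print(label, parse_sas(url, NOW)["kind"], check_partner_sas(url, NOW) or "ok")
```

The one-year token from Q109 option A fails three checks here (lifetime, read/delete/list permissions, no HTTPS restriction); the signature itself is never verified, because verification needs the account key or delegation key that the issuer holds, not the reviewer.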

120
Multi-Selecteasy

A development team needs one storage account to host blob containers, Azure Files shares, and blob lifecycle management rules. Which two statements about the account are correct? Select two.

Select 2 answers
A.It should be a General-purpose v2 storage account.
B.It must be a BlobStorage account.
C.It can host both blob containers and Azure Files shares.
D.It must use only zone-redundant storage to use lifecycle rules.
E.It cannot use lifecycle management for blobs.
AnswersA, C

A General-purpose v2 account supports blob storage, Azure Files, and lifecycle management features.

Why this answer

A General-purpose v2 (GPv2) account is the right choice because it is the only account type that hosts blob containers and Azure Files shares together while also supporting blob lifecycle management. A legacy BlobStorage account does support lifecycle policies, but it holds blobs only and cannot host file shares, which is why Option B is wrong and Option E is wrong too (the chosen account type can use lifecycle management). General-purpose v1 accounts lack lifecycle management entirely, and the feature has no dependency on the redundancy option, so ZRS is not required.

Exam trap

The trap here is that candidates often confuse the BlobStorage account type as a universal blob solution, forgetting it cannot host Azure Files shares, and they may also incorrectly assume lifecycle management requires a specific replication redundancy like ZRS.

121
MCQeasy

A VM-based application needs to read from Azure Storage without storing a password, access key, or other secret in code or configuration. The identity should also be removed automatically if the VM is deleted. What should you enable?

A.A system-assigned managed identity
B.A user-assigned managed identity
C.A storage account access key
D.A shared access signature
AnswerA

A system-assigned managed identity is attached to the VM itself, enabling secretless access and automatic cleanup when the VM is deleted.

Why this answer

A system-assigned managed identity is the correct choice because it is tied directly to the lifecycle of the Azure VM: when the VM is deleted, the identity and its role assignments go with it. The VM authenticates to Azure Storage without any secret in code or configuration by requesting a Microsoft Entra ID access token from the Azure Instance Metadata Service (IMDS) endpoint at 169.254.169.254 (reachable only from inside the VM, and only with the Metadata: true request header) and presenting it as a bearer token.

Exam trap

The trap here is that candidates often confuse user-assigned managed identities with system-assigned ones, overlooking the key requirement that the identity must be automatically removed when the VM is deleted, which only system-assigned identities guarantee.

How to eliminate wrong answers

Option B is wrong because a user-assigned managed identity is a standalone Azure resource that is not automatically deleted when the VM is deleted; it must be manually cleaned up, which violates the requirement for automatic removal. Option C is wrong because a storage account access key is a static secret that must be stored in code or configuration, directly contradicting the requirement to avoid storing secrets. Option D is wrong because a shared access signature (SAS) is a token that must be generated and stored in code or configuration, and it does not provide automatic identity removal tied to the VM lifecycle.
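The token flow that questions 109, 112 and 121 rely on, as an added example that is not part of the original page: the two HTTP calls a VM-hosted service makes, a GET to the Instance Metadata Service for a token scoped to https://storage.azure.com/ and a Put Blob that presents it as a bearer credential. It uses only the standard library (the azure-identity SDK does the same thing underneath), the HTTP transport is injectable so the flow can be exercised with a constructed IMDS response off the VM, and the account and container names are assumptions.

```python
"""Secretless blob upload from a VM with a managed identity (Q109, Q112, Q121).

Added example, not code from the original page. It shows the two HTTP calls
the Windows service would make: a GET to the Azure Instance Metadata Service
(IMDS) at 169.254.169.254 for a token scoped to https://storage.azure.com/, and
a Put Blob with that token as a bearer credential. The HTTP client is
injectable so the flow can be exercised with a constructed IMDS response off
the VM; the account and container names are assumptions.
"""
import json
import time
import urllib.parse
import urllib.request

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"
STORAGE_RESOURCE = "https://storage.azure.com/"
BLOB_API_VERSION = "2021-12-02"


def build_token_request(client_id=None):
    """URL and headers for the IMDS token call. With a system-assigned identity
    no client_id is sent; for a user-assigned identity pass its client ID so
    IMDS knows which of the VM's identities to use."""
    params = {"api-version": IMDS_API_VERSION, "resource": STORAGE_RESOURCE}
    if client_id:
        params["client_id"] = client_id
    # The Metadata header is mandatory; IMDS rejects requests without it,
    # which also stops a browser or proxy from being tricked into making one.
    return f"{IMDS_TOKEN_URL}?{urllib.parse.urlencode(params)}", {"Metadata": "true"}


def fetch_json(url, headers):
    """Real transport: only works on an Azure VM with a managed identity."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


class ManagedIdentityToken:
    """Caches the IMDS token and refreshes it `skew` seconds before expires_on."""

    def __init__(self, fetch=fetch_json, client_id=None, skew=300):
        self._fetch = fetch
        self._client_id = client_id
        self._skew = skew
        self._token = None
        self._expires_on = 0
        self.fetch_count = 0

    def get(self, now=None):
        now = time.time() if now is None else now
        if self._token is None or now >= self._expires_on - self._skew:
            url, headers = build_token_request(self._client_id)
            body = self._fetch(url, headers)
            self._token = body["access_token"]
            self._expires_on = int(body["expires_on"])   # IMDS returns epoch seconds as a string
            self.fetch_count += 1
        return self._token


def build_put_blob(account, container, blob_name, token, body: bytes,
                   content_type="application/pdf"):
    """Put Blob request that the Storage Blob Data Contributor role authorises.
    Returns (method, url, headers); the body is sent as-is."""
    url = f"https://{account}.blob.core.windows.net/{container}/{urllib.parse.quote(blob_name)}"
    headers = {
        "Authorization": f"Bearer {token}",
        "x-ms-version": BLOB_API_VERSION,   # required when authorizing with a bearer token
        "x-ms-blob-type": "BlockBlob",
        "Content-Type": content_type,
        "Content-Length": str(len(body)),
    }
    return "PUT", url, headers


def fake_imds(url, headers):
    """Constructed IMDS response for running this example off a VM."""
    assert headers.get("Metadata") == "true", "IMDS rejects calls without Metadata: true"
    q = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return {
        "access_token": "constructed.token." + q.get("client_id", ["system"])[0],
        "expires_on": "1700003600",          # constructed epoch value
        "resource": STORAGE_RESOURCE,
        "token_type": "Bearer",
    }


if __name__ == "__main__":
    tok = ManagedIdentityToken(fetch=fake_imds)
    method, url, hdrs = build_put_blob("contosoinvoices", "invoices", "2025/03/inv-001.pdf",
                                       tok.get(now=1700000000), b"%PDF-1.4 constructed")
    print(method, url)
    print(json.dumps(hdrs, indent=2))
```

Nothing in this flow is written to disk: the token lives in process memory, expires within hours, and is re-issued by IMDS on demand, which is what makes it compliant with a policy that forbids keys and long-lived SAS tokens on the VM. Replace fake_imds with fetch_json on a real VM and the same code runs unchanged.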

122
MCQmedium

A lifecycle rule moved old audit logs to the Archive tier. A support engineer now needs to read one archived blob, and the download request fails with a message that the blob is archived. The engineer can wait several hours for the data to become available. What should the administrator do?

A.Enable versioning on the storage account so the archived blob can be read immediately.
B.Change the blob tier from Archive to Hot or Cool to start rehydration.
C.Move the blob to a different container in the same storage account.
D.Switch the storage account replication from LRS to ZRS.
AnswerB

Archived blobs are offline and cannot be read until they are rehydrated. Changing the access tier to Hot or Cool begins the rehydration process, after which the blob becomes available again. Because the engineer can wait, standard priority is acceptable, and this is the correct administrative action rather than changing account settings. (The only other supported path is copying the archived blob to a new blob while specifying an online destination tier, which rehydrates the copy and leaves the original in Archive.)

Why this answer

Option B is correct because archived blobs in Azure Storage are offline and cannot be read directly. To access the data, the blob must first be rehydrated by changing its tier to Hot or Cool, which initiates an asynchronous copy of the blob data to an online tier. This process can take up to 15 hours, matching the engineer's ability to wait several hours.

Exam trap

The trap here is that candidates may confuse storage account settings (versioning, replication, container moves) with blob-tier operations, failing to recognize that only a tier change initiates rehydration for archived blobs.

How to eliminate wrong answers

Option A is wrong because enabling versioning creates new versions of blobs on writes, but does not change the tier of existing archived blobs; the archived blob remains offline and unreadable. Option C is wrong because moving a blob to a different container does not alter its tier; the blob stays in the Archive tier and remains inaccessible. Option D is wrong because changing replication from LRS to ZRS affects redundancy and durability, but does not affect the blob's tier or its offline status; the archived blob still requires rehydration.

123
Multi-Selecthard

A 180-GB blob is in the Archive tier. A legal team needs the file available later today and expects to open it several times during review. Which two actions should the administrator take? Select two.

Select 2 answers
A.Initiate rehydration of the blob to the Hot tier.
B.Leave the blob in Archive and rely on first access to trigger rehydration.
C.Choose High priority rehydration.
D.Copy the blob to a new container and keep it in Archive.
E.Apply a lifecycle rule that moves the blob to Cool after rehydration completes.
AnswersA, C

Archive blobs must be rehydrated before access. Moving the blob to Hot makes it immediately usable after the rehydration finishes.

Why this answer

Option A is correct because the blob is offline until explicit rehydration is initiated, and Hot is the right target when the team will read it several times (Hot has no per-GB retrieval charge on reads, Cool does). Option C is correct because the priority decides how fast that rehydration runs: standard priority can take up to 15 hours, while High priority is processed ahead of standard requests and usually finishes within an hour for blobs under 10 GB. A 180-GB blob will take longer than that even at High priority, but it remains the only way to make 'later today' realistic.

Exam trap

The trap here is that candidates assume an archived blob is brought back by simply reading it, the way a Cool or Cold blob can be read directly (those tiers are online). Archive has no read-triggered rehydration: a read returns an error until someone explicitly sets an online tier, and the priority setting (Standard or High) chosen at that moment determines how long the wait is.
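The decision questions 114, 122 and 123 walk through, as an added example that is not part of the original page: given the tier headers that Get Blob Properties returns (x-ms-access-tier and, while a rehydration is pending, x-ms-archive-status), it decides whether a blob is readable now and, if not, builds the Set Blob Tier request (PUT ...?comp=tier with x-ms-access-tier and x-ms-rehydrate-priority) that starts rehydration, choosing Hot for repeated reads and High priority for a same-day deadline. It also maps the 409 error codes a read of an archived blob produces to the operator action. Account, container and blob names are assumptions.

```python
"""Rehydration planning for archived blobs (Q114, Q122, Q123).

Added example, not code from the original page. Given the tier-related
response headers from Get Blob Properties, it decides whether a blob can be
read now and, if not, builds the Set Blob Tier request (PUT ...?comp=tier
with x-ms-access-tier and x-ms-rehydrate-priority) that starts rehydration.
Account, container and blob names are assumptions for illustration.
"""

API_VERSION = "2021-12-02"           # any version >= 2019-02-02 supports priority
ONLINE_TIERS = {"Hot", "Cool", "Cold"}
STANDARD_WORST_CASE_HOURS = 15       # documented upper bound for Standard priority


def blob_state(headers: dict) -> str:
    """Classify a blob from Get Blob Properties headers.
    Returns 'online', 'archived' or 'rehydrating'."""
    tier = headers.get("x-ms-access-tier", "")
    status = headers.get("x-ms-archive-status", "")
    if status.startswith("rehydrate-pending-to-"):
        return "rehydrating"            # tier still reads Archive until done
    if tier == "Archive":
        return "archived"
    if tier in ONLINE_TIERS:
        return "online"
    raise ValueError(f"unexpected tier header: {tier!r}")


def set_tier_request(account, container, blob, tier, priority="Standard"):
    """Build the Set Blob Tier call that rehydrates an archived blob in place.
    Returns (method, url, headers); the caller adds Authorization."""
    if tier not in ONLINE_TIERS:
        raise ValueError("rehydration target must be an online tier")
    if priority not in ("Standard", "High"):
        raise ValueError("priority must be Standard or High")
    url = f"https://{account}.blob.core.windows.net/{container}/{blob}?comp=tier"
    headers = {
        "x-ms-version": API_VERSION,
        "x-ms-access-tier": tier,
        "x-ms-rehydrate-priority": priority,
        "Content-Length": "0",
    }
    return "PUT", url, headers


def plan_access(headers, reads_expected, needed_within_hours,
                account="contosoaudit", container="audit-logs", blob="2024-01.log"):
    """Decide what must happen before a blob can be read.

    Returns a dict whose 'action' is 'read' (online now), 'wait' (rehydration
    already pending) or 'rehydrate' (with the request to send). The target tier
    is Hot for repeated reads, because Cool charges per-GB retrieval on every
    read, and priority is High when the deadline is shorter than the 15-hour
    Standard worst case. High priority finishes in under an hour only for
    blobs below roughly 10 GB; larger blobs take longer, though still less
    than Standard."""
    state = blob_state(headers)
    if state == "online":
        return {"action": "read"}
    if state == "rehydrating":
        return {"action": "wait", "pending": headers["x-ms-archive-status"]}
    tier = "Hot" if reads_expected > 1 else "Cool"
    priority = "High" if needed_within_hours < STANDARD_WORST_CASE_HOURS else "Standard"
    method, url, req_headers = set_tier_request(account, container, blob, tier, priority)
    return {"action": "rehydrate", "request": (method, url, req_headers)}


def explain_read_failure(status: int, error_code: str) -> str:
    """Map the error a GET on an archived blob returns to the operator action."""
    if status == 409 and error_code == "BlobArchived":
        return "blob is in Archive: start rehydration with Set Blob Tier"
    if status == 409 and error_code == "BlobBeingRehydrated":
        return "rehydration already in progress: poll x-ms-archive-status"
    return "not a tiering problem"


if __name__ == "__main__":
    # Constructed header sets standing in for three Get Blob Properties responses.
    for hdrs in ({"x-ms-access-tier": "Archive"},
                 {"x-ms-access-tier": "Archive", "x-ms-archive-status": "rehydrate-pending-to-hot"},
                 {"x-ms-access-tier": "Cool"}):
        print(plan_access(hdrs, reads_expected=3, needed_within_hours=8))
    print(explain_read_failure(409, "BlobArchived"))
```

Option A of question 114 is what explain_read_failure describes: the download does not silently fall back, it fails with 409 BlobArchived until the Set Blob Tier call has completed. The same helper covers question 122, where the engineer can wait and the default Standard priority is the cheaper choice.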

124
MCQmedium

A business-critical application uses an Azure storage account. The company requires that data remain available even if an entire Azure region becomes unavailable. Which redundancy option should you choose?

A.LRS
B.ZRS
C.GRS
D.GZRS
AnswerD

This best matches the requirement for both zone and region resilience.

Why this answer

D (GZRS) is correct because it combines zone-redundant storage (ZRS) within a primary region with geo-redundant replication to a secondary region, ensuring data remains available even if an entire Azure region becomes unavailable. This meets the business-critical requirement for regional disaster recovery while maintaining high durability and availability.

Exam trap

The trap here is that candidates often confuse GRS with GZRS, thinking GRS provides zone redundancy, but GRS only uses LRS in the primary region, making it vulnerable to zone-level failures within that region.

How to eliminate wrong answers

Option A (LRS) is wrong because it keeps three copies within a single datacenter, so a regional outage (or even a zone outage) takes the data offline. Option B (ZRS) is wrong because its three synchronous copies all sit in the primary region; it survives a zone failure but not a regional one. Option C (GRS) is wrong as the best answer because, although it does keep an asynchronously replicated copy in the secondary region, its primary-region copies are LRS, so a zone failure in the primary region can interrupt availability without any regional outage; GZRS adds zone redundancy in the primary region on top of the same geo-replication. The asynchronous replication lag applies to GRS and GZRS alike, so it is not what separates them.

125
Multi-Selecteasy

A company wants a storage account that keeps a readable copy in the secondary region and lets read operations continue if the primary region becomes unavailable. Which two redundancy options meet this requirement? Select two.

Select 2 answers
A.Locally redundant storage (LRS)
B.Zone-redundant storage (ZRS)
C.Geo-redundant storage (GRS)
D.Read-access geo-redundant storage (RA-GRS)
E.Read-access geo-zone-redundant storage (RA-GZRS)
AnswersD, E

RA-GRS and RA-GZRS replicate data to a secondary region and expose that copy through a read-only secondary endpoint.

Why this answer

Read-access geo-redundant storage (RA-GRS) is correct because it provides geo-redundant replication (GRS) with the added ability to read from the secondary region at all times, through a separate endpoint that uses the account name with -secondary appended. Read-access geo-zone-redundant storage (RA-GZRS) is correct for the same reason: it pairs zone redundancy in the primary region with a continuously readable secondary. With either option, if the primary region becomes unavailable, read operations can continue against the secondary endpoint without waiting for a failover.

Exam trap

The trap here is that candidates often select GRS (Option C) thinking it provides read access to the secondary region, but with GRS the secondary copy is usable only after a failover, when it becomes the new primary. Only the RA- variants (RA-GRS and RA-GZRS) expose a continuously readable secondary endpoint, which is the distinction the AZ-104 exam tests.

126
MCQmedium

A support engineer must download a blob that was moved to the Archive tier by a lifecycle rule. The file must be available as soon as possible for an investigation. What should the engineer do first?

A.Download the blob directly from the Archive tier because archived blobs are always online.
B.Change the blob's tier to Hot or Cool and wait for rehydration to complete.
C.Move the blob to a different container in the same account to make it downloadable immediately.
D.Disable the lifecycle rule so the blob becomes immediately readable again.
AnswerB

Archived blobs are stored offline, so they must be rehydrated before the data can be read or downloaded. Changing the tier to Hot or Cool starts that process. If the engineer needs the blob available as quickly as possible, the appropriate administrative action is to initiate rehydration rather than trying to access the file directly from Archive.

Why this answer

Option B is correct because blobs in the Archive tier are offline and must be rehydrated to an online tier (Hot or Cool) before they can be read. Setting the tier is what starts that rehydration; with Standard priority it can take up to 15 hours, and High priority may finish in under an hour for blobs under 10 GB, so requesting High priority is how "as soon as possible" is met. Nothing can be downloaded until the rehydration completes.

Exam trap

The trap here is that candidates may assume archived blobs are still accessible for download or that lifecycle rules can be disabled to instantly restore access, but Azure requires explicit tier change and rehydration before any read operation.

How to eliminate wrong answers

Option A is wrong because archived blobs are not always online; they are stored in an offline state and cannot be downloaded without rehydration. Option C is wrong because moving or copying a blob between containers does not by itself bring it online: a Copy Blob from an archived source is accepted only when the destination is placed in an online tier, and that copy is just another form of rehydration that takes the same Standard or High priority time. Nothing makes an archived blob downloadable immediately. Option D is wrong because disabling the lifecycle rule does not affect the blob's current tier; the blob remains in the Archive tier and must be explicitly rehydrated to become readable.

127
MCQmedium

You need to synchronize an on-premises Windows file server with an Azure file share so that branch offices can continue using the local server while keeping cloud-based copies of the files. Which service should you configure?

A.Azure File Sync
B.Blob versioning
C.Azure NetApp Files
D.Storage account failover
AnswerA

Azure File Sync is designed to synchronize on-premises Windows file servers with Azure file shares.

Why this answer

Azure File Sync is the correct service because it enables you to centralize your on-premises file shares in Azure Files while maintaining local access to the data. It uses a sync agent installed on the Windows file server to replicate files to an Azure file share, allowing branch offices to continue using the local server with cloud-based copies for backup, disaster recovery, or multi-site access. This directly meets the requirement of keeping the on-premises server operational while maintaining cloud copies.

Exam trap

The trap here is that candidates often confuse Azure File Sync with Azure NetApp Files or Blob storage features, mistakenly thinking that any cloud storage service can synchronize on-premises data, but only Azure File Sync provides bidirectional sync with an on-premises Windows file server.

How to eliminate wrong answers

Option B is wrong because Blob versioning is a feature of Azure Blob Storage that maintains previous versions of blobs for data protection and recovery, but it does not synchronize on-premises file servers with the cloud. Option C is wrong because Azure NetApp Files provides high-performance NFS and SMB file shares for enterprise workloads, but it is a fully managed cloud service that does not sync with on-premises file servers. Option D is wrong because storage account failover is a disaster recovery action that switches the account's primary endpoint to the secondary region when the primary is unavailable (customer-managed failover is initiated by the administrator; Microsoft initiates it only in a declared disaster); it does not provide ongoing synchronization between on-premises and cloud file shares.

128
MCQmedium

An administrator archives monthly log exports in a blob container to reduce storage cost. During an audit, one archived blob must be downloaded and opened later the same day. What must the administrator do before the blob can be read?

A.Read the blob directly from the Archive tier because archive data remains immediately online
B.Change the blob tier from Archive to Hot or Cool and wait for rehydration to finish
C.Copy the blob to a new container in the same account to bypass the archive restriction
D.Assign an Azure RBAC role to the auditor so the archived blob becomes available immediately
AnswerB

Changing the tier from Archive to an online tier starts rehydration, after which the blob becomes readable again.

Why this answer

Blobs stored in the Archive tier are offline and must be rehydrated to an online tier (Hot or Cool) before they can be read. Rehydration at Standard priority can take up to 15 hours, while High priority may finish in under an hour for blobs under 10 GB, so for a same-day audit the administrator should start the tier change right away, choose High priority, and wait for completion before downloading. Option B correctly identifies this required step.

Exam trap

The trap here is that candidates assume Archive tier blobs are accessible to anyone with the right permissions, but Azure keeps Archive blobs offline to minimize cost. RBAC decides who may act on the blob; rehydration decides whether the bytes are readable at all, and a copy to an online tier is itself a rehydration rather than a way around it.

How to eliminate wrong answers

Option A is wrong because Archive tier blobs are not immediately online; they are offline and require rehydration before access. Option C is wrong because copying does not bypass the restriction: a Copy Blob whose source is archived is accepted only when the destination is placed in an online tier, and that copy is a rehydration by copy that takes the same Standard or High priority time; a copy that keeps the Archive tier is rejected. Option D is wrong because RBAC roles control access permissions, not the online/offline state of the blob; even with the correct role, the blob remains offline in the Archive tier.

129
Multi-Selecthard

An Azure Function App and an Azure Automation runbook both need to upload, read, and delete blobs in one container. You must avoid stored secrets and keep the permissions as limited as possible. Which two configuration choices should you make? Select two.

Select 2 answers
A.Create a user-assigned managed identity that can be attached to both Azure resources.
B.Grant Storage Blob Data Contributor on the target container to that identity.
C.Store the storage account access key in both app settings and runbook variables.
D.Assign Contributor on the storage account because it automatically includes all blob data permissions.
E.Use a shared SAS token without an expiration date for both workloads.
AnswersA, B

A user-assigned managed identity is reusable across resources and avoids storing secrets in application code or configuration.

Why this answer

Option A is correct because a user-assigned managed identity is a Microsoft Entra identity whose credentials are managed by the platform; both the Function App and the Automation account can be assigned the same identity and obtain tokens for Azure Storage without any secret in configuration. Option B is correct because Storage Blob Data Contributor contains exactly the blob data actions the workloads need (read, write, delete) and assigning it at container scope limits the grant to that one container.

Exam trap

The trap here is that candidates often confuse the Contributor role on the storage account with data plane permissions, not realizing that Contributor only grants management plane access: it has no blob data actions, so the identity's Entra token would be refused on blob operations. It is also far from least privilege, because Contributor includes the listKeys action and can therefore retrieve the account keys.

130
MCQhard

Quarterly invoices were moved to the Archive tier by a lifecycle rule. An auditor now needs one specific blob available for download within the next hour. What should the administrator do?

A.Change the lifecycle rule so the blob will automatically move back to Hot on the next run.
B.Set the blob directly to the Hot tier and download it immediately.
C.Start a high-priority rehydration of the blob to the Hot tier, then wait for completion before downloading.
D.Copy the archived blob to another container by using the portal copy command.
AnswerC

Archive tier data is offline and must be rehydrated before it can be read. High-priority rehydration is the fastest recovery option when the blob is needed urgently, and Hot is appropriate when the user wants normal online access after the operation completes.

Why this answer

Option C is correct because blobs in the Archive tier are offline and must be rehydrated to an online tier (Hot or Cool) before they can be accessed. A High priority rehydration may complete in under an hour for blobs under 10 GB, which is the only way to meet the auditor's one-hour window; Standard priority can take up to 15 hours. Changing a lifecycle rule (A) does nothing to a blob that is already archived, setting the tier and downloading immediately (B) fails because the blob stays offline until the rehydration finishes, and a plain copy (D) is either rejected or is itself a rehydration that has to wait.

Exam trap

The trap here is that candidates treat the Archive-to-Hot change like a Cool-to-Hot change, which is immediate. A tier change out of Archive is a rehydration: it is asynchronous, it runs at Standard priority unless High is requested, and the blob cannot be read until it completes.

How to eliminate wrong answers

Option A is wrong because modifying a lifecycle rule only affects future transitions; it does not trigger rehydration of an already archived blob, and lifecycle rules cannot move blobs out of Archive anyway. Option B is wrong not because the tier cannot be set (setting the tier is how a rehydration is started) but because the download cannot follow immediately: the blob stays offline, with an archive status of rehydrate-pending-to-hot, until the rehydration finishes, and without High priority that can take up to 15 hours. Option D is wrong because a copy of an archived blob is accepted only when the destination is an online tier, and then it is simply a rehydration by copy that takes the same time; a copy that does not specify an online destination tier is rejected with an error indicating the source blob is archived.

131
MCQhard

An Azure Automation job running on a VM uses a managed identity to upload and overwrite JSON files in one container named configs. The job must not list, delete, or modify any other containers in the storage account. Which role assignment is the best choice?

A.Storage Blob Data Contributor at the configs container scope
B.Storage Blob Data Owner at the storage account scope
C.Contributor at the resource group scope
D.Storage Queue Data Contributor at the storage account scope
AnswerA

This role grants the blob data permissions the automation job needs while avoiding storage account keys or SAS tokens. Assigning it at the container scope ensures the identity can work only inside the configs container and cannot touch unrelated containers. It is the narrowest assignment that still allows upload and overwrite operations, which makes it the best least-privilege choice.

Why this answer

Storage Blob Data Contributor at the container scope gives the managed identity the blob data actions the job needs (read, write, delete, add) inside the configs container, and because the scope is the container, nothing is granted on any other container or on the account; the identity cannot even list the account's containers, because that requires the containers/read action at account scope. The write data action covers creating and overwriting blobs. One caveat: the role also carries the management actions containers/read, containers/write and containers/delete at the assigned scope, so the identity could delete or change properties of the configs container itself; if that matters, use a custom role without containers/delete or add a resource lock. Scoping the built-in role to the one container is still the closest the built-in roles come to least privilege here.

Exam trap

The trap here is that candidates often choose Storage Blob Data Owner at the storage account scope (Option B) because they think 'Owner' is necessary for overwriting files, but they overlook that 'Contributor' at the container scope already includes write permission and avoids granting excessive container management rights.

How to eliminate wrong answers

Option B is wrong because Storage Blob Data Owner at the storage account scope grants full control over all blobs and containers in the entire account (including POSIX ACL management on hierarchical namespace accounts), which violates the requirement to stay inside the configs container. Option C is wrong because Contributor at the resource group scope is a management-plane role: it can modify or delete the storage account and every other resource in the group, and it can read the account keys via listKeys, yet it carries no blob data actions, so the managed identity's token would still be rejected on the upload. Option D is wrong because Storage Queue Data Contributor covers Queue storage messages, not blobs, and has no permission to upload or overwrite blobs in a container.

132
MCQmedium

A workload uses Azure Blob Storage for customer uploads. The team wants protection against a datacenter failure within the primary region and wants data copied to a paired region for disaster recovery, but they do not need to read from the secondary region during normal operations. Which redundancy option fits best?

A.ZRS
B.GZRS
C.RA-GZRS
D.GRS
AnswerB

GZRS protects against zone failure and also replicates data to a paired region for disaster recovery.

Why this answer

GZRS (Geo-Zone-Redundant Storage) is correct because it combines ZRS within the primary region (synchronously replicating data across three Azure availability zones) with asynchronous geo-replication to a paired secondary region. This provides protection against both a datacenter failure (via ZRS) and a full region failure (via geo-replication), while the lack of read access from the secondary during normal operations matches the requirement exactly.

Exam trap

The trap here is that candidates often confuse GRS with GZRS, assuming GRS provides zone-level redundancy, but GRS only uses LRS in the primary region, leaving data vulnerable to a single datacenter failure within that region.

How to eliminate wrong answers

Option A (ZRS) is wrong because it replicates only within the primary region; it does survive a datacenter or zone failure, but it keeps no copy in the paired region, so it fails the disaster recovery requirement. Option C (RA-GZRS) is wrong only because it exceeds the requirement: it adds a continuously readable secondary endpoint that the team said it does not need, at extra cost. Option D (GRS) is wrong because it uses LRS in the primary region, so the loss of that single datacenter takes the primary copy offline and forces a failover to the secondary, with any writes not yet replicated asynchronously at risk; GZRS absorbs a zone failure in place.
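
Questions 124, 125 and 132 all turn on the same two facts: geo-replication is asynchronous, and only the RA- variants offer a readable secondary before a failover. The following Az PowerShell is an added example, not part of the question bank, showing how to read those facts off a live account; the resource group and account names are assumptions.

```powershell
# Added example, not from the question bank. Names are assumptions.
$rg = 'rg-docs'; $account = 'stdocs'

# Which redundancy is actually configured, and how far behind is the secondary?
$sa = Get-AzStorageAccount -ResourceGroupName $rg -Name $account -IncludeGeoReplicationStats
"Sku: $($sa.Sku.Name)"   # Standard_LRS, Standard_ZRS, Standard_GRS, Standard_GZRS, Standard_RAGRS, Standard_RAGZRS

if ($sa.GeoReplicationStats) {
    # LastSyncTime is the recovery point: writes after it are not guaranteed to exist on
    # the secondary yet. Geo-replication is asynchronous for GRS and GZRS alike, so this
    # lag does not separate the two; zone redundancy in the primary region does.
    $stats = $sa.GeoReplicationStats
    "Secondary status: $($stats.Status)  last sync: $($stats.LastSyncTime)  can fail over: $($stats.CanFailover)"
    if ($stats.LastSyncTime) {
        $lag = [datetime]::UtcNow - $stats.LastSyncTime
        if ($lag.TotalMinutes -gt 15) {
            Write-Warning ("Secondary is {0:N0} minutes behind the primary" -f $lag.TotalMinutes)
        }
    }
} else {
    'No secondary region: this account is LRS or ZRS and will not survive a regional outage.'
}

# Only RA-GRS and RA-GZRS expose a readable secondary while the primary is healthy.
# Its hostname is the account name with '-secondary' appended.
if ($sa.SecondaryEndpoints) {
    "Read-only secondary endpoint: $($sa.SecondaryEndpoints.Blob)"
} else {
    'No readable secondary: GRS/GZRS data in the paired region is usable only after a failover.'
}

# Customer-managed failover promotes the secondary when the primary region is down. It is
# an explicit, administrator-initiated action (not automatic), writes after LastSyncTime
# are lost, and the account is left without geo-redundancy until you reconfigure it.
# Uncomment only in a real regional outage or a planned DR test.
# Invoke-AzStorageAccountFailover -ResourceGroupName $rg -Name $account -Force
```

The LastSyncTime check is the one to put in a runbook: it is the measurable recovery point for every geo-redundant option, and the warning threshold (15 minutes here) is a policy choice, not an Azure value.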

133
Drag & Dropmedium

Arrange the steps to create an Azure Storage account with a container and upload a blob.


Why this order

Create the storage account, then the container, then set access on the container (anonymous access off; grant a data-plane role or a SAS to whoever needs the data), upload the blob, and generate the SAS last. The SAS comes last because it is scoped to a blob or container that must already exist, and issuing it as late as possible keeps its lifetime short.
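
The five steps above as Az PowerShell, added here as a worked example (this is not code from the question bank). The resource group, region, account and container names, the local file path and the administrator's sign-in name are assumptions, and "set access" is taken to mean turning anonymous access off and granting a data-plane role rather than sharing the account key.

```powershell
# Added example, not from the question bank. Names, region, path and sign-in are assumptions.
$rg        = 'rg-docs'
$location  = 'westeurope'
$account   = 'stdocs' + (Get-Random -Maximum 99999)   # globally unique, 3-24 lowercase alphanumerics
$container = 'contracts'
$localFile = 'C:\exports\contract-0001.pdf'

# 1. Create the storage account. Anonymous blob access is off at the account level,
#    TLS 1.2 is the floor, and ZRS keeps three synchronous copies across availability zones.
$sa = New-AzStorageAccount -ResourceGroupName $rg -Name $account -Location $location `
        -SkuName Standard_ZRS -Kind StorageV2 -AccessTier Hot `
        -AllowBlobPublicAccess $false -MinimumTlsVersion TLS1_2
$ctx = $sa.Context

# 2. Create the container.
New-AzStorageContainer -Name $container -Context $ctx | Out-Null

# 3. Set access: no anonymous access on the container, and a data-plane role for the
#    people who manage the files instead of the account key.
Set-AzStorageContainerAcl -Name $container -Permission Off -Context $ctx
$containerScope = "$($sa.Id)/blobServices/default/containers/$container"
New-AzRoleAssignment -SignInName 'docs-admin@contoso.com' `
    -RoleDefinitionName 'Storage Blob Data Contributor' -Scope $containerScope | Out-Null

# 4. Upload the blob, landing it directly in the intended tier.
Set-AzStorageBlobContent -File $localFile -Container $container -Blob 'contract-0001.pdf' `
    -StandardBlobTier Hot -Context $ctx | Out-Null

# 5. Generate a SAS only for a consumer that cannot use Entra: one blob, read only,
#    HTTPS only, 24-hour expiry. The small negative start time absorbs clock skew.
$sasUri = New-AzStorageBlobSASToken -Container $container -Blob 'contract-0001.pdf' `
    -Permission r -Protocol HttpsOnly -StartTime (Get-Date).AddMinutes(-5) `
    -ExpiryTime (Get-Date).AddHours(24) -FullUri -Context $ctx

# Check: the account must refuse anonymous access and old TLS before anything is shared.
$check = Get-AzStorageAccount -ResourceGroupName $rg -Name $account
"{0}: AllowBlobPublicAccess={1} MinimumTlsVersion={2} Sku={3}" -f $check.StorageAccountName, $check.AllowBlobPublicAccess, $check.MinimumTlsVersion, $check.Sku.Name
$sasUri
```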

134
Multi-Selecteasy

A Windows VM in Azure must upload log files to a blob container every hour. Security policy forbids storing the storage account key or any long-lived SAS token on the VM. Which two actions should the administrator take? Select two.

Select 2 answers
A.Enable a system-assigned managed identity on the VM.
B.Assign the Storage Blob Data Contributor role to that identity on the storage account or container.
C.Copy the storage account access key into a configuration file on the VM.
D.Assign the Reader role at the resource group scope to the VM identity.
E.Create a shared access signature that never expires and place it on the VM.
AnswersA, B

A system-assigned managed identity gives the VM an Azure identity without storing secrets on the server. It can authenticate to Azure Storage through Microsoft Entra ID.

Why this answer

A system-assigned managed identity on the VM lets it authenticate to Microsoft Entra ID (formerly Azure AD) with credentials that never leave the platform. By assigning Storage Blob Data Contributor to that identity on the storage account or, better, on the one container, the VM can upload logs with an Entra token, which satisfies the policy forbidding storage account keys and long-lived SAS tokens.

Exam trap

The trap here is that candidates often confuse the Reader role (which only grants control plane read access) with data plane roles like Storage Blob Data Contributor, or mistakenly think a non-expiring SAS is acceptable despite the explicit security policy forbidding long-lived credentials.
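
The configuration chosen in questions 129, 131 and 134 (a managed identity holding Storage Blob Data Contributor on one container, and nothing else) as Az PowerShell. This is an added example, not code from the question bank; resource names are assumptions, and the Function App and Automation cmdlet parameters are from current Az.Functions and Az.Automation modules, so check Get-Help if your module version differs.

```powershell
# Added example, not from the question bank. Resource names are assumptions.
$rg        = 'rg-app'
$account   = 'stappconfigs'
$container = 'configs'
$sa = Get-AzStorageAccount -ResourceGroupName $rg -Name $account

# Scope string for one container. Only this ARM path and its children are in scope;
# sibling containers and the account itself are not.
$containerScope = "$($sa.Id)/blobServices/default/containers/$container"

# Q129: one user-assigned identity shared by the Function App and the Automation account.
$uami = New-AzUserAssignedIdentity -ResourceGroupName $rg -Name 'id-blob-writer' -Location $sa.Location
Update-AzFunctionApp -ResourceGroupName $rg -Name 'func-config-loader' `
    -IdentityType UserAssigned -IdentityID $uami.Id | Out-Null
Set-AzAutomationAccount -ResourceGroupName $rg -Name 'aa-config-jobs' -AssignUserIdentity $uami.Id | Out-Null

# Q131: the data-plane role at container scope only. PrincipalId (not ClientId) is the
# Entra object the role binds to.
New-AzRoleAssignment -ObjectId $uami.PrincipalId `
    -RoleDefinitionName 'Storage Blob Data Contributor' -Scope $containerScope | Out-Null

# Q134: the VM gets a system-assigned identity; its PrincipalId is the assignment target.
$vm = Get-AzVM -ResourceGroupName $rg -Name 'vm-logshipper'
Update-AzVM -ResourceGroupName $rg -VM $vm -IdentityType SystemAssigned | Out-Null
$vm = Get-AzVM -ResourceGroupName $rg -Name 'vm-logshipper'   # re-read to pick up Identity
New-AzRoleAssignment -ObjectId $vm.Identity.PrincipalId `
    -RoleDefinitionName 'Storage Blob Data Contributor' -Scope $containerScope | Out-Null

# Check 1: every assignment each identity holds, anywhere. Anything whose Scope is
# shorter than $containerScope is broader than intended.
foreach ($id in @($uami.PrincipalId, $vm.Identity.PrincipalId)) {
    Get-AzRoleAssignment -ObjectId $id | Select-Object DisplayName, RoleDefinitionName, Scope
}

# Check 2 (run on the VM itself): no key, no SAS. The context carries the VM's Entra token.
# $ctx = New-AzStorageContext -StorageAccountName $account -UseConnectedAccount
# Set-AzStorageBlobContent -File 'C:\logs\app.log' -Container $container -Blob 'app.log' -Context $ctx  # succeeds
# Get-AzStorageContainer -Context $ctx   # 403: listing the account's containers needs containers/read at account scope
```

The second check is the one that proves the negative: with the role scoped to the container, listing the account's containers is refused, which is exactly the "must not list other containers" requirement of question 131.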

135
MCQmedium

An administrator archived monthly log exports in a blob container six weeks ago. An auditor now needs to open one of those files later today, and the file must be readable from Azure Storage rather than restored from a separate backup copy. What should the administrator do?

A.Open the blob directly from the Archive tier because archived blobs remain online for read access.
B.Start rehydration of the blob to the Hot tier before opening it.
C.Change the blob to the Cold tier, because Cold is designed for archived content.
D.Use a snapshot of the archived blob, because snapshots can be opened even when the base blob is archived.
AnswerB

Archived blobs are not immediately readable, so the administrator must rehydrate the blob back to an online tier first. Hot is appropriate when the file needs to be accessible again as soon as the rehydration completes and may be used actively during the audit. This is the correct operational response when the blob must be read later the same day.

Why this answer

Option B is correct because blobs in the Archive tier are offline and cannot be read directly. The blob must first be rehydrated to an online tier (Hot, Cool or Cold), after which it is readable again. With Standard priority that can take up to 15 hours, so the administrator must start it immediately, and if "later today" is tight, request High priority, which may complete in under an hour for blobs under 10 GB.

Exam trap

The trap here is that candidates assume archived blobs are still readable because they appear in the storage account listing, but Azure's Archive tier explicitly stores data offline, requiring explicit rehydration before any read operation.

How to eliminate wrong answers

Option A is wrong because archived blobs are stored offline and cannot be read until rehydrated; only their metadata is online, and only a tier change or a copy is accepted. Option C is wrong because Cold is a separate online tier for infrequently accessed data, not a home for archived content; rehydrating to Cold is possible but takes exactly as long as rehydrating to Hot, and Cold's higher per-read charges make it a poor landing tier for a file that is about to be opened. Option D is wrong because a snapshot is not a way around tiering: a snapshot has its own access tier, a snapshot in the Archive tier is just as offline as the base blob, and bringing an archived snapshot online means copying it to a new blob in an online tier, which is itself a rehydration that has to finish first.

136
Multi-Selecthard

A company has an Azure Storage account that stores application files in Blob Storage. VMs in AppSubnet must access the blobs by using the standard storage account name, but traffic must stay private and the public endpoint must not be used. Which two actions should the administrator take? Select two.

Select 2 answers
A.Create a private endpoint for the blob service in AppSubnet.
B.Enable a service endpoint for Microsoft.Storage on AppSubnet.
C.Link a private DNS zone for privatelink.blob.core.windows.net to the VNet.
D.Generate a shared access signature and email it to the VMs.
E.Add a virtual network rule to the storage account and keep the public endpoint open.
AnswersA, C

A private endpoint gives the storage account a private IP address inside the VNet, so the VM traffic stays on private addressing and avoids the public endpoint.

Why this answer

Option A is correct because a private endpoint assigns the blob service a private IP address from the AppSubnet, allowing VMs to access the storage account using the standard storage account name (e.g., mystorageaccount.blob.core.windows.net) while keeping all traffic within the Microsoft Azure backbone network and bypassing the public endpoint entirely. This satisfies the requirement that traffic must stay private and the public endpoint must not be used.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, assuming both provide the same level of privacy, but service endpoints still use the public endpoint for the data plane while private endpoints provide a fully private IP address and eliminate public internet exposure.

137
MCQeasy

A team wants an Azure Storage account to be reachable only from a single Azure virtual network and to use a private IP address inside that network. Which option should the administrator configure?

A.A service endpoint on the subnet.
B.A private endpoint for the storage account.
C.A public IP address with an NSG inbound allow rule.
D.A VPN gateway connection to the storage account.
AnswerB

A private endpoint gives the storage account a private IP address in the VNet, which is the best fit for private-only access.

Why this answer

A private endpoint assigns the storage account a private IP address from the virtual network, so clients in that VNet reach it over the Microsoft backbone without touching the public endpoint. To make the account reachable only from that VNet, the private endpoint is paired with disabling public network access on the account (or at least a firewall default of deny); a service endpoint cannot achieve this because it still targets the account's public endpoint.

Exam trap

The trap here is confusing service endpoints with private endpoints: both can restrict access to a VNet, but only a private endpoint provides a private IP address, and the public endpoint drops out of the picture only when public network access is disabled on the account as well.

How to eliminate wrong answers

Option A is wrong because a service endpoint extends the VNet identity to the storage account's public endpoint but does not assign a private IP address; the storage account remains accessible via its public endpoint from the internet. Option C is wrong because a public IP address with an NSG rule still exposes the storage account to the internet, and storage accounts do not have a public IP address that can be directly controlled by an NSG. Option D is wrong because a VPN gateway connects on-premises networks to Azure VNets, not to individual storage accounts, and does not provide a private IP address for the storage account.
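
The two selected actions from question 136, plus the setting question 137 implicitly relies on (public network access disabled), as Az PowerShell. This is an added example, not code from the question bank; the VNet, subnet, resource group and account names are assumptions.

```powershell
# Added example, not from the question bank. Resource names are assumptions.
$rg      = 'rg-app'
$account = 'stappfiles'
$sa      = Get-AzStorageAccount -ResourceGroupName $rg -Name $account
$vnet    = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-app'
$subnet  = Get-AzVirtualNetworkSubnetConfig -Name 'AppSubnet' -VirtualNetwork $vnet

# 1. Private endpoint for the blob sub-resource only (GroupId). The endpoint NIC takes a
#    private IP from AppSubnet; file, queue and table would each need their own endpoint.
$conn = New-AzPrivateLinkServiceConnection -Name 'pls-blob' -PrivateLinkServiceId $sa.Id -GroupId 'blob'
$pe = New-AzPrivateEndpoint -ResourceGroupName $rg -Name 'pe-stappfiles-blob' -Location $vnet.Location `
        -Subnet $subnet -PrivateLinkServiceConnection $conn

# 2. Private DNS zone linked to the VNet. The public name stappfiles.blob.core.windows.net
#    is a CNAME to stappfiles.privatelink.blob.core.windows.net; this zone answers that name
#    with the endpoint's private IP for anything inside the VNet. Without it, clients keep
#    resolving the public IP and the private endpoint is never used.
$zone = New-AzPrivateDnsZone -ResourceGroupName $rg -Name 'privatelink.blob.core.windows.net'
New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $zone.Name -Name 'link-vnet-app' `
    -VirtualNetworkId $vnet.Id | Out-Null
$zoneCfg = New-AzPrivateDnsZoneConfig -Name 'privatelink-blob-core-windows-net' -PrivateDnsZoneId $zone.ResourceId
New-AzPrivateDnsZoneGroup -ResourceGroupName $rg -PrivateEndpointName $pe.Name -Name 'default' `
    -PrivateDnsZoneConfig $zoneCfg | Out-Null   # keeps the A record in sync with the endpoint IP

# 3. A private endpoint does not close the public endpoint by itself. Turn it off.
Set-AzStorageAccount -ResourceGroupName $rg -Name $account -PublicNetworkAccess Disabled | Out-Null

# Checks. From the control plane:
(Get-AzStorageAccount -ResourceGroupName $rg -Name $account).PublicNetworkAccess   # Disabled
Get-AzPrivateEndpoint -ResourceGroupName $rg -Name $pe.Name |
    Select-Object -ExpandProperty PrivateLinkServiceConnections |
    Select-Object Name, @{n='State'; e={ $_.PrivateLinkServiceConnectionState.Status }}   # Approved

# From a VM in the VNet, the standard name must resolve to the private address from
# AppSubnet, not to a public Azure IP:
# Resolve-DnsName "$account.blob.core.windows.net" | Select-Object Name, Type, IPAddress, NameHost
```

If the Resolve-DnsName check still returns a public address, the VNet is using custom DNS servers that do not forward to Azure DNS (168.63.129.16); the private zone only takes effect for resolvers that reach it.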

138
MCQeasy

A legal department stores scanned contracts that are kept for compliance and are almost never opened. They want the lowest storage cost, and it is acceptable if files take time to become available before download. Which blob tier should you choose?

A.Hot
B.Cool
C.Archive
D.Cold
AnswerC

Archive is the lowest-cost tier and the only offline one: it is meant for long-term retention, and reading an archived blob requires rehydration first. Because the team can wait for access, this tier minimizes storage cost and fits rarely opened compliance documents.

Why this answer

The Archive tier is designed for data that is rarely accessed and has the lowest storage cost among Azure Blob Storage tiers. It requires rehydration (up to 15 hours at Standard priority) before files become readable, making it ideal for compliance data that is almost never opened and where delayed access is acceptable.

Exam trap

The trap here is that candidates pick Cold because it sounds like the coldest tier, or Cool because it is the one they remember as cheap. Cold is a valid online tier (data should stay at least 90 days, and reads cost more than in Cool), but it costs more at rest than Archive because its data stays immediately readable. Archive is the lowest-cost tier, and the only one where a retrieval delay is part of the deal.

How to eliminate wrong answers

Option A is wrong because the Hot tier is optimized for frequent access and has the highest storage cost, which contradicts the requirement for lowest storage cost. Option B is wrong because Cool (intended for data kept at least 30 days) costs more at rest than Archive and stays online, which this scenario does not need. Option D is wrong because Cold, although a valid online tier for data kept at least 90 days, also costs more at rest than Archive and keeps the data immediately readable; Archive trades that instant access for the lowest storage price. Premium block blobs are a separate performance tier and are irrelevant here.

139
MCQhard

A partner needs temporary read-only access to a single blob in a storage account for the next 24 hours. The partner must not be able to list other blobs or write data. What should you provide?

A.The storage account access key.
B.A service SAS scoped to the blob with read permission and an expiry time.
C.A private endpoint to the storage account.
D.Contributor access to the storage account.
AnswerB

This is the least-privilege option for temporary, blob-specific access.

Why this answer

A service SAS scoped to a specific blob with read permission and an expiry time provides the exact temporary, read-only access required. It restricts access to only that blob, prevents listing other blobs, and automatically expires after 24 hours, meeting all security and functional requirements.

Exam trap

The trap here is that candidates assume any SAS or the account key can be narrowed to a blob. An account SAS is scoped to services and resource types, and the key has no scope at all; only a service SAS (or a user delegation SAS, which is signed with Microsoft Entra credentials instead of the account key) can be scoped to a single blob with exact permissions and an expiry. A key-signed SAS also cannot be revoked on its own except by rotating the key or by tying it to a stored access policy, so keep the expiry short.

How to eliminate wrong answers

Option A is wrong because the storage account access key grants full administrative access to the entire storage account, including the ability to list, read, write, and delete all blobs, which violates the principle of least privilege and the requirement for read-only access to a single blob. Option C is wrong because a private endpoint provides network-level isolation by connecting the storage account to a virtual network, but it does not grant any data access permissions or restrict access to a single blob; it still requires additional authorization (e.g., SAS or RBAC) and does not prevent listing or writing. Option D is wrong because Contributor role at the storage account level allows full management of the account and data, including listing and writing blobs, far exceeding the required read-only access to a single blob.
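
To see why a blob-scoped service SAS cannot be widened by whoever holds it, it helps to build one by hand. The following PowerShell is an added example, not from the question bank: it computes the signature for a read-only, single-blob SAS using the documented string-to-sign layout for service SAS version 2020-12-06. The account key is a constructed value, and the account, container and blob names are assumptions; in practice New-AzStorageBlobSASToken does this computation for you.

```powershell
# Added example, not from the question bank. Key, names and expiry are constructed.
function New-BlobReadSasToken {
    param(
        [Parameter(Mandatory)][string]$AccountName,
        [Parameter(Mandatory)][string]$AccountKeyBase64,
        [Parameter(Mandatory)][string]$Container,
        [Parameter(Mandatory)][string]$BlobName,
        [Parameter(Mandatory)][datetime]$ExpiryUtc
    )
    $version  = '2020-12-06'
    $expiry   = $ExpiryUtc.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
    $resource = "/blob/$AccountName/$Container/$BlobName"   # one blob; a list permission does not even exist for sr=b

    # String-to-sign for service SAS version 2020-12-06 and later. Field order is fixed by
    # the service; unused fields stay empty but keep their newline.
    $stringToSign = @(
        'r',          # sp: read only
        '',           # st: no start time
        $expiry,      # se
        $resource,    # canonicalized resource
        '',           # si: no stored access policy
        '',           # sip: no IP restriction
        'https',      # spr
        $version,     # sv
        'b',          # sr: a single blob, not a container (c)
        '',           # snapshot time
        '',           # ses: encryption scope
        '', '', '', '', ''   # rscc, rscd, rsce, rscl, rsct response-header overrides
    ) -join "`n"

    $hmac = [System.Security.Cryptography.HMACSHA256]::new([Convert]::FromBase64String($AccountKeyBase64))
    try {
        $sig = [Convert]::ToBase64String($hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($stringToSign)))
    } finally {
        $hmac.Dispose()
    }

    # Every signed field is echoed in the query string. Editing any of them (sp=r to sp=rl,
    # sr=b to sr=c, a later se) changes the string-to-sign and invalidates sig, so the
    # holder cannot widen the grant without the key.
    "sp=r&se=$([uri]::EscapeDataString($expiry))&spr=https&sv=$version&sr=b&sig=$([uri]::EscapeDataString($sig))"
}

# Constructed 64-byte key (base64 of 0x00..0x3F). Real account keys are also 64 bytes,
# base64-encoded, but this one is not a real key.
$fakeKey = [Convert]::ToBase64String([byte[]](0..63))
$token = New-BlobReadSasToken -AccountName 'stdocs' -AccountKeyBase64 $fakeKey `
            -Container 'contracts' -BlobName 'contract-0001.pdf' `
            -ExpiryUtc ([datetime]::UtcNow.AddHours(24))
"https://stdocs.blob.core.windows.net/contracts/contract-0001.pdf?$token"
```

Two operational notes follow from the construction. First, the signature depends on the account key, so the only way to revoke this token early is to rotate that key (or, if the SAS had referenced a stored access policy via si, to delete the policy). Second, a user delegation SAS avoids the key entirely: create the context with New-AzStorageContext -UseConnectedAccount and New-AzStorageBlobSASToken signs with an Entra-issued delegation key, which can be revoked with Revoke-AzStorageAccountUserDelegationKeys and is capped at seven days.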

140
MCQmedium

A finance team stores monthly invoice PDFs in Azure and wants the data to remain available if an entire availability zone in the region fails. They do not need read access to a secondary region, and they want to keep the storage service simple. Which redundancy option should they choose for the storage account?

A.Locally redundant storage (LRS), because it protects against a single disk failure inside one datacenter.
B.Zone-redundant storage (ZRS), because it replicates data across zones in the same region.
C.Geo-redundant storage (GRS), because it automatically provides the lowest-cost cross-region protection.
D.Geo-zone-redundant storage (GZRS), because it is required whenever zone resilience is needed.
AnswerB

ZRS stores copies of the data across multiple availability zones in the same region. That design helps the account remain available during a zone outage without requiring a paired region or secondary read access.

Why this answer

Zone-redundant storage (ZRS) replicates data synchronously across three Azure availability zones within the same region, ensuring durability even if an entire zone fails. This meets the requirement for intra-region zone failure protection without needing a secondary region, and it keeps the storage service simple by avoiding the complexity of geo-replication.

Exam trap

The trap here is that candidates often confuse 'zone failure' with 'regional failure' and incorrectly choose GRS or GZRS, overlooking that ZRS provides sufficient protection within a single region at lower cost and complexity.

How to eliminate wrong answers

Option A is wrong because LRS keeps three copies within a single datacenter, so it cannot survive an entire availability zone failure. Option C is wrong because GRS replicates to a secondary region, which the question says is not needed, and because it uses LRS rather than zone redundancy in the primary region; GRS is indeed the cheapest cross-region option, but cross-region protection is not the requirement. Option D is wrong because zone resilience does not require GZRS: ZRS alone provides it, and GZRS adds cross-region replication that is not required and increases complexity and cost.

141
MCQhard

A 180-GB blob was moved to the Archive tier last week. A legal team now needs the file available later today for repeated review, and they are willing to pay more to shorten the wait. Which action should the administrator take first?

A.Rehydrate the blob to Cool tier by using Standard priority.
B.Rehydrate the blob to Hot tier by using High priority.
C.Copy the blob into another Archive tier container and wait for replication.
D.Change the storage account redundancy to ZRS so the blob becomes accessible faster.
AnswerB

High priority rehydration is the fastest supported path, and Hot makes the blob ready for repeated access.

Why this answer

The Archive tier requires rehydration (a tier change to an online tier, or a copy into one) before the data can be accessed. Rehydrating to the Hot tier with High priority is the fastest method: Microsoft's target is under one hour for blobs under 10 GB, and for a 180-GB blob it remains the fastest supported path even though the one-hour figure is not guaranteed. Standard priority rehydration can take up to 15 hours, making it too slow for the required timeline, and Hot is the right destination for a file that will be read repeatedly.

Exam trap

The trap here is that candidates may think changing redundancy or copying the blob can bypass the rehydration requirement, but Azure Archive blobs must be explicitly rehydrated to an online tier before any read access is possible.

How to eliminate wrong answers

Option A is wrong because rehydrating to the Cool tier with Standard priority can take up to 15 hours, which is too slow for the legal team's need for later today. Option C is wrong because copying a blob within the Archive tier does not change its tier; the copy remains in the Archive tier and is still inaccessible without rehydration. Option D is wrong because changing redundancy to ZRS does not affect the blob's tier or its accessibility; the blob remains in the Archive tier and must be rehydrated first.
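
The rehydration that questions 126, 128, 130, 135 and 141 all describe, as Az PowerShell, including the check a support engineer should run before and after. This is an added example, not code from the question bank; the account, container and blob names and the download path are assumptions.

```powershell
# Added example, not from the question bank. Names and paths are assumptions.
$account   = 'stlogs'
$container = 'exports'
$blobName  = 'invoices-2024-Q1.zip'

# Entra-authenticated context: no account key. Changing tiers needs the blob write
# data action, e.g. Storage Blob Data Contributor on the container.
$ctx  = New-AzStorageContext -StorageAccountName $account -UseConnectedAccount
$blob = Get-AzStorageBlob -Container $container -Blob $blobName -Context $ctx

# Confirm it really is offline before doing anything else.
$props = $blob.BlobProperties
"{0}: tier={1} archiveStatus={2} size={3:N0} bytes" -f $blobName, $props.AccessTier, $props.ArchiveStatus, $props.ContentLength

if ("$($props.AccessTier)" -eq 'Archive' -and -not $props.ArchiveStatus) {
    # In-place rehydration: 'Hot' is the destination tier, 'High' the priority. Standard
    # can take up to 15 hours; High may finish in under an hour for blobs under 10 GB and
    # is still the fastest path for larger ones. The call returns at once, but the blob
    # stays offline until the copy out of archive completes.
    $blob.BlobClient.SetAccessTier('Hot', $null, 'High') | Out-Null
}

# Poll. ArchiveStatus is RehydratePendingToHot (REST: rehydrate-pending-to-hot) while in
# flight and empty when the blob is online again. A download attempted before that fails
# with HTTP 409 BlobArchived.
do {
    Start-Sleep -Seconds 300
    $blob  = Get-AzStorageBlob -Container $container -Blob $blobName -Context $ctx
    $props = $blob.BlobProperties
    "{0:HH:mm} tier={1} status={2}" -f (Get-Date), $props.AccessTier, $props.ArchiveStatus
} while ($props.ArchiveStatus)

# Now the download works.
Get-AzStorageBlobContent -Container $container -Blob $blobName -Destination "C:\audit\$blobName" -Context $ctx

# Alternative when the archived original must stay where it is: copy into an online tier.
# This is also a rehydration and takes the same Standard/High time; the source stays archived.
# Start-AzStorageBlobCopy -SrcContainer $container -SrcBlob $blobName -DestContainer 'audit' `
#     -DestBlob $blobName -StandardBlobTier Hot -RehydratePriority High -Context $ctx
```

Note that the rehydration request is itself the only thing worth doing "first": nothing in lifecycle rules, container moves, RBAC or account redundancy changes the blob's offline state, which is the common thread of all five questions.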

142
MCQhard

Users in Branch01 access an Azure file share over SMB. Performance is poor because frequently used files are downloaded repeatedly across the WAN. You need to keep a local cache on a Windows Server in Branch01 while keeping Azure Files as the central file share. What should you deploy?

A.Azure File Sync
B.Blob versioning
C.Share snapshots
D.A private endpoint
AnswerA

Azure File Sync provides a local cache on Windows Server while keeping Azure Files central.

Why this answer

Azure File Sync is the correct solution because it enables caching of Azure file shares on a Windows Server at the branch location, providing local access to frequently used files while keeping Azure Files as the central authoritative store. It uses a sync engine to maintain a local cache and leverages the SMB protocol for access, reducing WAN latency by serving files from the local server.

Exam trap

The trap here is that candidates often confuse Azure File Sync with simply mounting an Azure file share via SMB or using a private endpoint, not realizing that File Sync specifically provides a local caching mechanism on a Windows Server to solve WAN latency issues.

How to eliminate wrong answers

Option B (Blob versioning) is wrong because it is a feature for Azure Blob Storage that preserves previous versions of objects, not for caching or local access of file shares. Option C (Share snapshots) is wrong because they provide point-in-time read-only copies of an Azure file share for backup or restore, not a local cache for performance improvement. Option D (A private endpoint) is wrong because it provides a private IP address for accessing Azure Files over a virtual network, but it does not create a local cache on a branch server; it only improves network connectivity.

143
MCQhard

Your application stores compliance documents in Azure Blob Storage. The documents must be kept in a write-once-read-many state for five years and must not be altered or removed during that time. What should you configure?

A. Blob soft delete
B. Immutable blob storage with a time-based retention policy
C. Blob lifecycle management to move data to Cool tier
D. A shared access signature
AnswerB

Immutable storage provides WORM protection for the specified retention period.

Why this answer

Immutable blob storage with a time-based retention policy enforces a write-once-read-many (WORM) state, ensuring that blobs cannot be modified or deleted for a specified retention period. This directly meets the requirement of keeping compliance documents unaltered for five years, as the policy locks the data at the storage level, overriding any user permissions or delete operations.

Exam trap

The trap here is that candidates confuse blob soft delete (which only recovers deleted blobs but does not prevent modification) with immutable storage, or mistakenly think lifecycle management or SAS tokens can enforce a write-once-read-many state.

How to eliminate wrong answers

Option A is wrong because blob soft delete protects against accidental deletion by retaining deleted blobs for a configurable period, but it does not prevent modification or enforce a write-once-read-many state; blobs can still be overwritten or deleted during the soft-delete retention period. Option C is wrong because blob lifecycle management automates tier transitions (e.g., moving data to Cool or Archive tiers) based on age or conditions, but it does not provide any immutability or prevent modification or deletion of blobs. Option D is wrong because a shared access signature (SAS) grants delegated access to storage resources with specific permissions and expiry, but it does not enforce immutability or prevent authorized users from modifying or deleting blobs.

144
Multi-Selectmedium

You are designing a disaster recovery strategy for Azure Blob Storage. The storage account is configured with geo-redundant storage (GRS). Which three of the following statements about GRS and failover are true? (Choose three.)

Select 3 answers
- With GRS, data is replicated asynchronously to a paired secondary region.
- In the event of a regional outage, you can initiate a customer-managed failover to the secondary region.
- After a failover, the secondary region becomes the new primary and replication to the original primary is automatically established.
- GRS provides three copies of your data within the primary region and three additional copies in the secondary region.
- GRS guarantees zero data loss if a failover is triggered.
- Once a failover is completed, you cannot fail back to the original primary region.

Why this answer

Geo-redundant storage (GRS) replicates data asynchronously to a paired secondary region, ensuring durability even during a regional outage. In such an outage, you can initiate a customer-managed failover to promote the secondary region as the new primary. GRS maintains three copies (LRS) in the primary region and three additional copies in the secondary region, providing six total replicas.

Exam trap

The trap here is that candidates often assume GRS provides synchronous replication with zero data loss, but it is asynchronous, and they may also think failover is irreversible, when in fact you can fail back.

145
Multi-Selecthard

A hub-and-spoke environment already has an Azure VPN gateway deployed in the hub VNet. A spoke VNet must send on-premises traffic through that existing gateway, and administrators must be able to manage the peering from either side without creating a separate gateway in the spoke. Which two peering settings are required? Select two.

Select 2 answers
A. Enable Allow gateway transit on the hub-to-spoke peering.
B. Enable Use remote gateways on the spoke-to-hub peering.
C. Enable Allow forwarded traffic on both peerings as the only required setting.
D. Enable Allow gateway transit on the spoke-to-hub peering.
E. Create a user-defined route that points all on-premises prefixes to the hub VNet gateway.
AnswersA, B

This allows the hub VNet gateway to be shared with the peered spoke network.

Why this answer

Option A is correct because enabling 'Allow gateway transit' on the hub-to-spoke peering allows the hub VNet to advertise its VPN gateway routes to the spoke VNet. This setting is configured on the peering from the hub side and is a prerequisite for the spoke to use the hub's gateway for on-premises connectivity.

Exam trap

The trap here is that candidates often confuse 'Allow forwarded traffic' with 'Allow gateway transit', thinking that enabling forwarded traffic alone is sufficient for gateway sharing, but forwarded traffic only applies to traffic from an NVA, not from a VPN gateway.

146
MCQeasy

A storage account must accept traffic only from a single subnet. The team wants to keep using the storage account's public endpoint and does not want to deploy a private endpoint. What should you configure?

A. A private endpoint and private DNS zone
B. A service endpoint on the subnet and a storage firewall rule that allows that subnet
C. Read-access geo-redundant storage (RA-GRS)
D. Archive access tier for the container
AnswerB

A service endpoint lets the subnet reach the storage account over the public endpoint while the firewall restricts access to that subnet only.

Why this answer

Option B is correct because a service endpoint on the subnet extends the virtual network identity to the storage account, and a storage firewall rule that allows that subnet restricts access to only traffic originating from that subnet. This meets the requirement of using the public endpoint without deploying a private endpoint, as the storage account's public endpoint remains accessible but is locked down to the specified subnet via the firewall rule.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, assuming that restricting access to a subnet requires a private endpoint, but service endpoints with firewall rules achieve the same goal using the public endpoint.

How to eliminate wrong answers

Option A is wrong because a private endpoint assigns the storage account a private IP from the virtual network, which removes the use of the public endpoint entirely, contradicting the requirement. Option C is wrong because RA-GRS is a replication strategy that provides read-only access to a secondary region for disaster recovery, not a network access control mechanism. Option D is wrong because the archive access tier is for cost-effective storage of infrequently accessed data, with no impact on network access restrictions.

147
MCQmedium

A contractor needs to upload files to one blob container for the next two hours. The contractor must not learn the storage account key, and access should expire automatically without manual cleanup. What is the best way to grant access?

A. Share the storage account key and ask the contractor to stop using it after two hours.
B. Create an account SAS with broad permissions and send it to the contractor by email.
C. Generate a user delegation SAS from Entra ID with only the required container permissions and a two-hour expiry.
D. Assign the contractor the Storage Blob Data Contributor role at the storage account scope.
AnswerC

A user delegation SAS is generated from Entra ID credentials, so the administrator does not expose the storage account key. It can be scoped to a single container, limited to upload permissions, and given a short expiration time. That combination satisfies least privilege and automatic expiration for temporary contractor access.

Why this answer

A user delegation SAS is the correct choice because it is secured with Entra ID credentials rather than the storage account key, ensuring the contractor never learns the key. The SAS can be scoped to exactly the required container permissions and a two-hour expiry, providing automatic, time-limited access without manual cleanup. This approach aligns with the principle of least privilege and eliminates the need to share or rotate storage account keys.

Exam trap

The trap here is that candidates often confuse an account SAS (which still uses the storage account key) with a user delegation SAS (which uses Entra ID), leading them to choose Option B because they think any SAS automatically avoids key exposure, but only the user delegation SAS truly prevents the contractor from learning the key.

How to eliminate wrong answers

Option A is wrong because sharing the storage account key violates the requirement that the contractor must not learn the key, and it does not provide automatic expiry—manual cleanup would be required to revoke access. Option B is wrong because an account SAS is signed with the storage account key, meaning the contractor could potentially derive or infer the key from the SAS token, and it typically grants broader permissions than necessary, failing the principle of least privilege. Option D is wrong because assigning the Storage Blob Data Contributor role at the storage account scope grants persistent, role-based access that does not automatically expire after two hours, requiring manual removal of the role assignment.

148
MCQmedium

A team wants to allow a subnet to access a storage account only from that subnet, but they do not want to create a private endpoint or change DNS. The storage account should still be reachable through its public endpoint, just not from other networks. What should the administrator configure?

A. A private endpoint for the storage account and a private DNS zone.
B. A public IP address for the subnet and a storage account firewall exception.
C. A service endpoint on the subnet and a storage firewall rule allowing that subnet.
D. An NSG rule that permits outbound TCP 443 to the storage account.
AnswerC

Service endpoints keep the public endpoint but restrict access based on the VNet or subnet identity.

Why this answer

Option C is correct because a service endpoint on the subnet extends the virtual network identity to the storage account, allowing the storage firewall to restrict access to traffic originating from that specific subnet. This ensures the storage account remains reachable via its public endpoint, but only from the configured subnet, without requiring a private endpoint or DNS changes.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, assuming only private endpoints can restrict access to a storage account, or they mistakenly think NSG rules can control inbound access to PaaS services like storage accounts.

How to eliminate wrong answers

Option A is wrong because a private endpoint assigns the storage account a private IP in the virtual network, which changes the access path and typically requires DNS modifications, contradicting the requirement to avoid private endpoints and DNS changes. Option B is wrong because assigning a public IP to a subnet does not control access to the storage account; the storage firewall can only filter by source IP or virtual network/subnet, not by a subnet's public IP. Option D is wrong because an NSG rule controlling outbound traffic from the subnet does not enforce inbound restrictions on the storage account; the storage account's firewall must explicitly allow the subnet, and NSGs alone cannot restrict access to the storage account's public endpoint from other networks.

149
Multi-Selectmedium

You are designing a storage solution for a large-scale data analytics application that will run in Azure. The solution needs to support high-throughput writes, hierarchical namespace for organizing data, and the ability to assign POSIX-like permissions to directories and files. Additionally, the solution must support lifecycle management policies to tier data to cooler storage tiers after 30 days and enable blob-level versioning. Which four of the following features or services should you include in your design? (Choose all that apply. There are four correct answers.)

Select 4 answers
- Azure Data Lake Storage Gen2
- Azure Files with SMB protocol
- Hierarchical namespace
- Azure Blob Storage lifecycle management
- Azure NetApp Files
- Blob versioning

Why this answer

Azure Data Lake Storage Gen2 (ADLS Gen2) is the correct foundational service because it combines Azure Blob Storage with a hierarchical namespace, enabling POSIX-like access control lists (ACLs) for directories and files. This service is specifically designed for high-throughput analytics workloads, supporting both hierarchical namespace and blob-level operations. Lifecycle management policies and blob versioning are built-in Azure Blob Storage features that work seamlessly with ADLS Gen2 to automate data tiering and maintain data integrity.

Exam trap

The trap here is that candidates often confuse Azure Files or Azure NetApp Files as suitable for analytics workloads with POSIX permissions, but these services lack the hierarchical namespace and blob-level lifecycle/versioning features that are native to ADLS Gen2 and Azure Blob Storage.

150
Multi-Selecthard

A legal team archived a 200-GB blob last quarter. They now need to open it repeatedly later today for review, and waiting more than a day would delay the case. Which two actions should the administrator take? Select two.

Select 2 answers
A. Start a rehydration request and target the Hot tier.
B. Set the rehydration priority to High.
C. Copy the blob directly while it remains in the Archive tier.
D. Change the blob back to the Archive tier after the request starts.
E. Take a snapshot first and expect it to make the archived blob readable immediately.
AnswersA, B

Archive blobs cannot be read directly, so the first step is to rehydrate them to an online tier.

Why this answer

Option A is correct because rehydrating a blob from the Archive tier to the Hot tier makes it accessible for frequent reads. The Hot tier is optimized for high-frequency access, which matches the legal team's need to open the blob repeatedly later today. Rehydration is the only way to change the blob's tier from Archive to an online tier like Hot.

Exam trap

The trap here is that candidates may think setting the rehydration priority to High alone is sufficient, but without specifying a target tier (like Hot), the rehydration request is incomplete and the blob remains archived.
