Microsoft Azure Solutions Architect Expert AZ-305 (AZ-305) — Questions 175

999 questions total · 14 pages · All types, answers revealed

1
Multi-Select · easy

Your organization uses Microsoft Sentinel for security information and event management (SIEM). You need to collect logs from on-premises firewalls and send them to Sentinel. Which TWO connectors can you use? (Choose two.)

Select 2 answers
A. DNS
B. Syslog
C. Common Event Format (CEF)
D. Azure Activity Log
E. Windows Security Events via AMA
Answers: B, C

Syslog is a standard protocol for log collection; many firewalls support it.

Why this answer

Syslog is a standard protocol for sending log messages from network devices, including firewalls, to a central collector. Common Event Format (CEF) is a syslog-based format that normalizes logs from different security products, making them easier to parse and analyze in Sentinel. Both connectors allow on-premises firewalls to forward their logs to a Log Analytics agent or AMA, which then sends them to Sentinel.

Exam trap

The trap here is that candidates may confuse 'Syslog' with 'DNS' or 'Windows Security Events' because they think any log source can be collected via a generic connector, but Sentinel requires specific connectors for each data source type.

2
MCQ · medium

A company runs a legacy on-premises application that relies on a SQL Server database. They want to use Azure as a disaster recovery site with a recovery point objective of less than 15 minutes. They need to be able to fail back to the on-premises environment after a disaster. Which Azure service should they use?

A. Azure Site Recovery
B. Azure Backup
C. Azure SQL Database
D. Azure Traffic Manager
Answer: A

Azure Site Recovery replicates on-premises VMs to Azure with low RPO and supports failback to on-premises.

Why this answer

Azure Site Recovery (ASR) orchestrates replication, failover, and failback of on-premises SQL Server workloads to Azure, supporting a Recovery Point Objective (RPO) of less than 15 minutes through continuous replication. It enables failback to the original on-premises environment after a disaster, which is a critical requirement for this scenario.

Exam trap

The trap here is that candidates often confuse Azure Backup (which is for archival backups) with Azure Site Recovery (which is for replication and failover), leading them to select Azure Backup despite its inability to meet the sub-15-minute RPO or support failback.

How to eliminate wrong answers

Option B (Azure Backup) is wrong because it provides point-in-time backups with a typical RPO of hours or daily, not sub-15-minute continuous replication, and it does not support orchestrated failback to on-premises. Option C (Azure SQL Database) is wrong because it is a PaaS database service that cannot replicate an on-premises SQL Server instance for failback; it would require migrating the database schema and data, not providing disaster recovery replication. Option D (Azure Traffic Manager) is wrong because it is a DNS-based traffic load balancer that routes user traffic, not a replication or disaster recovery service for SQL Server databases.

3
MCQ · hard

You are designing a disaster recovery solution for a multi-tier application. The application consists of a web tier, an application tier, and a database tier running SQL Server on Azure VMs. The RPO must be 5 seconds, and the RTO must be 15 minutes. You need to recommend a SQL Server availability solution that meets these requirements. What should you use?

A. Azure SQL Database Managed Instance automatic backups
B. Azure Site Recovery with replication of SQL Server VMs
C. SQL Server log shipping
D. SQL Server Always On Availability Groups with synchronous commit and automatic failover
Answer: D

Synchronous commit ensures zero data loss (RPO=0) and automatic failover can achieve RTO under 15 minutes.

Why this answer

Option D is correct because SQL Server Always On Availability Groups with synchronous commit can achieve an RPO of 5 seconds and an RTO of minutes with automatic failover. Option C is wrong because log shipping has a higher RPO (minutes to hours). Option A is wrong because Azure SQL Database Managed Instance automatic backups have an RPO of up to 5 minutes.

Option B is wrong because Azure Site Recovery replication for SQL Server can have an RPO of a few seconds, but the RTO may exceed 15 minutes due to recovery time.

4
MCQ · medium

Refer to the exhibit. An organization deploys this ARM template to create a storage account. They need to ensure that data is replicated synchronously across two Azure regions. Does this template meet the requirement?

A. No, the template uses RA-GRS
B. Yes, GRS provides synchronous replication
C. No, the template uses LRS
D. No, GRS provides asynchronous replication
Answer: D

GRS replicates asynchronously to a secondary region.

Why this answer

The template uses GRS (Geo-Redundant Storage), which replicates data asynchronously from the primary region to the secondary region. Because the replication is asynchronous, there is a potential for data loss if a regional disaster occurs before the secondary region is fully updated. The requirement specifies synchronous replication across two Azure regions, which is only provided by Azure Storage’s geo-zone-redundant storage (GZRS) with read-access (RA-GZRS) or by using Azure Files with synchronous replication via Azure File Sync or a third-party solution.

Therefore, GRS does not meet the synchronous requirement.

Exam trap

The trap here is that candidates often confuse GRS’s geo-redundancy with synchronous replication, not realizing that GRS uses asynchronous replication to the secondary region, while synchronous replication is only available within a single region (LRS, ZRS) or across availability zones (ZRS).

How to eliminate wrong answers

Option A is wrong because RA-GRS (Read-Access Geo-Redundant Storage) is not used in the template; the template specifies GRS, and RA-GRS also uses asynchronous replication, so it would not meet the synchronous requirement either. Option B is wrong because GRS provides asynchronous replication, not synchronous; synchronous replication across regions is not a feature of standard Azure Storage replication options. Option C is wrong because the template does not use LRS (Locally Redundant Storage); it uses GRS, which replicates to a secondary region, but the core issue is that GRS is asynchronous, not synchronous.

5
MCQ · hard

A company runs a critical database on Azure SQL Database in the West US region. They need to implement disaster recovery to East US with an RPO of 1 minute and RTO of 1 hour. They also want to use the secondary database for read-only workloads during normal operations. The solution must be fully managed. Which Azure SQL Database feature should they enable?

A. Active geo-replication with failover group
B. Auto-failover group with read-scale
C. Geo-restore
D. Zone-redundant configuration
Answer: B

Auto-failover groups manage failover for one or more databases, support read-only access to the secondary, and meet the RPO/RTO requirements.

Why this answer

Auto-failover groups with read-scale (Option B) provide a fully managed disaster recovery solution with an RPO of 1 minute and an RTO of 1 hour. They allow the secondary database in East US to be used for read-only workloads during normal operations via the read-scale listener endpoint. This meets all requirements: fully managed, low RPO/RTO, and read-only access to the secondary.

Exam trap

The trap here is confusing Active geo-replication (manual failover, no read-scale) with Auto-failover groups (automatic failover, read-scale), leading candidates to pick Option A even though it lacks the read-scale capability and automatic RTO guarantee.

How to eliminate wrong answers

Option A is wrong because Active geo-replication alone does not include a failover group; without the failover group, you cannot achieve the 1-hour RTO (manual failover takes longer) and you lose the automatic orchestration of read-scale endpoints. Option C is wrong because Geo-restore is a point-in-time recovery method with an RPO of 1 hour and RTO of 12-24 hours, far exceeding the required 1-minute RPO and 1-hour RTO, and it does not support read-only workloads on a secondary. Option D is wrong because Zone-redundant configuration provides high availability within a single region, not disaster recovery across regions, and does not offer a secondary for read-only workloads.

6
MCQ · medium

A company runs a data analytics application that stores large volumes of structured data in a relational format. The data is write-intensive and the application needs to scale horizontally for high throughput. The solution must support SQL queries, including joins and ACID transactions. Which Azure database service should they choose?

A. Azure Database for PostgreSQL - Hyperscale (Citus)
B. Azure SQL Database Hyperscale
C. Azure Cosmos DB (SQL API)
D. Azure Synapse Analytics
Answer: A

Citus is a managed PostgreSQL service that scales out horizontally across multiple nodes and supports full SQL, joins, and ACID transactions.

Why this answer

Azure Database for PostgreSQL - Hyperscale (Citus) is correct because it provides horizontal scaling (sharding) across multiple nodes while preserving full SQL support, including JOINs and ACID transactions. Citus distributes data across worker nodes using a coordinator node, enabling write-intensive workloads to achieve high throughput through parallelized writes. This makes it ideal for large-volume, relational, write-heavy analytics applications that require relational integrity.

Exam trap

The trap here is that candidates often confuse Azure SQL Database Hyperscale's 'scale-out' read replicas with true horizontal write scaling, or they assume Cosmos DB's SQL API supports relational queries and transactions, when in fact it is a NoSQL store with limited consistency and no JOIN support.

How to eliminate wrong answers

Option B (Azure SQL Database Hyperscale) is wrong because it scales compute and storage vertically, not horizontally for write throughput; it is designed for large databases with high read scalability, not write-intensive horizontal scaling. Option C (Azure Cosmos DB SQL API) is wrong because it is a NoSQL database that does not support SQL JOINs or ACID transactions across multiple documents; it uses eventual consistency by default and lacks relational integrity. Option D (Azure Synapse Analytics) is wrong because it is a massively parallel processing (MPP) data warehouse optimized for analytical queries on large datasets, not for transactional, write-intensive workloads with ACID compliance; it uses a columnar store and does not support point-write transactions with the same isolation levels as a relational OLTP database.

7
MCQ · easy

You have an Azure SQL Database that stores sales data. You need to ensure that the database can recover to any point in time within the last 35 days. What should you configure?

A. Configure the point-in-time restore (PITR) retention period to 35 days
B. Configure long-term retention (LTR) backups with a retention of 35 days
C. Create a secondary database in the same region
D. Enable geo-replication with a readable secondary
Answer: A

PITR allows restoring to any point within the retention period.

Why this answer

Point-in-time restore (PITR) for Azure SQL Database allows you to restore a database to any point within the configured retention period. The default retention is 7 days, but you can increase it up to 35 days. By setting the PITR retention period to 35 days, you meet the requirement to recover to any point in time within the last 35 days.

Exam trap

The trap here is confusing long-term retention (LTR) with point-in-time restore (PITR); candidates often think LTR provides point-in-time recovery, but LTR only retains full backups at fixed intervals and cannot restore to an arbitrary point within the retention window.

How to eliminate wrong answers

Option B is wrong because long-term retention (LTR) backups are designed for retaining full backups for extended periods (up to 10 years) and do not support point-in-time recovery; they only allow restoration to specific full backup timestamps, not any point in time. Option C is wrong because creating a secondary database in the same region provides high availability and failover capability but does not enable point-in-time recovery to any arbitrary time within the last 35 days. Option D is wrong because geo-replication with a readable secondary provides disaster recovery and read-scale out, but it does not offer point-in-time restore functionality; it replicates data asynchronously and cannot recover to an arbitrary past point.

8
MCQ · easy

You need to store semi-structured data from IoT devices in Azure. The data has varying schemas and high write throughput. Which Azure service should you use?

A. Azure Blob Storage
B. Azure SQL Database
C. Azure Cosmos DB
D. Azure Table Storage
Answer: C

Supports varying schemas and high throughput.

Why this answer

Option C is correct because Azure Cosmos DB supports semi-structured data with flexible schemas and high write throughput. Option B is wrong because Azure SQL Database is relational and less flexible for varying schemas. Option A is wrong because Azure Blob Storage is for unstructured data.

Option D is wrong because Azure Table Storage has limited throughput and schema flexibility.

9
Multi-Select · hard

Which TWO options can be used to automatically replicate Azure SQL Database to a secondary region for disaster recovery with no data loss in the event of a regional outage?

Select 2 answers
A. Use auto-failover groups with data synchronization.
B. Enable active geo-replication for the database.
C. Set up log shipping to a secondary server.
D. Deploy Azure Site Recovery to replicate the SQL Server VM.
E. Configure failover groups with automatic failover policy.
Answers: A, E

Auto-failover groups replicate data synchronously and handle automatic failover.

Why this answer

Auto-failover groups with data synchronization (Option A) and failover groups with automatic failover policy (Option E) are both correct because failover groups in Azure SQL Database provide automatic, synchronous replication of data to a secondary region, ensuring zero data loss during a regional outage. The automatic failover policy triggers a failover without manual intervention, and the synchronous commit mode guarantees that transactions are committed on both primary and secondary before acknowledging success, meeting the RPO=0 requirement.

Exam trap

The trap here is that candidates often confuse active geo-replication with failover groups, assuming both provide zero data loss, but only failover groups with synchronous replication and automatic failover policy guarantee RPO=0, while active geo-replication is asynchronous and thus allows data loss.

10
MCQ · easy

A company uses Microsoft Entra ID for identity management. They need to automate the process of granting access to resources for employees and external partners, and require periodic access reviews to ensure compliance. Which Microsoft Entra ID feature should they use?

A. Microsoft Entra ID Privileged Identity Management (PIM)
B. Microsoft Entra ID Entitlement Management
C. Microsoft Entra ID Conditional Access
D. Microsoft Entra ID Identity Protection
Answer: B

Entitlement Management allows you to create access packages that define the resources and policies for access. It can automate the request workflow and integrate with access reviews for periodic recertification.

Why this answer

Microsoft Entra ID Entitlement Management is the correct feature because it enables automation of access request workflows for employees and external partners, including time-limited access packages and periodic access reviews to enforce compliance. This directly matches the requirement for granting access and ensuring ongoing governance through reviews.

Exam trap

The trap here is that candidates often confuse Privileged Identity Management (PIM) with Entitlement Management because both involve access and reviews, but PIM is strictly for privileged roles, not for general resource access automation for employees and partners.

How to eliminate wrong answers

Option A is wrong because Privileged Identity Management (PIM) focuses on just-in-time privileged role activation and oversight for admin roles, not on automating general resource access for employees and partners or managing access reviews for non-privileged users. Option C is wrong because Conditional Access enforces real-time access policies based on signals like location or device compliance, but it does not automate the initial granting of access or provide periodic review capabilities. Option D is wrong because Identity Protection detects and remediates identity-based risks (e.g., leaked credentials, sign-in anomalies), but it does not handle access request workflows or compliance-driven access reviews.

11
MCQ · easy

A company runs an Azure SQL Database in a single region. They need to ensure that the database can be restored to any point in time within the last 90 minutes with a granularity of 1 minute. Which feature should they enable?

A. Active geo-replication
B. Auto-failover groups
C. Point-in-time restore
D. Long-term backup retention
Answer: C

Point-in-time restore allows restoring a database to any second within the retention period, meeting the requirement of 1-minute granularity.

Why this answer

Point-in-time restore (PITR) for Azure SQL Database automatically creates backups every 5-10 minutes and retains them for the default retention period of 7 days (configurable up to 35 days). This allows restoring the database to any second within the retention window, meeting the requirement of 1-minute granularity for the last 90 minutes. The feature is built-in and does not require any additional configuration beyond setting the desired retention period.

Exam trap

The trap here is that candidates often confuse point-in-time restore with disaster recovery features like geo-replication or failover groups, but the question specifically asks for restoring to a point in time within 90 minutes with 1-minute granularity, which is exclusively provided by PITR.

How to eliminate wrong answers

Option A is wrong because Active geo-replication is designed for continuous data replication to a secondary region for disaster recovery, not for point-in-time restores within a single region. Option B is wrong because Auto-failover groups manage automatic failover of multiple databases across regions, but they do not provide point-in-time restore capability. Option D is wrong because Long-term backup retention (LTR) extends backup retention beyond 35 days (up to 10 years) using weekly, monthly, or yearly backups, but it does not offer the 1-minute granularity required for the last 90 minutes; LTR backups are taken at coarser intervals.

12
MCQ · easy

Your organization plans to deploy Microsoft Entra ID Governance. You need to ensure that access to critical applications is reviewed quarterly by the application owners. Which Microsoft Entra ID feature should you use?

A. Microsoft Entra ID Privileged Identity Management
B. Microsoft Entra ID Entitlement Management
C. Microsoft Entra ID Terms of Use
D. Microsoft Entra ID Access Reviews
Answer: D

Access Reviews enable periodic attestation of access by owners.

Why this answer

Microsoft Entra ID Access Reviews (Option D) is the correct feature because it enables recurring, delegated review of user access to applications, groups, or roles. By configuring an access review with quarterly frequency and assigning application owners as reviewers, you directly meet the requirement for periodic attestation of access to critical applications. This is the specific Entra ID capability designed for governance-driven access recertification.

Exam trap

The trap here is that candidates confuse Entitlement Management (which includes access packages and can trigger reviews) with the dedicated Access Reviews feature, but the question explicitly asks for the feature that ensures reviews are conducted quarterly by application owners, which is the core purpose of Access Reviews, not a secondary function of Entitlement Management.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID Privileged Identity Management (PIM) is focused on just-in-time privileged role activation and approval workflows, not on recurring access reviews for all users of critical applications. Option B is wrong because Microsoft Entra ID Entitlement Management handles automated access request and approval workflows via access packages, but it does not natively provide the recurring review cycle that Access Reviews offer. Option C is wrong because Microsoft Entra ID Terms of Use is a policy acceptance feature that requires users to consent to terms before accessing an application, but it does not perform any periodic review or attestation of existing access.

13
MCQ · hard

An organization is migrating on-premises Oracle databases to Azure. They require minimal code changes and support for Oracle PL/SQL stored procedures. Which Azure data service best meets these requirements?

A. Azure Database for MySQL
B. Azure Database for PostgreSQL with Oracle compatibility
C. Azure SQL Database
D. Azure Cosmos DB
Answer: B

Supports PL/SQL with extension.

Why this answer

Azure Database for PostgreSQL with the Oracle compatibility extension (e.g., orafce) provides support for Oracle PL/SQL stored procedures and syntax, minimizing code changes during migration. This service is designed to handle Oracle workloads with minimal re-engineering, unlike other Azure database options that lack native Oracle compatibility.

Exam trap

The trap here is that candidates often assume Azure SQL Database is the natural choice for Oracle migrations due to its relational nature, but it lacks native PL/SQL support, whereas PostgreSQL with Oracle compatibility is the correct service for minimizing code changes.

How to eliminate wrong answers

Option A is wrong because Azure Database for MySQL does not support Oracle PL/SQL stored procedures or Oracle-specific syntax, requiring significant code rewrites. Option C is wrong because Azure SQL Database uses T-SQL, not PL/SQL, and lacks direct compatibility with Oracle stored procedures, necessitating manual conversion. Option D is wrong because Azure Cosmos DB is a NoSQL database that does not support relational Oracle PL/SQL stored procedures or schema-based migrations.

14
MCQ · easy

You need to design a solution to store log data from multiple Azure services. The data must be retained for 7 years for compliance purposes and should be queryable for analysis. Which Azure service should you use as the primary storage for these logs?

A. Azure Data Lake Storage
B. Azure SQL Database
C. Azure Blob Storage
D. Azure Log Analytics workspace
Answer: D

Log Analytics provides long-term retention and powerful KQL querying.

Why this answer

Option D is correct because Azure Log Analytics workspaces (part of Azure Monitor) can ingest logs from multiple services, retain data for up to 7 years (with extended retention), and support KQL queries. Option C (Azure Blob Storage) can store logs but is not optimized for interactive querying. Option A (Azure Data Lake Storage) is for big data analytics, not primarily for logs.

Option B (Azure SQL Database) is not designed for high-volume log ingestion and may be costly.

15
MCQ · easy

A company plans to deploy a web application on Azure App Service that will be accessed by users worldwide. The application must have a single endpoint and use Azure Web Application Firewall (WAF) policies. Which Azure service should be placed in front of the App Service to meet these requirements?

A. Azure Application Gateway
B. Azure Load Balancer
C. Azure Front Door
D. Azure Traffic Manager
Answer: C

Azure Front Door is a global application delivery network with integrated WAF and single endpoint.

Why this answer

Option C (Azure Front Door) provides global load balancing, SSL offload, and WAF integration, making it the best choice. Option A (Azure Application Gateway) is a regional service, not global. Option D (Azure Traffic Manager) provides DNS-based load balancing but no WAF.

Option B (Azure Load Balancer) operates at layer 4 and does not support WAF.

16
MCQ · medium

Your company, Contoso Ltd., is migrating its on-premises e-commerce application to Azure. The application consists of a web frontend, an API layer, and a SQL Server database. The migration must meet the following requirements:

- The web frontend must automatically scale out based on CPU utilization.
- The API layer must be stateless and scale out based on request count.
- The database must be a managed service with high availability and disaster recovery across Azure regions.
- All components must be secured using Azure Firewall and Web Application Firewall (WAF).
- The solution must minimize operational overhead.

You propose the following architecture:

- Azure App Service for the web frontend with autoscaling rules based on CPU.
- Azure Functions for the API layer (stateless, scaling based on request count).
- Azure SQL Database with active geo-replication for the database.
- Azure Front Door with WAF policies for global load balancing and security.
- Azure Firewall to control outbound traffic.

Which component of this design should be reconsidered to better meet the requirement to minimize operational overhead?

A. Replace Azure App Service with Azure Virtual Machine Scale Sets
B. Replace Azure Front Door with Azure Traffic Manager
C. Replace Azure Functions with Azure Kubernetes Service (AKS)
D. Replace Azure SQL Database with Azure SQL Managed Instance
Answer: C

AKS provides a container orchestration platform for stateless APIs with better control and scaling, and is more aligned with minimizing operational overhead for a microservices architecture compared to Functions, which is better for event-driven workloads.

Why this answer

Azure Functions is not ideal for a stateful API layer; Azure App Service (Web Apps) or Azure Kubernetes Service (AKS) would be better. However, the question says the API layer is stateless, so Azure Functions could work. But for a typical API layer, Azure App Service is more appropriate and easier to manage.

The correct answer is to replace Azure Functions with Azure App Service API apps or AKS. The distractors include other services that are not optimal.

17
Multi-Select · hard

A solution stores critical VM backups in Azure. The company wants protection against accidental or malicious deletion of backups. Which two controls should be included?

Select 2 answers
A. Disabling backup alerts
B. Storing all backups on the original VM disk
C. Soft delete for Azure Backup
D. Multi-user authorization or resource locks where applicable
Answers: C, D

Soft delete retains deleted backup data for recovery.

Why this answer

Soft delete for Azure Backup (Option C) is correct because it retains backup data for an additional 14 days after deletion, allowing recovery from accidental or malicious deletion. This feature is enabled by default for Recovery Services vaults and protects backup data even if the backup itself is deleted, providing a critical safety net against data loss.

Exam trap

The trap here is that candidates may overlook the need for both a data-level protection (soft delete) and a resource-level protection (resource locks), assuming one control is sufficient, or they may mistakenly think disabling alerts or storing backups on the same disk provides any deletion protection.

18
Multi-Select · medium

A company uses Azure Site Recovery to replicate VMs from the primary region to the secondary region. During a disaster, they want to ensure that the failover process is automated and includes runbooks to perform post-failover actions. Which TWO components are required? (Choose two.)

Select 2 answers
A. Azure Automation runbooks
B. Azure Site Recovery Recovery Plans
C. Azure Monitor alerts
D. Azure Logic Apps
E. Azure Backup
Answers: A, B

Runbooks can perform post-failover actions.

Why this answer

Options A and B are correct. Azure Automation runbooks can be integrated into recovery plans to execute tasks after failover. Recovery Plans in Azure Site Recovery allow you to sequence the failover of VMs and include runbooks.

Option E is wrong because Azure Backup is not involved in failover. Option D is wrong because Azure Logic Apps is not the standard way; Automation is used. Option C is wrong because Azure Monitor is for monitoring, not failover automation.

19
MCQ · hard

A healthcare organization is migrating a regulatory-compliant application to Azure. The application must be isolated from the internet and accessible only from on-premises networks via a private IP address. The solution must minimize latency and maximize throughput for large data transfers. Which Azure networking solution should the organization implement?

A. Azure Private Link
B. Azure VPN Gateway
C. Azure Virtual WAN
D. Azure ExpressRoute
Answer: D

ExpressRoute offers dedicated private connections with low latency and high throughput, ideal for large data transfers.

Why this answer

Option B (Azure VPN Gateway) uses IPsec tunnels over the internet, which may not provide the lowest latency and highest throughput. Option D (Azure ExpressRoute) provides dedicated private connections with higher bandwidth, lower latency, and more reliability than VPN. Option A (Azure Private Link) provides private connectivity to PaaS services but does not connect on-premises networks to VNets.

Option C (Azure Virtual WAN) is a hub-and-spoke architecture that can incorporate ExpressRoute, but the question asks for the best solution to connect on-premises to Azure privately. ExpressRoute is the optimal choice for low latency and high throughput.

20
MCQ · medium

A company runs a three-tier application on Azure VMs in the West US region. They want to enable disaster recovery to East US using Azure Site Recovery. The application requires that the web tier starts first, then the application tier, and finally the database tier after a consistency check. They also need to be able to perform non-disruptive DR drills. Which Azure Site Recovery capabilities should they use together?

A. Recovery Plan with pre/post actions and Test Failover
B. Network mapping and IP customization
C. Replication policy with crash-consistent snapshots
D. Azure Automation runbooks and Azure Monitor alerts
Answer: A

Correct. Recovery Plans orchestrate startup order with scripts, and Test Failover allows isolated drills.

Why this answer

Option A is correct because a Recovery Plan in Azure Site Recovery allows you to define the startup order of tiers (web, app, database) using pre-actions and post-actions, which can invoke Azure Automation runbooks or scripts to perform the consistency check. Test Failover enables non-disruptive DR drills by creating an isolated copy of the replicated VMs in East US without impacting the production environment. Together, these capabilities meet both the ordered startup and drill requirements.

Exam trap

The trap here is that candidates may confuse general Azure automation or networking features (like runbooks or network mapping) with the specific ASR capabilities required for ordered startup and drills, overlooking that Recovery Plan and Test Failover are the exact ASR features designed for these purposes.

How to eliminate wrong answers

Option B is wrong because network mapping and IP customization handle network connectivity and IP address assignment during failover, but they do not control the startup order of tiers or enable non-disruptive drills. Option C is wrong because a replication policy with crash-consistent snapshots provides a point-in-time copy of VMs, but it does not orchestrate the sequence of tier startup or support test failovers. Option D is wrong because Azure Automation runbooks and Azure Monitor alerts can automate tasks and monitor health, but they are not native ASR capabilities for defining recovery plan steps or performing DR drills; runbooks can be used within recovery plans, but the question asks for ASR capabilities, and alerts alone do not enable drills.

21
MCQ (hard)

A company uses Microsoft Entra ID and Microsoft Intune. They want to block access to all corporate cloud applications (e.g., Office 365, Azure portal) from devices that are not enrolled in Intune or do not meet the company's compliance policies. The solution must work seamlessly for all cloud apps without requiring per-app configuration. Which Microsoft Entra ID feature should they configure?

A.Conditional Access policy with 'Require device to be marked as compliant' grant control
B.Microsoft Entra ID Identity Protection
C.Privileged Identity Management (PIM)
D.Microsoft Entra ID B2C
Answer: A

Correct: Conditional Access can be scoped to 'All cloud apps' and require device compliance, which uses Intune compliance policies.

Why this answer

Option A is correct because a Conditional Access policy with the 'Require device to be marked as compliant' grant control enforces device compliance across all cloud apps (Office 365, Azure portal, etc.) without per-app configuration. This works by integrating with Intune compliance policies and checking device enrollment status at the time of authentication, blocking non-compliant or unenrolled devices at the Entra ID level.

Exam trap

The trap here is that candidates often confuse Identity Protection (risk-based) with Conditional Access (policy-based), or assume that per-app configuration is required, when in fact Conditional Access applies globally to all cloud apps registered in Entra ID.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra ID Identity Protection is designed to detect and respond to identity-based risks (e.g., leaked credentials, anonymous IP addresses), not to enforce device compliance or enrollment for cloud app access. Option C is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role activation and approval workflows, not device-level access controls. Option D is wrong because Microsoft Entra ID B2C is a customer-facing identity service for external users (e.g., social logins), not for blocking corporate cloud apps based on device compliance.
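As an added example (not part of the question bank), this is the Microsoft Graph representation of the policy described above: all users, all cloud apps, access granted only when the device is marked compliant. The break-glass group object ID is a placeholder, and the policy is created in report-only mode so its effect can be reviewed in sign-in logs before switching `state` to `enabled`.

```json
{
  "displayName": "Require Intune-compliant device for all cloud apps",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "clientAppTypes": ["all"],
    "applications": {
      "includeApplications": ["All"]
    },
    "users": {
      "includeUsers": ["All"],
      "excludeGroups": ["<break-glass-accounts-group-object-id>"]
    }
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": ["compliantDevice"]
  }
}
```

Submitting this body to `POST /identity/conditionalAccess/policies` creates the policy; the `compliantDevice` control is evaluated against the Intune compliance state of the signing-in device, with no per-application configuration.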

22
MCQ (easy)

A company needs to provide secure remote administration access to Azure virtual machines for their IT team. The VMs are in a virtual network with no public IP addresses. The IT team uses browsers to connect. The solution should not require any custom software on the client machines. Which Azure service should they use?

A.Azure Bastion
B.Just-in-Time VM access
C.Azure VPN Gateway
D.Microsoft Entra ID Domain Services
Answer: A

Correct. Azure Bastion provides browser-based RDP/SSH connectivity without public IPs or client software.

Why this answer

Azure Bastion provides secure, seamless RDP/SSH connectivity to Azure virtual machines directly in the Azure portal over TLS. Because the VMs have no public IP addresses, Bastion acts as a jump server that is deployed inside the virtual network, eliminating the need for any public exposure. Since the IT team uses browsers and cannot install custom software, Bastion's native browser-based HTML5 client meets the requirement perfectly.

Exam trap

The trap here is that candidates often confuse Just-in-Time VM access (which still requires a public IP and a client) with Bastion's fully browser-based, no-public-IP solution, or they mistakenly think a VPN gateway provides browser-based RDP/SSH without client software.

How to eliminate wrong answers

Option B (Just-in-Time VM access) is wrong because it only reduces the attack surface by temporarily opening ports on existing public IPs or NSGs; it does not eliminate the need for public IPs and still requires a client-side RDP/SSH client, not a browser. Option C (Azure VPN Gateway) is wrong because it requires installing a VPN client on each IT team member's machine and does not provide browser-based access; it also requires a public endpoint for the VPN gateway itself. Option D (Microsoft Entra ID Domain Services) is wrong because it provides managed domain services (LDAP, Kerberos, NTLM) for authentication and group policy, not remote desktop or SSH connectivity to VMs.

23
MCQ (medium)

A healthcare organization is migrating its on-premises applications to Azure. The applications use custom authentication and authorization logic and require low latency between application tiers. The organization needs to ensure that the applications can scale out dynamically based on user demand, and that costs are minimized by only paying for resources when they are used. The applications are expected to have variable traffic patterns, with peak usage during business hours and low usage at night. You need to design a compute solution that meets these requirements. What should you recommend?

A.Migrate the applications to Azure Virtual Machine Scale Sets with autoscaling.
B.Migrate the applications to Azure App Service with autoscaling enabled.
C.Migrate the applications to Azure Functions with consumption plan.
D.Migrate the applications to Azure Kubernetes Service (AKS) with cluster autoscaler.
Answer: B

App Service supports custom auth, autoscaling, and consumption-based billing.

Why this answer

Option B is correct because Azure App Service with autoscaling allows dynamic scaling, supports custom authentication, and you only pay for the resources used. Option C is wrong because Azure Functions is event-driven, not ideal for stateful custom authentication. Option D is wrong because Azure Kubernetes Service (AKS) adds complexity and cost for this use case. Option A is wrong because Azure Virtual Machine Scale Sets require more management of VMs and are less cost-effective for variable traffic.

24
MCQ (hard)

A company runs a critical application on Azure SQL Managed Instance in the West US region. They need a disaster recovery solution that provides automatic failover to a secondary region (East US) with no data loss (synchronous replication) and a recovery time objective (RTO) of less than 1 hour. They also want to offload read-only workloads to the secondary during normal operations. Which Azure feature should they implement?

A.Auto-failover groups with synchronous replication
B.Active geo-replication
C.Geo-restore of backups
D.Azure Site Recovery
Answer: A

Auto-failover groups for Managed Instance support synchronous replication to a secondary region, ensuring zero data loss. RTO is under 1 hour, and the secondary can be used for read-only workloads.

Why this answer

Auto-failover groups with synchronous replication is the correct choice because Azure SQL Managed Instance supports failover groups that can use synchronous replication to ensure zero data loss (RPO = 0) when the primary and secondary sit in a pair of Azure paired regions. The automatic failover capability meets the RTO of less than 1 hour, and the secondary region can be used for read-only query offloading by connecting to the secondary listener endpoint.

Exam trap

The trap here is that candidates often confuse active geo-replication (which supports readable secondaries but only asynchronous replication) with auto-failover groups (which support synchronous replication and automatic failover), leading them to choose active geo-replication despite the zero data loss requirement.

How to eliminate wrong answers

Option B is wrong because active geo-replication does not support synchronous replication for SQL Managed Instance; it uses asynchronous replication, which can result in data loss. Option C is wrong because geo-restore of backups is a manual process with RTO measured in hours or days, not less than 1 hour, and does not provide automatic failover or read-only offloading. Option D is wrong because Azure Site Recovery is designed for IaaS VMs and on-premises workloads, not for PaaS services like Azure SQL Managed Instance, and cannot achieve synchronous replication with zero data loss for this service.

25
MCQ (easy)

You are designing a monitoring solution for a critical application hosted on Azure Virtual Machines. The application is latency-sensitive and you need to be alerted when CPU usage exceeds 90% for more than 5 minutes. Which Azure Monitor feature should you use?

A.Service health alert
B.Metric alert
C.Log alert
D.Activity log alert
Answer: B

Metric alerts monitor numeric values like CPU percentage and can trigger on threshold conditions.

Why this answer

Metric alerts in Azure Monitor evaluate resource metrics (like CPU percentage) at regular intervals and trigger actions when a threshold is breached for a specified duration. Since the question involves a latency-sensitive application and a numeric threshold (CPU > 90% for 5 minutes), a metric alert is the correct choice because it provides near-real-time, low-latency evaluation directly from the VM's performance counters.

Exam trap

The trap here is that candidates often confuse Log alerts (which are powerful for complex queries) with Metric alerts, forgetting that Log alerts introduce latency from log ingestion and indexing, making them inappropriate for time-sensitive, threshold-based CPU monitoring.

How to eliminate wrong answers

Option A is wrong because Service Health alerts notify about Azure service-level issues (e.g., regional outages, planned maintenance), not about the performance of your specific virtual machines. Option C is wrong because Log alerts query log data (e.g., from Azure Monitor Logs or Application Insights) and have inherent ingestion and query latency, making them unsuitable for sub-5-minute, latency-sensitive CPU threshold alerts. Option D is wrong because Activity Log alerts monitor changes to Azure resources (e.g., VM creation, deletion, or configuration changes), not the operational metrics like CPU usage.

26
MCQ (easy)

A company uses Microsoft Entra ID. They want to automatically detect and respond to high-risk sign-in events, such as sign-ins from malware-linked IP addresses or leaked credentials. When such risks are detected, they want to require multi-factor authentication (MFA) or block the sign-in. They also need a dashboard to review risk events and generate reports. Which Microsoft Entra ID feature should they configure?

A.Microsoft Entra ID Privileged Identity Management (PIM)
B.Microsoft Entra ID Identity Protection
C.Microsoft Entra ID Conditional Access
D.Microsoft Entra ID Identity Governance
Answer: B

Identity Protection detects risks such as leaked credentials, sign-ins from anonymous IP addresses, and malware-linked IP addresses. It provides risk-based conditional access policies and a dashboard for reporting.

Why this answer

Microsoft Entra ID Identity Protection is the correct feature because it is specifically designed to automatically detect and respond to high-risk sign-in events, such as sign-ins from malware-linked IP addresses or leaked credentials. It provides risk-based conditional access policies that can require MFA or block sign-ins, and it includes a dashboard for reviewing risk events and generating reports. This aligns directly with the scenario's requirements for detection, automated response, and reporting.

Exam trap

The trap here is that candidates often confuse Conditional Access with Identity Protection, not realizing that Conditional Access is the enforcement mechanism while Identity Protection is the detection and risk-scoring engine that provides the necessary risk signals.

How to eliminate wrong answers

Option A is wrong because Privileged Identity Management (PIM) is focused on managing, controlling, and monitoring access to privileged roles, not on detecting or responding to sign-in risks like leaked credentials or malware-linked IPs. Option C is wrong because Conditional Access is a policy engine that enforces access controls (like MFA) based on conditions, but it does not itself detect risk events or provide a risk dashboard; it relies on Identity Protection to supply risk signals. Option D is wrong because Identity Governance handles access reviews, entitlement management, and lifecycle workflows, not real-time risk detection or automated response to high-risk sign-ins.

27
MCQ (hard)

You deploy the above ARM template. The deployment succeeds. However, you cannot access the storage account from the Azure portal. What is the most likely reason?

A.The storage account is configured to require HTTPS traffic only.
B.The network ACLs deny all traffic by default, and no allow rules are configured.
C.The minimum TLS version is set to TLS 1.2, which is not supported by the portal.
D.The encryption key source is set to Microsoft.Storage, which prevents portal access.
Answer: B

Default action is Deny with no IP or virtual network rules, blocking portal access.

Why this answer

Option B is correct because the ARM template likely includes a network ACL configuration that, by default, denies all traffic. Without explicit allow rules for the Azure portal's IP ranges or the 'Allow trusted Microsoft services' exception, the portal cannot reach the storage account's management endpoints, resulting in an inability to access it from the portal despite a successful deployment.

Exam trap

The trap here is that candidates often overlook network ACLs as a cause for portal access failure, mistakenly focusing on TLS versions or encryption settings, which do not affect basic connectivity from the Azure portal.

How to eliminate wrong answers

Option A is wrong because requiring HTTPS traffic only does not block portal access; the portal uses HTTPS to communicate with storage accounts, so this setting would not prevent access. Option C is wrong because the Azure portal fully supports TLS 1.2; setting the minimum TLS version to 1.2 does not block portal access, as the portal uses TLS 1.2 or higher. Option D is wrong because setting the encryption key source to Microsoft.Storage is the default and does not affect portal access; portal connectivity is independent of encryption key management.
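The exhibit is not reproduced here, so the following is an added ARM template (not the exam's) that shows the configuration the explanation describes next to a corrected one. Both accounts keep HTTPS-only and TLS 1.2 to make the point that those settings are not what blocks the portal; the account names and the `203.0.113.0/24` admin range are placeholder values, and the `//` comments are ARM template comments.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "lockedOutAccountName": { "type": "string" },
    "reachableAccountName": { "type": "string" },
    "adminPublicIpRange": { "type": "string", "defaultValue": "203.0.113.0/24" }
  },
  "resources": [
    {
      // Exhibit-style configuration: Deny by default with no allow rules and no
      // trusted-service bypass. Deployment succeeds, but no client, including the
      // browser of a portal user, can reach the blob/file/queue/table endpoints.
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2023-01-01",
      "name": "[parameters('lockedOutAccountName')]",
      "location": "[resourceGroup().location]",
      "sku": { "name": "Standard_LRS" },
      "kind": "StorageV2",
      "properties": {
        "supportsHttpsTrafficOnly": true,
        "minimumTlsVersion": "TLS1_2",
        "networkAcls": {
          "bypass": "None",
          "defaultAction": "Deny",
          "ipRules": [],
          "virtualNetworkRules": []
        }
      }
    },
    {
      // Corrected configuration: still Deny by default (the secure posture), but with
      // an explicit allow rule for the IT team's public range and the trusted
      // Microsoft services bypass, so a portal session from that range can browse data.
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2023-01-01",
      "name": "[parameters('reachableAccountName')]",
      "location": "[resourceGroup().location]",
      "sku": { "name": "Standard_LRS" },
      "kind": "StorageV2",
      "properties": {
        "supportsHttpsTrafficOnly": true,
        "minimumTlsVersion": "TLS1_2",
        "networkAcls": {
          "bypass": "AzureServices",
          "defaultAction": "Deny",
          "ipRules": [
            { "value": "[parameters('adminPublicIpRange')]", "action": "Allow" }
          ],
          "virtualNetworkRules": []
        }
      }
    }
  ]
}
```

The fix is narrowing the deny rather than removing it: an allow rule for the administrators' egress range plus the trusted-services bypass, instead of switching `defaultAction` back to `Allow`.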

28
Multi-Select (medium)

Which TWO of the following are valid Azure Policy effects that can be used to enforce compliance?

Select 2 answers
A.DeployIfNotExists
B.Deny
C.AuditIfNotExists
D.Modify
E.AutoRemediate
Answers: A, D

DeployIfNotExists deploys resources if they are missing, enforcing compliance.

Why this answer

DeployIfNotExists is a valid Azure Policy effect that evaluates resources after creation and deploys a template to remediate non-compliant resources, such as automatically installing the Log Analytics agent on VMs missing it. This effect enforces compliance by actively deploying resources to meet policy rules, making it correct for this question.

Exam trap

The trap here is that candidates often confuse 'AuditIfNotExists' with a remediation effect, but it only audits and does not enforce compliance, while 'AutoRemediate' sounds plausible but is not a real Azure Policy effect.

29
MCQ (easy)

Your company has a hybrid identity environment with Microsoft Entra ID and an on-premises Active Directory. You need to enable single sign-on (SSO) for users accessing Microsoft 365 applications from domain-joined devices. Which authentication method should you configure?

A.Microsoft Entra Pass-through Authentication
B.Microsoft Entra password hash synchronization
C.Microsoft Entra Seamless SSO
D.Active Directory Federation Services (AD FS)
Answer: C

Seamless SSO provides automatic sign-in for domain-joined devices.

Why this answer

Option C is correct. Seamless SSO automatically signs users in when they are on domain-joined devices connected to the corporate network. Option A is wrong because Pass-through Authentication validates passwords on-premises but does not provide SSO. Option B is wrong because password hash sync does not provide SSO by itself. Option D is wrong because federation with AD FS can provide SSO but is more complex than Seamless SSO for this scenario.

30
Multi-Select (hard)

Your organization is designing a governance solution for multiple Azure subscriptions. You need to enforce that all resources are created in specific Azure regions (East US and West Europe only). Additionally, any resource group must have a cost center tag. Which THREE Azure components should you use? (Choose three.)

Select 3 answers
A.Azure Policy
B.Azure Blueprints
C.Policy Initiative
D.Management Groups
E.Role-Based Access Control (RBAC)
Answers: A, C, D

Azure Policy can enforce allowed locations and require tags on resource groups.

Why this answer

Azure Policy is correct because it allows you to define and enforce rules for resource creation, such as restricting allowed locations to East US and West Europe. By assigning a built-in or custom policy definition to a management group or subscription, you can prevent any resource from being created outside the specified regions. This directly addresses the requirement to enforce regional compliance.

Exam trap

The trap here is that candidates often confuse Azure Blueprints (which packages and deploys resources) with Azure Policy (which enforces rules), or they overlook that Management Groups are needed to apply policies across multiple subscriptions efficiently.

31
MCQ (medium)

A company is designing a disaster recovery solution for Azure VMs running a critical application. They need a Recovery Time Objective (RTO) of less than 1 hour and a Recovery Point Objective (RPO) of 15 minutes. The solution should be cost-effective and allow testing without affecting production. Which Azure service should they use?

A.Azure Migrate
B.Azure Backup
C.Azure Front Door
D.Azure Site Recovery
Answer: D

Azure Site Recovery meets the RTO and RPO requirements and supports testing.

Why this answer

Azure Site Recovery provides replication with RPO as low as 15 minutes and enables failover with RTO typically less than 1 hour. It also supports non-disruptive disaster recovery drills. Option B is wrong because Azure Backup has a higher RPO and RTO. Option A is wrong because Azure Migrate is for migration, not DR. Option C is wrong because Azure Front Door is for global load balancing.

32
MCQ (easy)

A company uses Microsoft Entra ID. They need to automatically block sign-ins from users whose accounts have been identified as high-risk for compromise. They also want users to be prompted to reset their password when the risk is detected. Which Microsoft Entra ID feature should they use?

A.Identity Protection with user risk policy
B.Conditional Access with location policy
C.Microsoft Entra ID MFA
D.Microsoft Entra ID Privileged Identity Management
Answer: A

User risk policy can block sign-in or force password change when a user is deemed high risk.

Why this answer

Identity Protection with a user risk policy is the correct feature because it allows automatic blocking of sign-ins when a user's account is flagged as high-risk by Microsoft's machine learning models. Additionally, the policy can be configured to require a secure password reset (self-service password reset) as a remediation action, directly meeting both requirements.

Exam trap

The trap here is that candidates often confuse Conditional Access (which handles location, device, and app conditions) with Identity Protection's risk-based policies, but only Identity Protection directly evaluates user risk and triggers automated password reset remediation.

How to eliminate wrong answers

Option B is wrong because Conditional Access with a location policy controls access based on geographic location (e.g., blocking sign-ins from untrusted countries), not on user risk level. Option C is wrong because Microsoft Entra ID MFA adds a second authentication factor but does not automatically block sign-ins based on risk or force a password reset. Option D is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role activation and oversight, not risk-based sign-in blocking or password reset prompts.

33
MCQ (easy)

A company deploys a web application on Azure VMs in a single region. They need to distribute incoming HTTPS traffic across multiple VMs, offload SSL termination, and provide session persistence. Which Azure load balancing solution should they choose?

A.Azure Load Balancer (Standard SKU)
B.Azure Application Gateway
C.Azure Traffic Manager
D.Azure Front Door
Answer: B

Provides Layer 7 load balancing, SSL offload, session persistence, and health probes.

Why this answer

Azure Application Gateway is the correct choice because it is a Layer 7 load balancer that supports SSL termination, session persistence (via cookie-based affinity), and HTTP/HTTPS traffic distribution. Unlike Azure Load Balancer (Layer 4), it can inspect application-layer headers and offload SSL decryption, meeting all three requirements.

Exam trap

The trap here is that candidates often confuse Azure Load Balancer (Layer 4) with Application Gateway (Layer 7), assuming all load balancers handle SSL termination, but only Layer 7 solutions like Application Gateway or Front Door can offload HTTPS traffic and provide cookie-based session persistence.

How to eliminate wrong answers

Option A is wrong because Azure Load Balancer operates at Layer 4 (TCP/UDP) and cannot perform SSL termination or application-layer session persistence; it only distributes traffic based on IP and port. Option C is wrong because Azure Traffic Manager is a DNS-based global traffic router that does not handle SSL termination or session persistence; it directs clients to endpoints based on DNS resolution, not proxying traffic. Option D is wrong because Azure Front Door is a global Layer 7 service with SSL termination and session affinity, but it is designed for multi-region distribution and CDN scenarios, not for a single-region VM deployment where Application Gateway is the more appropriate and cost-effective choice.

34
MCQ (medium)

You need to monitor Azure resources and send alerts when the CPU usage of a virtual machine exceeds 90% for 5 minutes. Which two Azure services should you use? (Select TWO.)

A.Azure Monitor Action Groups
B.Log Analytics
C.Azure Monitor
D.Application Insights
E.Event Grid
Answers: A, C

Action groups define the notification actions for alerts.

Why this answer

Azure Monitor is the core service for collecting and analyzing metrics and logs from Azure resources. It can be configured with metric alerts that trigger when CPU usage exceeds 90% for 5 minutes. Action Groups define the notification and response actions (e.g., email, SMS, webhook) that are executed when the alert fires, making them essential for sending alerts.

Exam trap

The trap here is that candidates often confuse Log Analytics (a log query tool) with Azure Monitor (the alerting engine), or mistakenly think Application Insights can monitor VM-level metrics, when it is designed for application-level telemetry.

How to eliminate wrong answers

Option B is wrong because Log Analytics is a tool for querying and analyzing log data, not for creating metric-based alerts or sending notifications directly. Option D is wrong because Application Insights is focused on application performance monitoring (APM) for web applications, not infrastructure-level VM CPU metrics. Option E is wrong because Event Grid is a serverless event routing service used for reacting to Azure resource state changes (e.g., VM creation), not for monitoring CPU thresholds or sending alerts.
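Questions 25 and 34 describe the same alert, so here is one added ARM template (not from the question bank) that wires both pieces together: an action group that emails the operations team, and a metric alert on `Percentage CPU` that fires when the 5-minute average exceeds 90. The VM resource ID and recipient address are parameters; the `//` comments are ARM template comments.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "vmResourceId": { "type": "string" },
    "opsEmail": { "type": "string" }
  },
  "resources": [
    {
      // Action group: who is notified and how when any alert referencing it fires.
      "type": "Microsoft.Insights/actionGroups",
      "apiVersion": "2023-01-01",
      "name": "ag-vm-ops",
      "location": "Global",
      "properties": {
        "groupShortName": "vmops",
        "enabled": true,
        "emailReceivers": [
          {
            "name": "ops-email",
            "emailAddress": "[parameters('opsEmail')]",
            "useCommonAlertSchema": true
          }
        ]
      }
    },
    {
      // Metric alert: evaluated every minute over a 5-minute window, so the alert
      // fires when the average CPU across the last 5 minutes is above 90 percent.
      "type": "Microsoft.Insights/metricAlerts",
      "apiVersion": "2018-03-01",
      "name": "vm-cpu-over-90-for-5m",
      "location": "global",
      "dependsOn": [
        "[resourceId('Microsoft.Insights/actionGroups', 'ag-vm-ops')]"
      ],
      "properties": {
        "description": "Average CPU above 90% over a 5-minute window",
        "severity": 2,
        "enabled": true,
        "scopes": ["[parameters('vmResourceId')]"],
        "evaluationFrequency": "PT1M",
        "windowSize": "PT5M",
        "targetResourceType": "Microsoft.Compute/virtualMachines",
        "criteria": {
          "odata.type": "Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria",
          "allOf": [
            {
              "criterionType": "StaticThresholdCriterion",
              "name": "HighCpu",
              "metricNamespace": "Microsoft.Compute/virtualMachines",
              "metricName": "Percentage CPU",
              "timeAggregation": "Average",
              "operator": "GreaterThan",
              "threshold": 90
            }
          ]
        },
        // Auto-resolve when the condition clears, so the action group is not re-notified
        // on every evaluation while CPU stays high.
        "autoMitigate": true,
        "actions": [
          { "actionGroupId": "[resourceId('Microsoft.Insights/actionGroups', 'ag-vm-ops')]" }
        ]
      }
    }
  ]
}
```

Because the metric is read from the platform counters rather than from ingested logs, the alert evaluates with the low latency the explanation above contrasts against log alerts.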

35
MCQ (easy)

Your company has an Azure subscription with multiple resource groups. You need to ensure that all resources are tagged with a 'CostCenter' tag. What should you use?

A.Azure Policy
B.Azure Blueprints
C.Management Groups
D.Azure RBAC
Answer: A

Azure Policy can enforce tagging rules.

Why this answer

Azure Policy is the correct choice because it enforces organizational standards and compliance by evaluating resources for non-compliance with defined rules, such as requiring a specific tag. You can create a policy that audits or denies resources missing the 'CostCenter' tag, ensuring all resources are tagged automatically or during deployment.

Exam trap

The trap here is that candidates often confuse Azure Policy with Azure Blueprints, thinking Blueprints can enforce tags directly, but Blueprints only define the initial state and do not enforce ongoing compliance like Policy does.

How to eliminate wrong answers

Option B is wrong because Azure Blueprints is used for orchestrating the deployment of resource groups, policies, role assignments, and ARM templates as a repeatable environment, not for enforcing tags on individual resources. Option C is wrong because Management Groups provide a hierarchical structure for organizing subscriptions and applying policies at scale, but they are not the direct enforcement mechanism for tagging resources. Option D is wrong because Azure RBAC manages access control by assigning roles to users, groups, or applications, and does not enforce resource tagging.
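Questions 30 and 35 both come down to policy definitions, so here is one added subscription-scope ARM template (not from the question bank) that defines the two rules and bundles them into an initiative: deny resources outside `eastus` and `westeurope`, and deny resource groups created without a `CostCenter` tag. Dropping the resource-group `type` clause from the second rule (and using mode `Indexed`) gives the all-resources variant Question 35 asks for. The `[[` prefix is how an ARM template escapes a policy-language expression; the `//` comments are ARM template comments.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      // Custom definition: deny any resource whose location is outside the approved
      // list. "global" is excluded so region-less resources (e.g. DNS zones) still deploy.
      "type": "Microsoft.Authorization/policyDefinitions",
      "apiVersion": "2021-06-01",
      "name": "deny-unapproved-locations",
      "properties": {
        "policyType": "Custom",
        "mode": "Indexed",
        "displayName": "Deny resources outside approved regions",
        "parameters": {
          "allowedLocations": {
            "type": "Array",
            "defaultValue": ["eastus", "westeurope"]
          }
        },
        "policyRule": {
          "if": {
            "allOf": [
              { "field": "location", "notIn": "[[parameters('allowedLocations')]" },
              { "field": "location", "notEquals": "global" }
            ]
          },
          "then": { "effect": "deny" }
        }
      }
    },
    {
      // Custom definition: deny resource groups that arrive without a CostCenter tag.
      // Mode "All" is required because resource groups are not indexed resources.
      "type": "Microsoft.Authorization/policyDefinitions",
      "apiVersion": "2021-06-01",
      "name": "require-costcenter-tag-on-rg",
      "properties": {
        "policyType": "Custom",
        "mode": "All",
        "displayName": "Require CostCenter tag on resource groups",
        "policyRule": {
          "if": {
            "allOf": [
              { "field": "type", "equals": "Microsoft.Resources/subscriptions/resourceGroups" },
              { "field": "tags['CostCenter']", "exists": "false" }
            ]
          },
          "then": { "effect": "deny" }
        }
      }
    },
    {
      // Initiative (policy set) so both rules are assigned once, e.g. at a management
      // group that contains every subscription in scope.
      "type": "Microsoft.Authorization/policySetDefinitions",
      "apiVersion": "2021-06-01",
      "name": "governance-baseline",
      "dependsOn": [
        "[subscriptionResourceId('Microsoft.Authorization/policyDefinitions', 'deny-unapproved-locations')]",
        "[subscriptionResourceId('Microsoft.Authorization/policyDefinitions', 'require-costcenter-tag-on-rg')]"
      ],
      "properties": {
        "displayName": "Regional and tagging governance baseline",
        "policyDefinitions": [
          {
            "policyDefinitionReferenceId": "allowedLocations",
            "policyDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/policyDefinitions', 'deny-unapproved-locations')]"
          },
          {
            "policyDefinitionReferenceId": "costCenterTagOnResourceGroups",
            "policyDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/policyDefinitions', 'require-costcenter-tag-on-rg')]"
          }
        ]
      }
    }
  ]
}
```

Assigning the initiative at a management group is what makes the rules apply uniformly across all child subscriptions, which is why Management Groups are part of the answer to Question 30.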

36
MCQ (hard)

Your company is deploying a critical application on Azure VMs. The application requires a static private IP address that does not change even if the VM is stopped and deallocated. The VM must be placed in an availability zone for high availability. Which networking approach should you use?

A.Use Azure Firewall to provide static private IP and load balancing.
B.Assign a static private IP address to the VM's NIC and use a standard public load balancer.
C.Use Azure Traffic Manager to assign static private IP.
D.Use Application Gateway with a static private IP.
Answer: B

Static private IP persists even when VM is deallocated, and load balancer provides high availability.

Why this answer

Option B is correct because a standard public load balancer can be used in front of the VMs, and a static private IP can be assigned through NIC-level static IP allocation. Option A is incorrect because Azure Firewall is not for load balancing. Option C is incorrect because Traffic Manager is a DNS-based load balancer for global traffic. Option D is incorrect because Application Gateway is a layer 7 load balancer, but it does not provide a static private IP for the VM itself.

37
MCQ (hard)

Refer to the exhibit. You are reviewing an ARM template for deploying a storage account. The template is missing the storage account name parameter definition. What will happen when you attempt to deploy this template?

A.The deployment will prompt the user to provide the missing parameter.
B.The deployment will fail with a validation error because the parameter is not defined.
C.The deployment will succeed using a default name based on the resource group.
D.The deployment will create a storage account with a random name.
Answer: B

The template is invalid; the deployment engine will reject it.

Why this answer

In Azure Resource Manager (ARM) templates, all parameters must be explicitly defined in the `parameters` section of the template. If a parameter is referenced (e.g., in the `resources` section) but not defined, the deployment fails with a validation error before any resource provisioning begins. This is because ARM validates the template structure and parameter definitions during the pre-deployment validation phase, and an undefined parameter is considered a syntax error.

Exam trap

The trap here is that candidates may assume Azure will automatically prompt for or generate a missing parameter, similar to how some Azure Portal experiences handle missing inputs, but ARM templates strictly enforce parameter definitions and fail fast on validation.

How to eliminate wrong answers

Option A is wrong because ARM templates do not prompt the user for missing parameters; they fail validation if a referenced parameter is not defined. Option C is wrong because there is no default name generation based on the resource group; storage account names must be explicitly provided or generated via a defined parameter or variable. Option D is wrong because ARM does not automatically assign random names; the deployment fails before any resource creation occurs.

38
MCQ (medium)

A media company needs to store large video files that are frequently accessed for the first month, then infrequently after that. They want to minimize storage costs while ensuring files are instantly accessible when needed. Which storage strategy should they implement?

A.Store all files in the hot access tier
B.Manually move files between tiers using AzCopy
C.Store all files in the archive access tier
D.Use Azure Blob Storage lifecycle management to move files from hot to cool after 30 days
Answer: D

Lifecycle management automates tiering to optimize cost and access.

Why this answer

Option D is correct because Azure Blob Storage lifecycle management allows you to define rules that automatically transition blobs from the hot tier (frequent access) to the cool tier (infrequent access) after a specified number of days. This meets the requirement of instant accessibility for the first month and cost minimization thereafter, as the cool tier offers lower storage costs with the same low-latency access as the hot tier.

Exam trap

The trap here is that candidates may choose manual tiering (Option B) thinking it offers more control, but the exam tests the understanding that Azure's built-in lifecycle management is the automated, cost-optimized solution for predictable access patterns, and that archive tier (Option C) is not instantly accessible.

How to eliminate wrong answers

Option A is wrong because storing all files in the hot access tier incurs higher storage costs for the infrequently accessed period after the first month, failing to minimize costs. Option B is wrong because manually moving files between tiers using AzCopy is not a scalable or automated solution; it requires ongoing operational overhead and does not provide a policy-driven, cost-effective strategy for large volumes of files. Option C is wrong because the archive access tier has a retrieval latency of several hours (up to 15 hours for rehydration), which violates the requirement for instant accessibility when files are needed.

39
MCQ (medium)

A company is designing a solution for storing sensitive documents in Azure Blob Storage. They require that all data be encrypted at rest using a customer-managed key (CMK) stored in Azure Key Vault. Additionally, they want to prevent any accidental deletion of the key vault and its keys. Which combination of actions should they take?

A.Assign the Key Vault Contributor role to only the security team
B.Configure firewall rules to restrict network access
C.Enable soft-delete and purge protection on the key vault
D.Enable diagnostic settings and send logs to a Log Analytics workspace
Answer: C

Soft-delete and purge protection prevent deletion.

Why this answer

Option C is correct because enabling soft-delete and purge protection on the key vault prevents accidental deletion. Option A is incorrect because RBAC alone does not prevent deletion. Option B is incorrect because firewall rules do not prevent deletion. Option D is incorrect because logging does not prevent deletion.

40
Multi-Select (hard)

Which THREE of the following are best practices for designing a business continuity solution using Azure Site Recovery? (Select THREE.)

Select 3 answers
A.Configure automatic failover for all VMs without manual intervention
B.Perform test failovers regularly to validate the recovery plan
C.Use recovery plans to orchestrate failover of multi-tier applications
D.Use a single target region for all VMs to simplify management
E.Enable replication for all VMs that are critical to the application
Answers: B, C, E

Regular testing ensures the plan works.

Why this answer

Options B, C, and E are correct. Testing failover regularly validates the DR plan. Using a recovery plan orchestrates failover of multi-tier applications. Enabling replication for all critical VMs ensures protection. Option D is wrong because using a single target region for all VMs can cause resource contention; multiple target regions may be needed. Option A is wrong because manual failover should be used only if automatic fails.

41
Multi-Select (medium)

Which TWO of the following are valid design considerations for implementing Azure SQL Database geo-replication? (Choose two.)

Select 2 answers
A.Geo-replication ensures zero data loss during failover
B.Geo-replication supports up to four readable secondary replicas
C.Geo-replication provides automatic failover without manual intervention
D.Geo-replication requires a listener for client connections
E.Geo-replication can be used to offload read-only workloads
AnswersB, E

You can have up to four readable secondaries in different regions.

Why this answer

Geo-replication creates readable secondaries in a paired region for disaster recovery. Option A (zero data loss during failover) is incorrect because geo-replication is asynchronous, so there may be data loss. Option B (supports up to four readable secondaries) is correct.

Option E (can be used to offload read-only workloads) is correct. Option C is incorrect because failover is manual, or you can use auto-failover groups. Option D is incorrect because geo-replication does not require a listener; connection strings point to the server name.

42
MCQ (easy)

You are reviewing the data protection settings of an Azure Blob Storage container using the above JSON. Which of the following is true?

A. Deleted blobs are retained for 30 days
B. Blobs can be restored to any point within the last 7 days
C. Previous versions of blobs are retained
D. Versioning is disabled
Answer: C

Versioning is enabled.

Why this answer

Option C is correct because the JSON shows that the `versioning` property is set to `Enabled` for the Blob Storage container. When versioning is enabled, every modification to a blob creates a new version, and previous versions are retained indefinitely (or until explicitly deleted or a lifecycle management policy removes them). This directly supports the statement that previous versions of blobs are retained.

Exam trap

The trap here is that candidates may confuse versioning with soft delete or point-in-time restore, assuming that versioning alone provides a specific retention period or point-in-time recovery capability, when in fact versioning retains all versions indefinitely unless a lifecycle policy is applied.

How to eliminate wrong answers

Option A is wrong because the JSON does not specify a soft-delete retention period; the `deleteRetentionPolicy` is not shown or is set to a different value, and the default soft-delete retention for blobs is 7 days, not 30 days. Option B is wrong because point-in-time restore requires both versioning and change feed to be enabled, and the JSON does not indicate that change feed is enabled; additionally, point-in-time restore has a maximum retention period of 30 days, not 7 days. Option D is wrong because the JSON explicitly shows `"versioning": "Enabled"`, meaning versioning is enabled, not disabled.

43
MCQ (medium)

A software company hosts 100 small Azure SQL databases for different clients. Each database has low average usage but experiences unpredictable spikes. The company wants to minimize costs while allowing each database to burst up to a maximum resource limit during spikes. They also need to easily add new databases without manual sizing. Which Azure SQL Database deployment option should they use?

A. Elastic pools
B. Single databases with DTU-based tiers
C. Managed Instance
D. Hyperscale single database
Answer: A

Elastic pools allow sharing resources among databases, support bursting to a per-database max, and make adding databases easy.

Why this answer

Elastic pools allow multiple databases with low average usage and unpredictable spikes to share a fixed pool of resources (eDTUs or eVCores), enabling each database to burst up to a maximum limit while minimizing overall cost. This model also supports easy addition of new databases without manual sizing, as they are simply added to the pool and share its allocated resources.

Exam trap

The trap here is that candidates may choose single databases with DTU-based tiers because they think 'bursting' requires dedicated resources, but they overlook the cost inefficiency and manual sizing overhead of managing many small databases individually.

How to eliminate wrong answers

Option B is wrong because single databases with DTU-based tiers require individual sizing and do not share resources, leading to higher costs for many low-usage databases that need burst capacity. Option C is wrong because Managed Instance is designed for lift-and-shift scenarios with full SQL Server instance-level features, not for cost-efficient multi-tenant database management with burst behavior. Option D is wrong because Hyperscale single database is optimized for very large databases (up to 100 TB) with high throughput and fast scaling, not for many small databases with unpredictable spikes where resource sharing is more cost-effective.

44
MCQ (medium)

A company stores unstructured data such as documents and images in Azure Blob Storage. The data is accessed frequently for the first month, then only rarely for the next year, and after that must be retained for 10 years for compliance. The company wants to minimize storage costs by automatically moving data to the most cost-effective storage tiers. Which Azure Blob Storage feature should they implement?

A. Lifecycle management policies
B. Azure Data Lake Storage access tiers
C. Soft delete
D. Immutability policies
Answer: A

Azure Blob Storage lifecycle management policies enable automatic transition of blobs to cooler tiers (Cool, Archive) based on age. The policy can move data from Hot to Cool after 30 days, then to Archive after one year, meeting the access pattern and minimizing costs.

Why this answer

Lifecycle management policies in Azure Blob Storage allow you to automatically transition blobs to cooler tiers (e.g., from Hot to Cool, then to Archive) based on age or last modification time. This directly matches the requirement to move data from frequent access (first month) to rare access (next year) and then to long-term retention (10 years) while minimizing costs.

Exam trap

The trap here is that candidates confuse storage tiers (Hot, Cool, Archive) with the automation feature (lifecycle management) that moves data between them, assuming tiers alone handle cost optimization without explicit policies.

How to eliminate wrong answers

Option B is wrong because Azure Data Lake Storage access tiers (Hot, Cool, Archive) are storage tiers themselves, not an automated policy; they require manual tier selection or lifecycle rules to move data between them. Option C is wrong because soft delete is a data protection feature that recovers accidentally deleted blobs, not a cost-optimization mechanism for tier transitions. Option D is wrong because immutability policies (WORM) prevent data modification or deletion for compliance, but do not automate tier transitions or reduce storage costs.

45
MCQ (medium)

You are designing an identity solution for a multinational corporation that uses Microsoft Entra ID. The company has a complex organizational structure with multiple subsidiaries. You need to ensure that users from one subsidiary cannot access resources in another subsidiary unless explicitly granted. The solution must minimize administrative overhead. What should you use?

A. Administrative units
B. Conditional Access policies
C. Microsoft Entra B2B collaboration
D. Custom directory roles
Answer: A

Administrative units allow you to delegate administration and resource access per subsidiary.

Why this answer

Option A is correct. Administrative units in Microsoft Entra ID allow you to delegate administration and restrict access to a subset of users and resources. Option B is wrong because Conditional Access policies control access based on conditions but do not provide administrative boundaries.

Option D is wrong because custom roles can be created, but administrative units are designed for scoping. Option C is wrong because B2B collaboration is for external users, not internal subsidiaries.

46
MCQ (hard)

A multinational company uses Microsoft Entra ID and several Azure subscriptions. Security administrators need to review privileged role assignments every month and require justification for continued access. Which design should be recommended?

A. Azure Monitor metric alerts
B. Management group locks
C. Microsoft Entra Privileged Identity Management with access reviews
D. Azure Policy guest configuration
Answer: C

PIM supports eligible role assignments, activation controls, and access reviews for privileged roles.

Why this answer

Microsoft Entra Privileged Identity Management (PIM) with access reviews is the correct design because it provides time-bound, just-in-time privileged role assignments and requires users to periodically justify their continued access through automated access reviews. This directly meets the monthly review and justification requirement for privileged roles, as PIM integrates with Entra ID to enforce approval workflows and expiration policies.

Exam trap

The trap here is that candidates often confuse Azure RBAC management tools (like management locks or Azure Policy) with identity governance tools, mistakenly thinking they can control user role assignments, when in fact only Entra ID PIM provides the required review and justification workflow for privileged roles.

How to eliminate wrong answers

Option A is wrong because Azure Monitor metric alerts are used to detect and notify on performance or operational metrics (e.g., CPU usage, response times) and cannot enforce or review privileged role assignments. Option B is wrong because management group locks prevent accidental deletion or modification of Azure resources at the management group scope but do not manage identity or role assignments in Entra ID. Option D is wrong because Azure Policy guest configuration audits and configures settings inside virtual machines (e.g., OS compliance) and has no capability to review or justify privileged role assignments in Entra ID.

47
MCQ (medium)

A company runs a mission-critical multi-tier application on Azure VMs in West US. The application consists of database VMs, application VMs, and web VMs. During a disaster, the VMs must be recovered in a specific order: database tier first, then application tier, then web tier. The recovery point objective (RPO) is 5 minutes and recovery time objective (RTO) is 15 minutes. The company wants to periodically test the recovery process without impacting production. After failover to East US, the VMs must retain their private IP addresses to avoid DNS propagation delays. Which combination of Azure Site Recovery features should they configure?

A. A recovery plan, planned failover, and network mapping
B. A recovery plan, test failover, and network mapping
C. A recovery plan, test failover, and static IP address assignment
D. A recovery plan, planned failover, and static IP address assignment
Answer: C

Recovery Plan defines the order and includes scripting; test failover enables safe testing; static IP assignment in the target network ensures VMs keep their IP addresses after failover.

Why this answer

Option C is correct because a recovery plan enforces the required startup order (database → application → web), test failover allows non-disruptive validation of the recovery process, and static IP address assignment ensures VMs retain their private IP addresses after failover to East US, avoiding DNS propagation delays. This combination meets the RPO of 5 minutes and RTO of 15 minutes while satisfying the requirement for periodic testing without impacting production.

Exam trap

The trap here is that candidates confuse network mapping (which only maps source to target networks) with static IP address assignment (which preserves the exact private IP), leading them to choose Option B instead of C.

How to eliminate wrong answers

Option A is wrong because planned failover is used for zero-data-loss migrations or planned downtime scenarios, not for disaster recovery testing, and it does not support non-disruptive validation of the recovery process. Option B is wrong because network mapping only maps source and target networks for IP address assignment but does not guarantee that VMs retain their exact private IP addresses after failover; static IP assignment is required for that. Option D is wrong because planned failover is not suitable for periodic testing of disaster recovery, as it assumes a controlled shutdown and can impact production if used incorrectly.

48
Multi-Select (hard)

You are designing a disaster recovery (DR) solution for a critical application hosted on Azure VMs. The solution must meet the following requirements:
- Recovery Point Objective (RPO) of 15 minutes.
- Recovery Time Objective (RTO) of 1 hour.
- Automatically fail over to a secondary region in the event of a regional outage.
- Support for non-disruptive DR testing.
Which THREE components should you include in the solution? (Choose three.)

Select 3 answers
A. Azure Backup
B. Azure Site Recovery test failover capability
C. Azure Site Recovery
D. Azure Traffic Manager
E. Azure Front Door
Answers: B, C, D

Test failover enables non-disruptive DR testing.

Why this answer

Options B, C, and D are correct. Azure Site Recovery provides replication and orchestration of failover to a secondary region, meeting the RPO of 15 minutes and RTO of 1 hour. Azure Traffic Manager can be used to route traffic to the secondary region after failover.

Azure Site Recovery supports non-disruptive DR testing with test failover. Option A is wrong because Azure Backup is for backup, not DR with automatic failover. Option E is wrong because Azure Front Door is a global load balancer but does not provide DR orchestration; Traffic Manager is sufficient.

49
Multi-Select (hard)

Which THREE considerations are important when designing a highly available Azure SQL Database solution?

Select 3 answers
A. Auto-failover groups
B. Transparent Data Encryption
C. Active geo-replication
D. Zone redundancy
E. Read scale-out
Answers: A, C, D

Auto-failover groups enable automatic failover across regions.

Why this answer

Active geo-replication provides read-scale and failover to a secondary region. Zone redundancy provides resilience within a region. Auto-failover groups enable automatic failover.

Read scale-out is not related to HA. Transparent Data Encryption is for security, not HA.

50
MCQ (hard)

Refer to the exhibit. Your team deploys this ARM template to a resource group in West US. After deployment, you need to ensure the storage account is geo-redundant. What is the most efficient way to modify the template to achieve this?

A. Add a second storage account resource with Geo-redundant replication.
B. Change the 'kind' property to 'BlobStorage'.
C. Change the 'apiVersion' to a newer version.
D. Change the 'sku.name' property from 'Standard_LRS' to 'Standard_GRS'.
Answer: D

Standard_GRS provides geo-redundant storage.

Why this answer

Option D is correct because changing the 'sku.name' property from 'Standard_LRS' to 'Standard_GRS' directly modifies the replication type of the existing storage account to geo-redundant storage (GRS). This is the most efficient approach as it updates the single resource in-place without adding extra resources or altering the storage account's kind or API version.

Exam trap

The trap here is that candidates may think adding a new resource or changing the API version is necessary, but the most efficient way is to modify the existing resource's 'sku.name' property, which directly controls replication redundancy.

How to eliminate wrong answers

Option A is wrong because adding a second storage account with Geo-redundant replication does not make the existing storage account geo-redundant; it creates a separate resource, which is inefficient and does not meet the requirement. Option B is wrong because changing the 'kind' property to 'BlobStorage' changes the storage account type to blob-only storage, which does not affect replication redundancy; replication is controlled by the 'sku.name' property. Option C is wrong because changing the 'apiVersion' to a newer version does not alter the replication setting; the 'apiVersion' only defines the schema version for the template and does not impact resource properties like redundancy.

51
MCQ (medium)

Your company is migrating a legacy application to Azure. The application uses a proprietary database that requires file-level access to data files. You need to minimize changes to the application. Which Azure storage solution should you recommend?

A. Azure Files
B. Azure Disk Storage
C. Azure Blob Storage
D. Azure NetApp Files
Answer: A

Provides SMB file shares with file-level access, minimizing changes.

Why this answer

Option C is incorrect because Azure Blob Storage does not provide file-level access. Option A is correct because Azure Files provides SMB file shares that can be mounted with file-level access. Option D is incorrect because Azure NetApp Files provides high-performance file shares but is overkill and more expensive.

Option B is incorrect because Azure Disk Storage provides block-level access, not file-level access.

52
MCQ (easy)

Your organization runs a web application on Azure App Service (Standard tier) in the West US region. The application uses Azure Blob Storage for static content and Azure SQL Database (Standard tier) for dynamic data. The compliance requirements specify a Recovery Point Objective (RPO) of 1 hour and a Recovery Time Objective (RTO) of 4 hours. You need to design a disaster recovery solution that meets these requirements with minimal cost. Which option should you recommend?

A. Deploy App Service in two regions with Azure Traffic Manager. Use Azure Site Recovery to replicate the App Service and SQL Database. Enable geo-redundant storage for Blob Storage.
B. Deploy App Service in two regions with Azure Front Door. Use active geo-replication for Azure SQL Database. Enable read-access geo-redundant storage (RA-GRS) for Blob Storage.
C. Use Azure Traffic Manager to distribute traffic. Manually copy Blob Storage to a secondary region. Use Azure SQL Database export to bacpac and import in secondary region.
D. Configure App Service backup to a geo-redundant storage account. Use geo-redundant storage (GRS) for Blob Storage. Enable geo-restore for Azure SQL Database.
Answer: D

App Service backup to GRS meets RPO/RTO; Blob Storage GRS provides automatic replication; geo-restore for SQL Database meets the 1-hour RPO.

Why this answer

Option D is correct because geo-redundant storage for Blob Storage is cost-effective and meets the RPO; geo-restore for SQL Database meets the RPO and RTO; App Service backup and restore in a secondary region meets the RTO. Option A is wrong because Azure Site Recovery is for VMs, not App Service. Option B is wrong because active geo-replication for SQL Database is more expensive than needed.

Option C is wrong because Azure Traffic Manager alone does not provide data replication.

53
Multi-Select (easy)

Which TWO of the following Azure storage services support hosting static websites?

Select 2 answers
A. Azure Storage Account (general-purpose v2)
B. Azure Cosmos DB
C. Azure NetApp Files
D. Azure Blob Storage
E. Azure Files
Answers: A, D

General-purpose v2 accounts support static websites.

Why this answer

Azure Storage Account (general-purpose v2) supports hosting static websites by enabling the 'Static website' feature, which configures a container named '$web' to serve static content (HTML, CSS, JS) directly via a public endpoint. This feature is built into the storage account's blob service and provides automatic routing for index and error documents, making it a cost-effective solution for static site hosting.

Exam trap

The trap here is that candidates often confuse Azure Blob Storage (which supports static websites when part of a general-purpose v2 account) with Azure Files or Azure NetApp Files, assuming any storage service can serve web content, but only the blob service with the static website feature enabled provides the necessary HTTP endpoint and routing logic.

54
MCQ (medium)

A company uses Microsoft Entra ID. External partners need temporary access to an internal application. The process must be self-service: partners request access, the request goes through an approval workflow managed by a manager from the partner's organization, and access automatically expires after 30 days. The company also wants to send reminder emails 7 days before expiration. Which Microsoft Entra ID feature should they use?

A. Microsoft Entra ID Identity Governance - Access Reviews
B. Microsoft Entra ID Identity Governance - Entitlement Management
C. Microsoft Entra ID Privileged Identity Management (PIM)
D. Microsoft Entra ID Conditional Access
Answer: B

Entitlement Management provides access packages that external users can request. It includes approval workflows, automatic expiration after a defined duration, and email reminders before expiration. It is designed for managing external identities and time-limited access.

Why this answer

Option B is correct because Microsoft Entra ID Identity Governance - Entitlement Management is specifically designed to manage access for external users through self-service access packages. It supports approval workflows with external managers, automatic time-bound access (e.g., 30-day expiration), and lifecycle notifications like reminder emails 7 days before expiry. This aligns perfectly with the requirement for partner-managed, temporary, self-service access.

Exam trap

The trap here is confusing Entitlement Management (designed for external user access lifecycle) with Access Reviews (which is for periodic recertification, not self-service provisioning) or PIM (which is for internal privileged roles, not application access for partners).

How to eliminate wrong answers

Option A is wrong because Access Reviews are used for periodic attestation of existing access, not for self-service request workflows with automatic expiration and reminders. Option C is wrong because Privileged Identity Management (PIM) is focused on just-in-time privileged role activation for internal administrators, not for granting temporary access to external partners for an application. Option D is wrong because Conditional Access enforces policies (e.g., MFA, location) during sign-in but does not provide self-service request, approval workflows, or automatic expiration management.

55
MCQ (hard)

A company runs a critical application on Azure SQL Database in the West US region. They need a disaster recovery solution with an RPO of 5 seconds and an RTO of 1 hour. They also need to be able to perform patching and maintenance on the primary without downtime. Which configuration should they implement?

A. Active geo-replication with auto-failover group
B. Azure SQL Database backup to geo-redundant storage
C. Azure SQL Database with zone-redundant configuration
D. Azure SQL Database with failover group using manual failover
Answer: A

Auto-failover groups provide the required RPO and RTO, and allow planned failover for maintenance without data loss.

Why this answer

Active geo-replication with auto-failover group meets the RPO of 5 seconds (typically under 5 seconds for active geo-replication) and RTO of 1 hour (auto-failover groups can fail over in minutes). It also supports patching and maintenance on the primary without downtime by failing over to a secondary replica during planned maintenance, leveraging the continuous data synchronization between primary and secondary databases in different Azure regions.

Exam trap

The trap here is that candidates confuse zone-redundant configuration (which only protects within a region) with geo-redundant disaster recovery, or they assume manual failover can meet strict RTOs without considering the human delay factor.

How to eliminate wrong answers

Option B is wrong because Azure SQL Database backup to geo-redundant storage (RA-GRS) provides an RPO of up to 12 hours and RTO of 12-24 hours, far exceeding the required 5-second RPO and 1-hour RTO, and does not support zero-downtime patching. Option C is wrong because zone-redundant configuration protects against zonal failures within a single region, not against regional disasters, and cannot meet the RPO/RTO for cross-region DR. Option D is wrong because a failover group using manual failover requires human intervention to trigger failover, which cannot achieve the 1-hour RTO reliably and does not support automated zero-downtime patching without manual steps.

56
Multi-Select (medium)

You are designing a solution to monitor and analyze security events across your Azure environment. Which TWO Azure services should you include in your design to provide centralized logging and threat detection? (Choose two.)

Select 2 answers
A. Azure Firewall
B. Azure Log Analytics
C. Microsoft Sentinel
D. Azure Policy
E. Azure Network Watcher
Answers: B, C

Log Analytics collects and analyzes log data from various sources.

Why this answer

Options B and C are correct. Azure Log Analytics (now part of Azure Monitor) provides centralized logging and analysis. Microsoft Sentinel provides SIEM and threat detection.

Option D is wrong because Azure Policy is for compliance. Option A is wrong because Azure Firewall is a network security service. Option E is wrong because Azure Network Watcher is for network monitoring.

57
MCQ (medium)

A company runs a web application on Azure App Service with a Standard tier plan. The application uses an Azure SQL Database (DTU-based) for storage. The business requires that the application remain available in the event of a single Azure region outage. Which solution meets the requirement with the least administrative effort?

A. Use an App Service Environment (ASE) in a single region with App Service plans in multiple availability zones
B. Use Azure Front Door to route traffic to a secondary App Service in the same region
C. Configure Azure Backup for the App Service and SQL Database
D. Deploy an additional App Service in a secondary region and use Azure SQL Database active geo-replication
Answer: D

Simplest DR setup with geo-replication.

Why this answer

Option D is correct because an additional App Service in a secondary region combined with Azure SQL Database active geo-replication provides a low-effort DR solution. Option A is wrong because an App Service Environment is more complex and costly. Option B is wrong because Azure Front Door is for global load balancing, not DR.

Option C is wrong because Azure Backup does not provide availability during an outage.

58
Multi-Select (easy)

Which TWO features of Microsoft Entra ID can be used to secure hybrid identities?

Select 2 answers
A. Microsoft Sentinel
B. Microsoft Intune
C. Seamless Single Sign-On
D. Azure Active Directory Domain Services
E. Password Hash Synchronization
Answers: C, E

Seamless SSO allows users to sign in without entering passwords when they are on the corporate network.

Why this answer

Seamless Single Sign-On (Seamless SSO) automatically signs users in when they are on corporate devices connected to the corporate network, eliminating password prompts. Password Hash Synchronization (PHS) synchronizes a hash of the user's on-premises AD password to Azure AD, enabling cloud authentication without additional infrastructure. Both features directly secure hybrid identities by extending on-premises credentials to the cloud.

Exam trap

The trap here is that candidates often confuse Azure AD DS (a managed domain service) with a feature of Microsoft Entra ID, when in fact it is a separate service that provides legacy LDAP and NTLM capabilities, not a native hybrid identity authentication feature.

59
Multi-Select (hard)

A global e-commerce company is designing a highly available application on Azure. The application uses Azure SQL Database and requires that in the event of a regional outage, failover to a secondary region occurs automatically without manual intervention. The solution must minimize data loss. Which THREE components should be included? (Choose three.)

Select 3 answers
A. Azure App Service with deployment slots in secondary region
B. Azure Traffic Manager with priority routing
C. Azure Front Door with health probes
D. Azure SQL Database active geo-replication
E. Azure DNS with alias records
Answers: A, B, D

The App Service in the secondary region hosts the application's standby instance.

Why this answer

Options A, B, and D are correct. Azure SQL Database active geo-replication provides continuous replication. Azure Traffic Manager with priority routing ensures automatic traffic redirection.

Azure App Service with deployment slots in the secondary region allows fast application failover. Option C is wrong because Azure Front Door is for global load balancing, not SQL failover. Option E is wrong because Azure DNS does not provide failover routing.

60
Multi-Select (medium)

Which TWO of the following are valid considerations when designing a SQL Server Always On availability group in Azure VMs? (Choose two.)

Select 2 answers
A. The availability group listener should use a static IP address in the same subnet as the primary replica.
B. The availability group listener can use DHCP to automatically assign an IP address.
C. The number of replicas should be an odd number to avoid split-brain scenarios.
D. A file share witness is required for the quorum configuration.
E. All replicas must be in the same subnet to use a single internal load balancer.
Answers: A, C

The listener IP should be in the same subnet as the primary replica for proper routing.

Why this answer

The correct answers are A and C. Option E is wrong because availability group replicas should be in different subnets for proper routing, so they do not have to share a single subnet. Option D is wrong because a cloud witness is recommended for quorum, not a file share witness.

Option B is wrong because the listener requires a dedicated static IP address.

61
Multi-Select (medium)

Your company uses Microsoft Entra ID. You need to implement a privileged identity management (PIM) strategy to secure administrative roles. Which TWO capabilities does PIM provide? (Choose two.)

Select 2 answers
A. Approval workflows for role activation
B. Conditional Access policies for role activation
C. Management of external identities
D. Just-in-time (JIT) access to privileged roles
E. Automated user provisioning to applications
Answers: A, D

PIM can require approval from designated approvers before a role is activated.

Why this answer

Privileged Identity Management (PIM) in Microsoft Entra ID provides time-based and approval-based role activation to secure privileged roles. Approval workflows for role activation (Option A) are a core PIM feature, allowing designated approvers to review and approve activation requests before a user gains elevated permissions. This ensures that privileged access is granted only after explicit authorization, reducing the risk of unauthorized use.

Exam trap

The trap here is that candidates often confuse Conditional Access policies (which control access to apps) with PIM's role activation policies (which control access to privileged roles), leading them to incorrectly select Option B.

62
Drag & Drop (medium)

Drag and drop the steps to implement Azure Site Recovery for a Hyper-V VM into the correct order.


Why this order

First, create the vault. Then ensure network connectivity. Install the provider and agent.

Create and apply a replication policy. Finally, enable replication.

63
MCQmedium

You are designing an authentication solution for a mobile application that uses Azure AD B2C (now Microsoft Entra External ID). The application needs to support social logins (Google, Facebook) and also allow users to sign in with their corporate Microsoft Entra ID accounts. Which of the following identity providers should you configure?

A.Use Microsoft Entra ID as the only identity provider and configure federation with Google and Facebook.
B.Use Microsoft Entra External ID with Google and Facebook only, and advise corporate users to create local accounts.
C.Configure Google and Facebook as social identity providers, and add Microsoft Entra ID as a custom identity provider.
D.Configure only Google and Facebook as identity providers, and use Microsoft account for corporate users.
Answer: C

Microsoft Entra External ID allows multiple identity providers, including social and enterprise Microsoft Entra ID tenants.

Why this answer

Option A is correct because Microsoft Entra External ID (formerly Azure AD B2C) supports both social identity providers and Microsoft Entra ID as a custom identity provider. Option B is wrong because Microsoft Entra ID alone does not support social logins. Option C is wrong because Microsoft account is not for corporate accounts.

Option D is wrong because it doesn't include corporate identity.

64
MCQ · hard

A multinational corporation is designing a disaster recovery strategy for a critical application running on Azure VMs. The application must have a Recovery Point Objective (RPO) of 15 minutes and a Recovery Time Objective (RTO) of 1 hour. The primary region is East US, and the secondary region is West US. The solution must minimize costs while meeting the requirements. What should you recommend?

A.Deploy an active-passive configuration with Azure Front Door and Traffic Manager
B.Implement Azure Site Recovery for the VMs
C.Configure the VMs in an availability zone across East US and West US
D.Use Azure Backup with cross-region restore for the VMs
Answer: B

Azure Site Recovery provides continuous replication with RPO as low as 15 seconds and RTO of minutes, meeting the requirements cost-effectively.

Why this answer

Azure Site Recovery provides orchestrated replication with RPO as low as 15 minutes and RTO of minutes. It is the most cost-effective option for VM-level DR.

65
MCQ · medium

A company is migrating on-premises SQL Server databases to Azure. They need to minimize administrative overhead for patching and backups while ensuring high availability. The solution must support automatic failover within the same Azure region. Which Azure service should they choose?

A.SQL Server on Azure Virtual Machines
B.Azure SQL Database Hyperscale
C.Azure SQL Database (single database)
D.Azure SQL Database Managed Instance
Answer: D

Managed Instance offers automated maintenance and built-in high availability with auto-failover.

Why this answer

Azure SQL Database Managed Instance is correct because it provides near-100% compatibility with on-premises SQL Server, automated patching and backups, and built-in high availability with automatic failover within the same region via Always On availability groups. This minimizes administrative overhead while meeting the high availability requirement without manual configuration.

Exam trap

The trap here is that candidates often confuse Azure SQL Database Managed Instance with Azure SQL Database single database, assuming both offer the same high availability and compatibility, but Managed Instance provides full SQL Server instance-level features and automatic failover within the region without additional configuration.

How to eliminate wrong answers

Option A is wrong because SQL Server on Azure Virtual Machines requires manual patching and backup management, increasing administrative overhead, and high availability requires manual configuration of Windows Server Failover Clustering or SQL Server Always On. Option B is wrong because Azure SQL Database Hyperscale is designed for large databases with fast scaling and read scale-out, but its high availability model uses page servers and a log-based service, not automatic failover within the same region in the same way as Managed Instance; it also lacks full SQL Server agent and CLR support. Option C is wrong because Azure SQL Database (single database) offers automated patching and backups but does not support automatic failover within the same region without configuring active geo-replication or failover groups, which adds complexity and cost; it also has limited compatibility for existing SQL Server features like SQL Agent jobs and cross-database queries.

66
MCQ · hard

You are a solutions architect for a financial services company. The company is deploying a new critical application on Azure that processes sensitive customer transactions. The application consists of an ASP.NET Core web app (Azure App Service), a REST API (Azure Kubernetes Service), and an Azure SQL Database. The requirements are:

- All data at rest must be encrypted using customer-managed keys (CMK) stored in a managed HSM.
- All network traffic between components must be encrypted and traverse the Microsoft backbone network.
- The web app must be protected against common web attacks (SQL injection, XSS).
- The solution must automatically scale the API based on CPU utilization.
- All API calls must be authenticated using OAuth 2.0 with Microsoft Entra ID.
- Logs from all components must be sent to a central Log Analytics workspace for analysis.
- The solution must have a recovery time objective (RTO) of 1 hour and recovery point objective (RPO) of 5 minutes for the database.

Which combination of Azure services should you recommend to meet ALL requirements?

A.Azure Front Door with WAF, Azure SQL Database point-in-time restore, Azure Key Vault Managed HSM, Azure App Service with private endpoint, AKS with HPA, Azure Log Analytics agent, Microsoft Entra ID
B.Azure Front Door with WAF, Azure SQL Database geo-replication, Azure Key Vault (Standard), Azure App Service with private endpoint, AKS with HPA, Azure Diagnostics extension, Microsoft Entra ID
C.Azure Application Gateway with WAF, Azure SQL Database active geo-replication, Azure Key Vault Managed HSM, Azure App Service with VNet integration, AKS with cluster autoscaler, Azure Monitor Agent, Microsoft Entra ID
D.Azure Application Gateway with WAF, Azure SQL Database failover groups, Azure Key Vault Managed HSM, Azure App Service with service endpoint, AKS with HPA, Azure Monitor Agent, Microsoft Entra ID
Answer: C

Meets all requirements.

Why this answer

Option C is correct because it includes all required services: Azure Application Gateway with WAF for web protection, Azure SQL Database active geo-replication for DR with RPO=5s, Azure Key Vault Managed HSM for CMK, Azure App Service with VNet integration for private connectivity, Azure Kubernetes Service with cluster autoscaler for API scaling, Azure Monitor Agent for log collection, and Microsoft Entra ID for authentication. Option A is wrong because Azure Front Door does not provide WAF at the application layer for SQL injection. Option B is wrong because Azure Firewall is not a WAF.

Option D is wrong because Azure SQL Database point-in-time restore cannot meet RPO of 5 minutes.

67
MCQ · hard

A company runs a high-performance computing (HPC) workload on Azure that requires extremely low latency (under 10 microseconds) between multiple VMs for MPI communication. The VMs are part of a single job and must be placed together to minimize network latency. Which VM deployment option should they use?

A.Azure Virtual Machine Scale Sets with a Proximity Placement Group
B.Azure Availability Sets
C.Azure Virtual Machine Scale Sets across Availability Zones
D.Azure Kubernetes Service (AKS)
Answer: A

Proximity Placement Groups (PPG) co-locate VMs within the same datacenter, providing the ultra-low latency required for MPI workloads. VMSS allows scaling out while staying in the PPG.

Why this answer

A Proximity Placement Group (PPG) within a Virtual Machine Scale Set ensures that all VMs are physically located as close as possible within an Azure datacenter, reducing network latency to under 10 microseconds for MPI communication. This is the only option that guarantees co-location of VMs for a single HPC job, as PPGs minimize inter-VM latency by placing VMs in the same rack or cluster.

Exam trap

The trap here is that candidates often confuse Availability Sets (which provide high availability) with Proximity Placement Groups (which provide low latency), or assume that Availability Zones offer sufficient performance for HPC, ignoring the significant latency penalty of inter-zone communication.

How to eliminate wrong answers

Option B is wrong because Availability Sets only protect against failures by distributing VMs across fault and update domains, but they do not guarantee low latency or co-location; in fact, they may spread VMs across different racks, increasing latency. Option C is wrong because Virtual Machine Scale Sets across Availability Zones place VMs in physically separate datacenters within a region, which introduces network latency far exceeding the 10-microsecond requirement due to inter-zone communication. Option D is wrong because Azure Kubernetes Service (AKS) abstracts VM placement and does not provide native mechanisms to enforce co-location of pods for low-latency MPI communication; it relies on underlying node placement, which is not guaranteed to be within a single rack.

68
MCQ · hard

Contoso Ltd. is a global e-commerce company running its online store on Azure. The application consists of:

- Frontend: Azure App Service (Windows) in West US.
- Backend: Azure Kubernetes Service (AKS) cluster in West US.
- Database: Azure SQL Database (General Purpose, S2) in West US.
- Cache: Azure Cache for Redis (Standard C1) in West US.
- Storage: Azure Blob Storage (LRS) for product images.

Business continuity requirements:

- RPO: 5 minutes for the database.
- RTO: 1 hour for the entire application.
- The solution must survive a complete West US region outage.
- Budget is limited; minimize additional costs.

What should you recommend as the primary DR strategy?

A.Deploy a secondary region (East US) with a passive AKS cluster (minimal node count), a standby App Service plan (same tier), and a secondary Azure SQL Database in an auto-failover group. Use Azure Traffic Manager for frontend and configure Azure Cache for Redis with geo-replication. For Blob Storage, enable geo-redundant storage (GRS).
B.Use Azure Backup for the database with 5-minute log backup frequency. For the app, use Azure App Service backup with frequency to a secondary region. For AKS, back up persistent volumes using Azure Backup. Restore everything in a secondary region during disaster.
C.Deploy the entire application across two Azure Availability Zones within West US. Use zone-redundant storage for blobs, zone-redundant App Service plan, and zone-redundant AKS. For SQL Database, use a zone-redundant configuration. For Redis, use Enterprise tier with zone redundancy.
D.Use Azure Site Recovery to replicate all VMs (including AKS nodes) to a secondary region. For the database, use Azure SQL Database active geo-replication. For Azure Cache for Redis, replicate data via geo-replication. Use Azure Traffic Manager for frontend traffic routing.
Answer: A

This meets the RPO/RTO with minimal cost by using a passive standby.

Why this answer

Option C is correct because Azure SQL Database auto-failover group with a secondary in a paired region (e.g., East US) meets the 5-minute RPO (active geo-replication with synchronous mode) and 1-hour RTO. For AKS and App Service, you can deploy a minimal standby cluster and App Service plan in the secondary region, and use Azure Traffic Manager for global load balancing. Azure Cache for Redis can be deployed with geo-replication.

Option A is wrong because Azure Site Recovery for the entire environment would be more expensive and may not meet the database RPO. Option B is wrong because Azure Backup has an RPO of at least 1 hour. Option D is wrong because Availability Zones do not protect against a regional outage.

69
MCQ · hard

You are designing a backup strategy for Azure virtual machines. The solution must support application-consistent backups for SQL Server databases running on the VMs. You need to ensure that backups are taken every 4 hours and retained for 30 days. What should you configure in Azure Backup?

A.Configure Azure SQL Backup for the SQL Server databases.
B.Configure a VM backup policy with 4-hour frequency and 30-day retention using the default backup extension.
C.Configure Azure Site Recovery replication policy with 4-hour frequency.
D.Configure Azure Backup for SAP HANA on the VM.
Answer: B

VM backup policy supports application-consistent backups and custom schedules.

Why this answer

Option D is correct because Azure Backup supports application-consistent backups via the VM backup policy, which can be configured with a frequency of 4 hours and retention of 30 days. The backup extension for Windows (VMSnapshot) ensures application consistency. Option A (Azure Site Recovery) is for replication, not backup.

Option B (Azure SQL Backup) is for Azure SQL databases, not VMs. Option C (Azure Backup for SAP HANA) is specific to SAP HANA.

70
MCQ · easy

You are designing a disaster recovery strategy for an Azure virtual machine running a critical application. The VM is in the East US region. Your recovery point objective (RPO) is 15 minutes, and your recovery time objective (RTO) is 1 hour. Which Azure service should you use to replicate the VM to the West US region?

A.Azure Site Recovery
B.Azure Traffic Manager
C.Azure Backup
D.Azure Migrate
Answer: A

ASR replicates VMs to another region with low RPO and RTO.

Why this answer

Option A is correct because Azure Site Recovery provides automated replication with RPO as low as 30 seconds and RTO of minutes to hours. Option B is wrong because Azure Backup is for backup, not replication for DR. Option C is wrong because Azure Migrate is for assessment and migration.

Option D is wrong because Azure Traffic Manager is for traffic routing.

71
MCQ · medium

A company uses Azure SQL Database for a line-of-business application. They need to implement a disaster recovery solution across Azure regions with RPO of 5 seconds and RTO of 30 seconds. Which feature should they use?

A.Active geo-replication
B.Geo-restore
C.Azure SQL Database zone-redundant configuration
D.Auto-failover groups
Answer: A

Active geo-replication offers fast replication with RPO < 5 seconds and RTO < 30 seconds.

Why this answer

Active geo-replication for Azure SQL Database provides a continuous replication mechanism with an RPO of 5 seconds and an RTO of 30 seconds when using a readable secondary replica in a paired region. It replicates transactions asynchronously but with very low latency, meeting the strict RPO/RTO requirements for cross-region disaster recovery.

Exam trap

The trap here is that candidates often confuse auto-failover groups with active geo-replication, assuming the managed failover group provides faster RTO, but in reality, auto-failover groups have a longer RTO (typically 1 hour) due to DNS propagation and health probe intervals, while active geo-replication allows manual failover with sub-minute RTO.

How to eliminate wrong answers

Option B (Geo-restore) is wrong because it restores a database from geo-replicated backups with an RPO of 1 hour and an RTO of 12+ hours, far exceeding the required 5-second RPO and 30-second RTO. Option C (Azure SQL Database zone-redundant configuration) is wrong because it protects against datacenter failures within a single region, not across Azure regions, and does not provide cross-region disaster recovery. Option D (Auto-failover groups) is wrong because, while it uses active geo-replication under the hood, it adds a DNS-level routing layer that introduces additional failover latency, typically achieving an RTO of 1 hour, not the required 30 seconds.

72
MCQ · easy

A company runs a line-of-business application on Azure VMs that requires a highly available, low-latency SMB file share with support for active-active access from multiple VMs. The application requires high IOPS and throughput, and the file share must be mountable on both Linux and Windows VMs. Which Azure file storage solution should they recommend?

A.A
B.B
C.C
D.D
Answer: B

Azure NetApp Files is a high-performance, enterprise-grade file storage service that supports SMB (both Windows and Linux) and can deliver thousands of IOPS with low latency.

Why this answer

Azure Premium File Shares (using SMB 3.0 protocol) provide a fully managed, highly available SMB file share with low latency and high IOPS/throughput. They support active-active access from multiple VMs and can be mounted on both Linux and Windows VMs, meeting all the requirements.

Exam trap

The trap here is that candidates often confuse Azure Blob Storage (which is object storage) with file shares, or incorrectly assume that Azure shared managed disks provide an SMB-mountable share, when in fact they are block-level and require cluster-aware applications.

How to eliminate wrong answers

Option A is wrong because Azure Blob Storage (including Premium Blob) does not support SMB protocol natively; it uses REST/API access and cannot be mounted as an SMB file share for active-active access from VMs. Option C is wrong because Azure NetApp Files uses NFS or SMB but is a third-party service with higher cost and complexity, and it is not the native Azure file storage solution for SMB shares. Option D is wrong because Azure Disk Storage (managed disks) can only be attached to a single VM at a time (except for shared disks with SCSI-3 Persistent Reservations, which are not SMB-based and have limited OS support), and it does not provide a file share mountable over SMB.

73
Multi-Select · easy

Your company is designing a new application that will run on Azure VMs. The application must be highly available across two Azure regions. You need to ensure that the application can automatically fail over if a regional outage occurs. Which THREE components should you include in the architecture? (Choose three.)

Select 3 answers
A.Azure Application Gateway
B.Azure Traffic Manager
C.Availability Sets
D.Availability Zones
E.Azure Load Balancer
Answers: B, C, E

Traffic Manager provides global load balancing across regions.

Why this answer

Option A, Option C, and Option D are correct. Azure Traffic Manager distributes traffic across regions. Azure Load Balancer distributes traffic within a region.

Availability Sets protect against failures within a datacenter. Option B is wrong because Availability Zones are within a region, not across regions. Option E is wrong because Azure Application Gateway is a regional load balancer but not necessary if using Traffic Manager and Load Balancer.

74
MCQ · hard

A company ingests millions of IoT events per second from sensors around the world. Each event is a JSON message with timestamp, device ID, and readings. They need to support real-time analytics dashboards and also store all raw data for long-term historical analysis. They want to minimize operational overhead. Which Azure data storage solution should they recommend?

A.Azure Data Lake Storage Gen2 for all data.
B.Azure Event Hubs with Capture to Azure Data Lake Storage.
C.Azure Cosmos DB for both real-time and historical data.
D.Azure Time Series Insights (TSI) Standard.
Answer: B

Event Hubs can handle millions of events per second. The Capture feature automatically writes ingested events to Data Lake Storage in Avro format (or JSON). For real-time dashboards, you can use Stream Analytics to query the Event Hubs stream. This provides a seamless, low-operational-overhead solution.

Why this answer

Azure Event Hubs is designed for high-throughput data ingestion, capable of handling millions of events per second. By enabling the Capture feature, data is automatically and durably persisted to Azure Data Lake Storage in Avro format, providing a serverless, low-latency pipeline for real-time dashboards while storing raw data for long-term analytics. This minimizes operational overhead by eliminating the need to manage separate ingestion and storage infrastructure.

Exam trap

The trap here is that candidates often treat Azure Data Lake Storage as a complete solution for both ingestion and storage, overlooking the need for a dedicated event ingestion service like Event Hubs to handle high-throughput streaming data before persisting it to the lake.

How to eliminate wrong answers

Option A is wrong because Azure Data Lake Storage Gen2 is a scalable storage service but lacks native real-time ingestion capabilities; it would require an additional service like Event Hubs to handle the high-velocity IoT stream, adding complexity. Option C is wrong because Azure Cosmos DB is a NoSQL database optimized for low-latency reads/writes and transactional workloads, not for ingesting millions of events per second as a streaming buffer; using it for both real-time and historical data would incur high costs and operational overhead for raw event storage. Option D is wrong because Azure Time Series Insights (TSI) Standard is purpose-built for time-series data visualization and analysis, but it has limited throughput and retention compared to Event Hubs with Capture, and it is not designed to store raw JSON events for long-term historical analysis at this scale.

75
MCQ · easy

You need to design a networking solution for a multi-tier application that includes a web front-end, an API layer, and a database. The web and API tiers must be accessible from the internet, while the database tier must be isolated. What is the most secure and efficient design?

A.Place all VMs in the same subnet and use a single Azure Load Balancer to distribute traffic.
B.Use separate VNets for each tier and connect them with VNet peering.
C.Deploy all VMs in a single subnet and use Azure Firewall to inspect all inbound and outbound traffic.
D.Deploy all tiers in the same VNet with separate subnets, and use NSGs to restrict traffic. Place an Azure Application Gateway with WAF in front of the web tier.
Answer: D

Secure and efficient: subnets isolate tiers, NSGs control traffic, Application Gateway provides internet-facing entry and WAF protection.

Why this answer

Option C is correct because using subnets for each tier with NSG restrictions provides isolation. Application Gateway with WAF protects the web tier. Option A (load balancer for all tiers) exposes the database.

Option B (VNet peering) is not needed. Option D (Azure Firewall for all traffic) is overkill and complex.
