Microsoft Azure Solutions Architect Expert AZ-305 (AZ-305) — Questions 676-750

999 questions total · 14 pages · All types, answers revealed

Page 10 of 14
676 · MCQ · easy

A company is migrating a legacy application to Azure VMs. The application requires a static IP address that does not change if the VM is stopped and started. Which type of IP address should they assign to the VM?

A. Dynamic private IP address
B. Dynamic public IP address
C. Static public IP address
D. Ephemeral IP address
Answer: C

Static public IP remains assigned even when VM is stopped.

Why this answer

A static public IP address or a static private IP address ensures the IP does not change. Option A is wrong because private IPs can be dynamic or static, and a dynamic one changes. Option B is wrong because dynamic public IPs change on stop/start. Option D is wrong because ephemeral IPs are for temporary usage.

677 · MCQ · easy

You need to design a storage solution for a website that hosts static content (HTML, CSS, JavaScript) and requires low-cost, scalable storage with integrated CDN delivery. Which Azure service should you use?

A. Azure Files with SMB protocol
B. Azure Content Delivery Network only
C. Azure Blob Storage with static website hosting and Azure CDN
D. Azure App Service
Answer: C

Blob Storage provides scalable static hosting and CDN integration.

Why this answer

Azure Blob Storage with static website hosting provides a cost-effective, scalable storage solution for static content (HTML, CSS, JavaScript). By enabling Azure CDN on top of the storage account, you achieve low-latency global content delivery and offload traffic from the origin, reducing costs and improving performance for end users.

Exam trap

The trap here is that candidates often confuse Azure Files (a managed file share) with Blob Storage (object storage) for static web hosting, or mistakenly think Azure CDN alone can store content without an origin service.

How to eliminate wrong answers

Option A is wrong because Azure Files with SMB protocol is designed for file shares that require SMB access (e.g., lift-and-shift apps, legacy file servers), not for serving static web content with CDN integration. Option B is wrong because Azure Content Delivery Network alone is a delivery service, not a storage service; it requires an origin (like Blob Storage) to cache and serve content. Option D is wrong because Azure App Service is a PaaS compute service for hosting web applications, not a dedicated static content storage solution, and it incurs higher costs and unnecessary overhead for purely static content.

678 · MCQ · hard

Refer to the exhibit. You are reviewing an Azure Policy definition that your team plans to assign. The policy is intended to deny the deployment of virtual networks and virtual machines if they do not have an NSG attached with a rule named containing 'Allow'. However, the policy is not working as expected. What is the most likely reason?

A. The field 'Microsoft.Network/networkSecurityGroups/securityRules[*].name' is an incorrect alias.
B. The policy does not check whether the NSG is actually associated with the resource.
C. The policy rule syntax is invalid.
D. The effect 'deny' cannot be used with existenceCondition.
Answer: B

The policy checks for the existence of an NSG with a rule name but does not verify association.

Why this answer

Option B is correct because the existenceCondition checks the NSG rule name on the NSG resource, but the policy's 'if' condition only checks the resource type. The policy does not ensure that the NSG is associated with the subnet or NIC; an NSG can exist without being attached. Option A is wrong because the policy rule does not use aliases incorrectly. Option C is wrong because the policy syntax is valid. Option D is wrong because 'deny' is a valid effect.

679 · MCQ · easy

A company uses Microsoft Entra ID. They need to automatically detect sign-ins from users with leaked credentials and prompt those users to reset their password during the next sign-in. Which Microsoft Entra ID feature should they enable?

A. Microsoft Entra ID Identity Protection
B. Conditional Access
C. Privileged Identity Management (PIM)
D. Microsoft Entra ID B2B
Answer: A

Identity Protection detects risks like leaked credentials and can trigger automated remediation such as password reset.

Why this answer

Microsoft Entra ID Identity Protection includes a 'Leaked Credentials' detection capability that continuously monitors for credentials exposed in known data breaches. When a user's credentials are detected as leaked, Identity Protection can automatically trigger a password reset during the next sign-in, ensuring the compromised credentials are no longer usable.

Exam trap

The trap here is that candidates often confuse Conditional Access (which can enforce password changes via a 'Require password change' grant control) with Identity Protection, but Conditional Access alone cannot detect leaked credentials—it only enforces policies after a risk is detected by Identity Protection.

How to eliminate wrong answers

Option B (Conditional Access) is wrong because Conditional Access enforces access policies based on signals like location or device compliance, but it does not natively detect leaked credentials or trigger password resets. Option C (Privileged Identity Management) is wrong because PIM manages just-in-time privileged role activation and access reviews, not credential compromise detection. Option D (Microsoft Entra ID B2B) is wrong because B2B is designed for external user collaboration and guest access, not for detecting leaked credentials or enforcing password resets.

680 · MCQ · easy

Your organization uses Microsoft Purview to govern data across Azure and on-premises sources. You need to ensure that sensitive data, such as credit card numbers, is automatically detected and classified in Azure Blob Storage. Which Purview feature should you configure?

A. Microsoft Sentinel
B. Data catalog search
C. Data classification scanning with built-in sensitive information types
D. Data lineage tracking
Answer: C

Purview scans data sources and applies classification labels based on sensitive types like credit card numbers.

Why this answer

Option C is correct because Microsoft Purview's data classification scanning can be configured to automatically detect sensitive data like credit card numbers using built-in sensitive information types (e.g., Credit Card Number). When a scan is run against Azure Blob Storage, Purview identifies and classifies the data based on these predefined patterns, enabling governance and compliance.

Exam trap

The trap here is that candidates often confuse Microsoft Sentinel (a SIEM) with Purview's classification capabilities, or assume data lineage or catalog search can perform content inspection, when only classification scanning with sensitive information types can automatically detect sensitive data.

How to eliminate wrong answers

Option A is wrong because Microsoft Sentinel is a Security Information and Event Management (SIEM) tool for threat detection and response, not for data classification or governance. Option B is wrong because Data catalog search is a feature for discovering and searching assets already registered in Purview, not for automatically detecting or classifying sensitive data. Option D is wrong because Data lineage tracking captures how data moves and transforms across systems, but it does not perform content inspection or classification of sensitive information.

681 · MCQ · easy

A company wants to collect metrics and logs from all Azure resources in their subscription, including custom metrics from their applications, and create dashboards and alerts. Which Azure service should they use as the primary monitoring platform?

A. Azure Monitor
B. Azure Log Analytics
C. Azure Application Insights
D. Azure Service Health
Answer: A

Azure Monitor is the unified platform for collecting, analyzing, and acting on telemetry from Azure resources, including custom metrics and logs. It provides dashboards and alerting.

Why this answer

Azure Monitor is the correct primary monitoring platform because it serves as the single, unified ingestion and analysis service for all metrics and logs across Azure resources, including custom metrics from applications via the Application Insights SDK or the custom metrics API. It provides a consolidated workspace for creating dashboards, setting alerts, and querying data, making it the foundational service for observability in Azure.

Exam trap

The trap here is that candidates often confuse Azure Monitor with its sub-services like Log Analytics or Application Insights, failing to recognize that Azure Monitor is the umbrella service that encompasses both metrics and logs, while the others are specialized components within it.

How to eliminate wrong answers

Option B (Azure Log Analytics) is wrong because it is a component within Azure Monitor that stores and queries log data, not the overarching monitoring platform; it lacks native support for metrics and dashboards without Azure Monitor as the parent. Option C (Azure Application Insights) is wrong because it is a subset of Azure Monitor focused specifically on application performance monitoring (APM) for live web apps, not a platform for collecting infrastructure metrics or logs from all Azure resources. Option D (Azure Service Health) is wrong because it only provides personalized alerts and guidance for Azure service issues and planned maintenance, not the collection of metrics, logs, or custom application data.

682 · MCQ · easy

Your company is migrating on-premises applications to Azure. The identity team wants to synchronize on-premises Active Directory Domain Services (AD DS) to Microsoft Entra ID. You need to recommend a solution that ensures users can authenticate with their corporate credentials and that password changes are synchronized immediately. What should you recommend?

A. Microsoft Entra Connect with federation (AD FS)
B. Microsoft Entra Connect with pass-through authentication (PTA)
C. Microsoft Entra Connect with cloud sync
D. Microsoft Entra Connect with password hash synchronization (PHS)
Answer: D

PHS synchronizes password hashes to Microsoft Entra ID, enabling immediate password change synchronization.

Why this answer

Password hash synchronization (PHS) is the correct choice because it synchronizes password hashes from on-premises AD DS to Microsoft Entra ID, enabling immediate password change synchronization. This ensures users can authenticate with their corporate credentials without requiring additional infrastructure like federation servers, and password changes are propagated in near real-time (typically within minutes).

Exam trap

The trap here is that candidates often confuse 'immediate password change synchronization' with pass-through authentication or federation, not realizing that PHS is the only option that actually synchronizes password hashes to the cloud for immediate use.

How to eliminate wrong answers

Option A is wrong because federation (AD FS) does not synchronize password hashes; it redirects authentication to on-premises AD DS, so password changes are not synchronized to the cloud and immediate sync is not a feature of federation. Option B is wrong because pass-through authentication (PTA) validates passwords directly against on-premises AD DS without storing hashes in the cloud, so password changes are not synchronized to Microsoft Entra ID. Option C is wrong because cloud sync is designed for lightweight sync of users and groups from multiple forests, but it does not support immediate password change synchronization; it relies on periodic sync cycles.

683 · MCQ · medium

Your organization uses Microsoft Entra ID and has a hybrid identity deployment with Active Directory Domain Services (AD DS) on-premises. You need to synchronize user identities to Microsoft Entra ID, but you must ensure that password hashes are never stored in the cloud. Which synchronization method should you use?

A. Password Hash Sync
B. Federation with AD FS
C. Pass-through Authentication (PTA)
D. Azure AD Connect Cloud Sync
Answer: C

PTA authenticates users against on-premises AD without storing password hashes in the cloud.

Why this answer

Pass-through Authentication (PTA) is the correct choice because it validates user passwords directly against on-premises Active Directory without ever storing password hashes in Azure AD. This meets the requirement that password hashes are never stored in the cloud, as PTA uses an agent on-premises to authenticate users, and only the validation result is sent to Azure AD.

Exam trap

The trap here is that candidates often confuse Pass-through Authentication with Password Hash Sync, assuming that any synchronization method must store password hashes in the cloud, but PTA avoids this by performing real-time validation without hash storage.

How to eliminate wrong answers

Option A is wrong because Password Hash Sync synchronizes a hash of the user's password to Azure AD, which directly violates the requirement that password hashes are never stored in the cloud. Option B is wrong because Federation with AD FS does not store password hashes in Azure AD, but it introduces a separate federation infrastructure and is not primarily a synchronization method; the question asks for a synchronization method, and AD FS is an identity federation service, not a synchronization tool. Option D is wrong because Azure AD Connect Cloud Sync uses Password Hash Sync by default and can also support Pass-through Authentication, but it is a lightweight synchronization agent that still stores password hashes in the cloud if Password Hash Sync is enabled; the question requires a method that ensures password hashes are never stored, which is not guaranteed by Cloud Sync alone.

684 · MCQ · medium

Refer to the exhibit. You have an Azure Policy definition as shown. The policy is assigned at the subscription scope. What is the result when a user tries to create a VM with SKU Standard_D8s_v3?

A. The VM is created successfully.
B. The VM is created but flagged as non-compliant.
C. The VM SKU is automatically changed to Standard_D4s_v3.
D. The VM creation is denied.
Answer: D

Standard_D8s_v3 is not in the allowed list.

Why this answer

The Azure Policy definition shown uses a 'Deny' effect for VM SKUs that do not match the allowed list. Since Standard_D8s_v3 is not in the allowed list (which includes Standard_D2s_v3 and Standard_D4s_v3), the policy denies the VM creation. The 'Deny' effect prevents the resource from being created and logs a denial event in the activity log.

Exam trap

The trap here is that candidates may confuse the 'Deny' effect with 'Audit' or 'Modify', assuming non-compliant resources are either flagged or auto-corrected, rather than understanding that 'Deny' blocks creation outright.

How to eliminate wrong answers

Option A is wrong because the 'Deny' effect explicitly blocks creation of non-compliant resources, so the VM cannot be created successfully. Option B is wrong because the 'Deny' effect prevents creation entirely; the 'Audit' effect would allow creation and flag non-compliance, but this policy uses 'Deny'. Option C is wrong because Azure Policy does not automatically modify SKUs; it only enforces compliance through effects like Deny, Audit, or Modify, and the 'Modify' effect is not used here.

685 · MCQ · medium

A company stores large amounts of log data in Azure Blob Storage. Logs are accessed frequently for the first 30 days, then rarely accessed afterward, but must be retained for 7 years for compliance. The company wants to minimize storage costs. They need to configure automatic data movement and retention policies. Which combination of Azure Blob Storage access tiers and lifecycle management policy should they use?

A. Use Hot tier for 30 days, then use Cool tier for 7 years, with a lifecycle rule to delete after 7 years.
B. Use Hot tier for 30 days, then use Archive tier for the remaining period, with a lifecycle rule to delete after 7 years.
C. Use Cool tier for 30 days, then use Archive tier for 7 years, no lifecycle rule needed.
D. Use Archive tier immediately, with a lifecycle rule to delete after 7 years.
Answer: B

Hot tier provides low-latency access during the frequent access period. Archive tier provides the lowest storage cost for data that is rarely accessed. A lifecycle policy can automatically move data from Hot to Archive after 30 days and delete it after 7 years.

Why this answer

Option B is correct because it uses the Hot tier for the first 30 days to handle frequent access, then automatically moves data to the Archive tier via a lifecycle management rule to minimize costs for rarely accessed data, and finally deletes the blobs after 7 years to meet compliance retention requirements. The Archive tier offers the lowest storage cost for long-term retention, making it ideal for logs that are rarely accessed after the initial period.

Exam trap

The trap here is that candidates often choose the Cool tier for long-term retention because they underestimate the cost savings of the Archive tier for data that is rarely accessed over many years, or they forget that a lifecycle rule is necessary to enforce deletion after the compliance period.

How to eliminate wrong answers

Option A is wrong because moving data to the Cool tier after 30 days does not minimize storage costs as effectively as the Archive tier for 7 years of rare access; the Cool tier has higher storage costs than Archive and is intended for data accessed less frequently but still with some latency requirements, not for long-term archival. Option C is wrong because starting with the Cool tier for the first 30 days is suboptimal since logs are accessed frequently during that period, and the Hot tier is more cost-effective for frequent access; additionally, a lifecycle rule is required to delete data after 7 years to enforce compliance retention. Option D is wrong because placing data directly into the Archive tier from the start incurs high retrieval costs and latency for the first 30 days when logs are accessed frequently, violating the requirement to minimize costs and access performance.

686 · MCQ · easy

You need to design a storage solution for an application that stores large amounts of unstructured data that is accessed frequently for the first 30 days, then rarely after that. Compliance requirements mandate that data be retained for 7 years. Which of the following is the most cost-effective storage solution?

A. Use Azure Files with snapshots and keep files in the Premium tier for 30 days, then move to Standard tier.
B. Use Azure Managed Disks with read-only snapshots and delete snapshots after 7 years.
C. Use Azure Blob Storage with lifecycle management to transition blobs from Hot to Cool to Archive tiers.
D. Store all data in Blob Storage Hot tier and delete after 7 years.
Answer: C

Lifecycle management automates tiering based on age, providing cost savings. Hot for frequent, Cool for infrequent, Archive for long-term retention.

Why this answer

Option C is correct because Azure Blob Storage with lifecycle management can automatically move blobs from Hot to Cool to Archive tiers as access patterns change, minimizing cost. Option A is wrong because Azure Files is for file shares and is not optimal for large unstructured data. Option B is wrong because managed disks are for VM disks, not for general unstructured data storage. Option D is wrong because keeping all data in the Hot tier is expensive.

687 · MCQ · hard

A multinational company uses Microsoft Entra ID with a custom domain. They need to implement a governance strategy for Microsoft 365 groups, ensuring that group expiration policies are enforced and that group owners receive renewal notifications. What should you configure?

A. Microsoft Purview compliance portal – Data Lifecycle Management
B. Microsoft Entra ID – Group settings (Expiration policy)
C. Microsoft Intune – Device compliance policies
D. Microsoft Sentinel – Analytics rules
Answer: B

Expiration policies for Microsoft 365 groups are configured in Entra ID under Group settings.

Why this answer

Option B is correct because Microsoft Entra ID's Group settings include an expiration policy specifically designed to enforce lifecycle management for Microsoft 365 groups. This policy allows administrators to set a group expiration period (e.g., 180, 365 days) and automatically sends renewal notification emails to group owners before expiration, enabling them to renew the group if needed. This directly meets the requirement for enforcing group expiration and renewal notifications.

Exam trap

The trap here is that candidates often confuse Microsoft Purview's data lifecycle management with group lifecycle management, or mistakenly think Intune or Sentinel can handle group expiration policies, when in fact only Microsoft Entra ID's group settings provide the specific expiration and renewal notification functionality.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview compliance portal – Data Lifecycle Management focuses on retention and deletion of content (e.g., emails, documents) based on labels, not on managing the lifecycle of Microsoft 365 groups or sending renewal notifications to group owners. Option C is wrong because Microsoft Intune – Device compliance policies are used to enforce security and compliance requirements on managed devices (e.g., requiring encryption, PIN), not to manage group expiration or renewal notifications. Option D is wrong because Microsoft Sentinel – Analytics rules are used for security detection and threat hunting by analyzing logs and alerts, not for configuring group expiration policies or sending renewal notifications.

688 · Multi-Select · medium

Which TWO actions should you take to ensure business continuity for an Azure Functions app that processes messages from an Azure Service Bus queue?

Select 2 answers
A. Implement the event source pattern to replay messages in case of failure.
B. Enable geo-replication on the Service Bus namespace.
C. Use a single Service Bus namespace to simplify management.
D. Deploy the Functions app in a single region.
E. Configure Azure Backup for the Functions app.
Answers: A, B

Event source allows reprocessing of messages.

Why this answer

Option A (event source pattern) and Option B (geo-replication) ensure messages are not lost and can be replayed. Option C (single namespace) is not resilient. Option D (single region) is not resilient. Option E (backup) is not needed.

689 · MCQ · hard

A company has multiple Azure subscriptions and wants to enforce that all administrators must use multi-factor authentication (MFA) when accessing the Azure portal. They also want to monitor and report on any policy changes that affect this enforcement. Which combination of Azure services should they use?

A. Azure Policy with built-in policy to enforce MFA and Azure Activity Log to monitor changes.
B. Microsoft Entra ID Conditional Access policy to require MFA for Azure management and Azure Monitor with Log Analytics for monitoring.
C. Microsoft Entra ID Identity Protection to enforce MFA and Azure Sentinel for monitoring.
D. Azure Policy to assign built-in policy 'MFA should be enabled on accounts with write permissions' and Azure Security Center for monitoring.
Answer: B

Conditional Access policies are the appropriate way to enforce MFA for accessing Azure Portal (Azure Management cloud app). Azure Monitor can collect Activity Logs from Microsoft Entra ID and Azure subscriptions to track changes to Conditional Access policies or other critical resources, and Log Analytics can be used for querying and alerting.

Why this answer

Option B is correct because Microsoft Entra ID Conditional Access policies can enforce MFA specifically for Azure management (including the Azure portal), and Azure Monitor with Log Analytics provides the monitoring and reporting of policy changes via the Azure Activity Log. This combination directly addresses both requirements: enforcing MFA for administrators and auditing changes to the Conditional Access policy itself.

Exam trap

The trap here is confusing Azure Policy (which enforces resource configuration) with Conditional Access (which enforces user authentication), leading candidates to incorrectly choose Azure Policy for MFA enforcement on the Azure portal.

How to eliminate wrong answers

Option A is wrong because Azure Policy enforces compliance of Azure resources (e.g., requiring MFA on VMs), not user authentication behavior like MFA for portal access; the built-in policy 'MFA should be enabled on accounts with write permissions' is a guest configuration policy that checks account settings, not a real-time enforcement mechanism. Option C is wrong because Microsoft Entra ID Identity Protection is designed to detect and respond to identity risks (e.g., leaked credentials), not to enforce MFA for all administrators accessing the Azure portal; it can trigger MFA via Conditional Access but is not the primary enforcement service. Option D is wrong because Azure Policy's built-in policy 'MFA should be enabled on accounts with write permissions' is a compliance audit policy, not an enforcement mechanism, and Azure Security Center (now Microsoft Defender for Cloud) focuses on security posture and threat protection, not on monitoring policy changes for Conditional Access or MFA enforcement.

690 · MCQ · medium

A company is designing a multi-region disaster recovery solution for a mission-critical application hosted on Azure VMs. The application requires synchronous replication of storage and automatic failover with no data loss. The recovery time objective (RTO) is 15 minutes, and the recovery point objective (RPO) is 0. Which Azure service should the company use?

A. Azure Availability Zones
B. Azure Backup
C. Azure Site Recovery
D. Azure Storage with geo-redundant storage (GRS)
Answer: C

Azure Site Recovery provides automated failover across regions with low RPO (seconds) and RTO (minutes). While strict RPO=0 is not guaranteed, it is the best fit for DR scenarios.

Why this answer

Option C (Azure Site Recovery) supports an RPO as low as a few seconds and an RTO in minutes, but it uses asynchronous replication, so an RPO of 0 cannot be guaranteed. Option B (Azure Backup) is for backup, not real-time replication. Option D (Azure Storage with geo-redundant storage) provides asynchronous replication, not synchronous.

Option A (Azure Availability Zones) uses synchronous replication and can achieve RPO=0 and low RTO within the same region, but for multi-region the company would need a stretched cluster across regions, which is complex. The question specifies 'multi-region' and 'no data loss', which implies synchronous replication across regions; Azure does not offer synchronous replication across regions for VMs. Among the options, Azure Site Recovery is the only one that can provide automated failover across regions, even though its RPO is not zero.

The best answer is Azure Site Recovery because it is designed for DR with low RPO/RTO, and although RPO=0 is not guaranteed, it is the closest fit. Option C is therefore the correct choice, as it is the primary DR service for VMs.

691 · MCQ · easy

A company uses Microsoft Entra ID for identity management. They want to ensure that users accessing sensitive data from unmanaged devices are prompted for multifactor authentication (MFA) and must accept a terms-of-use. Which policy should be configured?

A. Terms-of-use policy
B. Conditional Access policy
C. Identity Protection policy
D. Privileged Identity Management (PIM) policy
Answer: B

Conditional Access can target unmanaged devices and require MFA and terms-of-use.

Why this answer

Conditional Access policies in Microsoft Entra ID allow granular control over access based on conditions such as device state (managed vs. unmanaged). By configuring a policy that targets unmanaged devices, you can enforce MFA and require acceptance of a terms-of-use before granting access to sensitive data. This directly meets the requirement without needing separate policies for MFA and terms-of-use.

Exam trap

The trap here is that candidates often confuse a standalone Terms-of-use policy (Option A) with the ability to enforce it conditionally, not realizing that Conditional Access is required to tie the terms-of-use acceptance to a specific condition like unmanaged devices.

How to eliminate wrong answers

Option A is wrong because a Terms-of-use policy alone only creates and displays the terms document; it cannot enforce MFA or trigger based on device state. Option C is wrong because Identity Protection policies focus on risk-based signals (e.g., leaked credentials, sign-in anomalies) and do not natively enforce terms-of-use acceptance or device-based conditions. Option D is wrong because Privileged Identity Management (PIM) policies manage just-in-time access and approval workflows for privileged roles, not general user access conditions like device state or MFA enforcement.

692 · MCQ · hard

Your company runs a mission-critical application on Azure VMs in a single region. The application requires an RPO of 5 minutes and an RTO of 30 minutes. You plan to use Azure Site Recovery (ASR) to replicate the VMs to a secondary region. The VMs use managed disks. However, during a disaster recovery drill, you discover that the failover takes longer than expected. What is the most likely cause?

A. The replication policy is set to 30 minutes.
B. The Azure Hybrid Benefit is not applied to the VMs.
C. The recovery plan includes too many manual steps.
D. The VMs have large attached data disks that require significant time to synchronize.
Answer: D

Large disks increase failover time due to data synchronization.

Why this answer

Option D (large attached data disks) is a common cause of slow failover due to replication latency. Option A (replication policy) is less likely if configured correctly. Option C (recovery plan) does not affect failover time. Option B (Azure Hybrid Benefit) is irrelevant.

693 · MCQ · easy

Your company is migrating on-premises applications to Azure. You need to ensure that users can sign in using their existing on-premises Active Directory credentials without duplicating accounts. Which identity solution should you recommend?

A. Microsoft Entra B2B collaboration
B. Microsoft Entra External ID
C. Microsoft Entra Connect
D. Microsoft Entra Domain Services
Answer: C

Entra Connect synchronizes on-premises AD with Microsoft Entra ID, allowing users to sign in with their existing credentials.

Why this answer

Microsoft Entra Connect (formerly Azure AD Connect) is the correct solution because it synchronizes on-premises Active Directory identities to Microsoft Entra ID, enabling users to sign in with their existing credentials via password hash synchronization, pass-through authentication, or federation. This avoids duplicating accounts by maintaining a single identity source of truth, with optional seamless single sign-on (SSO) for a transparent experience.

Exam trap

The trap here is that candidates often confuse Microsoft Entra Domain Services (which provides domain-join capabilities for Azure VMs) with identity synchronization, but it does not sync user credentials for cloud app authentication.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra B2B collaboration is designed for external guest users (e.g., partners or vendors) to access your applications using their own identities, not for synchronizing existing on-premises AD users. Option B is wrong because Microsoft Entra External ID is a customer-facing identity platform for external consumer or customer scenarios, not for integrating an organization's own on-premises Active Directory. Option D is wrong because Microsoft Entra Domain Services provides managed domain services (e.g., LDAP, Kerberos, NTLM) for Azure VMs without domain-joining them to an on-premises DC, but it does not synchronize user credentials from on-premises AD for cloud app sign-in.

694
MCQhard

Refer to the exhibit. A company is analyzing Azure Storage diagnostic logs using this KQL query. They notice a high number of GetBlob operations on BlockBlobs. The storage account is used for a web application that serves static content. What should they recommend to reduce the number of GetBlob operations?

A.Implement Azure Blob Storage lifecycle management to move data to the archive tier.
B.Use Azure File Sync to cache files on-premises.
C.Enable Azure CDN or Azure Front Door to cache content.
D.Enable Azure Storage Analytics logging to track operations.
AnswerC

Reduces direct blob requests by serving cached content.

Why this answer

Option C is correct because enabling Azure CDN or Azure Front Door caches static content at edge locations, reducing the number of direct GetBlob operations against the storage account. This offloads repeated requests from the origin storage, lowering both operational costs and latency for the web application.

Exam trap

The trap here is that candidates may confuse logging (Option D) or lifecycle management (Option A) as solutions to reduce operations, when they only provide monitoring or cost optimization for infrequently accessed data, not a reduction in read requests.

How to eliminate wrong answers

Option A is wrong because lifecycle management moves data to the archive tier, which is designed for cold data and incurs high retrieval costs and latency—it does not reduce GetBlob operations for frequently accessed static content. Option B is wrong because Azure File Sync caches files on-premises for hybrid scenarios, but the question involves a web application serving static content from Azure Storage, not on-premises file sharing; it does not reduce GetBlob operations in Azure. Option D is wrong because enabling Storage Analytics logging tracks operations but does not reduce them; it only provides visibility into existing traffic.

695
MCQeasy

A company has an on-premises data center and wants to connect it to Azure with a dedicated, private network connection that is not routed over the public internet. They also need a higher service-level agreement (SLA) compared to VPN-based connections. Which Azure service should they use?

A.Azure VPN Gateway
B.Azure ExpressRoute
C.Azure Bastion
D.Azure Virtual WAN
AnswerB

ExpressRoute establishes a private connection to Azure via a connectivity provider, bypassing the internet. It offers higher reliability, bandwidth, and a stronger SLA (99.95% for dedicated circuits).

Why this answer

Azure ExpressRoute provides a dedicated, private connection from on-premises to Azure that bypasses the public internet, ensuring lower latency, higher reliability, and a 99.95% SLA (for dedicated circuits) compared to VPN-based connections. This meets the requirement for a private network connection with a higher SLA than VPN Gateway, which relies on internet-based IPSec tunnels with a 99.9% SLA.

Exam trap

The trap here is that candidates often confuse Azure Virtual WAN as a direct replacement for ExpressRoute, but Virtual WAN is a management overlay that still requires ExpressRoute or VPN as the underlying transport, not a dedicated private connection itself.

How to eliminate wrong answers

Option A (Azure VPN Gateway) is wrong because it uses IPSec tunnels over the public internet, which does not provide a dedicated private connection and has a lower SLA (99.9%) than ExpressRoute. Option C (Azure Bastion) is wrong because it is a PaaS service for secure RDP/SSH access to Azure VMs via the browser, not a hybrid connectivity solution between on-premises and Azure. Option D (Azure Virtual WAN) is wrong because it is a networking service that aggregates branch connectivity, but it still requires an underlying connectivity method (VPN or ExpressRoute) to provide the dedicated private link; by itself, it does not offer a dedicated private connection or the higher SLA specified.

696
MCQhard

Refer to the exhibit. You are deploying an ARM template to configure backup for an Azure Web App. The deployment fails with an error: 'The resource 'Microsoft.Web/sites/config' cannot be nested under a parent resource that is not deployed.' What is the MOST LIKELY cause?

A.The parent web app resource is not defined in the template
B.The storageAccountUrl property uses a reference() that cannot be resolved
C.The apiVersion '2022-03-01' is not supported for this resource type
D.The backup schedule frequency interval is invalid
AnswerA

The backup config resource requires the parent web app to be present in the template.

Why this answer

Option A is correct because the backup configuration resource is defined as a child resource of the web app, but the parent web app ('Microsoft.Web/sites') is not included in the template. In ARM templates, child resources must be nested under their parent or the parent must be deployed in the same template. Since the web app is not defined, the deployment fails.

Option D is wrong because the backup schedule is valid. Option B is wrong because the storage account URL is obtained using reference(), which works if the storage account is deployed or exists. Option C is wrong because the apiVersion is correct for the resource type.

697
Multi-Selecteasy

Which TWO Azure services can be used to implement a serverless event-driven architecture that processes messages from a queue and stores results in a database? (Choose two.)

Select 2 answers
A.Azure Logic Apps
B.Azure Event Grid
C.Azure Service Bus
D.Azure Functions
E.Azure Batch
AnswersA, D

Can be triggered by queue messages and orchestrate workflows.

Why this answer

A and D are correct. Azure Functions can process messages from Azure Queue Storage; Azure Logic Apps can also process messages from queues and orchestrate workflows. B is wrong because Azure Event Grid is for event routing, not queue processing.

C is wrong because Azure Service Bus is a messaging service, not a compute trigger in a serverless context. E is wrong because Azure Batch is for parallel compute jobs.

698
Multi-Selecthard

A company is designing a data warehouse solution in Azure. The solution must support petabyte-scale data, high-performance queries, and integration with Power BI. The data includes both structured and semi-structured data. Which THREE services should you recommend?

Select 3 answers
A.Power BI
B.Azure Analysis Services
C.Azure Data Lake Storage
D.Azure Synapse Analytics
E.Azure HDInsight
AnswersA, C, D

Integrates with Synapse Analytics for reporting.

Why this answer

Option D is correct because Azure Synapse Analytics provides petabyte-scale data warehousing with high-performance queries. Option E is incorrect because Azure HDInsight is for big data processing, not data warehousing. Option C is correct because Azure Data Lake Storage can store structured and semi-structured data at petabyte scale.

Option B is incorrect because Azure Analysis Services is for semantic models, not data warehousing. Option A is correct because Power BI integrates with Synapse Analytics for reporting.

699
MCQhard

A multinational corporation needs to store sensitive customer data in Azure. The data must be encrypted at rest using a customer-managed key stored in Azure Key Vault, and the key must be rotated every 90 days. The solution must also support geo-redundancy for disaster recovery. Which combination of services should you recommend?

A.Azure Storage with customer-managed keys in Azure Key Vault and geo-redundant storage (GRS)
B.Azure SQL Database with Transparent Data Encryption (TDE) using customer-managed keys in Azure Key Vault, and active geo-replication
C.Azure Cosmos DB with customer-managed keys in Azure Key Vault and multi-region writes
D.Azure SQL Managed Instance with TDE and failover groups
AnswerB

This combination meets all requirements: encryption, key rotation via Key Vault, and geo-redundancy.

Why this answer

Azure SQL Database with TDE using customer-managed keys in Azure Key Vault meets the encryption-at-rest requirement with customer-managed key rotation every 90 days. Active geo-replication provides geo-redundancy for disaster recovery by maintaining readable secondary replicas in paired regions, which can be failed over manually or automatically.

Exam trap

The trap here is that candidates often confuse Azure SQL Database's active geo-replication with Azure SQL Managed Instance's failover groups, which do not support readable secondaries or the same level of geo-redundancy flexibility.

How to eliminate wrong answers

Option A is wrong because Azure Storage with GRS provides geo-redundancy but does not support customer-managed key rotation on a fixed 90-day schedule natively; key rotation must be managed separately and is not a built-in feature of the storage account. Option C is wrong because Azure Cosmos DB with multi-region writes provides geo-redundancy but does not support customer-managed key rotation at a fixed interval; key rotation is manual and not enforced by the service. Option D is wrong because Azure SQL Managed Instance with TDE and failover groups provides geo-redundancy but failover groups do not support active geo-replication with readable secondaries; they use automatic failover with a single readable secondary, which is less flexible than active geo-replication for disaster recovery.

700
MCQeasy

A company has an Azure SQL Database instance that is used by a critical application. They need to ensure business continuity with an RPO of 0 (zero data loss) and an RTO of less than 1 minute in case of a regional outage. The solution must be cost-effective. What should you recommend?

A.Use Azure SQL Database automatic failover groups with manual failover.
B.Use Azure SQL Database zone-redundant configuration.
C.Use Azure SQL Database geo-restore from geo-redundant backups.
D.Use Azure SQL Database failover groups with active geo-replication.
AnswerD

Failover groups with active geo-replication provide an RPO of 0 and an RTO of less than 1 minute.

Why this answer

Azure SQL Database failover groups with active geo-replication and automatic failover provide an RPO of 0 and an RTO of less than 1 minute. Option C is incorrect because Azure SQL Database backup and restore has an RPO of 5 minutes. Option B is incorrect because Azure SQL Database zone-redundant configuration protects only within a region.

Option A is incorrect because manual failover does not meet the RTO requirement.

701
MCQhard

A large enterprise is designing a data analytics platform in Azure that will ingest terabytes of data daily from multiple sources, including IoT devices, social media feeds, and internal databases. The data must be stored in a raw format for future processing, and then transformed and aggregated for reporting. The company requires low-latency querying for real-time dashboards and the ability to run complex batch analytics using Spark. The solution must also provide a unified data governance layer for cataloging and lineage tracking. Which combination of Azure services should the company choose to meet all these requirements with minimal operational overhead?

A.Azure Cosmos DB, Azure Stream Analytics, and Azure Analysis Services
B.Azure Blob Storage, Azure HDInsight, and Azure Data Factory
C.Azure SQL Database, Azure Databricks, and Azure Data Catalog
D.Azure Data Lake Storage, Azure Synapse Analytics, and Microsoft Purview
AnswerD

ADLS stores raw data, Synapse provides real-time querying and Spark-based batch analytics, and Purview provides data cataloging and lineage.

Why this answer

Option D (Azure Data Lake Storage + Azure Synapse Analytics + Microsoft Purview) provides a scalable data lake, unified analytics, and data governance. Option B (Azure Blob Storage + Azure HDInsight + Azure Data Factory) requires more management. Option A (Azure Cosmos DB + Azure Stream Analytics + Azure Analysis Services) is not suitable for batch analytics with Spark.

Option C (Azure SQL Database + Azure Databricks + Azure Data Catalog) lacks a data lake for raw storage. The best answer is D because it includes ADLS for raw storage, Synapse for both real-time and batch analytics, and Purview for governance.

702
MCQeasy

You need to configure a monitoring solution for Azure virtual machines that collects performance counters, event logs, and enables alerting based on CPU usage exceeding 90%. Which Azure service should you use?

A.Azure Policy
B.Microsoft Sentinel
C.Azure Monitor
D.Azure Update Manager
AnswerC

Azure Monitor collects performance counters, event logs, and supports metric alerts.

Why this answer

Azure Monitor is the correct service because it provides a unified platform for collecting performance counters and event logs from Azure VMs via the Log Analytics agent or Azure Monitor Agent, and it supports metric-based alert rules that can trigger when CPU usage exceeds a defined threshold (e.g., 90%). This directly meets the requirements for monitoring, log collection, and alerting without additional services.

Exam trap

The trap here is that candidates often confuse Azure Monitor with Microsoft Sentinel because both involve log collection and alerts, but Sentinel is specifically for security incidents, not general performance monitoring and threshold-based alerting on metrics like CPU usage.

How to eliminate wrong answers

Option A is wrong because Azure Policy is a governance tool used to enforce compliance rules (e.g., requiring specific VM SKUs or tags) and does not collect performance counters, event logs, or generate CPU-based alerts. Option B is wrong because Microsoft Sentinel is a Security Information and Event Management (SIEM) solution focused on security threat detection and incident response, not general performance monitoring and alerting for CPU usage. Option D is wrong because Azure Update Manager is designed solely for managing OS updates and patches on VMs, with no capability to collect performance counters, event logs, or alert on CPU utilization.

703
MCQhard

A company runs a critical SQL Server database on an Azure virtual machine. They need a high-availability solution within a single region that provides automatic failover, zero data loss (synchronous replication), and support for read-only routing for reporting workloads. Which solution should they implement?

A.SQL Server Always On Availability Group with synchronous replication across availability zones
B.SQL Server Always On Failover Cluster Instance (FCI) with shared disks
C.Azure SQL Database Managed Instance with active geo-replication
D.Azure SQL Database with active geo-replication
AnswerA

Correct. This configuration provides automatic failover, synchronous commit for zero data loss, and readable secondary replicas for reporting.

Why this answer

SQL Server Always On Availability Group with synchronous replication across availability zones meets all requirements: it provides automatic failover, zero data loss through synchronous commit mode, and supports read-only routing by directing reporting workloads to readable secondary replicas. This solution operates within a single Azure region using availability zones for high availability.

Exam trap

The trap here is that candidates confuse synchronous replication (used in Always On Availability Groups) with asynchronous replication (used in geo-replication), and fail to recognize that read-only routing is a feature exclusive to Availability Groups, not Failover Cluster Instances or geo-replication solutions.

How to eliminate wrong answers

Option B is wrong because a Failover Cluster Instance (FCI) with shared disks does not support read-only routing for reporting workloads; FCI provides a single instance with no readable secondary replicas. Option C is wrong because Azure SQL Database Managed Instance with active geo-replication uses asynchronous replication, which cannot guarantee zero data loss, and it is designed for cross-region disaster recovery, not single-region high availability. Option D is wrong because Azure SQL Database with active geo-replication also uses asynchronous replication, resulting in potential data loss, and it is a cross-region solution, not a single-region high-availability solution.

704
MCQmedium

A company uses Azure SQL Database (Premium tier) for their application. They need to offload reporting queries to a read-only copy of the database to reduce load on the primary. The read-only copy must be kept in sync synchronously within the same Azure region. They also need automated failover to the read-only copy if the primary fails. Which Azure SQL Database feature should they enable?

A.Active geo-replication
B.Auto-failover groups
C.Read Scale-Out
D.Database copy
AnswerC

Correct. Read Scale-Out provides a synchronous read-only replica in the same region, supporting reporting and automatic failover.

Why this answer

Read Scale-Out is the correct feature because it offloads reporting queries to a read-only replica that stays synchronously committed within the same Azure region. It also provides automated failover to the read-only replica if the primary database fails, meeting both the synchronous sync and failover requirements for Premium-tier Azure SQL Database.

Exam trap

The trap here is that candidates confuse cross-region disaster recovery features (Active geo-replication and Auto-failover groups) with in-region high availability and read-scale capabilities, overlooking that Read Scale-Out is the only option that provides synchronous replication and automated failover within the same Azure region.

How to eliminate wrong answers

Option A is wrong because Active geo-replication creates asynchronous replicas in different Azure regions, not synchronous replicas within the same region, and it does not support automated failover. Option B is wrong because Auto-failover groups rely on Active geo-replication and are designed for cross-region failover with asynchronous replication, not for synchronous in-region read-only offloading. Option D is wrong because Database copy creates a point-in-time snapshot that is not kept in sync synchronously and does not provide automated failover.

705
MCQhard

You are designing a monitoring solution for a critical application hosted on Azure Virtual Machines. The application experiences intermittent high CPU usage that lasts for 10 minutes. You need to be notified within 5 minutes of the start of each occurrence. The solution must minimize false alerts. What should you use?

A.Azure Monitor log alert querying Perf table every 1 minute
B.Create an Azure Monitor action group that sends email
C.Azure Monitor metric alert with a dynamic threshold and 5-minute frequency, alert on 2 consecutive breaches
D.Azure Monitor metric alert with a static threshold of 90% CPU
AnswerC

Dynamic threshold adapts to patterns, and requiring 2 consecutive breaches reduces false alerts.

Why this answer

Option C is correct because it uses a dynamic threshold that adapts to normal CPU patterns, reducing false alerts, and the 5-minute frequency with a requirement for 2 consecutive breaches ensures that the 10-minute event is detected within 5 minutes of its start (since the first breach triggers the second evaluation after 5 minutes, and if the second consecutive breach occurs, the alert fires). This matches the requirement for notification within 5 minutes while minimizing false positives.

Exam trap

The trap here is that candidates often choose a static threshold (Option D) or a high-frequency log query (Option A) without considering the need to minimize false alerts, overlooking the dynamic threshold and consecutive breach requirement that directly address the 10-minute duration and 5-minute notification window.

How to eliminate wrong answers

Option A is wrong because a log alert querying the Perf table every 1 minute would generate excessive noise and potential false alerts from transient spikes, and it does not inherently minimize false alerts as it lacks a consecutive breach requirement. Option B is wrong because an action group is just a notification channel (e.g., email, SMS) and does not define the alert condition or detection logic; it must be attached to an alert rule to be useful. Option D is wrong because a static threshold of 90% CPU would likely trigger false alerts from brief spikes that do not represent the sustained 10-minute event, and it does not include a consecutive breach requirement to filter out transient noise.

706
MCQmedium

A company is deploying a web application on Azure App Service. The application must authenticate users with their Microsoft Entra ID credentials. The development team wants to use the Microsoft Authentication Library (MSAL) for authentication. Which App Service authentication feature should they use to simplify integration?

A.Use Application Insights to capture authentication logs
B.Use Azure API Management to handle authentication
C.Use Azure AD B2C for identity management
D.Configure the App Service authentication / authorization feature to use Microsoft Entra ID
AnswerD

Easy Auth simplifies integration with Microsoft Entra ID.

Why this answer

Option D is correct because the App Service authentication / authorization feature (Easy Auth) can be configured to use Microsoft Entra ID as the identity provider and integrate with MSAL. Option A is incorrect because Application Insights is for monitoring. Option C is incorrect because Azure AD B2C is for external users.

Option B is incorrect because Azure API Management is for managing APIs.

707
MCQeasy

You need to design a monitoring solution for a set of Azure virtual machines running a business-critical application. The solution must provide centralized log management, enable real-time analysis of security events, and support custom alerts for anomalous behavior. Which Azure service should you use?

A.Azure Log Analytics
B.Microsoft Defender for Cloud
C.Azure Monitor
D.Microsoft Sentinel
AnswerD

Microsoft Sentinel is a cloud-native SIEM that provides log management, analysis, and custom alerts.

Why this answer

Option D is correct because Microsoft Sentinel provides SIEM capabilities for centralized log management, real-time analysis, and custom alerts. Option C (Azure Monitor) is for metrics and logs but lacks SIEM. Option A (Log Analytics) is a component of Azure Monitor.

Option B (Microsoft Defender for Cloud) focuses on security posture and threat protection.

708
MCQmedium

A company runs a SQL Server database on an Azure virtual machine. They need to increase the storage capacity and improve I/O performance for their transaction log. The current data disk is a standard HDD. They want to achieve higher IOPS and throughput without increasing the size of the VM (the VM size supports up to 8 data disks). The database workload is write-intensive on the transaction log. Which configuration should they implement?

A.Add additional standard HDD disks and configure a storage pool with simple (striping) layout
B.Replace the standard HDD disk with a premium SSD disk for the log drive
C.Add a premium SSD disk and configure a storage space with mirroring for the log drive
D.Use Azure Disk Encryption to improve performance
AnswerB

Premium SSDs offer significantly higher IOPS and throughput, directly improving log write performance.

Why this answer

Option B is correct because replacing the standard HDD with a premium SSD directly addresses the need for higher IOPS and throughput for a write-intensive transaction log. Premium SSDs provide consistent low-latency performance and significantly higher IOPS/throughput compared to standard HDDs, without requiring a VM size change. Since the VM supports up to 8 data disks, a single premium SSD can meet the performance requirements more effectively than adding more HDDs.

Exam trap

The trap here is that candidates may think striping (Option A) or mirroring (Option C) with premium disks is needed for performance, but for a single transaction log file, a single premium SSD is sufficient and simpler, while mirroring adds unnecessary write overhead and striping with HDDs still yields poor IOPS.

How to eliminate wrong answers

Option A is wrong because adding more standard HDD disks and striping them in a storage pool still uses slow HDDs, which cannot deliver the required IOPS and throughput for a write-intensive transaction log; striping improves throughput but not latency or IOPS per disk. Option C is wrong because adding a premium SSD with mirroring (instead of using it as a single log drive) introduces unnecessary redundancy that does not improve write performance for a transaction log, and mirroring reduces usable capacity and can add write overhead. Option D is wrong because Azure Disk Encryption only provides encryption at rest and does not affect I/O performance; it can even introduce a slight CPU overhead for encryption/decryption operations.

709
MCQeasy

A company plans to deploy a stateless web application on Azure virtual machines. They want to ensure that the application remains available in the event of a hardware failure within a single Azure datacenter. The VMs must be placed in a way that ensures they are on different physical servers and racks, but are still within the same datacenter. Which deployment strategy should they use?

A.Deploy the VMs in an Availability Set.
B.Deploy the VMs in different Availability Zones.
C.Deploy the VMs in a single Virtual Machine Scale Set with a large instance count.
D.Deploy each VM in a separate resource group.
AnswerA

An Availability Set distributes VMs across fault domains (different racks) and update domains within a datacenter, protecting against hardware failures and maintenance.

Why this answer

An Availability Set ensures that VMs are distributed across multiple fault domains (different physical servers, racks, and network switches) and update domains within a single Azure datacenter. This protects against hardware failures in that datacenter by guaranteeing that not all VMs are affected by the same local failure, while keeping them in the same datacenter for low-latency communication.

Exam trap

The trap here is that candidates often confuse Availability Zones (which span multiple datacenters) with Availability Sets (which operate within a single datacenter), leading them to select the zone-based option when the question explicitly requires staying within the same datacenter.

How to eliminate wrong answers

Option B is wrong because Availability Zones place VMs in physically separate datacenters within a region, not within the same datacenter, which adds cross-datacenter latency and is not required for the stated goal of surviving a single datacenter hardware failure. Option C is wrong because a single Virtual Machine Scale Set with a large instance count does not by itself enforce distribution across different physical servers and racks unless it is configured with an Availability Set or Availability Zones; a scale set without such placement constraints can place many VMs on the same physical host. Option D is wrong because deploying each VM in a separate resource group has no impact on physical placement or fault domain isolation; resource groups are logical containers for management and RBAC, not for infrastructure redundancy.

710
MCQeasy

Your company uses Azure Policy to enforce compliance. You need to ensure that all storage accounts use HTTPS only. The policy should automatically remediate non-compliant storage accounts by enabling HTTPS-only. What policy effect should you use?

A.Deny
B.AuditIfNotExists
C.Append
D.DeployIfNotExists
AnswerD

DeployIfNotExists can deploy a template to set the storage account property to enable HTTPS-only.

Why this answer

The DeployIfNotExists effect is correct because it not only evaluates whether storage accounts have the 'HTTPS only' setting enabled but also automatically deploys a remediation task to enable it when non-compliance is detected. This ensures continuous compliance without manual intervention, which aligns with the requirement for automatic remediation.

Exam trap

The trap here is that candidates often confuse 'Deny' (which blocks non-compliant new resources) with 'DeployIfNotExists' (which remediates existing resources), missing the key requirement for automatic remediation of already deployed storage accounts.

How to eliminate wrong answers

Option A is wrong because Deny blocks the creation or update of a resource that doesn't meet the policy condition, but it does not remediate existing non-compliant storage accounts. Option B is wrong because AuditIfNotExists only audits whether a related resource (like a diagnostic setting) exists, not the property of the storage account itself, and it provides no remediation. Option C is wrong because Append adds fields to a resource during creation or update but cannot modify existing storage account properties like 'HTTPS only' after the resource is deployed.

711
MCQmedium

A company runs a critical SQL Server database on an Azure virtual machine. They need a backup strategy that supports point-in-time restore down to the second and long-term retention of backups for 7 years to meet compliance. They want to offload backup management to Azure. Which backup solution should they use?

A.Azure Backup for SQL Server on Azure VM
B.Azure Site Recovery
C.SQL Server managed backup to Azure
D.Azure Disk Backup
AnswerA

Azure Backup provides a fully managed backup solution for SQL Server VMs, including point-in-time restore and long-term retention, meeting all requirements.

Why this answer

Azure Backup for SQL Server on Azure VM provides native integration that supports point-in-time restore down to the second for SQL Server databases and allows configuring long-term retention (LTR) for up to 10 years, meeting the 7-year compliance requirement. It offloads backup management to Azure by automating backup schedules, retention policies, and restore operations without requiring manual scripting or third-party tools.

Exam trap

The trap here is that candidates often confuse Azure Site Recovery (disaster recovery) with backup, or assume SQL Server managed backup to Azure provides the same integrated point-in-time and long-term retention capabilities as Azure Backup, when in fact Azure Backup offers a fully managed, portal-integrated solution with native SQL Server awareness.

How to eliminate wrong answers

Option B is wrong because Azure Site Recovery is a disaster recovery solution that replicates entire VMs for failover, not a backup service; it does not support point-in-time restore for SQL Server databases or long-term retention for compliance. Option C is wrong because SQL Server managed backup to Azure is a feature that manages backups to Azure Blob storage but requires manual configuration of retention policies and does not offer native point-in-time restore down to the second or integrated long-term retention management within the Azure portal. Option D is wrong because Azure Disk Backup provides crash-consistent backups of managed disks at the VM level, not application-consistent backups for SQL Server, and cannot perform point-in-time restore for database transactions or log backups.

712
MCQmedium

Refer to the exhibit. A custom role is created. A user assigned this role reports being unable to view the VM's boot diagnostics in the Azure portal. What is the most likely reason?

A.The user does not have permission to start or restart the VM
B.The VM is stopped and deallocated
C.The role lacks permissions to the diagnostics storage account
D.The role does not include Microsoft.Compute/virtualMachines/read
AnswerC

Missing storage account permissions.

Why this answer

Option C is correct because the role does not include 'Microsoft.Storage/storageAccounts/listKeys/action' or 'Microsoft.Storage/storageAccounts/read', which are required to access boot diagnostics data in the diagnostics storage account. Option D is wrong because the role includes 'read' permission on VMs. Option A is wrong because start/restart are allowed.

Option B is wrong because the issue is not related to the VM's power state.

713
MCQ · medium

A company has an on-premises Hyper-V environment with 20 virtual machines running various workloads. They want to use Azure as a disaster recovery site. The required recovery point objective (RPO) is 15 minutes, and the recovery time objective (RTO) is 2 hours. They want to automate failover and failback. Which Azure service should they use?

A. Azure Site Recovery
B. Azure Migrate
C. Azure Backup
D. Azure Recovery Services Vault
Answer: A

Azure Site Recovery orchestrates replication, failover, and failback for Hyper-V VMs to Azure. It supports near-synchronous replication and custom RPOs down to 30 seconds.

Why this answer

Azure Site Recovery (ASR) is the correct service because it provides orchestrated replication, failover, and failback for Hyper-V VMs to Azure as a DR site. It supports the required RPO of 15 minutes (using near-synchronous replication with change tracking) and RTO of 2 hours (via automated recovery plans), and it natively automates both failover and failback processes without additional scripting.

Exam trap

The trap here is that candidates confuse the Recovery Services Vault (a storage container) with the actual DR service (Azure Site Recovery), or they mistakenly think Azure Backup can meet low RPO/RTO requirements for disaster recovery when it is designed for backup, not replication with automated failover.

How to eliminate wrong answers

Option B (Azure Migrate) is wrong because it is designed for discovery, assessment, and migration of on-premises workloads to Azure, not for ongoing disaster recovery replication or automated failover/failback. Option C (Azure Backup) is wrong because it provides backup-based recovery with typical RPOs of 12-24 hours and RTOs measured in hours to days, and it does not support automated failover or failback orchestration. Option D (Azure Recovery Services Vault) is wrong because it is a storage container that holds backup data and replication settings, not a service that performs replication, failover, or failback; it is the underlying vault used by both Azure Backup and Azure Site Recovery, but the question asks for the service that automates DR, which is ASR.

714
MCQ · medium

A company stores JSON documents for a mobile app backend. The data needs to be accessible from multiple global regions with low latency writes from any region. The app uses a client-side library that supports automatic conflict resolution for concurrent updates. Which Azure data service should they choose?

A. Azure Cosmos DB
B. Azure SQL Database
C. Azure Database for PostgreSQL
D. Azure Table Storage
Answer: A

Cosmos DB supports multi-region writes with automatic conflict resolution, fulfilling the requirement.

Why this answer

Azure Cosmos DB is correct because it provides multi-region writes with automatic conflict resolution, which directly matches the requirement for low-latency writes from any global region. Its multi-master replication model allows any region to accept writes, and the client-side library can use last-writer-wins (LWW) or custom conflict resolution policies to handle concurrent updates seamlessly.

Exam trap

The trap here is that candidates often confuse Azure SQL Database or Azure Database for PostgreSQL's read replicas with write capability, failing to recognize that only Cosmos DB offers true multi-region writes with built-in conflict resolution.

How to eliminate wrong answers

Option B (Azure SQL Database) is wrong because it does not natively support multi-region writes; it relies on a single primary region for writes, and geo-replication is read-only, so it cannot achieve low-latency writes from multiple regions. Option C (Azure Database for PostgreSQL) is wrong because it also uses a single-writer primary architecture; while read replicas can be distributed, writes must go to the primary region, introducing latency for global writes. Option D (Azure Table Storage) is wrong because it does not support multi-region writes; it offers only a single write region with read-only geo-redundant storage, and it lacks built-in conflict resolution for concurrent updates.

715
MCQ · medium

A company needs to store sensor data from IoT devices. Each device sends a message every second. The data is time-series and will be queried for real-time dashboards and historical analysis. The solution must support high ingestion rates and low-latency queries on recent data. Which Azure service should they use?

A. Azure Blob Storage with Azure Data Lake Storage Gen2
B. Azure Cosmos DB with SQL API
C. Azure Event Hubs and Azure Data Explorer
D. Azure Table Storage
Answer: C

Event Hubs ingests high volumes of event data, and Azure Data Explorer provides fast, real-time analytics on time-series data. This combination is best suited for IoT sensor data.

Why this answer

Azure Event Hubs is designed for high-throughput data ingestion from millions of IoT devices, capable of handling millions of events per second. Azure Data Explorer (ADX) is optimized for time-series data, providing sub-second query latency on recent data and efficient historical analysis. Together, they form a serverless pipeline that ingests sensor data via Event Hubs and stores it in ADX for real-time dashboards and long-term analytics.

Exam trap

The trap here is that candidates often choose Azure Cosmos DB (Option B) because they associate it with 'low latency' and 'IoT', but they overlook that Cosmos DB is not purpose-built for time-series data and lacks the ingestion throughput and query optimizations that Azure Data Explorer provides for this specific workload.

How to eliminate wrong answers

Option A is wrong because Azure Blob Storage with Data Lake Storage Gen2 is optimized for batch analytics and large file storage, not for high-frequency time-series ingestion or low-latency queries on recent data; it lacks native time-series indexing and real-time query capabilities. Option B is wrong because Azure Cosmos DB with SQL API is a multi-model NoSQL database designed for transactional workloads with flexible schemas, but it is not optimized for time-series data at high ingestion rates and can incur high RU costs for continuous writes; it also lacks native time-series functions like binning or retention policies. Option D is wrong because Azure Table Storage is a key-value store with limited query capabilities (only on partition and row keys), no support for time-series-specific operations, and high latency for range scans over timestamps, making it unsuitable for real-time dashboards and high-ingestion IoT workloads.

716
MCQ · hard

You have an Azure subscription that contains a virtual network named VNet1. You need to monitor all network security group (NSG) flow logs. Which three components must you enable? (Select THREE.)

A. Azure Network Watcher
B. Log Analytics workspace
C. Network security group flow logs
D. Traffic Analytics
E. A storage account
Answer: C, D, E

NSG flow logs must be enabled to capture traffic.

Why this answer

Network security group flow logs must be explicitly enabled on the NSG to capture IP traffic data. Without enabling this feature, no flow log data is generated regardless of other components. The question asks which components must be enabled, and enabling NSG flow logs is the direct action that starts logging.

Exam trap

The trap here is that candidates often assume Azure Network Watcher must be manually enabled, but it is regionally auto-enabled, and they may also confuse the optional Traffic Analytics and Log Analytics workspace as mandatory components for basic flow log collection.

How to eliminate wrong answers

Option A is wrong because Azure Network Watcher is a regional service that is automatically enabled in every region when you create a virtual network; you do not need to manually enable it as a component for NSG flow logs. Option B is wrong because a Log Analytics workspace is only required if you want to use Traffic Analytics to analyze flow logs; it is not a mandatory component for enabling or storing the raw flow logs themselves.

717
MCQ · medium

You have an Azure Storage account that stores critical data. You need to ensure that the data remains accessible if the primary region fails. The solution must minimize data loss and automatically failover. What should you configure?

A. Zone-redundant storage (ZRS) with customer-managed failover.
B. Locally redundant storage (LRS) with soft delete.
C. Read-access geo-zone-redundant storage (RA-GZRS).
D. Geo-redundant storage (GRS) with manual failover.
Answer: C

RA-GZRS provides automatic failover and read access in secondary region.

Why this answer

Option C (RA-GZRS) provides read access to the secondary region and automatic failover if Microsoft initiates it. Option B (LRS) provides no failover. Option D (GRS) provides failover but no read access.

Option A (ZRS) stays within the same region.

718
MCQ · medium

A company uses Azure Kubernetes Service (AKS) to run a containerized microservices application. They need a disaster recovery solution that can automatically fail over to a secondary region if the primary region fails. The solution must minimize data loss for stateful workloads. What should they implement?

A. Azure Backup for AKS
B. Azure Front Door
C. Azure Traffic Manager
D. Azure Site Recovery
Answer: D

Site Recovery can replicate AKS workloads and persistent volumes for DR.

Why this answer

Option D is correct. AKS with Azure Disks using zone-redundant storage (ZRS) provides replication across zones within a region, but for cross-region DR the cluster needs to be paired with Azure Site Recovery, or a multi-region AKS deployment with Velero must be used for backup and restore. Among the given options, Azure Site Recovery is the only one that provides cross-region failover for AKS with persistent volumes. Option C is wrong because Azure Traffic Manager only routes traffic and does not replicate data.

Option B is wrong because Azure Front Door is for global load balancing, not DR. Option A is wrong because Azure Backup for AKS is backup-only and does not provide failover.

719
MCQ · medium

Refer to the exhibit. You are deploying an ARM template with the above parameters. After deployment, you need to ensure that the storage account automatically moves blobs that are not accessed for 30 days to the archive tier. What should you do?

A. Enable soft delete for blobs.
B. Change the 'accessTier' parameter value to 'Archive'.
C. Change the 'replication' parameter value to 'GRS'.
D. Add a lifecycle management policy rule to the storage account.
Answer: D

Lifecycle management can automatically move blobs to archive tier after 30 days.

Why this answer

Option D is correct because Azure Storage lifecycle management policies allow you to automatically move blobs to cooler tiers (like Archive) based on age or last access time. By adding a rule with a filter for blobs not accessed in 30 days and an action to tier to Archive, you meet the requirement without manual intervention or changing the default access tier.

Exam trap

The trap here is that candidates often confuse setting the default access tier (via 'accessTier' parameter) with automating tier transitions based on age, leading them to choose Option B instead of recognizing that lifecycle management policies are required for time-based auto-tiering.

How to eliminate wrong answers

Option A is wrong because soft delete for blobs protects against accidental deletion by retaining deleted blobs for a specified period; it does not move blobs to a different access tier. Option B is wrong because changing the 'accessTier' parameter to 'Archive' would set the default tier for new blobs, but it does not automatically move existing blobs that are not accessed for 30 days; lifecycle management is needed for time-based tier transitions. Option C is wrong because changing replication to GRS (geo-redundant storage) affects durability and disaster recovery, not the access tier of blobs based on access patterns.

720
MCQ · medium

A company is designing a hybrid network solution connecting an on-premises data center to Azure. They require high availability with active-active routing and need to support up to 10 Gbps throughput. Which Azure service should they include in the design?

A. Site-to-Site VPN Gateway
B. Azure Virtual WAN
C. ExpressRoute FastPath
D. ExpressRoute Direct
Answer: C

FastPath offers active-active connectivity with high throughput.

Why this answer

ExpressRoute FastPath provides active-active connectivity with high throughput up to 10 Gbps. Option A is wrong because VPN Gateway typically supports lower throughput and is active-passive. Option B is wrong because Azure Virtual WAN is a management layer, not a connectivity service itself.

Option D is wrong because ExpressRoute Direct provides dedicated ports but not inherently active-active routing.

721
MCQ · medium

An application requires a highly available key-value store with sub-millisecond read and write latencies across multiple Azure regions. The data model is simple and does not require complex queries. Which Azure data store should they choose?

A. Azure SQL Database
B. Azure Table Storage
C. Azure Cosmos DB
D. Azure Cache for Redis
Answer: C

Globally distributed, low-latency key-value store.

Why this answer

Azure Cosmos DB is the correct choice because it provides a globally distributed, multi-region key-value store with guaranteed sub-10-millisecond read and write latencies at the 99th percentile, and supports multiple consistency models including eventual consistency for even lower latency. Its turnkey global distribution enables active-active replication across Azure regions, meeting the high availability and sub-millisecond performance requirements without complex query support.

Exam trap

The trap here is that candidates often confuse Azure Cache for Redis as a primary data store due to its sub-millisecond performance, but it lacks global distribution and durability guarantees, making Cosmos DB the correct choice for a highly available, multi-region key-value store.

How to eliminate wrong answers

Option A is wrong because Azure SQL Database is a relational database that requires complex schema design, does not natively support sub-millisecond key-value access patterns, and its geo-replication is not designed for active-active multi-region writes with single-digit millisecond latencies. Option B is wrong because Azure Table Storage is a NoSQL key-value store but it is not globally distributed by default, has higher latency (typically 10-50 ms), and does not offer sub-millisecond performance or multi-region write capabilities. Option D is wrong because Azure Cache for Redis is an in-memory cache that does not provide native multi-region replication or persistence guarantees required for a durable key-value store, and its primary use case is caching, not a fully managed globally distributed data store.

722
MCQ · medium

A company needs to store audit logs for 7 years to meet compliance requirements. The logs are generated at a high volume and must be cost-effective. They need to run occasional queries on recent logs (less than 30 days old) but rarely on older ones. Which Azure storage solution should they recommend?

A. Azure Blob Storage with lifecycle management to Archive tier
B. Azure SQL Database
C. Azure Cosmos DB
D. Azure Log Analytics
Answer: A

Correct. Blob Storage provides tiers (Hot, Cool, Archive) and automatic lifecycle management for cost-efficient long-term retention.

Why this answer

Azure Blob Storage with lifecycle management to the Archive tier is the correct solution because it provides a cost-effective storage hierarchy for high-volume audit logs. Lifecycle management can automatically move logs from the Hot or Cool tier to the Archive tier after 30 days, aligning with the requirement to keep recent logs queryable while minimizing costs for older logs that are rarely accessed. The Archive tier offers the lowest storage cost, making it ideal for 7-year retention of audit data.

Exam trap

The trap here is that candidates often choose Azure Log Analytics (Option D) because it is associated with logs, but they overlook its retention limits and high cost for long-term storage, failing to recognize that Azure Blob Storage with lifecycle management is the correct archival solution for compliance-driven retention.

How to eliminate wrong answers

Option B (Azure SQL Database) is wrong because it is a relational database designed for transactional workloads and structured queries, not for cost-effective storage of high-volume, append-only audit logs; its storage costs are significantly higher than blob storage for large data volumes. Option C (Azure Cosmos DB) is wrong because it is a NoSQL database optimized for low-latency, globally distributed applications, not for long-term, cost-efficient archival of audit logs; its provisioned throughput and storage costs make it prohibitively expensive for this use case. Option D (Azure Log Analytics) is wrong because it is a monitoring and analytics service designed for real-time log ingestion and querying, not for long-term archival storage; its retention limits (default 30 days, up to 2 years with additional cost) cannot meet the 7-year compliance requirement cost-effectively.

723
Multi-Select · easy

Which TWO Azure services can be used to store unstructured data such as documents, images, and videos?

Select 2 answers
A. Azure Blob Storage
B. Azure Files
C. Azure SQL Database
D. Azure Data Lake Storage Gen2
E. Azure Cosmos DB
Answers: A, D

Blob Storage is object storage for unstructured data.

Why this answer

Azure Blob Storage is designed for storing massive amounts of unstructured data, such as documents, images, and videos, as objects (blobs) in a flat namespace. It supports three types of blobs (block, append, and page) and provides REST APIs for access, making it ideal for scalable, cost-effective storage of binary and text data.

Exam trap

The trap here is that candidates often confuse Azure Files (a file share service) with unstructured storage, but Azure Files is for structured file sharing with SMB/NFS, not for object storage of documents, images, and videos.

724
MCQ · medium

A company has several Azure Virtual Machines running Windows Server with critical applications. They need to back up these VMs to a secondary Azure region to protect against regional disasters. The backup must be application-consistent and support file-level restore. Which solution should they implement?

A. Azure Backup with geo-redundant storage (GRS) in a Recovery Services vault
B. Azure Site Recovery
C. Azure Snapshot of managed disks stored in a different region
D. Azure Managed Disk with incremental snapshots and manual cross-region copy
Answer: A

Azure Backup offers VM-level application-consistent backups, supports GRS for cross-region durability, and allows file-level restore from recovery points.

Why this answer

Azure Backup with geo-redundant storage (GRS) in a Recovery Services vault is the correct solution because it provides application-consistent backups of Windows Server VMs using the Volume Shadow Copy Service (VSS) to ensure data integrity, and it supports file-level restore by allowing you to mount the backup as a drive to recover individual files. The GRS option replicates backup data to a paired secondary region, meeting the disaster recovery requirement without additional manual steps.

Exam trap

The trap here is that candidates confuse Azure Site Recovery (a replication/failover tool) with Azure Backup (a backup/restore tool), or assume that crash-consistent snapshots (Options C and D) are sufficient for application consistency and file-level restore, which they are not.

How to eliminate wrong answers

Option B (Azure Site Recovery) is wrong because it is designed for replication and failover of VMs for disaster recovery, not for backup—it does not support file-level restore from backup snapshots and is not a backup solution. Option C (Azure Snapshot of managed disks stored in a different region) is wrong because snapshots are crash-consistent, not application-consistent, and they do not support file-level restore natively; you would need to create a new disk from the snapshot to access files. Option D (Azure Managed Disk with incremental snapshots and manual cross-region copy) is wrong because incremental snapshots are also crash-consistent and require manual cross-region copy, which adds complexity and does not guarantee application consistency or built-in file-level restore capabilities.

725
Multi-Select · medium

Which THREE features are available in Azure Files premium tier that are not available in standard tier?

Select 3 answers
A. Higher IOPS (up to 100,000 per share)
B. SMB multichannel support
C. Lower latency (single-digit milliseconds)
D. Support for NFS v4.1 protocol
E. Azure File Sync integration
Answers: A, C, D

Premium tier provides significantly higher IOPS.

Why this answer

Option A is correct because Azure Files premium tier is backed by SSD storage and can deliver up to 100,000 IOPS per share, while the standard tier (HDD-based) is limited to significantly lower IOPS. This high IOPS capability is exclusive to premium shares and is critical for I/O-intensive workloads.

Exam trap

The trap here is that candidates often assume SMB multichannel is a premium-only feature, but it is actually available in both tiers (though premium provides better performance due to higher IOPS and lower latency).

726
MCQ · medium

Your company has an on-premises database running SQL Server 2019. You plan to migrate to Azure SQL Managed Instance. The business requires a recovery point objective (RPO) of 15 minutes and a recovery time objective (RTO) of 4 hours for a regional disaster. You need to design the disaster recovery solution. What should you use?

A. Configure a failover group between two Azure SQL Managed Instances in different regions with automatic failover.
B. Use SQL Server log shipping from on-premises to Azure SQL Managed Instance in a secondary region.
C. Configure geo-restore of Azure SQL Managed Instance backups to a secondary region.
D. Configure a failover group between two Azure SQL Managed Instances in different regions with manual failover.
Answer: D

Failover groups replicate data synchronously or asynchronously; manual failover ensures control.

Why this answer

Option D is correct because an Azure SQL Managed Instance failover group with manual failover meets the RPO of 15 minutes (replication delay is typically less than 10 seconds) and the RTO of 4 hours (manual failover takes minutes). Option C is wrong because geo-restore has an RTO of 12 hours. Option A is wrong because automatic failover may cause unwanted failovers.

Option B is wrong because log shipping is not supported in Managed Instance.

727
MCQ · easy

A company deploys a web application in two Azure regions for high availability. They need to automatically direct users to the nearest healthy region based on geographic location and endpoint health. Which Azure service should they use?

A. Azure Traffic Manager
B. Azure Load Balancer
C. Azure Application Gateway
D. Azure Front Door
Answer: A

Correct. Traffic Manager uses DNS to route traffic to the nearest healthy region, providing simple global load balancing.

Why this answer

Azure Traffic Manager is a DNS-based traffic load balancer that directs users to the nearest healthy region based on geographic location and endpoint health. It uses DNS resolution to route traffic to the closest available endpoint, making it ideal for global high-availability scenarios where users need automatic failover across regions.

Exam trap

The trap here is that candidates often confuse Azure Front Door with Traffic Manager because both can route traffic globally, but Front Door is an application delivery controller with integrated WAF and SSL offload, whereas Traffic Manager is a simpler DNS-based load balancer focused solely on geographic and health-based routing.

How to eliminate wrong answers

Option B (Azure Load Balancer) is wrong because it operates at Layer 4 (TCP/UDP) and distributes traffic within a single region, not across multiple regions or based on geographic location. Option C (Azure Application Gateway) is wrong because it is a regional Layer 7 load balancer with features like SSL termination and URL-based routing, but it does not provide global geographic routing or multi-region failover. Option D (Azure Front Door) is wrong because, while it offers global load balancing and geographic routing, it is primarily an HTTP/HTTPS application delivery platform with advanced web application firewall (WAF) capabilities; for simple DNS-based geographic routing and health monitoring, Traffic Manager is the correct and more lightweight choice.

728
MCQ · hard

A company runs a critical application on Azure VMs in the West US region. They want to protect against a regional disaster by replicating VMs to East US using Azure Site Recovery. They have both managed and unmanaged disks. They need to ensure that after failover, the recovery VMs are automatically placed in a specific availability set to support the application's multi-tier architecture. Additionally, they want to minimize downtime during planned failover. Which configuration should they use?

A. Configure a recovery plan that includes the VMs and specifies the target availability set and failover order
B. Set the target availability set in each VM's replication settings individually without a recovery plan
C. Use Azure Traffic Manager to route traffic to the secondary region after manual failover
D. Enable consistency groups across the VMs using a replication policy
Answer: A

A recovery plan allows you to group VMs into logical groups, specify the order of failover, and set target settings like availability sets. It also supports automation to minimize downtime during planned failover.

Why this answer

Option A is correct because a recovery plan in Azure Site Recovery allows you to group VMs, specify the target availability set, and define the failover order. This ensures that after failover, the recovery VMs are automatically placed in the specified availability set, supporting the application's multi-tier architecture. Additionally, recovery plans enable you to automate and sequence failover steps, minimizing downtime during planned failover by orchestrating the process efficiently.

Exam trap

The trap here is that candidates often confuse replication settings (like target availability set per VM) with recovery plans, not realizing that only recovery plans can enforce failover order and group-level placement, which is critical for multi-tier applications.

How to eliminate wrong answers

Option B is wrong because setting the target availability set in each VM's replication settings individually does not allow you to define a failover order or group VMs into a recovery plan, which is necessary for multi-tier application consistency and minimizing downtime. Option C is wrong because Azure Traffic Manager is a DNS-based traffic routing service that does not handle VM placement into availability sets or orchestrate failover sequencing; it only redirects traffic after failover is manually completed. Option D is wrong because consistency groups (multi-VM consistency) ensure crash-consistent or app-consistent recovery points across VMs but do not control target availability set placement or failover order; they are a replication policy feature, not a recovery plan substitute.

729
MCQ · easy

A company has an on-premises data center and wants to connect it to Azure to extend their network. They require a dedicated, private, high-bandwidth connection that is not routed over the public internet. They also want a lower-cost backup connection for redundancy in case the primary connection fails. Which combination of connectivity options should they implement?

A. ExpressRoute as the primary connection and a Site-to-Site VPN as the backup connection.
B. Two ExpressRoute circuits from different service providers, both active.
C. Site-to-Site VPN as the primary connection and Point-to-Site VPN as the backup.
D. Azure VPN Gateway with active-passive mode and a second VPN Gateway for failover.
Answer: A

ExpressRoute provides a private, dedicated circuit with high bandwidth and low latency. A Site-to-Site VPN over the internet is a cost-effective backup that can be activated if ExpressRoute fails.

Why this answer

ExpressRoute provides a dedicated, private, high-bandwidth connection that bypasses the public internet, meeting the primary requirement. A Site-to-Site VPN over the internet serves as a cost-effective backup path for redundancy, as it uses encrypted tunnels over the public internet without the recurring costs of a second ExpressRoute circuit.

Exam trap

The trap here is that candidates often assume two ExpressRoute circuits are required for redundancy, overlooking the cost-effective alternative of using a Site-to-Site VPN as a backup, which still meets the redundancy requirement without the high cost of a second private connection.

How to eliminate wrong answers

Option B is wrong because two active ExpressRoute circuits from different providers provide high availability but at a higher cost, not a lower-cost backup. Option C is wrong because a Site-to-Site VPN as the primary connection does not meet the requirement for a dedicated, private, high-bandwidth connection not routed over the public internet; Point-to-Site VPN is for individual client connections, not site-to-site redundancy. Option D is wrong because Azure VPN Gateway with active-passive mode and a second VPN Gateway for failover still uses the public internet, failing the private connection requirement, and is more complex and costly than a single VPN Gateway with active-passive mode.

730
Multi-Select · easy

Which TWO of the following are true about Azure Blob Storage access tiers?

Select 2 answers
A. The cool access tier has lower storage costs but higher access costs compared to the hot tier
B. The cool access tier is designed for data that is accessed more frequently than the hot tier
C. The archive access tier is suitable for data that is accessed daily
D. The archive access tier has the lowest storage costs but the highest retrieval latency
E. The hot access tier has the lowest storage costs
Answers: A, D

Correct: cool is cheaper to store, more expensive to access.

Why this answer

Option A is correct because Azure Blob Storage's cool access tier is designed for infrequently accessed data, offering lower storage costs than the hot tier but higher access costs (per GB read/write) to compensate for the reduced storage price. This cost trade-off aligns with typical usage patterns where data is stored long-term but accessed less often.

Exam trap

The trap here is confusing the cost trade-off between storage and access—candidates often assume 'cool' means cheaper overall, but they miss that access costs are higher, and they mistakenly think archive supports daily access due to its low storage cost.

731
MCQ · medium

A company uses Microsoft Entra ID. They need to automatically remove guest users who have not signed in for 60 days. Additionally, they must generate a report of all guest access for auditors. Which Microsoft Entra ID feature should they implement?

A. Access Reviews
B. Entitlement Management
C. Identity Protection
D. Terms of Use
Answer: A

Correct. Access Reviews can automate the removal of inactive guest users and provide audit reports.

Why this answer

Access Reviews in Microsoft Entra ID allow administrators to create recurring reviews that automatically remove guest users who have not signed in within a specified period (e.g., 60 days) by configuring the 'Inactive users (in days)' setting. Additionally, Access Reviews generate a detailed report of all guest access decisions, which can be exported for auditors, meeting both requirements directly.

Exam trap

The trap here is that candidates often confuse Entitlement Management (which handles access packages) with Access Reviews (which handles periodic attestation and automated removal), missing that only Access Reviews directly support inactivity-based removal and audit reporting.

How to eliminate wrong answers

Option B (Entitlement Management) is wrong because it manages access packages and catalogs for resource provisioning but does not natively provide automated removal based on sign-in inactivity or generate audit reports for guest access. Option C (Identity Protection) is wrong because it focuses on detecting and remediating identity risks (e.g., compromised accounts, sign-in anomalies) rather than automating guest user lifecycle or producing access review reports. Option D (Terms of Use) is wrong because it enforces user consent to policies but lacks any capability to automatically remove inactive users or generate audit reports for guest access.

732
MCQhard

Refer to the exhibit. You deploy this ARM template to create a storage account in the West US region. The business continuity requirement states that if the primary region becomes unavailable, the storage account must be readable within 1 hour. What is the most important limitation of this configuration?

A.The storage account does not support read access in the secondary region, so manual failover is required, which may exceed the 1-hour RTO
B.The storage account uses GRS, which replicates data only to a secondary region within the same geography, not to a different region
C.The storage account only supports HTTPS traffic, which blocks replication
D.The storage account is configured with the Hot access tier, which prevents failover
AnswerA

GRS requires manual failover and no read access.

Why this answer

Option A is correct because GRS replicates asynchronously to the paired region but exposes no secondary endpoint: to read the data from the secondary you must initiate an account failover, which is a customer-initiated (manual) operation that can take well over an hour to complete, so a 1-hour target is not guaranteed. The fix is read-access geo-redundant storage (Standard_RAGRS, or Standard_RAGZRS for zone redundancy in the primary), which provides a read-only secondary endpoint that is available without any failover. Option B is wrong because GRS does replicate to a different region; that region is the paired region within the same geography, which is what a regional-outage requirement expects. Option C is wrong because HTTPS enforcement applies to client traffic and has no effect on replication. Option D is wrong because the access tier affects storage cost and read latency, not failover.
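The exhibit's ARM template is not reproduced on this page. The following is an added example (not from the page) of the configuration that would satisfy the requirement: an RA-GRS account, a check of the secondary endpoint and replication lag, and the customer-initiated failover that GRS alone would force you to use. Resource group rg-storage and account name stcontosowestus are assumed names.

```powershell
# Added example: RA-GRS account with a readable secondary. Names below are assumptions.
$rg = 'rg-storage'
$sa = 'stcontosowestus'

# Standard_RAGRS replicates to the paired region AND exposes a read-only secondary endpoint.
# With Standard_GRS the same replication happens, but there is no endpoint to read from.
New-AzStorageAccount -ResourceGroupName $rg -Name $sa -Location 'westus' `
    -SkuName Standard_RAGRS -Kind StorageV2 `
    -AllowBlobPublicAccess $false -MinimumTlsVersion TLS1_2 | Out-Null

# -IncludeGeoReplicationStats populates the replication status and the last sync time.
$account = Get-AzStorageAccount -ResourceGroupName $rg -Name $sa -IncludeGeoReplicationStats

# The secondary endpoint follows the pattern https://<name>-secondary.blob.core.windows.net/
# and is readable immediately; this is what GRS lacks.
$account.SecondaryEndpoints.Blob

# Status becomes "Live" once the initial sync finishes. Writes committed after LastSyncTime
# may not be on the secondary yet, which is the effective RPO of geo-replication.
$account.GeoReplicationStats.Status
$account.GeoReplicationStats.LastSyncTime

# What a GRS-only account would require to become readable in the secondary region:
# a customer-initiated failover. It is manual, takes a variable amount of time, and
# converts the account to LRS in the former secondary, so run it only for a real outage.
# Invoke-AzStorageAccountFailover -ResourceGroupName $rg -Name $sa -Force
```

The failover call is left commented out deliberately: after a failover, data written to the primary after LastSyncTime is lost, and the account must be re-enabled for geo-redundancy afterwards.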

733
MCQhard

Refer to the exhibit. An administrator runs the PowerShell script to enable replication for a VM. The script fails with an error that the VM is not found. What is the most likely cause?

A.The Recovery Services vault does not exist.
B.The protection container is not available.
C.The replication policy is not valid.
D.The Azure PowerShell context is not set to the subscription that contains the VM.
AnswerD

The script does not use Set-AzContext to switch to the production subscription.

Why this answer

Option D is correct because Get-AzVM searches only the subscription of the current Azure context. The vault, fabric, protection container and policy live in the DR subscription, so the script's context is set there, but the VM is in PROD-RG in the production subscription; without Set-AzContext (or Select-AzSubscription) pointing at that subscription, Get-AzVM returns nothing and the script reports the VM as not found. Option A is wrong because the vault is found (Get-AzRecoveryServicesVault succeeds). Option B is wrong because the fabric and protection container are retrieved successfully. Option C is wrong because the replication policy is retrieved successfully.
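The script in the exhibit is not reproduced on this page. The block below is an added example (not the exhibit's script) that shows the same lookup pattern with the missing context switch in place: the VM is resolved in the production subscription, its resource ID is captured, and only then does the context move to the DR subscription that owns the vault. Subscription names Contoso-PROD and Contoso-DR, VM app-vm-01, vault dr-vault in DR-RG, and the fabric, container and policy names are all assumptions.

```powershell
# Added example: resolve the VM in its own subscription before working in the vault's.
$prodSubscription = 'Contoso-PROD'   # assumed: subscription that contains PROD-RG and the VM
$drSubscription   = 'Contoso-DR'     # assumed: subscription that contains the Recovery Services vault

# 1. Get-AzVM only looks in the subscription of the current context, so set it explicitly.
Set-AzContext -Subscription $prodSubscription | Out-Null
$vm = Get-AzVM -ResourceGroupName 'PROD-RG' -Name 'app-vm-01' -ErrorAction Stop

# The VM's resource ID embeds its subscription ID; a mismatch with the context is the
# exact condition that produced the "not found" error in the question.
$ctx = Get-AzContext
if ($vm.Id -notmatch "^/subscriptions/$($ctx.Subscription.Id)/") {
    throw "VM $($vm.Name) is not in the current subscription $($ctx.Subscription.Id)"
}

# 2. Now switch to the subscription that owns the vault and set the ASR vault context.
Set-AzContext -Subscription $drSubscription | Out-Null
$vault = Get-AzRecoveryServicesVault -ResourceGroupName 'DR-RG' -Name 'dr-vault' -ErrorAction Stop
Set-AzRecoveryServicesAsrVaultContext -Vault $vault | Out-Null

# 3. Fabric, protection container and policy are vault-scoped, so they resolve in the DR
#    context. The VM ID captured in step 1 is a plain string and survives the context switch.
$fabric    = Get-AzRecoveryServicesAsrFabric -Name 'asr-fabric-westus'             # assumed name
$container = Get-AzRecoveryServicesAsrProtectionContainer -Fabric $fabric `
                 -Name 'asr-container-westus'                                       # assumed name
$policy    = Get-AzRecoveryServicesAsrPolicy -Name 'A2A-policy-24h'                 # assumed name

# Everything needed to enable replication is now in hand; print it for confirmation.
"VM {0} (from {1}); vault {2}; container {3}; policy {4}" -f `
    $vm.Id, $prodSubscription, $vault.Name, $container.Name, $policy.Name
```

The guard after Get-AzVM is cheap insurance: it turns a vague "resource not found" later in the run into a precise error naming the subscription mismatch.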

734
MCQmedium

A company runs a critical line-of-business application on Azure VMs within a single region. The application tier is deployed across multiple VMs. They need to protect against a failure of an entire Azure datacenter within that region. The solution should automatically distribute the VMs across physically separate locations with independent power, cooling, and networking. The company also requires the lowest possible latency between application and database tiers within the same location. Which deployment strategy should they use?

A.Deploy the VMs across multiple availability zones
B.Deploy the VMs in an availability set
C.Use Azure Site Recovery to replicate VMs to a paired region
D.Use Azure Proximity Placement Groups
AnswerA

Availability zones provide datacenter-level redundancy within a region. By placing VMs in different zones, the application can survive a single datacenter failure. This also allows low latency within the same zone for the database tier.

Why this answer

Availability zones are physically separate datacenters within an Azure region, each with independent power, cooling, and networking. Deploying the application tier VMs across multiple zones protects against an entire datacenter failure while keeping all resources within the same region, ensuring the lowest possible latency between application and database tiers when they are placed in the same zone.

Exam trap

The trap here is that candidates often confuse availability sets (which protect against rack failures) with availability zones (which protect against datacenter failures), or they incorrectly assume that cross-region replication via Site Recovery is the only way to achieve datacenter fault tolerance, ignoring the lower-latency option of multiple zones within the same region.

How to eliminate wrong answers

Option B is wrong because an availability set only protects against rack-level failures within a single datacenter, not against the failure of an entire datacenter. Option C is wrong because Azure Site Recovery to a paired region introduces cross-region latency, which does not meet the requirement for the lowest possible latency within the same location. Option D is wrong because Proximity Placement Groups are designed to reduce latency by co-locating VMs, but they do not provide protection against a full datacenter failure.

735
MCQmedium

A company needs to store sensitive customer data in Azure Blob Storage. They require encryption at rest using customer-managed keys (CMK) stored in Azure Key Vault. Additionally, they want to prevent data from being accessed if the key is revoked. Which feature should they enable?

A.Azure Defender for Storage
B.Customer Lockbox for Azure Storage
C.Azure Files with AD DS authentication
D.Storage Service Encryption (SSE)
AnswerD

Storage Service Encryption with customer-managed keys makes every read and write depend on the Key Vault key; revoking the key blocks access.

Why this answer

Storage Service Encryption (SSE) is always on; the design choice is which key wraps the account's data encryption key. With customer-managed keys, the storage account's managed identity calls Key Vault (get, wrapkey, unwrapkey) to unwrap that key. If the Key Vault key is disabled or deleted, or the identity's key permissions are removed, the storage service can no longer unwrap the account key, and reads and writes to the account fail until access is restored; the data stays encrypted and unreadable. That is exactly the "prevent access if the key is revoked" requirement, and it is a property of SSE with CMK rather than of a separate product.

Exam trap

The trap here is Customer Lockbox, which sounds like a data-access control but only adds an approval gate for Microsoft support engineers who need to reach your data during a support case. It does not manage keys and has no effect on what your own users or applications can read after a key is revoked.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Storage (formerly Azure Defender for Storage) detects threats such as malware uploads and anomalous access patterns; it does not manage encryption keys or enforce anything on key revocation. Option B is wrong because Customer Lockbox governs Microsoft support access and requires your explicit approval before an engineer can touch your data; it plays no part in key management and does not make data inaccessible to your own principals. Option C is wrong because Azure Files with AD DS authentication provides identity-based access control for SMB file shares, not Blob Storage encryption or key revocation.
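As an added example (not from the page), the following PowerShell enables SSE with a customer-managed key for a storage account and then revokes the key, which is the operation that makes the data inaccessible. Resource group rg-data, storage account stcustomerdata, key vault kv-customer-keys and key name sse-key are assumed names; the vault is assumed to use the access-policy permission model (with Azure RBAC you would assign the "Key Vault Crypto Service Encryption User" role to the identity instead).

```powershell
# Added example: SSE with customer-managed keys, then key revocation. Names are assumptions.
$rg    = 'rg-data'
$sa    = 'stcustomerdata'
$vault = 'kv-customer-keys'
$key   = 'sse-key'

# 1. The storage account needs an identity to call Key Vault with.
$account = Set-AzStorageAccount -ResourceGroupName $rg -Name $sa -AssignIdentity

# 2. CMK requires a vault with soft delete and purge protection, so an accidental delete
#    is recoverable and a malicious purge is impossible during the retention window.
Update-AzKeyVault -ResourceGroupName $rg -VaultName $vault -EnablePurgeProtection | Out-Null

# 3. Grant only the three key operations the storage service uses (least privilege).
Set-AzKeyVaultAccessPolicy -VaultName $vault -ObjectId $account.Identity.PrincipalId `
    -PermissionsToKeys get, wrapkey, unwrapkey

# 4. Create the wrapping key and point the account at it.
$kvKey    = Add-AzKeyVaultKey -VaultName $vault -Name $key -Destination Software
$vaultUri = (Get-AzKeyVault -VaultName $vault).VaultUri
Set-AzStorageAccount -ResourceGroupName $rg -Name $sa -KeyvaultEncryption `
    -KeyName $kvKey.Name -KeyVersion $kvKey.Version -KeyVaultUri $vaultUri | Out-Null

# Verify the key source moved from Microsoft.Storage to Microsoft.Keyvault.
(Get-AzStorageAccount -ResourceGroupName $rg -Name $sa).Encryption.KeySource

# 5. Revoke. Disabling the key (or removing the identity's access policy) stops the
#    service from unwrapping the account key; reads and writes fail until it is re-enabled.
Update-AzKeyVaultKey -VaultName $vault -Name $key -Enable $false

# Alternative revocation that leaves the key itself intact:
# Remove-AzKeyVaultAccessPolicy -VaultName $vault -ObjectId $account.Identity.PrincipalId

# Restore access when the incident is over.
# Update-AzKeyVaultKey -VaultName $vault -Name $key -Enable $true
```

Revocation is reversible by design: re-enabling the key or restoring the access policy brings the account back without re-encrypting anything, which is why CMK is the mechanism for a controlled "kill switch" on stored data.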

736
MCQmedium

A financial services company needs to store transaction logs for regulatory compliance. The logs must be stored in a cost-effective manner, and they must be immutable to prevent tampering. The logs are accessed infrequently but must be retained for 7 years. Which Azure storage solution should you recommend?

A.Azure Cosmos DB with time-to-live (TTL)
B.Azure Blob Storage with immutable storage policy and cool access tier
C.Azure SQL Database with long-term retention backup
D.Azure Files with share snapshots
AnswerB

Immutable storage prevents tampering; cool tier reduces cost for infrequently accessed data.

Why this answer

Azure Blob Storage with an immutable storage policy (WORM) ensures that transaction logs cannot be modified or deleted during the retention period, meeting compliance requirements. The cool access tier is cost-effective for infrequently accessed data, and the 7-year retention aligns with the policy's time-based retention. This combination provides both immutability and low-cost storage for long-term archival.

Exam trap

The trap here is that candidates may confuse Azure SQL Database long-term retention (which is for backup recovery, not immutable storage) with true immutability, or assume that any snapshot or TTL mechanism can satisfy regulatory immutability requirements when they actually allow deletion or modification.

How to eliminate wrong answers

Option A is wrong because Azure Cosmos DB with TTL automatically deletes data after the TTL expires, which does not provide immutability and would delete logs before the 7-year retention period ends. Option C is wrong because Azure SQL Database long-term retention backup is designed for database recovery, not for storing immutable transaction logs, and it does not prevent tampering at the storage level. Option D is wrong because Azure Files share snapshots are point-in-time copies that can be deleted by the administrator, offering no immutability guarantee, and they are not cost-optimized for infrequent access over 7 years.
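The following is an added example (not from the page) of the recommended configuration: a time-based immutability policy on a container, locked so it cannot be shortened, with logs uploaded straight into the Cool tier and a check that deletion is refused. Resource group rg-compliance, storage account sttxnlogs and container transaction-logs are assumed names; the seven-year period is taken as 2557 days (365 x 7 plus two leap days), which is an assumption about how the regulator counts it.

```powershell
# Added example: WORM container with a locked 7-year retention, Cool-tier uploads. Names are assumptions.
$rg        = 'rg-compliance'
$sa        = 'sttxnlogs'
$container = 'transaction-logs'
$retentionDays = 7 * 365 + 2          # 2557 days; assumed interpretation of "7 years"

$ctx = (Get-AzStorageAccount -ResourceGroupName $rg -Name $sa).Context
New-AzStorageContainer -Name $container -Permission Off -Context $ctx | Out-Null

# 1. Time-based retention policy. It starts unlocked so the period can be tested first;
#    blobs are already protected while unlocked, but the period could still be changed.
Set-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName $rg -StorageAccountName $sa `
    -ContainerName $container -ImmutabilityPeriod $retentionDays | Out-Null

# 2. Lock it. A locked policy can only ever be extended, never shortened or removed,
#    and the container cannot be deleted while any blob is inside its retention window.
$policy = Get-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName $rg `
    -StorageAccountName $sa -ContainerName $container
Lock-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName $rg -StorageAccountName $sa `
    -ContainerName $container -Etag $policy.Etag -Force | Out-Null

# 3. Upload directly into the Cool tier; the retention clock starts at blob creation.
#    (The file path is a placeholder for a real log file.)
Set-AzStorageBlobContent -Container $container -File '.\txn-2024-06-01.log' `
    -Blob '2024/06/01/txn.log' -StandardBlobTier Cool -Context $ctx | Out-Null

# 4. Prove the guarantee: overwrite and delete are refused while the policy is in effect.
try {
    Remove-AzStorageBlob -Container $container -Blob '2024/06/01/txn.log' -Context $ctx -Force
    Write-Warning 'Delete succeeded: the immutability policy is NOT in effect'
} catch {
    "Delete blocked as expected: $($_.Exception.Message)"
}
```

Lock the policy only after a dry run with a short period: once locked, a seven-year retention cannot be undone by anyone, including the subscription owner, which is the point of the control and also the most common operational surprise.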

737
MCQeasy

A company has multiple virtual networks in different Azure regions. They need to connect all VNets together securely over the Microsoft backbone. They also need to connect to an on-premises data center via ExpressRoute. The solution should support transitive routing between all connected networks. Which Azure service should they use?

A.Azure Virtual Network Peering
B.Azure VPN Gateway
C.Azure Virtual WAN
D.Azure ExpressRoute Gateway
AnswerC

Virtual WAN provides a hub that connects multiple VNets and on-premises sites with automatic transitive routing.

Why this answer

Azure Virtual WAN is the correct choice because it provides a hub-and-spoke architecture that supports transitive routing between all connected networks (multiple VNets across regions and on-premises via ExpressRoute) over the Microsoft backbone. It natively integrates ExpressRoute and VPN gateways into a single managed service, enabling seamless connectivity and routing between any spoke VNet, branch, or on-premises site without requiring manual peering or gateway transit configuration.

Exam trap

The trap here is that candidates often choose Azure Virtual Network Peering (Option A) because they assume peering supports transitive routing, but Azure explicitly does not allow transitive routing through peered VNets unless you use a hub VNet with a network virtual appliance or enable gateway transit, which is not the same as native transitive routing.

How to eliminate wrong answers

Option A is wrong because Azure Virtual Network Peering does not support transitive routing; if you peer VNet A to VNet B and VNet B to VNet C, traffic cannot flow from A to C through B without additional configuration (e.g., a network virtual appliance in a hub VNet with user-defined routes). Option B is wrong because Azure VPN Gateway provides IPsec tunnels (site-to-site and point-to-site over the public internet, or VNet-to-VNet) with far lower throughput than ExpressRoute, and it does not natively provide transitive routing between many VNets across regions without manual routing and additional gateways. Option D is wrong because an ExpressRoute Gateway connects a single VNet to an ExpressRoute circuit; it does not provide transitive routing between multiple VNets or across regions, and it requires additional services (Virtual WAN or a hub VNet) to achieve full mesh connectivity.

738
Drag & Dropmedium

Drag and drop the steps to implement Azure AD Privileged Identity Management (PIM) for a role into the correct order.


Why this order

Select role, configure settings, assign eligible members, set notifications, then test activation.

739
MCQhard

A financial services company is designing a data platform on Azure that must comply with strict regulatory requirements. The platform will store sensitive customer data in Azure SQL Database. The company needs to prevent data exfiltration and ensure that only authorized Microsoft Entra ID users can access the data. The solution must also encrypt data at rest and in transit. Which combination of Azure services should the company implement?

A.Azure SQL Database firewall rules, Transparent Data Encryption (TDE), and Always Encrypted
B.Azure SQL Database with IP firewall rules, TLS 1.2, and Azure Information Protection
C.Azure SQL Database with Managed Identity, Azure Private Link, and Transparent Data Encryption (TDE)
D.Azure SQL Database with Microsoft Entra ID authentication, Azure Key Vault, and Azure Storage Service Encryption
AnswerC

Private Link prevents exposure to the internet, Managed Identity ensures only authorized identities can connect, and TDE encrypts data at rest.

Why this answer

Option A (firewall rules + TDE + Always Encrypted) covers encryption at rest and column-level encryption, but firewall rules still leave the public endpoint reachable and do not tie access to Microsoft Entra ID identities. Option B (IP firewall rules + TLS 1.2 + Azure Information Protection) also leaves the public endpoint exposed, and Azure Information Protection classifies and labels documents; it does not control access to a database. Option D (Microsoft Entra ID authentication + Key Vault + Azure Storage Service Encryption) gets the identity requirement right, but Storage Service Encryption protects storage accounts, not Azure SQL Database data at rest, and nothing in it removes the public endpoint.

Option C is the best answer because Private Link gives the database a private endpoint inside your VNet so traffic stays on the Microsoft backbone, and public network access can then be disabled, which is the actual exfiltration control; Managed Identity lets workloads authenticate as Microsoft Entra ID identities with no stored credentials; and TDE encrypts data at rest, while Azure SQL Database enforces TLS on every connection for encryption in transit.

740
MCQmedium

You are designing a globally distributed application that requires low-latency reads and writes for a web application with user session data. The solution must support multi-master writes and provide 99.999% availability. Which Azure data service meets these requirements?

A.Azure SQL Database
B.Azure Cosmos DB
C.Azure Cache for Redis
D.Azure Table Storage
AnswerB

Cosmos DB supports multi-region writes and 99.999% SLA.

Why this answer

Azure Cosmos DB is the correct choice because it natively supports multi-master writes across multiple regions, enabling low-latency reads and writes globally. It offers a 99.999% availability SLA when configured with multiple write regions, and its turnkey global distribution ensures user session data is replicated with consistency options tailored for web applications.

Exam trap

The trap here is that candidates often confuse Azure Cache for Redis's low-latency caching with a durable, multi-master data store, overlooking that it lacks persistence guarantees and multi-master write support required for 99.999% availability.

How to eliminate wrong answers

Option A is wrong because Azure SQL Database supports only a single writable primary replica (active geo-replication provides readable secondaries but not multi-master writes), and its maximum availability SLA is 99.995% for Business Critical tier, not 99.999%. Option C is wrong because Azure Cache for Redis is an in-memory cache, not a durable data store; it does not support multi-master writes natively and its SLA is 99.9% for Standard tier, far below 99.999%. Option D is wrong because Azure Table Storage is a NoSQL key-value store that does not support multi-master writes; it offers only single-region writes with read-access geo-redundant storage (RA-GRS) for reads, and its SLA is 99.99% for reads but only 99.9% for writes, insufficient for the required availability.

741
MCQmedium

Refer to the exhibit. An administrator reviews the backup status of a VM. The last backup failed. What is the most likely cause?

A.The Recovery Services vault is in a different region.
B.The backup policy does not exist.
C.The source resource ID is missing.
D.The VM was deallocated at the time of backup.
AnswerD

Azure Backup cannot back up deallocated VMs.

Why this answer

Option D is correct because, of the four causes offered, a VM that was deallocated when the scheduled job ran is the only one consistent with a single failed job against an otherwise valid configuration. Note that current Azure Backup takes a crash-consistent snapshot of a deallocated VM rather than failing outright, so in a real incident read the job's error code before assuming the power state is the cause. Option A is wrong because the exhibit does not show the vault in a different region; Azure Backup also requires the Recovery Services vault to be in the same region as the VM, so a region mismatch would have prevented protection from being configured at all rather than failing one job (cross-region restore, not cross-region backup, is what the service supports). Option B is wrong because the backup policy is referenced by policyId, so it exists.

Option C is wrong because the sourceResourceId is present and valid.

742
MCQmedium

A company runs a critical application on Azure VMs in a single region. They need to ensure business continuity with an RPO of 1 hour and RTO of 4 hours. The application has dependencies on virtual networks, storage accounts, and other Azure resources. They want to use Azure Backup as the primary disaster recovery tool and must be able to restore the entire application in a secondary region if the primary region fails. Which backup strategy should they recommend?

A.Azure Backup for VMs with daily backups and cross-region restore
B.Azure Site Recovery with replication to a secondary region
C.Azure Backup for VMs with hourly backups and cross-region restore
D.Azure Backup for files with daily backups and geo-redundant storage
AnswerC

More frequent backups shrink the RPO, and cross-region restore allows recovery of the VM in the paired secondary region from a geo-redundant vault.

Why this answer

Option C is correct within the question's constraint that Azure Backup is the tool: the backup frequency sets the RPO, and cross-region restore lets you restore the VM into the paired secondary region from a geo-redundant vault, which fits a 4-hour RTO. Two caveats a practitioner should know. First, Azure Backup's enhanced policy schedules VM backups at most every 4 hours, so a true 1-hour RPO for VMs is not achievable with Azure Backup alone; that is what Azure Site Recovery's continuous replication provides, and it is the right engineering choice when the tooling is not constrained. Second, cross-region restore requires the vault to use geo-redundant storage with cross-region restore enabled, and it restores the VM and its disks only; dependent resources such as virtual networks and storage accounts must already exist in the secondary region (for example, deployed from templates), because Azure Backup does not back them up.

Exam trap

The trap here is that candidates confuse Azure Backup with Azure Site Recovery, assuming Site Recovery is required for cross-region failover, but Azure Backup's cross-region restore can meet the RPO/RTO when combined with hourly backups, and the question explicitly restricts the tool to Azure Backup.

How to eliminate wrong answers

Option A is wrong because daily backups cannot achieve an RPO of 1 hour; the maximum backup frequency for daily backups is once per day, which would result in an RPO of up to 24 hours. Option B is wrong because Azure Site Recovery is a separate disaster recovery tool, not Azure Backup, and the question explicitly states they want to use Azure Backup as the primary disaster recovery tool. Option D is wrong because Azure Backup for files only protects file-level data, not the entire application including VMs, virtual networks, and storage accounts, and daily backups cannot meet the 1-hour RPO requirement.

743
MCQmedium

A company deploys a multi-tier application on Azure virtual machines. They need to implement disaster recovery using Azure Site Recovery. The recovery plan must ensure that the database VMs are started before the application VMs, and the application VMs before the web VMs. They also need to run a script after failover to update DNS records. Which ASR feature should they use?

A.Recovery Plan with manual steps
B.Recovery Plan with custom groups and script actions
C.Replication policy with crash-consistent snapshots
D.Azure Automation runbook
AnswerB

Custom groups define ordering, and script actions allow running PowerShell or Azure Automation after failover.

Why this answer

Azure Site Recovery (ASR) Recovery Plans allow you to orchestrate the order of VM failover by grouping VMs into custom groups and adding pre- and post-actions. By placing database VMs in Group 1, application VMs in Group 2, and web VMs in Group 3, you enforce the required startup sequence. Script actions (e.g., Azure Automation runbooks or PowerShell scripts) can be inserted at specific points in the plan to update DNS records after failover, making option B the correct choice.

Exam trap

The trap here is that candidates confuse a standalone Azure Automation runbook (which can run scripts but cannot enforce VM startup order) with a script action embedded in a Recovery Plan (which combines both ordering and script execution).

How to eliminate wrong answers

Option A is wrong because manual steps require human intervention during failover, which contradicts the need for an automated, reliable recovery plan that runs scripts to update DNS records. Option C is wrong because a replication policy with crash-consistent snapshots only controls the consistency of replicated data (ensuring crash-consistent recovery points) and does not provide any orchestration of VM startup order or post-failover scripting. Option D is wrong because an Azure Automation runbook is a script execution tool, but by itself it cannot define the multi-group startup sequence; it must be used as a script action within a Recovery Plan to achieve both ordering and automation.

744
MCQmedium

A company needs a fully managed NoSQL database for a JSON document-oriented application that requires low latency (single-digit milliseconds) for reads and writes at any scale. The application will run globally and needs multi-region writes with automatic failover. Which Azure data store should they use?

A.Azure Cosmos DB
B.Azure Table Storage
C.Azure SQL Database
D.Azure Cache for Redis
AnswerA

Cosmos DB offers multi-region writes, elastic scalability, and guarantees single-digit millisecond latency at the 99th percentile. It supports document models natively.

Why this answer

Azure Cosmos DB is the correct choice because it is a fully managed NoSQL database that natively supports JSON documents, offers single-digit millisecond latency for reads and writes at any scale, and provides multi-region writes with automatic failover through its multi-master replication capability. Its global distribution model allows you to configure multiple write regions, ensuring high availability and low latency worldwide.

Exam trap

The trap here is that candidates often confuse Azure Table Storage (a simple key-value store) with a fully managed NoSQL database, overlooking that it lacks native JSON support, multi-region writes, and automatic failover capabilities required for global, low-latency applications.

How to eliminate wrong answers

Option B (Azure Table Storage) is wrong because it is a key-value store that does not natively support JSON documents or multi-region writes with automatic failover; it offers only eventual consistency and lacks the global distribution features required. Option C (Azure SQL Database) is wrong because it is a relational database that does not support JSON as a native document model and cannot provide multi-region writes with automatic failover; it is not a NoSQL solution. Option D (Azure Cache for Redis) is wrong because it is an in-memory cache, not a fully managed NoSQL database; it does not persist JSON documents durably and lacks multi-region write capabilities with automatic failover.

745
MCQhard

A company runs a containerized application on Azure Container Instances (ACI) in a single region. The application uses Azure Cosmos DB (SQL API) with a single write region. You need to design a disaster recovery solution that meets an RPO of 0 seconds and RTO of 10 minutes for a regional outage. The solution must be cost-optimized. What should you include in the design?

A.Use Azure Container Instances with container groups across availability zones, and configure Cosmos DB geo-replication with manual failover.
B.Deploy ACI containers in two regions, use Azure Traffic Manager, and configure Cosmos DB with automatic failover.
C.Migrate the application to Azure Kubernetes Service (AKS) deployed in two regions, use Azure Front Door, and configure Cosmos DB with multi-region writes.
D.Deploy ACI containers in two regions, use Azure Front Door, and configure Cosmos DB with multi-region writes.
AnswerC

AKS supports multi-region deployment with automatic failover; Cosmos DB multi-region writes provide RPO=0.

Why this answer

Option C is correct because Cosmos DB multi-region writes give an RPO of 0 (every region accepts writes, so no committed write is lost when a region disappears), AKS can run the application in two regions, and Azure Front Door fails traffic over on health-probe results well within a 10-minute RTO. Option A is wrong because availability zones only protect against datacenter loss inside one region, and manual Cosmos DB failover adds operator time that can exceed the RTO. Option B is wrong because Cosmos DB automatic failover with a single write region has a non-zero RPO (writes not yet replicated at the moment of the outage are lost), and Traffic Manager's DNS-based failover converges more slowly than Front Door's edge routing.

Option D keeps Cosmos DB multi-region writes but relies on ACI, which has no built-in multi-region orchestration or health-based failover for the compute tier, so recovering the application would involve manual steps that put the 10-minute RTO at risk.

746
MCQhard

A company uses Microsoft Entra ID B2B to collaborate with external vendors. They want to enforce that external users must use multi-factor authentication (MFA) and access company resources only from compliant devices (e.g., managed by Intune). They also want to require a session timeout of 1 hour. Which combination of Microsoft Entra ID features should they use?

A.Microsoft Entra ID Protection risk policies
B.Conditional Access policies with session controls
C.Privileged Identity Management (PIM)
D.Terms of Use
AnswerB

Microsoft Entra ID Conditional Access policies can require MFA, require device to be marked as compliant (via Intune), and include session controls to set sign-in frequency (session timeout).

Why this answer

Option B is correct because it combines Conditional Access policies with session controls to enforce MFA, device compliance (via Intune), and a 1-hour session timeout. Conditional Access policies evaluate sign-in risk and require MFA and compliant devices, while the session control 'Sign-in frequency' can be set to 1 hour to enforce reauthentication. This meets all three requirements without relying on deprecated or separate features.

Exam trap

The trap here is that candidates often confuse Conditional Access session controls with token lifetime policies or think that Identity Protection alone can enforce device compliance, but only Conditional Access policies can combine MFA, device compliance, and session timeout in a single policy.

How to eliminate wrong answers

Option A is wrong because it uses Azure AD Identity Protection, which is designed for risk-based policies (e.g., risky sign-ins) but does not natively enforce device compliance or session timeout; it lacks the session control for a 1-hour timeout. Option C is wrong because it relies on Azure AD Privileged Identity Management (PIM), which manages just-in-time privileged access and does not enforce MFA or device compliance for external users accessing general resources. Option D is wrong because it uses Azure AD Terms of Use, which only requires acceptance of a policy document and cannot enforce MFA, device compliance, or session timeout.

747
MCQhard

You are designing a monitoring solution for a critical application that runs on Azure Virtual Machines. The application generates custom performance counters. You need to alert when the custom counter exceeds a threshold and trigger an Azure Automation runbook to remediate. Which two Azure services should you combine? (Select TWO.)

A.Azure Event Grid
B.Azure Monitor
C.Log Analytics
D.Azure Automation
AnswerB, D

Azure Monitor can alert on metrics and trigger actions.

Why this answer

Azure Monitor is the correct choice because it collects and analyzes custom performance counters from Azure VMs, enabling metric-based alert rules. When a threshold is exceeded, Azure Monitor can trigger an action group that invokes an Azure Automation runbook, providing automated remediation. This combination directly addresses the requirement to alert on custom counters and execute a runbook in response.

Exam trap

The trap here is that candidates often confuse Log Analytics as a direct alerting and remediation service, when in fact it is a data repository that requires Azure Monitor to evaluate alerts and trigger actions via action groups.

How to eliminate wrong answers

Option A is wrong because Azure Event Grid is a pub-sub event routing service for handling discrete events (e.g., resource state changes), not for continuous metric monitoring or threshold-based alerting on custom performance counters. Option C is wrong because Log Analytics is a data storage and query platform for log and performance data; it does not natively trigger alerts or runbooks directly—it relies on Azure Monitor for alerting and action groups to invoke Automation runbooks.

748
MCQeasy

A company stores website static assets in Azure Blob Storage. The assets are updated weekly and must be available for immediate access for 30 days. After 30 days, older versions can be moved to the Cool tier to save costs but must still be accessible within seconds. They want an automated solution. What should they configure?

A.Set the access tier to Cool on the container
B.Use Azure Blob Storage lifecycle management rules
C.Manually change the access tier every 30 days
D.Use Azure Policy to enforce tier changes
AnswerB

Lifecycle management allows you to create a rule that moves blobs older than 30 days to the Cool tier automatically, while keeping newer blobs in the Hot tier.

Why this answer

Azure Blob Storage lifecycle management rules allow you to automate tier transitions based on age or last modification time. By configuring a rule to move blobs to the Cool tier 30 days after creation, you meet the requirement for immediate access (Cool tier offers sub-second latency) while optimizing costs without manual intervention.

Exam trap

The trap here is confusing Azure Policy (which enforces configuration at resource creation) with lifecycle management (which automates transitions based on time), leading candidates to choose Policy when only lifecycle rules can schedule tier changes.

How to eliminate wrong answers

Option A is wrong because setting the access tier to Cool on the container applies to all blobs immediately, not after 30 days, and would prevent the required immediate access for the first 30 days. Option C is wrong because manually changing the access tier every 30 days is not automated and violates the requirement for an automated solution. Option D is wrong because Azure Policy can enforce compliance rules (e.g., requiring a specific tier) but cannot schedule or automate tier transitions based on age or time.
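As an added example (not from the page), here is the lifecycle rule the answer describes, built with the Az.Storage management-policy cmdlets: base blobs under a prefix move to Cool 30 days after their last modification, and, since the question says older versions should be the ones that move, blob versioning is enabled and previous versions are tiered 30 days after creation. Resource group rg-web, account stwebassets and the assets/ prefix are assumed names.

```powershell
# Added example: lifecycle management rule for weekly-updated static assets. Names are assumptions.
$rg = 'rg-web'
$sa = 'stwebassets'

# Versioning keeps the previous copy of an asset when it is overwritten each week; that
# previous version is what should age out to Cool while the current one stays Hot.
Update-AzStorageBlobServiceProperty -ResourceGroupName $rg -StorageAccountName $sa `
    -IsVersioningEnabled $true | Out-Null

# Scope the rule to block blobs under the assets/ prefix only.
$filter = New-AzStorageAccountManagementPolicyFilter -PrefixMatch 'assets/' -BlobType blockBlob

# Action 1: current blob to Cool 30 days after last modification. A weekly overwrite
# resets this clock, so an asset that keeps changing never leaves Hot.
$action = Add-AzStorageAccountManagementPolicyAction -BaseBlobAction TierToCool `
    -DaysAfterModificationGreaterThan 30

# Action 2 (chained onto the same action object): previous versions to Cool 30 days
# after they were created, i.e. 30 days after they were superseded.
$action = Add-AzStorageAccountManagementPolicyAction -InputObject $action `
    -BlobVersionAction TierToCool -DaysAfterCreationGreaterThan 30

$rule = New-AzStorageAccountManagementPolicyRule -Name 'cool-after-30-days' `
    -Action $action -Filter $filter

Set-AzStorageAccountManagementPolicy -ResourceGroupName $rg -StorageAccountName $sa `
    -Rule $rule | Out-Null

# Verify what was stored.
(Get-AzStorageAccountManagementPolicy -ResourceGroupName $rg -StorageAccountName $sa).Rules |
    Format-List
```

Lifecycle rules run once a day, so a transition can happen up to 24 hours after the threshold; that is fine here because Cool-tier reads still return in milliseconds, which is what the "accessible within seconds" requirement is really testing (Archive would not satisfy it).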

749
MCQmedium

You are an Azure administrator. The above Azure Policy definition is assigned to a subscription. A developer tries to deploy a Virtual Machine with SKU Standard_DS2_v2. What will happen?

A.The deployment is denied and an error message is returned.
B.The deployment succeeds with a warning logged.
C.The VM is created but the SKU is changed to a different series.
D.The deployment succeeds because the policy only audits.
AnswerA

The policy denies VMs matching the condition.

Why this answer

Option A is correct because the definition's effect is deny: a request to create a virtual machine whose sku.name matches Standard_DS* (a like match, so Standard_DS2_v2 matches) is rejected by Azure Resource Manager during validation, nothing is created, and the caller receives a RequestDisallowedByPolicy error. Option B is wrong because deny does not log a warning and continue; that behaviour belongs to audit. Option C is wrong because only the modify effect changes a resource, and it applies to tags and a limited set of properties, not a VM's size.

Option D is wrong because the effect is deny, not audit.
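The policy definition from the exhibit is not reproduced on this page. The block below is an added example (not the exhibit) of a definition with the behaviour the answer describes, created and assigned with Az.Resources: a deny effect on any VM whose SKU name matches Standard_DS*. The definition and assignment names are assumed; the alias Microsoft.Compute/virtualMachines/sku.name is the one the built-in "Allowed virtual machine size SKUs" policy uses.

```powershell
# Added example: deny DS-series VM sizes at subscription scope. Definition/assignment names are assumptions.
$subscriptionId = (Get-AzContext).Subscription.Id

# 'like' supports a single wildcard, so Standard_DS* matches Standard_DS2_v2 and Standard_DS13
# but not Standard_D2s_v3. The type check keeps the rule from evaluating unrelated resources.
$rule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
      { "field": "Microsoft.Compute/virtualMachines/sku.name", "like": "Standard_DS*" }
    ]
  },
  "then": { "effect": "deny" }
}
'@

$definition = New-AzPolicyDefinition -Name 'deny-ds-series-vms' `
    -DisplayName 'Deny DS-series VM sizes' -Mode All -Policy $rule

New-AzPolicyAssignment -Name 'deny-ds-series-vms' -PolicyDefinition $definition `
    -Scope "/subscriptions/$subscriptionId" | Out-Null

# A matching deployment now fails validation with RequestDisallowedByPolicy and creates nothing.
# To see the outcome without blocking anyone, change "deny" to "audit": the deployment then
# succeeds and the VM appears as non-compliant in Azure Policy instead.
```

Assignments take effect for new requests within minutes, but existing DS-series VMs are not touched by a deny effect; run a compliance scan to find them and remediate separately.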

750
MCQhard

You are reviewing a network security group (NSG) rule for a subnet that hosts web servers. The subnet's address space is 10.0.1.0/24. What is the effect of this rule?

A.The rule allows inbound TCP traffic on ports 80 and 443 from any source.
B.The rule allows inbound TCP traffic on ports 80 and 443 from the same subnet.
C.The rule denies inbound TCP traffic on ports 80 and 443 from any source.
D.The rule allows inbound TCP traffic on ports 80 and 443 from the internet.
AnswerB

Source is 10.0.1.0/24, which is the same subnet.

Why this answer

Option B is correct because the exhibit's rule has SourceAddressPrefixes set to ["10.0.1.0/24"], which is the subnet's own address space, so only traffic that originates from hosts inside that subnet can reach TCP ports 80 and 443; a public web tier would instead need a source of the Internet service tag or *. Option A is wrong because the source is not "any"; it is limited to 10.0.1.0/24. Option C is wrong because the rule's access is Allow, not Deny.

Option D is wrong because the Internet service tag is not the source. Note that the default AllowVnetInBound rule (priority 65000) already permits traffic from the whole VNet, so this rule as written only changes behaviour if a higher-priority deny rule sits between it and the defaults.
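The NSG JSON from the exhibit is not reproduced on this page. As an added example (not the exhibit), the block below builds the rule as described in the answer beside the rule a public web subnet usually needs, so the two source prefixes can be compared directly. Resource group rg-web, NSG name nsg-web, region westus and the NIC name are assumptions.

```powershell
# Added example: subnet-only web rule versus an Internet-facing one. Names are assumptions.
$rg       = 'rg-web'
$location = 'westus'

# The rule from the question: source 10.0.1.0/24 is the subnet itself, so only peers inside
# the subnet can reach 80/443. Nothing from outside the subnet matches this rule.
$fromSubnet = New-AzNetworkSecurityRuleConfig -Name 'allow-web-from-subnet' `
    -Description 'HTTP/HTTPS from 10.0.1.0/24 only' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix '10.0.1.0/24' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 80, 443

# What a public web tier needs: the Internet service tag as source, and the destination
# narrowed to the web subnet rather than *.
$fromInternet = New-AzNetworkSecurityRuleConfig -Name 'allow-web-from-internet' `
    -Description 'HTTP/HTTPS from the Internet service tag' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 110 `
    -SourceAddressPrefix 'Internet' -SourcePortRange '*' `
    -DestinationAddressPrefix '10.0.1.0/24' -DestinationPortRange 80, 443

$nsg = New-AzNetworkSecurityGroup -Name 'nsg-web' -ResourceGroupName $rg -Location $location `
    -SecurityRules $fromSubnet, $fromInternet

# Read the rules back; SourceAddressPrefix is the field that answers "who can reach the web ports".
$nsg.SecurityRules |
    Select-Object Name, Priority, Access, Direction, SourceAddressPrefix, DestinationAddressPrefix, DestinationPortRange |
    Format-Table -AutoSize

# Once the NSG is associated with the subnet, confirm what a NIC in it actually sees,
# including the default rules (AllowVnetInBound at 65000, DenyAllInBound at 65500):
# Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName 'web01-nic' -ResourceGroupName $rg
```

Get-AzEffectiveNetworkSecurityGroup is the check to run when a rule "looks right" but traffic still fails or still succeeds: it merges subnet and NIC NSGs with the defaults in priority order, which is how the question's rule is evaluated in practice.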
