Microsoft Azure Solutions Architect Expert AZ-305 (AZ-305) — Questions 751-825

999 questions total · 14 pages · All types, answers revealed

Page 11 of 14
751
MCQ (easy)

You are designing a storage solution for a new application that will store large binary files (up to 5 TB each) and require high throughput for sequential reads. The data is accessed infrequently but must be retained for 7 years for compliance. Which Azure storage solution should you recommend?

A. Azure Blob Storage in the Cool tier
B. Azure Managed Disks with Standard HDD
C. Azure Files shares in the Premium tier
D. Azure NetApp Files with Standard service level
Answer: A

Supports large blobs, cost-effective for infrequent access, and meets retention requirements.

Why this answer

Option A is correct because Azure Blob Storage supports large blobs (up to ~4.75 TB) and the Cool tier is cost-effective for infrequently accessed data with long retention. Option C (Azure Files) has size limits. Option B (Azure Managed Disks) is for VM disks, not unstructured data. Option D (Azure NetApp Files) is for enterprise workloads and is not cost-effective for archival.

752
MCQ (hard)

A company runs a multi-tier application on Azure virtual machines (VMs) in the West US region. The application consists of a web tier, an application tier, and a database tier. They need to implement a disaster recovery plan to a secondary region (East US) with a recovery point objective (RPO) of 5 minutes and a recovery time objective (RTO) of 15 minutes. The VMs must be recovered in the correct order: database tier first, then application tier, then web tier. The company also wants to test the recovery process periodically without affecting production. They need to ensure that after failover, the VMs retain their IP addresses to minimize DNS propagation delays. Which combination of Azure Site Recovery features should they use?

A. Use Azure Site Recovery with a replication policy of 5-minute frequency, configure a recovery plan with manual ordering, and rely on default IP assignment
B. Use Azure Site Recovery with a replication policy of 30-second frequency, create multi-VM consistency groups for each tier, build a recovery plan with script actions for ordering and static IP mapping, and use test failover for drills
C. Use Azure Site Recovery with a replication policy of 15-minute frequency and configure manual IP mapping after failover
D. Use Azure Backup with daily snapshots and a geo-restore option, then manually restore VMs in order
Answer: B

This combination meets all requirements: 30-second replication achieves <5-minute RPO; consistency groups ensure cross-VM consistency; recovery plan enforces order and runs scripts for IP mapping; test failover supports non-disruptive drills.

Why this answer

Option B is correct because it meets all requirements: a 30-second replication policy achieves the 5-minute RPO, multi-VM consistency groups ensure crash-consistent recovery across tiers, script actions in the recovery plan enforce the correct startup order (database first, then app, then web), static IP mapping retains IP addresses after failover, and test failover allows non-disruptive drills. This combination of features directly addresses the RPO, RTO, ordering, IP retention, and testing needs.

Exam trap

The trap here is that candidates often confuse replication frequency with RPO (e.g., thinking a 5-minute replication policy guarantees a 5-minute RPO) or assume manual ordering in a recovery plan is sufficient without understanding that script actions are needed for precise tier sequencing and IP retention.

How to eliminate wrong answers

Option A is wrong because a 5-minute replication policy does not guarantee the 5-minute RPO (it only replicates every 5 minutes, not within 5 minutes), manual ordering lacks script actions for precise tier sequencing, and default IP assignment does not retain IP addresses after failover. Option C is wrong because a 15-minute replication policy exceeds the 5-minute RPO requirement, and manual IP mapping after failover introduces delays that violate the 15-minute RTO. Option D is wrong because Azure Backup with daily snapshots cannot achieve a 5-minute RPO (snapshots are typically daily), geo-restore does not provide automated failover with ordering, and manual restoration cannot meet the 15-minute RTO.

753
Matching (medium)

Match each Azure monitoring service to its function.

Concepts
Matches

Collect, analyze, and act on telemetry

Query and analyze log data

Application performance monitoring (APM)

Personalized recommendations for best practices

Personalized alerts for service issues

Why these pairings

These are the primary tools for monitoring and observability.

754
MCQ (medium)

Contoso, Ltd. is migrating a legacy on-premises application to Azure. The application uses a SQL Server database with complex queries and requires read-heavy workloads with sub-10-millisecond latency. The solution must support geo-replication for disaster recovery. Which Azure data service should you recommend?

A. Azure Cosmos DB for NoSQL
B. Azure SQL Database Business Critical
C. Azure SQL Database Hyperscale
D. Azure SQL Managed Instance Business Critical
Answer: B

Business Critical offers readable secondaries for read-heavy workloads and supports geo-replication.

Why this answer

Azure SQL Database Business Critical is correct because it uses the SQL Server database engine with full T-SQL support for complex queries, serves read-heavy workloads with sub-10-millisecond latency via in-memory OLTP and local SSD storage, and supports active geo-replication for disaster recovery. This tier offers a readable secondary replica in a different Azure region, meeting both the latency and geo-replication requirements.

Exam trap

The trap here is that candidates often choose Hyperscale for its scalability and geo-replication features, overlooking that its page server architecture introduces higher read latency for small, frequent queries compared to the local SSD-based Business Critical tier.

How to eliminate wrong answers

Option A is wrong because Azure Cosmos DB for NoSQL does not support SQL Server T-SQL complex queries and uses a NoSQL API, making it incompatible with the existing SQL Server database. Option C is wrong because Azure SQL Database Hyperscale is optimized for large databases and high throughput but does not guarantee sub-10-millisecond latency for read-heavy workloads due to its page server architecture and potential cache misses. Option D is wrong because Azure SQL Managed Instance Business Critical supports geo-replication only via failover groups with limited read-scale capabilities, and it introduces additional management overhead compared to Azure SQL Database, which is more suitable for a simple migration of a legacy application.

755
MCQ (hard)

You are designing a monitoring solution for an Azure function app that processes messages from Azure Service Bus. The function app is critical and must be highly available. You need to monitor for poison messages and trigger an alert when the dead-letter queue count exceeds 100. What should you use?

A. Azure Service Bus Explorer
B. Azure Monitor metric alert on the dead-letter message count
C. Azure Log Analytics workspace querying Service Bus logs
D. Azure Application Insights availability tests
Answer: B

Metric alerts can monitor the dead-letter queue count and trigger actions.

Why this answer

Azure Monitor metric alerts can directly monitor the 'Dead-letter message count' metric for a Service Bus namespace or entity. When this count exceeds 100, the alert triggers, enabling automated response to poison messages without additional query overhead. This is the most efficient and native monitoring solution for real-time threshold-based alerts on Service Bus metrics.

Exam trap

The trap here is that candidates may overthink and choose Log Analytics (Option C) for its querying flexibility, but the question specifically asks for a threshold-based alert on a single metric, which is exactly what Azure Monitor metric alerts are designed for.

How to eliminate wrong answers

Option A is wrong because Azure Service Bus Explorer is a manual tool for browsing queues and dead-letter queues, not an automated monitoring or alerting mechanism. Option C is wrong because Log Analytics queries require logs to be sent to a workspace, which adds latency and cost; metric alerts are simpler and more immediate for threshold-based monitoring. Option D is wrong because Application Insights availability tests monitor HTTP endpoint availability, not Service Bus dead-letter queue metrics.

756
MCQ (hard)

AdventureWorks is a global retailer with a cloud-native architecture. They have a microservices application deployed on Azure Kubernetes Service (AKS). Each microservice needs to store its own data. The data requirements vary: (1) Shopping cart service: key-value data with high write throughput and low latency, data can be lost if not critical; (2) Order service: transactional data with strong consistency and ACID compliance; (3) Product catalog service: semi-structured product data that supports complex queries and is globally distributed for low-latency reads. The solution must use Azure PaaS services and minimize operational overhead. You need to design the data storage for each microservice. What should you recommend?

A. Azure Cosmos DB for all three services.
B. Azure Table Storage for shopping cart, Azure SQL Database for orders, Azure Cosmos DB for product catalog.
C. Azure Cache for Redis for shopping cart, Azure SQL Database for orders, Azure Cosmos DB for product catalog.
D. Azure SQL Database for all three services.
Answer: C

Best fit for each requirement.

Why this answer

Option C is correct. For the shopping cart, Azure Cache for Redis provides in-memory key-value storage with low latency. For the order service, Azure SQL Database provides ACID compliance. For the product catalog, Azure Cosmos DB provides global distribution and complex query support. Option A is wrong because Cosmos DB is not ACID-compliant for orders. Option B is wrong because Azure Table Storage is not ACID-compliant. Option D is wrong because Azure SQL Database is not ideal for high-write key-value data.

757
MCQ (hard)

Refer to the exhibit. You are an Azure administrator for a company that enforces a policy that no virtual networks or network security groups can be created. However, a developer reports that they successfully created a virtual network. What is the most likely reason the policy did not block the creation?

A. The policy definition contains a syntax error.
B. The policy only applies to network security groups, not virtual networks.
C. The policy was assigned to a scope that does not include the subscription or resource group where the virtual network was created.
D. The policy effect should be 'append' instead of 'deny'.
Answer: C

Policy assignment scope must cover the resource's location.

Why this answer

Option C is correct because Azure Policy assignments are scoped to a specific management group, subscription, or resource group. If the policy was assigned to a scope that does not include the subscription or resource group where the developer created the virtual network, the policy would not apply, and the creation would succeed. The policy definition itself may be valid, but without proper assignment scope, it cannot enforce the deny effect.

Exam trap

The trap here is that candidates may assume a policy definition automatically applies to all resources in the tenant, but Azure Policy requires explicit assignment to a scope, and without proper scope coverage, the policy has no effect.

How to eliminate wrong answers

Option A is wrong because a syntax error in the policy definition would cause the policy to fail at evaluation time, typically resulting in an error message or the policy being non-functional, but it would not allow the virtual network creation to succeed silently; the policy would either not apply or produce an error. Option B is wrong because the question states the policy enforces that 'no virtual networks or network security groups can be created,' implying the policy definition explicitly includes both resource types; if it only applied to network security groups, the developer would not have been able to create a virtual network, but the scenario says they successfully created a virtual network, which contradicts the policy's stated scope. Option D is wrong because the 'append' effect is used to add additional properties or tags to a resource during creation or update, not to block creation; to deny creation, the correct effect is 'deny', and using 'append' would not prevent the virtual network from being created.

758
MCQ (medium)

A company needs to store large amounts of unstructured file data (documents, images) that is accessed concurrently from hundreds of Azure VMs. The data must be accessible via the SMB protocol and provide low-latency, high-throughput performance. The solution must be fully managed and support up to 1000 simultaneous connections. Which Azure storage solution should they choose?

A. Azure Files (Premium tier)
B. Azure Blob Storage
C. Azure NetApp Files
D. Azure Managed Disks
Answer: A

Premium Azure Files provides SSD-backed SMB shares, low latency, high IOPS, and supports up to 1000 concurrent connections per share, making it ideal for this scenario.

Why this answer

Azure Files (Premium tier) is correct because it provides fully managed SMB file shares with low-latency, high-throughput performance suitable for concurrent access from hundreds of Azure VMs. Premium file shares are backed by SSD storage and are designed to support up to 1000 simultaneous connections per share, meeting the stated requirements for unstructured file data accessed via SMB.

Exam trap

The trap here is that candidates often confuse Azure Blob Storage with file shares because both store unstructured data, but Blob Storage lacks native SMB protocol support and is not optimized for concurrent file-level access from hundreds of VMs.

How to eliminate wrong answers

Option B (Azure Blob Storage) is wrong because it does not natively support the SMB protocol; it uses REST-based APIs (HTTP/HTTPS) and is optimized for object storage, not file-level concurrent access from hundreds of VMs. Option C (Azure NetApp Files) is wrong because while it supports SMB and high throughput, it is not fully managed in the same sense as Azure Files—it requires a delegated subnet and offers NFS/SMB but is typically used for specialized workloads like HPC or SAP, and its pricing and complexity exceed the requirements. Option D (Azure Managed Disks) is wrong because they are block-level storage attached to a single VM (up to 256 connections per disk with shared disks, but not designed for concurrent file-level access from hundreds of VMs via SMB).

759
MCQ (medium)

A multinational corporation is designing a data storage solution for its global customer data. The data must be stored in the Azure region closest to each customer to minimize latency, but all data must be accessible from a central analytics platform for reporting. The solution must also comply with data residency regulations that require customer data to remain in the country of origin. Which Azure storage solution should the company recommend?

A. Azure Cosmos DB with multi-master writes and conflict resolution
B. Azure Data Lake Storage Gen2 with geo-zone-redundant storage (GZRS)
C. Azure Blob Storage with geo-redundant storage (GRS)
D. Azure SQL Database with active geo-replication
Answer: A

Cosmos DB supports multi-region writes and can enforce data residency at the partition level.

Why this answer

Option A is correct because Azure Cosmos DB supports multi-region writes and data residency with a multi-master configuration, allowing data to be written in the region closest to the customer and read globally. Option C is wrong because Azure Blob Storage with geo-redundant storage (GRS) does not allow per-item residency control. Option D is wrong because Azure SQL Database with geo-replication replicates entire databases, not per-customer data. Option B is wrong because Azure Data Lake Storage Gen2 is a single-region service and does not natively support multi-region data placement per customer.

760
MCQ (easy)

You are designing a backup strategy for Azure virtual machines that must support application-consistent backups and be capable of restoring to a different Azure region. Which solution should you use?

A. Azure Site Recovery
B. Azure Files
C. Azure Disk Backup
D. Azure Backup
Answer: D

Azure Backup supports application-consistent backups using VSS and cross-region restore with GRS storage.

Why this answer

Option D is correct because Azure Backup supports application-consistent backups for VMs and cross-region restore. Option A is wrong because Azure Site Recovery provides disaster recovery, not backup. Option C is wrong because Azure Disk Backup supports disk-level backups but not application-consistent backups. Option B is wrong because Azure Files is a storage service, not a backup service.

761
MCQ (hard)

Your organization has a complex Azure environment with multiple subscriptions. You need to design a governance strategy that ensures: 1) All resources must have specific tags (CostCenter, Environment, Owner). 2) Any resource without required tags must be reported to the compliance team weekly. 3) Virtual machines must not be deployed in certain regions due to data sovereignty. 4) The solution must be automated and use native Azure services. You already have an Azure Log Analytics workspace and a central automation account. What should you include in the design?

A. Use Azure Resource Graph queries to find untagged resources and export to CSV manually each week.
B. Use Azure Blueprints to define tags and region restrictions; use Azure Monitor alerts to report non-compliance.
C. Use Azure Policy with 'deny' effect for missing tags and an Azure Automation runbook to add tags weekly.
D. Use Azure Policy with 'audit' effect for missing tags and region restriction; use Azure Logic Apps triggered by a schedule to query Azure Resource Graph and email the compliance report.
Answer: D

Policy enforces and audits, Logic App automates weekly reporting.

Why this answer

Option D is correct because it uses Azure Policy with 'audit' effect to detect missing tags and region violations without blocking deployment, which satisfies the reporting requirement. Azure Logic Apps, triggered on a schedule, queries Azure Resource Graph to identify non-compliant resources and sends an email report to the compliance team weekly, fulfilling the automation and native service criteria without manual intervention.

Exam trap

The trap here is that candidates often choose 'deny' effect (Option C) thinking it enforces compliance, but the question explicitly requires reporting non-compliance, not blocking resources, making 'audit' the correct effect for this scenario.

How to eliminate wrong answers

Option A is wrong because manually exporting to CSV each week violates the 'automated' requirement and does not use native Azure services for reporting. Option B is wrong because Azure Blueprints cannot enforce runtime region restrictions or tag requirements; they only define initial resource templates, and Azure Monitor alerts are not designed to query resource compliance or generate tag-based reports. Option C is wrong because using Azure Policy with 'deny' effect would block deployment of untagged resources, but the requirement is to report non-compliance, not prevent it; additionally, an Automation runbook adding tags weekly does not address the region restriction or the weekly reporting to the compliance team.

762
MCQ (medium)

You are designing a network topology for a multi-tier application in Azure. The application has a web tier, an API tier, and a database tier. You need to ensure that the web tier can communicate with the API tier, and the API tier can communicate with the database tier, but the web tier cannot directly access the database tier. Which Azure networking solution should you implement?

A. Azure Firewall
B. Network Security Groups (NSGs) with service tags
C. Azure Application Security Groups (ASGs)
D. VNet peering
Answer: C

ASGs allow you to group VMs and define security rules based on application tiers, simplifying policy management.

Why this answer

Option C is correct because Azure Application Security Groups (ASGs) allow you to define network security policies based on application groups, and you can create rules that permit traffic only between specific tiers. Option B is wrong because NSGs alone would require complex rule management. Option A is wrong because Azure Firewall is a managed firewall but is overkill for this scenario. Option D is wrong because VNet peering is for connecting VNets, not controlling traffic within a VNet.

763
Multi-Select (hard)

A company runs an application on Azure VMs that uses Azure SQL Database. They need a disaster recovery solution that ensures the application can fail over to a secondary region with minimal data loss. The solution must include automatic failover for the database and manual failover for the VMs. Which TWO Azure services should they use? (Choose two.)

Select 2 answers
A. Azure SQL Database auto-failover groups
B. Azure Traffic Manager
C. Azure Front Door
D. Azure Site Recovery
E. Azure SQL Database active geo-replication
Answers: A, D

Provides automatic failover for the database.

Why this answer

Options A and D are correct. Azure SQL Database auto-failover groups provide automatic failover for the database. Azure Site Recovery replicates the VMs to the secondary region and allows manual failover. Option E is wrong because Azure SQL active geo-replication does not fail over automatically; it requires manual action. Option B is wrong because Azure Traffic Manager is for routing, not VM replication. Option C is wrong because Azure Front Door is for global load balancing.

764
MCQ (hard)

You are designing a disaster recovery solution for an Azure SQL Database. The database is in the West US region. You need to ensure that if the entire West US region becomes unavailable, the database can be failed over to another region within 1 hour with minimal data loss. The solution must be cost-effective for a development environment. What should you recommend?

A. Configure active geo-replication to a secondary database in a paired region
B. Configure auto-failover groups with a secondary in a paired region
C. Deploy an Always On availability group across two regions using Azure VMs
D. Take daily backups and store them in a different region
Answer: A

Provides low RPO and RTO with failover within minutes.

Why this answer

Active geo-replication provides a readable secondary in a paired region with a configurable failover. For a dev environment, cost is a concern; active geo-replication is the most cost-effective option that meets the RPO/RTO. Option B (auto-failover groups) is a higher-level abstraction but still uses geo-replication; however, for dev, it may be overkill. Option D (daily backups to another region) has a longer RTO. Option C (Always On availability groups) is for IaaS, not PaaS.

765
MCQ (easy)

You are designing a cloud-native application that will run on Azure Kubernetes Service (AKS). The application needs to authenticate users and manage access to resources. Which identity service should you use?

A. Microsoft Entra External ID
B. Microsoft Entra ID
C. Microsoft Account
D. Azure Active Directory Domain Services
Answer: B

Microsoft Entra ID (formerly Azure AD) is the identity provider for Azure, offering authentication and authorization for AKS via managed identities or service principals.

Why this answer

Microsoft Entra ID is the cloud-based identity and access management service for Azure, providing authentication and authorization for AKS workloads.

766
MCQ (hard)

You are designing a governance strategy for a multi-subscription Azure environment. Your compliance team requires that any resource group created in the production subscription must have a specific naming convention: it must start with 'prod-' and be followed by a three-letter department code and a two-digit number. Any resource group not following this convention should be automatically prevented from creation. Which Azure policy definition should you use?

A. Use a policy with 'like' constraint on the 'name' field.
B. Use a policy with 'match' constraint on the 'name' field.
C. Use a policy with 'contains' constraint on the 'name' field.
D. Use a policy with 'pattern' constraint on the 'name' field.
Answer: D

The 'pattern' constraint supports regex, allowing validation of the naming convention.

Why this answer

Option D is correct because Azure Policy's 'pattern' constraint uses regular expressions to enforce complex naming conventions. The requirement for resource groups to start with 'prod-', followed by a three-letter department code and a two-digit number, is a pattern that can be precisely defined with a regex like '^prod-[a-z]{3}\d{2}$'. The 'pattern' constraint is the only option that supports regex-based validation, making it suitable for this multi-part naming rule.

Exam trap

The trap here is that candidates confuse 'match' (which uses simple wildcards like '*' and '?') with 'pattern' (which uses regex), leading them to choose option B when the requirement demands a structured format that only regex can enforce.

How to eliminate wrong answers

Option A is wrong because the 'like' constraint uses wildcard matching (e.g., 'prod-???') but cannot enforce exact character types or lengths for the department code and number; it would allow any three characters and two digits, including invalid characters like symbols. Option B is wrong because the 'match' constraint is used for simple string matching with wildcards (e.g., 'prod-*'), not for enforcing a structured pattern with specific character classes and lengths. Option C is wrong because the 'contains' constraint checks if a substring exists anywhere in the name, which cannot enforce the required prefix or the exact format after it; a name like 'test-prod-abc12' would incorrectly pass.

767
MCQ (easy)

Your company has multiple Azure subscriptions. You need to ensure that all security-related logs from Azure resources are centralized in a single Log Analytics workspace for analysis. Which Azure service should you use to collect and route these logs?

A. Azure Monitor
B. Microsoft Sentinel
C. Azure Policy
D. Azure Event Hubs
Answer: C

Azure Policy can enforce diagnostic settings to send logs to a central Log Analytics workspace.

Why this answer

Azure Policy is correct because it can enforce the deployment of a diagnostic setting on all Azure resources, automatically routing security-related logs (such as Activity Logs, resource logs, and audit logs) to a single Log Analytics workspace. This ensures centralized collection and analysis without manual configuration per resource, meeting the requirement for a governance-driven approach.

Exam trap

The trap here is that candidates often confuse Azure Policy with Azure Monitor or Sentinel, thinking that monitoring or SIEM tools handle log routing, when in fact Azure Policy is the governance tool that enforces the configuration to centralize logs.

How to eliminate wrong answers

Option A is wrong because Azure Monitor is the platform that collects and analyzes telemetry, but it does not itself route or enforce the collection of logs from multiple subscriptions; it relies on diagnostic settings or other services to ingest data. Option B is wrong because Microsoft Sentinel is a SIEM that uses Log Analytics as its underlying data store, but it is not the service that collects or routes logs—it consumes data already in the workspace. Option D is wrong because Azure Event Hubs is a real-time data streaming service used for high-throughput ingestion, not for centralized log storage or analysis; it would require additional configuration to forward logs to Log Analytics.

768
MCQ (hard)

A company is designing a disaster recovery strategy for a mission-critical Azure SQL Database. They require a recovery point objective (RPO) of 5 seconds and a recovery time objective (RTO) of 1 hour. Which replication option should they use?

A. Zone-redundant deployment
B. Failover groups with active geo-replication
C. Auto-failover groups with active geo-replication
D. Geo-restore
Answer: B

Meets RPO of 5 seconds and RTO of 1 hour.

Why this answer

Failover groups with active geo-replication provide the lowest RPO (typically 5 seconds or less) and RTO (under 1 hour) for Azure SQL Database. Active geo-replication asynchronously replicates transactions to a secondary region, and failover groups orchestrate a coordinated, application-transparent failover that meets the stringent RTO requirement.

Exam trap

The trap here is that candidates confuse 'failover groups' with 'auto-failover groups' (which is not an official Azure term) and may incorrectly choose option C, or they underestimate the RPO/RTO of geo-restore and pick option D, not realizing that geo-restore is a backup-based solution with much higher latency.

How to eliminate wrong answers

Option A is wrong because zone-redundant deployment protects against datacenter failures within a single region, not against regional outages, and its RPO/RTO are not as low as required. Option C is wrong because 'Auto-failover groups with active geo-replication' is essentially the same as option B but with an incorrect name—Azure's feature is called 'failover groups' and does not include 'auto' in its official name; the automatic failover capability is part of failover groups, not a separate option. Option D is wrong because geo-restore uses point-in-time restore from geo-replicated backups, which has an RPO of 1 hour and RTO of 12+ hours, far exceeding the required 5-second RPO and 1-hour RTO.

769
MCQ (easy)

You are designing a solution to store large binary files (videos) that are accessed infrequently but must be retained for 7 years for compliance. The solution must minimize storage costs while allowing retrieval within 24 hours. Which Azure storage tier should you use?

A. Premium tier
B. Cool tier
C. Hot tier
D. Archive tier
Answer: D

Archive tier is lowest cost for long-term retention with retrieval within hours.

Why this answer

The Archive tier is the correct choice because it is the lowest-cost storage tier for infrequently accessed data that must be retained for long periods (7 years). It allows retrieval within 24 hours via standard rehydration, meeting the compliance requirement while minimizing storage costs. The other tiers (Premium, Hot, Cool) are more expensive and designed for higher-frequency access, making them unsuitable for this cost-optimization scenario.

Exam trap

The trap here is that candidates often choose Cool tier because they see 'infrequent access' and '24-hour retrieval' and mistakenly think Archive's retrieval time is too slow, but the question explicitly allows up to 24 hours, making Archive the correct cost-optimized choice.

How to eliminate wrong answers

Option A is wrong because the Premium tier is designed for low-latency, high-frequency access (e.g., Azure Virtual Machine disks) and incurs the highest storage costs, which is unnecessary for infrequently accessed videos. Option B is wrong because the Cool tier is optimized for data accessed less than once per month but still has higher storage costs than Archive and is not the most cost-effective for 7-year retention with 24-hour retrieval. Option C is wrong because the Hot tier is intended for frequent access (multiple times per month) and has the highest storage costs among standard tiers, contradicting the goal of minimizing costs for infrequently accessed data.

770
MCQ (medium)

A company runs a critical application on Azure VMs in the West US region. They need to protect against a regional disaster using Azure Site Recovery. The VMs use unmanaged disks. The recovery point objective (RPO) must be 15 minutes and the recovery time objective (RTO) must be 1 hour. Additionally, they must be able to perform quarterly disaster recovery drills that do not affect the production environment. Which configuration should they use in Azure Site Recovery?

A.Set up replication with a 15-minute snapshot frequency and perform test failover for drills.
B.Use Azure Backup for VM replication and perform restore drills.
C.Configure a recovery plan with a pre-script to take a snapshot every 15 minutes.
D.Enable multi-VM consistency group with a 15-minute consistency frequency.
AnswerA

Correct: ASR allows configuring snapshot frequency (15 minutes meets RPO) and test failover is a built-in feature for drills.

Why this answer

Option A is correct because Azure Site Recovery supports replication of Azure VMs with unmanaged disks, and a 15-minute snapshot frequency meets the RPO requirement. Test failover allows quarterly disaster recovery drills without impacting the production environment, as it creates isolated copies of VMs in a separate network for validation.

Exam trap

The trap here is confusing Azure Backup (long-term backup) with Azure Site Recovery (replication for disaster recovery), as both can restore VMs but only Site Recovery supports low RPOs and non-disruptive test failovers.

How to eliminate wrong answers

Option B is wrong because Azure Backup is designed for scheduled backup and long-term retention, not low-RPO replication: its backup frequency is measured in hours (daily by default, hourly at best with an enhanced policy), so it cannot meet a 15-minute RPO, and restoring a VM from a recovery point is not an orchestrated, isolated test failover of the replicated environment. Option C is wrong because recovery plans with pre-scripts cannot take snapshots at a fixed frequency; snapshot frequency is configured in the replication policy, not via scripts in a recovery plan. Option D is wrong because multi-VM consistency groups ensure crash-consistent or app-consistent recovery points across multiple VMs, but they do not set the replication frequency; the consistency frequency is separate from it, and this option does not address the drill requirement.

771
MCQhard

A large enterprise is designing a data lake solution for its analytics platform. The data lake will store petabytes of structured and unstructured data from various sources, including IoT devices, logs, and transactional databases. The solution must support: - Multi-protocol access (ABFS, REST, and NFS 3.0) - Hierarchical namespace for folder-level permissions - Optimized for analytical workloads (Parquet format) - Cost-effective storage for cold data that is accessed less than once a year. Which Azure storage solution should the enterprise recommend for the data lake?

A.Azure NetApp Files Ultra tier
B.Azure Files Premium tier
C.Azure Data Lake Storage Gen2 with Archive tier for cold data
D.Azure Blob Storage with hierarchical namespace enabled
AnswerC

Supports all required protocols and hierarchical namespace.

Why this answer

Option C is correct because Azure Data Lake Storage Gen2 (Blob Storage with the hierarchical namespace enabled) supports folder-level POSIX-style ACLs, multi-protocol access (ABFS, the Blob REST API, and NFS 3.0, which itself requires the hierarchical namespace), works with Parquet-based analytics engines, and lets cold data be moved to the Archive tier. Option A is wrong because Azure NetApp Files does not expose ABFS or the Blob API and is far too expensive at petabyte scale. Option B is wrong because Azure Files exposes SMB/NFS shares, not ABFS or the Blob REST API, and has no Archive tier.

Option D is wrong because, although enabling the hierarchical namespace is what turns a Blob Storage account into ADLS Gen2, the option says nothing about the cold-data requirement; Option C is the only one that names both the data lake capability and the Archive tier.

772
MCQhard

You are tasked with ensuring that all VMs in the subscription have Azure Hybrid Benefit enabled for Windows Server. You create the Azure Policy shown in the exhibit. However, after assignment, the compliance report shows that some D-series VMs are still non-compliant. What is the most likely cause?

A.The 'deny' effect is incorrectly configured; it should be 'audit' to show compliance.
B.The policy does not apply to existing resources; it only blocks new or updated ones.
C.The 'like' operator does not match standard D-series SKUs.
D.The policy is scoped to a management group that excludes the resource group containing the VMs.
AnswerB

The 'deny' effect only prevents creation or update of non-compliant resources; existing VMs remain non-compliant.

Why this answer

Azure Policy with the 'deny' effect only blocks new or updated resources that violate the policy; it does not automatically remediate existing non-compliant resources. The D-series VMs were likely created before the policy was assigned, so they remain non-compliant until they are redeployed or a remediation task is triggered. To enforce compliance on existing resources, you would need to use a 'deployIfNotExists' or 'modify' effect with a remediation task.

Exam trap

The trap here is that candidates often assume Azure Policy automatically applies to all resources in scope, but they overlook the fundamental difference between 'deny' (only blocks new/updated resources) and 'deployIfNotExists'/'modify' (can remediate existing resources).

How to eliminate wrong answers

Option A is wrong because switching the effect from 'deny' to 'audit' changes nothing for the existing VMs: they would still be reported as non-compliant, since 'audit' only records the violation instead of blocking it. Option B is correct as explained. Option C is wrong because 'like' with the pattern 'Standard_D*' matches every D-series SKU (for example Standard_D2s_v3 or Standard_D4s_v5); the single '*' wildcard matches any suffix.

Option D is wrong because if the policy were scoped to a management group that excludes the resource group, the VMs would not be evaluated at all and would not appear in the compliance report as non-compliant; they would simply be out of scope.
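The deny-versus-modify distinction above is easier to see when the policy is actually evaluated. The following is an added example, not part of the exam page and not Microsoft's engine: a miniature Azure Policy evaluator that applies an assumed reconstruction of the exhibit's rule (the exhibit itself is not shown; the aliases are real Azure Policy aliases but the rule is a guess) to a constructed VM inventory, first with effect 'deny' and then with effect 'modify'. Resources are modelled as flat dicts keyed by alias, which is a simplification.

```python
"""Tiny Azure Policy rule evaluator: 'deny' vs 'modify' on existing VMs.

Added example, not from the AZ-305 page or from Microsoft. The exhibit is not
shown on the page, so the rule below is an assumed reconstruction.
"""
from copy import deepcopy

LICENSE = "Microsoft.Compute/licenseType"
SKU = "Microsoft.Compute/virtualMachines/sku.name"
VM_TYPE = "Microsoft.Compute/virtualMachines"


def hybrid_benefit_rule(effect, details=None):
    """Assumed rule: Windows Server VMs on a D-series SKU must carry licenseType 'Windows_Server'."""
    then = {"effect": effect}
    if details:
        then["details"] = details
    return {
        "if": {"allOf": [
            {"field": "type", "equals": VM_TYPE},
            {"field": "Microsoft.Compute/imagePublisher", "equals": "MicrosoftWindowsServer"},
            {"field": SKU, "like": "Standard_D*"},
            {"field": LICENSE, "notEquals": "Windows_Server"},
        ]},
        "then": then,
    }


DENY_POLICY = hybrid_benefit_rule("deny")
MODIFY_POLICY = hybrid_benefit_rule("modify", {
    # A real 'modify' policy also needs roleDefinitionIds for the managed identity
    # that the remediation task uses; omitted here because nothing is deployed.
    "operations": [{"operation": "addOrReplace", "field": LICENSE, "value": "Windows_Server"}],
})


def like(value, pattern):
    """Azure Policy 'like': a single '*' wildcard, case-insensitive comparison."""
    v, p = str(value).lower(), pattern.lower()
    if "*" not in p:
        return v == p
    head, _, tail = p.partition("*")
    return len(v) >= len(head) + len(tail) and v.startswith(head) and v.endswith(tail)


def matches(cond, res):
    """Recursively evaluate an 'if' block against a resource (flat dict keyed by alias)."""
    if "allOf" in cond:
        return all(matches(c, res) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, res) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], res)
    value = res.get(cond["field"])
    if "equals" in cond:
        return value is not None and str(value).lower() == cond["equals"].lower()
    if "notEquals" in cond:
        return value is None or str(value).lower() != cond["notEquals"].lower()
    if "like" in cond:
        return value is not None and like(value, cond["like"])
    raise ValueError(f"unsupported condition: {cond}")


def evaluate_request(policy, resource):
    """Create/update path: 'deny' blocks, 'modify' rewrites the request, 'audit' lets it through."""
    if not matches(policy["if"], resource):
        return "allowed", resource
    effect = policy["then"]["effect"]
    if effect == "deny":
        return "denied", resource
    if effect == "modify":
        fixed = deepcopy(resource)
        for op in policy["then"]["details"]["operations"]:
            if op["operation"] in ("add", "addOrReplace"):
                fixed[op["field"]] = op["value"]
            elif op["operation"] == "remove":
                fixed.pop(op["field"], None)
        return "modified", fixed
    return "allowed-audited", resource


def compliance_scan(policy, resources):
    """Evaluation of existing resources: it only reports a state, it changes nothing."""
    return [(r["name"], "NonCompliant" if matches(policy["if"], r) else "Compliant")
            for r in resources if r["type"].lower() == VM_TYPE.lower()]


def remediate(policy, resources):
    """What a remediation task does: apply a 'modify' policy to existing resources in place.
    A 'deny' assignment has nothing to apply, so existing VMs stay non-compliant."""
    fixed_names = []
    if policy["then"]["effect"] != "modify":
        return fixed_names
    for r in resources:
        state, fixed = evaluate_request(policy, r)
        if state == "modified":
            r.update(fixed)
            fixed_names.append(r["name"])
    return fixed_names


def sample_vms():
    """Constructed sample inventory; names and SKUs are made up."""
    base = {"type": VM_TYPE, "Microsoft.Compute/imagePublisher": "MicrosoftWindowsServer"}
    return [
        {**base, "name": "vm-legacy-01", SKU: "Standard_D4s_v5"},                         # no licenseType
        {**base, "name": "vm-web-02", SKU: "Standard_D2s_v3", LICENSE: "Windows_Server"},
        {**base, "name": "vm-mem-03", SKU: "Standard_E4s_v5"},                            # not D-series
    ]


if __name__ == "__main__":
    vms = sample_vms()
    print(compliance_scan(DENY_POLICY, vms))         # vm-legacy-01 is NonCompliant
    print(evaluate_request(DENY_POLICY, vms[0])[0])  # 'denied' only if someone re-submits it
    print(remediate(DENY_POLICY, vms))               # [] : deny cannot fix anything
    print(remediate(MODIFY_POLICY, vms))             # ['vm-legacy-01']
    print(compliance_scan(MODIFY_POLICY, vms))       # everything Compliant
```

The point the scan shows is the one the question tests: under 'deny', vm-legacy-01 is reported non-compliant on every evaluation but is never touched, and it would only be blocked if someone re-submitted it; switching to 'modify' and running a remediation task is what changes its licenseType.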

773
MCQhard

A SaaS application must allow external partner users to sign in with their own organization credentials while the company controls application access. What should be used?

A.Create local cloud-only accounts for every partner user
B.Share one account per partner company
C.Use Azure DNS private zones
D.Microsoft Entra External ID/B2B collaboration with Conditional Access
AnswerD

External identities allow partner users to authenticate with their own identity provider while the resource tenant enforces access policies.

Why this answer

Microsoft Entra External ID (formerly Azure AD B2B) enables external partner users to sign in using their own organization's credentials (their existing Azure AD or Microsoft account) while the company retains control over application access. By combining B2B collaboration with Conditional Access policies, the company can enforce MFA, device compliance, or location-based controls on guest users without managing their identities or passwords.

Exam trap

The trap here is that candidates confuse Azure DNS private zones (a networking feature) with identity federation, or assume that creating local accounts or sharing accounts is acceptable for external collaboration, ignoring the security and manageability requirements of the scenario.

How to eliminate wrong answers

Option A is wrong because creating local cloud-only accounts for every partner user defeats the purpose of federated identity, introduces password management overhead, and violates the requirement that partners use their own credentials. Option B is wrong because sharing one account per partner company eliminates individual accountability, violates security best practices (no audit trail per user), and cannot enforce per-user Conditional Access policies. Option C is wrong because Azure DNS private zones are a networking feature for resolving custom domain names within virtual networks; they have no role in identity federation or external authentication.

774
MCQmedium

A company uses Azure Site Recovery to replicate critical Azure virtual machines (VMs) to a secondary Azure region for disaster recovery. The VMs use managed disks and are part of a multi-tier application. After a failover, the recovery VMs must be automatically placed into a specific availability set to maintain the application architecture. How should the administrator configure this in Azure Site Recovery?

A.Configure the target availability set in the VM replication settings in the Recovery Services vault
B.Create a recovery plan and add a manual step or script to move VMs to the availability set after failover
C.Convert the managed disks to unmanaged disks for replication, then specify the availability set
D.Azure Site Recovery does not support placing VMs into an availability set in the target region
AnswerA

For managed disk VMs, ASR provides an option to select the target availability set in the replication configuration, ensuring automatic placement after failover.

Why this answer

Option A is correct because Azure Site Recovery (ASR) allows you to configure the target availability set directly in the replication settings for each VM. When you enable replication for a VM, under the 'Target availability set' setting, you can select an existing availability set in the target region. ASR will then automatically place the recovered VM into that availability set during failover, ensuring the multi-tier application architecture is maintained without manual intervention.

Exam trap

The trap here is that candidates may assume ASR lacks native support for availability sets and default to manual recovery plans or unnecessary disk conversions, overlooking the straightforward configuration option in the replication settings.

How to eliminate wrong answers

Option B is wrong because while recovery plans can include manual steps or scripts, this approach is inefficient and error-prone; ASR natively supports specifying the target availability set in the replication settings, eliminating the need for post-failover manual steps. Option C is wrong because converting managed disks to unmanaged disks is unnecessary and not a supported method for specifying availability sets; ASR works with managed disks and the availability set is configured independently in the replication settings. Option D is wrong because Azure Site Recovery does support placing VMs into an availability set in the target region, as demonstrated by the correct configuration in Option A.

775
MCQhard

A company needs to store sensitive customer data in Azure Blob Storage with encryption at rest using customer-managed keys (CMK) stored in a hardware security module (HSM). Which Azure service should they use to manage the keys?

A.Azure Key Vault (Premium tier)
B.Azure Information Protection
C.Azure Key Vault (Standard tier)
D.Azure Key Vault Managed HSM
AnswerD

Managed HSM provides HSM-backed keys for CMK.

Why this answer

Azure Key Vault Managed HSM is a fully managed, highly available, single-tenant HSM that is FIPS 140-2 Level 3 validated. It allows you to store customer-managed encryption keys (CMKs) in a hardware security module (HSM) for Azure Storage encryption at rest, meeting the requirement for HSM-backed key storage. The Premium tier of Azure Key Vault also supports HSM-backed keys, but the question specifies 'stored in a hardware security module (HSM)', and Managed HSM provides dedicated HSM partitions with stronger isolation and compliance.

Exam trap

The trap here is that candidates often confuse the Azure Key Vault Premium tier (which supports HSM keys but in a shared multi-tenant HSM) with the dedicated HSM requirement, leading them to select Option A instead of the more appropriate Managed HSM.

How to eliminate wrong answers

Option A is wrong because Azure Key Vault (Premium tier) does support HSM-backed keys, but it is a multi-tenant service with shared HSM pools, not a dedicated HSM; the question's phrasing 'stored in a hardware security module (HSM)' implies a dedicated HSM solution, which Managed HSM provides. Option B is wrong because Azure Information Protection is a classification and labeling service for data protection, not a key management service for encryption at rest. Option C is wrong because Azure Key Vault (Standard tier) uses software-protected keys (FIPS 140-2 Level 1), not HSM-backed keys, and thus cannot meet the requirement for storing keys in an HSM.

776
MCQhard

A company is building a petabyte-scale data lake for analytics. The workload includes Apache Spark and Hive jobs that read and write large files. The storage solution must support a hierarchical namespace for efficient directory operations, POSIX-like access control lists (ACLs) for fine-grained permissions, and must be accessible via the Azure Blob Storage API for compatibility with existing tools. Furthermore, the solution should be optimized for analytics workloads with high throughput. Which Azure data service should they choose?

A.Azure Data Lake Storage Gen2
B.Azure Data Lake Storage Gen1
C.Azure Blob Storage
D.Azure Files
AnswerA

ADLS Gen2 combines a hierarchical namespace with POSIX ACLs and Blob API access. It is designed for large-scale analytics workloads and integrates with Spark and Hive.

Why this answer

Azure Data Lake Storage Gen2 (ADLS Gen2) is the correct choice because it combines a hierarchical namespace with POSIX-like ACLs and is accessible via the Azure Blob Storage API. This service is specifically optimized for analytics workloads like Apache Spark and Hive, providing high throughput for petabyte-scale data lakes. The hierarchical namespace enables efficient directory operations, while the Blob Storage API ensures compatibility with existing tools.

Exam trap

The trap here is that candidates may confuse Azure Data Lake Storage Gen1 with Gen2, overlooking that Gen1 lacks Blob Storage API compatibility, or they may assume Azure Blob Storage with hierarchical namespace enabled is a separate service, but ADLS Gen2 is the specific offering that combines all required features.

How to eliminate wrong answers

Option B (Azure Data Lake Storage Gen1) is wrong because it uses its own REST API, not the Azure Blob Storage API, breaking compatibility with existing tools that rely on Blob Storage APIs. Option C (Azure Blob Storage) is wrong because it does not support a hierarchical namespace by default (only flat namespace) and lacks POSIX-like ACLs, making it unsuitable for efficient directory operations and fine-grained permissions. Option D (Azure Files) is wrong because it is designed for SMB file shares and shared file access, not for petabyte-scale analytics workloads with high throughput, and it does not support the Blob Storage API or a hierarchical namespace optimized for Spark/Hive.

777
MCQmedium

You are a solutions architect for a large healthcare organization that uses Microsoft 365 and Azure. The organization has a Microsoft Entra ID tenant with 15,000 users. The security team requires that all users use multi-factor authentication (MFA) when accessing cloud applications. Currently, only 60% of users have registered for MFA. The organization wants to enforce MFA registration for all users within 30 days. The solution must minimize user disruption and allow users to register their MFA methods during their normal work hours. The organization uses Microsoft Intune for mobile device management and has a conditional access policy that requires MFA for all cloud apps. You need to design a solution to enforce MFA registration. What should you do?

A.Modify the existing conditional access policy to require MFA for all cloud apps and block access if MFA is not registered.
B.Deploy an Intune compliance policy that requires MFA enrollment on mobile devices.
C.Configure a Microsoft Entra ID MFA registration campaign to target all users and require registration within 14 days.
D.Use Microsoft Entra ID password reset policy to force users to register MFA during password reset.
AnswerC

Registration campaigns nudge users to register without blocking access.

Why this answer

Option C is correct because a Microsoft Entra ID MFA registration campaign nudges users to set up Microsoft Authenticator at sign-in and lets them snooze for a limited number of days, so registration is completed during normal work without blocking access. Option A is wrong because the tenant already requires MFA for all cloud apps; adding a block for unregistered users would lock out the 40% who have not registered yet. Option B is wrong because Intune compliance policies evaluate device compliance (encryption, OS version, and so on), not whether a user has registered MFA methods.

Option D is wrong because a password reset policy governs self-service password reset; it does not force MFA registration.

778
MCQhard

A financial services company is designing a data storage solution for its transaction processing system. The system uses Azure Cosmos DB with the Core (SQL) API. The company needs to implement a change data capture (CDC) pipeline to feed a downstream analytics system in near real-time (under 1 minute). The analytics system uses Azure Synapse Analytics. The data volume is approximately 10,000 transactions per second. The solution must minimize operational complexity and cost. Which approach should the company recommend?

A.Use Azure Cosmos DB change feed with Azure Functions to process changes and load them into Azure Synapse Analytics using the COPY command.
B.Enable Azure Synapse Link for Cosmos DB and query the transactional data directly from Synapse serverless SQL.
C.Use Azure Data Factory to schedule incremental copy from Cosmos DB to Synapse every minute.
D.Use Azure Databricks with Spark Structured Streaming to read from Cosmos DB change feed and write to Synapse.
AnswerA

Change feed provides real-time events, Functions can process and load to Synapse quickly.

Why this answer

Option A is correct because the Azure Cosmos DB change feed exposes inserts and updates as a continuously readable stream, and an Azure Functions Cosmos DB trigger can batch those changes and load them into a dedicated SQL pool with the COPY command within seconds, which stays under the 1-minute target with little infrastructure to operate. Option C is wrong because Azure Data Factory is batch-oriented: a pipeline scheduled every minute pays pipeline start-up latency on every run and, at 10,000 transactions per second, repeated incremental scans are costly. Option D is wrong because Databricks with Structured Streaming can meet the latency but adds a cluster to size, secure, and pay for, which contradicts the goal of minimal operational complexity and cost.

Option B is wrong because Azure Synapse Link replicates the container into the analytical store for querying rather than delivering a change stream to Synapse tables; its auto-sync latency is typically within two minutes and is not guaranteed, so it does not reliably meet the sub-minute requirement.

779
MCQeasy

A company uses Microsoft Entra ID Premium P2. They want to enforce that users accessing sensitive cloud applications from outside the corporate network must use multi-factor authentication (MFA). Which Microsoft Entra ID feature should they configure?

A.Conditional Access
B.Identity Protection
C.Privileged Identity Management
D.Access Reviews
AnswerA

Correct. Conditional Access policies can require MFA for specific users, apps, and locations.

Why this answer

Conditional Access is the correct feature because it lets administrators define policies that enforce MFA under specific conditions, such as network location and the sensitivity of the target app. A policy that targets the sensitive apps, sets the Locations condition to 'Any location' with the corporate network excluded as a trusted named location, and grants access only with multifactor authentication requires MFA precisely for sign-ins from outside the corporate network. This directly meets the requirement; Conditional Access is included in Entra ID Premium P1 and therefore also in P2, so no additional license is needed.

Exam trap

The trap here is that candidates often confuse Identity Protection's risk-based MFA triggers with Conditional Access's location-based MFA, assuming Identity Protection alone can enforce MFA for external access, but Identity Protection only suggests or triggers MFA via risk policies that require Conditional Access to actually enforce the block or MFA prompt.

How to eliminate wrong answers

Option B (Identity Protection) is wrong because it focuses on detecting and remediating identity risks (e.g., leaked credentials, sign-ins from anonymous IPs) and can trigger MFA via risk-based policies, but it does not natively enforce MFA based solely on network location; it requires integration with Conditional Access for enforcement. Option C (Privileged Identity Management) is wrong because it manages just-in-time privileged role activation and approval workflows, not general user access to cloud apps or MFA enforcement. Option D (Access Reviews) is wrong because it is used for periodic recertification of group memberships and application access, not for real-time authentication enforcement like MFA.

780
MCQhard

Refer to the exhibit. A custom Azure RBAC role is defined as shown. A user assigned this role is unable to delete blobs in a container. What is the most likely reason?

A.The role is scoped to the storage account but not to the container
B.The role does not include read permission on blobs
C.The role does not include any dataActions
D.The role does not include delete permission on blobs
AnswerD

Delete action is missing from dataActions.

Why this answer

Option D is correct because the custom role in the exhibit lists 'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete' under 'Actions'. Actions are control-plane permissions evaluated by Azure Resource Manager; deleting a blob is a data-plane operation handled by the Blob service, which only honours permissions listed under 'DataActions'. The same operation name, 'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete', must therefore appear under 'DataActions' (it is the data action that the built-in Storage Blob Data Contributor role carries). Without it the user lacks the data-plane permission, and the entry under 'Actions' grants nothing for blob deletion.

Exam trap

The trap here is that candidates see 'delete' in the Actions list and assume it covers blob deletion, missing the critical distinction between control plane and data plane permissions in Azure RBAC.

How to eliminate wrong answers

Option A is wrong because the scope of the role (storage account vs. container) does not affect the fundamental requirement for dataActions; the issue is the missing data action, not the scope. Option B is wrong because read permission on blobs (Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read) is not required to delete blobs; the delete operation only requires the delete data action. Option C is wrong because the role does include dataActions in the definition (as shown in the exhibit), but the specific delete data action is missing; the problem is not the absence of all dataActions.
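The control-plane versus data-plane split above can be checked mechanically. The following is an added example, not from the exam page and not Microsoft's authorization code: a small Azure RBAC permission check that evaluates Actions/NotActions and DataActions/NotDataActions separately, with the '*' wildcard semantics custom roles use, plus a lint that flags object-level storage operations placed under Actions. The two role definitions are an assumed reconstruction of the exhibit (which is not shown); the permission strings themselves are real Azure operation names. Deny assignments and scope matching are left out.

```python
"""Azure RBAC control-plane vs data-plane check for a blob delete.

Added example, not from the AZ-305 page. The roles are an assumed
reconstruction of the exhibit; the operation names are real Azure ones.
"""
import re

BLOB_READ = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
BLOB_DELETE = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete"
CONTAINER_READ = "Microsoft.Storage/storageAccounts/blobServices/containers/read"

# Assumed reconstruction of the exhibit: the blob delete operation sits under
# Actions (control plane) instead of DataActions (data plane).
BROKEN_ROLE = {
    "Name": "Blob Cleanup Operator (as in exhibit)",
    "Actions": ["Microsoft.Storage/storageAccounts/read", CONTAINER_READ, BLOB_DELETE],
    "NotActions": [],
    "DataActions": [BLOB_READ],
    "NotDataActions": [],
}

FIXED_ROLE = {
    "Name": "Blob Cleanup Operator (fixed)",
    "Actions": ["Microsoft.Storage/storageAccounts/read", CONTAINER_READ],
    "NotActions": [],
    "DataActions": [BLOB_READ, BLOB_DELETE],
    "NotDataActions": [],
}


def _matches(pattern, operation):
    """RBAC permission strings allow '*' anywhere; matching is case-insensitive."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def _granted(role, operation, allow_key, exclude_key):
    """Allowed if some entry in the allow list matches and no Not* entry excludes it."""
    allowed = any(_matches(p, operation) for p in role.get(allow_key, []))
    excluded = any(_matches(p, operation) for p in role.get(exclude_key, []))
    return allowed and not excluded


def can_perform(role, operation, plane):
    """plane is 'control' for an ARM request or 'data' for a request to the Blob
    service authorized with a Microsoft Entra token. The two lists never mix."""
    if plane == "control":
        return _granted(role, operation, "Actions", "NotActions")
    if plane == "data":
        return _granted(role, operation, "DataActions", "NotDataActions")
    raise ValueError(f"unknown plane {plane!r}")


def missing_data_actions(role, required):
    """Data operations a workload needs that the role does not grant."""
    return [op for op in required if not can_perform(role, op, "data")]


def misplaced_data_operations(role):
    """Heuristic lint for custom roles: storage operations that address individual
    blobs, files, messages or entities are data-plane and do nothing under Actions."""
    data_markers = ("/blobs/", "/fileshares/files/", "/queues/messages/", "/tables/entities/")
    return [p for p in role.get("Actions", []) if any(m in p.lower() for m in data_markers)]


if __name__ == "__main__":
    for role in (BROKEN_ROLE, FIXED_ROLE):
        print(role["Name"], "can delete blob:", can_perform(role, BLOB_DELETE, "data"))
    print("misplaced under Actions:", misplaced_data_operations(BROKEN_ROLE))
```

The broken role "has" the delete string, but only at the control plane, where no blob operation is ever evaluated; the fixed role grants it at the data plane, which is what the Blob service checks when the request carries a Microsoft Entra token.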

781
MCQmedium

A company runs a critical web application on Azure VMs in two availability zones. They need to ensure the application remains available during a regional outage with an RPO of 5 minutes and an RTO of 15 minutes. What should they implement?

A.Azure Backup
B.Azure Traffic Manager
C.Azure Site Recovery
D.Azure Front Door
AnswerC

Site Recovery provides replication with RPO as low as 5 minutes and supports RTO of 15 minutes.

Why this answer

Option C is correct because Azure Site Recovery replicates VMs continuously to a secondary Azure region, generating crash-consistent recovery points every few minutes (an RPO of 5 minutes is achievable), and a recovery plan brings the application up in the secondary region within minutes. Option D is wrong because Azure Front Door provides global HTTP(S) load balancing and caching but does not replicate VMs. Option A is wrong because Azure Backup takes scheduled snapshots, so its RPO is measured in hours (daily by default, hourly at best with an enhanced policy), far above 5 minutes.

Option B is wrong because Azure Traffic Manager only provides DNS-based traffic routing, not VM replication.

782
MCQmedium

Your company is migrating on-premises Active Directory to Microsoft Entra ID. You need to ensure that users can authenticate using their existing on-premises passwords and that password changes are synchronized immediately. The solution must minimize latency and avoid storing password hashes in the cloud. What should you implement?

A.Implement Microsoft Entra Pass-through Authentication
B.Implement password hash synchronization with password writeback
C.Create cloud-only user accounts in Microsoft Entra ID
D.Federate with Active Directory Federation Services (AD FS)
AnswerA

Pass-through Authentication validates the user's password against on-premises Active Directory at sign-in time, so the current password is always in effect and no password hash is ever stored in the cloud.

Why this answer

Option A is correct because Pass-through Authentication (PTA) forwards each sign-in's password to an on-premises authentication agent, which validates it against Active Directory. Because nothing is synchronized, a password change takes effect on the very next sign-in, and no password hashes are stored in Microsoft Entra ID, which is exactly what the scenario asks for. Password hash synchronization (Option B) would satisfy the 'existing password' requirement, but it does so by storing a hash of the on-premises hash in the cloud, which the scenario rules out, and it syncs changes on a two-minute cycle rather than immediately.

Note that password writeback works in the other direction (cloud-initiated resets written to on-premises AD); it does not speed up on-premises-to-cloud synchronization.

Exam trap

The trap here is that candidates pick password hash synchronization because 'sync' sounds like the answer to 'synchronized immediately', overlooking that it stores hashes in the cloud and that password writeback runs cloud-to-on-premises; with Pass-through Authentication nothing needs to be synchronized at all, because validation happens on-premises against the current password.

How to eliminate wrong answers

Option B is wrong because password hash synchronization stores password hashes in Microsoft Entra ID, which violates the requirement, and password writeback only carries cloud-initiated resets back to on-premises AD. Option C is wrong because cloud-only accounts do not use existing on-premises passwords; users would have to set new ones.

Option D is wrong because AD FS also validates passwords on-premises without storing hashes in the cloud, but it requires a federation farm and web application proxies, adding infrastructure, an extra hop on every sign-in, and operational complexity that Pass-through Authentication avoids.

783
Multi-Selecteasy

Which TWO of the following are benefits of using Azure Policy? (Choose two.)

Select 2 answers
A.Assess compliance of resources against defined policies
B.Enforce tagging conventions on resources
C.Manage access control for resources
D.Create new Azure resources based on a template
E.Automatically remediate non-compliant resources without manual intervention
AnswersA, B

Azure Policy provides compliance dashboard and evaluation.

Why this answer

Azure Policy enforces organizational standards and assesses compliance at scale. Option A (assess compliance) is its core feature: every resource in scope is evaluated and its state is shown on the compliance dashboard. Option B (enforce tagging conventions) is a common use, for example a policy that denies or modifies resources missing a required tag.

Option E is wrong because Azure Policy does not fix non-compliant resources on its own; only the 'modify' and 'deployIfNotExists' effects can remediate, and for existing resources that still requires a remediation task to be created. Option D is wrong because Azure Policy does not create resources from templates; that is the job of Azure Resource Manager or Bicep deployments. Option C is wrong because access control is handled by Azure RBAC, which is separate from Azure Policy.

784
MCQhard

A healthcare organization stores patient records in Azure Blob Storage with a hot access tier in the East US region. The compliance policy requires that data be recoverable within 1 hour in the event of a regional disaster. The data is updated every 10 minutes and must be recoverable to a consistent state within 15 minutes of failure. Which configuration should you implement?

A.Use object replication with a minimum RPO of 15 minutes and configure read-access in the secondary region
B.Use RA-GRS (read-access geo-redundant storage) and configure storage account failover
C.Use GRS (geo-redundant storage) with automated failover
D.Use GZRS (geo-zone-redundant storage) with customer-managed failover
AnswerA

Object replication meets RPO; read-access meets RTO.

Why this answer

Option A is correct because object replication asynchronously copies block blobs from the source account to a destination account in another region, which can be read at any time; with data changing every 10 minutes, replication typically completes well within the 15-minute window (object replication publishes no latency SLA, so monitor replication status), and the readable destination lets the application recover within the 1-hour RTO. Option B is wrong because RA-GRS geo-replication is also asynchronous with a typical RPO under 15 minutes but no SLA, and a storage account failover is customer-initiated, typically takes about an hour to complete, and loses any data not yet replicated. Option D is wrong because GZRS with customer-managed failover has the same failover duration problem.

Option C is wrong because geo-redundant storage (GRS) without read access gives no visibility into the secondary region until a failover completes, and 'automated failover' is not a storage account setting: failover is either initiated by the customer or, in a true regional loss, by Microsoft.

785
MCQmedium

A company runs a web application on Azure App Service with a backing Azure SQL Database in a single region. They need to ensure availability during an Azure region outage. The solution must automatically fail over the entire application stack with minimal data loss and redirect user traffic to the secondary region. Which combination of Azure services should they implement?

A.Azure Traffic Manager with active-passive and geo-replication for Azure SQL Database
B.Azure Front Door with active-active or active-passive routing and auto-failover groups for Azure SQL Database
C.Azure Application Gateway with backend pools in multiple regions and SQL Database failover groups
D.Azure Load Balancer with multiple regions and Azure SQL Database automatic failover
AnswerB

Azure Front Door provides global HTTP/HTTPS routing with health probes and automatic failover, and auto-failover groups for SQL Database provide geo-replication with automatic failover, meeting RPO and RTO requirements.

Why this answer

Azure Front Door provides global HTTP(S) load balancing with health probes and automatic failover between regions, and when combined with auto-failover groups for Azure SQL Database, it ensures the entire application stack (web + database) fails over together with minimal data loss. The auto-failover group keeps the secondary database in the other region current through asynchronous geo-replication and, with an automatic failover policy, promotes it after a configurable grace period that trades data loss against availability, while the group's listener endpoints keep the application's connection string unchanged. This matches the requirement for automatic, coordinated failover of the full stack and traffic redirection.

Exam trap

The trap here is that candidates often confuse Azure Traffic Manager (DNS-level, no application health awareness) with Azure Front Door (HTTP/S-level, health-probe driven), and they overlook that auto-failover groups are required for SQL Database to achieve coordinated, automatic failover with minimal data loss, rather than relying on geo-replication alone.

How to eliminate wrong answers

Option A is wrong because Azure Traffic Manager operates at the DNS level: its endpoint monitoring can detect a failed region, but clients keep cached DNS answers until the TTL expires, it never sees individual HTTP requests, and geo-replication for SQL Database alone does not fail over automatically (a secondary must be promoted manually or by script). Option C is wrong because Azure Application Gateway is a regional load balancer and cannot route traffic across multiple regions for global failover; it is designed for layer-7 traffic within a single region. Option D is wrong because Azure Load Balancer is a regional, layer-4 load balancer that cannot distribute traffic across multiple regions or provide global failover, and 'automatic failover' for SQL Database without a failover group does not exist as a cross-region capability; only auto-failover groups provide policy-driven failover to a secondary region.

786
MCQmedium

A company deploys a web application on Azure virtual machines (VMs) across multiple availability zones in the East US region. The application receives HTTPS traffic. They need to distribute incoming traffic across the VMs, offload SSL/TLS termination, and ensure that client requests from the same user session are always sent to the same backend VM (session persistence). Which Azure load balancing solution should they choose?

A.Azure Load Balancer
B.Azure Application Gateway
C.Azure Traffic Manager
D.Azure Front Door
AnswerB

Application Gateway is a layer-7 load balancer that provides SSL termination, cookie-based session affinity, and URL-based routing. It can distribute HTTPS traffic across VMs in availability zones.

Why this answer

Azure Application Gateway is the correct choice because it is a Layer 7 load balancer that supports SSL/TLS termination, cookie-based session persistence (affinity), and can distribute HTTPS traffic across VMs in multiple availability zones. These features directly match all three requirements: SSL offloading, session persistence, and cross-zone traffic distribution.

Exam trap

The trap here is that candidates often confuse Azure Load Balancer (Layer 4) with Application Gateway (Layer 7), assuming any load balancer can handle SSL termination and session persistence, but only Layer 7 solutions like Application Gateway or Front Door provide cookie-based affinity and SSL offload.

How to eliminate wrong answers

Option A is wrong because Azure Load Balancer operates at Layer 4 (TCP/UDP) and does not support SSL/TLS termination or application-layer session persistence; it can only maintain session affinity using source IP hashing, which is not cookie-based and less reliable for HTTPS. Option C is wrong because Azure Traffic Manager is a DNS-based global traffic router that does not perform SSL termination or session persistence; it directs clients to regional endpoints based on DNS resolution, not per-request load balancing. Option D is wrong because Azure Front Door is a global Layer 7 service that supports SSL termination and session affinity, but it is designed for global distribution across regions, not for distributing traffic within a single region across availability zones; it adds unnecessary latency and complexity for a regional-only workload.

787
MCQ · hard

A company uses Microsoft Entra ID Privileged Identity Management (PIM) to control access to administrator roles. They want to implement a monitoring solution that sends an email to the security team whenever a user activates the Global Administrator role outside of standard business hours (9 AM–5 PM). They also need to track all activation history for quarterly audits. Which solution should they implement?

A.Configure PIM to send notifications for role activations and stream PIM audit logs to Azure Log Analytics, then create an alert rule for activations outside business hours
B.Use Microsoft Entra ID Identity Protection to detect risky activations and trigger a Logic App
C.Enable Microsoft Entra ID diagnostic settings to send logs to Event Hubs and process with Azure Stream Analytics
D.Use Azure Sentinel with a built-in connector for PIM and create a scheduled analytics rule
Answer: A

Correct. PIM activation notifications provide the baseline email, but the business-hours condition requires a Log Analytics alert rule over the PIM audit logs.

Why this answer

Option A is correct because PIM can be configured to send email notifications for role activations, and by streaming PIM audit logs to Azure Log Analytics, you can create alert rules that trigger when the Global Administrator role is activated outside business hours. This meets both the real-time email alert requirement and the long-term audit trail requirement, as Log Analytics retains logs for up to two years by default and supports custom queries for quarterly audits.

Exam trap

The trap here is that candidates may overcomplicate the solution by choosing a full SIEM like Azure Sentinel or a streaming pipeline like Event Hubs, when the simpler combination of PIM notifications and Log Analytics alerts fully satisfies both the real-time alert and audit requirements.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra ID Identity Protection is designed to detect risky sign-ins and user behavior, not to monitor PIM role activations or trigger alerts based on time-based conditions; it cannot send emails for out-of-hours activations. Option C is wrong because streaming logs to Event Hubs and processing with Azure Stream Analytics is an overengineered, real-time streaming solution that adds unnecessary complexity and cost; it does not natively provide the simple email alert or long-term audit storage that Log Analytics offers out of the box. Option D is wrong because Azure Sentinel is a full SIEM solution that requires significant setup, cost, and ongoing management; while it can monitor PIM activations, it is not the simplest or most cost-effective solution for this specific requirement, and the question does not mention a need for advanced threat detection or incident response.

788
MCQ · medium

A company runs a critical application on Azure VMs. They want to ensure high availability within a region using Azure Site Recovery. What is the correct configuration?

A.Configure Azure Site Recovery to replicate VMs to a paired region
B.Deploy VMs across multiple availability zones and use a load balancer
C.Use Azure Site Recovery to replicate VMs across availability sets
D.Configure Azure Site Recovery to replicate VMs to different availability zones within the same region
Answer: B

Availability zones provide intra-region high availability.

Why this answer

Option B is correct because Azure Site Recovery is designed for disaster recovery across regions, not within a region. For intra-region high availability, availability zones should be used. Option A is wrong because Site Recovery does not support intra-region replication to availability zones directly.

Option C is wrong because Site Recovery cannot replicate across availability sets. Option D is wrong because Site Recovery can replicate across zones but is not the best practice for intra-region HA.

789
MCQ · medium

A company runs a critical application on Azure VMs and an Azure SQL Managed Instance in a single region. They need a disaster recovery solution with a Recovery Point Objective (RPO) of 5 minutes for the database and a Recovery Time Objective (RTO) of 2 hours for the entire stack. They want to minimize cost and use native Azure services. Which combination should they implement?

A.Azure Site Recovery for VMs and active geo-replication for the database
B.Azure Backup for VMs and auto-failover groups for the database
C.Azure Site Recovery for VMs and auto-failover groups for the database
D.Deploy a second region with VMs and database replicas manually configured and Azure Traffic Manager
Answer: C

Azure Site Recovery replicates VMs to a secondary region with RPO of seconds to minutes and RTO of hours, and auto-failover groups provide geo-replication and automatic failover for Azure SQL Managed Instance with RPO of seconds.

Why this answer

Option C is correct because Azure Site Recovery (ASR) provides orchestrated replication and failover for Azure VMs, meeting the 2-hour RTO for the entire stack, while auto-failover groups for Azure SQL Managed Instance enable automatic, synchronous or asynchronous replication with an RPO as low as 5 minutes using the built-in distributed availability groups feature. This combination uses native Azure services without manual scripting, minimizing cost and complexity.

Exam trap

The trap here is confusing active geo-replication (which only applies to Azure SQL Database) with auto-failover groups (which are required for Azure SQL Managed Instance), leading candidates to incorrectly select Option A.

How to eliminate wrong answers

Option A is wrong because active geo-replication is not supported for Azure SQL Managed Instance; it is only available for Azure SQL Database (single or elastic pool), and Managed Instance requires auto-failover groups for geo-replication. Option B is wrong because Azure Backup for VMs is designed for backup and restore, not for continuous replication and rapid failover, so it cannot achieve a 2-hour RTO for the entire stack; it typically has RTOs measured in hours to days. Option D is wrong because manually configuring a second region with VMs and database replicas and using Azure Traffic Manager increases operational overhead and cost, and does not leverage native Azure DR services like ASR or auto-failover groups, violating the 'minimize cost and use native Azure services' requirement.

790
MCQ · medium

A company runs multiple on-premises workloads that are critical. They need a disaster recovery solution that can replicate workloads to Azure and enable failover in the event of an on-premises outage. The solution must support non-VMware and non-Hyper-V physical servers. Which Azure service should they use?

A.Azure Backup
B.Azure Site Recovery
C.Azure Migrate
D.Azure Disaster Recovery
Answer: B

Azure Site Recovery supports replication of physical servers (and virtual machines) to Azure. It provides failover and test failover capabilities for DR.

Why this answer

Azure Site Recovery (ASR) is the correct service because it provides orchestrated replication and failover for on-premises physical servers (including non-VMware, non-Hyper-V) to Azure. It supports physical-to-Azure (P2A) replication using the Mobility service installed on the source server, enabling automated failover during an outage. This directly meets the requirement for critical workload disaster recovery with failover capability.

Exam trap

The trap here is that candidates often confuse Azure Backup (data protection) with Azure Site Recovery (disaster recovery with failover), or assume that 'Azure Disaster Recovery' is a valid service name, when in fact the correct service is Azure Site Recovery.

How to eliminate wrong answers

Option A is wrong because Azure Backup is designed for backup and restore of data (files, folders, VMs, databases) to a Recovery Services vault, not for continuous replication and automated failover orchestration required for disaster recovery. Option C is wrong because Azure Migrate is a tool for assessing and migrating on-premises workloads to Azure, not for ongoing replication and failover after migration. Option D is wrong because 'Azure Disaster Recovery' is not a standalone Azure service; the correct service name is Azure Site Recovery, and this option is a distractor that does not exist as a named service.

791
MCQ · hard

A multinational organization is designing a Microsoft 365 deployment for 10,000 users. The organization requires that all users have a consistent experience and that desktop settings follow users across devices. The solution must also support offline access to files and automatic sync. Which Microsoft 365 service should the organization use?

A.Microsoft Entra ID
B.Microsoft Intune
C.Enterprise State Roaming
D.OneDrive for Business
Answer: D

OneDrive for Business provides file sync, offline access, and Known Folder Move which roams user folders, meeting the requirements.

Why this answer

Option A (Microsoft Entra ID) provides identity, not settings roaming. Option B (Microsoft Intune) manages devices and can enforce configuration policies, but it pushes policies to devices rather than roaming a user's settings. Option C (Enterprise State Roaming) roams Windows settings and application data across devices, but it does not sync files or provide offline file access. Option D (OneDrive for Business) provides file sync, offline access, and Known Folder Move, which follows the user's Desktop, Documents and Pictures folders across devices, but it does not roam Windows settings such as wallpaper or taskbar layout.

No single option satisfies both settings roaming and file sync; the complete solution would be Enterprise State Roaming combined with OneDrive for Business, so as a single-choice item the question is arguably flawed. Because the stem explicitly requires offline access to files and automatic sync, which only OneDrive provides, and Known Folder Move carries the user's folders across devices, Option D is the best available single answer, with true settings roaming handled separately.

792
Multi-Select · hard

Which THREE of the following are requirements for using Azure SQL Database auto-failover groups? (Select three.)

Select 3 answers
A.Both servers must be in the same Azure region.
B.The primary and secondary servers must be in different Azure regions.
C.The secondary server must have the same logical server name.
D.The databases must be in different elastic pools.
E.The databases must use the same service tier.
Answers: B, C, E

Auto-failover groups are designed for cross-region disaster recovery.

Why this answer

Azure SQL Database auto-failover groups require the primary and secondary servers to be in different Azure regions to support geo-replication and disaster recovery. This ensures that if a regional outage occurs, the secondary server can take over, maintaining business continuity. The secondary server must have the same logical server name to allow applications to connect using the same listener endpoint after failover.

Additionally, all databases in the failover group must use the same service tier to ensure consistent performance and capacity during failover.

Exam trap

The trap here is that candidates often assume the secondary server must have a different logical server name, but in fact the listener endpoint uses the same server name, and the secondary server's actual name can be different; the requirement is that the logical server name used for the failover group must be the same on both sides.

793
MCQ · medium

Refer to the exhibit. You are reviewing the output of an Azure Key Vault secret listing command. The application team reports that a secret is not accessible. What is the most likely reason?

A.The secret is tagged as production but the application is in development
B.The secret has expired
C.The Key Vault is in a soft-deleted state
D.The secret is disabled
Answer: B

The exp attribute indicates expiration, and if past, the secret is invalid.

Why this answer

The secret listing output shows an 'expires' field with a date in the past, indicating the secret has expired. Azure Key Vault enforces expiration by preventing access to secrets whose expiration date has passed, returning a 403 Forbidden error. This is the most likely reason the application cannot access the secret.

Exam trap

The trap here is that candidates may overlook the 'expires' field in the output and instead focus on tags or assume a disabled state, but Azure Key Vault explicitly blocks access to expired secrets regardless of other settings.

How to eliminate wrong answers

Option A is wrong because tags are metadata labels and do not enforce access control; Azure RBAC or access policies govern access, not tags. Option C is wrong because a soft-deleted Key Vault would not appear in the listing output at all, or would show a 'recovery level' indicating soft-delete; the output shows the vault is active. Option D is wrong because a disabled secret would show an 'enabled' field set to 'false' in the listing output, but the exhibit does not show that field; the presence of an expiration date in the past is the clear indicator.

794
MCQ · hard

Your organization has a hybrid identity solution using Microsoft Entra ID (formerly Azure AD) and on-premises Active Directory. You need to design a solution that allows users to use their on-premises credentials to authenticate to cloud applications, but you want to avoid synchronizing password hashes to the cloud. Which authentication method should you choose?

A.Seamless Single Sign-On
B.Pass-through Authentication
C.Active Directory Federation Services (AD FS)
D.Password Hash Synchronization
Answer: B

Pass-through Authentication validates passwords on-premises without storing hashes in the cloud.

Why this answer

Pass-through Authentication allows users to sign in using their on-premises password without synchronizing password hashes to Microsoft Entra ID. Option D (Password Hash Synchronization) requires hash sync. Option C (Federation with AD FS) requires federation infrastructure.

Option A (Seamless Single Sign-On) is a feature that works alongside the other methods rather than an authentication method in itself.

795
MCQ · hard

A company has multiple Azure subscriptions and wants to enforce consistent network policies across all VNets. They need to ensure that all traffic going out to the internet is inspected by a central firewall. The solution must be scalable and support multiple regions. What should they implement?

A.Use Azure Virtual WAN with a secured hub and Azure Firewall Manager
B.Deploy Azure Firewall in each subscription and route traffic through it
C.Use Azure Policy to enforce route tables on each VNet
D.Create VNet peering and use a network virtual appliance in one subscription
Answer: A

Virtual WAN provides centralized routing and inspection across regions.

Why this answer

Option A is correct because Azure Virtual WAN with a secured hub using Azure Firewall Manager provides centralized internet inspection for multiple regions. Option B is incorrect because an Azure Firewall deployed in a single VNet per subscription does not scale across subscriptions without Virtual WAN. Option C is incorrect because Azure Policy enforces rules but does not inspect traffic.

Option D is incorrect because VNet peering does not centralize traffic inspection.

796
MCQ · hard

A company is designing a hub-spoke network topology in Azure. The hub contains a third-party network virtual appliance (NVA) for inspection. Spokes need to communicate with each other, and all inter-spoke traffic must be routed through the NVA in the hub. Which configuration should they use?

A.Set route tables on spoke subnets with a 0.0.0.0/0 route to the Internet
B.Configure Azure Firewall in the hub with forced tunneling to on-premises
C.Create user-defined routes (UDRs) in each spoke subnet that force traffic to go through the hub NVA
D.Use VNet peering with gateway transit enabled
Answer: C

Correct. UDRs allow precise control of traffic routing; adding a route for the spoke address spaces with next hop as the NVA IP enforces inspection.

Why this answer

Option C is correct because user-defined routes (UDRs) allow you to explicitly override Azure's default system routes. By adding a route in each spoke subnet with the hub NVA's private IP as the next hop for inter-spoke traffic (e.g., 10.1.0.0/16 -> 10.0.0.4), all traffic between spokes is forced through the NVA for inspection. This ensures the hub-spoke topology meets the requirement without relying on Azure Firewall or Internet routing.

Exam trap

The trap here is that candidates often confuse VNet peering's built-in transitive routing (which is disabled by default) with the ability to force traffic through an NVA, mistakenly thinking peering alone or gateway transit can achieve the required inspection without explicit UDRs.

How to eliminate wrong answers

Option A is wrong because a 0.0.0.0/0 route to the Internet would send all outbound traffic to the Internet, not through the hub NVA, and would not route inter-spoke traffic correctly. Option B is wrong because Azure Firewall with forced tunneling to on-premises would route traffic to on-premises, not through the hub NVA, and does not satisfy the requirement for inter-spoke inspection within Azure. Option D is wrong because VNet peering with gateway transit enables spokes to use a VPN gateway in the hub, but it does not force inter-spoke traffic through an NVA; it only provides transitive routing via the gateway, not custom inspection.

797
MCQ · medium

A company has Microsoft Entra ID Premium P2 licenses and wants to ensure that privileged roles (e.g., Global Administrator) are only activated when needed and with approval. They also need to regularly review who has access to these roles. Which combination of features should they use?

A.Privileged Identity Management (PIM) and Microsoft Entra ID Access Reviews
B.Identity Protection and Conditional Access
C.Entitlement Management and Conditional Access
D.Microsoft Entra ID Access Reviews and Identity Protection
Answer: A

PIM enables time-bound, approved activation of privileged roles, and Access Reviews can be configured to recertify assignments regularly.

Why this answer

Privileged Identity Management (PIM) provides just-in-time (JIT) activation of privileged roles with approval workflows, meeting the requirement for activation only when needed and with approval. Microsoft Entra ID Access Reviews then enable recurring certification of role assignments, ensuring that access is regularly reviewed and stale or inappropriate assignments are removed. Together, they form the correct combination for managing and governing privileged roles.

Exam trap

The trap here is that candidates often confuse Identity Protection (risk-based detection) with PIM (role activation and governance), leading them to select options that include Identity Protection instead of PIM for privileged role management.

How to eliminate wrong answers

Option B is wrong because Identity Protection focuses on detecting and remediating identity-based risks (e.g., compromised credentials, sign-in anomalies) and Conditional Access enforces access policies based on signals; neither provides JIT activation with approval or recurring access reviews for privileged roles. Option C is wrong because Entitlement Management manages access packages and resource access for external users and groups, not specifically privileged role activation with approval; Conditional Access does not provide role activation or review capabilities. Option D is wrong because while Access Reviews are correct, Identity Protection does not offer JIT activation or approval workflows for privileged roles, leaving the core requirement unmet.

798
Multi-Select · easy

You are designing a network architecture for a three-tier application in Azure. The web tier must be accessible from the internet. The application tier must only accept traffic from the web tier. The database tier must only accept traffic from the application tier. Which TWO Azure services should you use to enforce these network rules? (Choose two.)

Select 2 answers
A.Azure Bastion
B.Network Security Groups (NSGs)
C.Azure Application Gateway
D.Azure Front Door
E.Azure Firewall
Answers: B, C

Restrict traffic between subnets.

Why this answer

Options B and C are correct. Azure Application Gateway provides web traffic routing and WAF for the internet-facing web tier. Network Security Groups (NSGs) allow inbound/outbound rules to restrict traffic between tiers.

Option E is wrong because Azure Firewall is a stateful firewall but not needed for simple tier isolation. Option A is wrong because Azure Bastion is for RDP/SSH access. Option D is wrong because Azure Front Door is for global load balancing.

799
MCQ · hard

You need to design a data storage solution for a high-throughput event processing pipeline. The solution must ingest millions of events per second, support exactly-once processing semantics, and allow replay of events from the past 7 days. Which Azure service should you use as the event ingestion store?

A.Azure Service Bus
B.Azure IoT Hub
C.Azure Queue Storage
D.Azure Event Hubs
Answer: D

Event Hubs supports high-throughput ingestion, exactly-once processing, and event replay via Capture.

Why this answer

Azure Event Hubs is the correct choice because it is a big data streaming platform and event ingestion service designed for high-throughput scenarios, capable of ingesting millions of events per second. It supports exactly-once processing semantics through checkpointing and offset management, and it provides event retention for up to 7 days by default (configurable up to 90 days), enabling event replay. This makes it ideal for a high-throughput event processing pipeline that requires reliable ingestion and replay capabilities.

Exam trap

The trap here is that candidates often confuse Azure Event Hubs with Azure Service Bus, assuming both are interchangeable for messaging, but Event Hubs is optimized for massive-scale event ingestion and replay, while Service Bus is for reliable message delivery with lower throughput and transactional support.

How to eliminate wrong answers

Option A is wrong because Azure Service Bus is a message broker optimized for enterprise messaging with lower throughput (up to 20,000 messages per second per namespace) and does not natively support event replay for 7 days; it is designed for decoupled applications, not high-throughput event ingestion. Option B is wrong because Azure IoT Hub is specifically built for IoT device-to-cloud communication, with a maximum throughput of 6,000 events per second per unit, and while it supports device telemetry ingestion, it is not designed for the scale of millions of events per second or general-purpose event replay. Option C is wrong because Azure Queue Storage is a simple message queue with a maximum throughput of 20,000 messages per second per storage account and does not support exactly-once processing semantics or event replay; it is intended for asynchronous task processing, not high-throughput event streaming.

800
Multi-Select · hard

A company plans to migrate its on-premises Oracle database to Azure. The database is currently 2 TB and experiences high write throughput. The solution must support:
- ACID transactions
- Automatic failover to a secondary region
- Minimal downtime during maintenance
Which three Azure services should the company include in the solution? (Choose three.)

Select 3 answers
A.Azure SQL Database Managed Instance
B.Azure SQL Database zone-redundant configuration
C.Azure Cosmos DB with SQL API
D.Azure Database for PostgreSQL - Hyperscale (Citus)
E.Azure SQL Database active geo-replication
Answers: A, B, E

Supports ACID transactions and has Oracle migration tools.

Why this answer

Option A is correct because Azure SQL Database Managed Instance supports native Oracle migration and ACID transactions. Option E is correct because active geo-replication provides automatic failover to a secondary region. Option B is correct because Azure SQL Database zone-redundant configuration ensures high availability within a region.

Option C is wrong because Azure Cosmos DB is NoSQL and not ACID for multi-document transactions. Option D is wrong because Azure Database for PostgreSQL is not optimized for Oracle migration.

801
MCQ · medium

A company runs a global e-commerce application that stores customer order data. The data must be highly available and durable. The application requires strong consistency for all reads and writes. The company needs to store relational data (orders, customers) and handle complex queries with joins. They want a fully managed database service that supports active geo-replication for disaster recovery across two Azure regions with automatic failover. Which Azure database service should they choose?

A.Azure SQL Database with active geo-replication
B.Azure Cosmos DB with multiple write regions and strong consistency
C.Azure Database for MySQL with read replicas
D.Azure SQL Managed Instance with failover groups
Answer: A

Active geo-replication provides automatic failover to a readable secondary region, with strong consistency for relational workloads.

Why this answer

Azure SQL Database with active geo-replication is the correct choice because it provides a fully managed relational database service that supports strong consistency, complex queries with joins, and active geo-replication across two Azure regions with automatic failover for disaster recovery. Active geo-replication creates readable secondary replicas in a paired region, and the application can manually or programmatically initiate failover to ensure high availability and durability while maintaining transactional consistency.

Exam trap

The trap here is that candidates often confuse Azure SQL Database active geo-replication with Azure SQL Managed Instance failover groups, but the key differentiator is that active geo-replication supports automatic failover only when configured with a failover group, while Managed Instance failover groups are designed for instance-level migration and have different RPO/RTO characteristics and licensing requirements.

How to eliminate wrong answers

Option B is wrong because Azure Cosmos DB with multiple write regions and strong consistency is a NoSQL database that does not support relational data with complex joins and SQL-based queries natively, and its strong consistency mode limits availability and throughput in a multi-region write scenario. Option C is wrong because Azure Database for MySQL with read replicas does not support active geo-replication with automatic failover; read replicas are asynchronous and require manual promotion for failover, and the service does not provide the same level of geo-replication and automatic failover as Azure SQL Database. Option D is wrong because Azure SQL Managed Instance with failover groups supports geo-replication but is designed for lift-and-shift scenarios with full SQL Server compatibility, and its failover groups require a manual or automatic failover policy that is not as seamless as active geo-replication for a global e-commerce application needing automatic failover across two regions.

802
MCQ · easy

A company deploys a web application on Azure VMs within a single region. They need to distribute incoming HTTP traffic across multiple VMs, offload SSL encryption, and maintain session persistence (sticky sessions) for user sessions. Which Azure load balancing solution should they use?

A.Azure Load Balancer
B.Azure Application Gateway
C.Azure Traffic Manager
D.Azure Front Door
Answer: B

Correct. Application Gateway is a Layer 7 load balancer that offloads SSL, supports sticky sessions, and distributes HTTP traffic.

Why this answer

Azure Application Gateway is the correct choice because it is a Layer 7 load balancer that can route HTTP/HTTPS traffic, offload SSL/TLS encryption, and support session affinity (sticky sessions) using cookies. Unlike a Layer 4 load balancer, it can inspect application-layer data, making it ideal for web applications requiring SSL termination and persistent user sessions.

Exam trap

The trap here is that candidates often confuse Azure Load Balancer (Layer 4) with Application Gateway (Layer 7), assuming all load balancers support SSL offloading and sticky sessions, but only Layer 7 solutions like Application Gateway or Front Door provide these application-layer features.

How to eliminate wrong answers

Option A is wrong because Azure Load Balancer operates at Layer 4 (TCP/UDP) and cannot offload SSL encryption or maintain HTTP-based sticky sessions; it only distributes traffic based on IP and port. Option C is wrong because Azure Traffic Manager is a DNS-based global traffic router that does not handle SSL offloading or session persistence at the application layer; it directs clients to endpoints based on DNS resolution. Option D is wrong because Azure Front Door is a global Layer 7 service designed for multi-region distribution and acceleration, not for intra-region load balancing with SSL offloading and sticky sessions within a single region; it adds unnecessary complexity and cost for a single-region scenario.

803
MCQ · hard

Your organization has a hybrid identity infrastructure using Microsoft Entra ID (formerly Azure AD) and Active Directory Domain Services (AD DS) on-premises. You plan to deploy a critical application on Azure VMs that must remain available even if the on-premises network connection fails. The application authenticates users via on-premises AD DS. You need to design an identity disaster recovery solution that works during a network outage. What should you implement?

A.Create a site-to-site VPN connection with a secondary on-premises data center.
B.Configure Azure AD Connect with password hash synchronization and enable seamless single sign-on.
C.Deploy Microsoft Entra Domain Services and join the Azure VMs to the managed domain.
D.Use Azure AD Application Proxy to publish the application and authenticate via Azure AD.
Answer: C

Entra Domain Services provides AD DS in the cloud, accessible even if on-premises is down.

Why this answer

Option C is correct because deploying Microsoft Entra Domain Services in Azure provides managed domain services independent of on-premises connectivity. The application can authenticate against Entra Domain Services. Option B (Azure AD Connect with password hash synchronization) does not provide AD DS authentication for the application if on-premises is unreachable.

Option A (site-to-site VPN to a secondary data center) does not help if the on-premises network is down. Option D (Azure AD Application Proxy) is for remote access, not authentication.

804
MCQmedium

A company has an on-premises application running on physical servers with various operating systems. They want to use Azure as a disaster recovery site with an RPO of less than 1 hour and an RTO of less than 4 hours. They need to replicate the servers to Azure and support failover and failback. Which Azure service should they use?

A.Azure Site Recovery
B.Azure Backup (MARS agent)
C.Azure Migrate
D.Azure File Sync
AnswerA

ASR provides continuous replication for physical servers to Azure, enabling failover and failback with RPO as low as 30 seconds and RTO in hours, meeting the requirements.

Why this answer

Azure Site Recovery (ASR) orchestrates replication, failover, and failback for physical servers and VMs to Azure, meeting the RPO of <1 hour and RTO of <4 hours. It supports heterogeneous operating systems on physical servers and provides continuous replication with recovery points as low as 30 seconds, enabling both planned and unplanned failover with full failback capability.

Exam trap

The trap here is that candidates confuse Azure Backup (which provides long-term archival backups) with Azure Site Recovery (which provides near-continuous replication and orchestrated failover), failing to recognize that the RPO and RTO requirements demand a replication-based DR solution, not a backup service.

How to eliminate wrong answers

Option B (Azure Backup with MARS agent) is wrong because it is designed for file/folder and system state backup with a minimum RPO of 1 day (daily backup), not sub-hourly replication, and it does not support orchestrated failover or failback of entire servers. Option C (Azure Migrate) is wrong because it is a discovery, assessment, and migration tool, not a disaster recovery service; it does not provide ongoing replication or failover/failback capabilities. Option D (Azure File Sync) is wrong because it only syncs file shares between on-premises and Azure, not entire server workloads, and lacks failover/failback orchestration for disaster recovery.

805
MCQmedium

Your company runs an on-premises application that needs to be failed over to Azure in the event of a disaster. The application uses a SQL Server database and requires an RPO of 15 minutes and an RTO of 1 hour. You plan to use Azure Site Recovery (ASR) for the VMs and Azure SQL Database for the database. Which combination of actions should you take?

A.Use ASR with 5-minute replication and configure SQL Server Log Shipping to an Azure VM.
B.Use ASR with 30-minute replication frequency and backup the SQL Server database every 15 minutes.
C.Use ASR with 15-minute replication for the VMs and configure a failover group for Azure SQL Database with active geo-replication.
D.Use ASR with 15-minute replication and restore the SQL Server database from backup.
AnswerC

ASR provides VM replication; failover group provides database failover within RTO.

Why this answer

Option C (ASR for the VMs with 15-minute replication and an Azure SQL Database failover group) meets both the RPO and the RTO. Option B (30-minute replication) has a longer RPO than the 15 minutes required. Option D (manual restore from backup) does not meet the RTO.

Option A (Log Shipping) is not native to Azure SQL Database.

806
MCQeasy

A company is designing a virtual network architecture for a three-tier application (web, application, database). They want network isolation between tiers and secure access from the internet to the web tier only. Which Azure networking solution should they use?

A.Azure Virtual Network with subnets for each tier and Network Security Groups.
B.Azure Virtual Network with a single subnet and application security groups.
C.Azure Virtual Network with subnets and Azure Firewall.
D.Azure Virtual Network with subnets and a network virtual appliance (NVA).
AnswerA

This is the standard and most cost-effective approach. Subnets provide logical isolation, and NSGs enforce inbound/outbound rules. Internet traffic can be allowed only to the web subnet via a public IP and NSG rules.

Why this answer

Option A is correct because deploying each tier in its own subnet within an Azure Virtual Network and applying Network Security Groups (NSGs) allows granular inbound/outbound rule enforcement. NSGs can restrict traffic so that only the web tier is reachable from the internet (via a public IP or Azure Load Balancer), while the application and database tiers are isolated from direct internet access and can only communicate with the adjacent tier as defined by NSG rules.

Exam trap

The trap here is that candidates often over-engineer the solution by choosing Azure Firewall or an NVA for basic isolation, not realizing that NSGs with subnets are the native, cost-effective, and fully supported method for network segmentation within a single Azure VNet.

How to eliminate wrong answers

Option B is wrong because a single subnet with Application Security Groups (ASGs) still places all VMs in the same broadcast domain and does not provide network-level isolation between tiers; ASGs only group VMs logically for NSG rule application, but they do not prevent lateral traffic within the subnet without explicit NSG rules, and a single subnet cannot enforce separate routing or address spaces. Option C is wrong because Azure Firewall is a managed, stateful firewall service used for centralized inspection and logging across VNets or hybrid networks, but it is overkill and not the simplest solution for basic tier isolation within a single VNet; NSGs alone provide sufficient subnet-level filtering without the cost and complexity of a firewall. Option D is wrong because a Network Virtual Appliance (NVA) is typically used for advanced traffic inspection, routing, or security functions (e.g., third-party firewalls, WAN optimization) and is unnecessary for simple tier isolation; it adds operational overhead and cost when NSGs can achieve the same isolation with less complexity.

807
MCQmedium

A company runs a file server on an Azure VM in the East US region. They want to back up the file shares to Azure and be able to restore individual files if accidentally deleted. They also need to be able to restore the entire file share to a secondary region (West US) in case of a regional disaster. The solution should automatically protect the file shares and provide versioning for up to 30 days. Which Azure service and configuration should they recommend?

A.Configure Azure Backup on the Azure file share using a Recovery Services vault with geo-redundant storage (GRS). Enable cross-region restore on the vault.
B.Use Azure File Sync to sync the file share to an on-premises server, and then back up the on-premises server using Azure Backup.
C.Enable soft delete and versioning on the storage account, and configure replication to a secondary region using RA-GRS.
D.Create a scheduled Azure Automation runbook that takes snapshots of the file share every day and copy them to a storage account in West US.
AnswerA

Azure Backup for Azure Files provides daily backups, file-level restore, and versioning. With GRS and cross-region restore enabled, you can restore the entire share to the paired region.

Why this answer

Azure Backup for Azure file shares uses a Recovery Services vault and can be configured with geo-redundant storage (GRS) to replicate backup data to a paired secondary region. Enabling cross-region restore on the vault allows restoring the entire file share to the secondary region (West US) during a regional disaster. Azure Backup automatically protects the file share with scheduled backups and provides up to 30 days of retention for point-in-time restores of individual files or the entire share.

Exam trap

The trap here is that candidates often confuse storage account replication (RA-GRS) with backup and restore capabilities, thinking that replication alone provides disaster recovery restore functionality, but it does not support point-in-time file-level restore or cross-region restore of backups without Azure Backup's cross-region restore feature.

How to eliminate wrong answers

Option B is wrong because Azure File Sync is designed for hybrid sync and tiering, not for backup; it does not provide native cross-region disaster recovery or versioning for up to 30 days, and backing up an on-premises server adds unnecessary complexity and does not directly meet the requirement to restore to a secondary Azure region. Option C is wrong because soft delete and versioning on the storage account provide protection against accidental deletion and overwrites, but they do not offer a backup solution with scheduled backups, cross-region restore capability, or the ability to restore the entire file share to a secondary region in a disaster scenario; RA-GRS replication is for storage account data redundancy, not for backup restore. Option D is wrong because a scheduled Azure Automation runbook that takes snapshots and copies them to another region is a custom, non-native solution that lacks the automated backup scheduling, versioning, and cross-region restore capabilities provided by Azure Backup; it also introduces operational overhead and does not guarantee the 30-day versioning requirement.

808
MCQeasy

Your company uses Microsoft Entra ID and has recently deployed Microsoft Sentinel. You need to design a monitoring solution to detect brute-force attacks against user accounts. The solution should use built-in analytics rules where possible and must trigger an automated response to temporarily disable the affected account. What should you include in the design?

A.Use the built-in 'Brute force attack against an Entra ID account' analytics rule in Microsoft Sentinel and connect a playbook to disable the user.
B.Use Microsoft Entra Identity Protection to detect brute-force and configure a conditional access policy to block sign-ins.
C.Stream sign-in logs to Log Analytics and create a scheduled query that alerts on multiple failures, then manually disable accounts.
D.Create a custom KQL query in Microsoft Sentinel and configure an automation rule to disable the account.
AnswerA

Built-in rule and playbook provide automated detection and response.

Why this answer

Option A is correct because Microsoft Sentinel includes a built-in analytics rule specifically for detecting brute-force attacks against Microsoft Entra ID accounts. By connecting a playbook to this rule, you can automate the response to temporarily disable the affected user account, meeting the requirement for an automated response without custom development.

Exam trap

The trap here is that candidates may confuse Microsoft Entra Identity Protection's ability to block sign-ins with the requirement to disable the user account, or they may overlook the 'use built-in analytics rules where possible' constraint and opt for a custom KQL query.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra Identity Protection detects risk events like brute-force but uses Conditional Access policies to block sign-ins, not to disable user accounts; disabling accounts requires a different mechanism. Option C is wrong because it relies on manually disabling accounts, which does not meet the requirement for an automated response. Option D is wrong because it suggests creating a custom KQL query and automation rule, but the question specifies using built-in analytics rules where possible, making a custom query unnecessary and less efficient.

809
MCQeasy

A company wants to allow remote users to access an internal web application hosted on-premises without opening inbound firewall ports. They need seamless single sign-on (SSO) using Microsoft Entra ID credentials. Which Azure service should they use?

A.Microsoft Entra ID Application Proxy
B.Microsoft Entra ID B2C
C.Microsoft Entra ID Domain Services
D.Microsoft Entra ID Connect
AnswerA

Application Proxy acts as a reverse proxy that allows users to access on-premises apps from anywhere without opening inbound ports. It also supports Microsoft Entra ID SSO.

Why this answer

Microsoft Entra ID Application Proxy provides secure remote access to on-premises web applications without requiring inbound firewall ports. It works by establishing an outbound connection from the on-premises Application Proxy connector to the Entra ID service, then routing user traffic through that tunnel. It integrates with Entra ID for pre-authentication and supports seamless SSO using the user's existing Entra ID credentials via Kerberos constrained delegation (KCD) or header-based authentication.

Exam trap

The trap here is that candidates often confuse Microsoft Entra ID Application Proxy with a VPN or DirectAccess solution, but the key differentiator is that Application Proxy requires no inbound firewall rules and uses outbound-only connectivity, which is a common exam scenario for secure remote access.

How to eliminate wrong answers

Option B (Microsoft Entra ID B2C) is wrong because it is designed for customer-facing identity management with social or local accounts, not for providing secure remote access to internal on-premises applications. Option C (Microsoft Entra ID Domain Services) is wrong because it provides managed domain services (e.g., LDAP, Kerberos) for Azure VMs but does not offer a reverse proxy or remote access capability for on-premises apps. Option D (Microsoft Entra ID Connect) is wrong because it is a synchronization tool that syncs on-premises AD objects to Entra ID; it does not provide any application proxy or remote access functionality.

810
MCQmedium

You are designing a backup strategy for Azure VMs that host a file server. The backup must support daily backups with a retention of 30 days, and the ability to restore individual files quickly. The solution must minimize backup storage costs. What backup policy should you configure?

A.Use Azure Backup with daily backup, retention of 30 days, and use locally redundant storage (LRS) for backup data.
B.Use Azure Backup with daily backup, retention of 30 days, and enable instant restore snapshot for file-level recovery.
C.Use Azure Backup with daily backup, retention of 30 days, and use geo-redundant storage (GRS) for backup data.
D.Use Azure Backup with weekly backup, retention of 30 days, and use geo-redundant storage (GRS) for backup data.
AnswerA, B

LRS is cost-effective and meets the retention and file recovery needs.

Why this answer

Azure Backup with daily backups, 30-day retention, and instant restore snapshots allows quick file-level recovery, and locally redundant storage (LRS) is the lowest-cost redundancy option that still meets the requirements, so Options A and B together satisfy the policy. Option C is incorrect because geo-redundant storage (GRS) adds cost unnecessarily for this requirement when LRS is sufficient.

Option D is incorrect because weekly backups do not meet the daily backup requirement and limit the available recovery points, and GRS adds cost without benefit.

811
Multi-Selectmedium

Which TWO actions should you take to design a monitoring solution for a multi-tier application running on Azure VMs? (Select TWO.)

Select 2 answers
A.Deploy VM Insights on each VM
B.Configure Azure Monitor Agent to collect metrics and logs from each tier
C.Create a Log Analytics workspace and connect all VMs
D.Instrument the application with Application Insights
E.Enable Azure Monitor for VMs on all VMs
AnswersB, D

Collects infrastructure data from all VMs.

Why this answer

Option B is correct because Azure Monitor Agent is the modern, unified agent that collects metrics and logs from Azure VMs and sends them to Azure Monitor, Log Analytics workspaces, and other destinations. For a multi-tier application, collecting data from each tier is essential for end-to-end monitoring. Option D is correct because Application Insights provides application performance monitoring (APM) by instrumenting the application code itself, capturing telemetry like request rates, dependency calls, and exceptions, which is critical for understanding the behavior of a multi-tier application.

Exam trap

The trap here is that candidates confuse 'VM Insights' (a feature that provides visualizations and dependency mapping) with the underlying agent installation, or they think that creating a Log Analytics workspace is a primary monitoring action rather than a prerequisite, leading them to select options A, C, or E instead of the correct combination of agent-based collection and application instrumentation.

812
MCQmedium

A company runs a critical application on Azure virtual machines in the West US region. They need a disaster recovery solution that replicates VMs to East US with a recovery point objective (RPO) of 15 minutes and a recovery time objective (RTO) of 2 hours. They also need to perform non-disruptive disaster recovery drills. Which Azure service should they use?

A.Azure Backup
B.Azure Site Recovery
C.Azure Traffic Manager
D.Azure Front Door
AnswerB

Azure Site Recovery replicates VMs to a secondary region, supports flexible RPO (e.g., 15 minutes), and enables test failover for non-disruptive drills.

Why this answer

Azure Site Recovery (ASR) orchestrates replication, failover, and failback of Azure VMs between regions. It supports RPOs as low as 15 minutes (continuous replication with crash-consistent or app-consistent snapshots) and RTOs of 2 hours or less, and it enables non-disruptive disaster recovery drills via test failover that isolates replicated VMs in a separate virtual network without impacting production.

Exam trap

The trap here is that candidates confuse Azure Backup (which is for backup/restore with longer RPOs) with Azure Site Recovery (which is for replication and failover with low RPO/RTO), or they mistakenly think a traffic-routing service like Traffic Manager or Front Door can provide disaster recovery replication without actually moving or copying VM data.

How to eliminate wrong answers

Option A is wrong because Azure Backup is designed for long-term retention and point-in-time restore of VM data (typically with a minimum RPO of 1 hour for disk snapshots), not for continuous replication with sub-15-minute RPO or orchestrated failover with a 2-hour RTO; it also does not support non-disruptive drills. Option C is wrong because Azure Traffic Manager is a DNS-based traffic load balancer that routes incoming traffic to healthy endpoints, but it does not replicate VM data or provide any disaster recovery replication, RPO/RTO guarantees, or drill capabilities. Option D is wrong because Azure Front Door is a global application delivery network with HTTP/S load balancing and acceleration, but it does not handle VM-level replication, failover orchestration, or recovery point objectives; it only redirects traffic based on backend health.

813
MCQmedium

You are designing a backup strategy for Azure Files shares that contain critical data. The backup must support snapshot-based backups and allow restoration to a specific point in time. The solution must also protect against accidental deletion. What should you use?

A.Use Azure File Sync with cloud tiering.
B.Use Azure Storage account geo-redundant storage (GRS) with versioning.
C.Use Azure Backup for Azure Files with soft delete enabled.
D.Use Azure Backup for Azure Files without soft delete.
AnswerC

Azure Backup provides snapshot-based backups and point-in-time restore; soft delete protects against accidental deletion.

Why this answer

Azure Backup for Azure Files provides snapshot-based backups with point-in-time restore, and enabling soft delete protects against accidental deletion. Option B is incorrect because storage account replication (GRS) does not provide point-in-time restore. Option A is incorrect because Azure File Sync provides synchronization and tiering, not backup.

Option D is incorrect because it lacks soft delete.

814
MCQhard

A global company is deploying a microservices application on AKS clusters in multiple Azure regions. They need to provide a single endpoint for users worldwide with SSL offloading, web application firewall, and URL path-based routing to the nearest healthy AKS cluster. They also need global load balancing with automatic failover. Which Azure service should they use?

A.Azure Front Door
B.Azure Application Gateway
C.Azure Traffic Manager
D.Azure Load Balancer
AnswerA

Front Door provides global HTTP load balancing with SSL termination, WAF, and URL routing. It uses anycast to direct users to the nearest healthy endpoint, and supports path-based routing to different backends (AKS clusters).

Why this answer

Azure Front Door is the correct choice because it provides global HTTP/HTTPS load balancing with SSL offloading, web application firewall (WAF) integration, and URL path-based routing. It uses Anycast-based routing to direct users to the nearest healthy AKS cluster, ensuring low latency and automatic failover across regions.

Exam trap

The trap here is that candidates often confuse Azure Front Door with Azure Traffic Manager, but Traffic Manager only provides DNS-level routing without application-layer features like SSL offloading, WAF, or path-based routing.

How to eliminate wrong answers

Option B is wrong because Azure Application Gateway is a regional load balancer that operates within a single Azure region and cannot provide global load balancing or cross-region failover. Option C is wrong because Azure Traffic Manager is a DNS-based global traffic router that does not support SSL offloading, WAF, or URL path-based routing at the application layer. Option D is wrong because Azure Load Balancer is a Layer 4 (TCP/UDP) load balancer that operates regionally and lacks application-layer features like SSL termination, WAF, and path-based routing.

815
Multi-Selecteasy

Your company is designing a disaster recovery solution for a three-tier application hosted on Azure VMs. The solution must meet the following requirements:
- RPO: 1 hour
- RTO: 4 hours
- Automated failover to a secondary region
- Cost optimization is a priority

Which TWO actions should you include in the design?

Select 2 answers
A.Deploy an Azure Load Balancer in the secondary region with health probes to automatically route traffic after failover.
B.Use Azure Backup to take hourly backups of the VMs and restore them in the secondary region.
C.Configure a read-only replica of the application tier in the secondary region using Availability Zones.
D.Deploy Azure Front Door with a backend pool containing both primary and secondary regions.
E.Configure Azure Site Recovery replication for all application VMs from primary to secondary region.
AnswersA, E

Load balancer with health probes can redirect traffic to healthy backend VMs in the secondary region.

Why this answer

Options A and E are correct. Azure Site Recovery provides replication and automated failover for the VMs, meeting the RPO and RTO. An Azure Load Balancer with health probes in the secondary region allows traffic to be directed to the recovered VMs after failover.

Option B is wrong because Azure Backup is not designed for automated failover and has a higher RTO. Option C is wrong because read-only replicas are for read scaling, not failover. Option D is wrong because Azure Front Door is for global load balancing, not regional failover for VMs.

816
MCQhard

A multinational corporation needs to design a global DNS solution for Azure resources. They require automatic failover across Azure regions and low-latency responses based on the client's geographic location. The solution must also support custom domains without exposing the underlying Azure public IP addresses. Which combination of Azure services should they use?

A.Azure Traffic Manager with geographic routing and Azure Front Door
B.Azure Application Gateway with Azure Front Door
C.Azure DNS with Azure Traffic Manager
D.Azure Traffic Manager with priority routing and Azure Application Gateway
AnswerA

Traffic Manager provides global load balancing and Front Door provides custom domain and private endpoint support.

Why this answer

Azure Traffic Manager with geographic routing combined with Azure Front Door (with custom domain and private endpoint integration) provides the required functionality. Option C is wrong because Azure DNS does not provide traffic routing. Option B is wrong because Application Gateway is a regional service and does not provide global routing.

Option D is wrong because Traffic Manager alone does not support custom domains without exposing the underlying public IP addresses.

817
MCQmedium

Your organization uses Microsoft Sentinel for security monitoring. You need to create a rule that triggers an incident when a user from a specific IP address performs more than 10 failed sign-ins within an hour. Which rule type should you use?

A.Microsoft Security rule
B.Scheduled query rule
C.Anomaly detection rule
D.Fusion rule
AnswerB

Scheduled rules can aggregate events and alert on threshold.

Why this answer

A scheduled query rule is the correct choice because it allows you to define a custom KQL query that counts failed sign-in events from a specific IP address over a 1-hour window and triggers an incident when the count exceeds 10. This rule type is designed for user-defined detection logic based on log data, such as SigninLogs, and supports aggregation and threshold-based alerting.

Exam trap

The trap here is that candidates confuse scheduled query rules with anomaly detection rules, assuming any threshold-based alert is 'anomaly detection,' but anomaly detection requires baseline learning and cannot enforce a static numeric threshold like 10.

How to eliminate wrong answers

Option A is wrong because Microsoft Security rules are prebuilt templates from Microsoft security products (e.g., Microsoft Defender for Cloud) and cannot be customized to count specific IP addresses or set custom thresholds like 10 failed sign-ins per hour. Option C is wrong because anomaly detection rules use machine learning to identify unusual patterns in baseline behavior, not fixed thresholds on a specific IP address. Option D is wrong because Fusion rules correlate multiple low-fidelity alerts from different sources to detect advanced multi-stage attacks, not single-condition threshold-based triggers.

818
Multi-Selecteasy

A company is designing a storage solution for its backup data. The backups must be stored for 10 years for compliance reasons. The solution should minimize storage costs while ensuring data durability. Which two Azure services should the company consider? (Choose two.)

Select 2 answers
A.Azure Blob Storage Archive tier
B.Azure Files with snapshots
C.Azure NetApp Files with cross-region replication
D.Azure Disk Storage with incremental snapshots
E.Azure Backup with long-term retention policy
AnswersA, E

Lowest cost for rarely accessed data.

Why this answer

Azure Blob Storage Archive tier is correct because it provides the lowest-cost storage for data that is rarely accessed, with a 10-year retention period meeting compliance requirements. It offers 11 nines of durability (99.999999999%) by storing multiple copies across Azure regions, ensuring data integrity over the long term.

Exam trap

The trap here is that candidates often confuse Azure Backup with long-term retention (which is a service that manages backup lifecycle and can use Archive tier) with other Azure storage services that are not designed for cost-effective, long-term archival, such as Azure Files or Azure NetApp Files.

819
MCQmedium

Your company is expanding its Azure presence to a new region in Asia. You need to design a network connectivity solution between the on-premises data center in New York and the new Azure region in Singapore. The solution must provide high bandwidth, low latency, and high availability. The company already has an ExpressRoute circuit to the East US region. You want to use that circuit to extend connectivity to Singapore if possible. The budget allows for additional ExpressRoute circuits if needed. What should you recommend?

A.Set up a site-to-site VPN between the on-premises network and the Singapore region.
B.Use ExpressRoute Global Reach to connect the on-premises network to the Singapore region via the existing circuit.
C.Deploy Azure Front Door to route traffic between on-premises and Singapore.
D.Peer the East US VNet with the Singapore VNet and route traffic through the existing ExpressRoute.
AnswerB

Global Reach enables connectivity to any Azure region with low latency and high availability.

Why this answer

Option B is correct because ExpressRoute Global Reach allows you to connect your on-premises network to multiple Azure regions using the existing circuit, providing low latency and high bandwidth. Option A is wrong because a site-to-site VPN over the internet has variable latency and is less reliable. Option D is wrong because VNet peering connects VNets to each other; it does not connect on-premises to Azure.

Option C is wrong because Azure Front Door is a global load balancer, not a WAN connectivity solution.

820
MCQeasy

A company uses Microsoft Entra ID. They want to enable users to reset their own passwords without contacting the help desk. They also want to enforce multi-factor authentication (MFA) during the password reset process. Which Microsoft Entra ID feature should they enable?

A.Microsoft Entra ID Identity Protection
B.Microsoft Entra ID Privileged Identity Management (PIM)
C.Microsoft Entra ID Self-Service Password Reset (SSPR)
D.Microsoft Entra ID Conditional Access
AnswerC

SSPR enables users to reset their own passwords, and it can be integrated with MFA to verify identity during the reset process.

Why this answer

Option C is correct because Microsoft Entra ID Self-Service Password Reset (SSPR) enables users to reset their own passwords without help desk intervention. When combined with Microsoft Entra ID Conditional Access, SSPR can enforce multi-factor authentication (MFA) during the password reset process, meeting both requirements.

Exam trap

The trap here is that candidates often confuse Conditional Access as the sole solution for password reset, but Conditional Access only enforces policies on top of SSPR; without SSPR enabled, users cannot reset their own passwords at all.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID Identity Protection is a risk-based detection and remediation tool that identifies potential vulnerabilities and suspicious activities, but it does not directly enable self-service password reset or enforce MFA during password reset. Option B is wrong because Microsoft Entra ID Privileged Identity Management (PIM) manages just-in-time privileged access and role activation, not self-service password reset or MFA enforcement for end users. Option D is wrong because Microsoft Entra ID Conditional Access is a policy engine that enforces access controls (like MFA) based on conditions, but it does not provide the self-service password reset capability itself; it can only be used to secure the SSPR process.

821
Multi-Selectmedium

Your company plans to migrate a legacy on-premises application to Azure. The application has a monolithic architecture and requires low-latency access to a shared file system. You need to choose a migration strategy that minimizes changes to the application code. Which TWO options should you recommend? (Choose two.)

Select 2 answers
A.Use Azure Migrate to perform a lift-and-shift migration to Azure VMs
B.Refactor the application to run in Azure Kubernetes Service (AKS)
C.Migrate the file share to Azure Files
D.Migrate the file share to Azure NetApp Files
E.Rearchitect the application to use a microservices architecture
AnswersA, C

Lift-and-shift minimizes code changes by moving VMs as-is.

Why this answer

Options A and C are correct. Azure Migrate with a lift-and-shift migration moves the VMs as-is, minimizing code changes. Azure Files provides a managed file share that the application can access via SMB.

Option B is wrong because refactoring to containers requires code changes. Option D is wrong because Azure NetApp Files is also a file share but is more expensive and complex for this scenario. Option E is wrong because rearchitecting to microservices is a major change.

822
MCQmedium

A company deploys a web application on Azure VMs in an availability set. They need to expose the application to the internet with SSL termination and health probes. Additionally, they need to protect against DDoS attacks and common web vulnerabilities. Which Azure service should they use?

A.Azure Application Gateway with Web Application Firewall (WAF) and DDoS Protection
B.Azure Front Door with WAF and DDoS Protection
C.Azure Traffic Manager and Azure Load Balancer
D.Azure CDN with WAF
AnswerA

Application Gateway offers SSL termination, health probes, WAF, and can be combined with DDoS Protection.

Why this answer

Azure Application Gateway (WAF_v2 SKU) with WAF and DDoS Protection is the correct choice because it provides regional Layer 7 load balancing with TLS termination at the gateway, health probes that take unhealthy VMs out of rotation, and a WAF policy that, in Prevention mode, blocks common web attacks (the OWASP Core Rule Set covers injection, cross-site scripting and the rest of the OWASP Top 10). Azure DDoS Network Protection is enabled on the virtual network hosting the gateway and then covers the gateway's public IP against volumetric and protocol attacks. Together they meet every stated requirement: internet exposure, SSL offload, health monitoring, and protection at both the network and application layers.

Exam trap

The trap here is that candidates confuse Azure Front Door (a global edge service) with Application Gateway (a regional service that lives in your virtual network). The question describes VMs in an availability set, which is a single-region deployment, and asks for TLS termination and health probes at the gateway directly in front of those VMs; Application Gateway is the regional Layer 7 load balancer built for exactly that, whereas Front Door is designed to sit in front of regional entry points, typically across several regions.

How to eliminate wrong answers

Option B (Azure Front Door with WAF and DDoS Protection) is wrong because Azure Front Door is a global, anycast-based edge service for multi-region routing and HTTP(S) acceleration. It does terminate TLS and probe its origins, but it does so at Microsoft's edge rather than inside the region's virtual network, and it cannot be the ingress for VMs in an availability set unless they are already exposed through a public endpoint (or reached through Private Link on the Premium tier), which defeats the purpose of choosing it as the single gateway. Option C (Azure Traffic Manager and Azure Load Balancer) is wrong because Traffic Manager is a DNS-based traffic router that never sees the HTTP traffic, so it cannot terminate TLS or inspect requests, and Azure Load Balancer operates at Layer 4 without TLS termination or WAF inspection. Option D (Azure CDN with WAF) is wrong because Azure CDN is built for caching static content at the edge; it is not a regional ingress for dynamic traffic to VMs, does not probe the health of VMs in an availability set, and its WAF rules apply only at the CDN edge.
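The option A design written out as infrastructure code, added here as an example; it is not from the exam page or from a Microsoft sample. It assumes a user-assigned managed identity that already has "get" permission on a Key Vault certificate (passed in as identityId and certSecretId), and the resource names, address ranges, backend IPs and the /healthz path are placeholders.

```bicep
param location string = resourceGroup().location
param identityId string    // user-assigned identity with 'get' on the Key Vault certificate (assumed to exist)
param certSecretId string  // versionless Key Vault secret ID of the TLS certificate (assumed to exist)
param backendIps array = [ '10.0.1.4', '10.0.1.5' ]  // NICs of the VMs in the availability set (placeholders)

var appGwName = 'web-appgw'
var appGwId = resourceId('Microsoft.Network/applicationGateways', appGwName)

// DDoS Network Protection is attached at the virtual network, not at the gateway;
// it then covers every Standard public IP in that network, including the gateway frontend.
resource ddosPlan 'Microsoft.Network/ddosProtectionPlans@2023-05-01' = {
  name: 'web-ddos-plan'
  location: location
}

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'web-vnet'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] }
    enableDdosProtection: true
    ddosProtectionPlan: { id: ddosPlan.id }
    subnets: [
      { name: 'appgw-subnet', properties: { addressPrefix: '10.0.0.0/24' } }    // dedicated to the gateway
      { name: 'backend-subnet', properties: { addressPrefix: '10.0.1.0/24' } }  // the VM availability set
    ]
  }
}

resource pip 'Microsoft.Network/publicIPAddresses@2023-05-01' = {
  name: 'web-appgw-pip'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}

// OWASP Core Rule Set 3.2 in Prevention mode; Detection mode would only log the hits.
resource wafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2023-05-01' = {
  name: 'web-waf-policy'
  location: location
  properties: {
    policySettings: { state: 'Enabled', mode: 'Prevention', requestBodyCheck: true }
    managedRules: { managedRuleSets: [ { ruleSetType: 'OWASP', ruleSetVersion: '3.2' } ] }
  }
}

resource appGw 'Microsoft.Network/applicationGateways@2023-05-01' = {
  name: appGwName
  location: location
  identity: { type: 'UserAssigned', userAssignedIdentities: { '${identityId}': {} } }
  properties: {
    sku: { name: 'WAF_v2', tier: 'WAF_v2', capacity: 2 }
    firewallPolicy: { id: wafPolicy.id }
    gatewayIPConfigurations: [
      { name: 'gwip', properties: { subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, 'appgw-subnet') } } }
    ]
    frontendIPConfigurations: [ { name: 'feip', properties: { publicIPAddress: { id: pip.id } } } ]
    frontendPorts: [ { name: 'port443', properties: { port: 443 } } ]
    // TLS terminates here; the certificate is fetched from Key Vault by the identity above, so no PFX in the template.
    sslCertificates: [ { name: 'site-cert', properties: { keyVaultSecretId: certSecretId } } ]
    sslPolicy: { policyType: 'Predefined', policyName: 'AppGwSslPolicy20220101' }  // TLS 1.2 and newer only
    backendAddressPools: [
      { name: 'vm-pool', properties: { backendAddresses: [for ip in backendIps: { ipAddress: ip }] } }
    ]
    // Health probe: a VM leaves rotation after three failed GET /healthz checks (one every 30 s).
    probes: [
      { name: 'health', properties: { protocol: 'Http', path: '/healthz', interval: 30, timeout: 30, unhealthyThreshold: 3, pickHostNameFromBackendHttpSettings: true, match: { statusCodes: [ '200' ] } } }
    ]
    // Plain HTTP from the gateway to the VMs inside the VNet; switch to 'Https' if the VMs present their own certificates.
    backendHttpSettingsCollection: [
      { name: 'http80', properties: { port: 80, protocol: 'Http', cookieBasedAffinity: 'Disabled', requestTimeout: 30, pickHostNameFromBackendAddress: true, probe: { id: '${appGwId}/probes/health' } } }
    ]
    httpListeners: [
      { name: 'https-listener', properties: { frontendIPConfiguration: { id: '${appGwId}/frontendIPConfigurations/feip' }, frontendPort: { id: '${appGwId}/frontendPorts/port443' }, protocol: 'Https', sslCertificate: { id: '${appGwId}/sslCertificates/site-cert' } } }
    ]
    requestRoutingRules: [
      { name: 'https-to-vms', properties: { ruleType: 'Basic', priority: 100, httpListener: { id: '${appGwId}/httpListeners/https-listener' }, backendAddressPool: { id: '${appGwId}/backendAddressPools/vm-pool' }, backendHttpSettings: { id: '${appGwId}/backendHttpSettingsCollection/http80' } } }
    ]
  }
}
```

Two design points worth noting: the WAF policy is a separate resource attached through firewallPolicy, so it can be tuned (exclusions, custom rules) without redeploying the gateway; and DDoS protection is deliberately declared on the virtual network, because that is the only place it can be enabled, which is why the exam answer pairs it with Application Gateway rather than treating it as a gateway feature.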

823
MCQmedium

A company manages a fleet of millions of IoT devices that send telemetry data every minute. The data must be stored for 10 years to meet compliance requirements. For the first 30 days, data is accessed frequently for real-time dashboards and alerting. After 30 days, data is only accessed occasionally for historical analysis and reporting. The solution must be cost-effective and support high ingestion rates. Which Azure service should the company use to store and query this data?

A.Azure Blob Storage with Azure Data Lake Storage Gen2
B.Azure Data Explorer
C.Azure SQL Database
D.Azure Cosmos DB with SQL API
AnswerB

Azure Data Explorer is optimized for time-series data, supports high ingestion rates, and provides both real-time and historical querying with automatic data tiering for cost effectiveness.

Why this answer

Azure Data Explorer (ADX) is designed for high-ingestion, time-series telemetry data and supports real-time dashboards and alerting on fresh data, while also providing cost-effective long-term storage for historical queries. Its columnar storage and indexing enable fast analytics on billions of records, making it ideal for IoT scenarios with millions of devices sending data every minute and a 10-year retention requirement.

Exam trap

The trap here is that candidates often choose Azure Blob Storage or Cosmos DB because they associate them with 'storage' or 'IoT,' but they fail to recognize that Azure Data Explorer is the service purpose-built for high-velocity time-series analytics, with a hot cache for recent data, cheaper blob-backed storage for the rest, and native support for real-time alerting and long-term retention at scale.

How to eliminate wrong answers

Option A is wrong because Azure Blob Storage with Azure Data Lake Storage Gen2 is optimized for batch analytics and large file storage, not for real-time querying and alerting on high-velocity telemetry data; it lacks native time-series indexing and low-latency query capabilities. Option C is wrong because Azure SQL Database is a relational OLTP system that cannot cost-effectively handle the ingestion rate of millions of events per minute or the 10-year retention of massive telemetry volumes without significant performance degradation and high costs. Option D is wrong because Azure Cosmos DB with SQL API is a globally distributed NoSQL database designed for low-latency reads/writes on operational data, but it is not optimized for high-throughput time-series ingestion and analytical queries over long retention periods, and its cost would be prohibitive for storing billions of telemetry records for 10 years.
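What the hot/cold tiering in the explanation looks like in practice, as an added example that is not part of the page: Kusto management commands that give a telemetry table a 30-day hot cache and a 10-year retention period, followed by one dashboard query and one historical query. The database, the Telemetry table and its columns are assumed names; management commands (the lines starting with a dot) are run one at a time, separately from the queries.

```kusto
// Assumed schema for the device telemetry; columns are placeholders.
.create table Telemetry (DeviceId: string, Timestamp: datetime, Temperature: real, Battery: real)

// Retention: keep 3650 days (10 years) of data; extents older than that are soft-deleted automatically.
.alter-merge table Telemetry policy retention softdelete = 3650d recoverability = enabled

// Caching: only the last 30 days live on the cluster's local SSD (hot cache).
// Older data stays in the cheaper blob-backed storage and is read on demand, which is the cost lever.
.alter table Telemetry policy caching hot = 30d

// Ingestion batching for high-velocity telemetry: seal a batch after 30 s, 1000 items or 1 GB,
// whichever comes first, to keep latency low without creating tiny extents.
.alter table Telemetry policy ingestionbatching '{"MaximumBatchingTimeSpan":"00:00:30","MaximumNumberOfItems":1000,"MaximumRawDataSizeMB":1024}'

// Dashboard/alerting query: served entirely from the hot cache.
Telemetry
| where Timestamp > ago(1h)
| summarize avg(Temperature), min(Battery) by DeviceId, bin(Timestamp, 5m)

// Historical query: the time window is outside the 30-day hot cache, so the data is fetched from cold storage.
Telemetry
| where Timestamp between (datetime(2020-01-01) .. datetime(2020-01-31))
| summarize count() by bin(Timestamp, 1d)
```

The retention policy, not the caching policy, is what enforces the compliance requirement; the caching policy only decides what is fast. Querying beyond the hot window still works, it is just slower and costs storage transactions, which is the trade-off the question is asking for.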

824
MCQmedium

A multinational company uses Microsoft Entra ID for identity. They need to grant external partners access to specific SharePoint Online sites. The access must be time-limited and require approval from a resource owner. Which Microsoft Entra ID feature should they use?

A.Microsoft Entra ID Entitlement Management.
B.Microsoft Entra ID B2C.
C.Microsoft Entra ID Conditional Access.
D.Microsoft Entra ID Identity Protection.
AnswerA

Entitlement Management enables creation of access packages with approvals and time-limited access. It is designed for governing external user access to resources like SharePoint Online.

Why this answer

Microsoft Entra ID Entitlement Management (A) is the correct feature because it enables organizations to manage external partner access to resources like SharePoint Online sites through access packages. These access packages can enforce time-limited access and require approval from designated resource owners, directly meeting the scenario's requirements.

Exam trap

The trap here is that candidates may confuse Entitlement Management (which handles external user access governance) with B2C (which is for customer-facing apps) or Conditional Access (which is a security policy layer, not a provisioning workflow).

How to eliminate wrong answers

Option B is wrong because Microsoft Entra ID B2C (Business-to-Consumer) is designed for customer-facing identity management with social logins, not for granting external partners access to internal resources like SharePoint sites. Option C is wrong because Microsoft Entra ID Conditional Access enforces policies based on signals like location or device state, but it does not provide time-limited access or approval workflows for external partner access. Option D is wrong because Microsoft Entra ID Identity Protection focuses on detecting and remediating identity risks (e.g., leaked credentials), not on managing external user access with time limits and approvals.
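The two requirements in the question, approval by a resource owner and time-limited access, map to specific settings on an access package assignment policy. The request below is an added example, not from the page, using the Microsoft Graph v1.0 entitlement management API; the access package ID and the approver's object ID are placeholders, and the access package is assumed to already contain the SharePoint Online site as a resource role.

```http
POST https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/assignmentPolicies
Content-Type: application/json

{
  "displayName": "Partner access to project site - 90 days, owner approval",
  "description": "Users from connected partner organizations may request; the site owner approves; access expires after 90 days",
  "allowedTargetScope": "allConfiguredConnectedOrganizationUsers",
  "expiration": {
    "type": "afterDuration",
    "duration": "P90D"
  },
  "requestorSettings": {
    "enableTargetsToSelfAddAccess": true,
    "enableTargetsToSelfUpdateAccess": false,
    "enableTargetsToSelfRemoveAccess": true
  },
  "requestApprovalSettings": {
    "isApprovalRequiredForAdd": true,
    "isApprovalRequiredForUpdate": false,
    "stages": [
      {
        "durationBeforeAutomaticDenial": "P14D",
        "isApproverJustificationRequired": true,
        "isEscalationEnabled": false,
        "primaryApprovers": [
          { "@odata.type": "#microsoft.graph.singleUser", "userId": "<site-owner-object-id>" }
        ]
      }
    ]
  },
  "accessPackage": { "id": "<access-package-id>" }
}
```

The expiration block is what makes the access time-limited: when the 90 days elapse the assignment is removed and the guest's access to the site goes with it. To restrict requests to one named partner rather than all connected organizations, set allowedTargetScope to specificConnectedOrganizationUsers and list the organization under specificAllowedTargets.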

825
MCQeasy

You are designing a monitoring solution for Azure SQL Database. The requirement is to track query performance metrics such as CPU usage, data IO, and wait statistics over time. You need to identify performance bottlenecks and provide historical data for analysis. Which Azure service should you use?

A.Azure Monitor Metrics for Azure SQL Database
B.Azure SQL Analytics (preview) in Azure Monitor
C.Azure SQL Database Intelligent Insights
D.Query Performance Insight for Azure SQL Database
AnswerD

Query Performance Insight provides detailed query metrics and wait statistics.

Why this answer

Query Performance Insight for Azure SQL Database is the correct choice because it provides built-in analysis of top queries by CPU, data IO and duration, together with wait statistics, over a customizable time range. It is built on the Query Store that Azure SQL Database enables by default, which is where the historical query-level data comes from, so it directly meets the requirement to identify bottlenecks and review performance trends over time.

Exam trap

The trap here is that candidates often confuse Azure SQL Analytics (a broader monitoring solution) with Query Performance Insight (a focused query-level tool), or they assume Azure Monitor Metrics provides query-level details when it only offers aggregate resource metrics.

How to eliminate wrong answers

Option A is wrong because Azure Monitor Metrics for Azure SQL Database provides platform-level metrics (e.g., DTU/CPU percentage, storage) but does not offer per-query performance details like wait statistics or historical query-level analysis. Option B is wrong because Azure SQL Analytics (preview) in Azure Monitor is a broader monitoring solution that aggregates metrics and logs across multiple Azure SQL databases, but it does not provide the granular, query-specific historical performance data and wait statistics that Query Performance Insight offers. Option C is wrong because Azure SQL Database Intelligent Insights uses built-in intelligence to automatically detect and alert on performance issues, but it does not provide the detailed, customizable historical query performance metrics (CPU, IO, wait stats) that are needed for manual bottleneck analysis.
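Because Query Performance Insight is a view over Query Store, the same numbers can be pulled with T-SQL, which is useful when the portal's time range or top-N limits are too coarse. The queries below are an added example, not from the page; they assume Query Store is enabled (the Azure SQL Database default) and use only the sys.query_store_* catalog views.

```sql
-- Top 10 queries by total CPU over the last 24 hours (avg_* columns are per-execution microseconds).
SELECT TOP (10)
    q.query_id,
    qt.query_sql_text,
    SUM(rs.count_executions)                                   AS executions,
    SUM(rs.avg_cpu_time * rs.count_executions) / 1000.0        AS total_cpu_ms,
    SUM(rs.avg_duration * rs.count_executions) / 1000.0        AS total_duration_ms,
    SUM(rs.avg_logical_io_reads * rs.count_executions)         AS total_logical_reads
FROM sys.query_store_query AS q
JOIN sys.query_store_query_text AS qt
    ON qt.query_text_id = q.query_text_id
JOIN sys.query_store_plan AS p
    ON p.query_id = q.query_id
JOIN sys.query_store_runtime_stats AS rs
    ON rs.plan_id = p.plan_id
JOIN sys.query_store_runtime_stats_interval AS i
    ON i.runtime_stats_interval_id = rs.runtime_stats_interval_id
WHERE i.start_time >= DATEADD(hour, -24, SYSUTCDATETIME())
GROUP BY q.query_id, qt.query_sql_text
ORDER BY total_cpu_ms DESC;

-- Wait statistics per query over the same window; wait_category_desc is CPU, Lock, Buffer IO, Network IO, ...
SELECT TOP (10)
    p.query_id,
    ws.wait_category_desc,
    SUM(ws.total_query_wait_time_ms) AS total_wait_ms
FROM sys.query_store_wait_stats AS ws
JOIN sys.query_store_plan AS p
    ON p.plan_id = ws.plan_id
JOIN sys.query_store_runtime_stats_interval AS i
    ON i.runtime_stats_interval_id = ws.runtime_stats_interval_id
WHERE i.start_time >= DATEADD(hour, -24, SYSUTCDATETIME())
GROUP BY p.query_id, ws.wait_category_desc
ORDER BY total_wait_ms DESC;

-- Sanity check: Query Store switches itself to READ_ONLY when its storage fills up,
-- after which neither these views nor Query Performance Insight receive new data.
SELECT actual_state_desc, readonly_reason, current_storage_size_mb, max_storage_size_mb
FROM sys.database_query_store_options;
```

The last query is the check worth running first when Query Performance Insight shows a gap in its history: a non-zero readonly_reason means collection stopped, and raising max_storage_size_mb or lowering the retention period brings it back.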
