Microsoft Azure Solutions Architect Expert AZ-305 (AZ-305) — Questions 826-900

999 questions total · 14 pages · All types, answers revealed

826 (MCQ, easy)

A company needs to implement a hybrid identity solution that allows users to access both on-premises applications and Microsoft 365 using a single identity. The company has on-premises Active Directory Domain Services (AD DS). They want to synchronize identities to the cloud while also enabling password writeback for self-service password reset. Which Azure service should they use?

A. Microsoft Entra ID
B. Microsoft Entra Connect Health
C. Microsoft Entra Connect
D. Microsoft Entra Domain Services
Answer: C

Microsoft Entra Connect syncs identities and supports password writeback.

Why this answer

Option C is correct because Microsoft Entra Connect can synchronize identities and supports password writeback. Option B is incorrect because Microsoft Entra Connect Health is for monitoring. Option D is incorrect because Microsoft Entra Domain Services provides managed domain services.

Option A is incorrect because Microsoft Entra ID is the cloud identity service but does not sync directly.

827 (MCQ, hard)

Refer to the exhibit. You are a security administrator reviewing a custom Azure Policy assignment. The policy definition with ID 'abc123' is an initiative containing two policies: one that audits storage accounts with blob public access enabled and one that deploys a diagnostic setting for network security groups. The scope includes a production resource group. However, the compliance state shows 'Non-compliant' for several resources. What is the most likely reason for the non-compliance?

A. The scope is incorrectly targeting the resource group, missing the subscription.
B. The audit policy is preventing the creation of storage accounts with public access.
C. The enforcement mode is set to 'Default' which disables policy evaluation.
D. The diagnostic setting deployment policy requires a remediation task to bring non-compliant resources into compliance.
Answer: D

DeployIfNotExists policies need remediation tasks to apply the configuration; until then, resources remain non-compliant.

Why this answer

Option D is correct because the policy that deploys a diagnostic setting for network security groups is a 'DeployIfNotExists' (DINE) policy. DINE policies do not automatically remediate existing non-compliant resources; they require a remediation task to be created and run, which will deploy the diagnostic settings to bring the resources into compliance. The audit-only policy for storage accounts does not require remediation, but the DINE policy's non-compliance indicates that the diagnostic settings are missing and need to be deployed via a remediation task.

Exam trap

The trap here is that candidates often assume all policy effects (like 'DeployIfNotExists') automatically remediate non-compliant resources, but in reality, they only mark non-compliance and require a separate remediation task to deploy the required configuration.

How to eliminate wrong answers

Option A is wrong because the scope includes the production resource group, which is a valid scope for policy assignment; missing the subscription is not an issue as policies can be assigned at the management group, subscription, or resource group level. Option B is wrong because an audit policy only evaluates and reports compliance; it does not prevent creation or enforce any action, so it cannot be the reason for non-compliance. Option C is wrong because the 'Default' enforcement mode does not disable policy evaluation; it enables evaluation and enforcement, whereas 'Disabled' mode would disable evaluation.

828 (Multi-Select, hard)

Which THREE of the following are best practices for designing a business continuity solution using Azure Backup? (Choose three.)

Select 3 answers
A. Enable soft delete to protect backup data from accidental deletion
B. Configure a single backup policy for all resources to simplify management
C. Use geo-redundant storage (GRS) for the backup data to protect against regional disasters
D. Use separate Recovery Services vaults for different workloads or regions
E. Grant all users 'Backup Contributor' role to ensure backups are taken
Answers: A, C, D

Soft delete provides an additional layer of protection.

Why this answer

Options A, C, and D are correct. Enabling soft delete protects against accidental deletion (A). Using geo-redundant storage (GRS) for backup data provides cross-region protection (C).

Using a separate Recovery Services vault per workload or per region helps with isolation (D). Option B is wrong because backup policies should be based on RPO, not a fixed number of policies. Option E is wrong because RBAC should be used to restrict access, not grant everyone access.

829 (MCQ, medium)

A company is designing a data storage solution for a global e-commerce platform that requires low-latency access to product catalog data from multiple Azure regions. The data is read-heavy, with occasional updates. Which Azure data store should they recommend?

A. Azure Cache for Redis
B. Azure Blob Storage
C. Azure SQL Database
D. Azure Cosmos DB
Answer: D

Globally distributed, low-latency, multi-region reads.

Why this answer

Azure Cosmos DB is the correct choice because it provides globally distributed, multi-region writes with tunable consistency levels and single-digit-millisecond latency for read-heavy workloads. Its ability to replicate data across Azure regions and serve reads from the nearest region directly addresses the requirement for low-latency global access to product catalog data with occasional updates.

Exam trap

The trap here is that candidates often choose Azure Cache for Redis (Option A) because they associate low-latency with caching, but fail to recognize that the question requires a durable, globally distributed primary data store, not a cache layer that depends on an underlying database.

How to eliminate wrong answers

Option A is wrong because Azure Cache for Redis is an in-memory cache, not a durable primary data store; it would require an underlying persistent store and cannot serve as the authoritative source for product catalog data that needs occasional updates. Option B is wrong because Azure Blob Storage is optimized for unstructured blob data (images, videos, backups) and does not support low-latency, sub-second queries on structured product catalog data with indexing and consistency guarantees. Option C is wrong because Azure SQL Database is a relational database that, while supporting read replicas, does not natively provide multi-region, multi-master replication with automatic failover and tunable consistency for global low-latency reads; it requires complex manual configuration and has higher latency for cross-region access.

830 (Multi-Select, medium)

Which TWO Azure services can be used to implement a globally distributed database that supports multi-region writes and provides low-latency access to users worldwide? (Choose two.)

Select 2 answers
A. Azure Storage with geo-redundant storage (GRS).
B. Azure Cache for Redis with geo-replication.
C. Azure Cosmos DB with multi-master enabled.
D. Azure Database for PostgreSQL with geo-replication.
E. Azure SQL Database with active geo-replication and failover groups.
Answers: C, E

Supports multi-region writes.

Why this answer

Options C and E are correct. Azure Cosmos DB with multi-master supports multi-region writes. Azure SQL Database active geo-replication supports readable secondaries but not multi-region writes; however, with failover groups it can support writes only in one region at a time.

Option D is wrong because Azure Database for PostgreSQL does not natively support multi-region writes. Option B is wrong because Azure Cache for Redis is a cache, not a database. Option A is wrong because Azure Storage is not a database.

831 (MCQ, hard)

A large enterprise wants to enforce zero-trust conditional access policies that use real-time user risk, sign-in risk, and device compliance. Which combination of Microsoft Entra ID features should they use?

A. Microsoft Entra ID Identity Protection and Conditional Access
B. Microsoft Entra ID Privileged Identity Management and Access Reviews
C. Microsoft Entra ID B2B and External Identities
D. Microsoft Entra ID Domain Services and Managed Identities
Answer: A

Correct. Identity Protection detects risks like leaked credentials and unusual sign-ins, and Conditional Access uses these risks to enforce adaptive policies for a zero-trust model.

Why this answer

Microsoft Entra ID Identity Protection provides real-time risk detection for users and sign-ins, while Conditional Access policies can enforce access controls based on those risk signals and device compliance. Together, they enable zero-trust conditional access by blocking or requiring MFA when user or sign-in risk is high, and ensuring only compliant devices can access resources.

Exam trap

The trap here is that candidates confuse Privileged Identity Management (PIM) with risk-based conditional access, but PIM only manages role activation and does not evaluate user/sign-in risk or device compliance in real time.

How to eliminate wrong answers

Option B is wrong because Privileged Identity Management (PIM) and Access Reviews focus on just-in-time privileged role activation and periodic attestation, not on real-time user/sign-in risk or device compliance. Option C is wrong because B2B and External Identities are designed for guest user collaboration and identity federation, not for enforcing risk-based conditional access policies on internal users. Option D is wrong because Azure AD Domain Services provides managed domain services (like LDAP, Kerberos) for legacy apps, and Managed Identities are used for Azure resource authentication, neither of which offer risk detection or conditional access enforcement.

832 (MCQ, hard)

You are designing a solution for a financial application that requires strong consistency for read and write operations across multiple Azure regions. The solution must support active-active configuration and provide fractional millisecond latency for single-digit KB payloads. Which data service should you choose?

A. Azure SQL Database with failover groups
B. Azure Table Storage with geo-replication
C. Azure Cosmos DB with strong consistency
D. Azure Cache for Redis with geo-replication
Answer: C

Cosmos DB supports multi-region writes with strong consistency and low latency.

Why this answer

Azure Cosmos DB with strong consistency is the correct choice because it offers multi-region writes (active-active) with guaranteed strong consistency, ensuring that all read and write operations across regions see the most recent write. It also provides fractional millisecond latency for single-digit KB payloads, meeting the financial application's performance requirements.

Exam trap

The trap here is that candidates often confuse Azure SQL Database's failover groups with active-active capability, but failover groups are active-passive and cannot support simultaneous writes across regions, whereas Cosmos DB's multi-region writes with strong consistency are required for true active-active scenarios.

How to eliminate wrong answers

Option A is wrong because Azure SQL Database with failover groups supports only active-passive configurations (one primary, one readable secondary) and cannot provide active-active multi-region writes; failover groups also introduce latency during failover and do not guarantee fractional millisecond latency globally. Option B is wrong because Azure Table Storage with geo-replication offers only eventual consistency by default, not strong consistency, and its read/write latency is higher than fractional milliseconds for multi-region scenarios. Option D is wrong because Azure Cache for Redis with geo-replication is an in-memory cache, not a durable data store, and its geo-replication is asynchronous, meaning it cannot guarantee strong consistency across regions; it also lacks native support for active-active writes.

833 (MCQ, medium)

A company runs a critical application on Azure VMs. They want to back up the VMs using Azure Backup. The retention requirements are: daily backups for 35 days, weekly backups for 52 weeks, and yearly backups for 10 years. Which backup policy should they create?

A. Create a custom backup policy with a daily backup schedule and retention rules for daily (35), weekly (52), and yearly (10 years)
B. Use the default backup policy provided by Azure Backup
C. Use Azure Site Recovery (ASR) to replicate the VMs and meet the retention
D. Use Azure Backup for VMs with instant recovery enabled
Answer: A

Correct. Custom policies allow you to configure multiple retention rules per frequency.

Why this answer

Option A is correct because Azure Backup allows you to create a custom backup policy that defines a daily backup schedule and separate retention rules for daily, weekly, and yearly retention points. This directly meets the requirement of 35 days daily, 52 weeks weekly, and 10 years yearly retention, as Azure Backup supports granular retention policies with multiple tiers (daily, weekly, monthly, yearly) within a single policy.

Exam trap

The trap here is that candidates may confuse Azure Backup's default policy (which only covers short-term retention) with the ability to customize retention tiers, or mistakenly think Azure Site Recovery can serve as a backup solution for long-term retention, when in fact it is for replication and failover, not backup retention.

How to eliminate wrong answers

Option B is wrong because the default backup policy in Azure Backup typically retains daily backups for only 30 days (not 35) and does not include weekly or yearly retention rules, so it cannot meet the specified requirements. Option C is wrong because Azure Site Recovery (ASR) is designed for disaster recovery and replication, not for long-term backup retention; it does not support retention policies for years and is not a backup solution for meeting retention schedules. Option D is wrong because instant recovery is a feature that enables faster restore from snapshots, but it does not modify or extend retention policies; the default or custom policy still governs retention, and instant recovery alone cannot satisfy the 35-day, 52-week, and 10-year retention requirements.

834 (MCQ, hard)

You are a cloud architect for a multinational corporation. The company has a single Azure tenant with a management group hierarchy: Root MG -> Corp MG -> (Finance, HR, IT, Marketing) child management groups. Each child management group contains multiple subscriptions. The IT governance team wants to enforce a policy that all Azure resources must have a 'CostCenter' tag. However, the Finance department has legacy resources that cannot be modified and must be exempt from this policy. You need to design a solution that meets the following requirements: (1) The policy should be applied to all subscriptions in the Corp MG except those in the Finance MG. (2) The policy should audit non-compliant resources but not deny them. (3) The solution must use Azure Policy and minimize administrative overhead. What should you do?

A. Assign the policy at the Root management group and exclude all child management groups except Corp.
B. Assign the policy at the Corp management group scope and exclude the Finance management group.
C. Assign the policy at each child management group except Finance.
D. Assign the policy to each subscription individually, excluding those in Finance.
Answer: B

Assigning at Corp MG with exclusion for Finance MG meets all requirements with minimal overhead.

Why this answer

Assigning the policy at the Corp management group scope and excluding the Finance management group meets all requirements: it applies the policy to all subscriptions under Corp (including Finance, HR, IT, Marketing) while the exclusion removes Finance from policy evaluation. Using the 'audit' effect ensures non-compliant resources are flagged but not denied, and this single assignment minimizes administrative overhead.

Exam trap

The trap here is that candidates mistakenly think they must assign the policy at the Root management group and then exclude all non-Corp children, but that would require multiple exclusions and could accidentally exclude the Corp management group itself, whereas a single assignment at Corp with one exclusion is simpler and correct.

How to eliminate wrong answers

Option A is wrong because excluding all child management groups except Corp would remove the policy from all child management groups (Finance, HR, IT, Marketing), leaving only the Corp management group itself (which contains no subscriptions directly) — thus the policy would not apply to any subscriptions. Option C is wrong because assigning the policy at each child management group except Finance requires four separate assignments, increasing administrative overhead unnecessarily. Option D is wrong because assigning the policy to each subscription individually, even excluding Finance subscriptions, creates excessive administrative overhead and does not leverage the management group hierarchy for inheritance.

835 (Multi-Select, hard)

A mission-critical web application must tolerate a full Azure region outage. The business requires automatic failover and global HTTP acceleration. Which two components should be included in the design? (Choose 2.)

Select 2 answers
A. Deploy the application to at least two Azure regions.
B. Use Azure Front Door with health probes and origin failover.
C. Use only availability zones in one region.
D. Use Azure Bastion for failover routing.
Answers: A, B

A single-region deployment cannot survive a full regional outage.

Why this answer

Option A is correct because deploying the application to at least two Azure regions provides geographic redundancy, ensuring that if one entire region fails, the application can still operate from the other region. This is a fundamental requirement for tolerating a full region outage. Option B is correct because Azure Front Door provides global HTTP acceleration and automatic failover by using health probes to monitor endpoint health and routing traffic to healthy origins, which meets the business requirements for both automatic failover and performance.

Exam trap

The trap here is that candidates often confuse availability zones (which protect against datacenter failures within a region) with multi-region deployments (which are required for region outage tolerance), leading them to incorrectly select Option C as sufficient.

836 (MCQ, medium)

A SaaS company uses Azure SQL Database for a multi-tenant application. They have 80 tenant databases, each with varying and unpredictable usage patterns. The company wants to optimize costs without sacrificing performance and wants the ability to easily add new tenant databases without over-provisioning. Which deployment option should they use?

A. Azure SQL Database elastic pool
B. Single Azure SQL Database per tenant
C. Azure SQL Managed Instance
D. Azure SQL Database Hyperscale
Answer: A

Correct. Elastic pool allows sharing resources across databases, optimizing cost for variable and unpredictable workloads.

Why this answer

Azure SQL Database elastic pool is the correct choice because it allows multiple tenant databases to share a fixed set of resources (DTUs or vCores), automatically absorbing the unpredictable usage spikes of individual tenants without over-provisioning. This model optimizes cost by paying for the pooled resources rather than each database's peak capacity, and new tenant databases can be added seamlessly to the pool without upfront resource allocation.

Exam trap

The trap here is that candidates often choose Single Azure SQL Database per tenant (Option B) because they think it provides isolation and simplicity, but they overlook the cost inefficiency of over-provisioning for unpredictable peaks, which is exactly the problem elastic pools solve.

How to eliminate wrong answers

Option B (Single Azure SQL Database per tenant) is wrong because it requires provisioning each database for its peak load, leading to significant over-provisioning and higher costs when tenants have unpredictable, varying usage patterns. Option C (Azure SQL Managed Instance) is wrong because it is a fully managed instance of SQL Server with fixed resource limits per instance, designed for lift-and-shift scenarios, not for cost-efficient multi-tenant elasticity with many small databases. Option D (Azure SQL Database Hyperscale) is wrong because it is optimized for very large databases (up to 100 TB) with high throughput and rapid scaling, not for pooling many small, unpredictable tenant databases; it would be unnecessarily expensive and complex for this workload.

837 (MCQ, medium)

Your organization uses Azure Policy to enforce tagging standards. You need to ensure that any resource created without the required 'CostCenter' tag is automatically remediated by adding the tag with a default value. Which policy effect should you use?

A. append
B. deny
C. modify
D. audit
Answer: C

Modify can automatically add the tag with a default value during creation and supports remediation for existing resources.

Why this answer

Option C is correct because the 'modify' effect can add tags to resources during creation or on existing resources via remediation. Option B is wrong because 'deny' blocks creation. Option D is wrong because 'audit' only logs non-compliance.

Option A is wrong because 'append' adds the tag at creation but does not support remediation for existing resources.

838 (MCQ, medium)

A company wants to deploy a web application on Azure virtual machines (VMs). The application experiences variable traffic patterns, so the company needs to automatically add or remove VM instances based on CPU utilization. They also want the application to remain highly available even if an Azure datacenter fails. Which combination of Azure services should they use?

A. Virtual Machine Scale Sets configured with autoscale rules based on CPU and distributed across availability zones
B. Azure App Service with autoscale rules and deployment slots
C. Azure Load Balancer with a backend pool of VMs and autoscale rules applied to individual VMSS
D. Azure Traffic Manager with endpoints in separate regions and manual scaling of VMs
Answer: A

VM Scale Sets allow you to define autoscale conditions (e.g., scale out when CPU > 75%) and can be deployed across availability zones. This provides both horizontal scaling and protection against a zone failure.

Why this answer

Virtual Machine Scale Sets (VMSS) with autoscale rules based on CPU utilization automatically add or remove VM instances to match variable traffic patterns. Distributing the VMSS across availability zones ensures the application remains highly available even if an entire Azure datacenter fails, because availability zones are physically separate datacenters within a region.

Exam trap

The trap here is that candidates often confuse Azure App Service (PaaS) with IaaS VM solutions, or assume that a load balancer alone can handle autoscaling, when in fact autoscale rules must be configured directly on the VMSS resource.

How to eliminate wrong answers

Option B is wrong because Azure App Service is a Platform-as-a-Service (PaaS) offering, not a VM-based solution, and the question explicitly requires deployment on Azure virtual machines. Option C is wrong because Azure Load Balancer distributes traffic but does not itself perform autoscaling; autoscale rules must be applied directly to the VMSS, not to individual VMs, and the phrase 'applied to individual VMSS' is redundant and misstates the architecture. Option D is wrong because Traffic Manager provides global DNS-based traffic routing across regions, but manual scaling of VMs does not meet the requirement for automatic scaling based on CPU utilization.

839 (MCQ, medium)

Your company plans to migrate on-premises SQL Server databases to Azure. The databases require high availability with automatic failover to a secondary region in the event of a regional outage. The solution must minimize data loss and support read-only queries on the secondary replica. Which Azure service should you use?

A. Azure SQL Database with geo-restore
B. Azure SQL Database with active geo-replication
C. Azure SQL Database with failover groups
D. Azure SQL Managed Instance with failover groups
Answer: B

Active geo-replication provides a readable secondary in another region with automatic failover and minimal data loss.

Why this answer

Option B is correct because Azure SQL Database with active geo-replication provides automatic failover to a secondary region, supports read-only queries on the secondary, and minimizes data loss with synchronous replication within the primary region. Option D is wrong because Azure SQL Managed Instance does not support geo-replication by default. Option C is wrong because Azure SQL Database with failover groups uses asynchronous replication, which may cause data loss.

Option A is wrong because Azure SQL Database with geo-restore does not provide automatic failover or a readable secondary.

840 (MCQ, hard)

A company runs a high-performance computing (HPC) workload that requires low-latency access to large files (hundreds of GB) from thousands of Azure VMs concurrently. The files must be accessible via the NFS protocol and the solution must be a fully managed, POSIX-compliant file system that can scale throughput linearly with capacity. Which Azure storage solution should they choose?

A. Azure NetApp Files
B. Azure Files (premium tier)
C. Azure Blob Storage with NFS 3.0 support
D. Azure HPC Cache
Answer: A

Correct. Azure NetApp Files offers high performance, low latency, and POSIX compliance with linear throughput scalability.

Why this answer

Azure NetApp Files is the correct choice because it provides a fully managed, POSIX-compliant NFS file system that can scale throughput linearly with capacity. It is designed for HPC workloads requiring low-latency access to large files from thousands of concurrent VMs, offering sub-millisecond latency and high throughput that increases as you add capacity.

Exam trap

The trap here is that candidates often confuse Azure Blob Storage with NFS support as a fully POSIX-compliant file system, overlooking its lack of full POSIX compliance and linear throughput scaling, or they assume Azure Files premium tier can match the performance and scalability of Azure NetApp Files for HPC workloads.

How to eliminate wrong answers

Option B is wrong because Azure Files (premium tier) uses SMB protocol by default and, while it supports NFS, it does not provide the linear throughput scaling with capacity required for HPC workloads; its performance is capped per share and does not scale linearly. Option C is wrong because Azure Blob Storage with NFS 3.0 support is not a fully POSIX-compliant file system; it lacks features like hard links and directory rename operations, and its throughput does not scale linearly with capacity in the same way as a true file system. Option D is wrong because Azure HPC Cache is a caching service that accelerates access to existing storage (e.g., on-premises or Azure Blob), not a fully managed, POSIX-compliant file system itself; it does not provide a native NFS file system with linear throughput scaling.

841 (MCQ, hard)

Your company, Contoso Ltd., is a global financial services firm with a primary data center in London and a disaster recovery site in Paris. They are migrating their on-premises SQL Server databases to Azure. The databases include: (1) a 2-TB customer database with high transaction throughput, requiring an RPO of 5 seconds and an RTO of 30 seconds; (2) a 500-GB reporting database that is read-only and can tolerate an RPO of 1 hour and an RTO of 2 hours; (3) a 100-GB archival database that is accessed once a month. The solution must minimize costs while meeting requirements. You need to recommend a storage and database strategy for each database. What should you recommend?

A. Use Azure SQL Managed Instance for all databases with auto-failover groups.
B. Use Azure SQL Database with active geo-replication for the customer database, geo-restore for the reporting database, and long-term retention for the archival database.
C. Use Azure Cosmos DB for the customer database, Azure SQL Database for reporting, and Azure Blob Storage for archival.
D. Use Azure SQL Database with active geo-replication for all databases.
Answer: B

Meets requirements cost-effectively.

Why this answer

Option B is correct. For the customer database, Azure SQL Database with active geo-replication meets the low RPO/RTO. For the reporting database, Azure SQL Database geo-restore from geo-redundant backups meets the 1-hour RPO at lower cost.

For the archival database, Azure SQL Database with long-term retention (LTR) and geo-restore is cost-effective. Option A is wrong because Azure SQL Managed Instance is more expensive and not necessary. Option C is wrong because using Cosmos DB for relational data is inappropriate.

Option D is wrong because using Azure SQL Database with active geo-replication for all databases would be overkill and costly for the archival database.

842 (MCQ, easy)

A company has multiple branch offices and needs to connect them to Azure and to each other using a scalable, managed solution that simplifies network architecture. The solution should support automatic routing and integration with ExpressRoute and VPN. Which Azure service should they use?

A. Azure Virtual Network
B. Azure Virtual WAN
C. Azure ExpressRoute
D. Azure VPN Gateway
Answer: B

Virtual WAN offers a scalable, managed hub that connects branch offices, Azure VNets, and on-premises resources with automatic routing and integration with ExpressRoute/S2S VPN.

Why this answer

Azure Virtual WAN is a managed networking service that aggregates branch, VPN, and ExpressRoute connectivity into a single hub-and-spoke architecture. It automatically handles routing between branches and Azure, supports any-to-any connectivity, and integrates natively with ExpressRoute and VPN gateways, making it the correct choice for a scalable, managed solution that simplifies network architecture.

Exam trap

The trap here is that candidates often confuse Azure Virtual WAN with Azure Virtual Network, thinking that a simple VNet with VPN gateways can scale to interconnect multiple branches, but they overlook the managed, automatic routing and aggregation capabilities that Virtual WAN provides for multi-site topologies.

How to eliminate wrong answers

Option A is wrong because Azure Virtual Network is a fundamental building block for creating isolated networks in Azure, but it does not provide managed, automatic routing between multiple branch offices or native integration with ExpressRoute and VPN at scale; it requires manual configuration of peering, gateways, and routing. Option C is wrong because Azure ExpressRoute is a dedicated private connection from on-premises to Azure, but it does not connect multiple branch offices to each other or provide automatic routing between them; it is a connectivity option, not a managed WAN service. Option D is wrong because Azure VPN Gateway provides site-to-site VPN connectivity from a single branch to Azure, but it does not offer a managed, scalable hub for interconnecting multiple branches or automatic routing between them; it requires additional configuration and does not aggregate multiple connections into a single managed topology.

843 (MCQ, hard)

You are designing a business continuity solution for a global e-commerce platform that runs on Azure Kubernetes Service (AKS) in multiple regions. The application must remain available even if an entire Azure region fails. The application uses Azure Cosmos DB for its database. You need to ensure that the application can continue to serve traffic with minimal disruption. What should you recommend?

A. Use Cosmos DB with geo-redundant storage and deploy a single AKS cluster with Azure Site Recovery.
B. Deploy AKS clusters in two regions with Azure Traffic Manager and use Cosmos DB single-region writes with async replication.
C. Configure Cosmos DB with multi-region writes and deploy AKS clusters in two regions behind Azure Front Door.
D. Deploy the application to a single region and use Azure Backup for Cosmos DB to restore in another region.
Answer: C

Multi-region writes enable active-active with automatic failover.

Why this answer

Option C (multi-region write Cosmos DB with multi-region AKS) provides an active-active architecture with automatic failover. Option D (single region with backups) has a high RTO. Option A (geo-redundant storage) protects data only.

Option B (Traffic Manager with a passive secondary) has lower availability.

844
Multi-Select · medium

Which TWO actions should you take to implement a least-privilege identity strategy for Azure resources?

Select 2 answers
A. Assign Global Administrator role to all cloud architects
B. Store service principal passwords in Azure Key Vault and retrieve at runtime
C. Enable self-service password reset for all users
D. Use managed identities for Azure resources instead of service principals
E. Use Privileged Identity Management (PIM) to activate roles just-in-time
Answers: D, E

Managed identities remove the need to manage secrets.

Why this answer

Option D is correct because managed identities for Azure resources eliminate the need to store and manage credentials. Azure automatically manages and rotates the identity's credentials in Microsoft Entra ID (Azure AD), and the resource obtains an access token directly from the Azure Instance Metadata Service (IMDS) endpoint without handling any secrets. This aligns with the least-privilege principle by removing static, long-lived credentials and reducing the attack surface.

Exam trap

The trap here is that candidates often confuse storing secrets securely (Option B) with eliminating secrets entirely (Option D), or they overlook that PIM (Option E) is a core least-privilege tool for role activation, not just a monitoring feature.

845
MCQ · hard

You are designing a data lake solution using Azure Data Lake Storage Gen2. The solution must support file-level security for sensitive data and must integrate with Azure Purview for data cataloging. What should you use for file-level security?

A. Azure Key Vault with customer-managed keys
B. Access control lists (ACLs)
C. Azure Defender for Storage
D. Azure RBAC roles
Answer: B

ACLs provide file-level security in Data Lake Storage Gen2.

Why this answer

Option B is correct because Azure Data Lake Storage Gen2 supports POSIX-like ACLs for file-level permissions. Option D is wrong because RBAC operates at the storage account or container level. Option C is wrong because Azure Defender for Storage is for threat detection, not access control.

Option A is wrong because Azure Key Vault is for key management.

846
MCQ · medium

A company stores log data in Azure Blob Storage. The logs are accessed frequently for the first 30 days, then only occasionally for up to 1 year, and after that must be retained for 7 years for compliance purposes. The company wants to minimize storage costs by automatically moving data to cheaper tiers. Which Azure Blob Storage lifecycle management policy should they implement?

A. Move to Cool tier after 30 days, move to Archive tier after 365 days, delete after 2555 days
B. Move to Cool tier after 30 days, move to Archive tier after 365 days, delete after 7 years
C. Move to Cool tier after 30 days, move to Archive tier after 30 days, delete after 2555 days
D. Move to Archive tier after 30 days, keep in Archive until deletion after 2555 days
Answer: A

This matches the usage pattern: frequent access first 30 days (Hot), then occasional access for a year (Cool), then rare access (Archive) until deletion after 7 years.

Why this answer

Option A is correct because it aligns with the access patterns: move to Cool tier after 30 days (frequent access period), move to Archive tier after 365 days (occasional access period ends), and delete after 2555 days (7 years retention). This minimizes costs by transitioning data to progressively cheaper storage tiers and automatically deleting it when compliance retention expires.

Exam trap

The trap here is that candidates may choose Option B thinking '7 years' is acceptable in the policy, but Azure requires the 'delete after' action to be specified in days (2555), not years, and they may overlook the early deletion penalty of the Archive tier when moving data too soon.

How to eliminate wrong answers

Option B is wrong because it specifies 'delete after 7 years' without converting to days; Azure lifecycle management policies require the 'delete after' action to be defined in days, not years, and 7 years equals 2555 days, not a literal '7 years' string. Option C is wrong because it moves data to Archive tier after only 30 days, which would incur early deletion fees and retrieval costs since logs are still accessed occasionally for up to a year; Archive tier is for rarely accessed data and has a 180-day minimum storage charge. Option D is wrong because it moves data directly to Archive tier after 30 days, ignoring the Cool tier entirely, which increases costs due to early deletion penalties and higher retrieval costs for the occasional access period up to 365 days.

847
MCQ · hard

A company runs a critical multi-tier application on Azure VMs. The application includes a database tier that requires recovery across multiple VMs at the same point in time. The company uses Azure Site Recovery (ASR) for disaster recovery to a secondary region. The recovery point objective (RPO) is 15 minutes and the recovery time objective (RTO) is 1 hour. The database VMs have a high data change rate, and the company wants to minimize replication costs. Which combination of ASR configurations should they implement?

A. Use multi-VM consistency groups and set the replication frequency to 15 minutes.
B. Enable application-consistent recovery for all VMs and use ExpressRoute.
C. Use standard recovery plans and default replication policy.
D. Configure a single recovery plan with manual failover and use Premium SSD managed disks.
Answer: A

Multi-VM consistency groups ensure crash-consistent recovery of all VMs to the same point. Setting replication frequency to 15 minutes meets the RPO and reduces the number of recovery points, lowering storage and network costs compared to the default 5-minute frequency.

Why this answer

Option A is correct because multi-VM consistency groups in Azure Site Recovery ensure that all VMs in the group are recovered to the same crash-consistent point in time, which meets the requirement for cross-VM recovery. Setting the replication frequency to 15 minutes aligns with the 15-minute RPO while minimizing replication costs by avoiding more frequent replication (e.g., 5 minutes) that would increase bandwidth and storage costs.

Exam trap

The trap here is that candidates often confuse application-consistent recovery (which ensures each VM's OS and apps are consistent) with cross-VM consistency (which ensures all VMs are recovered to the same point in time), leading them to choose Option B or C without recognizing the need for multi-VM consistency groups.

How to eliminate wrong answers

Option B is wrong because application-consistent recovery for all VMs does not guarantee cross-VM point-in-time consistency; it only ensures each VM is application-consistent individually, and ExpressRoute is a network connectivity option that does not affect replication consistency or cost. Option C is wrong because standard recovery plans and default replication policy (typically 5-minute frequency) would not minimize costs and may not provide the required cross-VM consistency without a consistency group. Option D is wrong because a single recovery plan with manual failover does not ensure simultaneous recovery at the same point in time across VMs, and Premium SSD managed disks are a storage performance choice unrelated to replication consistency or cost minimization.

848
MCQ · hard

Refer to the exhibit. The ARM template provisions a VM. The deployment succeeds but the VM fails to start. What is the most likely cause?

A. The admin password is in plaintext and does not meet complexity requirements
B. The data disk size 1023 GB exceeds the maximum for StandardSSD_LRS
C. The network interface resource ID is incorrectly formatted
D. The VM size Standard_D2s_v3 is not available in the region
Answer: A

Plaintext password violates Azure policy.

Why this answer

Option A is correct because the template contains the admin password in plaintext, which violates the Azure policy requiring a complex password or the use of Key Vault. Option D is wrong because Premium_LRS is supported in most regions. Option B is wrong because StandardSSD_LRS is valid for data disks.

Option C is wrong because the NIC reference uses the correct resourceId function.

849
MCQ · easy

A company needs a fully managed NoSQL database for a new application with a key-value and document data model. They require single-digit millisecond latency at any scale, multi-region writes with automatic conflict resolution, and a serverless capacity option to handle unpredictable traffic. Which Azure data service should they use?

A. Azure Table Storage
B. Azure Cosmos DB
C. Azure Cache for Redis
D. Azure SQL Database
Answer: B

Cosmos DB provides guaranteed single-digit millisecond latency, multi-region writes (multi-master), automatic conflict resolution, and a serverless mode that automatically scales capacity based on workload.

Why this answer

Azure Cosmos DB is the correct choice because it is a fully managed NoSQL database that supports both key-value and document data models natively. It guarantees single-digit millisecond latency at any scale, offers multi-region writes with automatic conflict resolution via its multi-master replication, and provides a serverless capacity mode that automatically scales based on demand, making it ideal for unpredictable traffic.

Exam trap

The trap here is that candidates often confuse Azure Table Storage as a NoSQL database that supports multi-region writes, but it lacks document support and automatic conflict resolution, making Cosmos DB the only option that meets all requirements.

How to eliminate wrong answers

Option A is wrong because Azure Table Storage is a key-value store but does not support a document data model, lacks multi-region writes with automatic conflict resolution, and does not offer a serverless capacity option (it uses provisioned throughput). Option C is wrong because Azure Cache for Redis is an in-memory caching service, not a fully managed NoSQL database; it does not natively support document data models or multi-region writes with conflict resolution. Option D is wrong because Azure SQL Database is a relational database (SQL-based), not a NoSQL database, and does not support key-value or document data models natively, nor does it offer multi-region writes with automatic conflict resolution.

850
MCQ · medium

You are designing a backup and disaster recovery solution for a financial services company. The company has a critical application running on Azure VMs with premium SSDs. The RPO for the application is 15 minutes, and the RTO is 1 hour. The application data is stored on a separate managed disk with a premium SSD. The company wants to ensure that backups are cost-effective and do not impact application performance. You need to recommend a backup strategy. What should you do?

A. Use Azure Site Recovery with replication from the primary to a secondary region.
B. Use Azure Disk Backup with a backup policy of 15-minute frequency.
C. Use Azure Backup with application-consistent snapshots and configure a backup policy with a 15-minute frequency.
D. Use Azure Compute Gallery to create custom snapshots every 15 minutes.
Answer: C

Azure Backup supports high-frequency backups and application consistency.

Why this answer

Option C is correct because Azure Backup with application-consistent snapshots can achieve an RPO of 15 minutes with high-frequency backup policies, and the use of premium SSDs keeps the performance impact low. Option A is wrong because Azure Site Recovery has a higher RTO and is more expensive for backup. Option D is wrong because manual snapshots are not automated and can impact performance.

Option B is wrong because Azure Disk Backup does not provide application consistency and has a minimum backup frequency of 4 hours.

851
MCQ · hard

You are designing a data storage solution for an IoT application that ingests millions of events per second. Each event is a small JSON message (under 1 KB). The solution must support real-time analytics and allow queries on recent data (last 24 hours) with low latency. Historical data (older than 24 hours) should be stored in a cost-optimized manner for occasional compliance queries. Which combination of Azure services should you recommend?

A. Azure Cosmos DB for both real-time and historical data
B. Azure Event Hubs for ingestion and Azure Functions for querying
C. Azure SQL Database with elastic pool
D. Azure Data Explorer for real-time analytics and Azure Blob Storage for historical data
Answer: D

ADX handles high-throughput ingest and real-time queries; Blob Storage is cost-effective for cold data.

Why this answer

Azure Data Explorer (ADX) is purpose-built for real-time analytics on high-velocity data streams, ingesting millions of events per second with sub-second query latency on recent data. Azure Blob Storage provides a cost-optimized tier (e.g., Cool or Archive) for historical data older than 24 hours, which can be queried occasionally via ADX’s continuous export or external table feature. This combination meets both the low-latency real-time analytics requirement and the cost-effective long-term storage need.

Exam trap

The trap here is that candidates often confuse high-throughput ingestion with query capability, assuming that any service that can ingest data (like Event Hubs) can also serve real-time queries, or that a general-purpose database (like Cosmos DB or SQL Database) can handle the extreme volume and analytics pattern of IoT telemetry.

How to eliminate wrong answers

Option A is wrong because Azure Cosmos DB, while fast for transactional workloads, is not optimized for high-throughput ingestion of millions of events per second for real-time analytics; its per-request cost and indexing overhead would be prohibitive for this volume, and it lacks native time-series analytics capabilities. Option B is wrong because Azure Event Hubs is an ingestion service, not a query engine; Azure Functions are stateless and unsuitable for low-latency ad-hoc queries over terabytes of recent data, and they cannot efficiently handle the querying requirement. Option C is wrong because Azure SQL Database with elastic pool cannot ingest millions of events per second due to connection and transaction limits, and its cost for storing and querying high-volume time-series data would be excessive compared to purpose-built solutions.

852
MCQ · easy

You need to design a storage solution for a data lake that will store petabytes of structured and unstructured data. The data must be accessible from Azure Databricks and Azure Machine Learning. The solution must optimize costs by automatically moving data to cooler tiers when access frequency decreases. Which Azure storage solution should you use?

A. Azure Data Lake Storage Gen2
B. Azure Blob Storage (flat namespace)
C. Azure NetApp Files
D. Azure Files
Answer: A

ADLS Gen2 combines blob storage with a hierarchical namespace, supports lifecycle management, and integrates with Databricks and ML.

Why this answer

Option A is correct because Azure Data Lake Storage Gen2 provides a hierarchical namespace, integration with analytics services, and lifecycle management to tier data to the cool and archive tiers. Option B is wrong because Azure Blob Storage (flat namespace) is not optimized for data lake workloads. Option C is wrong because Azure NetApp Files is for high-performance file shares, not data lakes.

Option D is wrong because Azure Files is for file shares, not petabyte-scale data lakes.

853
MCQ · medium

Your company is migrating a critical on-premises database to Azure SQL Managed Instance. The database is 500 GB and requires minimal downtime during migration. You need to choose the best migration approach. What should you recommend?

A. Use the export/import bacpac method.
B. Use Azure Data Factory to copy data.
C. Use transactional replication.
D. Use Azure Database Migration Service with online migration.
Answer: D

Supports minimal downtime by continuously replicating changes.

Why this answer

Option D is correct because Azure Database Migration Service with online migration supports minimal downtime by continuously syncing changes. Option A is wrong because export/import requires downtime. Option C is wrong because transactional replication can be complex and is not the primary recommended method for minimal downtime.

Option B is wrong because Azure Data Factory is for data integration, not minimal-downtime migration.

854
Multi-Select · medium

A company needs to design a disaster recovery solution for a multi-tier application that includes a web tier, a business tier, and a database tier. The solution must meet the following requirements:
- RPO of 15 minutes for the database
- RTO of 1 hour for the entire application
- Automatic failover for the database
- No data loss for the web and business tiers (stateless)
Which TWO services should be included in the solution? (Choose two.)

Select 2 answers
A. Azure Backup
B. Azure Traffic Manager
C. Azure Site Recovery for VM replication
D. Azure Front Door
E. Azure SQL Database active geo-replication
Answers: B, E

Routes traffic to healthy region for stateless tiers.

Why this answer

Options B and E are correct. Azure SQL Database active geo-replication provides automatic failover with an RPO of 5 seconds, well within 15 minutes. Azure Traffic Manager can route traffic to the stateless tiers in the secondary region.

Option C is wrong because Azure Site Recovery is not needed for stateless tiers; they can be redeployed. Option D is wrong because Azure Front Door is not necessary for a simple DR scenario. Option A is wrong because Azure Backup does not provide automatic failover.

855
MCQ · medium

Fabrikam Inc. runs a file-sharing service used by 500 employees globally. The service is deployed on Azure VMs in the North Europe region. The VMs store data on Azure Files shares (Standard performance tier) mounted via SMB. The company's business continuity policy requires:
- RPO: 1 hour for any data loss.
- RTO: 4 hours to restore service after a regional disaster.
- All data must be backed up and recoverable in a different region.
- Budget is a concern; prefer cost-effective solutions.
Currently, there is no backup in place. You need to design a solution. What should you do?

A. Set up Azure Site Recovery (ASR) for the VMs and Azure Files. Replicate to a secondary region (West Europe). Use ASR recovery plans to orchestrate failover.
B. Configure Azure Backup for the Azure Files shares with a backup policy of 1-hour frequency. Also back up the VMs using Azure Backup with a 1-hour policy. Store backups in a Recovery Services vault with geo-redundant storage (GRS). Enable cross-region restore.
C. Use Azure Files share snapshots taken every hour and store them in a separate storage account in the same region. For VM backup, use Azure Backup with daily frequency. In a disaster, deploy new VMs and restore from snapshots.
D. Implement Azure File Sync between the Azure Files share and an on-premises file server. For disaster recovery, failover to the on-premises server.
Answer: B

Azure Backup meets the RPO and RTO with cross-region restore, and is cost-effective.

Why this answer

Option B is correct because Azure Backup for Azure Files can schedule backups every hour (meeting 1-hour RPO) and store them in a Recovery Services vault with geo-redundant storage (GRS) to recover in another region. For the VMs, Azure Backup can also protect them with a 1-hour frequency. Cross-region restore enables recovery in a secondary region.

Option A is wrong because Azure Site Recovery is more expensive and may not be needed for this RTO. Option C is wrong because Azure Files snapshots are manual and do not provide cross-region recovery. Option D is wrong because Azure File Sync is for sync, not backup.

856
MCQ · easy

You need to store billions of small JSON files (average 50 KB) that are accessed infrequently but must be available within seconds when requested. Which Azure storage solution is most cost-effective?

A. Azure SQL Database with a table storing JSON
B. Azure Files with SMB shares
C. Azure Blob Storage Cool tier
D. Azure Cosmos DB with a container for each file
Answer: C

Cool tier offers low storage costs and low-latency access for infrequently accessed data.

Why this answer

Azure Blob Storage Cool tier is the most cost-effective solution for storing billions of small JSON files (average 50 KB) that are infrequently accessed but require low-latency retrieval within seconds. The Cool tier offers low storage costs for data accessed less than once per month, while still providing sub-second access latency for individual blobs via HTTPS REST API, matching the 'available within seconds' requirement without the higher costs of Hot or premium tiers.

Exam trap

The trap here is that candidates often choose Azure Cosmos DB (Option D) because of its low-latency guarantees, but they overlook the massive cost difference for storing billions of small files, where Blob Storage's object storage model is far more economical for infrequently accessed data.

How to eliminate wrong answers

Option A is wrong because Azure SQL Database is a relational database optimized for transactional queries and structured data, not for storing billions of individual small files; storing each JSON file as a row would incur high storage costs (minimum 1 MB per row for LOB data) and poor performance for file-level retrieval. Option B is wrong because Azure Files with SMB shares is designed for shared file systems with SMB protocol overhead and is not optimized for billions of small files; it incurs higher costs per GB than Blob Storage and lacks native support for efficient bulk operations on individual small objects. Option D is wrong because Azure Cosmos DB is a NoSQL database optimized for low-latency queries and real-time access with high throughput, but its cost per GB of storage is significantly higher than Blob Storage (often 10x or more), making it prohibitively expensive for storing billions of small files that are accessed infrequently.

857
MCQ · hard

Your organization has a hybrid identity infrastructure with Microsoft Entra ID and on-premises Active Directory. You plan to implement Microsoft Entra ID Protection to detect and respond to identity risks. You need to ensure that risky sign-ins from anonymous IP addresses are automatically blocked, while still allowing legitimate users to self-remediate. What should you configure?

A. Configure a sign-in risk policy in Microsoft Entra ID Protection to block access for high risk
B. Use the Identity Protection dashboard to manually review and block risky sign-ins
C. Configure a Conditional Access policy to block sign-ins from anonymous IP addresses and enable user risk policy for self-remediation
D. Configure a user risk policy to require password change for high risk users
Answer: C

Conditional Access blocks sign-in, and user risk policy allows self-remediation.

Why this answer

Option C is correct because it combines a Conditional Access policy to block sign-ins from anonymous IP addresses with a user risk policy that allows legitimate users to self-remediate by performing a password change. This ensures that high-risk sign-ins are automatically blocked while users can still recover their accounts without administrative intervention.

Exam trap

The trap here is that candidates often confuse sign-in risk policies with user risk policies, or assume that a single policy can both block and remediate, when in fact two separate policies are needed to meet the requirements of automatic blocking and self-remediation.

How to eliminate wrong answers

Option A is wrong because a sign-in risk policy configured to block access for high risk does not specifically target anonymous IP addresses; it blocks based on the overall sign-in risk level, which may not automatically block all anonymous IP sign-ins. Option B is wrong because manual review and blocking via the Identity Protection dashboard does not provide automatic blocking and self-remediation; it requires ongoing administrative effort and does not meet the requirement for automated response. Option D is wrong because a user risk policy requiring a password change for high risk users addresses user compromise but does not block sign-ins from anonymous IP addresses; it only triggers remediation after a risk is detected, not preventing the initial risky sign-in.

858
MCQ · medium

A company has an Azure virtual network (VNet) in the East US region hosting a web application. They need to securely connect to an on-premises data center in the same region using a dedicated, private network connection with high throughput and low latency. They also need a backup connection for redundancy in case the primary connection fails. Which connectivity solution should they implement?

A. Site-to-Site VPN only
B. ExpressRoute only
C. ExpressRoute as primary with Site-to-Site VPN as backup
D. Azure Virtual WAN with VPN
Answer: C

This combination provides a dedicated private connection for primary traffic and a lower-cost VPN as a redundant backup, meeting both performance and redundancy requirements.

Why this answer

ExpressRoute provides a dedicated, private, high-throughput, low-latency connection to Azure, ideal for the primary link. A Site-to-Site VPN over the internet serves as a cost-effective, encrypted backup path that activates if the ExpressRoute circuit fails, meeting the redundancy requirement without relying on the same physical infrastructure.

Exam trap

The trap here is that candidates often choose ExpressRoute only, forgetting that it lacks built-in redundancy and that a Site-to-Site VPN is the standard, cost-effective backup for ExpressRoute circuits in the same region.

How to eliminate wrong answers

Option A is wrong because a Site-to-Site VPN alone uses the public internet, which cannot guarantee the dedicated, high-throughput, low-latency private connection required for the primary link. Option B is wrong because ExpressRoute alone provides no automatic backup; if the circuit fails, connectivity is lost, violating the redundancy requirement. Option D is wrong because Azure Virtual WAN with VPN is a managed networking service that can aggregate multiple connections, but it does not inherently provide a dedicated private primary link with a VPN backup unless ExpressRoute is also configured; the option as stated lacks the ExpressRoute component needed for the primary connection.

859
Multi-Select · easy

A company needs to store sensitive customer data that must be encrypted at rest. Which TWO Azure storage services support customer-managed keys (CMK) for encryption?

Select 2 answers
A. Azure Files
B. Azure SQL Database
C. Azure Cache for Redis
D. Azure Blob Storage
E. Azure Cosmos DB
Answers: B, D

Supports CMK with Azure Key Vault.

Why this answer

Azure SQL Database and Azure Blob Storage both support customer-managed keys (CMK) via Azure Key Vault, allowing you to bring your own encryption keys (BYOK) for data at rest. This meets the requirement for sensitive customer data where the organization needs full control over encryption keys, including key rotation and revocation.

Exam trap

The trap here is that candidates often confuse services that support CMK with those that only support Microsoft-managed keys, and they may incorrectly select Azure Cosmos DB or Azure Files because they assume all Azure data services support BYOK, but only specific services like Azure SQL Database and Azure Blob Storage are explicitly tested for CMK in the AZ-305 exam.

860
Multi-Select · medium

You are designing an identity lifecycle management solution for a multinational company. Employees frequently change departments, and you need to automate the assignment and removal of application access based on their current department. Which THREE Microsoft Entra features should you use?

Select 3 answers
A. Dynamic membership groups
B. Microsoft Entra Privileged Identity Management
C. Microsoft Entra access reviews
D. Microsoft Entra entitlement management
E. Microsoft Entra self-service password reset
Answers: A, C, D

Automatically adds/removes users based on department attribute.

Why this answer

Dynamic membership groups (A) are correct because they automatically add or remove users based on attribute values like 'department'. When an employee changes departments, their department attribute is updated, and the group membership is recalculated, granting or revoking access to applications assigned to that group. This is the core mechanism for automating access changes based on user attributes.

Exam trap

The trap here is confusing Privileged Identity Management (PIM) with lifecycle management—PIM handles temporary elevation for admin roles, not the ongoing assignment of application access based on user attribute changes.

861
MCQ · medium

Your company runs a Windows-based application on Azure Virtual Machines in the Brazil South region. The application uses Azure Files for shared storage and Azure SQL Database (Hyperscale tier) for the database. The business requires a Recovery Point Objective (RPO) of 15 minutes and a Recovery Time Objective (RTO) of 30 minutes for the entire application. The solution must be cost-effective and leverage Azure-native services. You have been asked to design the disaster recovery strategy. Which option should you recommend?

A. Use Azure Site Recovery to replicate the VMs to a secondary region. Configure geo-redundant storage (GRS) for Azure Files. For Azure SQL Database Hyperscale, enable geo-restore and test restore procedures.
B. Deploy a second set of VMs in a secondary region. Use Azure File Sync to keep Azure Files in sync. Use Azure SQL Database failover groups with a readable secondary.
C. Back up the VMs using Azure Backup with a 15-minute frequency. Use Azure File Sync to replicate Azure Files to a secondary region. Use Azure SQL Database backup with point-in-time restore.
D. Use Azure Site Recovery for VMs. Use Azure File Sync for Azure Files. Use active geo-replication for Azure SQL Database.
Answer: A

Azure Site Recovery meets RPO/RTO for VMs; GRS for Azure Files provides automatic replication; Hyperscale geo-restore can restore a database in minutes.

Why this answer

Option A is correct because Azure Site Recovery for VMs provides a 15-minute RPO and fast RTO; geo-redundant storage for Azure Files meets the RPO; Azure SQL Database Hyperscale geo-restore can achieve an RTO within 30 minutes. Option C is wrong because Azure Backup for VMs has a slower RTO. Option B is wrong because Azure File Sync is for hybrid scenarios, not DR.

Option D is wrong because active geo-replication for SQL Database is more expensive than geo-restore.

862
MCQ · medium

A company runs a SQL Server database on an Azure virtual machine in a single region. They need to increase storage capacity and improve I/O performance for their transaction-intensive workload. They also want to ensure high availability within the same datacenter (99.99% SLA). What should they do?

A. Use Azure Premium SSD v2 managed disks in a storage pool with mirroring across multiple disks.
B. Use Azure Ultra Disk storage attached to the VM.
C. Deploy the SQL Server on an availability set and use Storage Spaces Direct with multiple disks.
D. Enable Azure SQL Managed Instance with auto-failover groups.
Answer: A

Premium SSD v2 provides high IOPS and throughput, and multiple disks can be pooled in the OS (e.g., Storage Spaces) to increase capacity and performance. The VM should be in an availability set to meet the SLA.

Why this answer

Azure Premium SSD v2 managed disks offer the highest I/O performance for transaction-intensive workloads, with sub-millisecond latency and the ability to scale IOPS and throughput independently of disk size. By configuring a storage pool with mirroring across multiple Premium SSD v2 disks, you can aggregate capacity and I/O while providing redundancy within a single datacenter, which supports the 99.99% SLA for the VM when combined with an availability set or proximity placement group.

Exam trap

The trap here is that candidates often assume Azure Ultra Disk is the best-performance option, but it lacks the ability to pool multiple disks for capacity and I/O aggregation, making Premium SSD v2 with storage pool mirroring the correct choice for both performance and high availability within a single datacenter.

How to eliminate wrong answers

Option B is wrong because Azure Ultra Disk storage, while offering extremely low latency and high IOPS, does not natively support mirroring or striping across multiple disks in a storage pool to increase capacity and I/O simultaneously; it is typically used as a single disk and does not provide the same aggregated performance and redundancy as a mirrored pool. Option C is wrong because Storage Spaces Direct is designed for on-premises or Azure Stack HCI scenarios, not for Azure VMs; it cannot be used with Azure managed disks and would not be supported in a standard Azure VM deployment. Option D is wrong because Azure SQL Managed Instance with auto-failover groups is a PaaS solution that moves the workload off the VM, which does not address the requirement to increase storage capacity and I/O performance for the existing SQL Server on an Azure VM, and it introduces a different architecture and SLA model.

863
MCQ, medium

A company runs a critical web application on Azure VMs in the West US region. They need a disaster recovery solution that replicates the VMs to the East US region. The recovery point objective (RPO) must be 30 minutes, and the recovery time objective (RTO) must be 1 hour. The company also needs to perform quarterly disaster recovery drills without impacting the production environment. Additionally, after a failover, the solution must automatically update traffic management to route users to the East US region. Which combination of Azure services should they use?

A.Azure Site Recovery and Azure Traffic Manager
B.Azure Backup and Azure Traffic Manager
C.Azure Site Recovery and Azure Front Door
D.Azure Backup and Azure Front Door
Answer: A

Azure Site Recovery handles VM replication with the required RPO/RTO and supports non-disruptive test failovers. Azure Traffic Manager can automatically route user traffic to the secondary region after failover by using endpoint monitoring and failover priority.

Why this answer

Azure Site Recovery (ASR) orchestrates replication, failover, and failback of Azure VMs from West US to East US, meeting the 30-minute RPO and 1-hour RTO. Azure Traffic Manager automatically updates DNS-based traffic routing to the East US region after failover, ensuring users are redirected without manual intervention. This combination satisfies all requirements: DR replication, RPO/RTO, quarterly drills (via test failover), and automated traffic management.

Exam trap

The trap here is that candidates confuse Azure Front Door with Traffic Manager, assuming Front Door's global routing automatically handles failover, but Front Door requires manual DNS or backend pool updates, whereas Traffic Manager integrates natively with ASR recovery plans for automated DNS failover.

How to eliminate wrong answers

Option B is wrong because Azure Backup is designed for long-term data retention and point-in-time restore, not for full VM replication with orchestrated failover and RPO of 30 minutes; it cannot meet the RTO of 1 hour or support automated traffic rerouting after failover. Option C is wrong because Azure Front Door is a global load balancer and application delivery controller that uses anycast and HTTP-level routing, but it does not provide automatic traffic rerouting after a Site Recovery failover without manual DNS updates; Traffic Manager is the correct service for DNS-based failover routing. Option D is wrong because it combines Azure Backup (which lacks DR orchestration) with Azure Front Door (which does not automatically update routing after failover), failing both the replication and traffic management requirements.

864
Matching, medium

Match each Azure database service to its primary use case.


Concepts
Matches

Globally distributed NoSQL database

Relational database as a service (PaaS)

Managed open-source relational database

In-memory data cache for low latency

SQL Server with near 100% compatibility

Why these pairings

These are common Azure data services for different workloads.

865
MCQ, medium

A company wants to configure policies that detect risky sign-ins (e.g., from anonymous IPs or unfamiliar locations) and automatically require multi-factor authentication (MFA) when such risk is detected. Which Microsoft Entra ID feature should they use to create these policies?

A.Microsoft Entra ID Conditional Access
B.Microsoft Entra ID Identity Protection
C.Microsoft Entra ID Privileged Identity Management
D.Microsoft Entra ID Audit Logs
Answer: A

Conditional Access policies can use risk conditions such as 'Sign-in risk level' to require MFA or block access, integrating with Identity Protection.

Why this answer

Microsoft Entra ID Conditional Access is the correct feature because it allows administrators to create policies that evaluate sign-in risk signals (such as anonymous IP addresses or unfamiliar locations) and enforce access controls like requiring multi-factor authentication (MFA). Conditional Access policies can integrate with Identity Protection risk detections, but the policy itself is defined and managed within the Conditional Access blade, making it the direct tool for this requirement.

Exam trap

The trap here is that candidates often confuse Identity Protection (which detects risk) with Conditional Access (which enforces the policy), leading them to select Identity Protection as the answer when the question explicitly asks for the feature that 'creates policies' to require MFA.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra ID Identity Protection detects and reports risky sign-ins and users (e.g., via risk events like anonymous IP address or unfamiliar sign-in properties), but it does not itself enforce access controls like requiring MFA; it relies on Conditional Access policies to act on those risk detections. Option C is wrong because Microsoft Entra ID Privileged Identity Management (PIM) manages just-in-time privileged role activation and approval workflows, not risk-based sign-in policies or MFA enforcement. Option D is wrong because Microsoft Entra ID Audit Logs provide a record of sign-in and administrative activities for monitoring and compliance, but they cannot be used to create proactive policies that detect risk and enforce MFA.
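The following is an added example, not part of the question bank, showing the relationship the question tests: Identity Protection supplies the sign-in risk signal, and a Conditional Access policy is what acts on it. It uses the Microsoft Graph PowerShell SDK (`New-MgIdentityConditionalAccessPolicy`) and assumes the caller holds a role that can write Conditional Access policies; the emergency-access group ID is a placeholder. The policy is created in report-only mode first so the sign-in logs show what it would have done before anyone is challenged.

```powershell
# Added example (not from the question bank): a report-only Conditional Access policy that
# requires MFA when Identity Protection reports medium or high sign-in risk.
# Assumes the Microsoft.Graph module is installed; the group ID below is a placeholder.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$breakGlassGroupId = '<object-id-of-emergency-access-group>'   # placeholder: never lock these out

$policy = @{
    displayName = 'CA-RiskySignIn-RequireMFA'
    # Report-only: evaluated and logged, but not enforced. Flip to 'enabled' after review.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{
            includeApplications = @('All')
        }
        # Risk levels are produced by Identity Protection detections (anonymous IP,
        # unfamiliar sign-in properties, ...); the policy only consumes them.
        signInRiskLevels = @('high', 'medium')
        clientAppTypes   = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# After the report-only results look right, enforce the policy:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = 'enabled' }
```

Two design choices worth keeping: the emergency-access group is excluded so a misconfigured policy cannot lock out every administrator, and the policy starts in report-only mode, which is the standard check before enforcing any risk-based control at tenant scope.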

866
MCQ, easy

A small business is moving its on-premises file server to Azure. The company has 50 users and stores approximately 500 GB of data, which includes documents and spreadsheets. The users need to access the files from their Windows laptops both at the office and remotely. The company wants to minimize costs while ensuring that files are always available and secure. You need to recommend a storage solution. What should you recommend?

A.Migrate the files to Azure Blob Storage and use Azure Storage Explorer for access.
B.Use Azure Stack Edge to sync the data to Azure Blob Storage.
C.Deploy Azure NetApp Files with a Standard capacity pool.
D.Deploy Azure Files with Azure File Sync and use a Windows File Server on-premises.
Answer: D

Azure Files provides cloud file shares, File Sync enables caching on-premises.

Why this answer

Option D is correct because Azure Files with Azure File Sync provides cloud file shares that can be synced to an on-premises Windows Server for local access, and supports remote access via SMB over the internet. Option A is wrong because Azure Blob Storage is not a file share and does not natively support SMB access. Option C is wrong because Azure NetApp Files is too expensive for this small use case.

Option B is wrong because Azure Stack Edge is for edge computing, not file sharing.

867
Multi-Select, easy

Which TWO are valid methods to authenticate to Azure from a PowerShell script that runs unattended? (Choose two.)

Select 2 answers
A.Service principal with a certificate
B.Service principal with a client secret
C.User account with multi-factor authentication
D.User account with password and MFA
E.Managed identity for Azure resources
Answers: A, B

Certificate-based authentication is non-interactive and secure.

Why this answer

A service principal with a certificate is a valid unattended authentication method because the certificate can be securely stored (e.g., in Azure Key Vault or the local machine store) and used by the script without an interactive login. The Azure PowerShell cmdlet `Connect-AzAccount -ServicePrincipal`, given the `-ApplicationId` and `-CertificateThumbprint` of the registration's certificate, lets the script authenticate with the certificate's private key, which is a non-interactive, secure approach.

Exam trap

The trap here is that candidates often confuse managed identities as a universal authentication method for any script, but they only work when the script runs on an Azure resource that supports managed identities, not from arbitrary or on-premises environments.
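Below is an added example, not from the question bank, of a scheduled script signing in to Azure without any interactive prompt. It shows the certificate path the explanation describes and, for contrast with the exam trap above, the managed identity path that only works when the script runs on an Azure resource. The tenant, application and thumbprint values are placeholders; the certificate is assumed to be in the local machine store with its public key uploaded to the app registration.

```powershell
# Added example (not from the question bank): unattended Azure sign-in.
# Placeholders: <tenant-id>, <client-id>, <thumbprint>. Run with -UseManagedIdentity only
# on an Azure resource (VM, Function, Automation) that has a managed identity assigned.
param(
    [string]$TenantId      = '<tenant-id>',
    [string]$ApplicationId = '<client-id>',
    [string]$Thumbprint    = '<thumbprint>',
    [switch]$UseManagedIdentity
)

# Keep the login scoped to this process so no token cache is written for other sessions.
Disable-AzContextAutosave -Scope Process | Out-Null

try {
    if ($UseManagedIdentity) {
        # Managed identity: nothing to store or rotate, but it does not exist on-premises
        # or on an arbitrary build agent, which is the limitation the exam trap points at.
        Connect-AzAccount -Identity -ErrorAction Stop | Out-Null
    }
    else {
        # Service principal with certificate: the private key stays in the certificate
        # store and no password appears in the script, its parameters or its logs.
        Connect-AzAccount -ServicePrincipal `
            -TenantId $TenantId `
            -ApplicationId $ApplicationId `
            -CertificateThumbprint $Thumbprint `
            -ErrorAction Stop | Out-Null
    }
}
catch {
    throw "Unattended sign-in failed: $($_.Exception.Message)"
}

# Check which identity the script is acting as before doing anything privileged.
$ctx = Get-AzContext
'{0} ({1}) in tenant {2}' -f $ctx.Account.Id, $ctx.Account.Type, $ctx.Tenant.Id
```

Prefer the certificate over a client secret where a managed identity is unavailable: the secret is a password that has to be handed to the script somehow, while the certificate's private key can be marked non-exportable and never leaves the host.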

868
MCQ, hard

A company uses Azure Firewall to secure outbound traffic from a hub virtual network. The security team reports that some traffic is bypassing the firewall because of asymmetric routing. You need to design a solution to force all outbound traffic through the firewall. What should you implement?

A.VNet peering with gateway transit
B.User Defined Routes (UDRs) with a default route (0.0.0.0/0) pointing to Azure Firewall
C.Azure Route Server
D.Azure Firewall Manager to enforce routing policies
Answer: B

UDRs override system routes and force all outbound traffic through the firewall, ensuring symmetric routing.

Why this answer

Option B is correct because User Defined Routes with a default route (0.0.0.0/0) pointing to the Azure Firewall private IP enforce traffic symmetry. Option D is wrong because Azure Firewall Manager does not enforce routing; it manages policies. Option A is wrong because VNet peering does not force traffic through a firewall.

Option C is wrong because Azure Route Server learns routes dynamically but does not enforce forced tunneling.
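The route the answer describes, as an added example that is not part of the question bank: a 0.0.0.0/0 user-defined route whose next hop is the firewall's private IP, attached to a spoke workload subnet, followed by the check a network engineer would run on a NIC in that subnet. Resource group, VNet, subnet and NIC names are placeholders.

```powershell
# Added example (not from the question bank): force all outbound traffic from a spoke
# subnet through Azure Firewall and verify the effective route. Names are placeholders.
$rg         = 'rg-network-hub'
$location   = 'eastus'
$fwName     = 'fw-hub'
$vnetName   = 'vnet-spoke-prod'
$subnetName = 'snet-workload'
$subnetCidr = '10.1.1.0/24'

# The next hop is the firewall's *private* IP on AzureFirewallSubnet, not its public IP.
$fw          = Get-AzFirewall -Name $fwName -ResourceGroupName $rg
$fwPrivateIp = $fw.IpConfigurations[0].PrivateIPAddress

$defaultRoute = New-AzRouteConfig -Name 'default-to-firewall' `
    -AddressPrefix '0.0.0.0/0' `
    -NextHopType VirtualAppliance `
    -NextHopIpAddress $fwPrivateIp

# Disabling BGP route propagation stops prefixes learned from ExpressRoute/VPN gateways
# from appearing as more specific routes that would send traffic around the firewall,
# which is the usual cause of the asymmetric routing the question describes.
$rt = New-AzRouteTable -Name 'rt-spoke-workload' -ResourceGroupName $rg -Location $location `
    -Route $defaultRoute -DisableBgpRoutePropagation

# Associate the table with the workload subnet only; never attach a 0.0.0.0/0 route to
# the firewall's own subnet, or its egress would loop back to itself.
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
    -AddressPrefix $subnetCidr -RouteTable $rt | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Check: the effective routes of a NIC in that subnet should show 0.0.0.0/0 -> VirtualAppliance
# sourced from 'User', with the platform's own Internet route marked Invalid.
$nic = Get-AzNetworkInterface -ResourceGroupName 'rg-spoke-prod' -Name 'nic-web01'
Get-AzEffectiveRouteTable -NetworkInterfaceName $nic.Name -ResourceGroupName $nic.ResourceGroupName |
    Where-Object { $_.AddressPrefix -contains '0.0.0.0/0' } |
    Select-Object Source, State, AddressPrefix, NextHopType, NextHopIpAddress
```

The effective-route check is the part to keep: a default route that is present in the table but shown as Invalid, or an Active route from a gateway with a more specific prefix, is exactly how bypass traffic is usually found. Return traffic from on-premises toward the spoke needs the same treatment on the GatewaySubnet (spoke prefixes routed to the firewall) or the reply path will again be asymmetric.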

869
MCQ, medium

A global e-commerce company stores product catalog data in a JSON document format. The application requires low-latency reads and writes from multiple geographic regions. The solution must support multi-region writes with automatic conflict resolution and provide a guaranteed 99th percentile latency. Which Azure Cosmos DB API and consistency level should they choose?

A.SQL API with Session consistency
B.Table API with Eventual consistency
C.SQL API with Strong consistency
D.MongoDB API with Bounded staleness consistency
Answer: A

The SQL API supports JSON documents, and Session consistency provides low latency with read-your-writes guarantee, suitable for e-commerce applications.

Why this answer

The SQL API with Session consistency is correct because it supports multi-region writes with automatic conflict resolution using last-writer-wins (LWW) and provides a guaranteed 99th percentile latency. Session consistency is the most widely used level for globally distributed applications, offering read-your-writes guarantees while maintaining low latency across regions.

Exam trap

The trap here is that candidates often assume Strong consistency is required for low-latency multi-region writes, but Strong consistency is incompatible with multi-region writes and would actually increase latency, while Session consistency provides the right balance of performance and guarantees.

How to eliminate wrong answers

Option B (Table API with Eventual consistency) is wrong because the Table API does not support multi-region writes; it only supports single-region writes with multi-region reads. Option C (SQL API with Strong consistency) is wrong because Strong consistency cannot be used with multi-region writes; it is only supported in single-region write configurations and would introduce high latency across regions. Option D (MongoDB API with Bounded staleness consistency) is wrong because Bounded staleness consistency, while supporting multi-region writes, does not guarantee a specific 99th percentile latency due to the configurable staleness window (k or t), which can introduce unpredictable delays.

870
MCQ, medium

Adatum Corporation runs a customer-facing API on Azure API Management (Developer tier) in the East US region. The backend is an Azure Function app (Premium plan) also in East US. The data is stored in Azure Cosmos DB (Core SQL API) with a single write region in East US. The company requires:

- RPO: 0 (zero data loss).
- RTO: 1 minute for the API to be available after a region failure.
- The solution must be fully automated.
- Cost is not a primary concern.

What DR strategy should you recommend?

A.Deploy the API Management, Functions, and Cosmos DB across two Availability Zones in East US. Use zone-redundant services. For Cosmos DB, use multi-region writes within the same region (not possible).
B.Deploy an active-active architecture in East US and West US. Deploy API Management in both regions and use Azure Front Door with health probes for automatic failover. Deploy Azure Functions in both regions (Premium plan supports multi-region). Configure Cosmos DB with multi-region writes (single write region with automatic failover) and strong consistency. All traffic is active-active, with automatic failover.
C.Deploy a passive standby in West US with a second API Management instance, a second Functions app, and a second Cosmos DB write region (multi-region writes). Use Azure Front Door with health probes to automatically route traffic. Manually failover Cosmos DB during disaster.
D.Deploy a passive standby in West US using Azure Site Recovery to replicate the Azure Functions and API Management. For Cosmos DB, enable a secondary read region and manual failover. Use Azure Traffic Manager to switch traffic during a disaster.
Answer: B

Active-active with automatic failover meets RPO=0 and RTO=1 minute.

Why this answer

Option B is correct because an active-active multi-region architecture with Cosmos DB multi-region writes (strong consistency in single write region with automatic failover) ensures zero data loss and automatic failover. API Management can be deployed in multiple regions with Azure Front Door for global load balancing and automatic failover. The Azure Functions Premium plan supports multi-region deployment.

Option D is wrong because Azure Site Recovery has a higher RTO. Option C is wrong because a passive standby has a higher RTO due to manual steps. Option A is wrong because Availability Zones do not protect against a regional outage.

871
Multi-Select, hard

Which THREE of the following are best practices for designing an Azure SQL Database solution for performance and scalability?

Select 3 answers
A.Use appropriate indexes to optimize query performance
B.Use elastic pools to manage multiple databases with variable workloads
C.Implement read replicas for read-heavy workloads
D.Avoid using stored procedures to reduce complexity
E.Disable automatic tuning to maintain consistent performance
Answers: A, B, C

Indexes improve query speed.

Why this answer

Option A is correct because appropriate indexes, such as clustered and nonclustered indexes, reduce the number of data pages scanned during query execution, directly improving query performance. In Azure SQL Database, index tuning is critical for minimizing I/O and CPU overhead, especially for large tables or complex joins.

Exam trap

The trap here is that candidates may mistakenly think stored procedures add complexity or that disabling automatic tuning ensures consistency, when in fact both practices hinder scalability and performance in Azure SQL Database's managed environment.

872
MCQ, hard

A company runs a critical financial application on Azure Kubernetes Service (AKS) in a single region. The application uses Azure Cosmos DB for NoSQL with multiple write regions. You need to design a business continuity solution that meets an RPO of 0 seconds and an RTO of less than 5 seconds for a regional outage. The solution must be cost-optimized. What should you include in the design?

A.Deploy AKS clusters in two regions, use Azure Front Door to route traffic, and configure Azure Cosmos DB with multiple write regions and automatic failover.
B.Deploy AKS clusters in two regions, use Azure Traffic Manager with priority routing, and configure Azure Cosmos DB with a single write region and a readable secondary.
C.Deploy AKS clusters across availability zones in one region, use Azure Load Balancer, and configure Azure SQL Database with active geo-replication.
D.Deploy AKS clusters in two regions, use Azure Front Door, and configure Azure Cosmos DB with a single write region and manual failover.
Answer: A

Cosmos DB multi-region writes provide RPO=0; AKS with Front Door enables instant traffic switching.

Why this answer

Option A is correct because AKS can be deployed across Azure regions with Azure Front Door for global load balancing; Cosmos DB multi-region writes provide RPO=0 and automatic failover within seconds. Option B uses Azure Traffic Manager which does not provide instant failover. Option C uses Azure SQL Database which does not offer RPO=0 across regions.

Option D uses manual failover which increases RTO.
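Questions 869, 870 and 872 all turn on the same Cosmos DB configuration: multiple write regions, a consistency level that is allowed with them, and a conflict-resolution policy for concurrent writes. The following added example, not from the question bank, provisions that configuration with the Az.CosmosDB cmdlets and then reads the account back to confirm it. Resource group, account name and regions are placeholders.

```powershell
# Added example (not from the question bank): Cosmos DB for NoSQL with multi-region writes,
# Session consistency and last-writer-wins conflict resolution. Names are placeholders.
$rg      = 'rg-catalog'
$account = 'cosmos-catalog-<unique>'   # placeholder: must be globally unique, lowercase
$regions = @('East US', 'West US')     # first entry receives failover priority 0

# Strong consistency cannot be combined with multi-region writes (the service rejects it),
# which is why the scenario pairs multi-write with Session.
New-AzCosmosDBAccount -ResourceGroupName $rg -Name $account `
    -ApiKind Sql `
    -Location $regions `
    -EnableMultipleWriteLocations `
    -DefaultConsistencyLevel Session | Out-Null

New-AzCosmosDBSqlDatabase -ResourceGroupName $rg -AccountName $account -Name 'catalog' | Out-Null

# Last-writer-wins on /_ts: when two regions update the same item concurrently, the write
# with the newest server timestamp wins. Point the path at an application-controlled
# property (for example /version) if clock skew between regions must not decide the winner.
New-AzCosmosDBSqlContainer -ResourceGroupName $rg -AccountName $account -DatabaseName 'catalog' `
    -Name 'products' `
    -PartitionKeyKind Hash -PartitionKeyPath '/productId' `
    -ConflictResolutionPolicyMode LastWriterWins -ConflictResolutionPolicyPath '/_ts' `
    -AutoscaleMaxThroughput 4000 | Out-Null

# Check: multi-write enabled, Session as the default level, and both regions writable.
# With every region accepting writes, a regional outage needs no write-region failover.
$acct = Get-AzCosmosDBAccount -ResourceGroupName $rg -Name $account
[pscustomobject]@{
    MultiRegionWrites = $acct.EnableMultipleWriteLocations
    Consistency       = $acct.ConsistencyPolicy.DefaultConsistencyLevel
    WriteRegions      = ($acct.WriteLocations | ForEach-Object LocationName) -join ', '
}
```

The conflict-resolution path is the design decision most often skipped: the default timestamp policy is fine for a product catalog where the latest edit should win, but an inventory counter or anything with ordering requirements needs a custom policy or a stored procedure rather than last-writer-wins.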

873
MCQ, hard

A company runs a critical application on Azure VMs in a single region. The database tier uses SQL Server on Azure VMs. They need to implement disaster recovery to a secondary region with an RPO of 30 seconds and an RTO of 10 minutes for the database, and an RPO of 5 minutes and RTO of 1 hour for the VMs. The solution must minimize data loss and be cost-effective. Which combination should they use?

A.Azure Site Recovery for VMs and SQL Server Always On Availability Groups with synchronous commit
B.Azure Site Recovery for VMs and SQL Server log shipping
C.Azure Backup for VMs and SQL Server database mirroring
D.Azure Site Recovery for VMs and SQL Server Always On Availability Groups with asynchronous commit
Answer: D

Asynchronous commit meets RPO of 30 seconds, and ASR meets VM RPO/RTO requirements; this is cost-effective and recommended across regions.

Why this answer

Option D is correct because Azure Site Recovery (ASR) provides VM replication to a secondary region with an RPO of 5 minutes and RTO of 1 hour, meeting the VM requirements. SQL Server Always On Availability Groups with asynchronous commit can achieve an RPO of 30 seconds (or less) while minimizing cost by avoiding synchronous replication overhead, and it supports automatic failover for the database tier, meeting the 10-minute RTO.

Exam trap

The trap here is that candidates often choose synchronous commit (Option A) thinking it minimizes data loss, but they overlook the cost and latency constraints of cross-region synchronous replication, making asynchronous commit the practical choice for the given RPO and cost-effectiveness requirements.

How to eliminate wrong answers

Option A is wrong because SQL Server Always On Availability Groups with synchronous commit requires low-latency, high-bandwidth links between regions, which is not cost-effective and can impact performance; it also typically requires at least three replicas for automatic failover, increasing complexity and cost. Option B is wrong because SQL Server log shipping has a typical RPO of minutes to hours (not 30 seconds) and an RTO that can exceed 10 minutes due to manual failover and log restore steps. Option C is wrong because Azure Backup for VMs is a backup solution, not a disaster recovery replication tool, and cannot achieve an RPO of 5 minutes or RTO of 1 hour; SQL Server database mirroring (deprecated) does not support automatic failover to a secondary region and has higher latency.

874
MCQ, medium

A company wants to cache frequently accessed session state and product data for their e-commerce website. They need the cache to be highly available with a 99.9% SLA and provide fast read and write access. The solution must be fully managed. Which Azure Cache tier should they choose?

A.Azure Redis Cache Basic tier
B.Azure Redis Cache Standard tier
C.Azure Redis Cache Premium tier
D.Azure Content Delivery Network
Answer: B

Standard tier offers a 99.9% SLA, replication, and is fully managed, making it suitable for caching with high availability.

Why this answer

The Standard tier of Azure Redis Cache provides a 99.9% SLA through built-in replication with two nodes (primary and replica) in the same region, ensuring high availability. It is fully managed, supports fast read/write access for session state and product data, and meets the requirement without the additional cost or complexity of the Premium tier.

Exam trap

The trap here is that candidates often choose the Premium tier for high availability, not realizing that the Standard tier already provides a 99.9% SLA with replication, and Premium adds features like data persistence and clustering that are not required by the question.

How to eliminate wrong answers

Option A is wrong because the Basic tier has no SLA (0% SLA) and no replication, making it unsuitable for high availability requirements. Option C is wrong because the Premium tier, while offering higher performance and features like persistence and clustering, is overkill for the stated requirements and incurs unnecessary cost; the Standard tier already meets the 99.9% SLA and fast access needs. Option D is wrong because Azure Content Delivery Network is a caching solution for static content delivery at edge locations, not a low-latency, fully managed cache for dynamic session state and product data; it does not provide the read/write semantics required for session state.

875
MCQ, medium

You are designing a hybrid storage solution where on-premises applications need low-latency access to file shares hosted in Azure. The solution must cache frequently accessed files locally and sync changes bidirectionally. Which Azure feature should you use?

A.Azure File Sync
B.Azure Data Box
C.Azure NetApp Files with ExpressRoute
D.Azure Blob Storage with Azure Files migration
Answer: A

File Sync provides local caching and bidirectional sync.

Why this answer

Azure File Sync is the correct choice because it enables bidirectional syncing of Azure file shares with on-premises Windows Servers, caching frequently accessed files locally for low-latency access while automatically syncing changes back to Azure. This meets the hybrid requirement of local caching and bidirectional sync without requiring full migration or dedicated network circuits.

Exam trap

The trap here is that candidates treat Azure NetApp Files with ExpressRoute as a caching solution, but ExpressRoute only improves network latency and reliability; it does not provide local caching or bidirectional sync, which are the core requirements of the scenario.

How to eliminate wrong answers

Option B is wrong because Azure Data Box is a physical data transfer device for bulk offline migration, not a continuous caching or bidirectional sync solution. Option C is wrong because Azure NetApp Files with ExpressRoute provides high-performance NFS/SMB volumes but does not include built-in bidirectional caching or sync with on-premises file servers; it requires separate replication tools. Option D is wrong because Azure Blob Storage with Azure Files migration is a one-time migration path, not a hybrid caching and sync service; Blob Storage itself does not support SMB file shares or bidirectional sync natively.

876
Multi-Select, medium

Which TWO actions can be performed using Microsoft Entra ID Governance? (Choose two.)

Select 2 answers
A.Synchronize users from on-premises Active Directory
B.Manage access packages for internal and external users
C.Perform access reviews of group memberships
D.Configure network security group rules
E.Deploy virtual machines in Azure
Answers: B, C

Entitlement Management is part of Entra ID Governance.

Why this answer

Microsoft Entra ID Governance includes entitlement management, which allows administrators to create and manage access packages that bundle resources (like groups, apps, and SharePoint sites) and assign them to internal and external users. This enables automated lifecycle management of access, including expiration and renewal, making Option B correct.

Exam trap

The trap here is that candidates may treat the access review capability (Option C) as a separate product rather than part of Entra ID Governance, and so pick only one of B and C when the question asks for two; others select Option A because synchronization is a common identity task, but it is not a governance action.

877
MCQ, easy

You need to design a storage solution for an Azure virtual machine that runs a mission-critical application. The solution must provide the highest availability SLA and support up to 80,000 IOPS. Which type of Azure managed disk should you use?

A.Premium SSD v2
B.Ultra Disk
C.Standard SSD
D.Premium SSD (non-v2)
Answer: A

Premium SSD v2 supports up to 80,000 IOPS and provides high SLA.

Why this answer

Premium SSD v2 is correct because it offers the highest availability SLA (99.9% for single-instance VMs) and supports up to 80,000 IOPS per disk, meeting the mission-critical requirements. Unlike Ultra Disk, Premium SSD v2 does not require a dedicated capacity reservation, making it more cost-effective while still delivering high performance.

Exam trap

The trap here is that candidates often assume Ultra Disk is the only high-IOPS option, overlooking that Premium SSD v2 can achieve 80,000 IOPS with a better SLA and without the capacity reservation requirement, or they mistakenly think Premium SSD non-v2 can reach 80,000 IOPS without realizing its per-disk IOPS limit is capped at 20,000 for smaller sizes.

How to eliminate wrong answers

Option B (Ultra Disk) is wrong because while it can exceed 80,000 IOPS, it requires a dedicated capacity reservation and has a lower SLA (99.9% for single-instance VMs) compared to Premium SSD v2, and it is not the most cost-effective choice for this IOPS requirement. Option C (Standard SSD) is wrong because it supports a maximum of 6,000 IOPS per disk, far below the required 80,000 IOPS, and has a lower SLA (99.5% for single-instance VMs). Option D (Premium SSD non-v2) is wrong because it supports up to 20,000 IOPS per disk (for P30 size) and requires larger disk sizes to achieve higher IOPS, making it unsuitable for 80,000 IOPS without using multiple disks or larger sizes that exceed typical capacity needs.

878
MCQ, medium

A media company is building a video streaming platform on Azure. The platform will store original high-definition videos and convert them to multiple resolutions for distribution. The company needs a cost-effective storage solution for the original videos, which are accessed infrequently but must be instantly available when needed. The converted videos will be served to end users globally and must be cached at edge locations for low latency. You need to design a storage and content delivery solution. What should you recommend?

A.Store original videos in Azure Blob Storage Cool tier and use Azure CDN for distribution.
B.Store original videos in Azure Blob Storage Premium tier and use Azure CDN for distribution.
C.Store original videos in Azure Blob Storage Archive tier and use Azure CDN for distribution.
D.Store original videos in Azure Files and use Azure Front Door for caching.
Answer: A

Cool tier is cost-effective, and CDN provides edge caching.

Why this answer

Option A is correct because the Azure Blob Storage Cool tier is cost-effective for infrequently accessed original videos, and Azure Content Delivery Network (CDN) caches converted videos at edge locations for low latency. Option B is wrong because the Premium tier is expensive for infrequent access. Option D is wrong because Azure Files is not optimized for video streaming.

Option C is wrong because the Archive tier has high retrieval latency.

879
MCQ, medium

You are designing a containerized microservices application on Azure Kubernetes Service (AKS). The application must scale automatically based on HTTP traffic. You need to minimize cost by scaling down to zero pods when there is no traffic. Which scaling solution should you use?

A.Horizontal Pod Autoscaler (HPA)
B.Cluster Autoscaler
C.Kubernetes Event-driven Autoscaler (KEDA)
D.Vertical Pod Autoscaler (VPA)
Answer: C

KEDA can scale to zero based on HTTP traffic.

Why this answer

Option C is correct. The Kubernetes Event-driven Autoscaler (KEDA) can scale based on HTTP requests and supports scaling to zero pods when there is no traffic. Option A is wrong because the Horizontal Pod Autoscaler (HPA) cannot scale to zero.

Option B is wrong because the Cluster Autoscaler scales nodes, not pods. Option D is wrong because the Vertical Pod Autoscaler adjusts resource requests, not the number of pods.

880
MCQ, easy

A company deploys a web application on multiple Azure VMs within an availability set. They need to distribute incoming HTTP traffic evenly across the VMs and provide health probe monitoring. The solution must support SSL termination and source IP affinity (session persistence). Which Azure load balancing solution should they choose?

A.Azure Load Balancer (Basic)
B.Azure Load Balancer (Standard)
C.Azure Application Gateway v2
D.Azure Traffic Manager
Answer: C

Application Gateway is a layer-7 load balancer that offers SSL termination, cookie-based session affinity, and health probes, meeting all requirements.

Why this answer

Azure Application Gateway v2 is the correct choice because it is a Layer 7 load balancer that supports SSL termination, source IP affinity (session persistence), and health probe monitoring. It can distribute HTTP traffic evenly across VMs in an availability set while offloading SSL processing from the backend VMs.

Exam trap

The trap here is that candidates often confuse Layer 4 load balancers (Azure Load Balancer) with Layer 7 application delivery controllers (Application Gateway), assuming that SSL termination and session persistence are available in all load balancing tiers, but these features require application-layer processing only provided by Application Gateway.

How to eliminate wrong answers

Option A is wrong because Azure Load Balancer (Basic) operates at Layer 4 and does not support SSL termination or application-layer features like session persistence based on source IP. Option B is wrong because Azure Load Balancer (Standard) also operates at Layer 4 and cannot terminate SSL or provide Layer 7 routing capabilities. Option D is wrong because Azure Traffic Manager is a DNS-based global traffic routing solution that does not handle SSL termination or health probes at the application layer; it distributes traffic across endpoints based on DNS resolution, not direct HTTP traffic distribution.

881
Multi-Select, medium

Which TWO are benefits of using Microsoft Entra ID Governance? (Choose two.)

Select 2 answers
A.Automate the deprovisioning of user accounts when an employee leaves the organization
B.Implement entitlement management for access request workflows
C.Enable just-in-time privileged access to Azure resources
D.Provide single sign-on to all SaaS applications
E.Provide VPN connectivity for remote users
AnswersA, B

Entra ID Governance automates deprovisioning as part of the identity lifecycle.

Why this answer

Option A is correct because Microsoft Entra ID Governance includes automated lifecycle workflows that can detect when an employee leaves the organization (e.g., via HR integration) and automatically remove or disable their user accounts, ensuring timely deprovisioning and reducing security risks. This automation is a core governance capability that enforces the principle of least privilege and helps maintain a clean identity lifecycle.

Exam trap

The trap here is that candidates confuse the overlapping capabilities of Microsoft Entra ID, Entra ID Governance, and Privileged Identity Management (PIM), mistakenly attributing JIT access or SSO to governance when they belong to separate services within the Microsoft Entra portfolio.

882
MCQeasy

Your company has a large number of unstructured files (images, videos) that need to be stored cost-effectively in Azure. The data is accessed infrequently but must be available within minutes when needed. Which storage tier should you recommend?

A.Premium tier.
B.Archive tier.
C.Cool tier.
D.Hot tier.
AnswerC

Cost-effective for infrequent access, data available within minutes.

Why this answer

Option C is correct because the Cool tier is for infrequently accessed data with immediate availability and lower cost than Hot. Option D is wrong because the Hot tier is for frequently accessed data and costs more. Option B is wrong because the Archive tier has a retrieval time of hours.

Option A is wrong because the Premium tier is for low-latency, high-performance scenarios.

883
MCQmedium

A media company stores large video files that are accessed once a month for audits. When needed, they must be available for download immediately (within seconds). The company wants to minimize storage costs. Which Azure Blob Storage access tier should they use?

A.Hot tier
B.Cool tier
C.Cold tier
D.Archive tier
AnswerB

Cool tier balances lower storage cost with immediate access, ideal for data accessed less than 30 days apart.

Why this answer

The Cool tier is optimal for this scenario because it balances low storage cost with high availability and low latency access. Video files accessed once a month for audits require immediate download (within seconds), which Cool tier supports with the same millisecond latency as Hot tier, but at a lower storage price. Archive tier would introduce a multi-hour rehydration delay, making it unsuitable for on-demand access within seconds.

Exam trap

The trap here is that candidates often choose Archive tier for infrequent access without realizing that the multi-hour rehydration latency makes it impossible to meet the 'within seconds' availability requirement, or they choose Hot tier out of habit for any access speed requirement, ignoring the cost-minimization goal.

How to eliminate wrong answers

Option A (Hot tier) is wrong because it has the highest storage cost, which contradicts the goal of minimizing storage costs for infrequently accessed data. Option C (Cold tier) is wrong because although it offers lower storage cost than Cool, it has a higher minimum storage duration (90 days vs 30 days) and a higher early deletion fee, making it more expensive for data accessed only once a month. Option D (Archive tier) is wrong because it requires a rehydration process that takes up to 15 hours, making it impossible to provide download within seconds on demand.

884
MCQeasy

Your company uses Azure Backup to protect on-premises file servers and Azure VMs. The compliance team requires that backup data be stored in a secondary region to protect against regional disasters. Which Azure Backup feature should you enable?

A.Enable geo-redundant storage (GRS) for the Recovery Services vault
B.Use Azure Site Recovery to replicate the backup data
C.Configure backup policies to back up directly to the secondary region
D.Use a Recovery Services vault in the secondary region
AnswerA

GRS replicates backup data to a paired region.

Why this answer

Option A is correct because Azure Backup allows configuring a Recovery Services vault with geo-redundant storage (GRS) to replicate backup data to a paired region. Option D is wrong because a Recovery Services vault is the container, not the replication feature. Option C is wrong because backing up directly to a secondary region is not supported.

Option B is wrong because Azure Site Recovery is for replication, not backup.

885
MCQeasy

Your company uses Azure SQL Database and needs to retain backups for 7 years for compliance. Which backup retention policy should you configure?

A.Increase automated backup retention to 7 years.
B.Configure point-in-time restore backup retention for 7 years.
C.Enable geo-redundant backups.
D.Configure long-term retention (LTR) backup policy.
AnswerD

LTR allows weekly, monthly, yearly backups up to 10 years.

Why this answer

Azure SQL Database's automated backup retention is limited to a maximum of 35 days, which is insufficient for a 7-year compliance requirement. Long-term retention (LTR) allows you to retain full database backups for up to 10 years by storing them in separate Azure Blob Storage containers. Therefore, configuring an LTR backup policy is the correct solution for meeting a 7-year retention mandate.

Exam trap

The trap here is that candidates often confuse the maximum retention for automated backups (35 days) with the ability to extend it arbitrarily, or they mistakenly think point-in-time restore retention can be configured for years, when in reality only long-term retention (LTR) supports multi-year archival.

How to eliminate wrong answers

Option A is wrong because Azure SQL Database automated backup retention has a maximum of 35 days, not 7 years; you cannot increase it beyond that limit. Option B is wrong because point-in-time restore (PITR) backup retention is also capped at 35 days and is designed for short-term recovery, not long-term archival compliance. Option C is wrong because enabling geo-redundant backups (e.g., geo-redundant storage) provides disaster recovery protection by replicating backups to a paired region, but it does not extend the retention period beyond the default 35 days.

886
MCQmedium

Your company has a global application deployed across multiple Azure regions. You need to design a disaster recovery solution that meets a Recovery Point Objective (RPO) of 15 minutes and a Recovery Time Objective (RTO) of 1 hour. The solution should use Azure-native services and minimize costs. Which option should you choose?

A.Azure Traffic Manager with priority routing
B.Azure Site Recovery with 15-minute replication
C.Active geo-replication for Azure SQL Database
D.Azure Backup with cross-region restore
AnswerB

Azure Site Recovery supports replication frequencies as low as 15 minutes and orchestrated failover within minutes.

Why this answer

Azure Site Recovery with a replication frequency of 15 minutes meets the RPO, and its orchestrated failover meets the RTO. Option C (Active geo-replication for Azure SQL Database) is not applicable to all workloads. Option D (Azure Backup) has a longer RTO.

Option A (Traffic Manager with priority routing) is for load balancing, not disaster recovery.

887
MCQmedium

Your company is migrating a legacy on-premises application to Azure. The application requires low-latency access to a shared file system that supports SMB protocol. The solution must be highly available within a single Azure region and must not require the application to be modified. Which Azure service should you recommend?

A.Azure Managed Disks (SSD)
B.Azure NetApp Files
C.Azure Files (premium tier)
D.Azure Blob Storage
AnswerC

Managed SMB file share with low latency and high availability.

Why this answer

Option C is correct because Azure Files with premium SSD (SMB) provides a fully managed SMB file share with low latency and high availability. Option B is wrong because Azure NetApp Files supports SMB but is more expensive and complex for this use case. Option D is wrong because Azure Blob Storage does not support SMB natively.

Option A is wrong because Azure Managed Disks are block storage, not file shares.

888
Multi-Selecthard

Which THREE conditions should be met to implement a successful Azure landing zone for a new enterprise subscription? (Choose three.)

Select 3 answers
A.A dedicated Azure Active Directory tenant.
B.A management group hierarchy that separates environments.
C.Microsoft Sentinel enabled for security monitoring.
D.A defined network topology with connectivity to on-premises.
E.A subscription vending process to automate creation.
AnswersB, D, E

Management groups help organize subscriptions and apply policies.

Why this answer

A management group hierarchy that separates environments (e.g., production, non-production, and management) is a core design principle of an Azure landing zone. It enables policy inheritance, role-based access control (RBAC) isolation, and cost tracking across different workloads, aligning with the Cloud Adoption Framework's governance best practices.

Exam trap

The trap here is that candidates often confuse optional security tools like Microsoft Sentinel or dedicated tenants as mandatory prerequisites, when the Azure landing zone's success hinges on governance structure (management groups), network connectivity (hub-spoke topology), and automation (subscription vending).

889
MCQeasy

Your company deploys a line-of-business application on Azure App Service. The application requires custom domain names and SSL/TLS certificates. You need to ensure that the application can be accessed via a custom domain with HTTPS. What should you configure in the App Service?

A.Add the custom domain and bind the SSL/TLS certificate.
B.Configure IP restrictions to allow only the custom domain.
C.Create a deployment slot for production traffic.
D.Scale out the App Service plan to increase instance count.
AnswerA

Adding a custom domain and binding a certificate enables HTTPS access.

Why this answer

Option A is correct because to use a custom domain with HTTPS, you add the custom domain in the App Service's custom domains blade and upload or bind an SSL/TLS certificate. Option D is incorrect because scaling out does not affect custom domains. Option C is incorrect because deployment slots are for staging, not custom domains.

Option B is incorrect because IP restrictions are for network security, not domain configuration.

890
MCQhard

You need to design a network topology for a global e-commerce platform on Azure. The solution must provide low-latency access to static content and protect the backend APIs from DDoS attacks. The backend APIs are deployed in multiple regions behind an internal load balancer. Which services should you use?

A.Azure Traffic Manager and Azure Firewall.
B.Azure Content Delivery Network (CDN) and Azure Load Balancer.
C.Azure Application Gateway with WAF and Azure API Management.
D.Azure Front Door with WAF and Azure API Management.
AnswerD

Front Door provides global load balancing, WAF, DDoS protection; API Management secures and manages APIs.

Why this answer

Option D is correct because Azure Front Door provides global load balancing, SSL offload, WAF, and DDoS protection; Azure API Management provides API gateway functionality. Option C is wrong because Azure Application Gateway is regional, not global. Option A is wrong because Azure Traffic Manager is DNS-based and does not provide WAF.

Option B is wrong because Azure CDN does not provide API management.

891
MCQhard

Contoso Ltd. runs a mission-critical application on Azure Virtual Machines in the East US region. The application uses Azure SQL Database (Business Critical tier) and stores files in Azure Blob Storage (hot tier). The business requires a Recovery Time Objective (RTO) of 15 minutes and a Recovery Point Objective (RPO) of 5 minutes for the application. For SQL Database, they need the ability to fail over to a secondary region with no data loss. For Blob Storage, they need to maintain read access to data even if the primary region fails. The solution must be cost-optimized and not exceed the RTO/RPO. Which combination of services should you recommend?

A.Configure Azure SQL Database failover groups with automatic failover, and use geo-redundant storage (GRS) for Blob Storage.
B.Deploy Azure Site Recovery for VMs, configure Azure SQL Database failover groups, and use geo-zone-redundant storage (GZRS) for Blob Storage.
C.Configure Azure SQL Database geo-restore for the database, and use zone-redundant storage (ZRS) for Blob Storage.
D.Configure Azure SQL Database active geo-replication with a secondary in a paired region, and use read-access geo-redundant storage (RA-GRS) for Blob Storage.
AnswerD

Active geo-replication provides synchronous replication for zero data loss, and RA-GRS allows read access during a regional outage, meeting RTO/RPO.

Why this answer

Option D is correct because Azure SQL Database with active geo-replication provides synchronous replication to a secondary region, achieving an RPO of 0 (no data loss), and failover can be initiated within minutes, meeting the RTO of 15 minutes. Azure Blob Storage with read-access geo-redundant storage (RA-GRS) allows read access to data in the secondary region even if the primary fails, and its asynchronous replication meets the RPO of 5 minutes. Option B is wrong because Azure Site Recovery for SQL Database is not necessary and adds cost/complexity; SQL Database has built-in geo-replication.

Option A is wrong because Azure SQL Database failover groups use asynchronous replication, which could lose data (RPO > 5 minutes) unless configured with a premium tier, and still not zero data loss. Option C is wrong because Azure SQL Database geo-restore has an RTO of hours, not 15 minutes.

892
MCQmedium

A company has headquarters and multiple branch offices worldwide, each with its own on-premises network. They want to connect all these sites to Azure and to each other over a single, centrally managed solution. They need high bandwidth connectivity for site-to-site traffic, support for both VPN and ExpressRoute connections, and automatic routing management without the complexity of configuring multiple VPN tunnels or BGP manually. Which Azure service should they use?

A.Azure Virtual WAN
B.Azure VPN Gateway (site-to-site) with BGP
C.Azure ExpressRoute with Microsoft peering
D.Azure Virtual Network peering
AnswerA

Azure Virtual WAN provides a hub-and-spoke architecture across regions, automatically routes traffic, supports VPN and ExpressRoute, and simplifies management of multiple branch connections.

Why this answer

Azure Virtual WAN is the correct choice because it provides a single, centrally managed hub-and-spoke architecture that connects branch offices, headquarters, and Azure over a unified network. It supports both VPN and ExpressRoute connections, automatically manages routing (including BGP) without manual configuration of multiple tunnels, and offers high bandwidth for site-to-site traffic.

Exam trap

The trap here is that candidates often confuse Azure Virtual WAN with a simple VPN gateway or ExpressRoute, not realizing that Virtual WAN is a managed overlay that combines both connectivity types with automatic routing, while the other options require manual configuration for multi-site scenarios.

How to eliminate wrong answers

Option B is wrong because Azure VPN Gateway (site-to-site) with BGP requires manual configuration of multiple VPN tunnels and BGP peering for each branch, lacking the centralized management and automatic routing that Virtual WAN provides. Option C is wrong because Azure ExpressRoute with Microsoft peering only provides private connectivity to Azure, not site-to-site connectivity between branch offices, and does not include VPN support or automatic routing management across multiple sites. Option D is wrong because Azure Virtual Network peering connects only Azure virtual networks, not on-premises networks, and cannot provide site-to-site connectivity between branch offices or support VPN/ExpressRoute connections.

893
MCQhard

A company is planning to migrate a legacy application to Azure VMs. The application requires a static IP address for licensing purposes. The VM must be highly available within a single region. Which combination of Azure resources should they use?

A.Application Gateway with a static frontend IP and virtual machine scale set
B.Standard Load Balancer with a static frontend IP and availability set
C.Basic Load Balancer with a static frontend IP and availability zone
D.Azure Front Door with a static backend IP and VM in an availability zone
AnswerB

Standard Load Balancer supports static IP and high availability.

Why this answer

Option B is correct because an Azure Standard Load Balancer with a static frontend IP and an availability set provides a static IP and high availability. Option C is incorrect because a Basic load balancer does not support availability zones. Option A is incorrect because an Application Gateway is for web traffic.

Option D is incorrect because a public IP prefix is for multiple IPs.

894
Multi-Selecteasy

A company is designing a storage solution for a new application that will store large amounts of unstructured data, such as images and videos. The data must be highly durable and available, and the solution should minimize costs for infrequently accessed data. Which TWO storage options should be recommended? (Choose two.)

Select 2 answers
A.Azure Blob Storage with Cool access tier
B.Azure Disk Storage with Standard HDD
C.Azure Files with Premium performance tier
D.Azure NetApp Files with Standard service level
E.Azure Blob Storage with Archive access tier
AnswersA, E

Optimized for unstructured data and cost-effective for infrequent access.

Why this answer

The correct answers are A and E. Azure Blob Storage is ideal for unstructured data, and the Cool access tier is cost-effective for infrequently accessed data. Option C is wrong because Azure Files is for file shares and is not optimal for large-scale unstructured data.

Option B is wrong because Azure Disk Storage is for VM disks, not general unstructured data. Option D is wrong because Azure NetApp Files is for enterprise workloads requiring high performance and is not cost-effective for infrequent access.

895
MCQmedium

A company is designing a storage solution for a critical application that requires low latency (under 5 ms) and high throughput for large files (up to 10 GB). The solution must support NFS and SMB protocols. Which Azure storage solution should you recommend?

A.Azure Blob Storage (premium tier)
B.Azure NetApp Files
C.Azure Managed Disks (Ultra Disk)
D.Azure Files (premium tier)
AnswerB

Azure NetApp Files offers high performance, low latency, and both NFS and SMB protocols for large files.

Why this answer

Azure NetApp Files is the correct choice because it provides a fully managed, high-performance file share service that supports both NFS and SMB protocols natively, with sub-millisecond latency and throughput suitable for large files up to 10 GB. It is built on NetApp's ONTAP technology and is designed for latency-sensitive enterprise workloads, meeting the under-5 ms requirement while handling large file sizes efficiently.

Exam trap

The trap here is that candidates often confuse Azure Files (premium) with Azure NetApp Files, assuming both offer identical NFS and SMB support, but Azure Files' NFS is still in preview and lacks the enterprise-grade performance and protocol maturity of Azure NetApp Files for large-file, low-latency workloads.

How to eliminate wrong answers

Option A is wrong because Azure Blob Storage (premium tier) does not support NFS or SMB protocols natively; it uses REST APIs or NFS 3.0 only (not SMB), and its block blob architecture is optimized for object storage, not shared file access for large files with low latency. Option C is wrong because Azure Managed Disks (Ultra Disk) provides block-level storage with low latency but does not support NFS or SMB protocols; it is attached as a raw disk to a VM and requires the guest OS to manage file sharing, making it unsuitable for direct protocol-based access. Option D is wrong because Azure Files (premium tier) supports SMB and NFS (preview), but its NFS implementation is limited to Linux clients and lacks the advanced performance tuning, high throughput, and sub-5 ms latency consistency required for large files up to 10 GB, especially under concurrent access patterns.

896
Multi-Selecthard

Which THREE components are required to implement a hybrid cloud solution that extends on-premises Active Directory to Azure and provides single sign-on (SSO) to cloud applications? (Choose three.)

Select 3 answers
A.Microsoft Entra Domain Services
B.Microsoft Entra Connect Sync
C.Azure AD Application Proxy
D.Microsoft Entra ID (formerly Azure AD)
E.Active Directory Federation Services (AD FS)
AnswersB, D, E

Synchronizes on-premises AD with Entra ID.

Why this answer

B, D, and E are correct. Microsoft Entra Connect Sync synchronizes identities; Microsoft Entra ID provides the cloud identity platform; Active Directory Federation Services (AD FS) enables SSO for on-premises and cloud apps. C is wrong because Azure AD Application Proxy is for publishing on-premises apps, not SSO.

A is wrong because Microsoft Entra Domain Services manages domain services in the cloud but is not required for SSO.

897
MCQmedium

A company uses Microsoft Entra ID and Microsoft Intune. They want to block all access to internal corporate applications from devices that are not enrolled in Intune and do not meet the company's compliance policies. The solution must apply to all cloud app access seamlessly. Which Microsoft Entra ID feature should they configure?

A.Microsoft Entra ID Conditional Access
B.Microsoft Entra ID Identity Protection
C.Microsoft Entra ID Privileged Identity Management
D.Microsoft Entra ID Access Reviews
AnswerA

Conditional Access policies can require that devices be compliant and managed by Intune, blocking access from non-compliant devices.

Why this answer

Microsoft Entra ID Conditional Access is the correct feature because it enables you to create policies that evaluate device compliance and enrollment status before granting access to cloud applications. By configuring a Conditional Access policy with a condition requiring devices to be marked as compliant and enrolled in Intune, you can block access from non-compliant or unenrolled devices seamlessly across all integrated cloud apps.

Exam trap

The trap here is that candidates often confuse Identity Protection (which handles risk-based conditional access) with Conditional Access (which handles broader policy conditions like device compliance), leading them to select Identity Protection when the question explicitly requires device enrollment and compliance enforcement.

How to eliminate wrong answers

Option B (Microsoft Entra ID Identity Protection) is wrong because it focuses on detecting and responding to identity-based risks (e.g., leaked credentials, sign-ins from anonymous IPs) rather than enforcing device compliance or enrollment requirements. Option C (Microsoft Entra ID Privileged Identity Management) is wrong because it manages just-in-time privileged role assignments and access reviews for administrative roles, not device-level access controls for all users. Option D (Microsoft Entra ID Access Reviews) is wrong because it automates periodic attestation of group memberships or application access, but does not enforce real-time device compliance checks at the point of authentication.

898
MCQeasy

A company needs to store millions of small JSON files (average 10 KB each) for a serverless application. The data must be accessed via HTTPS and support high read throughput. Which Azure storage solution is most cost-effective?

A.Azure Blob Storage (general-purpose v2, hot tier)
B.Azure Files (standard)
C.Azure Cosmos DB
D.Azure Table Storage
AnswerA

Blob Storage provides scalable object storage with HTTPS access, ideal for millions of small files.

Why this answer

Azure Blob Storage (general-purpose v2, hot tier) is the most cost-effective solution because it provides native HTTPS access, high throughput for read-heavy workloads, and low-cost storage for small objects like JSON files. The hot tier optimizes for frequent access, and GPv2 accounts support the high request rates needed for millions of small files without premium pricing.

Exam trap

The trap here is that candidates often choose Azure Cosmos DB for JSON files due to its native JSON support, but they overlook the cost inefficiency of using a transactional database for static file storage, where blob storage provides the same HTTPS access at a fraction of the cost.

How to eliminate wrong answers

Option B (Azure Files) is wrong because it is designed for SMB/NFS file shares with mounted drives, not for direct HTTPS access to individual small objects, and its cost per GB is higher than blob storage for this use case. Option C (Azure Cosmos DB) is wrong because it is a NoSQL database optimized for transactional workloads with low-latency queries, not for bulk storage of static JSON files, and its RU-based pricing would be prohibitively expensive for millions of small files with high read throughput. Option D (Azure Table Storage) is wrong because it is a NoSQL key-value store for structured data with partition key limitations, not designed for storing raw JSON files as blobs, and its throughput is constrained by partition scalability.

899
Drag & Dropmedium

Drag and drop the steps to set up Azure Key Vault for storing secrets and access them from an Azure function into the correct order.


Why this order

Create vault, add secret, grant access, configure references, test.

900
MCQhard

A healthcare organization is deploying a new application on Azure that will handle Protected Health Information (PHI). The application must be compliant with HIPAA. The security team requires encryption at rest and in transit, and the ability to audit access to the data. The solution should minimize administrative overhead. Which storage solution should you recommend?

A.Azure SQL Database with Transparent Data Encryption and Always Encrypted
B.Azure Cosmos DB with encryption at rest
C.Azure SQL Managed Instance with customer-managed keys
D.SQL Server on Azure Virtual Machine with BitLocker
AnswerA

Azure SQL Database provides built-in encryption at rest (TDE) and in transit (Always Encrypted), along with auditing, and is a PaaS service minimizing management.

Why this answer

Azure SQL Database with Transparent Data Encryption (TDE) and Always Encrypted meets HIPAA requirements for encryption at rest and in transit, and provides auditing capabilities. It is a PaaS solution that reduces administrative overhead compared to IaaS.
