Microsoft Azure Solutions Architect Expert AZ-305 (AZ-305) — Questions 901–975

999 questions total · 14 pages · All types, answers revealed

Page 13 of 14
901 · MCQ · medium

A company runs a SQL Server database on an Azure VM in West Europe. They need to back up the database daily and retain backups for 7 years for compliance. They also require the ability to restore the database to a secondary Azure region (North Europe) if the primary region fails. They want to minimize operational overhead and costs. Which Azure Backup configuration should they use?

A. A
B. B
C. C
D. D
Answer: A

Use Azure Backup to back up SQL Server to a Recovery Services vault in West Europe and enable cross-region restore to North Europe. This is the recommended approach for backup resilience across regions.

Why this answer

Option A is correct because Azure Backup's built-in cross-region restore (CRR) for Azure VMs allows you to restore SQL Server databases hosted on Azure VMs to a paired secondary region (North Europe) in the event of a disaster, while retaining backups for up to 10 years (covering the 7-year compliance requirement). This configuration minimizes operational overhead by using Azure Backup's native policy-based scheduling and storage management, and it is cost-effective as it uses geo-redundant storage (GRS) for the Recovery Services vault without needing a separate backup infrastructure.

Exam trap

The trap here is that candidates often confuse Azure Site Recovery (ASR) with Azure Backup, thinking ASR can handle long-term backup retention, when in fact ASR is for replication and failover, not for point-in-time restores with multi-year retention, and they may overlook the need to explicitly enable cross-region restore (CRR) on the Recovery Services vault to meet the secondary region recovery requirement.

How to eliminate wrong answers

Option B is wrong because it suggests using Azure Site Recovery (ASR) for database backup, but ASR is designed for replication and failover of entire VMs, not for point-in-time database restore with long-term retention; it also incurs higher costs for continuous replication and does not natively support 7-year backup retention. Option C is wrong because it proposes backing up the SQL Server database to Azure Blob Storage using manual scripts or third-party tools, which increases operational overhead and does not integrate with Azure Backup's native cross-region restore or long-term retention policies. Option D is wrong because it recommends using Azure Backup for SQL Server on Azure VM but without enabling cross-region restore (CRR), which means backups are stored only in the primary region (West Europe) and cannot be restored to North Europe if the primary region fails, failing the disaster recovery requirement.

902 · Matching · medium

Match each Azure service to its primary function.


Concepts
Matches

DNS-based traffic routing

Global HTTP(S) load balancing with WAF

Regional layer-7 load balancer with WAF

Regional layer-4 load balancer

Site-to-site VPN connectivity

Why these pairings

These are core Azure networking services with distinct roles.

903 · MCQ · easy

A company runs a critical Azure SQL Database in the West US region. They need a disaster recovery solution that automatically fails over to a secondary region (East US) with a recovery point objective (RPO) of 5 seconds and a recovery time objective (RTO) of less than 1 hour. Additionally, they want to offload read-only workloads to the secondary database during normal operations. Which Azure SQL Database feature should they enable?

A. Active geo-replication with failover groups
B. Point-in-time restore
C. Long-term backup retention
D. Always On availability groups (self-managed)
Answer: A

Failover groups provide automatic failover to a readable secondary database. Active geo-replication synchronizes data with an RPO of 5 seconds and supports readable secondaries. The failover group ensures automatic failover with an RTO of typically less than 1 hour.

Why this answer

Active geo-replication with failover groups is the correct choice because it provides automatic, asynchronous replication of an Azure SQL Database to a secondary region (East US) with an RPO of up to 5 seconds and an RTO of less than 1 hour. Additionally, it supports readable secondary replicas, allowing read-only workloads to be offloaded to the secondary database during normal operations, meeting all stated requirements.

Exam trap

The trap here is that candidates often confuse active geo-replication with failover groups (which supports readable secondaries and automatic failover) with standard active geo-replication (which requires manual failover and does not provide a single endpoint), or they mistakenly think Always On availability groups applies to Azure SQL Database instead of SQL Server on VMs.

How to eliminate wrong answers

Option B is wrong because point-in-time restore (PITR) only recovers the database to a specific point in time within the same region (retention up to 35 days) and does not provide cross-region failover or a readable secondary for offloading read workloads. Option C is wrong because long-term backup retention (LTR) stores backups for up to 10 years for compliance, but it does not enable automatic failover to a secondary region or support readable secondaries for read offloading. Option D is wrong because Always On availability groups (self-managed) is a feature for SQL Server on Azure Virtual Machines, not for Azure SQL Database managed service, and it requires manual configuration and management, not automatic failover with the specified RPO/RTO.

904 · MCQ · medium

A company wants to deploy containerized microservices on Azure without managing virtual machines. The solution must support automatic scaling based on demand, built-in load balancing, rolling updates for zero-downtime deployments, and a fully managed platform. Which Azure compute service should they choose?

A. Azure Container Apps
B. Azure Container Instances
C. Azure Batch
D. Azure Functions
Answer: A

Azure Container Apps is a serverless platform for running containers. It provides automatic scaling based on HTTP traffic or events, built-in load balancing, and supports rolling updates via revisions. It abstracts away the underlying infrastructure, so there are no VMs to manage.

Why this answer

Azure Container Apps is the correct choice because it provides a fully managed, serverless platform for running containerized microservices without managing virtual machines. It supports automatic scaling based on HTTP traffic or events, built-in load balancing via Envoy, and rolling updates with revision management to ensure zero-downtime deployments. This aligns perfectly with the requirement for a fully managed platform that abstracts away infrastructure.

Exam trap

The trap here is that candidates often confuse Azure Container Instances (ACI) with a managed orchestration solution, but ACI lacks the automatic scaling, load balancing, and rolling update capabilities that Container Apps provides for microservices.

How to eliminate wrong answers

Option B (Azure Container Instances) is wrong because it is designed for running individual containers on demand without built-in orchestration, automatic scaling, or rolling update capabilities—it lacks the microservice management features required. Option C (Azure Batch) is wrong because it is a job-scheduling service for high-performance computing (HPC) and parallel workloads, not for deploying containerized microservices with load balancing and rolling updates. Option D (Azure Functions) is wrong because it is a serverless compute service for event-driven code (functions), not for running containerized microservices; it does not support container orchestration or rolling updates for containers.

905 · Multi-Select · medium

Your company uses Microsoft Entra ID for identity management. You need to design a monitoring solution for sign-in logs to detect suspicious activity. Which TWO Azure services should you include in the design?

Select 2 answers
A. Azure Monitor
B. Microsoft Defender for Cloud Apps
C. Microsoft Sentinel
D. Microsoft Purview
E. Log Analytics workspace
Answers: B, C

Defender for Cloud Apps (part of Microsoft Defender XDR) detects suspicious sign-in activities.

Why this answer

Microsoft Defender for Cloud Apps (Option B) is correct because it provides Cloud Access Security Broker (CASB) capabilities that analyze sign-in logs for anomalous behavior, such as impossible travel, suspicious IP addresses, and credential theft. It integrates with Microsoft Entra ID to detect and respond to risky sign-in events in real time, making it a core component for monitoring suspicious activity.

Exam trap

The trap here is that candidates often select Azure Monitor or Log Analytics workspace alone, thinking they can detect suspicious activity, but they lack the built-in threat detection and analytics engines that are specific to security-focused services like Defender for Cloud Apps and Sentinel.

906 · MCQ · easy

A company is deploying a web application that must be accessible from the internet. The application is hosted on Azure virtual machines in a virtual network. The solution must provide SSL termination, web application firewall (WAF) protection, and URL path-based routing (e.g., /api/* to one backend pool, /app/* to another). The web tier must not be directly exposed to the internet. Which Azure load balancing solution should they use?

A. Azure Application Gateway v2
B. Azure Front Door
C. Azure Load Balancer
D. Azure Traffic Manager
Answer: A

Application Gateway is a layer 7 load balancer that offers SSL termination, WAF, and URL-based routing. It can be placed in front of VMs with private IPs to protect the web tier.

Why this answer

Azure Application Gateway v2 is the correct choice because it is a Layer 7 load balancer that provides SSL termination, a web application firewall (WAF), and URL path-based routing. It can route traffic to different backend pools based on URL paths (e.g., /api/* and /app/*) while keeping the web tier isolated within the virtual network, because only the gateway itself is exposed to the internet.

Exam trap

The trap here is that candidates often confuse Azure Front Door with Application Gateway, but Front Door is designed for global, multi-region scenarios and cannot provide direct VNet integration for a single-region app without exposing backend public IPs, whereas Application Gateway is the correct Layer 7 solution for a single-region VNet deployment.

How to eliminate wrong answers

Option B (Azure Front Door) is wrong because it is a global, multi-region load balancer and application delivery network that operates at the edge, not within a single virtual network; it cannot provide direct SSL termination and WAF for a single-region VNet-hosted app without exposing the backend to the internet via public endpoints. Option C (Azure Load Balancer) is wrong because it operates at Layer 4 (TCP/UDP) and cannot perform SSL termination, WAF inspection, or URL path-based routing. Option D (Azure Traffic Manager) is wrong because it is a DNS-based traffic router that only directs clients to endpoints based on DNS resolution, not a proxy that can terminate SSL, apply WAF rules, or route based on URL paths.

907 · MCQ · hard

Refer to the exhibit. You are reviewing an Azure Resource Manager deployment configuration. The deployment is failing with a conflict error. What is the most likely cause?

A. The deployment mode is Incremental instead of Complete
B. The template is not parameterized
C. The debugSetting includes requestContent, which may cause the request to exceed size limits
D. The onError property is set to DeploymentRollback
Answer: C

Including requestContent and responseContent can result in large payloads, leading to conflicts.

Why this answer

The correct answer is C because including `requestContent` in the `debugSetting` property of an ARM template deployment causes the entire HTTP request payload to be logged. For large templates or parameter files, this can exceed the Azure Resource Manager API request size limit (typically 4 MB), resulting in a conflict error (HTTP 409) as the service rejects the oversized request.

Exam trap

The trap here is that candidates often overlook the `debugSetting` property's impact on request size, mistakenly attributing conflict errors to deployment modes or rollback settings, while the real issue is the payload exceeding Azure's API size limits.

How to eliminate wrong answers

Option A is wrong because deployment mode (Incremental vs. Complete) affects resource management behavior, not request size; a conflict error is unrelated to mode selection. Option B is wrong because parameterization is a best practice for reusability, but a non-parameterized template does not cause request size overflow or conflict errors.

Option D is wrong because `onError: DeploymentRollback` defines rollback behavior on failure, but it does not cause the initial conflict error; it only triggers after a failure occurs.

908 · MCQ · easy

A company uses Microsoft Entra ID. They want to allow users to sign in to multiple SaaS applications using their Microsoft Entra ID credentials without being prompted again for each application. Which Microsoft Entra ID feature should they enable?

A. Single Sign-On (SSO)
B. Multi-Factor Authentication (MFA)
C. Conditional Access
D. Identity Protection
Answer: A

Correct. SSO provides seamless access to multiple apps after a single authentication.

Why this answer

Single Sign-On (SSO) enables users to authenticate once with Microsoft Entra ID and then access multiple SaaS applications without being prompted again. This works by using standards like SAML 2.0 or OpenID Connect to issue a session token or cookie that is reused across applications, eliminating repeated credential prompts.

Exam trap

The trap here is that candidates confuse MFA or Conditional Access with SSO, thinking that additional security features inherently reduce sign-in prompts, but in reality, SSO is the specific feature designed to eliminate repeated prompts, while MFA and Conditional Access are complementary security controls that do not provide that functionality.

How to eliminate wrong answers

Option B (Multi-Factor Authentication) is wrong because MFA adds an extra layer of security by requiring a second verification factor, but it does not eliminate repeated sign-in prompts across applications; it actually increases authentication friction. Option C (Conditional Access) is wrong because it is a policy engine that enforces access controls (e.g., requiring MFA or blocking sign-ins from untrusted locations) based on signals, but it does not provide the seamless token reuse that SSO offers. Option D (Identity Protection) is wrong because it is a risk-based detection and remediation service that identifies compromised identities and suspicious sign-ins, not a mechanism to avoid repeated authentication prompts.

909 · MCQ · hard

Your company is designing a monitoring solution for a critical line-of-business application running on multiple Azure VMs. The application emits custom performance counters. You need to ingest these counters into Azure Monitor Metrics and create a metric alert when the average value exceeds a threshold over 5 minutes. The solution must minimize latency between counter emission and alert firing. What should you use?

A. Application Insights agent to collect counters and send to Application Insights, then create a metric alert.
B. Azure Monitor agent to collect counters and send to Azure Monitor Metrics, then create a metric alert.
C. Log Analytics agent to collect counters and send to a Log Analytics workspace, then create a log alert.
D. Azure Diagnostics extension to collect counters and send to Azure Storage, then use Azure Monitor Metrics from storage.
Answer: B

Azure Monitor agent can send performance counters directly to Metrics, enabling low-latency metric alerts.

Why this answer

The Azure Monitor agent is the correct choice because it can collect custom performance counters and send them directly to Azure Monitor Metrics, which supports near-real-time metric alerts with low latency. This minimizes the delay between counter emission and alert firing, meeting the requirement for a 5-minute evaluation window.

Exam trap

The trap here is that candidates often confuse the Log Analytics agent (which sends to Log Analytics for log alerts) with the Azure Monitor agent (which sends to Metrics for metric alerts), or they incorrectly assume that Application Insights can handle custom performance counters from VMs with low latency.

How to eliminate wrong answers

Option A is wrong because Application Insights is designed for application-level telemetry (e.g., requests, dependencies) and does not natively ingest custom performance counters from VMs into Azure Monitor Metrics; it would add unnecessary latency and complexity. Option C is wrong because the Log Analytics agent sends data to a Log Analytics workspace, which uses log alerts that have higher latency (minutes to hours) and are not optimized for near-real-time metric-based alerting. Option D is wrong because the Azure Diagnostics extension sends data to Azure Storage, which is not a real-time ingestion path; reading from storage to create metric alerts introduces significant latency and is not a supported pattern for low-latency alerting.

910 · MCQ · medium

Refer to the exhibit. An organization deployed this ARM template to create a storage account. After deployment, they try to enable geo-redundant storage (GRS) but receive an error. What is the most likely reason?

A. The supportsHttpsTrafficOnly property must be set to false.
B. The storage account name is not globally unique.
C. The minimumTlsVersion property prevents geo-replication.
D. The storage account uses Standard_LRS, which does not support GRS.
Answer: D

LRS is single-region; GRS requires a different SKU.

Why this answer

Option D is correct because Standard_LRS (Locally Redundant Storage) does not support upgrading to GRS (Geo-Redundant Storage) directly. To enable GRS, the storage account must be created with a redundancy tier that supports geo-replication, such as Standard_GRS or Standard_RAGRS. The error occurs because the ARM template specifies Standard_LRS, which only replicates data within a single datacenter and cannot be converted to a geo-redundant tier after deployment.

Exam trap

The trap here is that candidates may confuse the supportsHttpsTrafficOnly or minimumTlsVersion properties with geo-replication settings, or assume that any storage account can be upgraded to GRS regardless of its initial redundancy tier.

How to eliminate wrong answers

Option A is wrong because the supportsHttpsTrafficOnly property controls whether HTTPS is required for traffic, not geo-replication; setting it to false would not enable GRS and is unrelated to the error. Option B is wrong because a non-unique storage account name would cause a deployment failure, not an error when trying to enable GRS after successful deployment. Option C is wrong because the minimumTlsVersion property restricts the TLS version for client connections and has no impact on geo-replication capabilities.

911 · MCQ · easy

A company uses Microsoft Entra ID. They want to integrate their on-premises Active Directory with Microsoft Entra ID to enable single sign-on (SSO) for cloud applications. Users should be able to use the same password for on-premises resources and cloud applications. The company has a large on-premises user base and wants to avoid additional infrastructure for federation. Which Microsoft Entra ID feature should they implement?

A. Microsoft Entra ID Connect (Password Hash Synchronization)
B. Microsoft Entra ID Application Proxy
C. Microsoft Entra ID B2B
D. Microsoft Entra ID Domain Services
Answer: A

PHS syncs password hashes to Microsoft Entra ID, allowing users to authenticate with their on-premises credentials for cloud apps. It is simple and requires no additional federation infrastructure.

Why this answer

Password Hash Synchronization (PHS) is the correct choice because it synchronizes password hashes from on-premises Active Directory to Microsoft Entra ID, enabling users to use the same password for both on-premises and cloud resources without requiring any additional federation infrastructure. This meets the requirement for SSO to cloud applications while avoiding the complexity and cost of deploying Active Directory Federation Services (AD FS) or other federation servers.

Exam trap

The trap here is that candidates often confuse federation (e.g., AD FS) as the only way to achieve SSO with password reuse, but Password Hash Synchronization provides a simpler, infrastructure-free alternative that still meets the requirement.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra ID Application Proxy is designed to provide secure remote access to on-premises web applications, not to synchronize identities or enable SSO via password reuse. Option C is wrong because Microsoft Entra ID B2B (Business-to-Business) is used for collaborating with external guest users from other organizations, not for integrating an on-premises AD with Entra ID for internal user SSO. Option D is wrong because Microsoft Entra ID Domain Services provides managed domain services (e.g., group policy, LDAP, Kerberos) for Azure VMs, but it does not synchronize passwords or enable SSO to cloud applications from on-premises AD.

912 · MCQ · easy

Your organization is migrating on-premises SQL Server databases to Azure. The databases are mission-critical and require the highest level of availability with automatic failover to a secondary region. Which Azure SQL deployment option should you recommend?

A. Azure SQL Database with active geo-replication
B. Azure Database for PostgreSQL
C. SQL Server on Azure Virtual Machines with Always On availability groups
D. Azure SQL Managed Instance with failover groups
Answer: A

Active geo-replication enables automatic failover to a secondary region.

Why this answer

Azure SQL Database with active geo-replication provides the highest level of availability with automatic failover to a secondary region by continuously replicating transactions from the primary to a readable secondary database in a different Azure region. This supports an RPO of 5 seconds and an RTO of 1 hour (or lower with forced failover), making it ideal for mission-critical workloads requiring cross-region disaster recovery.

Exam trap

The trap here is that candidates often confuse Azure SQL Managed Instance failover groups (which only support same-region automatic failover) with active geo-replication (which supports cross-region automatic failover), leading them to select Option D incorrectly.

How to eliminate wrong answers

Option B is wrong because Azure Database for PostgreSQL is a different database engine (PostgreSQL vs. SQL Server) and does not support the same high-availability features like active geo-replication or failover groups for SQL Server workloads. Option C is wrong because SQL Server on Azure Virtual Machines with Always On availability groups requires manual configuration of the secondary region, does not provide automatic failover to a secondary region out of the box, and incurs higher management overhead compared to a PaaS solution.

Option D is wrong because Azure SQL Managed Instance with failover groups supports automatic failover only within the same region (via failover groups) and does not natively support automatic failover to a secondary region; cross-region failover requires manual intervention or additional configuration.

913 · MCQ · medium

A company runs a critical Azure SQL Database in a single region. They need to ensure availability if an entire Azure datacenter fails. They require automatic failover with zero data loss and an RTO of 30 seconds. They also want to use the secondary database for read-only query offloading during normal operations. Which Azure SQL Database feature should they enable?

A. Active geo-replication
B. Auto-failover groups with read-scale enabled
C. Zone-redundant database
D. Point-in-time restore
Answer: B

This feature uses synchronous replication (in the Business Critical or Premium tier) to ensure zero data loss, automatic failover within 30 seconds, and allows read-only queries on the secondary.

Why this answer

Auto-failover groups with read-scale enabled meet all requirements: they provide automatic failover across regions with zero data loss when configured with the 'graceful' data loss policy (ensuring all committed transactions are replicated), an RTO of 30 seconds or less, and the ability to offload read-only queries to the secondary replica via the read-scale listener endpoint. This feature uses a secondary readable replica in a paired region, supporting both high availability and read workload distribution.

Exam trap

The trap here is that candidates often confuse Active geo-replication with auto-failover groups, assuming both support automatic failover, but only auto-failover groups provide automatic failover and a read-scale listener for read-only offloading.

How to eliminate wrong answers

Option A is wrong because Active geo-replication supports manual failover only, not automatic failover, and it does not provide a built-in read-scale listener for read-only query offloading; it also cannot guarantee zero data loss with a 30-second RTO without additional configuration. Option C is wrong because Zone-redundant databases protect against a single zone failure within a region, not an entire datacenter failure across regions, and they do not provide a secondary readable replica for read-only offloading. Option D is wrong because Point-in-time restore is a backup and recovery feature for restoring to a specific time within the retention period, not a real-time high-availability or disaster recovery solution; it cannot achieve a 30-second RTO or zero data loss during a datacenter failure.

914 · MCQ · easy

You need to monitor the sign-in activities of users in Microsoft Entra ID and detect risky sign-ins, such as those from anonymous IP addresses. Which service should you use?

A. Microsoft Entra Identity Protection
B. Microsoft Defender XDR
C. Azure Monitor
D. Microsoft Sentinel
Answer: A

Identity Protection uses machine learning to detect risky sign-ins and users.

Why this answer

Microsoft Entra Identity Protection is the correct service because it is specifically designed to detect and respond to risky sign-in activities, including sign-ins from anonymous IP addresses, using machine learning-based risk detection policies. It integrates directly with Microsoft Entra ID to evaluate sign-in risk in real time and can automatically block or require multi-factor authentication based on configured risk thresholds.

Exam trap

Microsoft often tests the distinction between a dedicated identity risk detection service (Identity Protection) and a broader security or monitoring platform (Defender XDR, Sentinel, or Azure Monitor), leading candidates to choose the more general tool when the question specifically asks for a service that detects risky sign-ins from anonymous IP addresses.

How to eliminate wrong answers

Option B is wrong because Microsoft Defender XDR (Extended Detection and Response) focuses on detecting and responding to security threats across endpoints, email, and applications, not specifically on monitoring sign-in risk from anonymous IP addresses in Entra ID. Option C is wrong because Azure Monitor is a platform for collecting and analyzing telemetry from Azure resources and applications, but it does not have built-in risk detection algorithms for sign-in activities like anonymous IP addresses. Option D is wrong because Microsoft Sentinel is a cloud-native SIEM (Security Information and Event Management) that ingests logs from multiple sources for advanced threat hunting and analysis, but it is not the primary service for real-time, policy-driven risky sign-in detection in Entra ID; that is the role of Identity Protection.

915 · MCQ · easy

A company wants to protect Azure VMs from accidental deletion or corruption by retaining daily backups for 30 days, weekly backups for 12 weeks, monthly backups for 12 months, and yearly backups for 7 years. Which backup policy type should they use?

A. Azure Backup GFS policy
B. Daily backup policy with 30-day retention
C. Monthly backup policy with 12-month retention
D. Azure Backup Enhanced policy
Answer: A

GFS policy can retain daily, weekly, monthly, yearly backups with different durations.

Why this answer

Option B is correct because Azure Backup supports a Grandfather-Father-Son (GFS) backup policy that allows retention of daily, weekly, monthly, and yearly backups with different retention periods. Option A is wrong because a simple daily backup policy cannot specify multiple retention tiers. Option C is wrong because the Enhanced policy is for SQL Server, not general VM backup.

Option D is wrong because a monthly backup policy cannot include daily or weekly backups.

916 · MCQ · hard

You are reviewing the above Azure Policy definition assigned to a storage account. What does this policy enforce?

A. Containers can be written to only if they use the default encryption scope.
B. All containers must use a specific customer-managed encryption scope named 'customEncryptionScope' to allow write operations.
C. Write operations are allowed only when encryption scope is not specified.
D. Reading from containers is denied unless a specific encryption scope is used.
Answer: B

The policy denies writes unless the encryption scope matches the specified one.

Why this answer

The Azure Policy definition uses the 'denyAction' effect to block write operations unless the storage account's containers are configured with a specific customer-managed encryption scope named 'customEncryptionScope'. This enforces that all containers must use that exact encryption scope for write operations, ensuring data is encrypted with a customer-managed key at the container level.

Exam trap

The trap here is that candidates often confuse the 'denyAction' effect with the standard 'deny' effect, or assume the policy applies to read operations, when in fact it specifically targets write operations and requires a precise encryption scope name.

How to eliminate wrong answers

Option A is wrong because the policy does not enforce that containers can only be written to if they use the default encryption scope; it specifically requires a custom encryption scope named 'customEncryptionScope', not the default. Option C is wrong because the policy denies write operations when no encryption scope is specified, not allows them; it requires the specific scope to be present. Option D is wrong because the policy targets write operations (Microsoft.Storage/storageAccounts/blobServices/containers/write), not read operations; it does not deny reading from containers.

917 · MCQ · hard

You are designing a data storage solution for a global e-commerce platform that handles millions of transactions per day. The platform uses Azure Cosmos DB for its transactional data. The company wants to implement a real-time analytics pipeline to monitor sales trends and detect anomalies. The analytics must be performed on the transactional data with minimal latency (under 5 seconds). The solution must not impact the transactional workload's performance. The analytics queries involve aggregations over time windows and joins with reference data stored in Azure SQL Database. You need to recommend a solution. Which option should you choose?

A. Enable Azure Synapse Link for Cosmos DB and use Synapse serverless SQL to query the transactional data directly.
B. Use Azure Data Factory to copy data from Cosmos DB to Azure Synapse Analytics every minute, and run analytics queries in Synapse.
C. Use Azure Cosmos DB change feed to stream data to Azure Stream Analytics, which performs the aggregations and joins with reference data from Azure SQL Database.
D. Use Azure Databricks with Auto Loader to incrementally load data from Cosmos DB into Delta Lake, and then query with Spark SQL.
Answer: C

Change feed provides real-time changes; Stream Analytics handles sub-second latency and joins.

Why this answer

Option C is correct because Azure Cosmos DB change feed enables real-time capture of changes, and Azure Stream Analytics can process streams with low latency and join with reference data from Azure SQL Database. Option B is wrong because Azure Data Factory is a batch ETL tool, not suitable for sub-5-second latency. Option A is wrong because Azure Synapse Link replicates data to Azure Synapse, which adds latency and is not real-time.

Option D is wrong because Azure Databricks with Auto Loader is also batch-oriented and not designed for sub-5-second streaming.

918
MCQeasy

You are designing a monitoring solution for a cloud-native application that uses Azure Functions, Azure Storage, and Azure Cosmos DB. The solution must provide centralized log collection and analysis, enable proactive alerting on application errors, and support long-term log retention for compliance (7 years). What should you include in the design?

A.Use Azure Storage with cool tier for logs and enable Azure Storage Analytics logs.
B.Store logs in Azure Monitor Metrics with a retention of 93 days.
C.Use Application Insights to collect logs and set retention to 90 days, then export to Azure Blob Storage for archival.
D.Configure diagnostic settings for each Azure resource to send logs and metrics to a Log Analytics workspace.
AnswerD

Log Analytics workspace provides centralized log storage, querying, and long-term retention.

Why this answer

Option D is correct because a Log Analytics workspace provides centralized log storage, analysis, and retention up to 7 years. Option C is wrong because Application Insights is for application performance monitoring, not long-term retention. Option B is wrong because Azure Monitor Metrics store numeric data only, not logs.

Option A is wrong because Azure Storage with the cool tier is for raw log files, not analysis.

919
MCQhard

A company stores petabytes of sensor data in Azure Data Lake Storage Gen2. They need to run complex analytics queries that involve joining multiple datasets and aggregating time-series data. The queries must complete within seconds. Which Azure service should they use for querying?

A.Azure Stream Analytics
B.Azure Data Explorer
C.Azure Synapse Analytics
D.Azure Databricks
AnswerC

Synapse provides MPP engine for fast interactive queries on data lake data.

Why this answer

Azure Synapse Analytics (formerly SQL Data Warehouse) provides massively parallel processing (MPP) for fast analytics on data lakes. Azure Stream Analytics is for real-time streaming. Azure Data Explorer is for time-series but not optimized for joining large datasets from Data Lake.

Azure Databricks is good for big data but not as fast for interactive SQL queries.

920
Multi-Selecthard

Which THREE factors should you consider when selecting a partition key for an Azure Cosmos DB container? (Select three.)

Select 3 answers
A.Even distribution of request unit (RU) consumption
B.Low cardinality to reduce overhead
C.High cardinality (many distinct values)
D.Property with large binary data
E.Property frequently used as a filter in queries
AnswersA, C, E

Even RU distribution prevents throttling.

Why this answer

Option A is correct because an even distribution of request unit (RU) consumption across physical partitions prevents hot partitions, which can throttle throughput and degrade performance. In Azure Cosmos DB, the partition key determines how data and throughput are distributed; if RU consumption is skewed, some partitions become overloaded while others remain underutilized, violating the design goal of uniform load.

Exam trap

The trap here is that candidates confuse low cardinality with efficiency, but Cosmos DB requires high cardinality to avoid storage limits and hot partitions, and they may also mistakenly think large binary properties are acceptable partition keys despite the 2 KB limit and indexing overhead.

921
MCQhard

Your organization is migrating a legacy on-premises application to Azure. The application uses a monolithic architecture and requires high availability. The application tier runs on Windows Server and uses a SQL Server database. You need to design a migration strategy that minimizes changes to the application code while maximizing availability. The application can be stateless if session state is externalized. You have the following requirements: (1) The application must be resilient to Azure region failures. (2) The database must have an RPO of 5 minutes and RTO of 1 hour. (3) The migration must be completed within 6 months. (4) The solution should use platform-as-a-service (PaaS) services where possible to reduce operational overhead. Which approach should you recommend?

A.Rehost the application on Azure VMs in an availability set and use SQL Server Always On Availability Groups.
B.Migrate the web tier to Azure App Service with staging slots and use Azure SQL Database with active geo-replication.
C.Refactor the application into microservices and deploy to Azure Kubernetes Service.
D.Containerize the application using Docker and deploy to Azure Container Instances in paired regions.
AnswerB

PaaS services reduce overhead; App Service supports external session state; SQL Database with geo-replication meets RPO/RTO.

Why this answer

Option B is correct because Azure App Service provides a PaaS environment that can host the web tier with minimal code changes, and Azure SQL Database with active geo-replication meets the RPO/RTO requirements. Option A is wrong because Azure VMs are IaaS, not PaaS, and require more management.

Option D is wrong because Azure Container Instances are not ideal for monolithic apps; likewise, Azure Functions are event-driven and not suitable for a monolithic application.

922
Multi-Selecthard

Which THREE Azure Monitor capabilities can be used to detect and diagnose performance issues in a multi-tier application?

Select 3 answers
A.Azure Monitor Workbooks
B.Azure Policy
C.Live Metrics Stream in Application Insights
D.Application Insights Profiler
E.Application Map in Application Insights
AnswersC, D, E

Live Metrics provides real-time performance monitoring.

Why this answer

Live Metrics Stream in Application Insights (Option C) provides real-time monitoring of application performance metrics, such as request rates, response times, and failure rates, with sub-second latency. This allows immediate detection of performance issues as they occur, making it ideal for diagnosing live problems in a multi-tier application.

Exam trap

The trap here is that candidates may confuse Azure Monitor Workbooks (a visualization tool) with a diagnostic capability, or think Azure Policy can monitor performance, when in fact only Application Insights features like Live Metrics Stream, Profiler, and Application Map provide real-time or deep diagnostic insights.

923
MCQmedium

A company backs up their Azure VMs using Azure Backup. They need to meet compliance that requires backups to be stored in a separate geographic region. Additionally, they want to be able to restore the entire VM to that secondary region in case of a regional disaster. What should they configure?

A.Use a Recovery Services vault with Locally Redundant Storage (LRS) and enable cross-region restore
B.Use a Recovery Services vault with Geo-Redundant Storage (GRS) and enable cross-region restore
C.Use Azure Site Recovery to replicate the entire VM to the secondary region
D.Manually copy backup snapshots to a storage account in the secondary region
AnswerB

GRS replicates backups to a paired region, and enabling cross-region restore allows restoring VMs to that secondary region, meeting both requirements.

Why this answer

Option B is correct because Azure Backup with a Recovery Services vault using Geo-Redundant Storage (GRS) replicates backup data to a paired secondary region, meeting the compliance requirement for geographic separation. Enabling cross-region restore allows the entire VM to be restored in that secondary region during a regional disaster, as the backup data is already available there.

Exam trap

The trap here is that candidates often confuse Azure Site Recovery (continuous replication for DR) with Azure Backup (snapshot-based backup with cross-region restore), leading them to select Option C, which does not meet the backup compliance requirement for stored backups in a separate region.

How to eliminate wrong answers

Option A is wrong because Locally Redundant Storage (LRS) keeps data only within a single datacenter in the primary region, failing the compliance requirement for storage in a separate geographic region. Option C is wrong because Azure Site Recovery is a disaster recovery solution that replicates the VM for continuous replication and failover, not for backup storage or restore from backup snapshots; it addresses different RPO/RTO needs but does not meet the backup compliance requirement. Option D is wrong because manually copying backup snapshots to a secondary region is inefficient, error-prone, and does not leverage Azure Backup's built-in cross-region restore capability, which is designed for automated, compliant disaster recovery.

924
Multi-Selecthard

Which THREE components are required to implement a complete monitoring solution with Azure Monitor? (Choose three.)

Select 3 answers
A.Application Insights for every application
B.Azure Policy assignments
C.Alert rules to notify on conditions
D.A Log Analytics workspace for log storage
E.Data sources such as Azure resources and applications
AnswersC, D, E

Alerts are essential for proactive monitoring.

Why this answer

Alert rules (C) are a core component of a complete monitoring solution because they define conditions that trigger notifications or automated actions when monitored metrics or log data cross thresholds. Without alert rules, collected data remains passive and cannot proactively inform administrators of issues, making the solution incomplete.

Exam trap

The trap here is that candidates often confuse optional monitoring tools (like Application Insights) with mandatory components, or they mistakenly think governance tools (like Azure Policy) are part of the monitoring pipeline, when in fact the three required components are data sources, a Log Analytics workspace, and alert rules.

925
MCQmedium

A company uses Microsoft Entra ID to manage identities for employees and partners. They need to allow partners to self-service reset their passwords using a mobile app notification. Which feature should you enable?

A.Microsoft Entra ID Self-Service Password Reset (SSPR)
B.Microsoft Entra ID Identity Protection
C.Microsoft Intune
D.Microsoft Entra ID Privileged Identity Management
AnswerA

SSPR enables users to reset passwords via registered methods like mobile app notification.

Why this answer

Microsoft Entra ID Self-Service Password Reset (SSPR) is the correct feature because it allows users, including partners configured as external users in the tenant, to reset their own passwords without administrator intervention. SSPR supports multiple authentication methods, including mobile app notification via the Microsoft Authenticator app, which satisfies the requirement for a mobile app notification-based reset. This feature is specifically designed for password reset scenarios and can be scoped to include guest users when properly configured.

Exam trap

The trap here is that candidates often confuse Identity Protection (which deals with risk and conditional access) with SSPR, because both involve authentication methods, but Identity Protection does not enable password reset functionality.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra ID Identity Protection is a risk-based detection and remediation tool that identifies suspicious sign-in activities and potential vulnerabilities, but it does not provide self-service password reset capabilities. Option C is wrong because Microsoft Intune is a mobile device management (MDM) and mobile application management (MAM) service for managing devices and apps, not a password reset feature for user accounts. Option D is wrong because Microsoft Entra ID Privileged Identity Management (PIM) manages just-in-time privileged access and role activation, not self-service password reset for standard users or partners.

926
MCQmedium

A company is designing an Azure Kubernetes Service (AKS) cluster for a microservices application. They need to ensure that pods can securely access Azure resources such as Azure Key Vault and Azure SQL Database without using service principals or connection strings. Which AKS feature should they enable?

A.Azure RBAC for Kubernetes authorization
B.Azure Policy for AKS
C.Microsoft Entra Workload ID
D.Azure CNI network plugin
AnswerC

Workload ID assigns an Azure AD identity to pods for secure access to Azure resources.

Why this answer

Azure AD pod-managed identity (now called Microsoft Entra Workload ID) allows pods to assume an identity to access Azure resources. Option A is wrong because Azure RBAC is for Kubernetes authorization. Option B is wrong because Azure Policy is for compliance.

Option D is wrong because Azure CNI is for networking.

927
MCQeasy

Refer to the exhibit. You deploy this ARM template to a resource group in the East US region. You specify the parameter storageAccountType as 'Standard_GRS'. Which of the following is true about the deployed storage account?

A.The storage account name will be 'storage' followed by a random string.
B.The storage account will be deployed in the same region as specified by the parameter.
C.The storage account is zone-redundant and replicates data across availability zones.
D.The storage account is geo-redundant and replicates data to a paired region.
AnswerD

Standard_GRS provides geo-redundancy.

Why this answer

The template deploys a StorageV2 account with the Standard_GRS SKU. Standard_GRS is geo-redundant, meaning data is replicated to a paired region. Option D is correct.

Option C is incorrect because Standard_GRS is not zone-redundant. Option A is incorrect because the name is generated by uniqueString, which is deterministic based on the resource group ID. Option B is incorrect because the location is derived from the resource group location, not the parameter.

928
MCQeasy

A company stores sensitive customer data in Azure Blob Storage. They need to ensure that data at rest is encrypted using a customer-managed key stored in Azure Key Vault. Which of the following should they use?

A.Azure Storage Service Encryption with customer-managed keys in Azure Key Vault
B.Azure Disk Encryption
C.Azure Storage Service Encryption with Microsoft-managed keys
D.Azure Information Protection
AnswerA

Allows customer-managed keys for encryption.

Why this answer

Azure Storage Service Encryption with customer-managed keys allows encryption using keys from Azure Key Vault. Option A is correct because it supports customer-managed keys. Option C is wrong because it uses Microsoft-managed keys.

Option D is wrong because Azure Information Protection is for classification and labeling. Option B is wrong because Azure Disk Encryption is for virtual machine disks.

929
MCQmedium

A global e-commerce company runs a product catalog application that requires low-latency reads and writes from multiple geographic regions. The data is key-value structured and must be replicated with multi-region write capability. The company needs a fully managed NoSQL database service with guaranteed 99th percentile latency and automatic conflict resolution. Which Azure data service should they choose?

A.Azure Cosmos DB
B.Azure Table Storage
C.Azure Redis Cache
D.Azure SQL Database
AnswerA

Azure Cosmos DB is a globally distributed NoSQL database that supports multiple APIs, multi-region writes, automatic conflict resolution, and provides deterministic latency guarantees at the 99th percentile.

Why this answer

Azure Cosmos DB is the correct choice because it is a fully managed NoSQL database that supports multi-region writes with automatic conflict resolution, guarantees 99th percentile latency, and provides low-latency reads and writes globally. Its multi-master replication and tunable consistency models meet the key-value structured data requirements and the need for high availability across geographic regions.

Exam trap

The trap here is that candidates may confuse Azure Table Storage's NoSQL nature with Cosmos DB's multi-region write and latency guarantees, overlooking the critical requirements for automatic conflict resolution and 99th percentile latency SLAs.

How to eliminate wrong answers

Option B is wrong because Azure Table Storage is a NoSQL key-value store but does not support multi-region write capability or automatic conflict resolution, and it lacks guaranteed 99th percentile latency SLAs. Option C is wrong because Azure Redis Cache is an in-memory data store, not a fully managed NoSQL database, and it does not provide multi-region write replication or automatic conflict resolution for persistent data. Option D is wrong because Azure SQL Database is a relational database, not a NoSQL key-value store, and it does not natively support multi-region writes with automatic conflict resolution.

930
Matchingmedium

Match each Azure security service to its purpose.


Concepts
Matches

Unified security management and threat protection

Cloud-native SIEM and SOAR

Manage secrets, keys, and certificates

Protect against distributed denial-of-service attacks

Managed cloud network security service

Why these pairings

These are essential security services in Azure.

931
MCQmedium

Your company is designing a new application that will process large volumes of streaming data from IoT devices. The data will be ingested, processed in near real-time, and stored for long-term analytics. You need to design a solution that meets the following requirements: (1) Ingest up to 1 million events per second. (2) Process events with a latency of less than 10 seconds. (3) Store processed data for 7 years for compliance. (4) Enable ad-hoc querying of the stored data. Which combination of Azure services should you recommend?

A.Azure IoT Hub, Azure Stream Analytics, and Azure Cosmos DB.
B.Azure Service Bus, Azure Functions, and Azure SQL Database.
C.Azure Event Hubs, Azure Functions, and Azure Cosmos DB.
D.Azure Event Hubs, Azure Stream Analytics, and Azure Data Lake Storage Gen2.
AnswerD

Event Hubs ingests millions of events, Stream Analytics processes with low latency, Data Lake Storage provides cheap archival storage with query capability.

Why this answer

Option D is correct because Event Hubs ingests high-volume streaming data, Stream Analytics processes it in real-time, and Azure Data Lake Storage Gen2 provides cost-effective long-term storage with query capabilities via Azure Synapse or U-SQL. Option A is wrong because IoT Hub is for device management, not high-throughput ingestion. Option B is wrong because Service Bus is for messaging, not streaming.

Option C is wrong because Cosmos DB is not optimized for long-term analytics storage.

932
MCQmedium

You are the Azure architect for a healthcare organization that needs to store patient medical records (unstructured data) and provide secure access to doctors and nurses via a web application. The data must be encrypted at rest and in transit. Access must be authorized based on the requester's role (doctor, nurse, admin). The solution must be cost-effective and support high concurrency. You decide to use Azure Blob Storage. You need to design the access control mechanism. What should you recommend?

A.Enable storage service encryption and use HTTPS.
B.Use shared access signatures (SAS) with stored access policies.
C.Use Azure RBAC with Microsoft Entra ID authentication.
D.Use storage account access keys and distribute them to users.
AnswerC

Provides role-based access control natively.

Why this answer

Option C is correct. Using Azure RBAC with Microsoft Entra ID (formerly Azure AD) allows role-based access control natively integrated with Blob Storage. This meets the requirement of role-based authorization without managing additional keys.

Option B is wrong because SAS tokens are not tied to user roles. Option D is wrong because using access keys provides full access, not role-based. Option A is wrong because storage service encryption is enabled by default and doesn't provide access control.

933
MCQhard

Your company, Contoso Ltd., runs a critical line-of-business application on Azure Virtual Machines in the West Europe region. The application uses Azure SQL Database (Business Critical tier) for data storage. The compliance team requires a Recovery Point Objective (RPO) of 5 seconds and a Recovery Time Objective (RTO) of 10 seconds for the database tier. For the compute tier, the RPO is 1 minute and RTO is 5 minutes. The application must remain available during planned maintenance and regional outages. You have been asked to design the business continuity solution. You need to recommend the most cost-effective solution that meets all requirements. What should you recommend?

A.Configure active geo-replication for Azure SQL Database; deploy AKS in two regions with Azure Traffic Manager; use manual failover scripts.
B.Use Azure SQL Database backup with point-in-time restore for the database; deploy AKS in West Europe and use Azure Traffic Manager for failover to a secondary cluster in North Europe.
C.Set up auto-failover group for Azure SQL Database with a secondary in North Europe; deploy AKS in both regions with Azure Front Door for global load balancing.
D.Deploy SQL Server Always On availability groups on Azure VMs in two regions; use Azure Site Recovery for the VMs; use Azure Front Door for load balancing.
AnswerC

Auto-failover groups provide automatic failover within seconds; Azure Front Door enables fast failover for AKS with health probes.

Why this answer

Option C is correct because auto-failover groups with active geo-replication provide synchronous replication (RPO=0) and automatic failover (RTO~10 seconds) for the Azure SQL Database Business Critical tier. AKS with Azure Front Door provides fast failover for the compute tier. Option B is wrong because Azure SQL Database backup restore takes too long.

Option A is wrong because Traffic Manager lacks health probe granularity and AKS failover is slower. Option D is wrong because SQL Server Always On requires additional licensing and management overhead.

934
MCQhard

Your company uses Microsoft Entra ID (formerly Azure AD) and requires that all external guest users must be automatically reviewed for access every 90 days. The review should be performed by the guest user's manager in the partner organization. However, the partner organization does not use Microsoft Entra ID. Which solution should you implement?

A.Create a custom Azure Logic App to send email reminders and manually track access expiration.
B.Configure Microsoft Entra ID access reviews to include guest users and assign the review to the guest user's external manager.
C.Use Azure AD B2C to manage guest identities and set up a custom review process.
D.Configure Microsoft Entra ID access reviews to ask the guest user to self-attest their access every 90 days.
AnswerD

Self-attestation allows guest users to confirm their need for access, which is suitable when the partner organization does not have its own identity system.

Why this answer

Option D is correct because Microsoft Entra ID access reviews can be configured to require guest users to self-attest their access. This is the only viable solution when the guest user's organization does not use Microsoft Entra ID, as there is no external manager identity to assign the review to. The self-attestation process allows the guest user to confirm whether they still need access, and the review can be set to recur every 90 days as required.

Exam trap

The trap here is that candidates assume an external manager can be assigned as a reviewer even when the partner organization does not use Microsoft Entra ID, overlooking the fact that the reviewer must exist as an identity in the tenant or be a valid email address that can respond to the review request.

How to eliminate wrong answers

Option A is wrong because creating a custom Azure Logic App for email reminders and manual tracking is not an automated, built-in governance solution and does not meet the requirement for automatic reviews every 90 days. Option B is wrong because it is not possible to assign the review to the guest user's external manager when the partner organization does not use Microsoft Entra ID; there is no identity for that manager in the directory. Option C is wrong because Azure AD B2C is designed for customer-facing identity management, not for managing guest user access reviews in a Microsoft Entra ID tenant, and it does not provide the required automatic review scheduling.

935
MCQeasy

A company stores large video files for a media streaming application. The files are accessed infrequently but need to be available instantly when requested. The company wants to minimize storage costs while ensuring high durability. Which Azure Blob Storage access tier should they use?

A.Hot tier
B.Cool tier
C.Cold tier
D.Archive tier
AnswerB

Cool tier is ideal for infrequently accessed data that needs instant access, providing lower storage costs than Hot while maintaining low latency.

Why this answer

The Cool tier is the optimal choice because it balances low storage cost with instant access for infrequently accessed data. The scenario specifies that files are accessed infrequently but require instant availability, which aligns with the Cool tier's design for data that will be stored for at least 30 days and needs millisecond retrieval latency. Hot tier would be more expensive for infrequent access, while Cold and Archive tiers introduce retrieval delays or higher access costs that violate the 'available instantly' requirement.

Exam trap

The trap here is that candidates often confuse 'infrequently accessed' with 'archival' and choose Archive tier, failing to recognize that Archive requires manual rehydration with significant latency (hours), which directly contradicts the 'available instantly' requirement in the question.

How to eliminate wrong answers

Option A is wrong because the Hot tier is designed for frequently accessed data and has higher storage costs, making it cost-inefficient for infrequently accessed video files. Option C is wrong because the Cold tier has a 30-day minimum storage duration and incurs a higher cost per read operation compared to Cool, and while it offers instant access, it is not the most cost-effective for this specific infrequent access pattern. Option D is wrong because the Archive tier has a retrieval latency of up to 15 hours (rehydration time), which violates the requirement that files be 'available instantly' when requested.

936
MCQmedium

A company uses Microsoft Entra ID. They want to allow external business partners to request access to a specific internal application. The access must be time-limited and require approval from a manager within the partner's organization. Additionally, access should automatically expire after the defined period. Which Microsoft Entra ID feature should they use?

A.Microsoft Entra ID Entitlement Management
B.Microsoft Entra ID B2B Collaboration
C.Microsoft Entra ID Identity Governance
D.Microsoft Entra ID Privileged Identity Management (PIM)
AnswerA

Microsoft Entra ID Entitlement Management enables you to create access packages that external users can request. You can configure approval workflows, set time limits, and auto-expire access. It is part of Microsoft Entra ID Identity Governance.

Why this answer

Microsoft Entra ID Entitlement Management enables organizations to manage access requests for internal and external users through access packages. It supports time-limited access with automatic expiration and allows delegation of approval to a manager within the partner's organization via connected organizations. This directly meets the requirement for external partner self-service access with time-bound, approved access.

Exam trap

The trap here is that candidates often confuse Entitlement Management with B2B Collaboration, thinking B2B alone provides access control and expiration, when in fact B2B only handles identity creation and invitation, while Entitlement Management adds the governance layer for time-limited, approved access.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra ID B2B Collaboration provides the underlying invitation and redemption mechanism for external users but does not include built-in time-limited access, approval workflows, or automatic expiration; it requires additional configuration with Entitlement Management or other features. Option C is wrong because Microsoft Entra ID Identity Governance is an overarching category that includes Entitlement Management, access reviews, and lifecycle workflows, but it is not a specific feature that directly handles external partner access requests with time limits and manager approval. Option D is wrong because Microsoft Entra ID Privileged Identity Management (PIM) is designed for managing, controlling, and monitoring privileged roles within an organization, not for granting time-limited access to applications for external business partners.

937
MCQeasy

A startup is building a new mobile app backend. They need a fully managed relational database service with built-in high availability, automatic backups, and built-in intelligence to optimize performance. They want to minimize administrative overhead for tasks like patching and scaling. Which Azure service should they use?

A.Azure SQL Database
B.SQL Server on Azure Virtual Machines
C.Azure Database for MySQL
D.Azure Cosmos DB
AnswerA

Azure SQL Database is a fully managed relational database with built-in HA, automated backups, and intelligent performance optimization.

Why this answer

Azure SQL Database is a fully managed Platform-as-a-Service (PaaS) relational database that includes built-in high availability (99.99% SLA), automatic backups with point-in-time restore, and built-in intelligence features like automatic tuning, adaptive query processing, and intelligent insights. This minimizes administrative overhead for patching, scaling, and performance optimization, making it ideal for a startup that wants to focus on app development rather than database management.

Exam trap

The trap here is that candidates often confuse 'fully managed' with 'IaaS' or pick Azure Database for MySQL because it is also fully managed, but they overlook the specific requirement for 'built-in intelligence to optimize performance,' which is a hallmark of Azure SQL Database's automatic tuning features, not available in Azure Database for MySQL.

How to eliminate wrong answers

Option B is wrong because SQL Server on Azure Virtual Machines is an Infrastructure-as-a-Service (IaaS) offering that requires you to manage patching, backups, high availability setup (e.g., Always On Availability Groups), and scaling manually, increasing administrative overhead. Option C is wrong because Azure Database for MySQL is a fully managed relational database, but it lacks the built-in intelligence features (e.g., automatic tuning, intelligent insights) that Azure SQL Database provides, and the question specifically asks for 'built-in intelligence to optimize performance.' Option D is wrong because Azure Cosmos DB is a NoSQL database (supporting document, key-value, graph, and column-family models), not a relational database, and it does not use SQL as its primary query language (though it has a SQL API, it is not a relational database engine).

938
MCQ (medium)

Your organization uses Microsoft Sentinel for security information and event management (SIEM). You need to ensure that an alert is generated when an Azure VM is created with an open inbound SSH port (22) from the internet. The solution should use existing Azure resources and minimize administrative overhead. What should you use?

A. Create a Microsoft Sentinel analytics rule using the Azure Activity data connector.
B. Create an Azure Policy with audit effect and configure a Sentinel data connector for Azure Policy.
C. Create an Azure Monitor metric alert on the 'Network In' metric.
D. Enable Microsoft Defender for Cloud and configure a continuous export to Sentinel.
Answer: A

The analytics rule can detect VM creation events and check for open ports by correlating with NSG flow logs or resource configuration.

Why this answer

Option A is correct because Microsoft Sentinel's Azure Activity data connector ingests resource logs from Azure's control plane (Azure Resource Manager). By creating an analytics rule that detects a 'Microsoft.Compute/virtualMachines/write' operation with a network security group rule allowing inbound SSH (port 22) from 'Internet' (any IP), you can generate an alert without deploying additional agents or infrastructure. This minimizes administrative overhead by using existing Sentinel resources and the built-in Activity log connector.

Exam trap

The trap here is that candidates may overcomplicate the solution by choosing Defender for Cloud or Azure Policy, thinking they need a security-specific service, when the simplest path is to use the already-connected Azure Activity data connector in Sentinel to monitor control-plane operations for risky configurations.

How to eliminate wrong answers

Option B is wrong because Azure Policy with audit effect can evaluate compliance and log to the Activity Log, but it does not natively generate Sentinel alerts; you would need a separate data connector for Azure Policy (which is not a standard Sentinel connector) and additional logic to create alerts, increasing overhead. Option C is wrong because the 'Network In' metric on Azure Monitor measures data throughput at the VM's virtual NIC, not inbound SSH port 22 access; it cannot detect open ports or security rules. Option D is wrong because enabling Microsoft Defender for Cloud and configuring continuous export to Sentinel adds unnecessary complexity and cost; while Defender for Cloud can detect open SSH ports, the question specifically requires using existing resources with minimal overhead, and the Azure Activity data connector alone suffices.

939
Multi-Select (medium)

Your company is migrating a critical application to Azure and needs to design a highly available and disaster recovery solution. The application runs on Azure VMs with SQL Server Always On Availability Groups. You need to ensure that the database remains available even during a regional outage. Which TWO options should you include in the design? (Choose two.)

Select 2 answers
A. Enable geo-redundant backup storage (RA-GRS) for the database.
B. Configure Azure Site Recovery for the SQL Server VMs.
C. Use Azure SQL Database Managed Instance with auto-failover groups.
D. Deploy SQL Server Always On Availability Groups across availability zones.
E. Deploy a load balancer and distribute traffic to multiple replicas.
Answers: A, C

Geo-redundant backups allow point-in-time restore in another region.

Why this answer

The correct answers are A and C. Azure SQL Database Managed Instance with auto-failover groups (C) provides automatic failover to a secondary region. Geo-redundant backup storage (RA-GRS) (A) ensures backups are replicated to a paired region.

Option D is wrong because Always On Availability Groups require manual configuration for cross-region failover. Option B is wrong because Azure Site Recovery replicates VMs but not SQL Server databases in a consistent manner for transactional workloads. Option E is wrong because load balancers do not provide database-level failover.

940
MCQ (hard)

Your organization uses Microsoft Entra ID and requires that all external users invited via B2B collaboration must authenticate using multi-factor authentication (MFA). You need to enforce this for all guest users. What should you configure?

A. Microsoft Entra B2B collaboration settings
B. Microsoft Entra Identity Protection user risk policy
C. Microsoft Entra ID MFA registration policy
D. Microsoft Entra Conditional Access policy
Answer: D

Conditional Access policy can target guest users and require MFA as a grant control.

Why this answer

Option D is correct because Conditional Access policies in Microsoft Entra ID allow you to enforce MFA for guest users by targeting the 'Guest or external users' identity type and requiring MFA as a grant control. This provides granular control over authentication requirements for B2B collaboration users, unlike the other options which either lack enforcement capability or apply to different scenarios.

Exam trap

The trap here is confusing MFA registration (a prerequisite) with MFA enforcement (a runtime control), leading candidates to select Option C, which only ensures users have registered for MFA but does not require them to actually use it during sign-in.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra B2B collaboration settings only control invitation behavior (e.g., who can invite, allowed domains) and do not enforce MFA during authentication. Option B is wrong because Identity Protection user risk policy triggers based on detected risk signals (e.g., leaked credentials) and does not enforce MFA for all guest users unconditionally. Option C is wrong because the MFA registration policy only requires users to register for MFA but does not enforce MFA during sign-in; it is a prerequisite, not an enforcement mechanism.

941
MCQ (hard)

You are designing a disaster recovery plan for a critical application that runs on Azure VMs. The VMs are in a single region and are backed up daily. The RPO is 1 hour and the RTO is 4 hours. The current backup solution cannot meet the RPO. You need to recommend a solution that meets the requirements with minimal cost. What should you do?

A. Implement Azure Site Recovery with a replication policy of 30 minutes.
B. Configure SQL Server Always On Availability Groups across two Azure regions.
C. Increase the backup frequency to every 30 minutes.
D. Implement Azure Site Recovery with a replication policy of 15 minutes.
Answer: A

ASR provides near-synchronous replication and quick failover.

Why this answer

Option A (ASR with a replication policy of 30 minutes) meets the RPO and RTO with lower cost than continuous replication. Option C (backup every 30 minutes) increases cost without meeting the RTO. Option D (ASR with a 15-minute replication policy) is more expensive.

Option B (Always On Availability Groups across two regions) requires additional licenses.

942
MCQ (easy)

A company wants to store application configuration settings and secrets (e.g., database connection strings, API keys) securely with automatic rotation. Access must be controlled and audited. Which Azure service should they use?

A. Azure Key Vault
B. Azure App Configuration
C. Azure Storage Queues
D. Azure Service Bus
Answer: A

Correct. Key Vault provides secure storage for secrets, supports automatic rotation policies, and integrates with Azure services for access control and auditing.

Why this answer

Azure Key Vault is the correct choice because it is designed specifically for securely storing and managing secrets, keys, and certificates. It supports automatic rotation of secrets via integration with Azure managed identities and Event Grid notifications, and provides fine-grained access control through Azure RBAC and access policies, with full auditing via Azure Monitor and diagnostic logs.

Exam trap

The trap here is that candidates often confuse Azure App Configuration with Key Vault because both deal with configuration, but App Configuration is for non-sensitive settings and feature flags, while Key Vault is the only service that provides secure secret storage with rotation and auditing.

How to eliminate wrong answers

Option B (Azure App Configuration) is wrong because it is optimized for managing application configuration settings and feature flags, not for storing secrets; it lacks native automatic rotation and secret-specific access policies. Option C (Azure Storage Queues) is wrong because it is a message queue service for asynchronous communication, not a secure store for secrets or configuration. Option D (Azure Service Bus) is wrong because it is an enterprise message broker for reliable messaging and pub/sub patterns, not a secrets management service.

943
MCQ (hard)

Your organization is migrating a legacy on-premises application to Azure. The application uses a proprietary authentication protocol that is not supported by Microsoft Entra ID. You need to integrate the application with Microsoft Entra ID without modifying the application code. What should you do?

A. Use Azure Active Directory B2C with custom policies to translate the authentication protocol.
B. Deploy Azure Active Directory Domain Services and domain-join the application servers.
C. Configure Microsoft Entra ID Application Proxy to provide secure remote access and pass through authentication.
D. Implement Azure Active Directory Connect with pass-through authentication.
Answer: C

Application Proxy supports pass-through authentication for legacy protocols.

Why this answer

Option C is correct because Microsoft Entra ID Application Proxy can be configured to pass authentication through to the on-premises application, allowing legacy protocols. Option B (Azure AD Domain Services) is for Kerberos/NTLM. Option A (Azure AD B2C) is for customer-facing apps.

Option D (Azure AD Connect) syncs identities but doesn't help with protocol translation.

944
MCQ (medium)

Your company runs a web application on Azure App Service (Standard tier) in a single region. You need to design a disaster recovery solution that can fail over to another region within 30 minutes. The application uses Azure SQL Database (General Purpose tier) and Azure Blob Storage. What should you implement?

A. Use Azure Traffic Manager with priority routing to a second App Service instance, use Azure SQL Database backup to a secondary region, and use Azure Storage zone-redundant storage (ZRS).
B. Configure App Service auto-scaling, use Azure SQL Database geo-replication with readable secondary, and use Azure Storage read-access geo-redundant storage (RA-GRS).
C. Configure App Service backup to a secondary region, use Azure SQL Database active geo-replication with auto-failover group, and use geo-redundant storage (GRS) for Blob Storage.
D. Configure App Service deployment slots, use Azure SQL Database geo-restore, and use Azure Storage locally-redundant storage (LRS).
Answer: C

App Service backup/restore can be automated; SQL auto-failover group provides RTO of ~1 min; GRS ensures blob data replicated asynchronously.

Why this answer

Option C is correct because App Service backup/restore to a secondary region, Azure SQL Database active geo-replication with an auto-failover group, and Azure Storage geo-redundant storage (GRS) together meet the RTO of 30 minutes and provide data protection. Option D uses geo-restore for SQL, which has a longer RPO. Option B relies on a read-only secondary, which may not allow writes after failover.

Option A uses Traffic Manager but does not address database failover.

945
MCQ (medium)

Your company uses Microsoft Sentinel for security monitoring. You need to design a solution that automatically responds to incidents involving high-severity alerts. The response should include creating an incident in Microsoft Teams and sending an email to the security team. What should you use?

A. Microsoft Sentinel automation rules and playbooks
B. Azure Policy with remediation tasks
C. Azure Monitor alert rules with action groups
D. Microsoft Defender for Cloud security alerts
Answer: A

Automation rules can trigger playbooks (Logic Apps) to automate response actions like creating Teams messages and sending emails.

Why this answer

Microsoft Sentinel automation rules and playbooks (built on Azure Logic Apps) are specifically designed to orchestrate automated responses to security incidents. When a high-severity alert triggers an incident, an automation rule can invoke a playbook that creates a Microsoft Teams message and sends an email via connectors like Office 365 Outlook, meeting the exact requirements.

Exam trap

The trap here is that candidates confuse Azure Monitor action groups (which can send emails/SMS for metric alerts) with Sentinel's incident-specific automation, overlooking that Sentinel requires its own automation rules and playbooks to orchestrate security response workflows.

How to eliminate wrong answers

Option B is wrong because Azure Policy with remediation tasks enforces compliance rules on Azure resources (e.g., ensuring encryption is enabled) and cannot trigger incident response workflows in Microsoft Teams or send emails based on Sentinel alerts. Option C is wrong because Azure Monitor alert rules with action groups are designed for infrastructure and application monitoring (e.g., CPU usage, HTTP errors), not for security incident response; they lack the context of Sentinel's threat intelligence and cannot create Teams incidents natively. Option D is wrong because Microsoft Defender for Cloud security alerts provide security posture recommendations and threat detections but do not include built-in automation to create Teams incidents or send emails; they rely on Sentinel or other tools for response orchestration.

946
MCQ (easy)

You are designing a disaster recovery solution for a critical application running in Azure. The application uses Azure SQL Database. The recovery point objective (RPO) is 5 seconds, and the recovery time objective (RTO) is 30 minutes. Which Azure SQL Database configuration should you recommend?

A. Point-in-time restore to a different region
B. Active geo-replication
C. Auto-failover groups
D. Azure Backup for SQL Server in Azure VM
Answer: B

Meets RPO of 5 seconds and RTO within 30 minutes.

Why this answer

Option B is correct because active geo-replication provides continuous replication with an RPO of 5 seconds and supports failover within 30 minutes. Option C is wrong because auto-failover groups have a similar RPO but a slightly higher RTO. Option A is wrong because point-in-time restore cannot meet the RPO of 5 seconds.

Option D is wrong because Azure Backup has higher RPO.

947
MCQ (easy)

Refer to the exhibit. You assign this Azure Policy to a resource group. A user attempts to create a new Azure SQL Server without specifying an administrator login. What will happen?

A. The SQL Server is created with a default administrator login.
B. The SQL Server creation is denied.
C. The policy is ignored because the condition is not met.
D. The SQL Server is created but a compliance alert is generated.
Answer: B

The policy denies creation if administratorLogin is not set.

Why this answer

The Azure Policy assigned to the resource group includes a condition that checks if the 'administratorLogin' property is missing or null when creating a SQL Server. Since the user does not specify an administrator login, the condition evaluates to true, triggering the 'deny' effect. This prevents the creation of the SQL Server entirely, as Azure Policy enforces compliance before the resource is provisioned.

Exam trap

The trap here is that candidates may assume Azure SQL Server has a default administrator login or that the policy would only generate an alert, but Azure Policy's 'deny' effect proactively blocks non-compliant resource creation, not just reports on it.

How to eliminate wrong answers

Option A is wrong because Azure SQL Server requires an administrator login to be specified; there is no default login, and the policy explicitly denies creation when it is missing. Option C is wrong because the condition is met—the administrator login is not specified—so the policy is not ignored; it actively denies the request. Option D is wrong because the policy's 'deny' effect blocks creation before the resource is deployed, so no SQL Server is created to generate a compliance alert; alerts only occur for 'audit' or 'modify' effects, not 'deny'.

948
Multi-Select (medium)

Which TWO of the following are requirements for using Azure Site Recovery to protect Azure VMs? (Choose two.)

Select 2 answers
A. VMs must use unmanaged disks
B. VMs must be using managed disks
C. VMs must be connected to a virtual network that has a VPN gateway to the target region
D. The source region must be a supported Azure region
E. VMs must be at least Standard_D2s_v3 size
Answers: B, D

Managed disks are required for Azure Site Recovery.

Why this answer

Options B and D are correct. VMs must be in a region that supports Azure Site Recovery (D). VMs must be using managed disks (B).

Option A is wrong because unmanaged disks are not supported. Option E is wrong because VMs can be any size, although there are some limitations. Option C is wrong because Site Recovery does not require a VPN connection for Azure-to-Azure replication; it uses the Azure backbone.

949
MCQ (hard)

Your company runs a stateless web application on Azure Kubernetes Service (AKS). You need to design a disaster recovery solution that ensures the application is available in another Azure region within 30 minutes of a regional failure. The solution must balance cost and complexity. What should you recommend?

A. Use Azure SQL Database active geo-replication for the application's database.
B. Use Azure Front Door to route traffic to a single AKS cluster with pods running in multiple regions.
C. Use Azure Traffic Manager to distribute traffic across two AKS clusters in different regions.
D. Deploy a single AKS cluster with nodes in multiple availability zones.
Answer: C

Traffic Manager with priority routing can automatically fail over to the secondary region, meeting the RTO.

Why this answer

Deploying AKS clusters in two regions with Traffic Manager for global load balancing provides a cost-effective and relatively simple solution for stateless applications. Option B is incorrect because Azure Front Door is not the best fit for container workloads. Option D is incorrect because it lacks automated failover to another region.

Option A is incorrect because active geo-replication is for databases.

950
MCQ (medium)

Your company uses Microsoft Entra ID to manage identities for 5,000 employees. You plan to implement Microsoft Entra ID Governance to automate the user provisioning lifecycle for a third-party SaaS application. The application supports SCIM 2.0. You need to ensure that user accounts are automatically created, updated, and disabled in the application based on changes in Entra ID. What should you do?

A. Use Microsoft Graph API to write a custom provisioning solution
B. Configure Microsoft Entra B2B collaboration for the application
C. Publish the application using Microsoft Entra Application Proxy
D. Configure automatic provisioning in Microsoft Entra ID using the SCIM endpoint
Answer: D

SCIM provisioning automates lifecycle events.

Why this answer

Option D is correct because Microsoft Entra ID's automatic provisioning feature natively supports SCIM 2.0 endpoints, enabling automated creation, update, and deactivation of user accounts in third-party SaaS applications based on changes in Entra ID. This eliminates the need for custom code and provides a managed, scalable solution for the user provisioning lifecycle.

Exam trap

The trap here is that candidates may confuse the purpose of Application Proxy (remote access) or B2B collaboration (external identities) with provisioning automation, or assume that a custom Graph API solution is necessary when the built-in SCIM provisioning service is the correct, managed approach.

How to eliminate wrong answers

Option A is wrong because using Microsoft Graph API to write a custom provisioning solution would require significant development effort and ongoing maintenance, whereas the built-in provisioning service already handles SCIM-based automation without custom code. Option B is wrong because Microsoft Entra B2B collaboration is designed for external user access and guest identity management, not for automating the provisioning lifecycle of internal employees in a SaaS application. Option C is wrong because Microsoft Entra Application Proxy is used for secure remote access to on-premises web applications, not for provisioning user accounts to cloud SaaS applications.

951
Multi-Select (easy)

Which TWO Azure services can be used to provide cross-region disaster recovery for Azure App Service web applications with a custom domain? (Select TWO.)

Select 2 answers
A. Azure DNS
B. Azure Front Door
C. Azure CDN
D. Azure Application Gateway
E. Azure Traffic Manager
Answers: B, E

Front Door provides global load balancing and automatic failover.

Why this answer

Options B and E are correct. Azure Traffic Manager can route traffic to a secondary-region App Service if the primary region fails. Azure Front Door provides global load balancing and failover.

Options A, C, and D are wrong: Azure Application Gateway is regional, Azure DNS does not provide traffic routing, and Azure CDN is for content caching, not failover.

952
MCQ (easy)

Your organization uses Microsoft Purview for data governance. You need to classify sensitive data in Azure SQL Database and automatically apply sensitivity labels. What should you configure?

A. Azure Information Protection scanner
B. Microsoft Purview Data Map with scanning and labeling
C. Microsoft Sentinel with a workbook
D. Azure Policy with built-in SQL classification policy
Answer: B

Purview Data Map can scan Azure SQL Database and apply sensitivity labels automatically.

Why this answer

Microsoft Purview Data Map with scanning and labeling is the correct solution because it integrates with Azure SQL Database to automatically scan for sensitive data types (e.g., credit card numbers, social security numbers) and apply sensitivity labels defined in Microsoft Purview Information Protection. This native integration uses the Purview scanning infrastructure to classify data at rest and propagate labels directly to the SQL database, meeting the requirement for automated classification and labeling.

Exam trap

The trap here is that candidates often confuse Azure Policy's 'SQL classification' built-in initiative (which only audits or enforces the presence of classification) with the actual scanning and labeling capability, leading them to choose Option D instead of recognizing that Purview Data Map is the service that performs the automated classification work.

How to eliminate wrong answers

Option A is wrong because Azure Information Protection (AIP) scanner is designed for on-premises file shares and SharePoint, not for Azure SQL Database; it cannot scan or label data within a PaaS database. Option C is wrong because Microsoft Sentinel is a SIEM/SOAR solution for security monitoring and threat detection, not a data classification or labeling tool; it lacks the capability to scan database schemas or apply sensitivity labels. Option D is wrong because Azure Policy with built-in SQL classification policy only enforces compliance rules (e.g., requiring classification to be enabled) but does not perform automatic scanning or labeling of sensitive data; it is a governance policy, not a classification engine.

953
MCQ (easy)

You need to monitor the performance and health of your Azure virtual machines, including custom metrics and logs. You also need to set up alerts based on specific thresholds. Which Azure service should you use?

A. Application Insights
B. Azure Service Health
C. Log Analytics
D. Azure Monitor
Answer: D

Azure Monitor provides full monitoring, including metrics, logs, and alerts for VMs.

Why this answer

Azure Monitor is the correct choice because it provides a comprehensive solution for collecting, analyzing, and acting on telemetry from Azure virtual machines, including custom metrics and logs. It integrates with the Azure Monitor Agent to gather performance counters and event logs, and supports metric alerts and log alerts based on specific thresholds, directly meeting all stated requirements.

Exam trap

The trap here is that candidates often confuse Log Analytics (a data store and query tool) with Azure Monitor (the full monitoring and alerting platform), leading them to select Option C when Azure Monitor is the correct overarching service that includes Log Analytics and alerting capabilities.

How to eliminate wrong answers

Option A is wrong because Application Insights is an Application Performance Management (APM) service focused on monitoring live web applications, not infrastructure-level metrics and logs from Azure VMs. Option B is wrong because Azure Service Health provides information about Azure service-level issues and planned maintenance, not custom metrics, logs, or threshold-based alerts for individual VMs. Option C is wrong because Log Analytics is a component within Azure Monitor that stores and queries log data, but it is not the overarching service for monitoring, alerting, and metrics; Azure Monitor is the parent service that includes Log Analytics.

954
MCQ (medium)

Your organization is designing a monitoring solution for a critical application running on Azure VMs. You need to collect performance metrics and logs from the VMs and send them to a centralized Log Analytics workspace. You also need to visualize the data in near real-time. Which combination of services should you use?

A. Azure Monitor Agent and Azure Workbooks
B. Azure Diagnostics extension and VM Insights
C. Azure Monitor Agent and Azure Sentinel
D. Log Analytics Agent and Azure Dashboards
Answer: A

Azure Monitor Agent is the current recommended agent; Workbooks provide rich visualizations.

Why this answer

Azure Monitor Agent is the current recommended agent for collecting performance metrics and logs from Azure VMs and sending them to a Log Analytics workspace. Azure Workbooks provide interactive, near real-time visualizations by querying the workspace data. This combination meets the requirements for centralized collection and visualization without unnecessary overhead.

Exam trap

The trap here is confusing Azure Sentinel (a SIEM) with Azure Monitor (a general monitoring solution), leading candidates to select a security-focused tool for a performance monitoring requirement.

How to eliminate wrong answers

Option B is wrong because VM Insights uses the Azure Monitor Agent (or legacy Log Analytics agent) to collect data, but it is a monitoring solution focused on VM health and dependencies, not a direct tool for building custom near real-time visualizations; the Diagnostics extension is legacy and does not send data to Log Analytics by default. Option C is wrong because Azure Sentinel is a SIEM (Security Information and Event Management) tool designed for security analytics and threat detection, not for general performance monitoring and visualization. Option D is wrong because the Log Analytics Agent is legacy and being deprecated in favor of Azure Monitor Agent, and Azure Dashboards are static views that do not support interactive near real-time querying like Workbooks do.

955
MCQ (medium)

You are designing a monitoring solution for a critical application running on Azure virtual machines. The application must maintain an SLA of 99.99% uptime. You need to be notified within five minutes if any VM becomes unavailable. What should you configure?

A. Log Analytics workspaces
B. Azure Advisor recommendations
C. Azure Service Health alerts
D. Azure Monitor VM Insights with availability metric alerts
Answer: D

VM Insights monitors VM heartbeat and can trigger alerts within minutes.

Why this answer

Option D is correct because VM Insights with availability metric alerts monitors the heartbeat of Azure VMs and triggers an alert within five minutes if a VM becomes unavailable. This directly supports the 99.99% SLA requirement by enabling rapid notification of downtime, using the 'VM Availability Metric (Preview)' which tracks the VM's running state via the Azure Resource Health provider.

Exam trap

The trap here is confusing Azure Service Health alerts (which cover Azure platform outages) with VM-level availability monitoring, leading candidates to choose Option C instead of the correct VM Insights metric alert approach.

How to eliminate wrong answers

Option A is wrong because Log Analytics workspaces are used for collecting and analyzing log and performance data, not for real-time availability monitoring or triggering alerts within five minutes of VM unavailability. Option B is wrong because Azure Advisor provides proactive recommendations for cost, security, reliability, and performance, but does not monitor VM uptime or send alerts for availability breaches. Option C is wrong because Azure Service Health alerts notify about Azure service-level issues affecting your subscription, not about the availability of individual VMs within your environment.

956
MCQ (hard)

A media company uploads large video files to Azure Blob Storage. Users frequently access recent videos, while older videos are rarely accessed after 30 days. The company wants to minimize storage costs while ensuring that recently accessed videos are immediately available. Which storage tier strategy should you recommend?

A. Use Premium tier for all files
B. Use Cool tier for all files with lifecycle management to Archive
C. Use Hot tier for the first 30 days, then automatically move to Cool tier
D. Use Archive tier for all files and rehydrate on access
Answer: C

Hot tier provides immediate access; Cool tier reduces cost after 30 days.

Why this answer

Option C is correct because it balances cost and performance by using the Hot tier for the first 30 days (when videos are frequently accessed) and then automatically transitioning to the Cool tier via Azure Blob Storage lifecycle management. This ensures immediate availability for recent uploads while minimizing storage costs for older, rarely accessed content. The Cool tier offers lower storage costs than Hot but still provides low-latency access, meeting the requirement that recently accessed videos are immediately available.

Exam trap

The trap here is that candidates may assume Cool tier is always the cheapest option for infrequent access, but they overlook that Archive tier, while cheaper, introduces unacceptable rehydration delays for the 'immediately available' requirement, and that Hot tier is necessary for the initial high-access period to avoid access costs and latency.

How to eliminate wrong answers

Option A is wrong because using Premium tier for all files incurs significantly higher costs (designed for high transaction rates and low latency) without any cost optimization for rarely accessed older videos. Option B is wrong because using Cool tier from the start means recently uploaded videos (accessed frequently) are stored in a tier optimized for infrequent access, which has higher access costs and may introduce latency on first access compared to Hot tier. Option D is wrong because Archive tier has the lowest storage cost but requires rehydration (which can take up to 15 hours) before videos can be accessed, violating the requirement that recently accessed videos are immediately available.

957
MCQ (hard)

Your organization is deploying a critical application in Azure that must maintain an uptime SLA of 99.99%. The application runs on Azure Virtual Machines in a single region. You need to design a monitoring solution that alerts the operations team within 5 minutes of any VM unavailability. The solution must minimize false positives and avoid alert fatigue. What should you include in the design?

A. Configure Azure Monitor VM insights with availability metric alerts set to fire when the VM is unavailable for 2 out of the last 5 minutes.
B. Create an Azure Service Health alert for the 'Virtual machine' service.
C. Create an Azure Monitor alert based on the Activity Log for 'Virtual Machine Guest OS Unresponsive' events.
D. Deploy the Log Analytics agent on each VM and create an alert for when heartbeat data is missing for 5 minutes.
Answer: A

VM insights availability metrics provide accurate unavailability detection with dynamic thresholds, reducing false positives.

Why this answer

Option A is correct because availability metrics from Azure Monitor provide accurate unavailability detection with minimal false positives, and multi-metric alerts reduce noise. Option C is wrong because Activity Log alerts only fire on configuration changes, not on VM unavailability itself. Option B is wrong because Service Health alerts cover Azure service incidents but not VM-level failures.

Option D is wrong because Log Analytics agent-based heartbeat alerts can have delays and require additional configuration, and single-metric alerts may cause alert fatigue.

958
MCQhard

Refer to the exhibit. You are analyzing a deployment of Azure Storage account with customer-managed key encryption. The deployment fails with an error indicating that the key vault is not accessible. Which of the following is the most likely cause?

A.The key vault name is misspelled in the keyUri
B.The key vault has a firewall enabled and does not allow access from the storage account
C.The key vault is in a different Azure region than the storage account
D.The user-assigned managed identity does not have permissions to access the key
AnswerD

The user-assigned identity must be granted at least get, wrapKey, and unwrapKey permissions on the key vault.

Why this answer

The exhibit shows a user-assigned managed identity in the encryption settings. The most likely cause is that the user-assigned managed identity does not have the necessary permissions (get, wrapKey, unwrapKey) on the key vault. Option C is incorrect because a key vault in a different region than the storage account is not a common cause of this error.

Option A is incorrect because the key vault is reachable via its URI. Option B is irrelevant because network restrictions are not mentioned. Option D is the most common cause.

959
MCQmedium

A company runs a critical application on Azure VMs in a single region. The application writes data to Azure SQL Database (PaaS) and Azure Blob Storage. The company needs a disaster recovery plan with an RPO of less than 5 minutes for the database and less than 15 minutes for the blob storage, and an RTO of less than 1 hour for the entire solution. What should they recommend?

A.Use Azure Site Recovery for VMs, geo-replication for Azure SQL Database, and geo-redundant storage (GRS) for Blob Storage.
B.Use Azure Backup for VMs, geo-redundant storage for SQL Database backups, and geo-redundant storage for Blob Storage.
C.Use Azure Site Recovery for VMs, active geo-replication for Azure SQL Database, and read-access geo-redundant storage (RA-GRS) for Blob Storage.
D.Use Azure Front Door with multi-region deployment of VMs and Azure Cosmos DB for the database.
AnswerC

ASR replicates VMs with an RPO of minutes. Active geo-replication for Azure SQL Database provides a readable secondary with an RPO of seconds. RA-GRS provides a readable copy in the secondary region with an RPO of roughly 15 minutes, meeting the blob requirement.

Why this answer

Option C is correct because Azure Site Recovery provides the VM replication needed to meet the RTO of under 1 hour, active geo-replication for Azure SQL Database offers a configurable RPO of as low as 5 seconds (well under the 5-minute requirement), and RA-GRS for Blob Storage provides read-access to a secondary region with an RPO typically under 15 minutes, enabling fast failover and read access during a disaster.

Exam trap

The trap here is that candidates often confuse geo-redundant storage (GRS) with read-access geo-redundant storage (RA-GRS), not realizing that GRS requires a storage account failover to access the secondary region, which can take up to an hour and thus fails the RTO requirement.

How to eliminate wrong answers

Option A is wrong because geo-redundant storage (GRS) for Blob Storage does not provide read access to the secondary region during a disaster; you must initiate a failover to read data, which can exceed the RTO of 1 hour. Option B is wrong because Azure Backup for VMs is a backup solution, not a replication solution, and cannot achieve an RTO of under 1 hour for full VM failover; additionally, geo-redundant storage for SQL Database backups does not provide the sub-5-minute RPO required, as backups are typically taken every 5–10 minutes. Option D is wrong because Azure Front Door with multi-region VMs and Cosmos DB does not address the existing Azure SQL Database and Blob Storage requirements; it changes the architecture entirely and does not meet the stated RPO/RTO for the current services.

960
MCQmedium

Your company uses Microsoft Intune for device management. You need to ensure that only devices that are compliant with security policies can access corporate resources. The solution must also support legacy authentication protocols. What should you implement?

A.Microsoft Defender for Endpoint
B.Device-based Conditional Access with 'Require hybrid Azure AD joined device'
C.Conditional Access policies with 'Require device to be marked as compliant'
D.Microsoft Entra application proxy
AnswerC

Conditional Access can enforce device compliance and can be configured to allow legacy authentication with appropriate conditions.

Why this answer

Option C is correct because the requirement is to enforce compliance-based access control for devices managed by Microsoft Intune, while also supporting legacy authentication protocols. Conditional Access policies with 'Require device to be marked as compliant' evaluate the device's compliance status reported by Intune and can block or allow access based on that status. This works with legacy authentication protocols (e.g., POP3, IMAP, SMTP) when combined with a compliance policy that does not require modern authentication, though legacy protocols are inherently less secure and should be used cautiously.

Exam trap

The trap here is that candidates often confuse 'device compliance' with 'hybrid Azure AD join' or 'Microsoft Defender for Endpoint', assuming that any security tool or join state can enforce access control, but only a Conditional Access policy explicitly targeting the device compliance attribute can enforce Intune-based compliance for both modern and legacy authentication.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Endpoint is a security solution for endpoint detection and response (EDR), not a policy mechanism to enforce device compliance for access control. Option B is wrong because 'Require hybrid Azure AD joined device' mandates that devices be joined to both on-premises Active Directory and Azure AD, which is not necessary for Intune-managed devices and does not directly enforce compliance policies; it also does not inherently support legacy authentication protocols. Option D is wrong because Microsoft Entra application proxy provides secure remote access to on-premises web applications via reverse proxy, but it does not enforce device compliance or control access based on Intune compliance status.

961
MCQmedium

Refer to the exhibit. You create this Azure Policy definition in a management group that contains all subscriptions. After assigning the policy, you notice that no audit events are generated when a new custom RBAC role is created. What is the most likely reason?

A.The policy should be assigned at the subscription level to audit custom role creation.
B.The 'Audit' effect with the specified details does not trigger an audit event when a custom role is created because the policy is not evaluating the correct condition.
C.The policy definition is a custom policy, and custom policies cannot audit RBAC role definitions.
D.The policy mode is set to 'All', which does not include RBAC role definitions.
AnswerB

The policy is misconfigured; it audits all role definitions but does not specifically detect creation of custom roles.

Why this answer

Option B is correct because the policy uses the 'Audit' effect but the details section incorrectly references all role definitions, which does not produce an audit log entry for custom role creation. The policy should use the 'AuditIfNotExists' or 'Deny' effect to detect custom roles. Option C is wrong because custom policies can audit custom roles.

Option D is wrong because the mode 'All' includes resource types like role definitions; custom RBAC roles are indeed a resource type that can be audited.

962
MCQmedium

Your company has a critical application that uses Azure Kubernetes Service (AKS) in a single region. You need to design a disaster recovery solution that can automatically fail over to a secondary region in the event of a regional outage. The application data is stored in Azure Cosmos DB. What should you do?

A.Use Azure Front Door to route traffic to the primary AKS cluster and enable Cosmos DB automatic failover.
B.Use Azure Backup for AKS with cross-region restore and Cosmos DB geo-redundancy.
C.Replicate the AKS cluster to another region using Azure Site Recovery.
D.Deploy a secondary AKS cluster in another region, use Azure Traffic Manager for global load balancing, and enable Cosmos DB multi-region writes.
AnswerD

Traffic Manager and multi-region AKS clusters provide DR.

Why this answer

Option D is correct because AKS can be deployed in multiple regions, and Azure Traffic Manager can direct traffic to the secondary region. Cosmos DB multi-region writes ensure data availability. Option A is wrong because Azure Front Door does not provide AKS failover capability.

Option C is wrong because Azure Site Recovery does not support AKS. Option B is wrong because Azure Backup does not provide failover.

963
MCQhard

A global e-commerce company uses Azure Cosmos DB to store its product catalog. The catalog is read-heavy, with users worldwide expecting consistent reads with a 99th percentile latency under 10 ms. Writes to the catalog are performed by a central admin team in one region. The company needs to minimize write latency and cost while ensuring that users always see the same data within a single session. Which Cosmos DB configuration should the company choose?

A.Single-master write region with Strong consistency and multiple read regions
B.Multi-master write with Eventual consistency and all regions enabled for writes
C.Single-master write region with Session consistency and multiple read regions
D.Multi-master write with Strong consistency and two regions
AnswerC

Session consistency provides a consistent view for a user within a session and allows low-latency reads from multiple regions. Writes are performed in one region, minimizing write latency and cost.

Why this answer

Option C is correct because Session consistency provides the required 'read your own writes' guarantee within a single session, which ensures users always see the same data during their session without the latency and cost penalties of Strong consistency. Single-master writes minimize write latency by directing all writes to one region (the central admin team's region), while multiple read regions allow global users to read from the nearest region with sub-10 ms latency. This configuration balances cost, performance, and consistency needs for a read-heavy catalog with centralized writes.

Exam trap

The trap here is that candidates often confuse 'strong consistency' with 'always correct' and overlook that Session consistency is sufficient for per-session guarantees, while Strong consistency adds unnecessary latency and cost for a read-heavy catalog with centralized writes.

How to eliminate wrong answers

Option A is wrong because Strong consistency with multiple read regions requires all replicas to acknowledge reads, which increases read latency and cost, and does not minimize write latency as writes must still propagate synchronously to all read regions. Option B is wrong because Multi-master writes with Eventual consistency would allow writes from any region, but the central admin team writes from one region, and eventual consistency does not guarantee that users see their own writes within a session, violating the 'same data within a single session' requirement. Option D is wrong because Multi-master writes with Strong consistency across two regions would introduce high write latency (due to synchronous replication) and increased cost, while the scenario only needs single-master writes from one admin region.

964
MCQmedium

A multinational company plans to deploy a new application on Azure. The application must comply with GDPR and requires data residency in the EU. The solution should minimize latency for users in Europe and provide disaster recovery across regions. Which Azure architecture should the company implement?

A.Deploy the application in two EU regions with Azure Front Door and Azure SQL Database geo-replication.
B.Deploy the application in a single Azure region in Ireland with Azure Site Recovery for DR.
C.Deploy the application in two EU regions with Azure Traffic Manager and Azure Cosmos DB multi-region writes.
D.Deploy the application in a single EU region with Azure Site Recovery and Azure Redis Cache.
AnswerC

Traffic Manager routes users to the nearest region, and Cosmos DB multi-region writes enable low latency and data residency within the EU.

Why this answer

Option C is correct because an active-active multi-region deployment with Azure Traffic Manager and Cosmos DB provides low latency and data residency control. Option B is wrong because a single-region deployment does not provide disaster recovery across regions. Option A is wrong because Azure Front Door is for global load balancing but does not enforce data residency.

Option D is wrong because Azure Site Recovery provides DR but does not minimize latency for active traffic.

965
Multi-Selectmedium

Which TWO actions should you take to ensure that only authorized users can access sensitive data stored in Azure Blob Storage? (Choose two.)

Select 2 answers
A.Configure Azure RBAC roles to grant access to specific users.
B.Configure firewall rules to allow only specific IP addresses.
C.Enable blob versioning.
D.Enable soft delete for blobs.
E.Enable infrastructure encryption.
AnswersA, E

RBAC is the primary method to control access to Azure resources.

Why this answer

Azure RBAC roles allow you to grant granular permissions to specific users or groups, ensuring that only authorized identities can access sensitive data in Blob Storage. By assigning built-in roles like 'Storage Blob Data Reader' or 'Storage Blob Data Contributor', you enforce identity-based access control at the storage account, container, or blob level. This directly addresses the requirement of restricting access to authorized users.

Exam trap

The trap here is that candidates often confuse network-level controls (firewall rules) or data protection features (versioning, soft delete) with access control mechanisms, but only identity-based authorization (RBAC) and encryption directly ensure that only authorized users can access sensitive data.

966
MCQhard

A business-critical App Service application must survive a full regional outage. The recovery design should fail over automatically based on endpoint health and avoid DNS-cache delay where possible. Which service should front the regional deployments?

A.Azure Load Balancer
B.Azure Application Security Groups
C.Azure Front Door
D.Azure Traffic Manager only
AnswerC

Azure Front Door provides global HTTP/S load balancing, health probes, and fast failover at the edge.

Why this answer

Azure Front Door is the correct choice because it provides global HTTP/HTTPS load balancing with automatic failover across regions based on real-time endpoint health probes. It uses Anycast routing to direct traffic to the nearest healthy region, which avoids the DNS-cache delay inherent in DNS-based solutions like Traffic Manager. This ensures sub-second failover and meets the requirement for a business-critical app that must survive a full regional outage.

Exam trap

The trap here is that candidates confuse Azure Traffic Manager's DNS-based global routing with Azure Front Door's Anycast-based global routing, overlooking the critical DNS-cache delay that Traffic Manager introduces.

How to eliminate wrong answers

Option A is wrong because Azure Load Balancer operates at Layer 4 and is regional, not global; it cannot fail over traffic across regions in a full regional outage. Option B is wrong because Azure Application Security Groups are a network security feature for grouping VMs and applying security rules, not a traffic routing or failover service. Option D is wrong because Azure Traffic Manager is DNS-based and relies on client DNS caching, which can cause delays of minutes during failover, violating the requirement to avoid DNS-cache delay.

967
MCQhard

A company stores petabytes of image files for a content delivery network. The images are accessed frequently for the first week, then rarely afterward. They must be retained for 5 years for compliance. The company wants to minimize storage costs while maintaining performance for frequently accessed data. Which storage solution and tier strategy should they recommend?

A.Azure Blob Storage with a lifecycle policy: Hot for 7 days, Cool for the remainder of 5 years
B.Azure Files with premium tier
C.Azure Data Lake Storage Gen2 with hot tier only
D.Azure Blob Storage with archive tier from day 1
AnswerA

Lifecycle management automates tier transitions, minimizing cost while keeping data accessible.

Why this answer

Azure Blob Storage with a lifecycle policy is the correct solution because it automatically transitions blobs from the Hot tier (for frequent access during the first week) to the Cool tier (for rare access over the remaining 5 years), minimizing storage costs while maintaining low-latency performance for the initial high-access period. The Hot tier provides high throughput and low access costs for frequently read data, while the Cool tier offers lower storage costs for infrequently accessed data, meeting both performance and compliance retention requirements.

Exam trap

The trap here is that candidates often choose the Archive tier for long-term retention without considering the performance impact of frequent access during the first week, overlooking that Archive requires hours to rehydrate and incurs high read costs, making it unsuitable for the initial high-access period.

How to eliminate wrong answers

Option B is wrong because Azure Files with premium tier uses SSD-backed file shares designed for low-latency enterprise workloads (e.g., SQL Server, home directories), not for petabyte-scale image content delivery; it is cost-prohibitive for long-term retention and lacks native lifecycle tiering to reduce costs. Option C is wrong because Azure Data Lake Storage Gen2 with hot tier only provides no cost optimization for rarely accessed data after the first week, leading to unnecessarily high storage costs for 5 years of compliance retention. Option D is wrong because Azure Blob Storage with archive tier from day 1 would impose high retrieval costs and multi-hour rehydration latency for images that are frequently accessed during the first week, violating the performance requirement for the initial access period.

968
MCQhard

A multinational company runs a mission-critical application on Azure VMs in the West US region. The application uses Azure SQL Database (Business Critical tier) and Azure Cache for Redis. The company needs to ensure the application can fail over to a secondary region within 5 minutes during a regional outage. The design must minimize data loss. Which solution should you recommend?

A.Deploy VMs across Azure availability zones in West US, use Azure SQL Database geo-restore to East US, and deploy a second Azure Cache for Redis instance in East US.
B.Deploy VMs in an availability set in West US, use Azure Site Recovery to replicate to East US, and configure Azure SQL Database failover group with manual failover.
C.Deploy VMs in an Azure Site Recovery recovery plan to East US, use Azure SQL Database active geo-replication with auto-failover group, and deploy Azure Cache for Redis Standard tier in East US.
D.Deploy VMs in an Azure Site Recovery recovery plan to East US, use Azure SQL Database active geo-replication with auto-failover group, and use Azure Cache for Redis with geo-replication enabled.
AnswerD

Active geo-replication provides RPO ≤ 5 sec, auto-failover RTO ≤ 1 min; cache geo-replication ensures cache data survives region failover.

Why this answer

Option D is correct because it uses Azure SQL Database active geo-replication with a failover group for automatic failover (RPO ≤ 5 seconds, RTO ≤ 1 minute) and Azure Cache for Redis with geo-replication for cross-region replication. Option B has a longer RTO for SQL failover. Option A uses Azure SQL Database geo-restore, which has an RPO of 1 hour.

Option C relies on cache replication, which is not available in the Standard tier of Azure Cache for Redis.

969
MCQhard

You are designing a governance strategy for an Azure environment that includes multiple subscriptions. The security team requires that all storage accounts must have HTTPS traffic only. Any non-compliant storage account must be automatically remediated. What is the most efficient solution?

A.Create an Azure Blueprint that includes a policy initiative
B.Assign a custom RBAC role that denies creation of storage accounts without HTTPS
C.Use Azure Policy with a DeployIfNotExists effect to enable HTTPS-only traffic
D.Configure Azure Monitor alerts to notify the security team
AnswerC

DeployIfNotExists automatically remediates non-compliant resources.

Why this answer

Option C is correct because Azure Policy with a DeployIfNotExists effect can automatically remediate non-compliant storage accounts by enabling the 'HTTPS traffic only' property. This approach ensures continuous compliance without manual intervention, meeting the security team's requirement for automatic remediation.

Exam trap

The trap here is that candidates often confuse Azure Policy's DeployIfNotExists effect with Azure Blueprints, assuming Blueprints can also remediate, but Blueprints only enforce initial compliance and do not provide ongoing automatic remediation for existing resources.

How to eliminate wrong answers

Option A is wrong because Azure Blueprints are used to orchestrate the deployment of resource groups, policies, role assignments, and ARM templates, but they do not automatically remediate non-compliant resources after deployment; they only enforce initial compliance. Option B is wrong because a custom RBAC role that denies creation of storage accounts without HTTPS would only prevent new non-compliant accounts from being created, but it would not remediate existing non-compliant storage accounts. Option D is wrong because Azure Monitor alerts only notify the security team of non-compliance; they do not automatically remediate the issue, which is a core requirement of the question.

970
MCQhard

You are designing a network topology for a global e-commerce company that operates multiple web applications. The company has three main offices (New York, London, Tokyo) connected via ExpressRoute to Azure. Users access the applications through a public endpoint. The company requires that traffic be routed to the nearest healthy application instance based on geographic location, and that the solution provide automatic failover if an entire region goes down. Additionally, the company wants to protect against DDoS attacks at the network layer. You need to recommend a solution that meets these requirements while minimizing cost. What should you include in the design?

A.Deploy Azure Front Door with geographic routing and enable DDoS protection.
B.Deploy Azure Firewall in each region and use Public IP prefix for egress.
C.Deploy Azure Application Gateway v2 with WAF in each region and Azure DDoS Standard protection.
D.Deploy Azure Traffic Manager with geographic routing and Azure DDoS Standard protection.
AnswerA

Front Door provides global load balancing, geographic routing, and DDoS protection.

Why this answer

Option A is correct because Azure Front Door provides global load balancing with automatic failover, geographic routing, and integrated DDoS protection (Azure DDoS Protection Basic is included). Option D is wrong because Traffic Manager provides DNS-based routing without DDoS protection and has slower failover. Option C is wrong because Application Gateway is regional, not global.

Option B is wrong because Azure Firewall is a stateful firewall but does not provide global load balancing or geographic routing.

971
MCQeasy

Your organization has 500 users in Microsoft Entra ID. You need to ensure that users can only access Microsoft 365 apps from compliant devices (compliant with Intune policies). Users are already enrolled in Intune. The compliance policies are defined. You need to configure the access control mechanism. What should you do?

A.Create a Conditional Access policy that blocks all access and then create exclusions for compliant devices.
B.Configure Intune compliance policies to automatically revoke access for non-compliant devices.
C.Create a Conditional Access policy that requires device to be marked as compliant.
D.Create a Conditional Access policy that requires MFA based on location.
AnswerC

This policy enforces that only compliant devices can access Microsoft 365 apps.

Why this answer

Option C is correct because Conditional Access in Microsoft Entra ID is the mechanism that enforces access controls based on signals like device compliance. By creating a policy that requires the device to be marked as compliant, you ensure that only devices meeting Intune compliance policies can access Microsoft 365 apps. This directly addresses the requirement without blocking all access or relying on automatic revocation.

Exam trap

The trap here is that candidates confuse Intune compliance policies (which define rules) with the access control enforcement mechanism (Conditional Access), leading them to choose Option B, which incorrectly assumes compliance policies can directly revoke access without a Conditional Access policy.

How to eliminate wrong answers

Option A is wrong because blocking all access and then creating exclusions for compliant devices is an overly complex and error-prone approach; Conditional Access policies should grant access based on conditions, not block all and carve out exceptions. Option B is wrong because Intune compliance policies define the compliance criteria but do not enforce access control themselves; they rely on Conditional Access to block or allow access based on compliance status. Option D is wrong because requiring MFA based on location addresses authentication strength, not device compliance, and does not ensure that only compliant devices can access Microsoft 365 apps.

972
MCQmedium

A company uses Microsoft Entra ID Premium P2. They need to automatically block sign-ins from anonymous IP addresses (e.g., Tor) and force users from risky sign-ins to reset their password. They want to minimize administrative effort and use built-in features. Which Microsoft Entra ID feature should they enable?

A.Microsoft Entra ID Identity Protection risk policies (sign-in risk and user risk).
B.Conditional Access policies with locations and grant controls.
C.Microsoft Entra ID Privileged Identity Management (PIM).
D.Microsoft Entra ID Access Reviews.
AnswerA

Identity Protection includes built-in policies that automatically detect sign-in risks (including anonymous IP addresses) and user risks (e.g., leaked credentials). The sign-in risk policy can block the sign-in, and the user risk policy can require a password reset. This minimizes manual configuration.

Why this answer

Option A is correct because Microsoft Entra ID Identity Protection provides built-in risk policies that automatically detect and block sign-ins from anonymous IP addresses (e.g., Tor) via the sign-in risk policy, and force password reset for users flagged with high user risk via the user risk policy. These policies operate without manual intervention, minimizing administrative effort while leveraging Premium P2 capabilities.

Exam trap

The trap here is that candidates often confuse Conditional Access policies with Identity Protection risk policies, assuming that location-based blocking can replace dynamic risk detection, but Conditional Access lacks the built-in anonymous IP detection and automated password reset triggers that Identity Protection provides.

How to eliminate wrong answers

Option B is wrong because Conditional Access policies with locations and grant controls can block IP ranges or require MFA, but they cannot natively detect anonymous IP addresses like Tor or automatically trigger password resets based on risk; they rely on static location definitions rather than dynamic risk signals. Option C is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role activation and access reviews, not sign-in risk detection or password reset enforcement. Option D is wrong because Access Reviews are used for periodic attestation of group memberships or role assignments, not for real-time blocking of anonymous IPs or risk-based password resets.

973
MCQeasy

Your company is deploying a new application on Azure Kubernetes Service (AKS). You need to monitor the health and performance of the cluster, including container logs, metrics, and request rates. Which Azure service should you enable?

A.Azure Service Health
B.Azure Monitor for VMs
C.Azure Application Insights
D.Azure Monitor Container Insights
AnswerD

Specialized for AKS container monitoring.

Why this answer

Azure Monitor Container Insights is the correct service because it is specifically designed to monitor the health and performance of Azure Kubernetes Service (AKS) clusters. It collects container logs, metrics (such as CPU/memory usage), and request rates from the cluster via a containerized Log Analytics agent, providing visibility into the performance of workloads running on AKS.

Exam trap

The trap here is that candidates often confuse Azure Application Insights (which monitors application-level telemetry like requests and exceptions) with Container Insights (which monitors cluster-level health and container logs), leading them to choose C instead of D.

How to eliminate wrong answers

Option A is wrong because Azure Service Health provides a personalized dashboard of service issues, planned maintenance, and health advisories for Azure services, but it does not monitor the performance or logs of individual AKS clusters. Option B is wrong because Azure Monitor for VMs monitors the health and performance of virtual machines, not containerized workloads on AKS; it cannot collect container logs or request rates from Kubernetes pods. Option C is wrong because Azure Application Insights is an application performance management (APM) service for monitoring live web applications, not for collecting cluster-level metrics, container logs, or request rates from AKS infrastructure.

974
MCQhard

Your company has an Azure subscription with 100 virtual machines. You need to monitor the performance of these VMs and be alerted when the average CPU usage across a set of VMs exceeds 80% for 10 minutes. The set of VMs is defined by a tag (Environment=Production). Which Azure Monitor solution should you implement?

A. Use Azure Monitor VM Insights to visualize performance and set alerts per VM.
B. Create a metric alert rule with a dynamic threshold and scope it to a resource group containing Production VMs.
C. Create a metric alert rule with a static threshold of 80% for each Production VM individually.
D. Use a Log Analytics query to calculate average CPU and set a log alert.
Answer: B

Dynamic thresholds adapt to patterns and can be applied to a group of resources.

Why this answer

Option B is correct because a single metric alert rule (using either a dynamic or a static threshold) can be scoped to a resource group and filtered by a tag (e.g., Environment=Production), allowing you to monitor the average CPU usage across all VMs in that group without creating individual rules. This approach efficiently meets the requirement to alert when the average CPU usage across the set of VMs exceeds 80% for 10 minutes, because the rule aggregates the metric across the tagged VMs rather than evaluating each VM on its own.

Exam trap

The trap here is that candidates often assume they need to use VM Insights (Option A) or individual alerts (Option C) for per-VM monitoring, but the question specifically asks for an alert based on the average across a set of VMs, which is best achieved by a single metric alert rule scoped to a resource group with tag filtering.

How to eliminate wrong answers

Option A is wrong because VM Insights provides per-VM performance visualization and alerts, but it does not natively support aggregating metrics across a set of VMs defined by a tag to trigger a single alert based on the average CPU usage. Option C is wrong because creating individual metric alert rules for each Production VM would require managing 100 separate rules, which is inefficient and does not aggregate the average CPU usage across the set; it would alert per VM, not based on the collective average. Option D is wrong because a Log Analytics query with a log alert would require sending performance data to Log Analytics, incurring additional ingestion costs and complexity, whereas a metric alert is simpler and more cost-effective for this scenario.

975
MCQ · easy

A company stores log data in Azure Blob Storage. Logs are accessed frequently for the first 30 days, then rarely accessed but must be retained for 7 years for compliance. They want to minimize storage costs. Which storage tier and lifecycle management rule should they use?

A. Use the Cool tier for initial storage, and a lifecycle rule to move to Archive after 30 days.
B. Use the Hot tier for initial storage, and a lifecycle rule to move to the Cool tier after 30 days, then to Archive after 7 years.
C. Use the Hot tier for initial storage, and a lifecycle rule to move to Archive after 30 days.
D. Use the Archive tier for initial storage, and a lifecycle rule to move to Hot for the first 30 days.
Answer: C

Hot tier optimizes for frequent access during the first 30 days. Moving directly to Archive after 30 days minimizes storage cost during the long retention period, as Archive has the lowest storage cost for rarely accessed data.

Why this answer

Option C is correct because the Hot tier is optimal for frequent access during the first 30 days, and a lifecycle rule moving directly to Archive after 30 days minimizes costs by immediately transitioning to the lowest-cost storage tier for long-term retention. The Archive tier is the most cost-effective for data that is rarely accessed and must be retained for 7 years, as it offers the lowest storage cost but higher retrieval latency and cost.

Exam trap

The trap here is that candidates may overcomplicate by adding an intermediate Cool tier (Option B) or incorrectly assume Archive can be used for initial storage (Option D), failing to recognize that direct transition to Archive after the hot period is the most cost-effective for long-term retention with minimal access.

How to eliminate wrong answers

Option A is wrong because using the Cool tier for initial storage is not cost-effective for frequently accessed logs; the Hot tier has lower access costs for frequent reads/writes, making it more economical for the first 30 days. Option B is wrong because moving to Cool after 30 days and then to Archive after 7 years incurs unnecessary transition costs and storage costs in Cool for 7 years, whereas direct transition to Archive after 30 days is cheaper for long-term retention. Option D is wrong because storing data initially in the Archive tier is impractical for frequent access; Archive has high retrieval latency (up to 15 hours) and high access costs, making it unsuitable for data accessed frequently in the first 30 days.
