Microsoft Azure Solutions Architect Expert AZ-305 (AZ-305) — Questions 976-999

999 questions total · 14 pages · All types, answers revealed


Page 14 of 14

976
MCQ · medium

A company must prevent non-compliant devices from accessing Exchange Online and SharePoint Online. Which design should you recommend?

A. Conditional Access policy requiring a compliant device.
B. Azure Firewall application rule.
C. Storage account network rule.
D. Resource lock on the Microsoft 365 tenant.
Answer: A

This uses device compliance as an access-control signal for cloud apps.

Why this answer

Conditional Access policies in Microsoft Entra ID (formerly Azure AD) can enforce device compliance by integrating with Microsoft Intune. When a policy requires a compliant device, it checks the device's compliance status before granting access to Exchange Online and SharePoint Online, blocking non-compliant devices at the authentication layer. This is the correct design because it directly controls access to these cloud services based on device health.

Exam trap

The trap here is that candidates may confuse network-level controls (like Azure Firewall) with identity-driven access controls (like Conditional Access), assuming a firewall can filter SaaS traffic, but Azure Firewall cannot inspect or enforce device compliance for Microsoft 365 services.

How to eliminate wrong answers

Option B is wrong because Azure Firewall is a network-layer firewall for Azure virtual networks and cannot inspect or control access to SaaS applications like Exchange Online or SharePoint Online, which are accessed over the internet. Option C is wrong because Storage account network rules control access to Azure Blob, File, Queue, and Table storage, not to Microsoft 365 services like Exchange Online or SharePoint Online. Option D is wrong because a resource lock prevents accidental deletion or modification of an Azure resource but does not enforce any access control or device compliance requirements for Microsoft 365 tenants.

977
MCQ · easy

A company plans to migrate a legacy web application to Azure. The application runs on multiple Windows virtual machines (VMs) in an availability set. The VMs must be exposed to the internet via a single endpoint that performs SSL termination and health checks. The load-balancing solution must preserve the original client IP address for logging purposes. Which Azure service should the company use?

A. Azure Load Balancer (Standard)
B. Azure Application Gateway v2
C. Azure Traffic Manager
D. Azure Front Door
Answer: B

Application Gateway is a layer-7 load balancer that provides SSL termination, health probes, and preserves the client IP address via X-Forwarded-For headers.

Why this answer

Azure Application Gateway v2 is the correct choice because it is a Layer 7 load balancer that supports SSL termination, health probes, and provides a single public endpoint. It preserves the original client IP address by inserting the X-Forwarded-For header in the HTTP request, which the backend VMs can read for logging. This meets all requirements: single internet-facing endpoint, SSL offload, health checks, and client IP preservation.

Exam trap

The trap here is that candidates often confuse Azure Load Balancer (Layer 4) with Application Gateway (Layer 7), assuming that any load balancer can terminate SSL and preserve client IP, but only Layer 7 services can inspect HTTP headers and perform SSL offload natively.

How to eliminate wrong answers

Option A is wrong because Azure Load Balancer (Standard) operates at Layer 4 (TCP/UDP) and does not support SSL termination or HTTP-level health checks; it also preserves client IP only via Direct Server Return (DSR) mode, which is not suitable for SSL termination and adds complexity. Option C is wrong because Azure Traffic Manager is a DNS-based global traffic router that does not perform SSL termination or health checks at the application layer; it only directs traffic based on DNS resolution and cannot preserve the original client IP in the HTTP headers. Option D is wrong because Azure Front Door is a global Layer 7 service that does support SSL termination and health checks, but it is designed for global distribution and CDN scenarios, not for a single regional endpoint; it also modifies the client IP by default (inserting X-Forwarded-For but also adding its own IP), which can complicate logging if only a single regional endpoint is needed.

978
MCQ · easy

Your company uses Microsoft Entra ID for identity management. You need to ensure that only devices compliant with your company's security policies can access corporate resources. Which solution should you implement?

A. Conditional Access with device compliance policies from Microsoft Intune
B. Microsoft Purview Information Protection
C. Microsoft Sentinel
D. Microsoft Defender XDR
Answer: A

Conditional Access evaluates device compliance to allow access.

Why this answer

Conditional Access in Microsoft Entra ID allows you to enforce access controls based on conditions, including device compliance. By integrating with Microsoft Intune, you can define device compliance policies (e.g., requiring encryption, a minimum OS version, or anti-malware status) and then configure a Conditional Access policy to block or grant access only to devices that are marked as compliant. This directly ensures that only compliant devices can access corporate resources.

Exam trap

The trap here is that candidates often confuse Microsoft Defender XDR (which handles threat detection) with device compliance enforcement, not realizing that Conditional Access with Intune is the specific mechanism to gate access based on device health.

How to eliminate wrong answers

Option B is wrong because Microsoft Purview Information Protection focuses on classifying, labeling, and protecting sensitive data (e.g., via encryption and rights management), not on controlling device-level access based on compliance. Option C is wrong because Microsoft Sentinel is a Security Information and Event Management (SIEM) and Security Orchestration Automation and Response (SOAR) solution for threat detection and incident response, not for enforcing device compliance access policies. Option D is wrong because Microsoft Defender XDR (Extended Detection and Response) provides cross-domain threat detection and response across endpoints, email, and identities, but it does not natively enforce device compliance-based access control; that is the role of Conditional Access with Intune.

979
MCQ · medium

A company deploys a containerized microservices application on Azure Kubernetes Service (AKS). They need to expose the application to the internet with TLS termination and provide a single endpoint for multiple services. The solution must also include a Web Application Firewall (WAF). Which Azure service should they use as the ingress controller?

A. Azure Application Gateway with WAF
B. Azure Front Door with WAF
C. Azure Load Balancer with TLS termination
D. Azure Traffic Manager with health probes
Answer: A

Application Gateway Ingress Controller (AGIC) enables TLS termination, WAF, and single endpoint for AKS services.

Why this answer

Azure Application Gateway with WAF is the correct choice because it is a regional, layer-7 load balancer that can act as an ingress controller for AKS. It provides TLS termination at the gateway and integrates a Web Application Firewall (WAF) to protect against common web exploits. This allows a single public endpoint to route traffic to multiple microservices within the AKS cluster based on URL paths or host headers.

Exam trap

The trap here is that candidates often confuse Azure Front Door (global, edge-based) with Application Gateway (regional, cluster-facing), assuming both can serve as an AKS ingress controller, but only Application Gateway integrates natively with AKS via AGIC for internal cluster routing.

How to eliminate wrong answers

Option B is wrong because Azure Front Door is a global, multi-region load balancer and application delivery controller, not a regional ingress controller for AKS; it is designed for global HTTP(S) load balancing and WAF at the edge, not for terminating TLS and routing directly into a single AKS cluster's internal services. Option C is wrong because Azure Load Balancer operates at layer 4 (TCP/UDP) and does not support TLS termination or WAF; it cannot inspect HTTP headers or perform path-based routing. Option D is wrong because Azure Traffic Manager is a DNS-based traffic load balancer that operates at layer 3/4 and does not provide TLS termination, WAF, or HTTP-level routing; it only directs traffic to endpoints based on DNS resolution.

980
MCQ · hard

You are designing a storage solution for a healthcare application that stores patient records. The solution must meet the following requirements:
- Support for both structured and unstructured data.
- Provide low-latency access to frequently accessed data.
- Automatically move cold data to a lower-cost tier.
- Encrypt data at rest using customer-managed keys.
Which combination of Azure services should you recommend?

A. Azure Table Storage for structured data and Azure Blob Storage for unstructured data
B. Azure Files for unstructured data and Azure SQL Database for structured data
C. Azure Blob Storage for unstructured data and Azure Cosmos DB for structured data
D. Azure Blob Storage for unstructured data and Azure SQL Database for structured data
Answer: C

Blob Storage provides tiering; Cosmos DB provides low-latency access; both support CMK.

Why this answer

Option C is correct. Azure Blob Storage supports unstructured data with hot, cool, and archive tiers; Azure Cosmos DB supports structured data with low-latency access; both support customer-managed keys. Option B is wrong because Azure Files is for file shares, not a database.

Option D is wrong because Azure SQL Database is for relational data only. Option A is wrong because Azure Table Storage is a NoSQL key-value store but does not support automatic tiering.

981
Multi-Select · medium

Which THREE considerations are important when designing a data archiving solution for Azure Storage to optimize costs?

Select 3 answers
A. Use the hot tier for all data to ensure high performance.
B. Consider early deletion penalties for data moved to archive tier.
C. Account for data retrieval (rehydration) costs when accessing archived data.
D. Choose the appropriate access tier (hot, cool, or archive) based on access frequency.
E. Use geo-redundant storage (GRS) for all archive data.
Answers: B, C, D

Archive tier has a minimum 180-day retention charge.

Why this answer

Option B is correct because Azure Archive tier has a minimum storage duration of 180 days; deleting or moving data before that incurs an early deletion penalty equal to the cost of the remaining days. This is critical for cost optimization as it prevents unexpected charges from short-lived data.

Exam trap

The trap here is that candidates often overlook early deletion penalties and rehydration costs, focusing only on the low storage price of archive tier, leading to unexpected charges when data is deleted or accessed prematurely.

982
MCQ · medium

Your company is designing a governance strategy for Azure resources. The security team requires that all resource groups in the production subscription must have a specific tag (Environment=Production) applied automatically. Any resource group created without this tag must be reported within 24 hours. Which Azure policy should you implement?

A. Create a policy with effect 'audit' to report non-compliant resource groups.
B. Create a policy with effect 'append' to add the missing tag automatically.
C. Create a policy with effect 'deny' on the missing tag condition.
D. Create a policy with effect 'modify' to add the tag using a managed identity.
Answer: C

Deny prevents creation of resource groups without the required tag, ensuring compliance.

Why this answer

Option C is correct because the 'deny' effect prevents the creation of any resource group that does not include the required tag, enforcing compliance at the point of creation. The requirement to report non-compliant resource groups within 24 hours is satisfied by Azure Policy's built-in compliance evaluation, which automatically marks denied requests as non-compliant and surfaces them in the compliance dashboard. This approach ensures that no resource group can be created without the tag, eliminating the need for a separate reporting mechanism.

Exam trap

The trap here is that candidates often confuse 'audit' and 'deny' effects, thinking that reporting non-compliance is sufficient, but the requirement explicitly states the tag must be 'applied automatically', which 'deny' enforces by blocking creation, while 'audit' only reports after the fact.

How to eliminate wrong answers

Option A is wrong because the 'audit' effect only reports non-compliant resource groups after creation, but the requirement demands that the tag be applied automatically, not just reported. Option B is wrong because the 'append' effect adds the tag to existing non-compliant resources but does not prevent creation of untagged resource groups; it would also not trigger a report within 24 hours for newly created groups. Option D is wrong because the 'modify' effect requires a managed identity to add or change tags, which is unnecessary overhead for a simple tag enforcement scenario, and it does not block creation of untagged resource groups.

983
MCQ · easy

You are a Solutions Architect for an e-commerce company that runs its online store on Azure. The application consists of:
- Azure App Service (Windows) hosting the web frontend
- Azure SQL Database (General Purpose, serverless) for product catalog and orders
- Azure Cache for Redis for session state
- Azure Blob Storage for product images
The application is deployed in the East US region. The company wants to implement a disaster recovery (DR) plan that can fail over to a secondary region (West US) with minimal data loss. The requirements are:
- RPO: 5 minutes for the database
- RTO: 30 minutes for the entire application
- The solution must be cost-effective and not require manual intervention during failover.
Which of the following is the BEST course of action to meet these requirements?

A. Use Azure Backup for the SQL database with 5-minute backup frequency, deploy App Service in West US with staging slots, and use Azure Traffic Manager with priority routing.
B. Configure Azure SQL Database geo-replication with readable secondary, deploy App Service in West US with deployment slots, and use Azure Front Door with health probes. Cache for Redis is not critical and can be rebuilt.
C. Configure Azure SQL Database active geo-replication with auto-failover group, deploy App Service in West US with a separate App Service plan, enable geo-replication for Cache for Redis, and use RA-GRS for Blob Storage. Use Azure Traffic Manager with priority routing for the web app.
D. Deploy the entire application in an active-active configuration using Azure Front Door, with Azure SQL Database using failover groups and manual failover. Use Azure Backup for the database with 1-hour backup frequency.
Answer: C

Auto-failover group meets RPO and automates failover; Traffic Manager routes traffic; Redis geo-replication and RA-GRS ensure low data loss.

Why this answer

Option C is correct. Azure SQL Database active geo-replication with auto-failover groups achieves an RPO of 5 seconds and an RTO of 1 hour (with auto-failover, typically <1 hour). App Service can be deployed in the paired region with Traffic Manager or Front Door for quick failover.

Blob Storage can use geo-redundant storage (GRS) with read access (RA-GRS) for fast failover. Redis can be configured with geo-replication. Option A is wrong because Azure Backup does not provide 5-minute RPO.

Option B is wrong because read-only replicas are not for failover. Option D is wrong because manual steps increase RTO beyond 30 minutes, and Azure Backup is not suitable for the required RPO.

984
MCQ · hard

Your company uses Azure SQL Database and needs to archive data older than 7 years for compliance. The archived data must be stored in the most cost-effective manner, must be immutable, and must be deleted exactly after 10 years. What should you use?

A. Azure Archive Storage with lifecycle management to delete after 10 years
B. Azure Blob Storage with immutable storage and time-based retention policy
C. Azure SQL Database restore to a point in time with a retention period of 10 years
D. Azure SQL Database long-term retention (LTR) backups
Answer: B

Immutable storage enforces write-once-read-many (WORM) and time-based retention ensures deletion after 10 years.

Why this answer

Azure Blob Storage with immutable storage and a time-based retention policy ensures that archived data cannot be modified or deleted until the specified retention period expires. This meets the compliance requirements for immutability and a 10-year deletion timeline, while blob storage tiers (e.g., cool or archive) can be used for cost-effective long-term storage.

Exam trap

The trap here is that candidates often confuse Azure Archive Storage's low cost with immutability, failing to realize that immutability requires a separate WORM policy, which Archive Storage does not inherently provide.

How to eliminate wrong answers

Option A is wrong because Azure Archive Storage alone does not provide immutability; it only offers low-cost storage with lifecycle management for deletion, but without a write-once-read-many (WORM) policy, data could be altered or deleted prematurely. Option C is wrong because Azure SQL Database point-in-time restore has a maximum retention period of 35 days, not 10 years, and does not provide immutability. Option D is wrong because Azure SQL Database long-term retention (LTR) backups are not immutable; they can be manually deleted before the retention period ends, and they are stored as backups, not as an immutable archive.

985
MCQ · hard

A company has a hub-spoke network topology in Azure. They have multiple spoke VNets connected to a hub VNet via peering. They need to ensure that all east-west traffic between spoke VNets goes through a network virtual appliance (NVA) in the hub for inspection. Additionally, all outbound internet traffic from spoke VMs must use a single public IP address. What should they configure?

A. Configure spoke VNets with a default route to the NVA IP, and deploy a NAT gateway in the hub for outbound traffic.
B. Configure a route table in each spoke with a route to the hub NVA for inter-spoke traffic, and use Azure Firewall in the hub for outbound internet traffic.
C. Enable 'Allow gateway transit' on the hub VNet and 'Use remote gateways' on the spoke VNets for the NVA.
D. Configure VNet peering with 'Allow forwarded traffic' enabled, add user-defined routes in each spoke pointing to the NVA IP for inter-spoke traffic, and use Azure Firewall in the hub for outbound internet with a default route in spokes.
Answer: D

This combination correctly routes east-west traffic through the NVA using UDRs and 'Allow forwarded traffic'. For outbound, Azure Firewall provides a single public IP and UDRs direct internet traffic to it.

Why this answer

Option D is correct because it combines two critical configurations: user-defined routes (UDRs) in each spoke VNet force inter-spoke traffic through the NVA in the hub by specifying the NVA's IP as the next hop, and 'Allow forwarded traffic' on the VNet peering enables the hub NVA to forward packets between spokes. For outbound internet traffic, Azure Firewall in the hub provides a single public IP, and a default route (0.0.0.0/0) in the spoke UDRs directs all internet-bound traffic to the Azure Firewall's private IP, ensuring centralized inspection and egress.

Exam trap

The trap here is that candidates often forget to enable 'Allow forwarded traffic' on the VNet peering, assuming UDRs alone are sufficient for transitive routing through an NVA, or they confuse 'Allow gateway transit' with NVA forwarding, which is a common misstep in hub-spoke design questions.

How to eliminate wrong answers

Option A is wrong because a NAT gateway in the hub does not inspect traffic; it only provides source network address translation (SNAT) for outbound connections, failing the inspection requirement. Option B is wrong because while it correctly uses Azure Firewall for outbound traffic, it omits the critical 'Allow forwarded traffic' setting on the VNet peering, without which the hub NVA cannot forward packets between spoke VNets even with UDRs in place. Option C is wrong because 'Allow gateway transit' and 'Use remote gateways' are used for VPN/ExpressRoute gateway sharing, not for routing traffic through an NVA; these settings do not force inter-spoke traffic through the NVA.

986
MCQ · medium

A company uses Microsoft Entra ID (formerly Azure AD). They need to grant external partners access to an internal application for a limited time (30 days). The access request must be approved by a manager from the partner's organization, and after 30 days the access must automatically expire. They also want to send email reminders 7 days before expiration. Which Microsoft Entra ID feature should they use?

A. Microsoft Entra ID Identity Protection
B. Microsoft Entra ID Privileged Identity Management (PIM)
C. Microsoft Entra ID Entitlement Management
D. Microsoft Entra ID B2B with Conditional Access
Answer: C

Entitlement management is designed for governing access to resources, including external users, with approval workflows, time limits, and automatic expiration and reminders.

Why this answer

Microsoft Entra ID Entitlement Management enables organizations to manage access for external partners through access packages, which can include time-limited assignments, approval workflows (including manager approval from the partner's organization), and automatic expiration with email notifications. This directly meets the requirement for a 30-day access period with manager approval and 7-day reminder emails.

Exam trap

The trap here is that candidates often confuse PIM (which handles privileged role activation for internal admins) with Entitlement Management (which handles external partner access with full lifecycle governance), or assume B2B with Conditional Access alone can enforce time limits and reminders without the access package framework.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID Identity Protection is a security tool for detecting and responding to identity risks (e.g., compromised credentials, sign-in anomalies), not for managing time-limited external access with approvals and expiration. Option B is wrong because Microsoft Entra ID Privileged Identity Management (PIM) is designed for just-in-time privileged role activation and oversight for internal users, not for granting external partner access to applications with manager approval from the partner's organization. Option D is wrong because Microsoft Entra ID B2B with Conditional Access provides guest user invitations and access policies, but it lacks built-in capabilities for time-limited access packages, multi-stage approval workflows, and automatic expiration with email reminders; these require Entitlement Management.

987
MCQ · easy

You are designing a solution to securely store secrets, keys, and certificates for a cloud application. Which Azure service should you use?

A. Azure App Configuration
B. Azure Key Vault
C. Azure Managed HSM
D. Azure Storage
Answer: B

Azure Key Vault is designed for secure storage of secrets, keys, and certificates.

Why this answer

Azure Key Vault is the correct service for securely storing and managing secrets, keys, and certificates. Option A (Azure App Configuration) is wrong because it is optimized for application configuration, not secrets. Option C (Azure Managed HSM) is a hardware security module but is more specialized and not the standard recommendation for general secret storage.

Option D (Azure Storage) is incorrect as it lacks native secret management capabilities.

988
MCQ · easy

A company uses Microsoft Entra ID (formerly Azure AD). They want to require multi-factor authentication (MFA) for all users accessing the Azure portal, but do not want MFA to be required for other applications like Office 365. Which Microsoft Entra ID feature should they configure?

A. Microsoft Entra ID Security defaults
B. Microsoft Entra ID Conditional Access
C. Microsoft Entra ID Identity Protection
D. Microsoft Entra ID Privileged Identity Management (PIM)
Answer: B

Conditional Access policies can target specific cloud apps (e.g., Microsoft Azure Management) and require MFA only for those apps, leaving other apps unaffected.

Why this answer

Conditional Access in Microsoft Entra ID allows granular control over authentication requirements based on conditions such as application, user, location, or device state. By creating a Conditional Access policy targeting the Azure Portal application and requiring MFA, the company can enforce MFA specifically for Azure Portal access without affecting other applications like Office 365, which can be excluded from the policy.

Exam trap

The trap here is that candidates often confuse Security defaults (which enforces MFA broadly) with Conditional Access (which provides granular application-specific control), leading them to choose Security defaults when the question explicitly requires selective enforcement.

How to eliminate wrong answers

Option A is wrong because Security defaults enforces MFA for all users across all applications, including Office 365, which does not meet the requirement to restrict MFA only to the Azure portal. Option C is wrong because Identity Protection is a risk-based detection and remediation service that can trigger MFA based on user or sign-in risk, but it cannot be configured to require MFA for a specific application like the Azure portal while excluding others. Option D is wrong because Privileged Identity Management (PIM) provides just-in-time privileged access and approval workflows, not the ability to enforce MFA selectively per application.

989
MCQ · hard

Refer to the exhibit. You are implementing an Azure Policy to control VM SKU deployment. You assign this policy to a subscription. A developer attempts to deploy a virtual machine with SKU Standard_DS2_v2. What is the outcome?

A. The deployment is audited and logged.
B. The deployment is allowed.
C. The VM is deployed but flagged as non-compliant.
D. The deployment is denied.
Answer: D

The policy denies any VM SKU that is not Standard_D2s_v3.

Why this answer

The Azure Policy in the exhibit uses a 'deny' effect, which explicitly blocks any deployment that does not match the allowed VM SKUs. Since Standard_DS2_v2 is not in the allowed list, the policy engine evaluates the request during deployment and rejects it before any resource is created. This results in the deployment being denied entirely, not just audited or flagged.

Exam trap

The trap here is that candidates confuse the 'deny' effect with 'audit' or 'disabled', assuming the policy only logs non-compliance or allows deployment with a flag, when in fact 'deny' actively blocks the resource creation.

How to eliminate wrong answers

Option A is wrong because an 'audit' effect would log the non-compliant deployment without blocking it, but the policy uses 'deny', not 'audit'. Option B is wrong because the policy explicitly denies any SKU not in the allowed list, so the deployment is not allowed. Option C is wrong because the VM is never deployed; the 'deny' effect prevents resource creation, so there is no VM to flag as non-compliant.

990
MCQ · medium

You are designing a disaster recovery solution for a SQL Server database hosted on an Azure VM. The recovery point objective (RPO) is 5 minutes, and the recovery time objective (RTO) is 1 hour. Which strategy should you recommend?

A. Use Azure SQL Managed Instance with failover groups.
B. Configure log shipping to a secondary VM in another region.
C. Use Azure Backup to back up the database every 5 minutes.
D. Replicate the VM using Azure Site Recovery with 5-minute replication.
Answer: A

Failover groups provide automated replication and fast failover meeting RPO and RTO.

Why this answer

Azure SQL Managed Instance with failover groups provides automated, synchronous or asynchronous replication of the database to a secondary region, enabling a Recovery Point Objective (RPO) of 5 minutes and a Recovery Time Objective (RTO) of 1 hour. The failover group handles automatic or manual failover at the instance level, ensuring minimal data loss and rapid recovery without complex manual log shipping or backup restoration.

Exam trap

The trap here is that candidates often confuse Azure Site Recovery's 5-minute replication frequency with meeting database-level RPO, but Site Recovery replicates disk blocks, not SQL Server transaction log consistency, so it cannot guarantee a 5-minute RPO for database transactions without additional configuration like log shipping or Always On availability groups.

How to eliminate wrong answers

Option B is wrong because log shipping to a secondary VM in another region typically has an RPO of 15 minutes or more (depending on log backup frequency) and requires manual failover steps, making it unable to consistently meet a 5-minute RPO and 1-hour RTO. Option C is wrong because Azure Backup for SQL Server on Azure VM has a minimum backup frequency of 15 minutes for transaction log backups, not 5 minutes, and restoring from backups takes longer than 1 hour due to restore time and point-in-time recovery overhead. Option D is wrong because Azure Site Recovery replicates the entire VM at the disk level, not the database transaction logs, and its 5-minute replication frequency applies to disk changes, not SQL Server transaction log consistency, leading to potential data corruption or longer recovery times for database-consistent failover.

991
MCQ · easy

A company has Azure virtual networks (VNets) in three different Azure regions (West US, East US, and West Europe). They also have an on-premises data center connected to the East US region via ExpressRoute. They need to connect all VNets to each other and to the on-premises network. The solution must support transitive routing between all sites and provide centralized management of connectivity and routing policies. Which Azure service should they use?

A. VNet peering
B. Azure Virtual WAN
C. VPN Gateway
D. ExpressRoute Direct
Answer: B

Azure Virtual WAN provides a hub-and-spoke architecture with built-in transitive routing between VNets and on-premises sites via ExpressRoute or VPN. It offers centralized management of connectivity, routing, and security policies.

Why this answer

Azure Virtual WAN is correct because it provides a hub-and-spoke architecture with built-in transitive routing between all VNets and on-premises sites. It supports automatic connectivity through Virtual Hub routers, which use BGP to propagate routes across all spokes and branches, meeting the requirement for centralized management of connectivity and routing policies.

Exam trap

The trap here is that candidates often assume VNet peering can be chained to achieve transitive routing, but Azure explicitly blocks transitive routing through peered VNets unless a network virtual appliance or Azure Virtual WAN is used.

How to eliminate wrong answers

Option A is wrong because VNet peering does not support transitive routing; peered VNets cannot route traffic through each other to reach a third VNet or on-premises network without additional user-defined routes and network virtual appliances. Option C is wrong because a VPN Gateway only provides site-to-site or point-to-site connectivity to a single VNet and does not inherently enable transitive routing between multiple VNets or centralized policy management across regions. Option D is wrong because ExpressRoute Direct is a physical port offering for dedicated private connections to Azure, not a service that provides transitive routing or centralized connectivity management between multiple VNets and on-premises networks.

992
MCQeasy

You need to design a solution to store configuration data for a cloud-native application. The configuration must be centrally managed, versioned, and accessible to multiple services without hard-coding values. Which Azure service should you use?

A.Azure App Configuration
B.Azure Cosmos DB
C.Azure Blob Storage
D.Azure Key Vault
AnswerA

App Configuration is designed for managing application settings.

Why this answer

Option A is correct. Azure App Configuration is a central store for application settings and feature flags: key-values can be labeled per environment, the store keeps a revision history of every change, and services read it through the SDK or a managed identity instead of hard-coding values. Option B is wrong because Azure Cosmos DB is a general-purpose database, not a configuration store. Option C is wrong because Azure Blob Storage holds unstructured objects and has no key-value or revision semantics for settings. Option D is wrong because Azure Key Vault is for secrets, keys and certificates; configuration values belong in App Configuration, which can hold Key Vault references for the few values that are secrets.

993
MCQmedium

A company runs an application on Azure VMs that must be backed up according to regulatory compliance: daily backups retained for 30 days, weekly backups retained for 12 months, and yearly backups retained for 7 years. The backups must be stored in a secondary region for disaster recovery. They want to use Azure Backup for VMs. Which backup policy and storage configuration should they implement?

A.Configure a backup policy in Azure Backup for VMs with daily, weekly, and yearly retention rules, and enable cross-region restore by using a Recovery Services Vault with geo-redundant storage.
B.Enable backup with Azure Backup using the default policy and select Geo-Redundant Storage (GRS) for the Recovery Services Vault.
C.Use Azure Site Recovery to replicate VMs to the secondary region and configure retention policies in the replication settings.
D.Perform file-level backups using Azure Backup and store them in a separate storage account with read-access geo-redundant storage (RA-GRS).
AnswerA

Azure Backup policies can specify different retention durations for daily, weekly, and yearly backups. Cross-region restore is enabled by default with geo-redundant storage, allowing recovery in a secondary region.

Why this answer

Option A is correct because Azure Backup for VMs allows you to create a custom backup policy with daily, weekly, and yearly retention points, meeting the regulatory requirements. By enabling cross-region restore (CRR) on a Recovery Services Vault configured with geo-redundant storage (GRS), backups are automatically replicated to a paired secondary region, providing disaster recovery without additional infrastructure.

Exam trap

The trap here is that candidates often confuse Azure Site Recovery (disaster recovery) with Azure Backup (long-term retention), or assume the default policy can be customized to include yearly retention without realizing it must be explicitly configured.

How to eliminate wrong answers

Option B is wrong because the default backup policy in Azure Backup does not include weekly or yearly retention rules, so it cannot meet the 12-month weekly and 7-year yearly requirements. Option C is wrong because Azure Site Recovery is designed for replication and failover, not for long-term backup retention; it keeps recovery points for at most a few days and has no daily/weekly/yearly retention tiers. Option D is wrong because file-level backups do not capture the full VM state (OS disk, data disks and application consistency), and RA-GRS storage on its own only replicates bytes; it provides neither the retention policy nor the restore tooling in the secondary region that compliance requires.
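Option A expressed with the Az.RecoveryServices PowerShell module, as an added example rather than code from the original page. The resource group, vault and VM names and the 02:00 UTC backup time are assumptions; the cmdlets and property names are the documented Az.RecoveryServices ones.

```powershell
# Added example: GRS vault with cross-region restore, plus a VM backup policy that keeps
# dailies 30 days, weeklies 52 weeks (12 months) and yearlies 7 years. Names are assumed.
$rg    = 'rg-backup-eastus'
$vault = New-AzRecoveryServicesVault -ResourceGroupName $rg -Name 'rsv-prod-eastus' -Location 'eastus'

# Storage redundancy is locked as soon as the first item is protected, so set GRS and
# enable cross-region restore BEFORE enabling any VM backup.
Set-AzRecoveryServicesBackupProperty -Vault $vault -BackupStorageRedundancy GeoRedundant
Set-AzRecoveryServicesBackupProperty -Vault $vault -EnableCrossRegionRestore
Set-AzRecoveryServicesVaultContext -Vault $vault

# Daily schedule at 02:00 UTC. Retention times must match the schedule run time.
$runTime  = (Get-Date -Date '2024-01-01T02:00:00Z').ToUniversalTime()
$schedule = Get-AzRecoveryServicesBackupSchedulePolicyObject -WorkloadType AzureVM
$schedule.ScheduleRunTimes[0] = $runTime

$retention = Get-AzRecoveryServicesBackupRetentionPolicyObject -WorkloadType AzureVM

# Daily: 30 days
$retention.IsDailyScheduleEnabled        = $true
$retention.DailySchedule.DurationCountInDays = 30
$retention.DailySchedule.RetentionTimes[0]   = $runTime

# Weekly: 12 months. Weekly retention is counted in weeks, hence 52.
$retention.IsWeeklyScheduleEnabled            = $true
$retention.WeeklySchedule.DaysOfTheWeek       = @('Sunday')
$retention.WeeklySchedule.DurationCountInWeeks = 52
$retention.WeeklySchedule.RetentionTimes[0]   = $runTime

# Monthly: not required by the regulation, so switch the default off.
$retention.IsMonthlyScheduleEnabled = $false

# Yearly: 7 years, taken from the first Sunday of January.
$retention.IsYearlyScheduleEnabled                       = $true
$retention.YearlySchedule.MonthsOfYear                   = @('January')
$retention.YearlySchedule.RetentionScheduleFormatType    = 'Weekly'
$retention.YearlySchedule.RetentionScheduleWeekly.DaysOfTheWeek  = @('Sunday')
$retention.YearlySchedule.RetentionScheduleWeekly.WeeksOfTheMonth = @('First')
$retention.YearlySchedule.DurationCountInYears           = 7
$retention.YearlySchedule.RetentionTimes[0]              = $runTime

$policy = New-AzRecoveryServicesBackupProtectionPolicy -Name 'vm-regulatory-30d-12m-7y' `
    -WorkloadType AzureVM -SchedulePolicy $schedule -RetentionPolicy $retention -VaultId $vault.ID

# Protect a VM (assumed name and resource group) with the policy.
Enable-AzRecoveryServicesBackupProtection -Policy $policy -Name 'vm-app01' `
    -ResourceGroupName 'rg-app-eastus' -VaultId $vault.ID

# Check: the vault must report GeoRedundant storage with cross-region restore enabled.
Get-AzRecoveryServicesBackupProperty -Vault $vault
```

Two details bite in practice: the redundancy change is rejected once the vault holds a protected item, and a weekly or yearly retention point only exists if the schedule actually ran on the chosen day, so the daily schedule must cover Sundays.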

994
Multi-Selectmedium

A company is designing a highly available architecture for a web application on Azure VMs. The solution must protect against both planned and unplanned downtime and provide automatic failover. Which TWO Azure services should the company use together? (Choose two.)

Select 2 answers
A.Azure Availability Zones
B.Azure Site Recovery
C.Azure Traffic Manager
D.Azure Load Balancer
E.Azure Application Gateway
AnswersA, D

Availability Zones place VMs in different physical locations within a region, providing fault isolation.

Why this answer

Option A (Azure Availability Zones) places the VMs in physically separate datacenters within the region, so a zone outage, planned or unplanned, takes down only part of the fleet. Option D (Azure Load Balancer, Standard SKU) with a zone-redundant frontend health-probes the backend VMs across zones and stops sending traffic to the ones that fail, which is the automatic failover. Together they give high availability within the region, which is what the question asks for.

Option B (Azure Site Recovery) replicates VMs to another region for disaster recovery; failover is an orchestrated recovery plan, not automatic traffic steering. Option C (Azure Traffic Manager) provides DNS-based failover across regions, not intra-region high availability, and is only as fast as client DNS caching allows. Option E (Azure Application Gateway v2) can also be deployed zone-redundant and adds a WAF, so it would pair with Availability Zones too, but the listed pairing is Load Balancer and the answer key is A and D.

995
MCQhard

Contoso is a global e-commerce company that runs its platform on Azure Kubernetes Service (AKS) with Istio service mesh. The application uses Azure Cosmos DB (API for MongoDB) with multi-region writes enabled. The platform also uses Azure Cache for Redis Enterprise for session caching. The business requires a Recovery Time Objective (RTO) of 30 seconds and a Recovery Point Objective (RPO) of 0 for all tiers. You need to design a disaster recovery solution that meets these requirements with high availability. What should you recommend?

A.Deploy AKS in two regions with Azure Traffic Manager. Use Azure Cosmos DB with multi-region writes. Use Azure Cache for Redis Enterprise with active geo-replication.
B.Deploy AKS in two regions with Azure Front Door. Use Azure Cosmos DB with a single write region and auto-failover. Use Azure Cache for Redis Standard with geo-replication.
C.Deploy AKS in two regions with Azure Front Door. Use Azure Cosmos DB with multi-region writes. Use Azure Cache for Redis Enterprise with active geo-replication.
D.Use Azure SQL Database with auto-failover groups for the database tier. Deploy AKS in two regions with Azure Front Door. Use Azure Cache for Redis Enterprise with active geo-replication.
AnswerC

All tiers support multi-region writes with zero data loss; Azure Front Door provides automatic failover within seconds.

Why this answer

Option C is correct because every tier is active in both regions: Azure Cosmos DB multi-region writes lets both regions accept writes, Azure Cache for Redis Enterprise active geo-replication does the same for the cache, and Azure Front Door health-probes the two AKS deployments and fails over in seconds rather than waiting on DNS. Option A is wrong because Azure Traffic Manager is DNS-based; failover waits on client DNS TTLs and resolver caches, which does not fit a 30-second RTO. Option B is wrong because a single Cosmos DB write region with auto-failover replicates asynchronously, so a regional outage loses in-flight writes (RPO greater than 0), and Redis Standard geo-replication is a passive replica that needs a manual failover.

Option D is wrong because Azure SQL Database auto-failover groups are asynchronous geo-replication with a single writable primary: a forced failover after a regional outage can lose committed transactions, so RPO 0 is not guaranteed.

Practitioner caveat: replication between Cosmos DB write regions is also asynchronous, and Microsoft's published RPO for multi-region writes is not strictly zero (only a single write region at strong consistency is documented as RPO 0). The exam treats multi-region writes as the zero-data-loss design, but a real RPO 0 requirement should be checked against the documented figures for the consistency level you pick.

996
MCQeasy

A company uses Microsoft Entra ID. They want to require users to use multi-factor authentication when accessing the Azure portal from any device. They do not want to require MFA for other applications. Which Microsoft Entra ID feature should they configure?

A.Conditional Access policy targeting Azure Portal
B.Per-user MFA (legacy)
C.Security defaults
D.Identity Protection
AnswerA

Correct. Conditional Access can be scoped to the Azure Portal application and require MFA, without affecting other apps.

Why this answer

Conditional Access policies allow granular control over authentication requirements based on conditions such as application, user, location, or device state. By creating a policy that targets the 'Microsoft Azure Management' cloud app and requires multi-factor authentication, you can enforce MFA specifically for the Azure portal without affecting other applications. This provides the precise control requested, unlike broader or legacy methods. One caveat a practitioner should expect: that app is the Azure Resource Manager endpoint, so the policy also covers Azure CLI, Azure PowerShell and direct ARM REST calls, not only the portal UI; there is no narrower "portal only" target.

Exam trap

The trap here is that candidates often confuse Security defaults (which is a blanket MFA enforcement for all apps) with the ability to scope MFA to a single application, leading them to choose Security defaults instead of the more precise Conditional Access policy.

How to eliminate wrong answers

Option B (Per-user MFA) is wrong because it enables MFA for all applications and sign-ins of the assigned user, not just the Azure portal, and it is a legacy feature with no conditional targeting. Option C (Security defaults) is wrong because it enforces MFA for all users and all applications, which contradicts the requirement to not require MFA for other applications. Option D (Identity Protection) is wrong because it is a risk-based detection and remediation service: it can trigger MFA on sign-in risk, but it does not target a specific application like the Azure portal. It works in conjunction with Conditional Access but is not the feature to configure for this requirement.
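Option A as a Microsoft Graph PowerShell script, added here as an example and not taken from the original page. The emergency-access (break-glass) group id is an assumption; the Microsoft Azure Management app id is the well-known one published by Microsoft.

```powershell
# Added example: Conditional Access policy that requires MFA only for Microsoft Azure
# Management, using the Microsoft.Graph PowerShell module. Break-glass group id is assumed.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Well-known app id of "Microsoft Azure Management" (Windows Azure Service Management API).
# It fronts Azure Resource Manager, so it covers the portal, Azure CLI, Azure PowerShell
# and direct ARM REST calls; there is no narrower "portal only" target.
$azureManagementAppId = '797f4846-ba00-4fd7-ba43-dac1f8f63013'
$breakGlassGroupId    = '00000000-0000-0000-0000-000000000000'   # assumed: emergency-access accounts

$policy = @{
    displayName = 'CA-001 Require MFA for Azure management'
    # Start in report-only, review the sign-in logs for a few days, then set 'enabled'.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlassGroupId)   # never lock the break-glass accounts out
        }
        applications   = @{ includeApplications = @($azureManagementAppId) }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Check: an enabled policy already granting 'mfa' for All cloud apps would mean the
# "other applications are unaffected" requirement is being broken by something else.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.State -eq 'enabled' -and $_.Conditions.Applications.IncludeApplications -contains 'All' } |
    Select-Object DisplayName, @{ n = 'Grants'; e = { $_.GrantControls.BuiltInControls -join ',' } }
```

Report-only mode is not optional hygiene here: a policy scoped to Azure management that misfires locks administrators out of the very portal they need to fix it, which is also why the break-glass exclusion is part of the policy rather than an afterthought.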

997
Multi-Selecteasy

Which TWO are valid methods to authenticate users in a Microsoft Entra ID hybrid identity solution? (Select TWO.)

Select 2 answers
A.Cloud-only authentication
B.Password hash synchronization
C.Federation with Active Directory Federation Services (ADFS)
D.Pass-through Authentication
E.Seamless Single Sign-On
AnswersB, D

Synchronizes password hashes to cloud for authentication.

Why this answer

Password hash synchronization (B) is a valid authentication method for Microsoft Entra hybrid identity because Microsoft Entra Connect synchronizes a hash of the on-premises Active Directory password hash to the cloud, letting users sign in with the same password without any additional infrastructure. Pass-through authentication (D) is also valid: lightweight agents on-premises validate the password directly against Active Directory, and no password hashes are stored in the cloud. Both are cloud authentication methods, and both can be combined with Seamless SSO. Federation with AD FS (C) is also a supported hybrid sign-in method, but Microsoft recommends it only when a requirement cannot be met by cloud authentication; this item is asking for the two cloud authentication methods.

Exam trap

The trap here is that candidates often confuse Seamless Single Sign-On (SSO) as an authentication method, when it is actually a feature that works on top of password hash sync or pass-through authentication to provide automatic sign-in, not a standalone authentication method.

998
MCQhard

A company runs a mission-critical SQL Server database on an Azure virtual machine using SQL Server Standard Edition. They need a disaster recovery solution that replicates the database to a secondary Azure region with a recovery point objective (RPO) of 15 minutes and a recovery time objective (RTO) of 1 hour. The solution must support non-disruptive disaster recovery drills. The company cannot modify the SQL Server configuration or use Always On features due to licensing constraints. Which Azure service should they use?

A.Azure Site Recovery
B.SQL Server log shipping to a VM in the secondary region
C.Azure Backup with cross-region restore
D.Azure SQL Database geo-replication
AnswerA

Site Recovery replicates the whole VM continuously, taking crash-consistent recovery points every few minutes and application-consistent points on a schedule you set, so a 15-minute RPO is achievable. Test failovers run the replica in an isolated network without touching production, fulfilling the DR drill requirement.

Why this answer

Azure Site Recovery (ASR) replicates the entire VM (including the SQL Server database) to a secondary Azure region, meeting the RPO of 15 minutes and RTO of 1 hour. It supports non-disruptive disaster recovery drills by allowing test failovers in an isolated network without affecting the production environment. ASR does not require any changes to SQL Server configuration or licensing, as it operates at the hypervisor level using continuous replication.

Exam trap

The trap here is that candidates often choose Azure Backup (Option C) thinking cross-region restore gives a low RPO, but Azure VM backup runs at most a few times a day, so its RPO is measured in hours, and restoring a backup in the secondary region is a rebuild, not a non-disruptive drill.

How to eliminate wrong answers

Option B is wrong because SQL Server log shipping must be configured inside SQL Server (backup, copy and restore jobs on both instances), which the company has ruled out; it can meet the RPO, but a drill requires recovering the standby database, which either takes it out of restoring mode or interrupts the log chain, so it is not non-disruptive. (Log shipping is not an Always On feature and is available in Standard Edition; the constraint it violates is the configuration one, not licensing.) Option C is wrong because Azure Backup with cross-region restore provides point-in-time backups taken at most a few times a day, so its RPO is hours rather than 15 minutes, and it does not support non-disruptive drills. Option D is wrong because Azure SQL Database geo-replication is a PaaS feature that cannot be used with SQL Server running on an Azure VM (IaaS); it requires migrating to Azure SQL Database, which is not the scenario described.
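The two halves of Option A that matter for the stated requirements, the replication policy and the non-disruptive drill, as an added Az.RecoveryServices example (not code from the original page). It assumes the VM 'sql01' has already been enabled for Azure-to-Azure replication into the vault 'rsv-dr-westus' using the policy shown, that the default fabric and container names follow the ASR naming pattern given, and that 'vnet-dr-test' is an isolated test network with no route to production.

```powershell
# Added example: ASR Azure-to-Azure policy and a test failover + cleanup. Vault, fabric,
# container, VM and network names are assumed; enabling replication itself is assumed done.
$vault = Get-AzRecoveryServicesVault -ResourceGroupName 'rg-dr' -Name 'rsv-dr-westus'
Set-AzRecoveryServicesAsrVaultContext -Vault $vault

# Replication policy used when replication was enabled: keep 24 h of recovery points and
# take an application-consistent snapshot (VSS with the SQL writer) every hour. Crash-
# consistent points are generated continuously, so the effective RPO is minutes, inside
# the 15-minute target, with no change to SQL Server itself.
$policy = New-AzRecoveryServicesAsrPolicy -AzureToAzure -Name 'a2a-sql-24h-appc-1h' `
    -RecoveryPointRetentionInHours 24 -ApplicationConsistentSnapshotFrequencyInHours 1

# Locate the protected item.
$fabric    = Get-AzRecoveryServicesAsrFabric -Name 'asr-a2a-default-eastus'
$container = Get-AzRecoveryServicesAsrProtectionContainer -Fabric $fabric -Name 'asr-a2a-default-eastus-container'
$item      = Get-AzRecoveryServicesAsrReplicationProtectedItem -ProtectionContainer $container -FriendlyName 'sql01'

# Check before the drill: do not test failover from a replica that is already unhealthy.
if ($item.ReplicationHealth -ne 'Normal') {
    throw "Replication health for sql01 is $($item.ReplicationHealth); fix replication before drilling"
}

# Test failover: a copy of the VM is built in the isolated test VNet from the latest
# recovery point. Production keeps running and keeps replicating throughout.
$testVnet = Get-AzVirtualNetwork -ResourceGroupName 'rg-dr' -Name 'vnet-dr-test'
$job = Start-AzRecoveryServicesAsrTestFailoverJob -ReplicationProtectedItem $item `
    -Direction PrimaryToRecovery -AzureVMNetworkId $testVnet.Id
do {
    Start-Sleep -Seconds 30
    $job = Get-AzRecoveryServicesAsrJob -Job $job
} while ($job.State -eq 'InProgress')
if ($job.State -ne 'Succeeded') { throw "Test failover failed with state $($job.State)" }

# Here: connect to the test VM, run DBCC CHECKDB / application smoke tests, and record
# the time from job start to a working database as the measured RTO.

# Cleanup deletes the test VM and marks the drill complete; this is what makes the
# exercise non-disruptive. Replication is never paused.
Start-AzRecoveryServicesAsrTestFailoverCleanupJob -ReplicationProtectedItem $item `
    -Comment 'Quarterly DR drill: SQL online, RTO measured under 1 hour'
```

The health check at the top is the step most drills skip: a test failover from a replica in Critical state succeeds as a job but proves nothing about the real RPO.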

999
MCQmedium

Your company plans to deploy a new application to Azure. The application will be used by external partners. You need to design an identity solution that allows partners to authenticate using their own corporate credentials while ensuring that the application can enforce conditional access policies based on partner device compliance. What should you include in the design?

A.Federate your Microsoft Entra tenant with each partner's on-premises Active Directory.
B.Create guest user accounts in your Microsoft Entra tenant and assign them application roles.
C.Configure Microsoft Entra B2C and federate with partner identity providers.
D.Configure Microsoft Entra B2B collaboration and enable conditional access policies for guest users.
AnswerD

Entra B2B allows partners to use their own identities and conditional access can evaluate device compliance.

Why this answer

Option D is correct because Microsoft Entra B2B collaboration lets you invite external partners as guest users who authenticate with their own corporate credentials in their home tenant. You can then enforce Conditional Access policies, including device compliance checks, on these guest users by targeting the policy at guest and external user types or at specific partner tenants. One caveat a practitioner must design in: the guest's device is enrolled in the partner's Intune, not yours, so the compliant-device grant only works after you configure inbound trust settings in cross-tenant access settings to accept the partner tenant's device compliance (and MFA) claims; without that trust, the policy blocks every partner sign-in.

Exam trap

The trap here is that candidates often confuse Microsoft Entra B2C (for customers) with Microsoft Entra B2B (for partners), leading them to choose Option C, which cannot enforce conditional access policies based on partner device compliance.

How to eliminate wrong answers

Option A is wrong because federating your Entra tenant with each partner's on-premises Active Directory would mean managing a federation trust for every partner, and federation carries no device-compliance signal; Conditional Access evaluates device state from your own tenant unless you explicitly trust the partner tenant's claims, which is a B2B cross-tenant access setting, not a federation feature. Option B is wrong because creating guest accounts and assigning application roles is only the invitation half of B2B; on its own it gives partners access but does not enforce any Conditional Access policy, so nothing checks their device compliance. Option C is wrong because Microsoft Entra B2C is designed for customer-facing identity with self-service sign-up, not for partner access with corporate credentials, and B2C does not support Conditional Access policies based on device compliance for its users.
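Option D, including the cross-tenant trust that makes the compliant-device grant satisfiable for guests, as an added Microsoft Graph PowerShell example (not code from the original page). The partner tenant id and the application's client id are assumptions.

```powershell
# Added example: trust the partner tenant's device-compliance claims, then require a
# compliant device from that tenant's guests on the partner app. Ids are assumed.
Connect-MgGraph -Scopes 'Policy.ReadWrite.CrossTenantAccess', 'Policy.ReadWrite.ConditionalAccess'

$partnerTenantId = '11111111-1111-1111-1111-111111111111'   # assumed: partner's Entra tenant id
$partnerAppId    = '22222222-2222-2222-2222-222222222222'   # assumed: the new app's client id

# Inbound trust for this partner only. A guest's device is enrolled in the partner's
# Intune, so without this setting it can never be "compliant" in your tenant and a
# compliantDevice grant would block every partner sign-in.
New-MgPolicyCrossTenantAccessPolicyPartner -BodyParameter @{
    tenantId     = $partnerTenantId
    inboundTrust = @{
        isMfaAccepted                       = $true    # also avoids double MFA prompts
        isCompliantDeviceAccepted           = $true
        isHybridAzureADJoinedDeviceAccepted = $false
    }
}

# Conditional Access: B2B collaboration guests from the named partner tenant, on this
# app only, must present a compliant device. Report-only first, as with any new policy.
$policy = @{
    displayName = 'CA-B2B Require compliant device for partner app'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeGuestsOrExternalUsers = @{
                guestOrExternalUserTypes = 'b2bCollaborationGuest'
                externalTenants = @{
                    '@odata.type'  = '#microsoft.graph.conditionalAccessEnumeratedExternalTenants'
                    membershipKind = 'enumerated'
                    members        = @($partnerTenantId)
                }
            }
        }
        applications = @{ includeApplications = @($partnerAppId) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Check: the partner entry exists and compliant-device trust is on.
(Get-MgPolicyCrossTenantAccessPolicyPartner `
    -CrossTenantAccessPolicyConfigurationPartnerTenantId $partnerTenantId).InboundTrust
```

Scoping the policy to an enumerated partner tenant rather than all external tenants keeps guests from tenants you have not set up trust with from being silently locked out of the app.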
