Microsoft Azure Solutions Architect Expert AZ-305 (AZ-305) — Questions 76–150

999 questions total · 14 pages · All types, answers revealed

Page 2 of 14
76 · MCQ · medium

A global e-commerce platform uses Azure Cosmos DB for its product catalog. The application requires multi-region writes to provide low-latency updates from any geographic location. Two users may update the same product item concurrently, so the solution must automatically resolve conflicts. For real-time inventory checks, reads must be strongly consistent, while product description reads can be eventually consistent. Which Cosmos DB configuration should they choose?

A. SQL API with multi-region writes, last-writer-wins conflict resolution, and per-request strong consistency
B. MongoDB API with multi-region writes and automatic conflict resolution
C. Table API with multi-region writes and strong consistency
D. Cassandra API with multi-region writes and strong consistency
Answer: A

SQL API supports multi-master writes, customizable conflict resolution, and the ability to set strong consistency on a per-request basis.

Why this answer

Option A is correct because the SQL API in Cosmos DB supports multi-region writes with last-writer-wins (LWW) conflict resolution using a timestamp or custom property, which automatically resolves concurrent updates to the same product item. Per-request strong consistency allows inventory reads to achieve linearizability by setting the consistency level at the request level, while product description reads can use the default session or eventual consistency for performance. This combination meets all requirements: multi-region writes, automatic conflict resolution, and the ability to mix strong and eventual consistency on a per-request basis.

Exam trap

The trap here is that candidates assume all Cosmos DB APIs support multi-region writes and per-request strong consistency equally, but only the SQL API (and the Table API with specific limitations) offers the full flexibility to mix consistency levels per request, while the MongoDB, Cassandra, and Table APIs have fixed account-level consistency or lack multi-region write support entirely.

How to eliminate wrong answers

Option B is wrong because the MongoDB API in Cosmos DB does not support per-request strong consistency; it only offers a fixed set of consistency levels at the account level, and its automatic conflict resolution is limited to LWW without the flexibility to mix consistency levels per request. Option C is wrong because the Table API does not support multi-region writes; it is designed for single-region writes with read-only replicas, and it lacks per-request strong consistency. Option D is wrong because the Cassandra API does not support multi-region writes in Cosmos DB; it is limited to single-region writes, and its consistency model is based on Cassandra's tunable consistency (e.g., QUORUM) rather than Cosmos DB's per-request strong consistency.

77 · MCQ · medium

A company is designing a multi-region disaster recovery solution for Azure VMs. They need to ensure that if the primary region fails, VMs can be failed over to a secondary region with minimal data loss. The application writes data to Azure SQL Database and Azure Files. Which Azure service should they use to meet the recovery point objective (RPO) of 5 seconds for the SQL Database?

A. Azure Site Recovery for SQL Server
B. Active geo-replication for SQL Database
C. Failover groups with auto-failover
D. Geo-restore of SQL Database backups
Answer: B

Active geo-replication provides an RPO of 5 seconds.

Why this answer

Option B is correct because Azure SQL Database active geo-replication provides a configurable RPO of 5 seconds. Option C is incorrect because failover groups provide a higher RPO of 1 hour. Option D is incorrect because geo-restore has an RPO of hours.

Option A is incorrect because Azure Site Recovery replicates VMs, not the database, and does not meet the SQL RPO.

78 · MCQ · hard

Your company runs a critical application on Azure App Service. You need to design a disaster recovery solution that ensures the application is available in another region within 5 minutes of a regional failure. The application uses Azure SQL Database as its backend. The solution must minimize data loss and cost. What should you recommend?

A. Deploy App Service in two regions with Azure Traffic Manager. Use Azure SQL Database failover groups with active geo-replication.
B. Deploy App Service in one region with multiple instances. Use Azure SQL Database failover groups with manual failover.
C. Deploy App Service in two regions with Azure Front Door. Use Azure SQL Database with zone-redundant configuration.
D. Deploy App Service in two regions with Azure Traffic Manager. Use Azure SQL Database geo-restore for the database.
Answer: A

Failover groups provide an RTO of less than 1 minute, meeting the requirement.

Why this answer

Deploying App Service in two regions with Traffic Manager for routing and Azure SQL Database failover groups with active geo-replication provides the best balance of cost and performance. Option D is incorrect because it does not include database replication. Option C is incorrect because it uses Azure Front Door, which is more expensive.

Option B is incorrect because manual failover does not meet the 5-minute RTO.

79 · MCQ · hard

A company is designing a hybrid storage solution to connect on-premises file shares to Azure. They need to cache frequently accessed files locally for low-latency access while storing all files in Azure. The solution must support SMB protocol and integrate with existing Windows file servers. Which Azure service should they use?

A. Azure Blob Storage with NFS 3.0 support
B. Azure Files
C. Azure File Sync
D. Azure NetApp Files
Answer: C

Azure File Sync provides cloud tiering and local caching with SMB.

Why this answer

Azure File Sync is the correct choice because it enables caching of frequently accessed files on-premises via a sync agent installed on Windows Server, while all files are stored in Azure Files. This provides low-latency access for local users and supports SMB protocol, seamlessly integrating with existing Windows file servers through a cloud tiering feature that keeps only hot files locally.

Exam trap

The trap here is that candidates often confuse Azure Files (a cloud-only SMB share) with Azure File Sync (which adds local caching and sync capabilities), leading them to select Azure Files without recognizing the requirement for on-premises low-latency access.

How to eliminate wrong answers

Option A is wrong because Azure Blob Storage with NFS 3.0 support does not natively support SMB protocol and cannot integrate with existing Windows file servers as a cached file share; it is designed for POSIX-compliant workloads. Option B is wrong because Azure Files alone provides a cloud-based SMB share but does not cache files locally on-premises; it requires direct network connectivity and does not offer local caching for low-latency access. Option D is wrong because Azure NetApp Files supports SMB but is a fully managed, high-performance file service that does not provide local caching on existing Windows file servers; it is intended for enterprise workloads requiring dedicated throughput, not hybrid caching.

80 · MCQ · hard

Your company plans to deploy a new SaaS application that will be used by employees and external users. The application requires single sign-on (SSO) and must support conditional access policies that enforce MFA for external users. Additionally, the application must be able to read user profile attributes from Microsoft Entra ID. You need to design an identity solution that meets these requirements. What should you include in the design?

A. Register the application in Microsoft Entra ID (App Registration) and configure it to use OpenID Connect for authentication; apply conditional access policies to the app.
B. Use Azure AD Application Proxy to publish the SaaS app and configure pre-authentication with Entra ID.
C. Use Microsoft Entra Domain Services to authenticate the application via LDAP.
D. Register the application in Microsoft Entra B2C and configure federation with your Entra ID tenant.
Answer: A

App registration supports SSO, conditional access, and Graph API for profile reads.

Why this answer

Option A is correct because registering the application in Microsoft Entra ID (App Registration) and configuring OpenID Connect (OIDC) enables SSO and allows the application to read user profile attributes via the Microsoft Graph API. Conditional access policies can be applied directly to the enterprise app in Entra ID to enforce MFA for external users, meeting all stated requirements.

Exam trap

The trap here is that candidates may confuse Azure AD Application Proxy (for on-premises apps) or Entra B2C (for customer identities) with the correct solution for a SaaS app requiring employee and external user access with conditional access and Graph API reads.

How to eliminate wrong answers

Option B is wrong because Azure AD Application Proxy is designed for publishing on-premises apps, not SaaS applications, and does not inherently support reading user profile attributes via Graph API. Option C is wrong because Microsoft Entra Domain Services provides LDAP/Kerberos/NTLM authentication for legacy apps and does not support modern SSO protocols like OIDC or conditional access policies for SaaS apps. Option D is wrong because Microsoft Entra B2C is intended for customer-facing identity management with external identity providers, not for employee access to a SaaS app, and it does not natively support reading user profile attributes from the primary Entra ID tenant via Graph API.

81 · MCQ · easy

A company is designing a data storage solution for a globally distributed application that requires low-latency read access to frequently accessed data and high throughput for write operations. The data is non-relational and can be stored as key-value pairs. Which Azure service should they use?

A. Azure Table Storage
B. Azure Cosmos DB
C. Azure SQL Database
D. Azure Blob Storage
Answer: B

Azure Cosmos DB provides global distribution, low-latency reads, and high throughput for key-value data.

Why this answer

Azure Cosmos DB is the correct choice because it is a globally distributed, multi-model database service that provides guaranteed low-latency reads (under 10 ms at the 99th percentile) and high throughput for write operations, with automatic indexing and turnkey global distribution. It natively supports key-value data models, making it ideal for non-relational, frequently accessed data requiring consistent performance across regions.

Exam trap

The trap here is that candidates often confuse Azure Table Storage as a sufficient key-value store for global scenarios, overlooking its lack of global distribution and guaranteed low-latency SLAs, which Cosmos DB uniquely provides.

How to eliminate wrong answers

Option A is wrong because Azure Table Storage is a NoSQL key-value store but lacks global distribution, automatic indexing, and guaranteed low-latency SLAs; it is designed for simpler, less demanding workloads and cannot match Cosmos DB's throughput and latency guarantees. Option C is wrong because Azure SQL Database is a relational database that requires a fixed schema and does not natively support key-value pair storage; it is optimized for structured, relational data and ACID transactions, not for high-throughput, low-latency key-value access. Option D is wrong because Azure Blob Storage is an object storage service for unstructured data (e.g., images, videos) and does not provide key-value pair semantics or the sub-10 ms read latency and high write throughput required for a globally distributed application; it is designed for bulk storage and streaming, not transactional key-value operations.

82 · Multi-Select · medium

Which TWO of the following Azure services support storing JSON documents without requiring a predefined schema? (Select two.)

Select 2 answers
A. Azure Purview
B. Azure Blob Storage
C. Azure Cosmos DB
D. Azure Analysis Services
E. Azure SQL Database
Answers: B, C

Blob Storage can store JSON files as blobs without schema enforcement.

Why this answer

Azure Blob Storage is correct because it can store JSON documents as blobs (block blobs) without requiring a predefined schema. The service treats the JSON as opaque binary data, allowing you to upload, download, and manage JSON files with no schema enforcement, making it suitable for schema-less document storage.

Exam trap

The trap here is that candidates may mistakenly think Azure SQL Database's JSON support (e.g., OPENJSON, JSON_VALUE) means it can store JSON without a schema, but in reality, the JSON must be inserted into a predefined table column, so the table schema is still required.

83 · MCQ · easy

You need to design a storage solution for unstructured data that requires low latency (single-digit milliseconds) for frequently accessed files and must support NFS and SMB protocols. Which Azure storage solution should you recommend?

A. Azure Files
B. Azure Blob Storage
C. Azure Disk Storage
D. Azure NetApp Files
Answer: D

Azure NetApp Files offers high-performance file shares with both NFS and SMB, low latency.

Why this answer

Azure NetApp Files provides high-performance file storage with NFS and SMB support in a fully managed service. Option B (Azure Blob Storage) is object storage, not file shares. Option A (Azure Files) supports SMB but not NFS and may have higher latency.

Option C (Azure Disk Storage) is block storage for VMs.

84 · MCQ · hard

Refer to the exhibit. You run this Kusto query in Azure Monitor Logs. What does it return?

A. The number of heartbeats per computer in the last hour.
B. Computers that sent a heartbeat in the last 5 minutes.
C. Computers that have not sent a heartbeat in the last 5 minutes.
D. The average heartbeat frequency per computer.
Answer: C

The query filters for computers whose last heartbeat is older than 5 minutes.

Why this answer

The query uses the `Heartbeat` table and filters for heartbeats older than 5 minutes (`ago(5m)`). The `where` clause selects records where `TimeGenerated` is less than 5 minutes ago, meaning it finds heartbeats that were sent before that threshold. The `distinct Computer` then returns only computers whose most recent heartbeat is older than 5 minutes, i.e., computers that have not sent a heartbeat in the last 5 minutes.

This is a common pattern for detecting unresponsive or offline machines.

Exam trap

The trap here is that candidates misread the comparison operator: `TimeGenerated < ago(5m)` selects records older than 5 minutes (not newer), leading them to incorrectly think the query returns computers that recently sent a heartbeat.

How to eliminate wrong answers

Option A is wrong because the query does not count heartbeats per computer; it uses `distinct Computer` to return unique computer names, not an aggregation like `summarize count()`. Option B is wrong because the filter `TimeGenerated < ago(5m)` selects records older than 5 minutes, not records within the last 5 minutes; to find computers that sent a heartbeat in the last 5 minutes, the filter would be `TimeGenerated > ago(5m)`. Option D is wrong because the query does not calculate any average or frequency; it simply returns distinct computer names based on a time filter, with no aggregation or statistical function.

85 · MCQ · hard

A financial services company needs to store sensitive transaction records in Azure for 7 years to meet regulatory compliance. The data must be immutable and cannot be deleted or modified during the retention period. Which Azure storage feature should you enable?

A. Blob versioning with lifecycle management
B. Soft delete for blob storage
C. Immutable blob with time-based retention policy
D. Legal hold on the storage container
Answer: C

Immutable blob policies guarantee data cannot be deleted or modified for a specified period.

Why this answer

Option C is correct because immutable blob storage with a time-based retention policy enforces WORM (Write Once, Read Many) compliance, ensuring that data cannot be deleted or modified for a specified retention period. This meets the 7-year regulatory requirement for sensitive transaction records, as the policy locks the data at the blob level and prevents any overwrite or deletion, even by administrators with elevated permissions.

Exam trap

The trap here is that candidates confuse soft delete or versioning with immutability, not realizing that only immutable blob storage provides true WORM protection that prevents any modification or deletion during the retention period.

How to eliminate wrong answers

Option A is wrong because blob versioning with lifecycle management preserves previous versions of blobs but does not prevent deletion or modification of the current version; it only allows recovery of older versions, not immutability. Option B is wrong because soft delete for blob storage retains deleted blobs for a configurable period but does not prevent deletion in the first place; data can still be deleted (and later recovered), which violates the immutable requirement. Option D is wrong because a legal hold on the storage container prevents deletion of blobs only while the hold is active, but it does not enforce a fixed retention period and can be removed by an authorized user, failing the 7-year compliance mandate.

86 · MCQ · medium

Your organization uses Microsoft Entra ID and requires that all external users accessing resources must be approved by a designated reviewer. You need to automate the review process for external identities. What should you implement?

A. Microsoft Purview
B. Privileged Identity Management (PIM)
C. Microsoft Entra access reviews
D. Conditional Access
Answer: C

Access reviews automate the periodic review of external users' access.

Why this answer

Microsoft Entra access reviews allow you to automate the periodic review of external identities, ensuring that only approved users retain access. This feature directly supports the requirement for a designated reviewer to approve or deny external users, with automated reminders and results. It is the correct choice because it is purpose-built for governance of external identities in Entra ID.

Exam trap

The trap here is confusing Privileged Identity Management (PIM) with access reviews, as both involve approvals, but PIM is for privileged roles while access reviews are for ongoing user access certification, especially for external identities.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview is a data governance and compliance solution focused on data classification, labeling, and risk management, not on automating identity access reviews. Option B is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role activation and approval, not the periodic review of all external identities. Option D is wrong because Conditional Access enforces access policies based on conditions like location or device state, but does not provide a workflow for designated reviewers to approve or deny external user access.

87 · Multi-Select · medium

You are designing a highly available architecture for a stateful application running on Azure Virtual Machines. The application requires a shared storage solution that supports concurrent read/write access from multiple VMs, and must be resilient to zone failures. Which TWO Azure solutions meet these requirements? (Choose TWO.)

Select 2 answers
A. Azure Disk Storage with shared disks enabled
B. Azure NetApp Files with cross-zone replication
C. Azure Files (Premium tier) with zone-redundant storage (ZRS)
D. Azure Managed Disks with Standard SSD
E. Azure Blob Storage with hot access tier and geo-redundant storage (GRS)
Answers: B, C

Supports concurrent access and zone resilience.

Why this answer

Option C (Azure Files premium shares) supports SMB multichannel and concurrent access, and can be zone-redundant. Option B (Azure NetApp Files) supports NFS/SMB and cross-zone replication. Option E (Azure Blob Storage) does not support concurrent access as a file share.

Option D (Azure Managed Disks) cannot be shared without special clustering. Option A (Azure Disk Storage with shared disks) is limited to 2-3 nodes and is not zone-redundant.

88 · Multi-Select · medium

Your company uses Microsoft Entra ID. You need to implement a governance strategy for guest users. Which TWO actions should you take? (Choose two.)

Select 2 answers
A. Create access reviews for guest users
B. Disable external identities
C. Block all guest user access
D. Enable self-service sign-up for guest users
E. Configure Microsoft Entra entitlement management
Answers: A, E

Access reviews ensure guest access is reviewed periodically.

Why this answer

Access reviews for guest users (Option A) are a core governance control in Microsoft Entra ID, allowing administrators to periodically review and confirm or revoke guest access. This ensures that guest accounts remain necessary and compliant with security policies, directly addressing the governance requirement.

Exam trap

The trap here is that candidates may confuse blocking or disabling guest access (Options B and C) with governance, when the correct approach involves reviewing and managing guest access through reviews and entitlement management.

89 · MCQ · easy

A company needs to back up an Azure virtual machine that runs a file server. They want to restore individual files quickly without restoring the entire VM. Which backup option should they use?

A. Azure File Sync with cloud tiering.
B. Azure Backup using MARS agent with file and folder backup.
C. Azure Backup for Azure VMs with file-level restore.
D. Azure Backup for Azure VMs with instant restore.
Answer: C

File-level restore allows mounting the backup as a disk to recover files.

Why this answer

Option C (Azure Backup for Azure VMs with file-level restore) allows restoring individual files. Option A (Azure File Sync) is for backup, not restore.

Option D (Azure Backup for Azure VMs with instant restore) restores the whole VM from snapshots; it is not integrated with file-level recovery.

90 · MCQ · hard

Refer to the exhibit. You run a KQL query against Azure Cosmos DB diagnostics logs. The query shows increasing latency for Query operations over time. Which is the most likely root cause?

A. A query is consuming increasing RU over time, possibly due to a hot partition
B. The Cosmos DB account has reached its storage limit
C. The Cosmos DB account is being throttled due to insufficient RUs
D. There is network latency between the client and the Cosmos DB endpoint
Answer: A

Increasing latency indicates inefficient queries or hot partitions consuming more RUs.

Why this answer

The query latency increase over time, combined with the fact that the query is consuming more Request Units (RU) per execution, strongly indicates a hot partition. In Azure Cosmos DB, a hot partition occurs when a disproportionate amount of traffic hits a single physical partition, causing that partition's RU budget to be exhausted while others remain underutilized. This leads to increased latency for queries targeting that partition, as the partition's resources become saturated.

Exam trap

The trap here is that candidates often confuse throttling (Option C) with latency degradation, but throttling is an immediate rejection (HTTP 429), not a gradual latency increase; the key clue is the 'increasing latency over time' combined with 'increasing RU consumption,' which points to a hot partition, not a capacity issue.

How to eliminate wrong answers

Option B is wrong because Cosmos DB has no fixed storage limit; it scales horizontally, and storage limits are tied to provisioned throughput, not a hard cap that would cause increasing latency. Option C is wrong because throttling (HTTP 429) would cause immediate errors or retries, not a gradual increase in latency over time; the query would either succeed or fail, not slowly degrade. Option D is wrong because network latency between client and endpoint would manifest as a constant baseline delay, not a trend of increasing latency; it would not correlate with query RU consumption.

91 · MCQ · medium

A company is building a big data analytics platform that will process structured, semi-structured, and unstructured data using Azure Synapse Analytics and other tools. They need a storage layer that supports hierarchical namespaces and fine-grained access control at the directory level. Which Azure storage solution should they use?

A. Azure Blob Storage
B. Azure Data Lake Storage Gen2
C. Azure Files
D. Azure Cosmos DB
Answer: B

ADLS Gen2 provides a hierarchical namespace and ACL support, enabling efficient data management and security at the directory level for big data analytics.

Why this answer

Azure Data Lake Storage Gen2 (ADLS Gen2) is the correct choice because it combines Azure Blob Storage with a hierarchical namespace, enabling directory-level access control lists (ACLs) and POSIX-compliant permissions. This is essential for the big data analytics platform described, as it must support structured, semi-structured, and unstructured data with fine-grained access control at the directory level, which Azure Synapse Analytics can directly query via ABFS (Azure Blob File System) driver.

Exam trap

The trap here is that candidates often confuse Azure Blob Storage with ADLS Gen2, assuming blob storage supports hierarchical namespaces natively, but it requires explicit enabling of the hierarchical namespace feature, which is only available in ADLS Gen2 accounts.

How to eliminate wrong answers

Option A is wrong because Azure Blob Storage does not support a hierarchical namespace by default; it uses a flat namespace, which prevents directory-level ACLs and requires workarounds for folder-like structures. Option C is wrong because Azure Files provides SMB file shares with directory-level access, but it is designed for lift-and-shift file shares and lacks the hierarchical namespace and POSIX ACLs needed for big data analytics with Azure Synapse. Option D is wrong because Azure Cosmos DB is a NoSQL database for globally distributed, low-latency applications, not a storage layer for hierarchical namespace and directory-level ACLs; it uses a document or graph model, not a file system.

92 · Multi-Select · easy

Your company uses Microsoft Entra ID for identity management. You need to implement a solution that automatically blocks sign-ins from risky users and requires multi-factor authentication (MFA) when a sign-in risk is detected. Which TWO services should you use? (Choose two.)

Select 2 answers
A. Microsoft Purview
B. Microsoft Entra ID Protection
C. Microsoft Defender XDR
D. Microsoft Intune
E. Conditional Access policies
Answers: B, E

Identity Protection detects risky users and sign-ins.

Why this answer

Microsoft Entra ID Protection (B) is the service that detects sign-in risks (e.g., anonymous IP, atypical travel) and labels users or sign-ins as risky. Conditional Access policies (E) then enforce automated responses, such as blocking the sign-in or requiring MFA, based on the risk level from Entra ID Protection. Together, they provide the detection and enforcement mechanism described in the requirement.

Exam trap

The trap here is that candidates often confuse Microsoft Defender XDR (which includes identity threat detection) with the policy enforcement layer, but only Conditional Access policies can apply the automated MFA or block action based on risk from Entra ID Protection.

93 · MCQ · easy

A retail company runs its e-commerce platform on Azure VMs. The application uses Azure SQL Database. You are designing a business continuity plan. The company wants to minimize recovery time for a regional outage. Which Azure service should you use to replicate the VMs to a secondary region?

A. Azure Traffic Manager
B. Azure Backup
C. Azure Load Balancer
D. Azure Site Recovery
Answer: D

Site Recovery orchestrates replication and failover of VMs to a secondary region.

Why this answer

Option D is correct because Azure Site Recovery is designed for VM replication to a secondary region, providing an RTO in minutes. Option B (Azure Backup) is for backup and restore, not replication. Option A (Azure Traffic Manager) is for traffic routing.

Option C (Azure Load Balancer) is for distributing traffic within a region.

94 · MCQ · medium

A company deploys a web application on multiple Azure VMs in a single region. They need to distribute incoming HTTP and HTTPS traffic across the VMs, offload SSL/TLS termination, and maintain session persistence (sticky sessions) so that all requests from a user session go to the same backend VM. Which Azure load balancing solution should they use?

A. Azure Application Gateway
B. Azure Load Balancer
C. Azure Traffic Manager
D. Azure Front Door
Answer: A

Correct: Application Gateway provides Layer 7 load balancing, SSL termination, and cookie-based session affinity.

Why this answer

Azure Application Gateway is a Layer 7 load balancer that can distribute HTTP/HTTPS traffic, offload SSL/TLS termination, and support session persistence via cookie-based affinity (sticky sessions). These capabilities directly match the requirements, making it the correct choice.

Exam trap

The trap here is that candidates often confuse Azure Load Balancer (Layer 4) with Application Gateway (Layer 7), assuming that any load balancer can handle SSL termination and sticky sessions, but only Layer 7 solutions like Application Gateway or Front Door provide these features.

How to eliminate wrong answers

Option B (Azure Load Balancer) is wrong because it operates at Layer 4 (TCP/UDP) and cannot perform SSL/TLS termination or inspect HTTP/HTTPS traffic for session persistence. Option C (Azure Traffic Manager) is wrong because it is a DNS-based traffic router that directs traffic across regions, not within a single region, and it does not handle SSL termination or sticky sessions. Option D (Azure Front Door) is wrong because it is a global Layer 7 load balancer and CDN designed for multi-region distribution, not for a single-region deployment, and its session affinity uses different mechanisms (e.g., ARR affinity) that are not optimized for intra-region VM load balancing.

95 · Multi-Select · medium

Which TWO features should you use to meet an RPO of 0 seconds for an Azure SQL Database that is part of a critical application?

Select 2 answers
A. Azure Site Recovery for SQL VMs.
B. Azure SQL Database backups with short-term retention.
C. Failover group with readable secondary.
D. Active geo-replication with auto-failover group.
E. Auto-failover group with asynchronous replication.
Answers: C, D

Failover group uses active geo-replication with synchronous mode.

Why this answer

Option D (active geo-replication with auto-failover group) and Option C (failover group with readable secondary) provide synchronous replication with RPO = 0. Option B (backups) has a higher RPO. Option A (ASR) is not for databases.

Option E (auto-failover group) includes active geo-replication.

96 · Multi-Select · hard

Which THREE of the following are required components for a disaster recovery solution using Azure Site Recovery for on-premises Hyper-V VMs?

Select 3 answers
A. A Recovery Services vault in the target Azure region.
B. A replication policy that defines retention and recovery points.
C. The Azure Site Recovery Provider installed on each Hyper-V host.
D. Azure Backup Server installed on-premises.
E. An ExpressRoute connection from on-premises to Azure.
Answers: A, B, C

Vault stores replication data and settings.

Why this answer

Options A, B, and C are correct. Azure Site Recovery requires a Recovery Services vault, a replication policy, and the Azure Site Recovery Provider installed on Hyper-V hosts. Option D (Azure Backup Server) is not required; Site Recovery uses its own replication mechanism.

Option E (ExpressRoute) is optional.

97 · MCQ · hard

Your company is designing a data lake solution using Azure Data Lake Storage Gen2. The solution must support hierarchical namespace for efficient directory operations, and must provide encryption at rest using customer-managed keys stored in Azure Key Vault. Which steps must you take to enable customer-managed key encryption for the storage account?

A.Create the storage account with a user-assigned managed identity, then enable hierarchical namespace, and configure encryption.
B.Create the storage account without hierarchical namespace, then enable it later, and configure encryption with Key Vault.
C.Create the storage account and specify customer-managed key encryption during creation using the Azure portal.
D.Create the storage account with hierarchical namespace enabled, then assign a system-assigned managed identity, and configure encryption with Azure Key Vault.
AnswerD

This is the correct order: create account, enable identity, configure encryption.

Why this answer

Option D is correct because Azure Data Lake Storage Gen2 requires hierarchical namespace to be enabled at account creation time, and customer-managed key encryption with Azure Key Vault requires a system-assigned managed identity to be assigned to the storage account after creation. The system-assigned identity is used to authenticate to Key Vault for key access, and encryption with customer-managed keys can be configured post-creation via the Azure portal or PowerShell.

Exam trap

The trap here is that candidates assume customer-managed key encryption can be configured during storage account creation, but Azure requires it to be set post-creation after a managed identity is assigned, and hierarchical namespace must be enabled at creation time.

How to eliminate wrong answers

Option A is wrong because a user-assigned managed identity is not required; a system-assigned managed identity is the correct identity type for customer-managed key encryption with Key Vault, and hierarchical namespace must be enabled during creation, not after. Option B is wrong because hierarchical namespace cannot be enabled after the storage account is created; it must be specified at creation time. Option C is wrong because customer-managed key encryption cannot be specified during storage account creation in the Azure portal; it must be configured after the account is created, and a managed identity must be assigned first.

98
MCQ (medium)

Your company is deploying a new application that uses Azure Cosmos DB for globally distributed low-latency reads and writes. The application must be highly available with a recovery point objective (RPO) of less than 5 seconds and recovery time objective (RTO) of less than 1 second in case of a regional outage. Which Cosmos DB configuration should you recommend?

A. Multiple write regions with manual failover and eventual consistency.
B. Single write region with strong consistency and multi-region writes disabled.
C. Single write region with multiple read regions and multi-region writes disabled.
D. Multiple write regions enabled with automatic failover and session consistency.
Answer: D

Multi-region writes allow RTO < 1s and RPO = 0 for writes within the same region.

Why this answer

Option D is correct because enabling multiple write regions with automatic failover provides RTO < 1 s and RPO = 0 within a region. Option C (single write region with read replicas) has RTO > 1 s. Option B (strong consistency) limits availability.

Option A (manual failover) increases RTO.

99
MCQ (medium)

A company uses Azure SQL Database for a critical OLTP workload. They need a disaster recovery solution that automatically fails over to a secondary region with an RPO of 5 seconds and an RTO of 1 hour. What should they implement?

A. Azure SQL Database zone-redundant configuration
B. Azure SQL Database active geo-replication
C. Azure SQL Database auto-failover groups
D. Azure SQL Managed Instance failover groups
Answer: B

Active geo-replication provides RPO of 5 seconds and RTO of 1 hour.

Why this answer

Option B is correct because Azure SQL Database active geo-replication provides an RPO of up to 5 seconds and an RTO of 1 hour. Option C is wrong because auto-failover groups with a read-write failover policy can also meet the requirements, but the question asks for active geo-replication specifically; automatic failover groups typically have an RTO of 1 hour but a higher RPO for geo-failover.

Option D is wrong because Azure SQL Managed Instance has different RPO/RTO characteristics.

100
MCQ (hard)

Your Azure subscription contains multiple virtual machines (VMs) that run a line-of-business application. You need to configure alerts when the CPU usage exceeds 90% for more than 5 minutes. Additionally, the alert must automatically trigger a runbook to scale out the application. Which Azure service should you use to create this alert?

A. Azure Automation
B. Azure Logic Apps
C. Azure Monitor metric alert
D. Azure Autoscale
Answer: C

Metric alerts can trigger action groups that include runbooks.

Why this answer

Azure Monitor metric alerts can evaluate resource metrics like CPU usage at a specified frequency and trigger actions when a threshold (e.g., 90%) is breached for a given duration (e.g., 5 minutes). The alert can invoke an Automation runbook via an action group, enabling automatic scaling of the application. This is the correct service because it directly supports metric-based alerting with multi-condition evaluation and action group integration.

Exam trap

The trap here is that candidates confuse Azure Monitor metric alerts with Azure Autoscale, assuming Autoscale can both alert and trigger runbooks, when in fact Autoscale only performs scaling actions based on its own rules and does not generate alerts or invoke runbooks.

How to eliminate wrong answers

Option A is wrong because Azure Automation is a service for authoring and running runbooks, but it does not itself evaluate metrics or generate alerts; it can only be triggered by an alert action group. Option B is wrong because Azure Logic Apps is a workflow orchestration service that can respond to alerts via connectors, but it is not the native alerting service for metric thresholds and would require additional configuration to evaluate CPU usage. Option D is wrong because Azure Autoscale is a scaling service that can automatically adjust resources based on metrics, but it does not create alerts or trigger runbooks; it directly scales resources without an intermediate alerting step.

101
Multi-Select (easy)

Which TWO of the following are valid data storage solutions for an Azure-based microservices architecture that requires high throughput and low latency? (Choose two.)

Select 2 answers
A. Azure Table Storage
B. Azure Cosmos DB
C. Azure Files
D. Azure Cache for Redis
E. Azure SQL Database
Answers: B, D

Cosmos DB is a globally distributed, multi-model database with guaranteed low latency and high throughput.

Why this answer

The correct answers are B and D. Option E is wrong because Azure SQL Database is relational and may not provide the scalability needed for high throughput. Option C is wrong because Azure Files is for file shares and is not optimized for microservices.

Option A is wrong because Table Storage is a NoSQL key-value store with lower throughput than Cosmos DB.

102
MCQ (medium)

Your organization is building a serverless application that processes events from Azure Event Hubs and stores results in Azure Cosmos DB. The processing logic must be scalable and cost-effective, with no idle costs. Which compute service should you use?

A. Azure Functions
B. Azure Container Instances
C. Azure Logic Apps
D. Azure Kubernetes Service
Answer: A

Functions are serverless, scalable, and cost-effective with no idle costs.

Why this answer

Option A is correct because Azure Functions can be triggered by Event Hubs and scale automatically, with pay-per-execution pricing. Option C is incorrect because Azure Logic Apps is more expensive and less suitable for high-throughput event processing. Option B is incorrect because Azure Container Instances have idle costs and are not serverless.

Option D is incorrect because Azure Kubernetes Service has management overhead and idle costs.

103
MCQ (medium)

A company uses Microsoft Entra ID. They want to grant a user temporary access to the Global Administrator role for a specific task. The access must require approval from a manager and automatically expire after 4 hours. Which Microsoft Entra ID feature should they use?

A. Microsoft Entra ID Conditional Access
B. Microsoft Entra ID Identity Protection
C. Microsoft Entra ID Privileged Identity Management (PIM)
D. Microsoft Entra ID Access Reviews
Answer: C

PIM enables just-in-time privileged access to Microsoft Entra ID roles with approval, activation time limits, and automatic expiration, meeting the requirement.

Why this answer

Microsoft Entra ID Privileged Identity Management (PIM) provides just-in-time (JIT) privileged access, allowing users to activate roles like Global Administrator for a limited time. It supports approval workflows (manager approval) and configurable activation duration (e.g., 4 hours), making it the correct choice for temporary, approved, time-bound role elevation.

Exam trap

The trap here is confusing PIM's JIT activation with Conditional Access policies, which control access to applications but not role elevation, or with Access Reviews, which are for periodic recertification rather than temporary activation.

How to eliminate wrong answers

Option A is wrong because Conditional Access enforces policies based on signals like location or device state to control access to resources, but it does not provide time-bound role activation or approval workflows for privileged roles. Option B is wrong because Identity Protection detects and remediates identity-based risks (e.g., leaked credentials, sign-in anomalies) and does not manage role activation or approval. Option D is wrong because Access Reviews automate periodic attestation of group memberships or role assignments but do not support on-demand, temporary activation with approval and automatic expiration.

104
MCQ (hard)

Refer to the exhibit. An administrator configured Azure Site Recovery for a VM. The replication is ongoing but the health shows a warning. What is the most likely cause?

A. The recovery point retention is set to 5 days, causing storage issues.
B. The replication provisioning state failed.
C. The Azure Site Recovery service does not have sufficient permissions to access the source VM or storage account.
D. The replication interval is set to 15 minutes, exceeding the required RPO.
Answer: C

Error 0x80070005 is an access denied error, indicating a permissions issue.

Why this answer

Option C is correct because the error code 0x80070005 indicates an access denied error, typically caused by insufficient permissions on the source VM or storage account. Option D is wrong because the replication frequency is set to 300 seconds, which means a 5-minute RPO, not 15 minutes. Option A is wrong because the recovery point retention is set to 1440 minutes (24 hours), not 5 days.

Option B is wrong because the provisioning state is Succeeded, so there is no provisioning failure.

105
MCQ (easy)

You are designing a business continuity solution for a mission-critical Azure Kubernetes Service (AKS) cluster. The cluster hosts a stateful application that uses Azure Disks for persistent volumes. You need to ensure that the application can be recovered in a secondary region within 1 hour of a regional failure. What should you use to replicate the persistent volumes?

A. Azure Disk Backup with geo-redundant storage
B. Azure Backup with disk snapshot policies
C. Azure File Sync to replicate the disk content
D. Azure Site Recovery with replication of the AKS node VMs and attached disks
Answer: D

ASR replicates VMs and disks to secondary region.

Why this answer

Option D is correct because Azure Site Recovery can replicate Azure Disks (via VM replication) to a secondary region. Velero can back up AKS resources, but for stateful disks ASR is more appropriate for DR. Option B is wrong because Azure Backup is for file/VM backup, not disk replication.

Option C is wrong because Azure File Sync is for file shares, not disks. Option A is wrong because Azure Disk Backup is for backup, not replication for DR.

106
MCQ (easy)

A company is planning to migrate its on-premises Active Directory to Microsoft Entra ID. They have a complex on-premises infrastructure with multiple forests and over 50,000 users. They need to synchronize identities and enable single sign-on (SSO) for Office 365. What should you recommend?

A. Microsoft Entra Connect Cloud Sync
B. Microsoft Entra Connect
C. Microsoft Entra ID synchronization
D. Microsoft Entra Connect Sync
Answer: D

Microsoft Entra Connect Sync supports multiple forests and large-scale deployments.

Why this answer

Option B is incorrect because Microsoft Entra Connect is the correct tool, but it only supports a single forest. Option D is correct because Microsoft Entra Connect Sync supports multiple forests and large numbers of users. Option A is incorrect because Microsoft Entra Connect Cloud Sync is for simpler scenarios and does not support multiple forests.

Option C is incorrect because Microsoft Entra ID synchronization is not a product name; it is a concept.

107
MCQ (medium)

Refer to the exhibit. The JSON shows role assignments for user1. The role definition IDs are: b24988ac-6180-42a0-ab88-20f7382dd24c = Key Vault Secrets User, 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 = Reader. User1 reports being unable to list secrets in the key vault 'vault-prod' using Azure CLI. What is the most likely cause?

A. User1 does not have any role assignment on the key vault
B. The Key Vault Secrets User role does not include the ability to list secrets
C. User1 must have the Contributor role on the key vault
D. The Reader role at resource group scope overrides the vault role
Answer: B

The role only allows reading secret values, not listing.

Why this answer

Option B is correct because the Key Vault Secrets User role at the vault scope does not include the 'list' permission on secrets; it only allows reading secret values. Option A is wrong because user1 has a role assignment at the vault scope. Option D is wrong because the Reader role at resource group scope does not grant permissions on secrets.

Option C is wrong because the permissions are explicit.

108
MCQ (medium)

Your company has a hybrid identity solution with Microsoft Entra ID Connect syncing on-premises Active Directory to Microsoft Entra ID. You need to design a business continuity solution for the identity service in case of an on-premises outage. The solution must allow users to authenticate and access cloud applications even if the on-premises domain controllers are unavailable. Which feature should you enable?

A. Federation with AD FS in a secondary on-premises site
B. Password hash synchronization
C. Seamless Single Sign-On
D. Pass-through authentication with an agent in a secondary on-premises site
Answer: B

Enables cloud authentication without on-premises DCs.

Why this answer

Option B is correct because Microsoft Entra Connect sync provides password hash synchronization, which allows cloud authentication even if on-premises DCs are down. Option D is wrong because pass-through authentication requires on-premises agents. Option A is wrong because federation requires on-premises AD FS.

Option C is wrong because Seamless SSO relies on on-premises authentication.

109
MCQ (easy)

A company uses Microsoft Entra ID. They need to grant external partners access to an internal application for a limited time (30 days). The access must be approved by a manager from the partner's organization. After the period ends, access should automatically be removed. The company also wants to send email reminders 7 days before expiration. Which Microsoft Entra ID feature should they use?

A. Microsoft Entra ID Access Reviews
B. Microsoft Entra ID Entitlement Management
C. Microsoft Entra ID Conditional Access
D. Microsoft Entra ID Identity Protection
Answer: B

Entitlement Management provides access packages that can define time-limited access, require approval from specified managers, automatically expire, and send email notifications before expiration.

Why this answer

Microsoft Entra ID Entitlement Management is the correct feature because it provides automated access lifecycle management for external users, including time-limited access packages, approval workflows (including external manager approval), and automatic expiration with email notifications. This directly matches the requirement for 30-day access with partner manager approval and 7-day reminder emails.

Exam trap

The trap here is confusing Entitlement Management (which handles the full lifecycle of external access with expiration and approvals) with Access Reviews (which is a periodic review tool, not an automated expiration mechanism).

How to eliminate wrong answers

Option A is wrong because Access Reviews are a periodic attestation mechanism that requires manual or semi-automated review cycles, not a one-time 30-day expiration with automatic removal and email reminders. Option C is wrong because Conditional Access enforces access policies (e.g., MFA, device compliance) in real time but does not manage access expiration, approval workflows, or automated email reminders. Option D is wrong because Identity Protection focuses on detecting and remediating identity-based risks (e.g., leaked credentials, sign-in anomalies) and does not handle external partner access lifecycle or time-bound approvals.

110
MCQ (hard)

A healthcare organization needs to store patient health records in Azure. The data must be encrypted at rest and in transit. The organization requires a customer-managed key (CMK) with automatic key rotation every 90 days. The solution must support Azure SQL Database and Azure Blob Storage. Which key management solution should you recommend?

A. Azure Storage Service Encryption
B. Azure Information Protection
C. Azure Key Vault Standard
D. Azure Key Vault Managed HSM (Premium tier)
Answer: D

Supports CMK with automatic rotation and FIPS 140-2 Level 3.

Why this answer

Option D is correct because Azure Key Vault Managed HSM supports CMK with automatic rotation and FIPS 140-2 Level 3 validation, meeting compliance. Option C is wrong because Key Vault Standard does not support automatic rotation. Option B is wrong because Azure Information Protection is for classification, not key management.

Option A is wrong because Azure Storage encryption uses Microsoft-managed keys by default.

111
MCQ (medium)

Refer to the exhibit. You are analyzing Azure VM performance using Azure Monitor Logs. You run the KQL query shown. What is the purpose of the 'take 10' operator?

A. Limits the results to the first 10 rows after sorting by time.
B. Limits the time range to the last 10 hours.
C. Filters the results to only include the top 10 CPUs.
D. Samples the data to reduce query cost.
Answer: A

'take' returns the specified number of rows from the result set.

Why this answer

The 'take' operator returns a specified number of rows. Here, it limits the output to 10 rows after sorting by TimeGenerated ascending. Option A is correct.

Option D is incorrect because 'take' does not sample; it returns the first N rows. Option C is incorrect because the query returns rows after aggregation. Option B is incorrect because 'take' is not specific to time windows.

112
Multi-Select (medium)

Which TWO Azure services can be used to automatically redirect traffic to an alternate region in the event of a regional outage? (Choose two.)

Select 2 answers
A. Azure Application Gateway
B. Azure Load Balancer
C. Azure Traffic Manager
D. Azure DNS
E. Azure Front Door
Answers: C, E

Traffic Manager uses DNS-based routing and health probes to redirect traffic.

Why this answer

Azure Traffic Manager and Azure Front Door both provide global load balancing with automatic failover. Option A is incorrect because Application Gateway is regional. Option B is incorrect because Azure Load Balancer is regional.

Option D is incorrect because Azure DNS does not provide traffic redirection based on health.

113
MCQ (hard)

Your organization is designing a secure microservices architecture using Azure Kubernetes Service (AKS). The application must be compliant with PCI DSS, which requires strict network segmentation and encryption of data at rest and in transit. You need to design a solution that meets these requirements while minimizing operational overhead. The AKS cluster will be deployed in a virtual network. The application consists of multiple microservices that need to communicate with each other and with an Azure SQL Database. Some microservices are public-facing. Which design should you recommend?

A. Deploy AKS with a private API server, enable network policies, and use a service endpoint or private endpoint for Azure SQL Database.
B. Deploy AKS with a public API server and use Network Security Groups (NSGs) to restrict access.
C. Deploy AKS with a private API server and use a jump box for administration.
D. Deploy AKS with a public API server and disable network policies to simplify management.
Answer: A

Private cluster ensures API server is not exposed; network policies enforce micro-segmentation; private endpoints secure database connectivity.

Why this answer

Option A is correct because a private AKS cluster with a service endpoint on the subnet and Azure SQL Database firewall rules ensures network isolation. AKS can enforce network policies for micro-segmentation. Option B is wrong because a public cluster exposes the API server, which is less secure.

Option C is wrong because a jump box adds operational overhead and is not required. Option D is wrong because disabling network policies reduces security.

114
MCQ (medium)

Refer to the exhibit. You have an Azure Storage account with the settings shown. A developer reports that they cannot access the storage account from their Azure VM that is connected to subnet-a. The VM's subnet ID matches the one in the rule. What is the most likely cause of the issue?

A. The storage account requires HTTPS and the VM is using HTTP
B. The storage account does not have a firewall rule for the VM's public IP
C. The subnet does not have a service endpoint for Microsoft.Storage enabled
D. The storage account uses GRS replication which is not supported with network rules
Answer: C

Virtual network rules require a service endpoint on the subnet to be effective.

Why this answer

The network rule set has defaultAction set to Deny, and only virtual network rules are configured. For traffic from a VM in subnet-a to be allowed, the VM's subnet must be listed. However, the VM might not have a service endpoint enabled for Microsoft.Storage on that subnet.

Option B is wrong because the subnet is listed. Option A is wrong because HTTPS is enabled. Option D is wrong because GRS does not prevent access.

115
MCQ (medium)

A company uses Azure Redis Cache to improve the performance of a web application. They need to ensure that cached data survives a failover to a secondary region. Which Azure Redis Cache tier should they choose?

A. Standard tier
B. Basic tier
C. Premium tier
D. Enterprise tier
Answer: C

Premium tier includes geo-replication for cross-region data persistence.

Why this answer

Azure Redis Cache Premium tier supports geo-replication for cross-region disaster recovery. Standard tier only replicates within a datacenter. Basic tier has no replication.

Enterprise tier also supports geo-replication but is more expensive and complex.

116
Multi-Select (medium)

A company is designing a solution for storing sensitive financial records that must be retained for 7 years. The solution must meet the following requirements:
- Data must be immutable during the retention period.
- After the retention period, data must be automatically deleted.
- The solution must minimize storage costs.
Which two Azure services should the company use? (Choose two.)

Select 2 answers
A. Microsoft Purview Data Map
B. Azure Blob Storage lifecycle management
C. Azure NetApp Files with replication
D. Azure Blob Storage with immutable storage policy
E. Azure Files with snapshots
Answers: B, D

Lifecycle management can delete blobs after a defined period.

Why this answer

Option D is correct because Azure Blob Storage provides immutable storage with time-based retention policies. Option B is correct because Azure Blob Storage lifecycle management can automatically delete blobs after a specified period. Option E is wrong because Azure Files does not support immutable storage natively.

Option C is wrong because Azure NetApp Files does not have built-in immutability or lifecycle management. Option A is wrong because Microsoft Purview is a data governance service, not a storage service.

117
MCQ (medium)

A company is designing a hybrid identity solution that allows users to access both on-premises applications and Microsoft 365 using a single identity. The solution must support legacy authentication protocols for on-premises apps and modern authentication for cloud apps. Which Azure service should the company use?

A. Active Directory Federation Services (AD FS)
B. Microsoft Entra Application Proxy
C. Microsoft Entra ID
D. Microsoft Entra Connect
Answer: B

Application Proxy provides secure access to on-premises apps with modern authentication and supports legacy protocols.

Why this answer

Option C (Microsoft Entra ID) provides modern authentication but does not natively support legacy on-premises protocols. Option D (Microsoft Entra Connect) syncs identities to the cloud. Option B (Microsoft Entra Application Proxy) provides access to on-premises apps without requiring legacy protocols on the client side.

Option A (Active Directory Federation Services) can be used but is not a managed Azure service. The best answer is Microsoft Entra Application Proxy, which enables secure access to on-premises apps using modern authentication while the proxy handles the legacy protocol translation.

118
MCQ (medium)

A company uses Microsoft Entra ID Premium P2. They need to automatically detect users with high-risk sign-ins (e.g., from anonymous IP addresses or leaked credentials) and require them to reset their password. Which Microsoft Entra ID feature should they configure?

A. Identity Protection
B. Privileged Identity Management
C. Conditional Access
D. Access Reviews
Answer: A

Detects identity risks and can automate remediation like password reset.

Why this answer

Identity Protection is the correct feature because it is specifically designed to detect and remediate risky sign-ins, including those from anonymous IP addresses or leaked credentials. It uses machine learning to assign a risk level to each sign-in and user, and can automatically enforce password resets when high-risk events are detected, aligning with the requirement for automated detection and remediation.

Exam trap

The trap here is that candidates often confuse Conditional Access with Identity Protection, not realizing that Conditional Access is the enforcement engine that requires Identity Protection to first detect and assign the risk level, making Identity Protection the correct feature for automatic detection.

How to eliminate wrong answers

Option B (Privileged Identity Management) is wrong because it focuses on just-in-time access and approval workflows for privileged roles, not on detecting risky sign-ins or enforcing password resets for all users. Option C (Conditional Access) is wrong because while it can enforce policies based on sign-in risk, it does not automatically detect or assign risk levels; it relies on Identity Protection to provide the risk assessment. Option D (Access Reviews) is wrong because it is a governance tool for periodic review of group memberships or application access, not for real-time risk detection or password reset enforcement.

119
MCQ (hard)

A company runs a multi-tier application on Azure VMs in the West US region. The application has web, application, and database tiers. They want to use Azure Site Recovery for disaster recovery to East US. They need to ensure that after failover, the web tier starts first, then the application tier, and finally the database tier after a consistency check. They also need to be able to perform non-disruptive DR drills. Which Azure Site Recovery capabilities should they use together?

A. Create a recovery plan with custom groups and scripts for startup order, and use test failover for DR drills
B. Use Azure Backup for the VMs and restore them in order after failover
C. Use an availability set to control startup order and use disaster recovery drills in a separate VNet
D. Use Azure Traffic Manager to route traffic after failover and manually start VMs in order
Answer: A

Recovery Plans enforce order via scripts; test failover provides an isolated drill environment.

Why this answer

Azure Site Recovery (ASR) recovery plans allow you to define custom groups and scripts to control the startup order of VMs after failover. By placing the web, application, and database tiers into separate groups with pre- and post-actions (e.g., PowerShell scripts), you can ensure the web tier starts first, then the application tier, and finally the database tier after a consistency check. ASR's test failover capability performs a non-disruptive DR drill by creating isolated copies of VMs in a separate VNet without impacting the production environment.

Exam trap

The trap here is that candidates may confuse Azure Backup's restore capabilities with ASR's orchestrated failover, or assume that availability sets or Traffic Manager can control startup sequencing, when only ASR recovery plans with custom groups and scripts provide the required ordered startup and non-disruptive DR drill functionality.

How to eliminate wrong answers

Option B is wrong because Azure Backup is designed for long-term retention and point-in-time restore, not for orchestrating multi-tier application startup order or performing non-disruptive DR drills with failover sequencing. Option C is wrong because availability sets control VM placement for high availability within a region, not startup order after failover, and they do not provide DR drill capabilities. Option D is wrong because Azure Traffic Manager handles DNS-based traffic routing, not VM startup sequencing, and manually starting VMs in order does not provide automated, scriptable orchestration or non-disruptive DR drills.

120
MCQ (easy)

Your company plans to migrate an on-premises application to Azure. The application requires low-latency access to a shared file system that supports SMB protocol. Which Azure storage solution should you recommend?

A. Azure Blob Storage
B. Azure Disk Storage
C. Azure Files
D. Azure Queue Storage
Answer: C

Azure Files supports SMB protocol and provides shared file access.

Why this answer

Option C is correct because Azure Files supports the SMB protocol and can be used as a shared file system with low-latency access when deployed in the same region. Option A is wrong because Blob Storage does not support SMB natively. Option B is wrong because Disk Storage is block-level and not shared.

Option D is wrong because Queue Storage is for messaging.

121
MCQ (hard)

You are designing a storage strategy for a data analytics solution that processes large volumes of streaming data. The data must be stored in a cost-effective manner with low latency for hot data and infrequent access for cold data after 30 days. The solution must support both batch and interactive queries. Which combination of Azure storage services should you recommend?

A. Azure Data Lake Storage Gen2 with lifecycle management
B. Azure SQL Database with geo-replication
C. Azure Blob Storage with hot and cool access tiers
D. Azure Cosmos DB with multiple consistency levels
Answer: A

ADLS Gen2 is optimized for analytics and lifecycle management can move cold data to cheaper storage.

Why this answer

Option A is correct because Azure Data Lake Storage Gen2 provides scalable storage for analytics with hierarchical namespace, and lifecycle management policies can move data to cool or archive tiers. Option C is wrong because Blob Storage with hot/cool tiers works, but Data Lake Gen2 is optimized for analytics. Option B is wrong because Azure SQL Database is relational and expensive for large-scale analytics.

Option D is wrong because Cosmos DB is for NoSQL workloads.

122
MCQeasy

Refer to the exhibit. You are configuring Azure Site Recovery replication for a VM. The exhibit shows the replication policy settings. What is the RPO and RTO that can be achieved with this policy?

A.RPO of 15 minutes and RTO of 5 minutes.
B.RPO of 5 minutes and RTO of 15 minutes.
C.RPO of 5 minutes and RTO of 30 minutes.
D.RPO of 10 minutes and RTO of 15 minutes.
AnswerB

Settings explicitly define RPO and RTO.

Why this answer

Option B (RPO 5 min, RTO 15 min) matches the settings shown: 300 seconds = 5 minutes and 900 seconds = 15 minutes. Option A reverses the two values. Option C is wrong because the RTO shown is 15 minutes, not 30. Option D is wrong because the RPO shown is 5 minutes, not 10.

123
MCQhard

You are designing a high-availability solution for a stateful application that uses Azure NetApp Files (ANF) for persistent storage. The application must withstand a zonal failure within a region. What should you do?

A.Use Azure Files with zone-redundant storage (ZRS) and SMB multi-channel.
B.Use Azure NetApp Files cross-zone replication to replicate data between availability zones.
C.Use Azure Backup for ANF with daily snapshots stored in a different zone.
D.Deploy the application in an Availability Set and use ANF volumes with zone-redundant storage (ZRS).
AnswerB

Cross-zone replication provides zonal resilience.

Why this answer

Option B is correct because ANF cross-zone replication asynchronously replicates a volume, on a schedule, to a destination volume in a different availability zone of the same region; if the source zone fails, the replication is broken and the destination volume is brought online for the application. Option A is wrong because Azure Files is a different service from ANF, and the application already depends on ANF volumes. Option C is wrong because backups and snapshots provide point-in-time restore, not a continuously replicated copy that can be brought online quickly; a daily snapshot also implies up to a day of data loss. Option D is wrong because ANF volumes are not offered with a ZRS option, and an availability set protects against fault-domain failures within one zone, not a zonal outage.

124
MCQeasy

A company uses Azure Backup to protect their critical Azure VMs. An administrator accidentally deleted a file from one of the VMs. They need to restore that specific file quickly without restoring the entire VM. Which Azure Backup feature should they use?

A.Azure Backup full VM restore
B.Azure Backup file recovery
C.Azure Site Recovery
D.Azure Storage snapshots
AnswerB

Azure Backup file recovery allows you to mount a recovery point as a drive and copy specific files, meeting the requirement for quick file-level restore.

Why this answer

Azure Backup's file recovery feature allows you to mount a recovery point as a drive on the VM (or another machine) using iSCSI, enabling you to browse and copy individual files without restoring the entire VM. This is the correct choice because it meets the requirement for a quick, granular restore of a single deleted file.

Exam trap

The trap here is that candidates may confuse Azure Backup's file recovery with Azure Site Recovery, thinking both provide granular restore, but Site Recovery is for replication and failover, not for point-in-time file recovery from backups.

How to eliminate wrong answers

Option A is wrong because full VM restore would recover the entire virtual machine, which is unnecessary and time-consuming for restoring a single file. Option C is wrong because Azure Site Recovery is designed for disaster recovery and replication of entire workloads to a secondary region, not for granular file-level recovery from backup snapshots. Option D is wrong because Azure Storage snapshots are a feature of Azure Storage accounts (blobs, files, disks) and are not directly integrated with Azure Backup's VM-level recovery points; they also require manual management and do not provide the iSCSI mount capability for file-level recovery.

125
Multi-Selectmedium

Your company is designing a hybrid network architecture to connect an on-premises data center to Azure. The requirements include: high availability, low latency, and cost optimization. Which TWO options should you recommend?

Select 2 answers
A.ExpressRoute Gateway
B.Single ExpressRoute circuit
C.Site-to-Site VPN
D.ExpressRoute Direct
E.Two ExpressRoute circuits from different providers
AnswersA, E

Provides low latency and high bandwidth.

Why this answer

Option A is correct because an ExpressRoute gateway terminates the private, SLA-backed ExpressRoute connection in the virtual network, giving lower and more predictable latency than a VPN over the public internet. Option E is correct because two circuits from different providers (ideally in different peering locations) remove the single point of failure that one circuit represents. Option C is incorrect because a Site-to-Site VPN traverses the public internet; it is a reasonable failover path but does not meet the low-latency requirement. Option D is incorrect because ExpressRoute Direct provides dedicated 10 or 100 Gbps ports for high bandwidth, is not required for high availability, and costs more. Option B is incorrect because a single ExpressRoute circuit does not provide high availability.

126
MCQmedium

An enterprise data platform must store petabytes of raw files for analytics and support fine-grained access control through Microsoft Entra ID. Which storage solution should be selected?

A.Azure Queue Storage
B.Azure Disk Storage attached to one VM
C.Azure Cache for Redis
D.Azure Data Lake Storage Gen2
AnswerD

ADLS Gen2 combines Blob Storage scalability with hierarchical namespace and Entra ID-based ACLs.

Why this answer

Azure Data Lake Storage Gen2 (ADLS Gen2) combines a hierarchical namespace with Azure Blob Storage, enabling petabyte-scale storage for raw files and fine-grained access control via POSIX-like ACLs integrated with Microsoft Entra ID (formerly Azure AD). This makes it the ideal solution for enterprise analytics requiring both massive capacity and granular security.

Exam trap

The trap here is that candidates may confuse Azure Blob Storage (which lacks a hierarchical namespace and fine-grained ACLs) with ADLS Gen2, or assume that any Azure storage service can handle petabyte-scale analytics, ignoring the specific requirements for Entra ID integration and granular permissions.

How to eliminate wrong answers

Option A is wrong because Azure Queue Storage is a messaging service for asynchronous communication between application components, not a storage solution for raw analytics files, and it lacks the hierarchical namespace and Entra ID-based ACLs needed for fine-grained access control. Option B is wrong because Azure Disk Storage attached to a single VM is limited to the VM's capacity (typically terabytes, not petabytes), is not designed for multi-user analytics access, and requires the VM's OS to manage access, which does not natively integrate with Entra ID for fine-grained control. Option C is wrong because Azure Cache for Redis is an in-memory data store for caching and low-latency access, not a durable storage system for petabytes of raw files, and it does not support Entra ID-based ACLs for file-level permissions.

127
MCQhard

A company runs a mission-critical application on Azure virtual machines (VMs) in the West US region. The application consists of multiple VMs that must be recovered in a specific order during a disaster: database VM first, then application VMs, then web VMs. They also require that after failover to East US, the VMs retain their private IP addresses to avoid DNS updates. The recovery point objective (RPO) is 5 minutes and recovery time objective (RTO) is 30 minutes. The company needs to perform quarterly disaster recovery tests without impacting production. Which combination of Azure Site Recovery features should they configure?

A.Use crash-consistent replication, recovery plans with manual ordering, and target network with same IP address range
B.Use app-consistent replication, recovery plans with pre/post scripts for ordering, and static IP address assignment in failover settings
C.Use multi-VM consistency groups, recovery plans with automation runbooks, and Azure Traffic Manager to redirect traffic
D.Use application-consistent replication, recovery plans with pre/post scripts for ordering, and target network with different IP address range and DNS updates
AnswerB

App-consistent replication ensures data integrity. Recovery plans with scripts automate the ordering. Static IP assignment retains private IPs.

Why this answer

Option B is correct. Application-consistent recovery points (VSS on Windows, pre/post scripts on Linux) capture in-memory data and pending I/O in addition to what is on disk, so the database VM recovers in a usable state instead of needing crash recovery; that keeps the 5-minute RPO from turning into a long recovery that would threaten the 30-minute RTO. Recovery plans sequence the tiers (database, then application, then web), and pre/post actions such as Automation runbooks handle custom steps at each stage. Setting a static target private IP address in the replicated VM's compute and network settings, with a target subnet that uses the same address range, lets the VMs keep their private IP addresses after failover to East US, so DNS does not need to change. Test failover runs the recovery plan into an isolated network, which is how the quarterly drills are performed without touching production replication.

Exam trap

The trap here is that candidates often confuse crash-consistent replication (which is faster but not application-safe) with application-consistent replication, or they assume that manual ordering in recovery plans is sufficient without realizing that pre/post scripts are required for complex multi-tier dependencies and that static IP assignment is needed to retain IP addresses across regions.

How to eliminate wrong answers

Option A is wrong because crash-consistent points capture only what is on disk at that instant, with no guarantee that the database is in a consistent state, so they are the wrong choice for the database tier of a mission-critical application; relying on manual ordering also does not give the repeatable, scriptable multi-tier recovery the company needs. Option C is wrong because it does not address the private IP requirement: Azure Traffic Manager routes DNS traffic between endpoints and neither preserves private addresses nor orders recovery, and a multi-VM consistency group only aligns recovery points across VMs; it does not by itself sequence startup. Option D is wrong because using a target network with a different IP address range and DNS updates contradicts the requirement to retain private IP addresses and avoid DNS changes.

128
Multi-Selecthard

Which THREE of the following are considerations when designing a storage solution for a high-availability application on Azure?

Select 3 answers
A.Recovery Point Objective (RPO) and Recovery Time Objective (RTO)
B.Use of zone-redundant storage (ZRS) for within-region resilience
C.Data encryption at rest using Azure Storage Service Encryption
D.Data striping with RAID 0 for performance
E.Use of geo-redundant storage (GRS) for cross-region disaster recovery
AnswersA, B, E

These metrics guide the replication and failover design.

Why this answer

Option A is correct because RPO and RTO are fundamental design considerations for any high-availability application. RPO defines the maximum acceptable data loss (measured in time), which directly influences the choice of backup frequency and replication type (e.g., synchronous vs. asynchronous). RTO defines the maximum acceptable downtime, which dictates the failover mechanism and infrastructure redundancy (e.g., active-passive vs. active-active). Option B is correct because zone-redundant storage writes each object synchronously to three availability zones in the region, so a zonal outage does not interrupt access. Option E is correct because geo-redundant storage asynchronously copies data to the paired region, providing a recovery point for a regional disaster (RA-GRS additionally allows reads from the secondary).

All three must be defined before selecting a storage redundancy tier or disaster recovery strategy: the RPO and RTO targets determine whether ZRS alone is enough or whether GRS and a cross-region failover plan are also required.

Exam trap

The trap here is confusing security features (encryption at rest) or performance optimizations (RAID 0) with high-availability design requirements, leading candidates to select options that are valid in other contexts but irrelevant to uptime and disaster recovery.

129
MCQmedium

A company runs a global e-commerce platform on Azure VMs in a single region. They need to replicate the VMs to a secondary region for disaster recovery. Recovery must be possible within 30 minutes of a failure. The VMs run custom software that must be started in a specific order (database tier before web tier). Which Azure service should they use to meet both the replication and orchestration requirements?

A.Azure Site Recovery with recovery plans
B.Azure Backup with cross-region restore
C.Azure Migrate with replication
D.Azure Automation runbooks
AnswerA

Azure Site Recovery replicates VMs to a secondary region and recovery plans enable defining startup order, achieving the required RTO of 30 minutes.

Why this answer

Azure Site Recovery (ASR) with recovery plans is the correct choice because it provides both VM replication to a secondary region and the ability to orchestrate the startup order of VMs. Recovery plans allow you to group VMs into tiers (e.g., database and web) and define dependencies, ensuring the database tier starts before the web tier. ASR meets the 30-minute recovery time objective (RTO) by enabling failover to the secondary region within that timeframe.

Exam trap

The trap here is that candidates often confuse Azure Backup (which is for data protection and long-term retention) with Azure Site Recovery (which is for replication and failover), and overlook the orchestration requirement that only recovery plans can fulfill.

How to eliminate wrong answers

Option B is wrong because Azure Backup with cross-region restore is designed for long-term data retention and point-in-time recovery, not for orchestrating multi-tier application startup order or meeting a 30-minute RTO for full VM failover. Option C is wrong because Azure Migrate is a tool for assessing and migrating on-premises workloads to Azure, not for ongoing replication or disaster recovery orchestration. Option D is wrong because Azure Automation runbooks can execute scripts to start VMs in order, but they do not provide the underlying VM replication to a secondary region, which is required for disaster recovery.

130
MCQeasy

You run the above KQL query in Azure Monitor Logs. What does the query return?

A.The number of failed VM creation attempts per hour.
B.The total number of successful operations across all Azure resources.
C.The number of successful VM write operations per caller per hour.
D.A list of all Azure activity log entries.
AnswerC

The query summarizes successful VM write operations by caller and hour.

Why this answer

Option C is correct. The query filters AzureActivity to successful write operations on virtual machines, then summarizes the count by caller and by one-hour time bins. Option A is wrong because the filter keeps successful operations, not failures. Option B is wrong because the result is scoped to VM write operations and split per caller and hour, not a single total across all resources. Option D is wrong because the query aggregates with summarize rather than returning the raw activity log rows.

131
MCQmedium

You have an Azure subscription that contains 100 virtual machines. You need to monitor the virtual machines for security vulnerabilities and receive recommendations. What should you use?

A.Microsoft Defender for Cloud
B.Azure Monitor
C.Microsoft Sentinel
D.Microsoft Defender XDR
AnswerA

Defender for Cloud provides vulnerability assessment and security recommendations.

Why this answer

Microsoft Defender for Cloud (formerly Azure Security Center) provides unified security management and advanced threat protection across hybrid cloud workloads. It continuously assesses your virtual machines for security vulnerabilities, misconfigurations, and missing updates, then delivers actionable recommendations and a secure score to prioritize remediation. This directly matches the requirement to monitor VMs for vulnerabilities and receive recommendations.

Exam trap

The trap here is that candidates confuse Azure Monitor (which monitors performance and availability) with security monitoring, or assume Microsoft Sentinel (a SIEM) is the correct tool for vulnerability scanning, when in fact Defender for Cloud is the dedicated service for security posture management and vulnerability assessment.

How to eliminate wrong answers

Option B is wrong because Azure Monitor is a platform for collecting and analyzing telemetry data (metrics, logs) from resources, but it does not perform vulnerability scanning or provide security recommendations—it lacks the built-in vulnerability assessment and secure score features. Option C is wrong because Microsoft Sentinel is a cloud-native SIEM/SOAR solution for aggregating security logs, detecting threats, and orchestrating incident response; it does not natively scan VMs for vulnerabilities or generate compliance recommendations. Option D is wrong because Microsoft Defender XDR (formerly Microsoft 365 Defender) is an extended detection and response solution that correlates signals across endpoints, email, and identities, but it is not designed for vulnerability assessment of Azure VMs and does not provide the same centralized security posture management as Defender for Cloud.

132
MCQhard

You are reviewing a Conditional Access policy for a Microsoft Entra ID tenant. The exhibit shows the policy configuration. Users report that they are prompted for MFA every hour even when using approved Microsoft applications. The security team wants to reduce MFA prompts but maintain security. What should you modify?

A.Enable 'persistentBrowser' session control
B.Change cloudAppSecurityType to 'blockDownloads'
C.Remove the 'approvedApplication' grant control
D.Increase the signInFrequency value to 24 hours
AnswerD

Increasing sign-in frequency to 24 hours reduces MFA prompts while maintaining security.

Why this answer

The sign-in frequency control in Conditional Access determines how often a user must re-authenticate. Increasing the value from 1 hour to 24 hours directly reduces the frequency of MFA prompts while still requiring re-authentication daily, balancing security and user experience. This change applies to approved Microsoft applications as configured in the policy.

Exam trap

The trap here is that candidates confuse session controls like 'persistentBrowser' with sign-in frequency, assuming that keeping the browser session alive will also reduce MFA prompts, but sign-in frequency is a separate, explicit time-based re-authentication control that overrides session persistence.

How to eliminate wrong answers

Option A is wrong because enabling the 'persistentBrowser' session control only keeps a browser session signed in across browser restarts; it does not change how often the sign-in frequency control demands re-authentication, and it does nothing for non-browser clients. Option B is wrong because changing cloudAppSecurityType to 'blockDownloads' is a session control for Microsoft Defender for Cloud Apps that restricts data exfiltration, not a mechanism to reduce MFA prompt frequency. Option C is wrong because removing the 'approvedApplication' grant control would drop the requirement that access comes from an approved client app, widening the policy's attack surface without changing the re-authentication interval.
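To make the fix concrete, this is the shape of such a policy as Microsoft Graph returns it from GET /identity/conditionalAccess/policies/{id}. It is an added example written for this page, not the exhibit and not Microsoft's code; the display name, the group object ID and the 1-hour starting value are assumptions standing in for whatever the exhibit shows. The comments mark the one line that changes.

```jsonc
// Added example (not from the exam page or Microsoft). Graph conditionalAccessPolicy,
// trimmed to the controls the question talks about. Values marked "placeholder" are assumed.
{
  "displayName": "Require MFA on approved apps (placeholder)",
  "state": "enabled",
  "conditions": {
    "users": { "includeGroups": ["00000000-0000-0000-0000-000000000000"] }, // placeholder group id
    "applications": { "includeApplications": ["All"] },
    "clientAppTypes": ["all"]
  },
  "grantControls": {
    "operator": "AND",
    // "approvedApplication" is the grant control Option C would remove; keep it
    "builtInControls": ["mfa", "approvedApplication"]
  },
  "sessionControls": {
    "signInFrequency": {
      "isEnabled": true,
      "type": "hours",
      // BEFORE: "value": 1  -> users re-authenticate (and re-do MFA) every hour
      // AFTER (Option D): re-authentication once a day, MFA still enforced by the grant control
      "value": 24,
      "authenticationType": "primaryAndSecondaryAuthentication",
      "frequencyInterval": "timeBased"
    },
    // Option A would set this; it does not change the interval above
    "persistentBrowser": null,
    // Option B would set this to {"cloudAppSecurityType": "blockDownloads", "isEnabled": true};
    // that is a Defender for Cloud Apps data-control setting, unrelated to prompt frequency
    "cloudAppSecurity": null
  }
}
```

Apply the change with PATCH /identity/conditionalAccess/policies/{id} and a body containing only the sessionControls object (strip the comments first; Graph rejects non-JSON). A useful check before rolling out: set "state" to "enabledForReportingButNotEnforced" on a copy of the policy and confirm in the sign-in logs that the hourly prompts are attributed to this policy and not to another policy with a shorter sign-in frequency, since the shortest interval across all matching policies wins.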

133
Matchingmedium

Match each Azure identity service to its description.


Cloud-based identity and access management

Customer identity and access management for apps

Managed domain services like LDAP and Kerberos

Role-based access control for Azure resources

Policy-based evaluation to enforce access controls

Why these pairings

These are key identity and access management services in Azure.

134
MCQmedium

A gaming company is developing a multiplayer online game that requires a low-latency data store for player profiles, inventory, and session state. The data is accessed globally, and the solution must support millions of concurrent players. The company expects write-heavy workloads with occasional reads. The solution must provide single-digit millisecond latency for reads and writes. The company also needs to run analytics on the data to understand player behavior, but analytics queries can tolerate higher latency (minutes). Which Azure data storage solution should the company recommend for the transactional data?

A.Azure SQL Database with active geo-replication
B.Azure Redis Cache with persistence
C.Azure Cosmos DB with multiple write regions
D.Azure Table Storage with geo-redundancy
AnswerC

Provides single-digit ms latency globally with multi-master writes.

Why this answer

Option C is correct because Azure Cosmos DB with multiple write regions accepts writes in every region where the game runs, giving single-digit-millisecond reads and writes close to each player, and its change feed or Synapse Link can feed the minutes-latency analytics without loading the transactional store. Option A is wrong because Azure SQL Database active geo-replication has a single writable primary, so writes from distant regions cross the globe and pay the replication latency. Option B is wrong because Azure Cache for Redis is an in-memory cache; even with persistence enabled it is not intended as the system of record for player state. Option D is wrong because Azure Table Storage is written in one region (geo-redundancy gives only a passive copy) and offers no latency guarantees or multi-region writes.

135
MCQhard

You are a solutions architect for a financial services company. The company uses Microsoft Entra ID and has the following requirements: 1. All Azure administrators must use Privileged Identity Management (PIM) to activate their roles for a maximum of 4 hours. 2. Activation must require Azure Multi-Factor Authentication (MFA) and a ticket number. 3. Approvers must be notified via email when a role is activated. 4. All activation requests must be audited. You configure PIM for Entra ID roles. Which additional configuration is needed to meet all requirements?

A.Configure a Conditional Access policy to require MFA for all admins.
B.Enable Azure AD audit logs in the Azure portal.
C.Set the maximum activation duration to 4 hours in the PIM settings.
D.Create an Azure Monitor alert rule for role activations.
AnswerC

PIM allows configuring max activation duration per role.

Why this answer

Option C is correct. The PIM role settings for each Entra ID role already cover requirements 2 to 4: activation can require MFA and a ticket number, approvers and administrators can be emailed on activation, and every activation request is recorded in the PIM audit history (which also flows into the Entra ID audit logs). What is not met by default is requirement 1: the default maximum activation duration is 8 hours, so it must be lowered to 4 hours in the role settings.

Option A (Conditional Access) is not needed because PIM enforces MFA on activation itself; a Conditional Access authentication context is an alternative, not a requirement. Option B (Azure AD audit logs) is wrong because Entra ID audit logging is always on and cannot be "enabled". Option D (Azure Monitor) would add alerting on top of the audit trail but is not required by any of the four requirements.
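The same settings expressed as Microsoft Graph PIM rule objects, one per requirement. This is an added example for this page, not the exam's or Microsoft's code. It assumes the target role is governed by a unifiedRoleManagementPolicy in the tenant (every built-in directory role has one); the policy ID is a placeholder that you look up first.

```jsonc
// Added example (not from the exam page or Microsoft).
// Each object is a PATCH body for
//   PATCH /policies/roleManagementPolicies/{policyId}/rules/{ruleId}
// {policyId} (placeholder) comes from
//   GET /policies/roleManagementPolicyAssignments
//       ?$filter=scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '{roleId}'
[
  {
    // Requirement 1: an activation can last at most 4 hours (the tenant default is 8)
    "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
    "id": "Expiration_EndUser_Assignment",
    "isExpirationRequired": true,
    "maximumDuration": "PT4H",
    "target": { "caller": "EndUser", "operations": ["All"], "level": "Assignment" }
  },
  {
    // Requirement 2: MFA and a ticket number on every activation
    // ("Justification" is kept because it is on by default; drop it only if the company does not want it)
    "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule",
    "id": "Enablement_EndUser_Assignment",
    "enabledRules": ["MultiFactorAuthentication", "Justification", "Ticketing"],
    "target": { "caller": "EndUser", "operations": ["All"], "level": "Assignment" }
  },
  {
    // Requirement 3: email approvers on activation. This rule mails the approvers defined on the
    // role; if the role has no approval step, use the Notification_Admin_EndUser_Assignment rule
    // instead so the activation alert reaches the administrators.
    "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
    "id": "Notification_Approver_EndUser_Assignment",
    "notificationType": "Email",
    "recipientType": "Approver",
    "notificationLevel": "All",
    "isDefaultRecipientsEnabled": true,
    "notificationRecipients": [],
    "target": { "caller": "EndUser", "operations": ["All"], "level": "Assignment" }
  }
]
```

Requirement 4 needs no rule: each activation appears in the PIM audit history and in the Entra ID audit logs (category RoleManagement) regardless of these settings. Strip the comments before sending the bodies; Graph accepts strict JSON only.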

136
MCQeasy

A media company stores raw video files and processed output in Azure. These files are accessed via REST APIs by a processing application. After processing, the files are rarely accessed but must be retained. To minimize costs, the company wants to automatically move files to a cheaper storage tier after 30 days and archive them after 90 days. Which Azure storage solution and feature should they use?

A.Azure Blob Storage with lifecycle management policies
B.Azure Files with snapshot schedules
C.Azure Disk Storage with incremental snapshots
D.Azure NetApp Files with snapshot policies
AnswerA

Blob Storage offers multiple tiers and lifecycle management can automate tier transitions (e.g., cool after 30 days, archive after 90 days).

Why this answer

Azure Blob Storage with lifecycle management policies is correct because it allows you to define rules that automatically transition blobs from the hot tier to the cool tier after 30 days and then to the archive tier after 90 days. This directly meets the cost-minimization requirement for rarely accessed files that must be retained, as lifecycle management automates tier transitions without manual intervention.

Exam trap

The trap here is that candidates may confuse Azure Files or Azure NetApp Files with object storage, not realizing that only Azure Blob Storage supports REST API access and automated lifecycle tiering to cool and archive tiers.

How to eliminate wrong answers

Option B is wrong because Azure Files is a fully managed file share accessed via SMB or NFS, not REST APIs, and snapshot schedules provide point-in-time recovery, not automated tiering between storage tiers. Option C is wrong because Azure Disk Storage provides block-level storage for VMs with incremental snapshots for backup, not object storage with lifecycle tiering, and it does not support REST API access for media files. Option D is wrong because Azure NetApp Files offers high-performance NFS/SMB volumes with snapshot policies for data protection, but it lacks built-in lifecycle management to automatically move data to cheaper tiers like cool or archive.
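The lifecycle policy that implements the 30/90-day schedule from this question also covers question 121, since lifecycle management works the same way on an ADLS Gen2 (hierarchical namespace) account. This is an added example written for this page, not code from the exam or from Microsoft; the rule name and the container prefix are placeholders.

```jsonc
// Added example (not from the exam page or Microsoft): Blob Storage lifecycle management policy.
// "media/processed/" is a placeholder prefix; remove the filter to apply the rule account-wide.
{
  "rules": [
    {
      "enabled": true,
      "name": "tier-processed-video",        // placeholder rule name
      "type": "Lifecycle",
      "definition": {
        "filters": {
          "blobTypes": ["blockBlob"],
          "prefixMatch": ["media/processed/"] // placeholder container/prefix
        },
        "actions": {
          "baseBlob": {
            // Days count from the last modification. If last-access-time tracking is enabled on
            // the account, daysAfterLastAccessTimeGreaterThan makes "rarely accessed" mean
            // "not read", which matches the scenario better than "not written".
            "tierToCool":    { "daysAfterModificationGreaterThan": 30 },
            "tierToArchive": { "daysAfterModificationGreaterThan": 90 }
          },
          "snapshot": {
            // Do not let old snapshots quietly keep paying hot-tier prices
            "delete": { "daysAfterCreationGreaterThan": 90 }
          }
        }
      }
    }
  ]
}
```

Save it without the comments as policy.json and apply it with az storage account management-policy create --account-name <name> --resource-group <rg> --policy @policy.json. Two caveats matter for the cost calculation: the policy runs once a day, so transitions are not exact to the hour; and cool and archive carry 30-day and 180-day early-deletion charges, while reading an archived blob requires rehydration that takes hours at standard priority, so a file that might be needed within six months is cheaper left in cool.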

137
MCQhard

A company has multiple Azure virtual networks (VNets) in different regions and an on-premises data center connected via ExpressRoute. They need to implement a hub-and-spoke topology where a hub VNet hosts shared network virtual appliances (NVAs) for traffic inspection. All traffic between spokes and between spokes and on-premises must be routed through the hub. The company wants to minimize the administrative overhead of configuring and maintaining routing. Which Azure solution should they implement?

A.Use Azure Virtual WAN with a secured virtual hub.
B.Use VNet peering with user-defined routes (UDRs) in each spoke and Azure Route Server.
C.Create a single large VNet and use network security groups (NSGs) to isolate traffic.
D.Use Azure Firewall in the hub VNet and configure forced tunneling via custom routes.
AnswerA

Azure Virtual WAN provides a managed hub-and-spoke architecture with automatic routing. A secured virtual hub can integrate NVAs or Azure Firewall, and it handles transitive routing between spokes and on-premises without manual route tables or UDRs.

Why this answer

Azure Virtual WAN with a secured virtual hub is the correct choice because it provides a managed hub-and-spoke topology with built-in routing, eliminating the need for manual user-defined routes (UDRs) and route tables. The secured virtual hub includes Azure Firewall for traffic inspection, and all inter-spoke and on-premises traffic is automatically routed through the hub via the Virtual WAN routing engine, which uses the Border Gateway Protocol (BGP) to propagate routes dynamically. This minimizes administrative overhead by centralizing routing and security management.

Exam trap

The trap here is that candidates often choose VNet peering with UDRs (Option B) because it is a familiar pattern for hub-and-spoke, but they overlook that Azure Virtual WAN is the managed service designed to eliminate the administrative overhead of manual routing, especially when multiple regions and on-premises connectivity are involved.

How to eliminate wrong answers

Option B is wrong because using VNet peering with UDRs in each spoke and Azure Route Server still requires configuring and maintaining UDRs on every spoke subnet to force traffic through the hub NVAs, which increases administrative overhead and does not provide a fully managed routing solution. Option C is wrong because a single large VNet with NSGs does not meet the requirement to inspect traffic through hub NVAs: NSGs are stateful packet filters applied to subnets and NICs and cannot steer traffic through a central inspection point, and a VNet is scoped to one region, so a single VNet cannot hold the company's multi-region deployment. Option D is wrong because Azure Firewall in the hub VNet with forced tunneling via custom routes still requires manual UDR configuration on each spoke subnet to direct traffic to the firewall, and it does not provide the automated, scalable routing that Azure Virtual WAN offers for multi-region and on-premises connectivity.

138
MCQhard

Your company has a large number of IoT devices sending telemetry to Azure IoT Hub. The data must be processed in near real-time to detect anomalies and trigger alerts. Additionally, the processed data must be stored in a time-series database for historical analysis. Which combination of Azure services should you recommend?

A.Azure Functions and Azure SQL Database
B.Azure HDInsight and Azure Cosmos DB
C.Azure Data Factory and Azure Blob Storage
D.Azure Stream Analytics and Azure Data Explorer
AnswerD

Stream Analytics provides real-time processing; Data Explorer is a time-series database.

Why this answer

Option D is correct. Azure Stream Analytics reads directly from IoT Hub, applies windowed queries that detect anomalies in near real time (it has built-in ANOMALYDETECTION functions) and can output to Azure Data Explorer, whose time-indexed columnar storage and KQL are built for historical time-series analysis. Option A is wrong because Azure Functions has no built-in windowing or stream semantics and Azure SQL Database is not a time-series store.

Option C is wrong because Azure Data Factory orchestrates batch pipelines, not real-time streams. Option B is wrong because Azure HDInsight is a big data cluster platform that is heavier to operate and not purpose-built for time-series queries.

139
MCQeasy

A company needs to store video files for a media streaming application. The files are accessed frequently for the first 30 days, then rarely after that. The solution must minimize storage costs while ensuring low-latency access during the initial period. Which storage tier should be used for the first 30 days?

A.Azure Blob Storage Hot tier
B.Azure Blob Storage Cool tier
C.Azure Premium Blob Storage
D.Azure Blob Storage Archive tier
AnswerA

Hot tier is optimized for frequent access with low latency, suitable for first 30 days.

Why this answer

Azure Blob Storage Hot tier is designed for data that is accessed or modified frequently: it offers millisecond-range first-byte latency and the highest storage cost per GB but the lowest per-operation access cost. Since the video files need frequent, low-latency access during the first 30 days, the Hot tier meets the performance requirement at a lower cost than Premium Blob Storage, which uses SSDs for single-digit-millisecond latency and high-transaction workloads and charges a much higher storage price.

Exam trap

The trap here is that candidates often choose the Cool tier thinking it balances cost and access, but they overlook that Cool tier has higher access costs and a 30-day early deletion penalty, making it more expensive than Hot for frequent access during the first 30 days.

How to eliminate wrong answers

Option B is wrong because the Cool tier charges more per read operation and per GB retrieved and applies an early-deletion charge to data removed or re-tiered within 30 days, which makes it more expensive than Hot for frequently read files; it is meant for infrequently accessed data kept for at least 30 days. Option C is wrong because Azure Premium Blob Storage provides single-digit-millisecond latency on SSDs for high-transaction workloads; it would meet the latency requirement but at a much higher storage price, which violates the cost requirement. Option D is wrong because the Archive tier is offline: a blob must be rehydrated (hours at standard priority) before it can be read, and data carries a 180-day early-deletion period, so it cannot provide low-latency access during the first 30 days.

140
MCQhard

A company is designing a solution for a global e-commerce platform that requires low-latency access to product catalog data from multiple regions. The data is read-heavy with occasional updates. The solution must support automatic scaling and provide high availability. Which Azure service should you recommend?

A.Azure SQL Database with active geo-replication
B.Azure Cosmos DB with multi-region writes
C.Azure Table Storage
D.Azure Cache for Redis
AnswerB

Cosmos DB provides global distribution, low-latency reads, automatic scaling, and high availability.

Why this answer

Option A is incorrect because Azure SQL Database active geo-replication provides readable secondaries, but it keeps a single writable primary, does not automatically add regions or scale throughput, and is tuned for relational workloads rather than globally distributed low-latency catalog reads. Option B is correct because Azure Cosmos DB with multi-region writes provides global distribution, single-digit-millisecond reads in every region, autoscale throughput, and high availability. Option C is incorrect because Azure Table Storage is written in one region, offers no latency guarantees and cannot serve reads from multiple regions.

Option D is incorrect because Azure Cache for Redis is a cache, not a durable primary data store for the catalog.

141
Multi-Selecthard

Which TWO options are valid ways to enforce data residency in Azure Storage to ensure data does not leave a specific Azure region?

Select 2 answers
A.Use Azure Policy to deny storage accounts with geo-redundant storage (GRS) or read-access geo-redundant storage (RA-GRS).
B.Use Azure Data Lake Storage Gen2 with hierarchical namespace.
C.Enable Azure Front Door with caching.
D.Use read-access geo-redundant storage (RA-GRS).
E.Configure Azure Storage firewall and virtual network service endpoints with a deny-all default rule.
AnswersA, E

Azure Policy can enforce that storage accounts are only LRS or ZRS, keeping data in region.

Why this answer

Azure Policy can enforce data residency by denying the creation of storage accounts that use geo-redundant storage (GRS) or read-access geo-redundant storage (RA-GRS), because these replication options copy data to the paired secondary region. A policy that blocks these SKUs (and, in practice, GZRS and RA-GZRS as well) ensures that all storage account data remains within a single Azure region. Option E complements this on the access side: with the storage firewall's default action set to deny and only selected virtual networks (via service endpoints) or IP ranges allowed, the data cannot be read from outside the approved network paths. Network rules govern who can reach the data, not where Azure replicates it, so the policy in Option A is the control that actually keeps the bytes in the region.

Exam trap

The trap here is that candidates confuse data residency with access control and assume network rules alone keep data in a region. They do not: replication settings move the data, so GRS/RA-GRS must be blocked by policy and the firewall only restricts access paths. A second decoy is Option D, which is itself a geo-replication option and therefore the opposite of what is required.
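The policy from Option A, written out. This is an added example for this page, not the exam's or Microsoft's definition (Microsoft ships a built-in "Allowed locations" policy for region, but not this SKU restriction); the display name is an assumption, and the allowed-SKU list is a parameter so the assignment can widen or narrow it.

```jsonc
// Added example (not from the exam page or Microsoft): Azure Policy definition in the REST/ARM
// shape used by PUT .../providers/Microsoft.Authorization/policyDefinitions/{name}.
{
  "properties": {
    "displayName": "Storage accounts must use LRS or ZRS only (data residency)", // placeholder name
    "mode": "Indexed",
    "parameters": {
      "allowedSkus": {
        "type": "Array",
        // Everything missing from this list (Standard_GRS, Standard_RAGRS, Standard_GZRS,
        // Standard_RAGZRS) replicates to the paired region and is therefore denied.
        "defaultValue": ["Standard_LRS", "Standard_ZRS", "Premium_LRS", "Premium_ZRS"]
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
          {
            "not": {
              "field": "Microsoft.Storage/storageAccounts/sku.name",
              "in": "[parameters('allowedSkus')]"
            }
          }
        ]
      },
      "then": { "effect": "deny" }
    }
  }
}
```

With the CLI, pass the two inner objects separately: az policy definition create --name deny-geo-replicated-storage --mode Indexed --rules @rule.json --params @params.json, then az policy assignment create --policy deny-geo-replicated-storage --scope /subscriptions/<id>. Deny is evaluated only on create and update, so existing GRS accounts are not changed; they show as non-compliant in the compliance view and have to be re-tiered to LRS/ZRS by hand, which itself triggers a one-time replication teardown rather than a data copy out of the region.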

142
MCQ · medium

Your company is designing a data storage solution for a global e-commerce platform. The solution must support high-frequency read and write operations with sub-millisecond latency, and must be able to handle schema-less JSON documents. Which Azure data service should you recommend?

A. Azure SQL Database
B. Azure Blob Storage
C. Azure Cosmos DB
D. Azure Table Storage
Answer: C

Cosmos DB provides schema-less NoSQL storage with guaranteed sub-millisecond latency globally.

Why this answer

Azure Cosmos DB is the correct choice because it is a globally distributed, multi-model database service that offers guaranteed single-digit-millisecond latency for both reads and writes at the 99th percentile, making it ideal for high-frequency operations. It natively supports schema-less JSON documents through its SQL API, allowing flexible data models without requiring schema definitions or migrations.

Exam trap

The trap here is that candidates often confuse Azure Table Storage's schema-less nature with Cosmos DB's capabilities, overlooking the critical requirement for sub-millisecond latency and global distribution that only Cosmos DB guarantees.

How to eliminate wrong answers

Option A is wrong because Azure SQL Database is a relational database that requires a fixed schema and does not natively support schema-less JSON documents; while it has JSON functions, it is not optimized for sub-millisecond latency at scale. Option B is wrong because Azure Blob Storage is an object storage service designed for unstructured binary data and large files, not for high-frequency read/write operations on individual JSON documents with sub-millisecond latency. Option D is wrong because Azure Table Storage is a NoSQL key-value store that supports schema-less entities, but it does not provide sub-millisecond latency guarantees and lacks the rich querying capabilities and global distribution features of Cosmos DB.

143
MCQ · medium

A global e-commerce company runs a web application in multiple Azure regions. They need to distribute incoming HTTPS traffic across regional deployments to provide low latency and high availability. The solution must support SSL offloading, Web Application Firewall (WAF) policies, and content caching to reduce backend load. They also need to route users to the nearest healthy backend region. Which Azure service should they use?

A. Azure Traffic Manager
B. Azure Front Door
C. Azure Application Gateway
D. Azure Content Delivery Network (CDN)
Answer: B

Azure Front Door is a global layer 7 load balancer. It offers SSL offload, WAF, content caching, and intelligent routing to the nearest region, meeting all requirements.

Why this answer

Azure Front Door is the correct choice because it is a global, scalable entry point that provides HTTPS traffic distribution across multiple Azure regions with low latency, SSL offloading, WAF policies, and content caching. It uses Anycast-based routing to direct users to the nearest healthy backend region, meeting all the requirements for high availability and performance.

Exam trap

The trap here is that candidates often confuse Azure Traffic Manager (DNS-level routing) with Azure Front Door (HTTP/HTTPS-level routing), overlooking the need for SSL offloading, WAF, and content caching, which Traffic Manager cannot provide.

How to eliminate wrong answers

Option A (Azure Traffic Manager) is wrong because it operates at the DNS level and does not support SSL offloading, WAF policies, or content caching; it only routes traffic based on DNS responses without inspecting the HTTP/HTTPS payload. Option C (Azure Application Gateway) is wrong because it is a regional load balancer that provides SSL offloading and WAF, but it cannot distribute traffic across multiple regions or route users to the nearest healthy backend region globally. Option D (Azure Content Delivery Network (CDN)) is wrong because it focuses on caching static content at edge locations and does not provide SSL offloading, WAF, or intelligent routing to the nearest healthy backend region for dynamic traffic.

144
Multi-Select · easy

Which TWO of the following are valid replication options for Azure Blob Storage?

Select 2 answers
A. GRS (Geo-Redundant Storage)
B. RA-GRS (Read-Access Geo-Redundant Storage)
C. LRS (Locally Redundant Storage)
D. ZRS (Zone-Redundant Storage)
E. ASR (Azure Site Recovery)
Answers: A, C

GRS replicates data to a secondary region.

Why this answer

Azure Blob Storage offers multiple redundancy options to protect data against failures. GRS (Geo-Redundant Storage) replicates your data synchronously three times within a single primary region using LRS, then asynchronously replicates to a secondary region hundreds of miles away, ensuring durability even during a regional outage. LRS (Locally Redundant Storage) replicates data three times within a single datacenter in the same region, providing protection against server and drive failures but not against datacenter-level disasters.

Exam trap

The trap here is that candidates often confuse RA-GRS as a separate replication option rather than recognizing it as an access feature of GRS, and they may overlook that ZRS is also a valid replication option but the question specifically expects GRS and LRS based on the classic redundancy tiers emphasized in the AZ-305 exam.

145
MCQ · medium

A company is deploying an internal web application on Azure VMs. The application requires SSL offloading, session stickiness, and URL-based routing (e.g., /api/* to one backend, /app/* to another). The solution must operate within a single Azure region and must not be exposed to the public internet. Which Azure load balancing solution should they use?

A. Azure Load Balancer
B. Azure Traffic Manager
C. Azure Application Gateway
D. Azure Front Door
Answer: C

Azure Application Gateway can be deployed internally (internal Application Gateway) and provides all required features: SSL offloading, session affinity, and URL path-based routing.

Why this answer

Azure Application Gateway v2 is the correct choice because it provides SSL offloading (SSL termination at the gateway), session stickiness (cookie-based affinity), and URL-based routing (path-based routing rules) within a single Azure region. It can be deployed with a private IP address only, ensuring it is not exposed to the public internet, meeting all requirements.

Exam trap

The trap here is that candidates often confuse Azure Front Door with Application Gateway, but Front Door is a global service requiring public endpoints and multi-region support, whereas Application Gateway can be deployed privately within a single region.

How to eliminate wrong answers

Option A is wrong because Azure Load Balancer operates at Layer 4 (TCP/UDP) and cannot perform SSL offloading or URL-based routing; it only distributes traffic based on IP and port. Option B is wrong because Azure Traffic Manager is a DNS-based global load balancer that operates across regions and requires public endpoints; it cannot provide SSL offloading or URL-based routing within a single region. Option D is wrong because Azure Front Door is a global Layer 7 load balancer with SSL offloading and URL routing, but it is designed for multi-region deployments and requires public internet exposure; it cannot be restricted to a single region with private-only access.

146
MCQ · medium

Your company runs a critical e-commerce application on Azure Virtual Machines (VMs) in a single region. You need to design a disaster recovery (DR) solution that meets a recovery point objective (RPO) of 15 minutes and a recovery time objective (RTO) of 1 hour for the application tier. The application uses Azure SQL Database (single database). Which combination of Azure services should you recommend to meet the RPO and RTO?

A. Use Azure Site Recovery for VMs and Azure SQL Database read-scale replicas
B. Use Azure Backup for VM replication and Azure SQL Database auto-failover groups
C. Use Azure Front Door with regional load balancing and Azure SQL Database geo-restore
D. Use Azure Site Recovery for VM replication to a secondary region and Azure SQL Database active geo-replication
Answer: D

Site Recovery meets the VM RPO/RTO; active geo-replication meets the SQL RPO/RTO.

Why this answer

Option D is correct because Azure Site Recovery can replicate VMs to a secondary region with an RPO of 15 minutes and RTO of 1 hour for the application tier. Azure SQL Database active geo-replication provides an RPO of 5 seconds and RTO of 1 hour. Option B is wrong because Azure Backup has a higher RPO (typically 12 hours for VMs).

Option A is wrong because read-scale replicas do not support failover. Option C is wrong because Azure Front Door is for global load balancing, not DR replication.

147
Multi-Select · easy

You are designing a highly available architecture for a web application that runs on Azure VMs. The solution must distribute incoming traffic across multiple VMs in an availability set. Which TWO Azure components should you include? (Choose two.)

Select 2 answers
A. Azure Load Balancer
B. Azure Traffic Manager
C. Azure Front Door
D. Availability Set
E. Azure Application Gateway
Answers: A, D

Load Balancer distributes traffic to VMs in the same region.

Why this answer

Options A and D are correct. Azure Load Balancer distributes incoming traffic, and an Availability Set provides VM redundancy; for high availability you need both.

Option B is wrong because Azure Traffic Manager is for global traffic routing. Option C is wrong because Azure Front Door is for global load balancing. Option E is wrong because Azure Application Gateway is a layer 7 load balancer with additional features; although it can also distribute traffic, the scenario describes distributing traffic across VMs in an availability set, which is the basic function of Azure Load Balancer, the simpler choice.

148
MCQ · medium

A company runs a critical application on Azure VMs in a single region. The application uses Azure SQL Database as its data store. The company needs a disaster recovery solution that can fail over the entire application stack (VMs and database) to another region with a Recovery Point Objective (RPO) of 5 minutes and a Recovery Time Objective (RTO) of 1 hour. The solution must be automated and minimize manual steps. Which combination of Azure services should they implement?

A. Azure Site Recovery for VMs and active geo-replication with auto-failover groups for Azure SQL Database
B. Azure Backup for VMs and Azure SQL Database backup to another region
C. Azure Site Recovery for VMs and Azure DNS for database failover
D. Azure Load Balancer for VMs and Azure SQL Database failover groups
Answer: A

ASR replicates VMs to the secondary region with low RPO, and active geo-replication with auto-failover groups provides database failover with RPO of 5 seconds and RTO of under 1 hour.

Why this answer

Azure Site Recovery (ASR) orchestrates replication and automated failover of Azure VMs to a secondary region, meeting the RTO of 1 hour. Active geo-replication with auto-failover groups for Azure SQL Database provides a readable secondary replica in another region with an RPO of 5 seconds (well under the 5-minute requirement) and enables automatic failover without manual intervention. Together, they automate the entire application stack failover, minimizing manual steps.

Exam trap

The trap here is that candidates often confuse Azure Backup (which is for data recovery, not failover) with Azure Site Recovery (which is for full-stack disaster recovery), or they assume DNS or load balancers alone can handle database failover without understanding that database replication is required first.

How to eliminate wrong answers

Option B is wrong because Azure Backup for VMs and Azure SQL Database backup to another region provides point-in-time restore but does not support automated failover; restoring from backup would take hours, exceeding the 1-hour RTO, and the RPO would be limited to the backup schedule (typically 24 hours). Option C is wrong because Azure DNS for database failover does not handle database replication or failover; it only manages DNS records, leaving the database unreplicated and requiring manual steps to redirect traffic, which fails the automation requirement. Option D is wrong because Azure Load Balancer distributes traffic but does not replicate VMs or databases; it cannot fail over VMs to another region, and Azure SQL Database failover groups alone (without active geo-replication) do not provide the required RPO of 5 minutes—failover groups require geo-replication to be configured separately.

149
Multi-Select · hard

A company is designing a backup strategy for Azure resources. They have the following resources: Azure VMs, Azure SQL Database, and Azure Files shares. They need to meet the following requirements: 1) Backup of VMs must be application-consistent. 2) SQL Database backups must be retained for 10 years. 3) Azure Files backups must support soft delete. Which THREE services or features should they use?

Select 3 answers
A. Azure Backup
B. Soft delete for Azure Files
C. Long-term retention (LTR) for Azure SQL Database
D. Azure Site Recovery
E. Azure Policy
Answers: A, B, C

Azure Backup provides application-consistent backups for VMs.

Why this answer

Options A, B, and C are correct. Azure Backup can perform application-consistent backups for VMs (using VSS). Long-term retention (LTR) for SQL Database can retain backups for up to 10 years.

Soft delete for Azure Files can be enabled to protect against accidental deletion. Option D is incorrect because Azure Site Recovery is for disaster recovery, not backup. Option E is incorrect because Azure Policy is for governance, not backup.

150
MCQ · medium

A company ingests IoT sensor data into Azure Blob Storage. Data is written frequently and accessed rarely after the first 24 hours. The company must retain the data for exactly 90 days for compliance. They want to minimize storage costs by automatically moving data to cheaper tiers as soon as possible. Which lifecycle management policy should they implement?

A. Move to Cool tier immediately (0 days) and then to Archive after 30 days
B. Move to Cool tier after 1 day and then to Archive after 30 days
C. Move to Archive tier after 1 day
D. Move to Cool tier after 30 days and to Archive after 90 days
Answer: B

This policy moves data to Cool after 1 day (when access frequency drops) and then to Archive after 30 days, minimizing costs while meeting the 90-day retention requirement. Archive is the cheapest tier for long-term storage.

Why this answer

Option B is correct because it aligns with the access pattern: data is frequently accessed only in the first 24 hours, so moving to Cool tier after 1 day (when access drops) saves costs, then moving to Archive after 30 days meets the 90-day retention requirement while minimizing storage costs. The lifecycle policy must ensure data is not moved to Archive before the compliance period ends, and moving to Cool immediately (0 days) would incur unnecessary write costs for frequently written data.

Exam trap

The trap here is that candidates often choose Option A (move to Cool immediately) thinking it saves the most money, but they overlook the frequent write pattern and the fact that Cool tier has higher write costs, making a 1-day delay more cost-effective.

How to eliminate wrong answers

Option A is wrong because moving to Cool tier immediately (0 days) does not account for the frequent writes in the first 24 hours, potentially incurring higher write costs and not aligning with the access pattern. Option C is wrong because moving directly to Archive after 1 day violates the 90-day retention requirement, as Archive tier has a minimum 180-day retention policy (early deletion fee) and data would be inaccessible for compliance needs. Option D is wrong because moving to Cool after 30 days and to Archive after 90 days fails to minimize costs—data should be moved to Cool sooner (after 1 day) to reduce costs during the low-access period, and moving to Archive at 90 days does not take advantage of cheaper Archive storage for the remaining 60 days.
