Microsoft Azure Solutions Architect Expert AZ-305 (AZ-305) — Questions 151–225

999 questions total · 14 pages · All types, answers revealed

Page 3 of 14
Question 151 (MCQ, medium)

A company wants to analyze IoT sensor data from millions of devices in near real-time and store the raw data for batch processing. Which combination of Azure services should they use?

A. Azure Event Hubs and Azure Synapse Analytics
B. Azure IoT Hub and Azure Cosmos DB
C. Azure Data Lake Storage and Azure Stream Analytics
D. Azure Event Hubs and Azure Blob Storage

Answer: D

Ingests and stores raw data efficiently.

Why this answer

Azure Event Hubs is a highly scalable data streaming platform and event ingestion service capable of ingesting millions of events per second from IoT devices in near real-time. Azure Blob Storage provides cost-effective, durable object storage for the raw data, which can then be used for batch processing with services like Azure Data Lake Analytics or Azure Synapse. This combination directly meets the requirements for near real-time ingestion and raw data storage for batch processing.

Exam trap

The trap here is that candidates often confuse Azure IoT Hub with Azure Event Hubs, assuming IoT Hub is required for all IoT scenarios, but Event Hubs is the correct choice for high-throughput, near real-time event ingestion without device management overhead.

How to eliminate wrong answers

Option A is wrong because Azure Synapse Analytics is primarily a data warehouse for structured analytics, not optimized for storing raw, unstructured IoT data for batch processing; using it for raw storage would be costly and unnecessary. Option B is wrong because Azure IoT Hub is a device management and messaging service, not a high-throughput event ingestion pipeline for near real-time analytics, and Azure Cosmos DB is a NoSQL database for transactional workloads, not designed for storing massive volumes of raw data for batch processing. Option C is wrong because Azure Data Lake Storage is a storage service, not an ingestion service; it cannot ingest and buffer streaming data in near real-time, and Azure Stream Analytics is a real-time processing engine, not a storage solution for raw data.

Question 152 (MCQ, medium)

Refer to the exhibit. You deploy an Azure SQL Database with a secondary replica in another region using the ARM template shown. You need to ensure that the database can fail over automatically with zero data loss. What is missing?

A. Configure long-term backup retention.
B. Disable readScaleOut on the primary database.
C. Create a failover group that includes both databases.
D. Set zoneRedundant to true on the primary database.

Answer: C

Failover group enables automatic failover with zero data loss.

Why this answer

Option C (failover group) is required to orchestrate automatic failover. Option D (zone redundancy) is not needed. Option B (read scale) is not needed. Option A (backup) is irrelevant.

Question 153 (MCQ, medium)

A company deploys a web application on Azure VMs across multiple availability zones in a region. They need to distribute incoming traffic across VMs in all zones, maintain session persistence, and support SSL offloading and URL-based routing (e.g., /api/* to one pool, /app/* to another). Which Azure load balancing solution should they use?

A. Azure Load Balancer
B. Azure Application Gateway
C. Azure Traffic Manager
D. Azure Front Door

Answer: B

Application Gateway is a layer-7 load balancer that provides SSL offloading, URL-based routing, and session affinity, making it suitable for this requirement.

Why this answer

Azure Application Gateway is the correct choice because it is a Layer 7 (HTTP/HTTPS) load balancer that supports SSL offloading, URL-based routing (e.g., /api/* and /app/* to different backend pools), and session persistence (cookie-based affinity). It can distribute traffic across VMs in multiple availability zones within a region, meeting all stated requirements.

Exam trap

The trap here is that candidates often confuse Azure Load Balancer (Layer 4) with Application Gateway (Layer 7), assuming all load balancers support HTTP-level features like URL routing and SSL offloading, but only Layer 7 solutions do.

How to eliminate wrong answers

Option A is wrong because Azure Load Balancer operates at Layer 4 (TCP/UDP) and does not support SSL offloading or URL-based routing; it cannot inspect HTTP paths. Option C is wrong because Azure Traffic Manager is a DNS-based global traffic router that distributes traffic across regions, not within a single region, and it does not support SSL offloading or URL-based routing. Option D is wrong because Azure Front Door is a global Layer 7 service that supports SSL offloading and URL-based routing but is designed for multi-region distribution, not for distributing traffic across VMs within a single region's availability zones.

Question 154 (MCQ, hard)

Refer to the exhibit. A role assignment has a condition that controls blob deletion. A user assigned this role tries to delete a blob with tag 'Project' set to 'ProjectB'. What will happen?

A. The deletion is allowed because the condition only applies to write operations
B. The deletion is allowed because the condition does not affect blob deletion
C. The deletion is denied because the blob does not have the required tag
D. The deletion is denied because the condition version is 2.0 and not supported

Answer: C

The condition requires the blob to have tag 'Project' equal to 'ProjectA'.

Why this answer

Option C is correct because the condition grants delete permission only if the blob's tag matches 'ProjectA'. Since the blob has tag 'ProjectB', the condition evaluates to false, and the delete action is denied. Option A is wrong because the condition does not block all blob deletions, only those not matching the tag. Option B is wrong because the condition does not affect other actions. Option D is wrong because the condition is evaluated at runtime.

Question 155 (MCQ, medium)

A company uses Microsoft Entra ID. They want to automatically detect sign-in attempts from anonymous IP addresses and sign-ins from unfamiliar locations. When such a risk is detected, they want to block the sign-in or require multi-factor authentication (MFA) in real time. Additionally, they need a dashboard that provides a summary of risk events and allows investigation. Which Microsoft Entra ID feature should they use?

A. Microsoft Entra ID Identity Protection
B. Microsoft Entra ID Conditional Access
C. Microsoft Entra ID Privileged Identity Management (PIM)
D. Microsoft Entra ID Access Reviews

Answer: A

Identity Protection detects risky sign-ins and provides a dashboard with risk events for investigation. It can feed risk data into Conditional Access for enforcement.

Why this answer

Microsoft Entra ID Identity Protection is the correct feature because it automatically detects sign-in risks such as anonymous IP addresses and unfamiliar locations, and can trigger real-time remediation actions like blocking the sign-in or requiring MFA. It also provides a risk dashboard and investigation capabilities, directly matching the requirements for risk detection, automated response, and reporting.

Exam trap

The trap here is that candidates often confuse Conditional Access as the detection mechanism, but Conditional Access is only the enforcement layer; Identity Protection is the actual detection engine that generates the risk signals used by Conditional Access.

How to eliminate wrong answers

Option B is wrong because Conditional Access is a policy engine that enforces access controls based on conditions, but it does not itself detect risks like anonymous IPs or unfamiliar locations; it relies on Identity Protection to provide risk signals. Option C is wrong because Privileged Identity Management (PIM) focuses on just-in-time privileged role activation and access governance, not on detecting sign-in risks from anonymous IPs or unfamiliar locations. Option D is wrong because Access Reviews are used for periodic attestation of group memberships or role assignments, not for real-time risk detection or automated sign-in blocking.

Question 156 (MCQ, easy)

A company uses Azure Backup to protect on-premises file servers via the Azure Backup Server (MABS). They want to ensure backups are retained for 10 years for compliance. What backup tier should they use?

A. Azure Backup using the warm storage tier
B. Azure Files share snapshots
C. Azure Site Recovery
D. Azure Backup with GFS retention policy for monthly and yearly points

Answer: D

GFS allows retention for decades.

Why this answer

Option D is correct because Azure Backup supports long-term retention (up to 99 years) using the Backup vault's Grandfather-Father-Son (GFS) retention policy with monthly and yearly points. Option C is wrong because Azure Site Recovery is for replication, not backup retention. Option A is wrong because the warm storage tier is for short-term retention. Option B is wrong because Azure Files is not a backup retention feature.

Question 157 (MCQ, medium)

A company runs a critical SQL Server database on an Azure virtual machine in the West US region. They need a disaster recovery solution that replicates the database to a secondary region (East US) with a recovery point objective (RPO) of 15 minutes and a recovery time objective (RTO) of 2 hours. The solution must also support non-disruptive disaster recovery drills. The company currently uses SQL Server Standard Edition. Which Azure service should they implement?

A. Azure Site Recovery
B. SQL Server Always On Availability Groups
C. Azure Backup with cross-region restore
D. Azure SQL Database geo-replication

Answer: A

Azure Site Recovery replicates the entire VM to the secondary region, supports test failovers for drilling, and can meet the RPO/RTO requirements when configured with appropriate frequency. It works with SQL Server Standard Edition.

Why this answer

Azure Site Recovery (ASR) replicates the entire VM, including the SQL Server database, to the secondary region with an RPO as low as 15 minutes and an RTO of 2 hours when using a recovery plan. It supports non-disruptive disaster recovery drills by allowing test failovers that run in an isolated network without impacting the production environment. This makes ASR the correct choice for a SQL Server Standard Edition VM requiring cross-region DR with drills.

Exam trap

The trap here is that candidates often choose SQL Server Always On Availability Groups without realizing that Standard Edition lacks the necessary features (e.g., readable secondaries, multi-database support) to meet the RPO/RTO and drill requirements, or they mistakenly think Azure SQL Database geo-replication can be applied to a SQL Server VM.

How to eliminate wrong answers

Option B is wrong because SQL Server Always On Availability Groups requires SQL Server Enterprise Edition for the advanced features needed to meet the RPO/RTO, and Standard Edition only supports basic availability groups with a single database and no readable secondaries, which cannot achieve the required 15-minute RPO or support non-disruptive drills. Option C is wrong because Azure Backup with cross-region restore provides point-in-time backups with an RPO of typically 12-24 hours (not 15 minutes) and an RTO that can exceed 2 hours due to restore time, plus it does not support live, non-disruptive disaster recovery drills. Option D is wrong because Azure SQL Database geo-replication is a PaaS feature that cannot be applied to a SQL Server running on an Azure VM (IaaS); it only works with Azure SQL Database managed instances or single databases.

Question 158 (MCQ, hard)

You are designing a compute solution for a batch processing workload that runs once per day for about 30 minutes. The workload is CPU-intensive and can be parallelized. The team wants to minimize cost while ensuring the job completes within 2 hours. Which of the following is the most cost-effective solution?

A. Deploy an Azure App Service plan with multiple instances, and trigger the job with a timer.
B. Use Azure Functions with a timer trigger and a Premium plan to allow longer execution.
C. Create an Azure VM that runs the job on schedule and turn it off after completion.
D. Use Azure Batch with a pool of low-priority VMs, and scale up to many nodes to complete the job quickly.

Answer: D

Azure Batch is designed for parallel batch processing; low-priority VMs offer up to 80% cost savings and the job can complete in minutes.

Why this answer

Option D is correct because Azure Batch with low-priority VMs provides significant cost savings for interruptible workloads and can be scaled to complete quickly. Option A is wrong because App Service is not designed for batch processing and would be more expensive. Option C is wrong because a VM running all the time incurs cost even when idle. Option B is wrong because Functions have a timeout limit (default 5 minutes, maximum 10 minutes) that is unsuitable for a 30-minute job.

Question 159 (MCQ, hard)

You are designing a disaster recovery strategy for an Azure virtual machine running a SQL Server Always On availability group. The primary region is East US, and the secondary region is West US. You need to ensure minimal data loss and automatic failover. Which Azure service should you use for cross-region replication of the managed disks?

A. Azure Traffic Manager
B. Azure Site Recovery
C. Azure Backup
D. Azure Storage Geo-Redundant Storage (GRS)

Answer: B

Azure Site Recovery replicates Azure VMs and supports automatic failover with low RPO.

Why this answer

Option B is correct because Azure Site Recovery provides orchestrated replication and failover for Azure VMs, including managed disks, with recovery point objectives (RPO) as low as a few seconds. Option C (Azure Backup) is for backup, not replication. Option D (Azure Storage Geo-Redundant Storage) replicates at the storage level but does not handle VM failover orchestration. Option A (Azure Traffic Manager) is for DNS-level traffic distribution, not disk replication.

Question 160 (MCQ, medium)

A company runs critical Azure VMs. They want to protect against accidental deletion or corruption of data by implementing a retention policy for Azure Backup. They need to keep daily backups for 30 days, weekly backups for 12 weeks, and monthly backups for 12 months. Which Azure Backup feature should they configure?

A. Immutable vault
B. Backup policy with long-term retention
C. Backup tiering
D. Soft delete

Answer: B

Azure Backup policies allow you to define multiple retention points (daily, weekly, monthly) with specific durations. This meets the need for 30 days daily, 12 weeks weekly, and 12 months monthly.

Why this answer

A backup policy with long-term retention (LTR) in Azure Backup allows you to define granular retention rules for daily, weekly, monthly, and yearly backup points. This directly meets the requirement to keep daily backups for 30 days, weekly for 12 weeks, and monthly for 12 months by configuring the retention duration for each frequency in the backup policy.

Exam trap

The trap here is that candidates confuse Immutable vault or Soft delete with retention policies, but those features address data protection from deletion or tampering, not the ability to specify granular retention durations for different backup frequencies.

How to eliminate wrong answers

Option A is wrong because Immutable vault protects backup data from being deleted or overwritten before its retention period expires, but it does not provide the ability to configure different retention durations for daily, weekly, and monthly backups. Option C is wrong because Backup tiering moves older recovery points to a lower-cost storage tier (e.g., from hot to cold or archive), but it does not define or enforce retention durations; it is a cost-optimization feature, not a retention policy. Option D is wrong because Soft delete provides a safety net by retaining deleted backup data for a default period (14 days) to allow recovery from accidental deletion, but it does not allow you to specify custom retention periods like 30 days daily, 12 weeks weekly, or 12 months monthly.

Question 161 (MCQ, easy)

Your company has a Microsoft Entra ID tenant with 10,000 users. You plan to grant external partners access to a specific SharePoint Online site using Microsoft Entra B2B collaboration. You need to ensure that partners can authenticate using their own corporate credentials. What should you configure?

A. Cross-tenant synchronization
B. Conditional Access policy for guest users
C. Microsoft Entra B2B collaboration with external identities
D. Microsoft Entra guest user accounts with password

Answer: C

B2B collaboration allows external users to authenticate with their own identity provider.

Why this answer

Microsoft Entra B2B collaboration allows external partners to authenticate using their own corporate credentials (such as Azure AD, Microsoft account, or other identity providers) without requiring a separate password or local account. This is the correct solution because it directly supports the requirement for partners to use their own identity providers, enabling seamless access to the SharePoint Online site via guest user invitations.

Exam trap

The trap here is that candidates often confuse Cross-tenant synchronization (Option A) with B2B collaboration, but Cross-tenant synchronization is for internal multi-tenant scenarios, not for granting external partners access with their own credentials.

How to eliminate wrong answers

Option A is wrong because Cross-tenant synchronization is designed to synchronize users between two Azure AD tenants for internal collaboration, not for granting external partners access to a specific SharePoint site with their own credentials. Option B is wrong because a Conditional Access policy for guest users controls access conditions (e.g., MFA, device compliance) after the guest user is already invited, but it does not enable authentication with the partner's own corporate credentials. Option D is wrong because creating guest user accounts with passwords would require partners to manage separate credentials, defeating the purpose of using their own corporate identities and violating the principle of federated authentication.

Question 162 (MCQ, easy)

A company needs to store and retrieve large binary files (e.g., images and videos) for a web application. The data must be accessible via HTTPS URLs and support both public read access for anonymous users and private access for administrators. The solution must be highly durable and cost-effective for storing terabytes of data. Which Azure storage solution should they recommend?

A. Azure Blob Storage
B. Azure Files
C. Azure Queue Storage
D. Azure Table Storage

Answer: A

Blob Storage is optimized for storing large amounts of unstructured data and supports both public and private access levels.

Why this answer

Azure Blob Storage is the correct choice because it is designed for storing large amounts of unstructured data, such as images and videos, and supports both public anonymous read access (via a public container or blob-level access policy) and private access (via shared access signatures or Azure AD authentication). It provides HTTPS URL access for direct retrieval, offers 99.9999999999% (11 nines) durability for hot and cool tiers, and is cost-effective for terabytes of data due to its tiered storage options (hot, cool, archive).

Exam trap

The trap here is that candidates may confuse Azure Files (a managed file share) with Blob Storage because both can store files, but Azure Files uses SMB/NFS protocols and is not designed for direct HTTPS URL access or public anonymous read for large binary objects.

How to eliminate wrong answers

Option B (Azure Files) is wrong because it provides fully managed file shares accessible via SMB and NFS protocols, not HTTPS URLs for direct binary object retrieval, and is optimized for shared file access rather than large-scale unstructured blob storage. Option C (Azure Queue Storage) is wrong because it is a messaging service for asynchronous communication between application components, not for storing or retrieving binary files. Option D (Azure Table Storage) is wrong because it is a NoSQL key-value store for structured data, not for large binary files like images and videos.

Question 163 (MCQ, medium)

A company is designing a backup strategy for a critical Azure SQL Database. The database is used in a production environment and the company requires the ability to restore to any point within the last 35 days with a maximum granularity of 5 minutes. Which backup configuration should the company choose?

A. Use Azure Backup for SQL Server in Azure VM
B. Configure point-in-time restore with a retention period of 35 days and a backup frequency of 5 minutes
C. Use Azure SQL Database automatic backups with a retention period of 35 days
D. Configure geo-redundant backup with long-term retention

Answer: C

Automatic backups provide point-in-time restore within 35 days with 5-minute granularity.

Why this answer

Option D (Configure geo-redundant backup with long-term retention) does not specify point-in-time restore granularity. Option B (Configure point-in-time restore with a retention period of 35 days and a backup frequency of 5 minutes) is not possible because Azure SQL Database does not allow custom backup frequency; it uses automatic backups. Option C (Use Azure SQL Database automatic backups with a retention period of 35 days) meets the requirement because automatic backups provide point-in-time restore up to 35 days with 5-minute granularity. Option A (Use Azure Backup for SQL Server in Azure VM) is for SQL Server on VMs, not Azure SQL Database.

Question 164 (MCQ, hard)

You are designing a data storage solution for a healthcare application that stores patient records. The solution must meet compliance requirements that data in the US must be stored in US regions, and data in the EU must be stored in EU regions. Additionally, the solution must support global queries with low latency. What should you use?

A. Azure Blob Storage with RA-GRS storage accounts in each region
B. Azure SQL Database with active geo-replication and a failover policy
C. Azure Cosmos DB with multi-region writes and conflict resolution policy based on region
D. Azure SQL Managed Instance with failover groups

Answer: C

Cosmos DB allows you to configure write regions per compliance and resolve conflicts.

Why this answer

Azure Cosmos DB with multi-region writes is the correct choice because it provides active-active replication across multiple regions, enabling low-latency global queries by allowing writes and reads from any region. The conflict resolution policy based on region ensures that data sovereignty requirements are met by prioritizing writes from the region where the data originates (e.g., US writes win in US regions, EU writes win in EU regions), which aligns with the compliance requirement that data must stay within its respective geographic boundary.

Exam trap

The trap here is that candidates often confuse active geo-replication (which has a single writable primary) with multi-region writes (which allow multiple writable regions), and they may overlook the need for a conflict resolution policy to enforce data sovereignty, assuming that simply replicating data across regions meets compliance requirements.

How to eliminate wrong answers

Option A is wrong because Azure Blob Storage with RA-GRS provides read-only access to a secondary region and does not support multi-region writes or active-active replication, so it cannot ensure low-latency global writes or enforce data sovereignty for patient records across US and EU regions. Option B is wrong because Azure SQL Database with active geo-replication supports only one writable primary region and readable secondaries, which means writes must go to a single primary region, causing higher latency for remote users and failing to meet the low-latency global query requirement; it also lacks native conflict resolution based on region for data sovereignty. Option D is wrong because Azure SQL Managed Instance with failover groups provides only one writable primary instance and manual or automatic failover to a secondary, which does not support multi-region writes or active-active replication, leading to increased write latency for users outside the primary region and insufficient support for global low-latency queries.

Question 165 (MCQ, medium)

A company has multiple on-premises sites and Azure VNets in different regions. They need to connect all networks with a single mesh topology, ensuring that any network can communicate with any other network directly. They also want to minimize administrative overhead. Which Azure service should they use?

A. Azure Virtual WAN
B. Azure VPN Gateway
C. Azure ExpressRoute
D. Azure Peering Service

Answer: A

Virtual WAN provides a scalable and automated mesh connectivity solution with integrated routing, reducing manual configuration overhead.

Why this answer

Azure Virtual WAN is the correct choice because it provides a managed, global mesh network that automatically connects on-premises sites and Azure VNets across regions using a hub-and-spoke architecture with built-in transitive routing. This eliminates the need to manually configure individual VPN gateways or ExpressRoute circuits for each pair of networks, directly supporting the requirement for any-to-any direct communication with minimal administrative overhead.

Exam trap

The trap here is that candidates often confuse Azure VPN Gateway's ability to create multiple site-to-site connections with a true mesh topology, overlooking that VPN Gateway lacks automatic transitive routing and requires manual configuration for any-to-any connectivity, whereas Virtual WAN provides this natively.

How to eliminate wrong answers

Option B (Azure VPN Gateway) is wrong because it only creates point-to-site or site-to-site connections between individual networks; it does not natively support a full mesh topology without complex, manual configuration of multiple VPN tunnels and route tables, which increases administrative overhead. Option C (Azure ExpressRoute) is wrong because it provides private, dedicated connectivity between on-premises sites and Azure, but it does not inherently create a mesh between multiple on-premises sites or VNets; additional routing and gateway configurations are required to achieve transitive connectivity. Option D (Azure Peering Service) is wrong because it is designed to optimize connectivity to Microsoft cloud services over the internet, not to create a mesh network between customer-owned on-premises sites and Azure VNets.

Question 166 (MCQ, hard)

A data platform must support analytical queries over petabytes of files in a data lake, while preserving hierarchical namespaces and fine-grained ACLs. Which storage service should you design around?

A. Azure Data Lake Storage Gen2
B. Azure Files premium shares
C. Azure Table Storage
D. Azure Queue Storage

Answer: A

It provides hierarchical namespace and data lake semantics for analytics workloads.

Why this answer

Azure Data Lake Storage Gen2 (ADLS Gen2) is the correct choice because it combines a hierarchical namespace with POSIX-like ACLs, enabling fine-grained access control at the file and directory level while supporting petabyte-scale analytical workloads. It is built on Azure Blob Storage, providing high-throughput and parallel processing for big data analytics engines like Azure Synapse, Spark, and Hadoop.

Exam trap

The trap here is that candidates may confuse Azure Files (which also supports ACLs) with ADLS Gen2, overlooking that Azure Files is optimized for shared file access (SMB/NFS) and not for petabyte-scale analytical data lake workloads with hierarchical namespace and POSIX ACLs.

How to eliminate wrong answers

Option B is wrong because Azure Files premium shares provide SMB/NFS file shares with ACLs but are designed for low-latency, IOPS-intensive workloads (e.g., lift-and-shift apps), not for petabyte-scale analytical queries over a data lake. Option C is wrong because Azure Table Storage is a NoSQL key-value store for structured, semi-structured data at scale, but it lacks a hierarchical namespace and does not support file-level ACLs or analytical query patterns over files. Option D is wrong because Azure Queue Storage is a messaging service for decoupling application components, not a storage service for data lake analytics or hierarchical namespace management.

Question 167 (MCQ, medium)

A multinational company stores large amounts of unstructured data (documents, images) that must be read with low latency from multiple global regions. Data is written primarily in one region but read globally. Cost optimization is a key requirement. Which Azure storage replication option should they use?

A. Azure Blob Storage with geo-redundant storage (GRS)
B. Azure Blob Storage with read-access geo-redundant storage (RA-GRS)
C. Azure Files with premium shares
D. Azure NetApp Files

Answer: B

Correct. RA-GRS replicates data to a secondary region and provides a read-only endpoint, allowing low-latency reads from the secondary region without the cost of premium storage.

Why this answer

B is correct because RA-GRS provides geo-redundant storage with read access to the secondary region, enabling low-latency reads from multiple global regions while maintaining cost efficiency. The data is written primarily in one region, but RA-GRS allows read requests to be served from the secondary region without additional compute costs, meeting the global read requirement.

Exam trap

The trap here is that candidates often confuse GRS with RA-GRS, assuming geo-redundancy alone provides read access to the secondary region, but GRS requires a manual failover to enable reads, while RA-GRS allows reads from the secondary region at all times.

How to eliminate wrong answers

Option A is wrong because GRS provides geo-redundant storage but does not allow read access to the secondary region, so reads from other regions would still be served from the primary region, increasing latency. Option C is wrong because Azure Files with premium shares is designed for high-performance file shares with low latency but uses locally redundant storage (LRS) or zone-redundant storage (ZRS), not geo-replication, and is cost-prohibitive for large-scale unstructured data. Option D is wrong because Azure NetApp Files is a high-performance file service for enterprise workloads (e.g., SAP, HPC) with NFS/SMB protocols, not optimized for cost-effective global read access of unstructured data, and uses LRS or ZRS by default.

Question 168 (Matching, medium)

Match each Azure storage redundancy option to its description.

Pairings (answers revealed):

LRS (locally redundant storage): 3 copies within a single datacenter
ZRS (zone-redundant storage): 3 copies across 3 availability zones in a region
GRS (geo-redundant storage): LRS in primary region + LRS in paired secondary region
RA-GRS (read-access geo-redundant storage): GRS with read access to secondary region
GZRS (geo-zone-redundant storage): ZRS in primary region + LRS in paired secondary region

Why these pairings

These are the standard Azure Storage redundancy levels.

Question 169 (MCQ, easy)

A company has an Azure API Management instance deployed in the internal virtual network (VNet) mode. They want to securely expose their backend APIs to external partners over the internet. External partners need to authenticate using OAuth2 tokens. The company also wants to enforce rate limits (throttling) per subscription, cache responses, and enable CORS. Which Azure service should they use to expose the APIs?

A. Azure Application Gateway
B. Azure API Management
C. Azure Front Door
D. Azure Traffic Manager

Answer: B

Azure API Management is a full-featured API gateway that supports OAuth2, rate limiting, caching, CORS, and many other policies. It can be deployed with a public endpoint to securely expose APIs to external partners.

Why this answer

Azure API Management (APIM) in internal VNet mode can securely expose backend APIs to external partners over the internet by using its built-in OAuth2 token validation, per-subscription rate limiting (throttling), response caching, and CORS support. APIM acts as the API gateway that handles authentication, policy enforcement, and traffic management, making it the correct choice for this scenario.

Exam trap

The trap here is that candidates often confuse Azure API Management with Azure Application Gateway or Azure Front Door, but only APIM provides the comprehensive API gateway features (OAuth2, throttling, caching, CORS) required for this scenario.

How to eliminate wrong answers

Option A is wrong because Azure Application Gateway is a Layer 7 load balancer and web application firewall (WAF), but it does not natively support OAuth2 token validation, per-subscription rate limiting, or API-level caching and CORS policies. Option C is wrong because Azure Front Door is a global load balancer and CDN that provides WAF and caching at the edge, but it lacks built-in OAuth2 authentication, per-subscription throttling, and API management policies. Option D is wrong because Azure Traffic Manager is a DNS-based traffic load balancer that only routes traffic based on DNS resolution and does not provide any API gateway features like OAuth2, rate limiting, caching, or CORS.

170
MCQ (medium)

Your company is deploying a web application that experiences unpredictable traffic spikes. You need to ensure the application can handle sudden increases in load automatically without manual intervention and minimize costs during low traffic periods. Which Azure service should you use?

A. Azure App Service with manual scale-out
B. Azure Functions with consumption plan
C. Virtual Machine Scale Set with autoscale
D. Azure Container Instances
Answer: C

Scale Sets with autoscale rules automatically adjust capacity based on metrics.

Why this answer

Virtual Machine Scale Sets with autoscale rules can automatically adjust the number of VM instances based on demand. Option A (Azure App Service with manual scaling) does not autoscale automatically. Option B (Azure Functions) is for event-driven workloads, not web apps. Option D (Azure Container Instances) does not autoscale natively.

171
Multi-Select (hard)

Which THREE of the following are valid strategies for designing a disaster recovery plan for Azure Virtual Desktop? (Choose three.)

Select 3 answers
A. Use Azure Front Door to route RDP traffic to the secondary region
B. Use Azure File Sync to replicate FSLogix profile shares to a secondary region
C. Pre-deploy a secondary host pool in the DR region and use Azure Traffic Manager to redirect connections
D. Rely on Azure Backup to restore session hosts in the secondary region
E. Replicate session host VMs to a secondary region using Azure Site Recovery
Answers: B, C, E

Azure File Sync can sync files to a secondary region for disaster recovery.

Why this answer

Options B, C, and E are correct. Azure Site Recovery can replicate session host VMs to a secondary region (E). Azure File Sync can replicate FSLogix profile shares to a secondary region (B). A disaster recovery plan can include a pre-deployed secondary host pool with pre-provisioned session hosts in the DR region (C). Option D is wrong because Azure Backup does not provide immediate failover; it is for backup and restore. Option A is wrong because Azure Front Door is for web traffic, not for RDP connections.

172
MCQ (medium)

A company runs a critical web application on Azure App Service in a single region. They need to achieve high availability across regions with automatic failover in the event of a regional outage. Which approach should they recommend?

A. Deploy multiple App Service instances in the same region with Traffic Manager
B. Deploy to multiple regions with Azure Front Door
C. Use App Service auto-scaling rules to handle increased load
D. Enable Azure Site Recovery for the App Service
Answer: B

Correct. Azure Front Door can route traffic across regions and automatically fail over to a healthy region if the primary goes down.

Why this answer

Azure Front Door provides global load balancing and automatic failover across multiple regions by routing traffic to the nearest healthy backend. For a critical web application requiring cross-region high availability, deploying App Service instances in multiple regions behind Front Door ensures seamless failover during a regional outage, as Front Door monitors endpoint health and redirects traffic away from failed regions.

Exam trap

The trap here is that candidates often confuse Traffic Manager (DNS-level, no health probe for App Service) with Azure Front Door (application-layer, with health probes and instant failover), leading them to choose Option A for cross-region scenarios.

How to eliminate wrong answers

Option A is wrong because deploying multiple App Service instances in the same region with Traffic Manager does not protect against a regional outage; Traffic Manager can distribute load but all instances share the same regional failure domain. Option C is wrong because App Service auto-scaling rules only adjust capacity within a single region based on load metrics, not across regions, and cannot provide failover during a regional outage. Option D is wrong because Azure Site Recovery is designed for virtual machine replication and failover, not for PaaS services like App Service; it does not natively support App Service and would require complex, unsupported workarounds.

173
MCQ (easy)

A company has multiple Azure virtual networks (VNets) in different Azure regions and an on-premises data center connected via ExpressRoute. They want to connect all VNets to each other and to the on-premises network securely over the Microsoft global backbone. They also want to simplify management by using a single orchestration interface. Which Azure service should they use?

A. Azure Virtual WAN
B. VNet peering
C. Azure VPN Gateway
D. Azure ExpressRoute
Answer: A

Virtual WAN provides a centralized hub-and-spoke architecture that connects VNets and branches over the Microsoft network, with simplified management and orchestration.

Why this answer

Azure Virtual WAN is correct because it provides a hub-and-spoke architecture that connects branch offices, VNets, and on-premises networks over the Microsoft global backbone. It offers a single orchestration interface for managing connectivity, routing, and security policies across multiple regions and ExpressRoute circuits, meeting the requirement for secure, global connectivity with simplified management.

Exam trap

The trap here is that candidates often confuse VNet peering (which is point-to-point) with the hub-and-spoke model of Virtual WAN, or assume ExpressRoute alone can connect multiple VNets, missing the requirement for a single orchestration interface and transitive routing across regions.

How to eliminate wrong answers

Option B (VNet peering) is wrong because it only connects two VNets directly and does not provide a single orchestration interface for multiple VNets across regions; it also requires manual transitive routing configuration and does not natively integrate with ExpressRoute for on-premises connectivity. Option C (Azure VPN Gateway) is wrong because it creates site-to-site VPN tunnels over the public internet, not over the Microsoft global backbone, and does not offer a unified management interface for multiple VNets and ExpressRoute connections. Option D (Azure ExpressRoute) is wrong because it only provides a dedicated private connection from on-premises to Azure, but does not connect multiple VNets to each other or offer a single orchestration interface for managing inter-VNet and hybrid connectivity.

174
MCQ (medium)

Your company runs a critical workload on Azure Virtual Machines in a single region. You need to design a disaster recovery solution that meets a Recovery Point Objective (RPO) of 15 minutes and a Recovery Time Objective (RTO) of 1 hour. The solution should minimize cost. What should you recommend?

A. Configure Azure Backup with geo-redundant storage.
B. Deploy an active-passive pair of VMs using SQL Server Always On availability groups.
C. Use Azure Storage with read-access geo-redundant storage (RA-GRS) and failover the VMs.
D. Implement Azure Site Recovery with replication to a secondary region.
Answer: D

Azure Site Recovery can replicate Azure VMs to another region with an RPO of 15 seconds to 15 minutes and RTO of minutes to hours, meeting the requirements cost-effectively.

Why this answer

Option D is correct because Azure Site Recovery provides replication with RPO as low as 15 minutes and RTO of minutes to hours, and it is cost-effective compared to always-on replication. Option A is wrong because Azure Backup has a minimum RPO of 1 hour for VMs. Option C is wrong because read-access geo-redundant storage (RA-GRS) is for storage accounts, not VM-level recovery. Option B is wrong because an active-passive configuration with Always On availability groups requires SQL Server and is overkill for non-database workloads.

175
Multi-Select (hard)

Your company has a hybrid identity environment with Microsoft Entra ID and on-premises Active Directory. You need to design a solution to monitor changes to privileged groups in both directories and ensure that any unauthorized changes trigger an automated response. Which TWO services should you include in the design?

Select 2 answers
A. Microsoft Sentinel
B. Microsoft Purview
C. Microsoft Entra Identity Protection
D. Group Policy Management Console
E. Microsoft Defender for Identity
Answers: A, E

Sentinel can collect logs from both Entra ID and on-premises and automate responses.

Why this answer

Microsoft Sentinel is correct because it serves as the centralized SIEM (Security Information and Event Management) solution that can ingest logs from both Microsoft Entra ID (via diagnostic settings) and on-premises Active Directory (via Windows Security Events or Azure Monitor Agent). It allows you to create analytics rules that detect unauthorized changes to privileged groups and trigger automated responses, such as playbooks (Logic Apps) or incident creation, ensuring a unified monitoring and response workflow.

Exam trap

The trap here is that candidates often confuse Microsoft Purview (data governance) with Microsoft Defender for Cloud Apps (which can monitor group changes in SaaS apps) or assume Entra Identity Protection covers group membership monitoring, but neither Purview nor Identity Protection is designed for auditing or responding to privileged group modifications in hybrid directories.

176
MCQ (medium)

You are designing a disaster recovery solution for a critical application hosted in Azure VMs. The primary region is East US. The application requires a recovery time objective (RTO) of 30 minutes and a recovery point objective (RPO) of 15 minutes. Which Azure service should you use to replicate the VMs?

A. Azure Front Door
B. Azure Backup
C. Azure Traffic Manager
D. Azure Site Recovery
Answer: D

Azure Site Recovery offers near-synchronous replication with low RPO and can meet the RTO with orchestrated failover.

Why this answer

Option D is correct because Azure Site Recovery provides replication with RPO as low as 15 minutes and can meet the RTO with proper planning. Option B is wrong because Azure Backup has a higher RPO. Option C is wrong because Azure Traffic Manager is for traffic routing, not replication. Option A is wrong because Azure Front Door is a global load balancer, not a replication service.

177
MCQ (easy)

A company needs to provide secure access to Azure resources for remote employees. They want to enforce multi-factor authentication and conditional access policies. The solution should not require a VPN connection. Which Azure service should they implement?

A. Microsoft Intune
B. Azure VPN Gateway
C. Azure Bastion
D. Microsoft Entra ID
Answer: D

Entra ID provides identity and access management with MFA and conditional access.

Why this answer

Microsoft Entra ID (formerly Azure AD) with conditional access and MFA provides secure access without a VPN. Option B is wrong because Azure VPN Gateway requires a VPN connection. Option C is wrong because Azure Bastion is for RDP/SSH access to VMs. Option A is wrong because Microsoft Intune is for device management.

178
MCQ (hard)

A large enterprise has multiple Azure subscriptions and on-premises servers. They need to collect performance metrics (CPU, memory) from all servers, create custom dashboards to visualize health across workloads, and set up alerts for critical thresholds. They also need to retain log data for one year. Which combination of Azure services should they use?

A. A
B. B
C. C
D. D
Answer: A

Azure Monitor with Log Analytics workspaces allows collection of performance counters, creation of custom dashboards, and alert rules. Log retention can be set to one year per workspace.

Why this answer

Azure Monitor is the central service for collecting performance metrics (CPU, memory) from both Azure VMs and on-premises servers via the Log Analytics agent or Azure Monitor Agent. A Log Analytics workspace stores the data, enabling custom dashboards with Azure Workbooks and alerts with Azure Monitor Alerts. The 1-year retention is achieved by configuring the workspace's data retention settings (configurable up to 730 days, i.e. 2 years).

Exam trap

The trap here is that candidates confuse Azure Monitor with Azure Sentinel, thinking Sentinel is needed for long-term retention and alerting, but Sentinel is a security-specific solution, while Azure Monitor natively handles performance monitoring, dashboards, and retention for operational data.

How to eliminate wrong answers

Option B is wrong because it suggests using Azure Sentinel, which is a SIEM/SOAR for security events, not primarily for performance metrics and custom dashboards; it would add unnecessary cost and complexity. Option C is wrong because it proposes Azure Storage for log retention, but Azure Storage does not natively support querying or alerting on performance metrics; you would need additional services like Azure Data Explorer, making it inefficient. Option D is wrong because it includes Azure Event Hubs, which is for real-time data streaming and ingestion, not for long-term storage or direct dashboarding; it would require additional downstream services to achieve the requirements.

179
Multi-Select (medium)

A company is designing a data storage solution for its IoT devices that generate telemetry data. The data is ingested at high velocity (millions of events per second) and must be stored for real-time dashboards and historical analysis. The solution must also support complex event processing and alerting. Which two Azure services should the company use together? (Choose two.)

Select 2 answers
A. Azure IoT Hub
B. Azure Event Hubs
C. Azure Stream Analytics
D. Azure Synapse Analytics
E. Azure Data Lake Storage Gen2
Answers: B, C

High-throughput event ingestion.

Why this answer

Azure Event Hubs is the correct choice because it is a high-throughput data ingestion service designed to handle millions of events per second from IoT devices, providing low-latency, durable event capture for real-time dashboards and historical analysis. Azure Stream Analytics is the correct companion service because it natively integrates with Event Hubs to perform complex event processing (CEP), such as pattern matching, aggregation, and alerting, on the streaming telemetry data in real time.

Exam trap

The trap here is that candidates often confuse Azure IoT Hub with Event Hubs, assuming IoT Hub is the default for all IoT data ingestion, but IoT Hub is for device management and lower-throughput scenarios, while Event Hubs is the correct choice for high-velocity, multi-million-events-per-second telemetry ingestion.

180
MCQ (easy)

Your company has a large Azure environment with thousands of resources. You need to design a solution to track resource ownership and ensure that resources are cleaned up when projects end. You want to use a tag-based approach where each resource has an 'Owner' and 'Project' tag. Additionally, you need to generate a weekly report of resources that are not tagged or have been orphaned (no recent activity). What should you include in the design?

A. Use Azure Policy to audit missing tags and create a custom dashboard in Azure Monitor.
B. Use Azure Monitor alerts with a metric alert for unmodified resources.
C. Use Azure Automation runbook to inventory resources and store in a SQL database, then use Power BI to report.
D. Use Azure Resource Graph queries in an Azure Logic App scheduled to run weekly, and send the report via email.
Answer: D

Logic Apps can execute queries and send formatted reports.

Why this answer

Option D is correct because Azure Resource Graph can query all resources and their tags, and Azure Logic Apps can schedule the query and send a report via email. Option A is wrong because Azure Policy can enforce tags but does not generate reports natively. Option B is wrong because Azure Monitor alerts are for real-time notifications, not scheduled reports. Option C is wrong because Azure Automation runbooks can do this but are more complex than Logic Apps.

181
MCQ (easy)

A software company runs 50 small Azure SQL databases for different clients. Each database has low average usage but unpredictable spikes. The company wants to minimize cost while providing resources for peak loads and easily adding new databases without manual sizing. Which Azure data service should they use?

A. Azure SQL Database single databases
B. Azure SQL Database elastic pool
C. Azure SQL Managed Instance
D. SQL Server on Azure Virtual Machines
Answer: B

Elastic pools allow sharing of resources across databases, ideal for variable workloads. They provide cost efficiency and the ability to handle spikes without over-provisioning each database.

Why this answer

Azure SQL Database elastic pool is ideal for multiple databases with low average usage and unpredictable spikes because it allows them to share a fixed set of resources (eDTUs or vCores). This pooling model minimizes cost by only paying for the aggregate peak usage across all databases, not each database's individual peak, and automatically handles resource allocation without manual sizing for new databases.

Exam trap

The trap here is that candidates often choose single databases (Option A) thinking they can scale individually for spikes, but they overlook the cost inefficiency of provisioning each database for its peak load versus sharing resources in an elastic pool.

How to eliminate wrong answers

Option A is wrong because Azure SQL Database single databases would require each database to be sized for its own peak load, leading to over-provisioning and higher costs for 50 low-usage databases with spikes. Option C is wrong because Azure SQL Managed Instance is a fully managed instance of SQL Server with fixed resources, designed for lift-and-shift migrations, not for cost-efficient multi-tenant scenarios with variable loads. Option D is wrong because SQL Server on Azure Virtual Machines requires manual VM sizing, patching, and management, increasing operational overhead and cost, and does not provide the automatic resource sharing needed for unpredictable spikes.

182
MCQ (medium)

A healthcare organization needs to store patient records that must be immutable and auditable for compliance purposes. The records should be stored in a cost-effective manner with the ability to set retention policies. Which Azure storage solution should they implement?

A. Azure NetApp Files
B. Azure SQL Database
C. Azure Blob Storage with immutable storage
D. Azure Files
Answer: C

Azure Blob Storage with immutable storage (WORM) provides immutable and auditable records.

Why this answer

Azure Blob Storage with immutable storage (WORM policy) is the correct solution because it provides time-based retention policies and legal hold capabilities that make data non-erasable and non-modifiable, meeting compliance requirements for patient records. It is cost-effective for large volumes of data and integrates with Azure Policy for audit logging, making it ideal for healthcare compliance scenarios like HIPAA.

Exam trap

The trap here is that candidates often confuse Azure Files or Azure NetApp Files with immutable storage because they support snapshots, but snapshots can be deleted or overwritten, whereas Blob Storage immutable policies enforce true WORM compliance that cannot be bypassed.

How to eliminate wrong answers

Option A is wrong because Azure NetApp Files is a high-performance file share for NFS/SMB workloads, not designed for immutable storage or compliance retention policies. Option B is wrong because Azure SQL Database supports row-level security and auditing but does not offer native immutable storage capabilities; data can be modified or deleted unless using complex triggers or backups. Option D is wrong because Azure Files provides SMB file shares with snapshots but lacks built-in WORM (Write Once, Read Many) immutability and retention policy enforcement required for compliance.

183
MCQ (easy)

A company wants to implement a backup strategy for their Azure virtual machines. They need to retain backups for 7 years for compliance and ensure backups are encrypted at rest. Which solution should you recommend?

A. Azure Disk Snapshot with a lifecycle management policy.
B. Azure Backup with a vault configured for 7-year retention and encryption at rest.
C. Azure Files Backup to a Recovery Services vault.
D. Azure Site Recovery with custom retention policies.
Answer: B

Azure Backup supports long-term retention and encryption at rest.

Why this answer

Option B is correct because Azure Backup supports long-term retention (up to 99 years) and encryption at rest using Azure Storage Service Encryption. Option D is wrong because Azure Site Recovery is for disaster recovery, not long-term backup. Option A is wrong because Azure Disk Snapshot does not support 7-year retention natively. Option C is wrong because Azure Files Backup is for file shares, not VMs.

184
MCQ (hard)

You are designing a monitoring solution for a critical application running on Azure Kubernetes Service (AKS). The application generates custom metrics that need to be queried in real-time for dashboards. You also need to retain logs for one year for compliance. Which combination of services should you use?

A. Azure Monitor Metrics and Azure Monitor Logs
B. Prometheus and Azure Monitor Logs
C. Azure Data Explorer and Azure Blob Storage
D. Application Insights and Azure Storage
Answer: A

Metrics for real-time dashboards, Logs for long-term log retention and querying.

Why this answer

Azure Monitor Metrics is the correct choice for real-time querying of custom metrics because it stores numeric time-series data with sub-minute granularity and supports near real-time alerting and dashboarding via Azure Dashboards or Grafana. Azure Monitor Logs (Log Analytics) is required for retaining logs for one year, as it offers configurable retention up to 730 days (2 years) and supports KQL queries for compliance and audit needs. Together, they provide a unified monitoring solution for AKS that meets both real-time metric querying and long-term log retention requirements.

Exam trap

The trap here is that candidates often assume Prometheus is the only way to collect custom metrics in AKS, but Azure Monitor Metrics natively supports custom metrics via the Azure Monitor agent and does not require a separate Prometheus deployment for real-time dashboards.

How to eliminate wrong answers

Option B is wrong because Prometheus is a third-party monitoring tool that, while commonly used with AKS, does not natively integrate with Azure Monitor Logs for log retention; you would need Azure Monitor for logs, making this combination redundant and less integrated. Option C is wrong because Azure Data Explorer is designed for big data analytics and interactive queries on large datasets, not for real-time metric dashboards, and Azure Blob Storage is a cold storage option that does not support real-time querying or native dashboarding. Option D is wrong because Application Insights is primarily for application performance monitoring (APM) and traces, not for storing custom metrics from AKS in a real-time queryable format, and Azure Storage (Blob) is not a log analytics platform and lacks the querying capabilities needed for compliance retention.

185
MCQ (medium)

A startup is building a social media analytics platform that processes streaming data. They need a data store for time-series events with high write throughput and fast timestamp-based range queries. Which Azure data store is most suitable for this workload?

A. Azure Cosmos DB with SQL API
B. Azure SQL Database with columnstore index
C. Azure Table Storage
D. Azure Data Lake Storage Gen2
Answer: C

Correct. Azure Table Storage is designed for high-volume structured data and supports efficient point queries and range scans on PartitionKey and RowKey, making it ideal for time-series data at low cost.

Why this answer

Azure Table Storage is a NoSQL key-value store that supports high-volume, low-latency writes and efficient range queries on the PartitionKey and RowKey, which can be structured as a timestamp for time-series data. Its schema-less design and ability to scale to massive throughput without sharding overhead make it ideal for streaming event ingestion and timestamp-based retrieval.

Exam trap

The trap here is that candidates often choose Cosmos DB for its flexibility and global distribution, but for a simple, high-throughput time-series workload with timestamp-based queries, Azure Table Storage is the most cost-effective and performant choice, as Cosmos DB adds unnecessary complexity and cost.

How to eliminate wrong answers

Option A is wrong because Azure Cosmos DB with SQL API, while supporting time-series patterns, introduces higher latency and cost for simple key-value workloads compared to Table Storage, and its throughput is provisioned per container, requiring careful RU management that adds complexity for high-write streaming. Option B is wrong because Azure SQL Database with columnstore index is optimized for analytical queries on large datasets, not for high-write throughput of individual streaming events; its transactional overhead and indexing costs make it unsuitable for real-time ingestion. Option D is wrong because Azure Data Lake Storage Gen2 is a hierarchical file system designed for big data analytics and batch processing, not for low-latency point writes or timestamp-based range queries on individual events.

186
MCQ (medium)

A company runs a critical OLTP application on Azure SQL Database in the West US region. They need to ensure business continuity if a regional outage occurs. The solution must have a recovery point objective (RPO) of 5 seconds and a recovery time objective (RTO) of less than 1 hour. They also want to use the secondary region for read-only query offloading. Which Azure SQL Database feature should they enable?

A. Active geo-replication with automatic failover group
B. Geo-restore
C. Azure Site Recovery
D. Read scale-out with manual regional failover
Answer: A

Active geo-replication provides a readable secondary with RPO ~5 seconds. Auto-failover groups automate failover (RTO < 1 hour) and the secondary can be used for read-only queries.

Why this answer

Active geo-replication with automatic failover groups is the correct choice because it provides continuous asynchronous data replication to a secondary Azure SQL Database in a paired region, achieving an RPO of 5 seconds and an RTO of under 1 hour. The automatic failover group enables coordinated failover of multiple databases and allows the secondary region to be used for read-only query offloading by connecting with ApplicationIntent=ReadOnly.

Exam trap

The trap here is that candidates confuse geo-restore (backup-based) with active geo-replication (continuous replication), or assume read scale-out can span regions, when in fact it only works within the same Azure region.

How to eliminate wrong answers

Option B (Geo-restore) is wrong because it restores a database from geo-replicated backups with an RPO of 1 hour and an RTO of 12+ hours, failing the 5-second RPO and 1-hour RTO requirements. Option C (Azure Site Recovery) is wrong because it is designed for IaaS VM replication, not for PaaS Azure SQL Database, and cannot meet the 5-second RPO or provide read-only query offloading. Option D (Read scale-out with manual regional failover) is wrong because read scale-out only offloads read-only queries using a readable secondary replica within the same region, not in a secondary region, and manual failover does not meet the automated RTO of under 1 hour.

187
MCQ (easy)

A company wants to run a containerized application on Azure without managing virtual machines. They need automatic scaling, load balancing, and rolling updates. Which Azure compute service should they choose?

A. Azure Virtual Machine Scale Sets
B. Azure Kubernetes Service (AKS)
C. Azure App Service
D. Azure Container Instances
Answer: B

AKS offers full container orchestration with built-in scaling, load balancing, and rolling updates.

Why this answer

Azure Kubernetes Service (AKS) is the correct choice because it provides a fully managed Kubernetes orchestration platform that handles containerized applications with automatic scaling (via Horizontal Pod Autoscaler), built-in load balancing (via Azure Load Balancer integration), and rolling updates (via Kubernetes deployment strategies). This meets the requirement of running containers without managing VMs, as AKS abstracts the underlying node management.

Exam trap

The trap here is that candidates often confuse Azure Container Instances (ACI) as a full orchestration solution, but ACI lacks the automatic scaling, load balancing, and rolling update capabilities that AKS provides for multi-container applications.

How to eliminate wrong answers

Option A is wrong because Azure Virtual Machine Scale Sets require you to manage VMs and the container runtime, and they do not natively support container orchestration features like rolling updates or service discovery. Option C is wrong because Azure App Service is a Platform-as-a-Service (PaaS) for web apps and APIs, not designed for containerized applications with full orchestration; it lacks native Kubernetes features like pod-level scaling and rolling update strategies. Option D is wrong because Azure Container Instances (ACI) is a serverless container service that does not provide built-in orchestration for automatic scaling, load balancing across multiple containers, or rolling updates; it is intended for simple, single-container scenarios.

188
MCQ (medium)

You are the Azure architect for a financial services company. The company runs a proprietary trading application on Azure Virtual Machines in the East US region. The application stores state in Azure Cache for Redis (Standard tier) and uses Azure SQL Database (General Purpose tier) for persistent data. The business has set a Recovery Point Objective (RPO) of 1 hour and a Recovery Time Objective (RTO) of 2 hours for the entire application. The solution must minimize costs. You have been asked to design a disaster recovery plan. Which approach should you recommend?

A. Use Azure Traffic Manager to distribute traffic to both regions with active-passive configuration. Configure Azure SQL Database auto-failover groups. Deploy a second Azure Cache for Redis in the secondary region.
B. Configure Azure SQL Database active geo-replication with a readable secondary. Use Azure Site Recovery for VMs. Enable Azure Cache for Redis data persistence and replicate the cache using Azure Files.
C. Back up the VMs using Azure Backup with a 1-hour frequency. Use Azure SQL Database backup with short-term retention. Manually recreate the Redis cache in the secondary region.
D. Use Azure Site Recovery to replicate the VMs to a secondary region. For Azure SQL Database, enable geo-redundant backup storage and use geo-restore during failover. For Azure Cache for Redis, document the reconfiguration steps to point to a new cache in the secondary region.
Answer: D

Azure Site Recovery meets RPO/RTO for VMs; geo-restore for SQL Database meets the 1-hour RPO and restores within minutes; Redis reconfiguration is manual but acceptable.

Why this answer

Option D is correct because Azure Site Recovery for VMs meets the 1-hour RPO and 2-hour RTO at low cost; Azure SQL Database geo-redundant backup restore can achieve an RTO of 1 hour (using geo-restore) and an RPO of 1 hour; for Redis, reconfiguration is acceptable. Option A is wrong because Azure Traffic Manager alone does not provide replication. Option B is wrong because active geo-replication for SQL Database is more expensive than geo-restore.

Option C is wrong because Azure Backup for VMs has a minimum RPO of 1 hour, but restore time may exceed 2 hours.

189
Multi-Selecteasy

You are designing a governance strategy for Azure resources. You need to enforce compliance with corporate standards and ensure that resource provisioning is audited. Which TWO Azure features should you include?

Select 2 answers
A.Azure Role-Based Access Control
B.Azure Blueprints
C.Azure Policy
D.Azure Management Groups
E.Azure Resource Graph
AnswersC, E

Enforces rules and effects on resources.

Why this answer

Azure Policy is correct because it enforces compliance by applying rules (e.g., allowed SKUs, tagging requirements) to resources during provisioning and to existing resources via audit or deny effects. It ensures corporate standards are met and provides continuous compliance evaluation, which directly addresses the need to enforce standards and audit provisioning.

Exam trap

The trap here is confusing Azure Policy (which enforces and audits resource properties) with Azure Blueprints (which packages policies but does not enforce them) or RBAC (which controls access, not resource compliance).

190
MCQhard

Your organization has a hybrid identity with Microsoft Entra ID and on-premises Active Directory. You need to allow users to reset their own passwords from the cloud. What should you configure?

A.Password hash synchronization only
B.Azure AD Connect with password hash sync
C.Pass-through authentication
D.Azure AD self-service password reset with password writeback
AnswerD

SSPR with writeback allows users to reset on-premises passwords from the cloud.

Why this answer

Azure AD self-service password reset (SSPR) with password writeback is the correct configuration because it allows users to reset their on-premises Active Directory passwords from the cloud. Password writeback ensures that the new password is written back to the on-premises AD, maintaining hybrid identity synchronization. Without writeback, cloud-only password resets would not update the on-premises directory, breaking the hybrid identity model.

Exam trap

The trap here is that candidates often confuse password hash synchronization with the ability to perform password resets, not realizing that SSPR with writeback is a separate feature requiring explicit configuration beyond just syncing hashes.

How to eliminate wrong answers

Option A is wrong because password hash synchronization alone only syncs password hashes for authentication; it does not enable self-service password reset or writeback. Option B is wrong because Azure AD Connect with password hash sync is the mechanism for syncing hashes, not a feature for password reset; SSPR requires additional configuration of writeback. Option C is wrong because pass-through authentication validates passwords against on-premises AD but does not provide any password reset capability or writeback functionality.

191
MCQmedium

A company is designing private access to a PaaS database from workloads in a VNet. The database should not be reachable over its public endpoint. What should be recommended?

A.A public IP address with NSG rules
B.A route table to the internet gateway
C.Private Endpoint with public network access disabled
D.Azure CDN endpoint
AnswerC

Private Endpoint exposes the PaaS resource through a private IP in the VNet and can be combined with disabling public access.

Why this answer

Private Endpoint with public network access disabled is the correct recommendation because it assigns a private IP address from the VNet to the PaaS database, making it accessible only over the private network. This eliminates exposure to the public internet by disabling the public endpoint, aligning with the requirement that the database should not be reachable over its public endpoint.

Exam trap

The trap here is that candidates may confuse Private Endpoint with Service Endpoint, but Service Endpoint does not remove the public endpoint and still allows internet-based access if the firewall permits it, whereas Private Endpoint with public access disabled fully isolates the resource.

How to eliminate wrong answers

Option A is wrong because a public IP address with NSG rules still exposes the database to the internet; NSGs only filter traffic at the subnet/NIC level and do not prevent public endpoint access. Option B is wrong because a route table to the internet gateway directs traffic to the internet, which does not provide private access and would actually route traffic away from the private endpoint. Option D is wrong because an Azure CDN endpoint is a content delivery network for caching static content at edge locations, not a mechanism for private network access to a PaaS database.

192
Multi-Selectmedium

Which TWO of the following are true about Microsoft Entra ID Governance features?

Select 2 answers
A.Conditional Access policies govern access based on location and device.
B.Access reviews allow administrators to periodically review and attest to access rights.
C.Privileged Identity Management (PIM) provides just-in-time access for all users.
D.Identity Protection automatically blocks all risky sign-ins.
E.Entitlement management enables automation of access request workflows.
AnswersB, E

Access reviews are a key governance feature for periodic attestation.

Why this answer

Option B is correct because Microsoft Entra ID Access Reviews enable administrators to periodically review and attest to the access rights of users, groups, or applications, ensuring that only authorized users retain access. This is a core governance feature that helps organizations meet compliance and security requirements by automating the certification process.

Exam trap

The trap here is confusing security features (Conditional Access, Identity Protection) with governance features (Access Reviews, Entitlement Management), leading candidates to select options that enforce access rather than manage its lifecycle.

193
Multi-Selecthard

Your organization is designing a data platform for real-time analytics on streaming data from IoT devices. The solution must ingest millions of events per second, process the data with low latency, and store results in a format optimized for analytical queries. Which THREE Azure services should you include in the design? (Choose THREE.)

Select 3 answers
A.Azure Event Hubs
B.Azure Stream Analytics
C.Azure Functions
D.Azure Synapse Analytics
E.Azure IoT Hub
AnswersA, B, D

Capable of ingesting millions of events per second.

Why this answer

Option A (Azure Event Hubs) is for high-throughput ingestion. Option B (Azure Stream Analytics) is for real-time processing. Option D (Azure Synapse Analytics) is for analytical storage.

Option E (Azure IoT Hub) is for device management, not high-throughput ingestion. Option C (Azure Functions) is for serverless compute, not stream processing at scale.

194
Multi-Selecthard

Which TWO features are part of Microsoft Entra ID Governance? (Choose two.)

Select 2 answers
A.Entitlement Management
B.Self-service password reset
C.Conditional Access
D.Privileged Identity Management
E.Access Reviews
AnswersA, E

Entitlement Management is part of Entra ID Governance.

Why this answer

Options A and E are correct. Entitlement Management (A) and Access Reviews (E) are core governance features. Option B (Self-service password reset) is a user management feature.

Option D (Privileged Identity Management) is part of Identity Protection. Option C (Conditional Access) is security policy.

195
MCQmedium

A company uses Microsoft Entra ID. They need to monitor sign-in logs for anomalous activity (e.g., sign-ins from unfamiliar locations) and automatically take action such as requiring MFA or blocking sign-in. Which Microsoft Entra ID feature should they configure?

A.Identity Protection
B.Conditional Access
C.Access Reviews
D.Privileged Identity Management
AnswerA

Identity Protection provides risk detection (e.g., unfamiliar sign-ins) and allows automated remediation through integration with Conditional Access policies.

Why this answer

Identity Protection is the correct feature because it is specifically designed to detect anomalous sign-in activities, such as sign-ins from unfamiliar locations or anonymous IP addresses, and can automatically trigger risk-based remediation actions like requiring MFA or blocking sign-ins. It leverages machine learning models and real-time risk detections to assess sign-in risks and apply policies accordingly, directly meeting the requirement for monitoring and automated response.

Exam trap

The trap here is that candidates often confuse Conditional Access as the detection mechanism, but it is only the enforcement layer; Identity Protection is the service that performs the actual anomaly detection and risk assessment.

How to eliminate wrong answers

Option B (Conditional Access) is wrong because it is a policy engine that enforces access controls based on conditions (e.g., location, device state), but it does not itself detect anomalous activity; it relies on risk signals from Identity Protection to trigger actions. Option C (Access Reviews) is wrong because it is used for periodic attestation of group memberships or application access, not for real-time monitoring or automated response to sign-in anomalies. Option D (Privileged Identity Management) is wrong because it focuses on just-in-time privileged role activation and approval workflows, not on detecting or responding to anomalous sign-in behavior.

196
MCQhard

Your organization uses Microsoft Entra ID with P2 licensing. You need to implement a strategy to automatically detect and remediate risky sign-ins without requiring user interaction for low-risk events. What should you configure?

A.Identity Protection sign-in risk policy set to allow access and log for low risk, and require MFA for medium and above
B.Conditional Access policy with session control requiring MFA for all sign-ins
C.Identity Protection user risk policy set to block high risk
D.Identity Protection sign-in risk policy set to allow access with MFA for medium and above
AnswerA

Automatically remediates low risk by allowing access with logging, and requires MFA for higher risk.

Why this answer

Option A is correct because the Identity Protection sign-in risk policy allows you to automatically respond to sign-in risk levels. By configuring it to 'allow access' and 'log' for low risk, you meet the requirement of no user interaction for low-risk events, while requiring MFA for medium and above ensures remediation for higher-risk sign-ins without manual intervention.

Exam trap

The trap here is confusing sign-in risk policies (which evaluate individual sign-in events) with user risk policies (which evaluate overall user compromise), leading candidates to select Option C, which addresses user risk rather than the sign-in risk requirement.

How to eliminate wrong answers

Option B is wrong because a Conditional Access policy requiring MFA for all sign-ins does not differentiate by risk level, forcing user interaction even for low-risk events, which contradicts the requirement to avoid user interaction for low risk. Option C is wrong because the Identity Protection user risk policy targets user account compromise (e.g., leaked credentials), not sign-in risk; it blocks high-risk users but does not address the sign-in risk detection and remediation for low-risk events. Option D is wrong because it requires MFA for medium and above but does not explicitly allow and log low-risk sign-ins without user interaction; the 'allow access with MFA' for medium and above still triggers MFA for medium risk, but the policy lacks the 'log' action for low risk, potentially blocking or requiring interaction for low-risk events depending on defaults.

197
Multi-Selectmedium

Which TWO options are valid methods to secure access to Azure Cosmos DB?

Select 2 answers
A.X.509 certificate-based authentication
B.Azure Storage account keys
C.Azure RBAC roles
D.Primary and secondary keys
E.Shared access signatures (SAS)
AnswersC, D

RBAC can control access to Cosmos DB accounts.

Why this answer

Cosmos DB supports primary/secondary keys, Azure RBAC, managed identities, and Microsoft Entra ID authentication. Option D is correct because primary and secondary keys provide access. Option C is correct because RBAC can be used for fine-grained access control.

Option E is wrong because shared access signatures (SAS) are not used for Cosmos DB; they are for Azure Storage. Option A is wrong because certificates are not a native authentication method.

198
MCQeasy

A company deploys a web application on multiple Azure VMs. They need to distribute incoming HTTP traffic across the VMs, offload SSL/TLS termination, and maintain session persistence (sticky sessions) so that all requests from a user session go to the same backend VM. Which Azure load balancing solution should they use?

A.Azure Application Gateway
B.Azure Load Balancer
C.Azure Traffic Manager
D.Azure Front Door
AnswerA

Application Gateway is a layer-7 load balancer that supports SSL offloading, cookie-based session affinity (sticky sessions), and HTTP-based routing.

Why this answer

Azure Application Gateway is a Layer 7 load balancer that can route HTTP/HTTPS traffic, offload SSL/TLS termination, and support session persistence using cookie-based affinity. This makes it the correct choice for distributing incoming HTTP traffic across multiple VMs while maintaining sticky sessions and handling SSL termination at the gateway.

Exam trap

The trap here is that candidates often confuse Azure Load Balancer (Layer 4) with Application Gateway (Layer 7), forgetting that SSL termination and cookie-based sticky sessions require Layer 7 capabilities, not just Layer 4 load balancing.

How to eliminate wrong answers

Option B is wrong because Azure Load Balancer operates at Layer 4 (TCP/UDP) and cannot perform SSL/TLS termination or HTTP-level session persistence; it only supports source IP affinity, which is not cookie-based sticky sessions. Option C is wrong because Azure Traffic Manager is a DNS-based global traffic router that does not handle SSL termination or session persistence; it directs traffic at the DNS level, not at the application layer. Option D is wrong because Azure Front Door is a global Layer 7 load balancer and CDN that can offload SSL and provide session affinity, but it is designed for global distribution across regions, not for distributing traffic within a single region to multiple VMs; using it for regional load balancing would introduce unnecessary latency and complexity.

199
MCQeasy

A company plans to deploy a web application on Azure VMs across multiple availability zones. They need to distribute incoming HTTP traffic across the VMs and provide health probes. Which Azure load balancing solution should they use?

A.Azure Load Balancer
B.Azure Application Gateway
C.Azure Traffic Manager
D.Azure Front Door
AnswerB

Application Gateway is a layer 7 load balancer that supports HTTP/HTTPS, health probes, SSL offloading, and can distribute traffic across VMs in availability zones.

Why this answer

Azure Application Gateway is the correct choice because it operates at Layer 7 (HTTP/HTTPS), providing application-level routing, SSL termination, and HTTP health probes. This matches the requirement to distribute incoming HTTP traffic across VMs in multiple availability zones, whereas Azure Load Balancer operates at Layer 4 and cannot inspect HTTP headers or perform URL-based routing.

Exam trap

The trap here is that candidates often confuse Azure Load Balancer (Layer 4) with Application Gateway (Layer 7), assuming any load balancer can handle HTTP traffic, but the requirement for HTTP health probes and application-level distribution specifically demands a Layer 7 solution.

How to eliminate wrong answers

Option A is wrong because Azure Load Balancer operates at Layer 4 (TCP/UDP) and cannot perform HTTP-specific health probes or application-level routing; it only distributes traffic based on IP and port. Option C is wrong because Azure Traffic Manager is a DNS-based global traffic load balancer that routes traffic at the DNS level, not at the HTTP request level, and it does not provide HTTP health probes or direct traffic to VMs across availability zones within a region. Option D is wrong because Azure Front Door is a global Layer 7 load balancer and application delivery network designed for multi-region scenarios, not for distributing HTTP traffic across VMs within a single region's availability zones.

200
Multi-Selecteasy

You need to design a solution to securely connect an on-premises data center to Azure for hybrid workloads. The connection must be private, use the internet for transport, and provide high availability. Which TWO Azure services should you consider? (Choose TWO.)

Select 2 answers
A.Azure Virtual WAN
B.Azure ExpressRoute
C.Azure VPN Gateway (Site-to-Site VPN)
D.Azure VPN Gateway (active-active mode)
E.Azure Bastion
AnswersC, D

Uses internet and can be configured for high availability with active-active tunnels.

Why this answer

Option C (Site-to-Site VPN) uses the internet and can be made highly available with an active-active configuration. Option D (Azure VPN Gateway) supports active-active mode. Option B (Azure ExpressRoute) is private but not over the internet.

Option A (Azure Virtual WAN) is a managed hub but still uses VPN or ExpressRoute. Option E (Azure Bastion) is for RDP/SSH access to VMs.

201
MCQhard

You run the above PowerShell script to upload a blob to Azure Storage. The script fails with an error: 'The specified container does not exist.' What should you do first to resolve the issue?

A.Create the container using New-AzStorageContainer.
B.Use a different connection string with a SAS token.
C.Grant the storage account key access to the user.
D.Change the -StandardBlobTier parameter to Cool.
AnswerA

The container must exist before uploading a blob.

Why this answer

The error 'The specified container does not exist' indicates that the target container has not been created in the Azure Storage account. The PowerShell script uses the `Set-AzStorageBlobContent` cmdlet, which requires an existing container as the destination. Therefore, the first corrective action is to create the container using `New-AzStorageContainer` before uploading the blob.

Exam trap

The trap here is that candidates may confuse authentication/authorization issues (SAS tokens, key access) with the fundamental prerequisite of container existence, leading them to select options that address permissions rather than the missing resource.

How to eliminate wrong answers

Option B is wrong because using a different connection string with a SAS token does not create the missing container; it only changes authentication, and the container still does not exist. Option C is wrong because granting storage account key access to the user addresses permissions, not the absence of the container; the container must exist regardless of access level. Option D is wrong because changing the -StandardBlobTier parameter to Cool affects the blob's access tier, not the existence of the container; the container must be present before any blob can be uploaded.

202
MCQmedium

Your company has a Microsoft Entra ID tenant with 50,000 users. You need to design a solution to ensure that users can reset their own passwords without help desk intervention, while preventing password reuse for the last 10 passwords. Which feature should you enable?

A.Microsoft Entra ID Protection
B.Microsoft Entra Connect
C.Privileged Identity Management (PIM)
D.Self-Service Password Reset (SSPR)
AnswerD

SSPR enables users to reset their own passwords, and password protection policies can enforce reuse restrictions.

Why this answer

Self-Service Password Reset (SSPR) is the correct feature because it allows users to reset their own passwords without help desk intervention. Additionally, SSPR can be configured with password protection policies that enforce password history, preventing reuse of the last 10 passwords. This directly meets both requirements stated in the question.

Exam trap

The trap here is that candidates often confuse Microsoft Entra ID Protection (which handles risk-based policies) with SSPR, or they mistakenly think PIM is involved because it deals with passwords, but PIM is strictly for privileged role management, not end-user password resets.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID Protection is a security tool that detects and responds to identity-based risks (e.g., leaked credentials, sign-in anomalies), but it does not provide self-service password reset capabilities or enforce password history policies. Option B is wrong because Microsoft Entra Connect is used for hybrid identity synchronization between on-premises Active Directory and Azure AD, not for password reset or reuse prevention. Option C is wrong because Privileged Identity Management (PIM) manages just-in-time access and role activation for privileged roles, not general user password reset or password history enforcement.

203
Multi-Selectmedium

Which TWO actions should you take to implement a least-privilege identity strategy for Azure resources?

Select 2 answers
A.Use managed identities for Azure resources instead of service principals with secrets
B.Assign the Contributor role at the subscription scope to allow flexibility
C.Use storage account keys for access to blob data
D.Enable Privileged Identity Management (PIM) for just-in-time role assignments
E.Use a single service principal for all applications
AnswersA, D

Managed identities provide an automatically managed identity, reducing the need to manage credentials.

Why this answer

Managed identities for Azure resources eliminate the need to manage credentials by automatically rotating them and binding them to a resource lifecycle. This removes the risk of secret leakage or mismanagement that exists with service principal secrets, directly supporting a least-privilege identity strategy by ensuring identities are scoped and ephemeral.

Exam trap

The trap here is that candidates often confuse 'least privilege' with 'convenience' and select broad roles like Contributor at subscription scope, thinking it provides flexibility, when in reality it grants excessive permissions that violate the core principle.

204
Drag & Dropmedium

Drag and drop the steps to set up Azure Private Link for an Azure SQL Database into the correct order.

Why this order

Create endpoint, approve, configure DNS, test, then disable public access.

205
MCQhard

A company runs a critical SAP HANA database on an Azure large instance. They need a disaster recovery solution that provides automatic failover to a secondary region with an RPO of 15 minutes and RTO of 30 minutes. The solution must not require manual intervention to start replication. What should they use?

A.SAP HANA System Replication with HANA Pacemaker
B.Azure Site Recovery with replication policy for SAP HANA
C.Azure NetApp Files with cross-region replication
D.Azure Backup for SAP HANA
AnswerA

HANA System Replication with Pacemaker provides automatic failover within RPO/RTO.

Why this answer

Option A is correct because SAP HANA System Replication with HANA Pacemaker can provide automatic failover with an RPO of 15 minutes and an RTO of 30 minutes. Option B is wrong because Azure Site Recovery for SAP HANA requires manual steps to start replication. Option D is wrong because Azure Backup for SAP HANA has a higher RPO.

Option C is wrong because Azure NetApp Files is a storage solution, not a replication mechanism.

206
MCQeasy

A company deploys a web application across multiple Azure VMs in a single region. They want to distribute incoming HTTP traffic evenly across the VMs, offload SSL encryption, and provide a fixed public IP address for clients. Which Azure load balancing solution should they use?

A.Azure Application Gateway
B.Azure Load Balancer
C.Azure Traffic Manager
D.Azure Front Door
AnswerA

Azure Application Gateway is a layer 7 load balancer that provides SSL offloading, session persistence, and URL-based routing. It can distribute HTTP/HTTPS traffic across VMs and expose a fixed public IP address.

Why this answer

Azure Application Gateway is the correct choice because it is a Layer 7 load balancer that supports HTTP/HTTPS traffic, SSL termination, and cookie-based session affinity. It can distribute incoming HTTP traffic evenly across VMs, offload SSL encryption to reduce backend processing, and provide a fixed public IP address (VIP) for client access. This aligns with all three requirements: load balancing, SSL offload, and a static public IP.

Exam trap

The trap here is confusing Layer 4 (Azure Load Balancer) with Layer 7 (Application Gateway) capabilities, leading candidates to pick Azure Load Balancer because it is the default choice for distributing traffic across VMs, but it cannot offload SSL or handle HTTP-specific features like session affinity.

How to eliminate wrong answers

Option B (Azure Load Balancer) is wrong because it operates at Layer 4 (TCP/UDP) and cannot perform SSL termination or inspect HTTP traffic; it only forwards packets without understanding application-layer protocols. Option C (Azure Traffic Manager) is wrong because it is a DNS-based traffic router that distributes traffic across regions, not within a single region, and it does not provide a fixed public IP for clients (it uses DNS names) nor offloads SSL. Option D (Azure Front Door) is wrong because it is a global Layer 7 service designed for multi-region scenarios with advanced WAF and acceleration features; it does not provide a fixed public IP for clients (it uses a dynamic anycast IP) and is overkill for a single-region deployment.

207
MCQeasy

A company plans to migrate an on-premises application with strict low-latency requirements to Azure. The application must communicate with an Azure SQL Database. Which of the following is the best design to minimize latency?

A.Deploy the application in one region and Azure SQL Database in a different region, using Azure Traffic Manager.
B.Deploy the application on-premises and use a Point-to-Site VPN to connect to Azure SQL Database.
C.Deploy the application and Azure SQL Database in the same Azure region, and connect via Azure Private Link.
D.Deploy the application on-premises and use ExpressRoute to connect to Azure SQL Database.
AnswerC

Same region ensures low latency; Private Link provides private connectivity within Azure backbone.

Why this answer

Option C is correct because deploying in the same region and using Azure Private Link for a private connection keeps traffic within the Microsoft backbone, minimizing latency. Option D is wrong because ExpressRoute adds extra latency. Option A is wrong because different regions increase latency.

Option B is wrong because Point-to-Site VPN is not suitable for production applications and adds latency.

208
MCQmedium

Refer to the exhibit. You are reviewing a backup policy for an Azure VM. The policy is defined using the Azure Backup REST API. What is the maximum number of recovery points that can be retained according to this policy?

A.24
B.17
C.29
D.12
AnswerA

12 weekly (every Mon, Wed, Fri for 12 weeks) + 12 monthly (first Sunday each month for 12 months) = 24 recovery points.

Why this answer

The weekly retention keeps 12 weekly points (count=12, durationType=Weeks). The monthly retention keeps 12 monthly points (count=12, durationType=Months). Instant RP retention adds up to 5 days, but those are additional recovery points not counted in the long-term retention.

So total long-term recovery points = 12 (weekly) + 12 (monthly) = 24. Option A is correct.

209
MCQeasy

Your company has multiple Azure subscriptions and needs a single pane of glass to monitor the health and performance of all resources across subscriptions. Which Azure service should you use?

A.Microsoft Sentinel
B.Azure Service Health
C.Azure Monitor
D.Azure Advisor
AnswerC

Azure Monitor provides metrics, logs, and alerts for all Azure resources across subscriptions.

Why this answer

Azure Monitor is the correct choice because it provides a unified, single-pane-of-glass experience for collecting, analyzing, and acting on telemetry from all Azure resources across multiple subscriptions. It aggregates metrics, logs, and alerts from various sources, enabling cross-subscription monitoring of health and performance without requiring separate tools.

Exam trap

The trap here is confusing Azure Monitor's broad monitoring capabilities with specialized services like Sentinel (security) or Service Health (Azure infrastructure status), leading candidates to pick a tool that addresses only a subset of the requirement.

How to eliminate wrong answers

Option A is wrong because Microsoft Sentinel is a cloud-native SIEM (Security Information and Event Management) tool focused on security detection, investigation, and response, not general resource health and performance monitoring. Option B is wrong because Azure Service Health provides personalized alerts and guidance for Azure service issues and planned maintenance, but it does not monitor the health and performance of your own deployed resources. Option D is wrong because Azure Advisor is a personalized cloud consultant that offers best-practice recommendations for cost, security, reliability, and performance, but it does not provide real-time monitoring or a dashboard for resource health and performance.

210
MCQmedium

A company is designing a disaster recovery solution for a critical application that runs on Azure VMs in a single region. The RTO is 4 hours, and the RPO is 1 hour. The application uses Azure SQL Database. The company wants to minimize the cost of the disaster recovery solution while meeting the RTO and RPO. You need to recommend a solution. What should you recommend?

A.Use Azure SQL Database active geo-replication for the database and Azure Backup for VMs.
B.Use Azure Backup to back up VMs and Azure SQL Database to a secondary region.
C.Use Azure Traffic Manager to distribute traffic to VMs in multiple regions and Azure SQL Database failover groups.
D.Use Azure Site Recovery to replicate VMs to a secondary region and Azure SQL Database geo-replication for the database.
AnswerD

Site Recovery meets RPO of 1 hour; geo-replication provides low RPO for SQL.

Why this answer

Option D is correct because Azure Site Recovery can replicate VMs to a secondary region with a 1-hour RPO, and Azure SQL Database active geo-replication can provide a secondary database with an RPO of seconds. Option A is wrong because Azure Backup has a higher RPO (typically 4 hours). Option B is wrong because read-scale replicas are for read-only workloads, not disaster recovery.

Option C is wrong because Traffic Manager does not handle database failover.

211
Multi-Selecthard

A company wants to ensure that their Azure Storage account containing blobs is protected against accidental deletion or corruption. The solution must enable recovery of previous versions up to 30 days. Which TWO features should they enable? (Choose TWO.)

Select 2 answers
A.Blob versioning
B.Blob soft delete
C.Change feed
D.Azure Backup for Azure Blobs
E.Point-in-time restore for Azure Files
AnswersA, B

Versioning preserves previous versions of blobs.

Why this answer

Options A and B are correct. Blob soft delete allows recovery of deleted blobs, and versioning keeps previous versions of blobs. Together, they provide protection against deletion and corruption with 30-day retention.

Option C is wrong because change feed tracks changes but does not enable recovery. Option D is wrong because Azure Backup for blobs is an alternative but not the combination requested. Option E is wrong because point-in-time restore is for Azure Files.

212
MCQhard

Refer to the exhibit. An administrator configured Azure Site Recovery replication for a VM using the policy shown. The VM workload is a critical database that requires application-consistent snapshots every 30 minutes to meet compliance. What is the issue with the current configuration?

A.The application-consistent snapshot frequency is 60 minutes, which is too high (should be 30 minutes).
B.The recovery point retention is set too low (1440 minutes).
C.The target region eastus2 is not a valid paired region for the source.
D.The storage account type is Standard_LRS; it should be Premium_LRS.
AnswerA

The requirement is 30 minutes, but the policy is set to 60 minutes.

Why this answer

Option A is correct because the application-consistent snapshot frequency is set to 60 minutes, which does not meet the requirement of 30 minutes. Option B is wrong because the recovery point retention is 1440 minutes (24 hours), which is sufficient. Option C is wrong because the target region eastus2 is valid.

Option D is wrong because Standard_LRS is acceptable for replication.

213
Drag & Dropmedium

Drag and drop the steps to configure Azure Load Balancer for high availability of web servers into the correct order.

Why this order

Create the backend pool, then the health probe, then the load-balancing rule, associate the public IP, and test.

214
MCQhard

Refer to the exhibit. You are assigned an Azure policy that restricts resource group locations to eastus, westus, and centralus. A user attempts to create a resource group in 'eastus2' and receives a denial. The user argues that there are existing resources in 'eastus2' and that the policy should allow it. What is the best course of action to allow the resource group creation while maintaining compliance?

A.Instruct the user to create the resource group in an allowed location and then deploy resources to 'eastus2'
B.Add 'eastus2' to the list of allowed locations in the policy parameters
C.Create an Azure Policy exemption for the user's subscription
D.Disable the policy assignment for that subscription
AnswerA

The policy only restricts resource group locations; resources can be deployed to any region supported by the subscription.

Why this answer

Option A is correct because the policy applies only to resource groups, not individual resources. The user can create the resource group in an allowed location (e.g., eastus) and then deploy resources to eastus2, as the policy does not restrict resource locations. Option B is wrong because modifying the policy to include eastus2 would weaken compliance.

Option C is wrong because creating an exemption is not necessary if the policy does not restrict resource locations. Option D is wrong because disabling the policy would remove compliance.

215
MCQmedium

A company has 10 branch offices, each with Windows file servers. They want to centralize file storage in Azure and allow each branch office to cache files locally for fast access. The solution must support cloud tiering so that only frequently accessed files are kept locally. Which Azure service should they implement?

A.Azure File Sync
B.Azure Files
C.Azure Blob Storage with Azure File Sync
D.Azure NetApp Files
AnswerA

Correct. Azure File Sync synchronizes on-premises file servers with Azure Files and offers cloud tiering for local caching.

Why this answer

Azure File Sync is the correct choice because it enables centralizing file shares in Azure Files while providing local caching on Windows file servers at each branch office. It supports cloud tiering, which automatically keeps only frequently accessed files locally and moves cold data to the cloud, meeting the requirement for fast local access and efficient storage.

Exam trap

The trap here is that candidates often confuse Azure Files (a standalone cloud file share) with Azure File Sync (the hybrid caching and sync service), or incorrectly assume Azure Blob Storage can be used with File Sync, when in fact File Sync only integrates with Azure Files.

How to eliminate wrong answers

Option B (Azure Files) is wrong because it provides cloud-based file shares without native local caching or cloud tiering; it requires Azure File Sync to achieve those capabilities. Option C (Azure Blob Storage with Azure File Sync) is wrong because Azure File Sync works exclusively with Azure Files, not Azure Blob Storage; Blob Storage is designed for unstructured data and does not support the SMB protocol or file-level caching needed for branch office file servers. Option D (Azure NetApp Files) is wrong because it is a high-performance, enterprise-grade NFS/SMB file service for specialized workloads like HPC, not designed for distributed branch office caching with cloud tiering, and it lacks the integrated sync and tiering features of Azure File Sync.

216
MCQeasy

A multinational company uses Microsoft Entra ID. The company has regional IT teams that need to manage users and groups within their respective regions. Each region has a distinct set of users in specific organizational units. The company wants to assign the User Administrator role to regional IT staff, but limit their scope to only the users in their region. Which Microsoft Entra ID feature should they use?

A.Administrative Units
B.Dynamic Groups
C.Microsoft Entra ID B2B
D.Microsoft Entra ID Identity Protection
AnswerA

Correct. Administrative Units enable scoping of role assignments to a specific set of users or groups, allowing regional IT teams to manage only their local users.

Why this answer

Administrative Units in Microsoft Entra ID allow you to delegate administrative roles, such as User Administrator, to a specific subset of users and groups defined by organizational boundaries (e.g., region). By creating an Administrative Unit for each region and adding the regional users and groups to it, you can assign the User Administrator role scoped to that unit, ensuring regional IT staff can only manage their own region's identities.

Exam trap

The trap here is that candidates often confuse Administrative Units with Dynamic Groups, thinking that group-based membership scoping is equivalent to role-based administrative scoping, but Dynamic Groups only control group membership, not administrative permissions.

How to eliminate wrong answers

Option B is wrong because Dynamic Groups automatically manage group membership based on user attributes (e.g., department), but they do not provide role-based access control scoping; they cannot restrict administrative permissions to a subset of users. Option C is wrong because Microsoft Entra ID B2B is designed for external collaboration with guest users from partner organizations, not for delegating administrative control over internal users within the same tenant. Option D is wrong because Microsoft Entra ID Identity Protection is a security feature that detects and responds to identity risks (e.g., compromised credentials), and it does not offer any capability to scope administrative roles to specific users or regions.

217
MCQeasy

A company needs to store large amounts of unstructured data such as images and videos for a content management system. The data must be accessible via HTTPS and support tiered storage for cost optimization. Which Azure service should they use?

A.Azure Cosmos DB
B.Azure Blob Storage
C.Azure Data Lake Storage
D.Azure Files
AnswerB

Unstructured data, HTTPS, tiered storage.

Why this answer

Azure Blob Storage is the correct choice because it is designed for storing large amounts of unstructured data (such as images and videos) and provides HTTPS access. It also offers tiered storage (hot, cool, cold, and archive tiers) to optimize costs based on data access patterns, making it ideal for a content management system.

Exam trap

The trap here is that candidates often confuse Azure Data Lake Storage (which is built on Blob Storage) as a separate service for unstructured data, but it is specifically optimized for analytics workloads, not general-purpose content management with tiered storage.

How to eliminate wrong answers

Option A is wrong because Azure Cosmos DB is a NoSQL document database designed for structured or semi-structured data with low-latency queries, not for storing large unstructured blobs like images and videos. Option C is wrong because Azure Data Lake Storage is built on Blob Storage but is optimized for big data analytics workloads (e.g., Hadoop/Spark) and hierarchical namespaces, not for general-purpose content management with tiered storage. Option D is wrong because Azure Files provides SMB and NFS file shares for shared file access, not HTTPS-based blob storage, and its tiering is limited to transaction-optimized, hot, and cool tiers, lacking the full archive tier for deep cost optimization.

218
MCQeasy

You need to ensure that only authorized users can access the Azure portal. What should you use?

A.Conditional Access policies
B.Azure RBAC
C.Privileged Identity Management (PIM)
D.Azure AD Identity Protection
AnswerA

Conditional Access can enforce MFA and device compliance to access the portal.

Why this answer

Conditional Access policies are the correct choice because they enforce access control decisions at the Azure AD authentication layer, allowing you to require specific conditions (e.g., MFA, compliant device, trusted IP) before a user can sign in to the Azure portal. This directly ensures that only authorized users—those meeting the defined conditions—can access the portal, regardless of their role assignments. Azure RBAC controls what actions a user can perform after authentication, not whether they can sign in at all.

Exam trap

The trap here is confusing authorization (what you can do after signing in, handled by RBAC) with authentication and access control (who can sign in, handled by Conditional Access), leading candidates to incorrectly choose Azure RBAC or PIM.

How to eliminate wrong answers

Option B is wrong because Azure RBAC (Role-Based Access Control) manages permissions for Azure resources after authentication, such as who can create VMs or read storage accounts, but it does not control the initial sign-in process to the Azure portal. Option C is wrong because Privileged Identity Management (PIM) provides just-in-time activation and approval workflows for privileged roles, but it does not block unauthorized users from accessing the portal; it only manages role assignments and activation. Option D is wrong because Azure AD Identity Protection detects and responds to identity risks (e.g., leaked credentials, sign-ins from anonymous IPs) but does not directly enforce access control policies to block unauthorized users from the portal; it feeds risk signals into Conditional Access for enforcement.

219
MCQmedium

You are an Azure administrator. You attempt to create a new virtual machine with size Standard_DS2_v2 in a subscription where the above Azure Policy is assigned. What will happen?

A.The VM will be created but a compliance alert will be generated.
B.The VM will be created but the size will be changed to Standard_D2s_v3.
C.The VM creation will be denied.
D.The VM will be created successfully.
AnswerC

The policy explicitly denies VM sizes not in the allowed list.

Why this answer

Option C is correct. The policy denies VM creation if the size is NOT in the allowed list. Standard_DS2_v2 is not in the list, so the VM creation will be denied.

Option A is wrong because the effect is deny, not audit. Option B is wrong because the policy applies to all VMs. Option D is wrong because the VM size is not allowed.

220
MCQmedium

A company runs a critical application on Azure Virtual Machines in a single availability set. They want to protect against an entire Azure region failure. They need a recovery time objective (RTO) of 30 minutes and a recovery point objective (RPO) of 15 minutes. Which solution should they use?

A.Azure Backup for VMs with geo-redundant backup storage.
B.Azure Site Recovery to another region.
C.Deploy VMs in an availability zone within the same region.
D.Use Azure managed disks with geo-replication (LRS to GRS).
AnswerB

Azure Site Recovery replicates VMs continuously to a secondary region. It can achieve RPO as low as 15 seconds (with app-consistent snapshots) and RTO of minutes (30 minutes is typical). It supports planned and unplanned failover.

Why this answer

Azure Site Recovery (ASR) provides orchestrated replication, failover, and failback of Azure VMs to a secondary region, enabling a recovery time objective (RTO) of 30 minutes and a recovery point objective (RPO) of 15 minutes as required. ASR replicates VM disks continuously to the target region, and in a regional failure, you can initiate a planned or unplanned failover to bring up the application within the specified RTO/RPO. This is the only option that offers both cross-region disaster recovery and the granular recovery objectives stated.

Exam trap

The trap here is that candidates often confuse Azure Backup (which provides long-term retention with geo-redundancy) with Azure Site Recovery (which provides near-synchronous replication and automated failover), leading them to select Option A despite its inability to meet the strict RTO/RPO requirements.

How to eliminate wrong answers

Option A is wrong because Azure Backup with geo-redundant storage (GRS) is designed for long-term backup and restore, not for rapid failover; its typical RTO is hours or days, not 30 minutes, and it does not support orchestrated cross-region failover. Option C is wrong because deploying VMs in an availability zone within the same region protects against datacenter failures, not an entire Azure region failure, and thus does not meet the requirement for cross-region disaster recovery. Option D is wrong because Azure managed disks with geo-replication (LRS to GRS) is not a supported feature—managed disks use locally redundant storage (LRS) by default and cannot be directly geo-replicated; the misconception is that GRS applies to disks, but it applies only to storage accounts, and even then it does not provide the orchestrated failover or RTO/RPO guarantees of Azure Site Recovery.

221
MCQmedium

Refer to the exhibit. You have an Azure Storage account with hierarchical namespace enabled. You create this JSON policy to assign to a container. Users report that they can access the container from any IP, not just the specified range. What is the most likely reason?

A.Hierarchical namespace disables IP-based restrictions
B.Anonymous access is enabled on the container
C.IP address conditions are not supported in RBAC for Azure Storage data plane operations
D.The resource scope is incorrect; RBAC cannot be assigned at the container level
AnswerC

RBAC conditions for IP are not evaluated; use storage account firewall instead.

Why this answer

The policy shown is an Azure RBAC role assignment JSON, but the correct way to restrict IP access is via a service endpoint or firewall rule on the storage account, not in RBAC. RBAC conditions for IP are not supported for data plane operations. Option C is correct because the Condition element does not work as intended; IP restrictions are set at the storage account firewall.

Option A is wrong because hierarchical namespace does not affect IP restriction. Option B is wrong because anonymous access is disabled by default. Option D is wrong because RBAC can be applied to containers.

222
MCQeasy

A company needs to store massive amounts of unstructured data, such as images and videos, for a media processing application. The data must be accessible via REST APIs and support tiered storage for cost optimization. Which Azure storage solution should they use?

A.Azure Blob Storage
B.Azure Files
C.Azure Data Lake Storage Gen2
D.Azure Disk Storage
AnswerA

Azure Blob Storage is designed for storing large amounts of unstructured data, supports REST API access, and offers tiered storage (hot, cool, archive) to optimize costs.

Why this answer

Azure Blob Storage is the correct choice because it is designed for massive amounts of unstructured data (images, videos) and provides REST API access via HTTP/HTTPS. It also supports tiered storage (Hot, Cool, Cold, Archive) to optimize costs based on data access patterns, making it ideal for media processing workloads.

Exam trap

The trap here is that candidates may choose Azure Data Lake Storage Gen2 because it also stores unstructured data, but they overlook that the question emphasizes REST API access and tiered storage for cost optimization, which are native to Blob Storage, while Data Lake Storage Gen2 is optimized for hierarchical namespace and analytics workloads, not general media storage.

How to eliminate wrong answers

Option B is wrong because Azure Files provides SMB and NFS file shares for structured file access, not REST APIs, and its tiering is limited to transaction-optimized, hot, and cool tiers, lacking the deep archive tier needed for cost optimization of massive unstructured data. Option C is wrong because Azure Data Lake Storage Gen2 is built on Blob Storage but adds a hierarchical namespace for big data analytics (e.g., with Hadoop/Spark), not specifically for REST API-based media processing, and its tiering is the same as Blob Storage but the primary use case is analytics, not general unstructured data storage. Option D is wrong because Azure Disk Storage provides block-level storage for VMs (iSCSI-based), not REST API access, and does not support tiered storage for cost optimization.

223
MCQhard

You are a cloud architect at a healthcare company. They have an existing application running on Azure VMs in a single region. The application uses SQL Server on a VM for its database. The company is migrating to Azure SQL Managed Instance for better manageability and compliance. The database is 2 TB and requires point-in-time restore (PITR) capability with a retention period of 35 days. The workload is critical with an RPO of 5 minutes and an RTO of 2 hours. The company wants to minimize costs while meeting these requirements. Which of the following should you recommend?

A.Use Azure SQL Managed Instance with automated backups configured for 35-day retention and a backup storage redundancy of Locally Redundant Storage (LRS)
B.Use Azure SQL Managed Instance with active geo-replication to a secondary region
C.Use Azure SQL Managed Instance with long-term retention (LTR) backups
D.Use Azure SQL Database with the Hyperscale service tier
AnswerA

Meets all requirements cost-effectively.

Why this answer

Azure SQL Managed Instance provides built-in automated backups with configurable retention. Option A is correct because it meets the RPO (backups every 5-10 min) and RTO (restore within hours) with PITR retention up to 35 days. Option B is wrong because geo-replication is for disaster recovery, not PITR.

Option C is wrong because long-term retention is for backups older than 35 days. Option D is wrong because cost savings are not guaranteed for the backup storage.

224
MCQeasy

A company stores backup data for Azure VMs in a Recovery Services vault. They need to ensure that the backup data is protected from accidental deletion and remains available even if the entire Azure region fails. What should you configure?

A.Assign Azure RBAC roles to limit access to the vault.
B.Enable soft delete in the vault and use geo-redundant storage (GRS).
C.Enable immutable storage for the vault.
D.Enable locally redundant storage (LRS) for the vault.
AnswerB

Soft delete prevents accidental deletion; GRS protects against region failure.

Why this answer

Option B (soft delete and geo-redundant storage) provides protection against deletion and region failure. Option A (RBAC) does not protect against deletion by authorized users. Option C (immutable storage) is not available in Recovery Services vaults.

Option D (LRS) does not protect against region failure.

225
Multi-Selecteasy

Your organization is implementing a security strategy for Azure resources. You need to enforce consistent security policies across all subscriptions and ensure compliance with regulatory standards. Which TWO services should you use?

Select 2 answers
A.Azure RBAC
B.Microsoft Defender for Cloud
C.Microsoft Sentinel
D.Azure Blueprints
E.Azure Policy
AnswersB, E

Provides security posture management and compliance monitoring.

Why this answer

Option B is correct because Microsoft Defender for Cloud provides security posture management and compliance monitoring. Option E is correct because Azure Policy enforces rules across resources. Option A is incorrect because Azure RBAC is for access control, not policy enforcement.

Option C is incorrect because Microsoft Sentinel is for SIEM, not policy enforcement. Option D is incorrect because Azure Blueprints are deprecated.
