Microsoft Azure Solutions Architect Expert AZ-305 (AZ-305) — Questions 301-375

999 questions total · 14 pages · All types, answers revealed


Page 5 of 14

301
MCQ · easy

A company wants to back up their Azure VMs (running Windows and Linux) to a Recovery Services vault. The backup data must be encrypted at rest using customer-managed keys. They also need to retain monthly backups for 5 years for compliance. Which configuration should they use?

A.A
B.B
C.C
D.D
Answer: A

Azure Backup supports customer-managed keys for the data a Recovery Services vault stores. Give the vault a managed identity, grant that identity Get, Wrap Key and Unwrap Key on a Key Vault key (the key vault needs soft delete and purge protection enabled), set the key in the vault's encryption settings before protecting any VM, and create a backup policy with daily recovery points plus monthly retention of 60 months.

Why this answer

Option A is correct because Azure Backup supports encryption at rest of vault data with customer-managed keys (CMK): the key lives in Azure Key Vault and the vault's managed identity is used to wrap and unwrap the data encryption keys. This is a different mechanism from Azure Disk Encryption (BitLocker/dm-crypt inside the guest) and from disk encryption sets (server-side encryption of the managed disks themselves); either may be present on the source VM, but neither is what makes the data held by the vault CMK-encrypted. Two practical caveats: the vault's encryption settings must be configured before any item is protected in it, and once CMK is set the vault cannot be returned to platform-managed keys (the key itself can be rotated later). For long-term retention, the backup policy can retain monthly recovery points for 60 months, meeting the compliance requirement, while the customer keeps control of the key and can revoke access to it.

Exam trap

The trap here is that candidates often confuse Azure Backup with Azure Site Recovery or assume that platform-managed encryption (SSE) satisfies customer-managed key requirements, but only CMK via a key vault meets the compliance need for customer-controlled encryption keys.

How to eliminate wrong answers

Option B is wrong because it suggests using Azure Backup with Azure Site Recovery, which is for disaster recovery (continuous replication with recovery points retained for days), not for monthly backups retained over 5 years. Option C is wrong because it proposes Azure Backup with Storage Service Encryption (SSE) using platform-managed keys, which does not meet the customer-managed key requirement. Option D is wrong because it recommends Azure Backup with Azure Disk Encryption (ADE) but no key vault for CMK on the vault: ADE encrypts the disks inside the VM and keeps its encryption secrets in Key Vault, but it does not govern how the Recovery Services vault encrypts the backup data it stores, so on its own it does not satisfy the requirement (backing up ADE-encrypted VMs additionally requires the Backup service to be granted access to that key vault).

302
MCQ · medium

You are designing an identity solution for a large enterprise that uses Microsoft Entra ID. The company has a partner organization that needs access to a specific application. The partner uses their own identity provider (IdP). You need to enable seamless access without duplicating user accounts. What should you configure?

A.Federation with the partner's IdP
B.Microsoft Entra External ID
C.Passwordless authentication
D.Identity synchronization
Answer: B

External ID enables external users to bring their own identities.

Why this answer

Microsoft Entra External ID (which includes the former Azure AD B2B collaboration) is the correct solution because the partner's users are invited as guests who authenticate against their own identity provider (IdP); no password and no duplicate user object is maintained in your tenant. If the partner uses Microsoft Entra ID, the trust works out of the box; if they use another SAML 2.0 or WS-Fed IdP, you register it for their domain under External ID identity providers (SAML/WS-Fed federation). Either way the partner IdP authenticates the user and your tenant issues the token for the application, so single sign-on works and the user lifecycle stays with the partner. Cross-tenant access settings and Conditional Access let you require MFA for those guests if policy demands it.

Exam trap

The trap here is that candidates often confuse federation (Option A) with External ID, not realizing that federation is a broader concept that can be implemented via External ID for external users, while the exam expects you to recognize that External ID is the specific service designed for this partner access scenario without account duplication.

How to eliminate wrong answers

Option A is wrong because federation with the partner's IdP typically implies a direct trust relationship between your Entra ID and the partner's IdP for all users, which is more complex and often used for hybrid identity scenarios, not for granting granular application access to external users without account duplication. Option C is wrong because passwordless authentication (e.g., FIDO2, Windows Hello) is an internal authentication method that does not solve the problem of allowing external users from a different IdP to access your application; it focuses on eliminating passwords for your own users. Option D is wrong because identity synchronization (e.g., using Azure AD Connect) would require creating and syncing user objects from the partner's directory into your tenant, which duplicates accounts and violates the requirement to avoid duplication.

303
MCQ · medium

A company has deployed several Azure VMs that do not have public IP addresses. Administrators need to securely connect to these VMs using RDP and SSH from the internet over a browser without deploying a jump box or managing VPN connections. The solution must use Microsoft Entra ID authentication for single sign-on. Which Azure service should they use?

A.Azure Jump Box VM
B.Azure Bastion
C.Azure VPN Gateway
D.Azure ExpressRoute
Answer: B

Azure Bastion offers secure, browser-based RDP/SSH connections to VMs without public IPs, supports Microsoft Entra ID authentication, and is fully managed.

Why this answer

Azure Bastion provides secure, seamless RDP and SSH connectivity to Azure VMs directly from the Azure portal over TLS, without requiring public IP addresses, jump boxes, or VPN connections. It supports Microsoft Entra ID authentication for single sign-on, meeting the requirement for browser-based access with no additional management overhead.

Exam trap

The trap here is that candidates often confuse Azure Bastion with a jump box VM or assume VPN Gateway is required for secure remote access, overlooking that Bastion provides browser-based RDP/SSH without any public IP or VPN infrastructure.

How to eliminate wrong answers

Option A is wrong because a jump box VM would itself require a public IP address or VPN connectivity, and would need to be managed and patched, violating the 'without deploying a jump box' requirement. Option C is wrong because Azure VPN Gateway establishes site-to-site or point-to-site VPN tunnels, requiring client software and VPN configuration, not browser-based access, and does not inherently support Microsoft Entra ID authentication for RDP/SSH sessions. Option D is wrong because Azure ExpressRoute provides a dedicated private network connection from on-premises to Azure, not internet-based browser access, and does not offer RDP/SSH connectivity over a browser.

304
Multi-Select · medium

Which TWO Microsoft Entra ID features should you use to protect against credential attacks?

Select 2 answers
A.Password Protection
B.Identity Protection
C.Group-based licensing
D.Self-Service Password Reset (SSPR)
E.Application Proxy
Answers: A, B

Password Protection blocks weak passwords and common password patterns.

Why this answer

Password Protection is correct because it specifically targets credential attacks by blocking weak passwords and common variations (e.g., 'Password123!') using a global banned password list and the option to add custom terms. Identity Protection is correct because it uses real-time risk detection (e.g., leaked credentials, anonymous IP addresses) to automatically block or require MFA for suspicious sign-ins, directly mitigating credential-based attacks like password spray or brute force.

Exam trap

The trap here is that candidates often confuse SSPR (a self-service recovery tool) with a proactive attack prevention feature, but SSPR does not block credential attacks—it only helps users after they are locked out or have forgotten their password.

305
MCQ · medium

Your organization has a critical application deployed on Azure VMs in the West US region. The application uses a Standard_D8s_v3 VM with two data disks (512 GB each) and a separate log disk (256 GB). The application writes data continuously to the data disks and logs. The business continuity requirements are: RPO of 15 minutes, RTO of 2 hours, and the ability to recover to a specific point in time within the last 7 days. You need to design a disaster recovery solution that replicates the VMs and disks to the East US region. The solution must also support failback to West US after a disaster. What should you do?

A.Use Azure Site Recovery to replicate the VMs to East US with a recovery plan that includes the VM and disks, and configure failback using reprotection
B.Use Azure Migrate to migrate the VMs to East US and then set up replication back to West US
C.Configure Azure Backup for the VMs with a backup policy that has a 15-minute frequency and replicate backups to the East US region using geo-redundant storage
D.Use Azure Storage geo-redundant storage (GRS) for the managed disks and manually attach the disks to a new VM in East US during a disaster
Answer: A

Azure Site Recovery meets RPO and RTO requirements and supports failback.

Why this answer

Option A is correct because Azure Site Recovery continuously replicates Azure VMs, including all attached data disks, to a secondary region, taking crash-consistent recovery points every 5 minutes, which meets the 15-minute RPO; recovery point retention is configurable up to 15 days, covering the 7-day point-in-time requirement. A recovery plan sequences the failover, and once West US is healthy again the VMs are re-protected in the reverse direction and failed back. Option C is wrong because Azure Backup cannot run every 15 minutes (even the enhanced policy backs up at most every 4 hours) and restore from a backup is a rebuild, not a failover with failback.

Option D is wrong because managed disks support only LRS and ZRS redundancy; there is no GRS option for managed disks, and manually attaching disks to a new VM is not a failover/failback workflow. Option B is wrong because Azure Migrate is for one-time migration, not ongoing disaster recovery.

306
Multi-Select · medium

Your company is designing a hybrid network architecture that connects multiple on-premises sites to Azure. You need to ensure high availability and redundancy for the connection. Which TWO solutions should you recommend? (Choose two.)

Select 2 answers
A.Deploy two ExpressRoute circuits in active-passive mode
B.Implement Azure DNS Private Resolver for resolution
C.Use Azure VPN Gateway in active-active mode
D.Use a single VPN gateway with active-standby mode
E.Use a single ExpressRoute circuit with a VPN gateway as failover
Answers: A, C

Two ExpressRoute circuits provide redundancy; active-passive ensures failover.

Why this answer

Options A and C are correct. Two ExpressRoute circuits (ideally in different peering locations) remove the circuit and the provider edge as a single point of failure; in the active-passive arrangement the second circuit carries traffic when the first fails. A VPN gateway in active-active mode runs both gateway instances with their own public IP addresses and tunnels, so losing one instance or tunnel does not drop the connection.

Option E (a single ExpressRoute circuit with a VPN connection as failover) is a valid, cheaper design but offers less capacity and redundancy than two circuits. Option D (a single gateway in active-standby mode) depends on one active instance, and a failover to the standby briefly interrupts connectivity. Option B (Azure DNS Private Resolver) is for name resolution and does not affect link availability.

307
Multi-Select · hard

Which THREE Azure services or features should you use to design a comprehensive monitoring solution for a hybrid infrastructure spanning on-premises and Azure?

Select 3 answers
A.Azure Monitor
B.Network Watcher
C.Log Analytics agent (or Azure Monitor Agent)
D.Azure Arc-enabled servers
E.Azure Traffic Manager
Answers: A, C, D

Azure Monitor collects and analyzes metrics and logs from Azure and on-premises resources.

Why this answer

Azure Monitor is the central platform for collecting, analyzing, and acting on telemetry from both Azure and on-premises resources. It provides a unified monitoring experience by aggregating metrics and logs, enabling alerting, dashboards, and integration with other services like Log Analytics. For a hybrid infrastructure, Azure Monitor serves as the core data ingestion and analysis hub, making it essential for a comprehensive monitoring solution.

Exam trap

The trap here is that candidates often confuse Network Watcher (a network diagnostics tool) with a general monitoring solution, or they overlook Azure Arc-enabled servers as a prerequisite for managing and monitoring on-premises machines with Azure Monitor.

308
MCQ · hard

You are designing a networking solution for a multi-tier application in Azure. The front-end web tier must be accessible from the internet, while the back-end database tier must only be accessible from the web tier. You need to minimize management overhead and ensure that the back-end tier is not directly reachable from the internet. What should you use?

A.Azure Application Gateway on the web subnet and network security groups on the database subnet
B.Azure Bastion for database access and Azure Front Door for web access
C.Azure Front Door with private link for the web tier and service endpoints for the database tier
D.Azure Firewall in a hub VNet with forced tunneling for all traffic
Answer: A

Application Gateway provides internet-facing access to the web tier; NSGs restrict database traffic to the web subnet only.

Why this answer

Option A is correct. Application Gateway, in its own subnet, is the internet-facing entry point for the web tier, and a network security group (NSG) on the database subnet allows inbound traffic on the database port only from the web subnet. Two points a practitioner should verify: the default AllowVnetInBound rule (priority 65000) permits traffic from every subnet in the VNet, so an explicit deny at a lower priority number is needed to keep subnets other than the web tier away from the database; and the restrictive NSG goes on the database subnet or NICs, not on the Application Gateway subnet, which has its own required rules. Option C is wrong because Azure Front Door is a global entry point and service endpoints apply to PaaS services, not to a database tier running on VMs in a subnet; neither gives subnet-level isolation.

Option D is wrong because Azure Firewall with forced tunneling is a hub-level design that adds far more than this scenario needs; NSGs are the simpler tool for subnet-level filtering. Option B is wrong because Azure Bastion is for RDP/SSH administration, not application traffic.
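The NSG behaviour described above can be checked before anything is deployed. The following is an added example, not code from the exam page: a small model of how NSG inbound rules are evaluated (ascending priority number, first match wins, Azure's default rules at 65000 and above are reached only when nothing else matches), applied to the web/database layout in this question. The address ranges, rule names and the simplified handling of the VirtualNetwork and Internet service tags are assumptions made for the example, and the default AllowAzureLoadBalancerInBound rule (65001) is omitted.

```python
"""Model of Azure NSG inbound rule evaluation for the two-tier layout.
Added example; address ranges and rule names are assumptions."""
import ipaddress

VNET = ipaddress.ip_network("10.0.0.0/16")        # assumed VNet address space
WEB_SUBNET = ipaddress.ip_network("10.0.1.0/24")  # assumed web tier subnet
DB_SUBNET = ipaddress.ip_network("10.0.2.0/24")   # assumed database subnet
MGMT_SUBNET = ipaddress.ip_network("10.0.3.0/24") # assumed: some other subnet in the VNet

# Azure adds these to every NSG. Note that 65000 allows ALL intra-VNet traffic.
DEFAULT_INBOUND_RULES = [
    {"name": "AllowVnetInBound", "priority": 65000, "source": "VirtualNetwork",
     "dest_port": "*", "protocol": "*", "access": "Allow"},
    {"name": "DenyAllInBound", "priority": 65500, "source": "*",
     "dest_port": "*", "protocol": "*", "access": "Deny"},
]

def db_subnet_rules(include_vnet_deny=True):
    """Custom rules for the database subnet's NSG, followed by the defaults."""
    rules = [
        {"name": "allow-sql-from-web", "priority": 100, "source": str(WEB_SUBNET),
         "dest_port": "1433", "protocol": "Tcp", "access": "Allow"},
    ]
    if include_vnet_deny:
        # Without this rule, default rule 65000 lets every other subnet reach the database.
        rules.append({"name": "deny-vnet-inbound", "priority": 4000, "source": "VirtualNetwork",
                      "dest_port": "*", "protocol": "*", "access": "Deny"})
    return rules + DEFAULT_INBOUND_RULES

def _source_matches(ip, source):
    if source == "*":
        return True
    if source == "VirtualNetwork":   # service tag, simplified to the VNet's own address space
        return ip in VNET
    if source == "Internet":         # service tag, simplified to "anything outside the VNet"
        return ip not in VNET
    return ip in ipaddress.ip_network(source)

def _port_matches(rule_port, port):
    if rule_port == "*":
        return True
    if "-" in rule_port:
        lo, hi = (int(p) for p in rule_port.split("-"))
        return lo <= port <= hi
    return int(rule_port) == port

def evaluate_inbound(rules, src_ip, dst_port, protocol="Tcp"):
    """Return (access, rule_name) for the first rule, in priority order, matching the flow.
    With the default rules present some rule always matches."""
    ip = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["protocol"] not in ("*", protocol):
            continue
        if not _port_matches(rule["dest_port"], dst_port):
            continue
        if not _source_matches(ip, rule["source"]):
            continue
        return rule["access"], rule["name"]
    return "Deny", "implicit"

if __name__ == "__main__":
    for label, rules in (("hardened", db_subnet_rules()), ("naive", db_subnet_rules(False))):
        for src in ("10.0.1.10", "10.0.3.5", "203.0.113.7"):
            print(f"{label:8} {src:>12} -> tcp/1433: {evaluate_inbound(rules, src, 1433)}")
```

Running it shows the gotcha: with only the allow rule, a VM in the management subnet (10.0.3.5) reaches port 1433 via AllowVnetInBound; the explicit deny-vnet-inbound rule is what actually confines the database tier to the web subnet.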

309
MCQ · hard

A global IoT platform ingests telemetry data from millions of devices. The application requires multi-region writes to support low-latency ingestion from any location. The schema uses JSON documents and fields often vary. The team needs automatic conflict resolution when the same document is updated concurrently from different regions. Additionally, read operations for device commands must use strong consistency, while user-facing dashboard queries can use eventual consistency. Which Azure Cosmos DB configuration should they choose?

A.Azure Cosmos DB with single-master and multiple read regions
B.Azure Cosmos DB with multi-master and default strong consistency
C.Azure Cosmos DB with multi-master and per-request consistency override
D.Azure Cosmos DB with multi-master and eventual consistency only
Answer: C

Multi-region writes (multi-master) allow writes in any region with automatic conflict resolution (last-writer-wins by default, or a custom resolution policy, set per container). A per-request consistency override lets the application relax the account's default consistency for individual reads, so command reads keep the stronger default while dashboard queries run at eventual consistency.

Why this answer

Option C is correct because the scenario requires multi-region writes for low-latency ingestion, automatic conflict resolution (last-writer-wins on a chosen path, or a stored-procedure resolver, configured per container), and different consistency for different reads. Note the direction of the override: a request can only weaken the account's default consistency, never strengthen it, so the account default must be the stronger level needed for device-command reads and the dashboard queries override down to eventual. A further caveat a practitioner should know: an account configured with multiple write regions cannot use strong consistency as its default (bounded staleness is the strongest available there), so in a real design the command reads would run at bounded staleness, or the account would keep a single write region if true strong consistency is non-negotiable.

Exam trap

The trap here is that candidates often assume multi-master forces one consistency level on every operation, but Azure Cosmos DB lets a request relax the account default, which is the key to serving mixed requirements without paying strong-consistency latency and RU cost on reads that do not need it.

How to eliminate wrong answers

Option A is wrong because single-master with multiple read regions accepts writes in one region only, failing the multi-region write requirement for low-latency ingestion from any location. Option B is wrong because strong consistency is not available as the default for an account with multiple write regions, and even where it is available, forcing it on every read adds latency and RU cost for dashboard queries that do not need it. Option D is wrong because eventual consistency as the default leaves nothing stronger to fall back on for device command reads; overrides can only weaken the default, so the requirement for stronger consistency on those reads cannot be met.

310
MCQ · easy

A company wants to automatically tier data between hot, cool, and archive access tiers based on last access time to optimize costs. Which Azure feature should they implement?

A.Azure Blob Storage lifecycle management
B.Azure Data Box
C.Azure Backup
D.Azure File Sync
Answer: A

Lifecycle management automatically tiers data based on rules.

Why this answer

Azure Blob Storage lifecycle management allows you to define policies that automatically move blobs between hot, cool and archive access tiers based on conditions such as last access time or age since modification. Tiering on last access time requires last-access-time tracking to be enabled on the storage account first (it is off by default), and the policy engine runs roughly once a day, so transitions are not instantaneous. This directly addresses the requirement to optimize costs by tiering data according to access patterns without manual intervention.

Exam trap

The trap here is that candidates may confuse Azure File Sync's 'cloud tiering' feature with blob lifecycle management, but File Sync only tiers between local server and Azure Files (not between hot/cool/archive tiers) and does not use last access time for tiering decisions.

How to eliminate wrong answers

Option B (Azure Data Box) is wrong because it is a physical data transfer service for offline migration of large datasets, not a tool for automated tiering based on access time. Option C (Azure Backup) is wrong because it provides backup and restore capabilities for Azure resources, not data lifecycle management between access tiers. Option D (Azure File Sync) is wrong because it synchronizes on-premises file servers with Azure file shares and can enable cloud tiering, but it does not support moving data between hot, cool, and archive tiers based on last access time; its tiering is limited to local vs. cloud caching.

311
MCQ · medium

A healthcare company is designing a data storage solution for its electronic health records (EHR) system. The system must store patient data in Azure SQL Database with high availability. The solution must meet the following requirements: - Data must be stored in the East US region with automatic failover to a secondary region in West US in case of a regional outage. - The Recovery Point Objective (RPO) must be less than 5 seconds. - The Recovery Time Objective (RTO) must be less than 1 hour. - The solution must minimize costs while meeting the RPO and RTO. Which Azure SQL Database configuration should the company recommend?

A.Deploy Azure SQL Database Managed Instance with failover group to a secondary instance in West US.
B.Deploy Azure SQL Database with active geo-replication to a secondary server in West US. Configure automatic failover using a failover group.
C.Deploy Azure SQL Database Business Critical tier with auto-failover group and a secondary replica in a different availability zone within East US.
D.Deploy Azure SQL Database General Purpose tier with zone-redundant configuration.
Answer: B

Active geo-replication provides low RPO and RTO across regions.

Why this answer

Option B is correct because active geo-replication creates an asynchronously replicated, readable secondary on a server in West US; Microsoft documents an RPO of 5 seconds for geo-replication and failover groups, and failover completes in seconds to minutes, well inside the 1-hour RTO. Adding a failover group on top of the replication provides the automatic failover and the stable listener endpoints the first requirement asks for. Option A would also work (managed instances support failover groups), but Managed Instance is the costlier platform and the scenario specifies Azure SQL Database. Option C is wrong because its secondary replica sits in another availability zone within East US, which does not survive a regional outage.

Option D is wrong because a zone-redundant General Purpose database protects against a zone failure within East US only; it has no secondary in West US.

312
MCQ · medium

A company ingests IoT sensor data into Azure Blob Storage. Data is written frequently and is accessed rarely after the first 24 hours. The company must retain the data for exactly 90 days for compliance. They want to minimize storage costs by automatically moving data to the cheapest possible storage tier as soon as possible. Which Azure Blob Storage lifecycle management policy should they implement?

A.Move to Cool tier after 1 day, delete after 90 days
B.Move to Archive tier after 1 day, delete after 90 days
C.Move to Cool tier after 30 days, delete after 90 days
D.Move to Archive tier after 30 days, delete after 90 days
Answer: A

Cool tier is the cheapest of the offered tiers for data that is rarely read but must stay instantly readable. Moving after 1 day keeps the blob in Hot only while it is actually being used, and deleting at day 90 is well past Cool's 30-day early-deletion window, so the retention requirement is met with no penalty.

Why this answer

Option A is correct because the data is rarely accessed after 24 hours, so moving it to Cool after 1 day cuts storage cost for 89 of the 90 days while keeping the data online with millisecond access if it is read. The 90-day deletion matches the retention requirement. Cool's minimum retention is 30 days, so deleting on day 90 incurs no early-deletion charge, and there is no rehydration delay or retrieval cost, which is what rules out Archive for this retention window.

Exam trap

The trap here is that candidates often choose Archive because it has the lowest per-GB price, overlooking that Archive blobs deleted before 180 days in the tier are billed for the remainder of that period and must be rehydrated (hours) before they can be read. Cool has a 30-day minimum, which a 90-day retention clears easily. The newer Cold tier, not among the options, has a 90-day minimum: a blob moved to Cold on day 1 and deleted on day 90 has spent only 89 days there and would be charged as an early deletion.

How to eliminate wrong answers

Option B is wrong because Archive data is offline: it must be rehydrated before it can be read (up to 15 hours at standard priority), and deleting it before 180 days in the tier is charged as an early deletion. Option C is wrong because waiting 30 days leaves the data in Hot for 29 days longer than necessary. Option D is wrong for the same reason as B: 60 days in Archive is still short of the 180-day minimum, so the early-deletion charge applies, and the data is no more accessible than under B.
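The arithmetic behind the four options in this question, and the last-access-time variant from question 310, can be made concrete. The following is an added example, not code from the exam page: it builds the management-policy JSON for each option in the shape `az storage account management-policy create --policy` accepts and checks each against the early-deletion minimums (Cool 30 days, Cold 90 days, Archive 180 days; Hot has none). Prices are deliberately not modelled; the container prefix and rule names are assumptions.

```python
"""Lifecycle policy builder and early-deletion check for a single-rule policy.
Added example; prefix and rule names are assumptions."""
import json

# Minimum days a blob must stay in a tier before deletion or re-tiering is free of charge.
MIN_RETENTION_DAYS = {"hot": 0, "cool": 30, "cold": 90, "archive": 180}

def lifecycle_policy(name, tier, tier_after_days, delete_after_days,
                     basis="modification", prefix="telemetry/"):
    """Return a management policy with one rule: move to `tier`, then delete.
    basis="modification" uses daysAfterModificationGreaterThan (question 312);
    basis="lastAccess" uses daysAfterLastAccessTimeGreaterThan (question 310), which
    only works once last-access-time tracking is enabled on the storage account."""
    cond = {"modification": "daysAfterModificationGreaterThan",
            "lastAccess": "daysAfterLastAccessTimeGreaterThan"}[basis]
    actions = {
        "tierTo" + tier.capitalize(): {cond: tier_after_days},   # tierToCool / tierToCold / tierToArchive
        "delete": {cond: delete_after_days},
    }
    return {"rules": [{
        "enabled": True, "name": name, "type": "Lifecycle",
        "definition": {
            "actions": {"baseBlob": actions},
            "filters": {"blobTypes": ["blockBlob"], "prefixMatch": [prefix]},  # assumed scope
        },
    }]}

def evaluate(policy):
    """Where a blob that is never touched again spends its life under the policy,
    and whether deletion lands inside the target tier's minimum-retention window."""
    base = policy["rules"][0]["definition"]["actions"]["baseBlob"]
    tier_key = next(k for k in base if k.startswith("tierTo"))
    target = tier_key[len("tierTo"):].lower()
    tier_after = next(iter(base[tier_key].values()))
    delete_after = next(iter(base["delete"].values()))
    days_in_target = delete_after - tier_after
    return {
        "hot_days": tier_after,
        "target": target,
        "target_days": days_in_target,
        "early_deletion_penalty": days_in_target < MIN_RETENTION_DAYS[target],
    }

# The four answer options, plus the Cold tier for comparison.
OPTIONS = {
    "A": lifecycle_policy("cool-after-1-day", "cool", 1, 90),
    "B": lifecycle_policy("archive-after-1-day", "archive", 1, 90),
    "C": lifecycle_policy("cool-after-30-days", "cool", 30, 90),
    "D": lifecycle_policy("archive-after-30-days", "archive", 30, 90),
    "cold": lifecycle_policy("cold-after-1-day", "cold", 1, 90),
}

if __name__ == "__main__":
    for label, policy in OPTIONS.items():
        print(label, evaluate(policy))
    print(json.dumps(OPTIONS["A"], indent=2))   # the policy document to submit for option A
```

Only A and C come out penalty-free, and A spends 29 fewer days in Hot than C; B, D and the Cold variant all delete before their tier's minimum has elapsed.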

313
MCQ · easy

A startup is building a web application that will be used by a small number of users initially but is expected to grow rapidly. The application runs on Linux and uses a PostgreSQL database. The company wants to minimize operational overhead and costs during the early stages. You need to recommend a platform as a service (PaaS) solution for both the application and the database. What should you recommend?

A.Deploy the application on Azure App Service for Linux and use Azure Database for PostgreSQL.
B.Deploy the application on Azure Kubernetes Service (AKS) and use Azure Database for PostgreSQL.
C.Deploy the application as Azure Functions and use Azure Cosmos DB for storage.
D.Deploy the application on Azure Virtual Machines and use PostgreSQL on the same VM.
Answer: A

Both are PaaS, minimizing management overhead.

Why this answer

Option A is correct because Azure App Service for Linux is a PaaS host for web apps and Azure Database for PostgreSQL is a managed database; both scale up as the user base grows without re-platforming. Option D is wrong because Virtual Machines are IaaS: the company would patch the OS and operate PostgreSQL itself. Option B is wrong because Azure Kubernetes Service, although managed, means running a cluster, far more overhead than a small team needs at this stage.

Option C is wrong because Azure Functions targets event-driven, short-lived work rather than a conventional web application, and the option swaps out the database the application already uses instead of hosting it.

314
MCQ · easy

A company has virtual machines in Azure that need to be grouped across multiple fault domains and update domains to ensure high availability. They plan to deploy three VMs running the same application tier. Which Azure feature should they use to provide redundancy within a single region?

A.Availability Zone
B.Availability Set
C.Virtual Machine Scale Set with manual scaling
D.Azure Site Recovery
Answer: B

Availability Sets ensure VMs are placed in different fault and update domains within a single datacenter, meeting the requirement.

Why this answer

An Availability Set distributes VMs across multiple fault domains (shared hardware, power, and networking) and update domains (planned maintenance) within a single Azure datacenter. This ensures that at least one VM remains available during both hardware failures and Azure patching cycles. For three VMs running the same application tier, an Availability Set provides the required redundancy without the complexity of zone-level isolation.

Exam trap

The trap here is that candidates often confuse Availability Zones (which provide datacenter-level isolation) with Availability Sets (which provide rack-level isolation within a single datacenter), leading them to select Availability Zones when the scenario only requires intra-datacenter redundancy.

How to eliminate wrong answers

Option A is wrong because Availability Zones spread VMs across physically separate datacenters in the region, which is more isolation than the scenario asks for (it asks for fault and update domains, which are Availability Set concepts) and adds cross-zone latency. Option C is wrong because a scale set does place its instances across fault and update domains, but the scenario asks for the feature whose purpose is exactly that grouping for a fixed set of three VMs, which is an Availability Set; a scale set with manual scaling adds a construct the question does not need. Option D is wrong because Azure Site Recovery replicates VMs to a secondary region for disaster recovery and does not provide redundancy within a region.

315
MCQ · easy

A company runs an Azure SQL Database with active geo-replication configured to a secondary region. The primary region experiences a complete outage. The company needs to promote the secondary database to become the new primary with minimal data loss. Which action should they take?

A.Forced failover
B.Planned failover
C.Enable geo-replication
D.Failover
Answer: A

Correct. Forced failover promotes the secondary to primary, accepting the loss of any transactions not yet replicated.

Why this answer

Forced failover is the correct action because it promotes the secondary immediately, without first synchronizing with the primary, which is the only option when the primary region is down. Any transactions that had not yet been replicated asynchronously are lost; with active geo-replication that exposure is on the order of seconds (documented RPO of 5 seconds), so forced failover gives the least data loss still achievable when the primary cannot be reached. A planned failover, by contrast, first brings the secondary fully in sync, which requires the primary to be online, and therefore cannot be used here.

Exam trap

The trap here is that candidates confuse 'Failover' (which in Azure SQL Database can mean either planned or forced depending on context) with the specific 'Forced failover' action required during a disaster, leading them to select the ambiguous 'Failover' option instead.

How to eliminate wrong answers

Option B (Planned failover) is wrong because it requires the primary database to be online and fully synchronized before promoting the secondary, which is impossible during a complete outage. Option C (Enable geo-replication) is wrong because geo-replication is already configured per the scenario; re-enabling it would not promote the secondary. Option D (Failover) is wrong because 'Failover' in Azure SQL Database context typically refers to a planned failover (with no data loss) or an unplanned failover (forced), but the generic term is ambiguous; the specific action needed here is 'Forced failover' to handle the outage with minimal data loss.

316
MCQ · medium

A company deploys a web application across multiple Azure VMs in a single region. They need to distribute incoming HTTP traffic, offload SSL termination, and perform URL-based routing to different backend pools (e.g., /images to one pool, /api to another). Which Azure load balancing solution should they use?

A.Azure Application Gateway
B.Azure Load Balancer
C.Azure Traffic Manager
D.Azure Front Door
Answer: A

Correct: Application Gateway provides Layer 7 load balancing with path-based routing and SSL offload.

Why this answer

Azure Application Gateway is a Layer 7 load balancer that can distribute HTTP traffic, offload SSL termination, and perform URL-based routing to different backend pools. This directly matches the requirements for routing /images and /api traffic to separate pools while handling SSL termination at the gateway.

Exam trap

The trap here is that candidates often confuse Azure Load Balancer (Layer 4) with Application Gateway (Layer 7), assuming all load balancers can handle HTTP routing and SSL termination, but only Layer 7 solutions like Application Gateway or Front Door can perform URL-based routing and SSL offloading.

How to eliminate wrong answers

Option B is wrong because Azure Load Balancer operates at Layer 4 (TCP/UDP) and cannot perform SSL termination or URL-based routing, which are Layer 7 features. Option C is wrong because Azure Traffic Manager is a DNS-based global traffic router that directs traffic based on DNS resolution, not HTTP-level routing or SSL termination. Option D is wrong because Azure Front Door is a global Layer 7 service designed for multi-region scenarios with CDN capabilities, but the question specifies a single-region deployment, making Application Gateway the more appropriate and cost-effective choice.

317
MCQ · medium

Your organization uses Azure Monitor to monitor a fleet of 500 VMs running Windows Server. You need to collect security event logs (Event ID 4625 for failed logons) from all VMs and send them to a Log Analytics workspace. The solution must support centralized configuration and be scalable. You also want to filter out high-volume noise events to reduce costs. What should you do?

A.Enable VM Insights on all VMs and use the Performance view to detect failed logons.
B.Stream events to Azure Event Hubs and use a function to filter and send to Log Analytics.
C.Install the Log Analytics agent on each VM and configure Windows Event log collection in the workspace.
D.Deploy the Azure Monitor agent via Azure Policy and create a data collection rule to collect Event ID 4625.
Answer: D

Azure Monitor agent with DCRs provides scalable, centralized configuration and filtering.

Why this answer

Option D is correct because the Azure Monitor agent (AMA) is the current recommended agent for collecting security events from VMs, and deploying it with Azure Policy (together with a policy that associates the data collection rule) gives centralized, scalable configuration across 500 VMs. A data collection rule (DCR) can be configured to collect only Event ID 4625 from the Security log with an XPath query such as Security!*[System[(EventID=4625)]], so the noise is dropped on the VM before it is sent, which reduces cost by minimizing ingestion into the Log Analytics workspace.

Exam trap

The trap here is that candidates may choose the Log Analytics agent (MMA) option because it is familiar from legacy setups, but the exam tests knowledge of the newer Azure Monitor agent (AMA) and its centralized configuration via DCRs, which is the recommended and scalable solution for modern environments.

How to eliminate wrong answers

Option A is wrong because VM Insights is performance and dependency monitoring (CPU, memory, disk, network, process maps) and does not collect the Security event log, so it cannot surface Event ID 4625. Option B is wrong because routing events through Event Hubs and a function adds components, cost and another place to secure when the agent can apply the filter itself. Option C is wrong because the Log Analytics agent (MMA) was retired on 31 August 2024, and even while supported its event collection was configured per workspace without per-event filtering, so it could not drop noise at the source the way an AMA data collection rule with an XPath query can.
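To make the filtering-at-source point concrete, the following is an added example, not code from the exam page: it builds the DCR body that Azure Monitor Agent would use to collect only Security event 4625, then applies the same XPath filter to a constructed batch of events to show how much volume never leaves the VM. The workspace resource ID, region, rule and stream names are assumptions (Microsoft-SecurityEvent is the stream that lands in the SecurityEvent table; Microsoft-Event would land in Event), and the sample events are constructed.

```python
"""DCR builder plus an offline model of its XPath filter. Added example;
workspace ID, names and the sample events are assumptions/constructed."""
import re

WORKSPACE_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-monitor"
                "/providers/Microsoft.OperationalInsights/workspaces/law-sec")  # assumed

def xpath_for_event_ids(channel, event_ids):
    """XPath in the form AMA's windowsEventLogs data source expects,
    e.g. Security!*[System[(EventID=4625)]]"""
    expr = " or ".join(f"EventID={i}" for i in event_ids)
    return f"{channel}!*[System[({expr})]]"

def failed_logon_dcr(event_ids=(4625,), stream="Microsoft-SecurityEvent"):
    """Body of a Microsoft.Insights/dataCollectionRules resource (kind Windows)."""
    return {
        "location": "westus2",  # assumed
        "kind": "Windows",
        "properties": {
            "dataSources": {"windowsEventLogs": [{
                "name": "security-failed-logons",
                "streams": [stream],
                "xPathQueries": [xpath_for_event_ids("Security", event_ids)],
            }]},
            "destinations": {"logAnalytics": [{"name": "law", "workspaceResourceId": WORKSPACE_ID}]},
            "dataFlows": [{"streams": [stream], "destinations": ["law"]}],
        },
    }

_XPATH = re.compile(r"^(?P<channel>[^!]+)!\*\[System\[\((?P<expr>[^)]*)\)\]\]$")

def parse_xpath(xpath):
    """Parse the subset of XPath used above into (channel, {event ids}).
    Anything outside that subset raises rather than being silently accepted."""
    m = _XPATH.match(xpath)
    if not m:
        raise ValueError(f"unsupported XPath: {xpath}")
    ids = {int(i) for i in re.findall(r"EventID=(\d+)", m.group("expr"))}
    if not ids:
        raise ValueError(f"no EventID terms in: {xpath}")
    return m.group("channel"), ids

def apply_filter(xpath, events):
    """Keep only the events the DCR would forward: matching channel and EventID."""
    channel, ids = parse_xpath(xpath)
    return [e for e in events if e["Channel"] == channel and e["EventID"] in ids]

SAMPLE_EVENTS = [  # constructed: a few seconds on a noisy server
    {"Channel": "Security", "EventID": 4624, "Account": "alice", "IpAddress": "10.0.0.5"},
    {"Channel": "Security", "EventID": 4672, "Account": "alice", "IpAddress": "10.0.0.5"},
    {"Channel": "Security", "EventID": 4625, "Account": "alice", "IpAddress": "203.0.113.9"},
    {"Channel": "Security", "EventID": 4688, "Account": "SYSTEM", "IpAddress": "-"},
    {"Channel": "Security", "EventID": 4625, "Account": "administrator", "IpAddress": "203.0.113.9"},
    {"Channel": "System", "EventID": 4625, "Account": "-", "IpAddress": "-"},  # same ID, wrong channel
    {"Channel": "Security", "EventID": 4634, "Account": "alice", "IpAddress": "10.0.0.5"},
]

def failed_logons_by_source(events):
    """The aggregation you would run in KQL once the data is ingested:
    SecurityEvent | where EventID == 4625 | summarize count() by IpAddress"""
    counts = {}
    for e in events:
        counts[e["IpAddress"]] = counts.get(e["IpAddress"], 0) + 1
    return counts

if __name__ == "__main__":
    dcr = failed_logon_dcr()
    xpath = dcr["properties"]["dataSources"]["windowsEventLogs"][0]["xPathQueries"][0]
    kept = apply_filter(xpath, SAMPLE_EVENTS)
    print(f"{len(kept)} of {len(SAMPLE_EVENTS)} events forwarded; by source: {failed_logons_by_source(kept)}")
```

Widening the filter is a change to `event_ids` (for example adding 4771 for Kerberos pre-authentication failures) rather than a change on 500 machines; the parser deliberately rejects XPath it does not understand so a typo in the query fails loudly instead of collecting nothing.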

318
Multi-Select · hard

You are designing a microservices architecture on Azure Kubernetes Service (AKS). The solution must handle traffic spikes by automatically scaling pods based on CPU utilization. Additionally, you need to minimize cost by scaling down nodes when not in use. Which two features should you implement? (Choose two.)

Select 2 answers
A.Azure Load Balancer
B.Horizontal Pod Autoscaler (HPA)
C.Vertical Pod Autoscaler (VPA)
D.Azure Container Instances (ACI)
E.Cluster Autoscaler
Answers: B, E

HPA automatically scales pod replicas based on CPU utilization.

Why this answer

Options B and E are correct. The Horizontal Pod Autoscaler adds or removes pod replicas based on observed CPU (or memory or custom) utilization, and the cluster autoscaler adds nodes when pods cannot be scheduled and removes nodes that have been underused for a period, which is what brings the cost down when traffic drops. Option C (Vertical Pod Autoscaler) adjusts the CPU and memory requests of individual pods; it changes neither replica count nor node count.

Option A (Azure Load Balancer) distributes traffic but does not autoscale. Option D (Azure Container Instances) can host burst pods through virtual nodes, but it is not the feature that scales pods on CPU or scales nodes down.

319
Multi-Select · hard

A multinational corporation is designing a backup and disaster recovery strategy for Azure IaaS VMs. The solution must support cross-region failover, meet a recovery point objective (RPO) of 15 minutes, and a recovery time objective (RTO) of 1 hour. Which THREE options should you include in the design?

Select 3 answers
A. Azure Backup with geo-redundant storage (GRS)
B. Azure Backup with locally redundant storage (LRS)
C. Managed disk snapshots
D. Azure Backup with zone-redundant storage (ZRS)
E. Azure Site Recovery
Answers: A, D, E

Enables cross-region recovery.

Why this answer

Option A is correct because Azure Backup with geo-redundant storage (GRS) enables cross-region recovery. Option E is correct because Azure Site Recovery replicates VMs to a secondary region for failover. Option B is incorrect because Azure Backup with locally redundant storage (LRS) does not support cross-region failover.

Option C is incorrect because managed disk snapshots are not cross-region. Option D is correct because Azure Backup with zone-redundant storage (ZRS) provides redundancy within a region but not cross-region.

320
Multi-Select (medium)

A company is designing a network architecture for a three-tier application hosted on Azure VMs. The web tier must be accessible from the internet, while the application and database tiers must not have direct internet access. They also need to encrypt traffic between tiers. Which TWO solutions should they implement?

Select 2 answers
A. Use Azure Application Gateway with WAF
B. Deploy a network virtual appliance (NVA) as a reverse proxy for the web tier
C. Use Azure Private Link for the database tier
D. Use Azure Front Door
E. Use VNet peering to connect the tiers
Answers: B, C

NVA can restrict access and encrypt traffic.

Why this answer

Options B and C are correct. A network virtual appliance (NVA) can act as a reverse proxy for the web tier and restrict access. Azure Private Link can be used to access PaaS services (like SQL Database) privately.

Option A is incorrect because Application Gateway can provide WAF but does not encrypt traffic between VMs. Option E is incorrect because VNet peering does not encrypt traffic. Option D is incorrect because Azure Front Door is a global load balancer.

321
MCQ (easy)

A company uses Microsoft Entra ID. They want to allow external business partners to access an internal web application using their own organizational identities. The solution must support self-service sign-up and enforce multi-factor authentication for partner users. Which Microsoft Entra ID feature should they configure?

A. Microsoft Entra ID B2B collaboration
B. Microsoft Entra ID B2C
C. Microsoft Entra ID Domain Services
D. Microsoft Entra ID Connect
Answer: A

Microsoft Entra ID B2B collaboration enables sharing applications with external users and allows them to use their own identities. It supports self-service sign-up and conditional access policies like MFA.

Why this answer

Microsoft Entra ID B2B collaboration is the correct feature because it allows external business partners to access internal applications using their own organizational identities (home directory credentials) without requiring them to have a separate account in your tenant. It supports self-service sign-up through entitlement management and can enforce multi-factor authentication (MFA) via Conditional Access policies that evaluate the partner user's session, even if the partner's home tenant does not enforce MFA.

Exam trap

The trap here is that candidates often confuse B2B collaboration (for business partners with existing organizational identities) with B2C (for customers using social or local accounts), leading them to select B2C when the requirement explicitly states 'business partners' and 'their own organizational identities.'

How to eliminate wrong answers

Option B (Microsoft Entra ID B2C) is wrong because B2C is designed for customer-facing applications where users sign up with social or local identities, not for business partner access with existing organizational identities. Option C (Microsoft Entra ID Domain Services) is wrong because it provides managed domain services (e.g., LDAP, Kerberos) for legacy applications, not external identity federation or self-service sign-up. Option D (Microsoft Entra ID Connect) is wrong because it synchronizes on-premises Active Directory objects to Entra ID for internal users, not for inviting external partners or enforcing MFA on guest users.

322
MCQ (medium)

Refer to the exhibit. You are reviewing the configuration of an Azure Blob Storage container used for storing financial audit records. The exhibit shows the container's immutability policy and legal hold settings. You need to ensure that the audit records cannot be deleted or modified for at least 7 years. What should you do?

A. Delete the container, create a new container, and set the immutability policy to 2555 days before locking.
B. Increase the immutability period to 2555 days by updating the policy.
C. Modify the immutability period to 2555 days.
D. Add additional legal hold tags for each year.
Answer: A

Only way to achieve 7-year retention with locked policy.

Why this answer

Option A is correct because the immutability policy is locked at 365 days (1 year) and cannot be increased after locking; you must delete the container, create a new one, and set the immutability period to 2555 days (7 years) before locking. Option C is wrong because you cannot modify a locked policy. Option D is wrong because legal hold does not enforce a time-based retention.

Option B is wrong because you cannot add more time to a locked policy.

323
Multi-Select (easy)

Which THREE are valid Azure RBAC role types? (Choose three.)

Select 3 answers
A. Service roles
B. Directory roles
C. Custom roles
D. Built-in roles
E. Guest roles
Answers: A, C, D

Service roles are used by Azure services.

Why this answer

Options A, C, and D are correct. Built-in roles (D), custom roles (C), and service roles (A) exist. Option E (Guest roles) is not a category.

Option B (Directory roles) is for Entra ID, not Azure RBAC.

324
MCQ (easy)

Your organization needs to provide temporary, limited-privilege access to Azure resources for external auditors. The access must be time-bound and require approval from a manager. Which Azure feature should you use?

A. Managed identities
B. Conditional Access policies
C. Azure RBAC roles
D. Microsoft Entra Privileged Identity Management (PIM)
Answer: D

PIM provides just-in-time access with time-bound and approval workflows.

Why this answer

Option C is incorrect because Azure RBAC roles do not provide time-bound access. Option A is incorrect because managed identities are for Azure resources, not external users. Option D is correct because Microsoft Entra Privileged Identity Management (PIM) provides just-in-time access with time-bound and approval workflows.

Option B is incorrect because Conditional Access policies control access based on conditions, not time-bound approvals.

325
MCQ (easy)

A financial company must store customer transaction records in Azure Blob Storage. Regulatory requirements mandate that the records must not be modified or deleted for 7 years. Even administrators must be unable to alter or remove the blobs during this period. Which Azure Blob Storage feature should they enable?

A. Immutable storage with time-based retention policy
B. Legal hold
C. Soft delete
D. Versioning
Answer: A

Correct. A time-based retention policy enforces WORM for a fixed period, satisfying the 7-year regulatory requirement.

Why this answer

Immutable storage with a time-based retention policy (WORM – Write Once, Read Many) ensures that blobs cannot be modified or deleted for a specified duration, even by administrators. This directly satisfies the 7-year regulatory requirement by locking the data at the storage level, overriding any delete or write operations.

Exam trap

The trap here is that candidates often confuse soft delete or versioning with immutable storage, not realizing that only WORM policies (time-based retention or legal hold) provide true, administrator-proof immutability for a defined period.

How to eliminate wrong answers

Option B (Legal hold) is wrong because legal hold is an indefinite, policy-based lock that must be explicitly cleared; it does not enforce a fixed 7-year retention period and is typically used for litigation, not time-bound regulatory compliance. Option C (Soft delete) is wrong because soft delete only protects against accidental deletion by retaining deleted blobs for a configurable period, but it does not prevent modification or deletion by administrators during the retention window. Option D (Versioning) is wrong because versioning preserves previous blob versions but does not prevent deletion or overwrite of the current version; administrators can still delete or modify blobs, and versioning alone does not enforce a write-once, read-many constraint.

326
MCQ (medium)

Your organization has multiple Azure subscriptions managed through Azure Management Groups. You need to enforce a policy that requires all resources to have a 'CostCenter' tag. If a resource is created without the tag, the deployment should be denied. Additionally, you need to ensure that existing non-compliant resources are automatically remediated. Which combination of actions should you take?

A. Create a policy with DeployIfNotExists effect only, and rely on periodic evaluation.
B. Create a policy with Modify effect to add the tag, and assign it at the management group level.
C. Create a policy with Deny effect for new resources, and create a remediation task using a DeployIfNotExists policy for existing resources.
D. Create a policy with Deny effect only, and run a script to tag existing resources.
Answer: C

Deny blocks new; remediation fixes existing.

Why this answer

Option C is correct because it combines two policy effects to address both requirements: the Deny effect blocks creation of new resources without the 'CostCenter' tag, while a separate DeployIfNotExists policy with a remediation task automatically adds the tag to existing non-compliant resources. This dual approach ensures enforcement for new deployments and automated remediation for existing resources, which is necessary because a single policy effect cannot both deny and remediate simultaneously.

Exam trap

The trap here is that candidates often think a single policy effect (like Modify or DeployIfNotExists) can both deny new non-compliant resources and remediate existing ones, but Azure Policy requires separate effects for denial and remediation, and Modify does not deny—it silently changes the resource, which may not meet strict governance requirements.

How to eliminate wrong answers

Option A is wrong because DeployIfNotExists only remediates existing resources and does not deny creation of new non-compliant resources, leaving a gap in enforcement. Option B is wrong because the Modify effect can add tags during creation or update but does not deny deployments; it modifies the resource to comply, which may not be acceptable if the requirement is to deny creation without the tag. Option D is wrong because a Deny-only policy blocks new non-compliant resources but provides no automated remediation for existing resources, requiring manual scripting which violates the 'automatically remediated' requirement.

327
MCQ (medium)

Refer to the exhibit. An Azure Policy is assigned to a subscription. A user tries to create a blob container via the Azure portal and receives a deny error. What is the most likely reason?

A. The policy denies creation of blob containers
B. The blob container requires immutable storage
C. The user is trying to enable public access on the container
D. The storage account does not have encryption enabled
Answer: A

The policy explicitly denies the write action for containers when the request is a PUT (create).

Why this answer

Option A is correct because the policy denies the 'Microsoft.Storage/storageAccounts/blobServices/containers/write' action when the request action is 'Microsoft.Storage/storageAccounts/blobServices/containers/put', which is the create container operation. Option D is wrong because the policy does not check encryption. Option C is wrong because the policy does not check public access.

Option B is wrong because the policy does not check blob immutability.

328
MCQ (medium)

You are designing a storage solution for a media company that needs to store large video files (up to 50 GB each) and serve them to a global audience with low latency. The solution must be cost-effective and support resumable uploads. Which Azure storage solution should you recommend?

A. Azure Files with Azure File Sync and Azure CDN.
B. Azure Disk Storage with Azure Load Balancer.
C. Azure Blob Storage with Azure CDN and Azure Files for resumable uploads using AzCopy.
D. Azure NetApp Files with Azure Front Door.
Answer: C

Blob Storage is cost-effective for large files; CDN provides low latency; AzCopy supports resumable uploads.

Why this answer

Option C is correct because Azure Blob Storage with CDN and Azure Files with AzCopy provides cost-effective storage for large files, CDN for low-latency global delivery, and resumable uploads via AzCopy. Option A is wrong because Azure Files alone does not provide a global CDN. Option D is wrong because Azure NetApp Files is enterprise-grade and expensive.

Option B is wrong because Azure Disk Storage is for VM disks, not for serving files.

329
MCQ (medium)

A global company stores customer profile data in JSON format. The application requires low-latency writes and reads from multiple regions. The solution must support multi-region writes with automatic conflict resolution and provide high availability. Which Azure Cosmos DB configuration should they choose?

A. SQL API with eventual consistency and multi-region writes enabled
B. MongoDB API with strong consistency and multi-region writes enabled
C. Table API with consistent prefix consistency and single-region writes
D. Gremlin API with session consistency and multi-region writes enabled
Answer: A

SQL API handles JSON, eventual consistency supports multi-region writes, and conflict resolution is automatic.

Why this answer

The scenario demands low-latency multi-region writes with automatic conflict resolution and high availability. Azure Cosmos DB's SQL API supports multi-region writes with eventual consistency, which is the only consistency level that allows multi-region writes. Eventual consistency provides the lowest latency and highest availability, and Cosmos DB's automatic conflict resolution handles concurrent writes across regions using last-writer-wins (LWW) or custom conflict resolution policies.

Exam trap

The trap here is that candidates often assume strong consistency is required for data integrity, but Azure Cosmos DB enforces that multi-region writes only work with eventual consistency, and automatic conflict resolution handles the trade-off between consistency and availability.

How to eliminate wrong answers

Option B is wrong because strong consistency cannot be used with multi-region writes; Cosmos DB restricts multi-region writes to eventual consistency only, as strong consistency would require synchronous replication across regions, defeating low-latency writes. Option C is wrong because single-region writes do not meet the requirement for multi-region writes, and consistent prefix consistency is not the recommended choice for multi-region write scenarios. Option D is wrong because Gremlin API (graph) is not optimized for JSON document storage and multi-region writes with session consistency do not provide automatic conflict resolution; session consistency is scoped to a single client session and does not handle cross-region conflicts.

330
MCQ (hard)

A company needs to store and analyze petabytes of semi-structured data from IoT devices. The data is append-only and written in time order. They need to support fast queries on time ranges and also aggregate data in real-time. Which Azure data service should they use?

A. Azure Data Explorer
B. Azure Cosmos DB
C. Azure SQL Database
D. Azure Table Storage
Answer: A

ADX (Kusto) is built for real-time analysis on large volumes of streaming data. It supports efficient time-series queries, ingestion from IoT sources, and real-time aggregations.

Why this answer

Azure Data Explorer (ADX) is purpose-built for high-performance analysis of large volumes of time-series and semi-structured data. It supports append-only ingestion, optimized time-range queries via its columnar storage and indexing, and real-time aggregation using Kusto Query Language (KQL) with built-in materialized views and update policies.

Exam trap

The trap here is that candidates often confuse Azure Data Explorer with Azure Cosmos DB because both handle semi-structured data, but Cosmos DB is optimized for transactional workloads with point reads and writes, not for petabyte-scale analytical time-series queries.

How to eliminate wrong answers

Option B (Azure Cosmos DB) is wrong because it is a globally distributed, multi-model NoSQL database optimized for low-latency transactional workloads, not for petabyte-scale analytical queries on append-only time-series data; its indexing and query patterns are not designed for high-throughput time-range scans. Option C (Azure SQL Database) is wrong because it is a relational OLTP database that struggles with petabyte-scale semi-structured data and append-only ingestion rates, and its indexing and query engine are not optimized for time-series analytics. Option D (Azure Table Storage) is wrong because it is a key-value store with limited query capabilities (only on partition and row keys), no native support for time-range aggregations, and poor performance for real-time analytics on large datasets.

331
Multi-Select (easy)

Which TWO Azure Policy effects can be used to prevent the creation of non-compliant resources?

Select 2 answers
A. Audit
B. Append
C. Deny
D. Modify
E. Manual
Answers: C, D

Deny effect blocks the request if the resource does not comply with the policy.

Why this answer

The 'Deny' effect (Option C) is correct because it actively blocks any resource creation or update request that violates a policy rule, ensuring non-compliant resources are never deployed. The 'Modify' effect (Option D) is also correct because it can add or change resource properties during creation or update to enforce compliance, effectively preventing non-compliant configurations from being created. Both effects operate at the time of the resource request, stopping non-compliant resources before they exist.

Exam trap

The trap here is that candidates often confuse 'Audit' with a blocking effect, or mistakenly think 'Append' can prevent creation, when in reality only 'Deny' and 'Modify' (with its ability to alter properties during deployment) can stop non-compliant resources from being created.

332
MCQ (medium)

A company runs a production Azure SQL Database. They need a business continuity solution that allows point-in-time restore to any time within the last 7 days and provides geo-failover capability with RTO of 1 hour. What is the MOST COST-EFFECTIVE option?

A. Use Azure SQL Database long-term retention (LTR) for backups
B. Deploy a zone-redundant Azure SQL Database
C. Configure active geo-replication with a readable secondary in another region
D. Deploy auto-failover groups with a secondary in another region
Answer: C

Active geo-replication provides geo-failover and point-in-time restore at lower cost.

Why this answer

Option C is correct because active geo-replication provides geo-failover with an RTO of 1 hour and supports point-in-time restore. It is more cost-effective than auto-failover groups for a single database. Option D is wrong because auto-failover groups are designed for multiple databases and have higher cost due to the additional listener.

Option A is wrong because long-term retention is for backups, not failover. Option B is wrong because zone-redundant databases protect within a region, not cross-region.

333
MCQ (easy)

Refer to the exhibit. You deploy this Bicep template. Which region is the primary write region?

A. West US
B. The resource group's location
C. East US
D. Both regions are primary
Answer: C

East US has failoverPriority 0, making it the primary write region.

Why this answer

Option C is correct because the location with failoverPriority 0 is the primary write region. Option A is wrong because failoverPriority 1 is the secondary. Option D is wrong because the template does not specify a primary region explicitly; the priority determines it, so both regions cannot be primary.

Option B is wrong because the location is set to the resource group's location, but the primary write region is defined by failoverPriority.

334
MCQ (hard)

A large enterprise is designing a hybrid network architecture. The company has an on-premises data center connected to Azure via ExpressRoute. They want to extend their on-premises network to Azure by using a site-to-site VPN as a backup connection. The company has multiple VNets in Azure that need to communicate with each other and with the on-premises network. The solution must be highly available and provide redundancy for the ExpressRoute connection. You need to recommend a network connectivity design. What should you include?

A. Use Azure ExpressRoute as the primary connection, and configure VNet-to-VNet VPN as a backup for ExpressRoute.
B. Use Azure VPN Gateway to connect the on-premises network to Azure, and use VNet peering for VNet-to-VNet connectivity.
C. Use Azure ExpressRoute as the primary connection, and use Azure Firewall to inspect traffic between VNets.
D. Use Azure ExpressRoute as the primary connection, and configure a site-to-site VPN as a backup. Use VNet peering for VNet-to-VNet connectivity.
Answer: D

ExpressRoute primary, VPN backup, VNet peering for VNet connectivity.

Why this answer

Option D is correct because using ExpressRoute as the primary connection and a site-to-site VPN as backup provides redundancy. VNet peering allows VNets to communicate. Option B is wrong because Azure VPN Gateway alone does not provide ExpressRoute backup.

Option C is wrong because Azure Firewall is not a connectivity solution. Option A is wrong because VNet-to-VNet VPN is for VNet communication, not for backing up ExpressRoute.

335
MCQ (medium)

Your company runs a mission-critical application on Azure VMs. You need to design a cross-region disaster recovery solution that meets a recovery time objective (RTO) of 15 minutes and a recovery point objective (RPO) of 5 minutes. The solution must minimize costs. What should you recommend?

A. Use Azure SQL Database active geo-replication with a failover group.
B. Use Azure Storage with read-access geo-redundant storage (RA-GRS) and Azure Traffic Manager.
C. Use Azure Backup with geo-redundant storage.
D. Use Azure Site Recovery with replication frequency set to 30 seconds.
Answer: D

Azure Site Recovery supports replication frequencies as low as 30 seconds, enabling an RPO of 5 minutes and an RTO of 15 minutes.

Why this answer

Azure Site Recovery with replication frequency set to 30 seconds meets the RPO of 5 minutes and can achieve an RTO of 15 minutes with proper planning. Option C is incorrect because Azure Backup has a minimum RPO of 15 minutes for VMs. Option B is incorrect because read-access geo-redundant storage does not provide automated failover for compute.

Option A is incorrect because active geo-replication is for databases, not VMs.

336
MCQ (medium)

Your company runs a critical database on Azure SQL Managed Instance. You need to ensure zero data loss and automatic failover to a secondary region in the event of a regional outage. What should you configure?

A. Auto-failover groups for the Azure SQL Managed Instance
B. A single Azure SQL Managed Instance with zone-redundant configuration
C. Active geo-replication for the database
D. Failover groups with manual failover policy and automatic data synchronization
Answer: D

Failover groups provide automatic failover when configured correctly.

Why this answer

Option D is correct because it describes a failover group configured with manual failover policy and automatic data synchronization, which ensures zero data loss by synchronously replicating data to the secondary region and allows you to control when failover occurs, meeting the requirement for automatic failover in a regional outage scenario. For Azure SQL Managed Instance, failover groups with manual failover policy are the only way to achieve zero data loss (RPO=0) across regions, as automatic failover policy would allow asynchronous replication and potential data loss.

Exam trap

The trap here is that candidates confuse active geo-replication (available for Azure SQL Database) with failover groups for Azure SQL Managed Instance, or assume that auto-failover groups guarantee zero data loss when they actually use asynchronous replication by default.

How to eliminate wrong answers

Option A is wrong because auto-failover groups for Azure SQL Managed Instance use asynchronous replication by default, which cannot guarantee zero data loss (RPO > 0) during a regional outage. Option B is wrong because zone-redundant configuration protects against failures within a single region (availability zone failures), not against a complete regional outage, and it does not provide cross-region disaster recovery. Option C is wrong because active geo-replication is not supported for Azure SQL Managed Instance; it is a feature for Azure SQL Database (single database or elastic pool), not for managed instances.

337
MCQ (medium)

A software company hosts multiple small databases for different clients on Azure SQL Database. Each database has low average usage but experiences unpredictable spikes. The company wants to minimize cost by pooling resources across databases while allowing each database to consume resources up to a set limit during spikes. They also need the ability to easily add new databases without manual sizing. Which Azure SQL Database deployment option should they choose?

A. Azure SQL Database elastic pool
B. Azure SQL Database single database with reserved capacity
C. Azure SQL Managed Instance
D. SQL Server on Azure Virtual Machines
Answer: A

Elastic pools allow databases to share resources from a common pool, reducing cost for databases with low average usage and high, unpredictable spikes. They also simplify adding new databases.

Why this answer

Azure SQL Database elastic pool is the correct choice because it allows multiple databases to share a fixed pool of resources (eDTUs or vCores), which minimizes cost by pooling resources across databases with low average usage and unpredictable spikes. Each database can automatically burst up to a configurable per-database resource limit (e.g., max eDTU per database) during spikes, and new databases can be added to the pool without manual sizing, as they simply consume from the shared pool.

Exam trap

The trap here is that candidates may choose single database with reserved capacity (Option B) thinking it offers cost savings, but they overlook that reserved capacity applies to a single database and does not provide resource pooling or automatic bursting across multiple databases, making it more expensive for the described workload.

How to eliminate wrong answers

Option B is wrong because Azure SQL Database single database with reserved capacity reserves compute resources for a single database, which does not pool resources across multiple databases and would be cost-inefficient for low-average-usage databases with spikes. Option C is wrong because Azure SQL Managed Instance is a fully managed instance of SQL Server with fixed resource limits per instance, not designed for pooling resources across many small databases with unpredictable spikes, and it requires manual sizing for each new database. Option D is wrong because SQL Server on Azure Virtual Machines requires manual management of VM resources, does not provide built-in resource pooling or automatic bursting across databases, and incurs higher operational overhead and cost for many small databases.

338
MCQ (hard)

Your company has multiple Azure subscriptions managed by a management group. You need to enforce that all resources are deployed in the West US region only. Additionally, you must allow a specific resource group in the production subscription to be deployed in East US. What should you configure?

A. Assign a policy at the management group level that denies all locations except West US, and assign a separate policy at the subscription level that allows East US.
B. Assign a policy at each subscription level allowing only West US, and grant the resource group owner role to bypass.
C. Assign a policy at the management group level that denies all locations except West US, and create a policy exemption for the specific resource group.
D. Use Azure Blueprints to assign a policy at the management group and then edit the blueprint for the exception.
Answer: C

Exemption allows the resource group to bypass the policy.

Why this answer

Azure Policy can be assigned at the management group level with a deny effect to restrict locations. To allow exceptions, you can create an exclusion by specifying the resource group as an exemption or by using a policy assignment at a lower scope with a different effect. The best practice is to use policy exemptions for specific RGs.

339
MCQ (medium)

A company runs a data analytics workload that processes large amounts of unstructured data (images and videos). The data is accessed frequently for the first month, then rarely. They need to store the data cost-effectively for 7 years to meet compliance. The solution must support fast retrieval of data within the first month. Which Azure storage solution should they recommend?

A. Azure Blob Storage with hot tier for 30 days, then lifecycle management to cool tier for 6 months, then archive tier
B. Azure Blob Storage with premium tier for 30 days, then lifecycle to archive tier
C. Azure Files with lifecycle management
D. Azure Disk Storage with snapshots
Answer: A

Hot tier offers fast access for the first month; lifecycle management moves data to cool/archive to reduce cost.

Why this answer

Azure Blob Storage with hot tier for the first 30 days meets the fast retrieval requirement for frequently accessed data, while lifecycle management automatically moves data to cool tier for 6 months and then to archive tier for the remaining 7-year compliance period, minimizing cost. The archive tier offers the lowest storage cost for rarely accessed data, and lifecycle policies ensure seamless transitions without manual intervention.

Exam trap

The trap here is that candidates often confuse 'premium' with 'fast retrieval' and overlook that the hot tier already provides low-latency access for frequently used data, while premium is overkill and cost-prohibitive for this workload.

How to eliminate wrong answers

Option B is wrong because the premium tier is designed for low-latency, high-transaction workloads (e.g., IoT, interactive apps) and is unnecessarily expensive for this scenario; it also lacks a cool tier transition, leading to higher costs before archiving. Option C is wrong because Azure Files is a fully managed file share for SMB/NFS protocols, not optimized for large-scale unstructured data like images and videos, and its lifecycle management is limited compared to Blob Storage tiers. Option D is wrong because Azure Disk Storage provides block-level storage for VMs, not cost-effective long-term archival for unstructured data, and snapshots are incremental backups, not a tiered storage solution for compliance.

340
MCQ (easy)

A company uses Azure Backup to protect on-premises Windows servers and Azure VMs. They need to restore a file from a backup of an Azure VM that was deleted three months ago. The backup policy retains daily backups for 30 days and weekly backups for 12 months. What is the CORRECT way to restore the file?

A. Azure Backup does not support file-level restore for Azure VMs; restore the entire disk
B. Restore the entire VM from a weekly recovery point and then copy the file
C. Use the 'Restore to a new VM' option and select the file during the restore process
D. Use the file-level recovery option to mount the recovery point as a drive and copy the file
Answer: D

Azure Backup provides file-level restore for Azure VMs by mounting the backup as a drive.

Why this answer

Option D is correct because Azure Backup allows file-level recovery from Azure VM backups: you can mount the recovery point as a drive and copy the file. Option B is wrong because you cannot recover a file from the backup of a deleted VM by restoring the entire VM; that would be overkill and may not be possible if the VM is deleted.

Option C is wrong because Azure Backup does not directly support selecting a file during a 'Restore to a new VM' operation without first restoring the disk. Option A is wrong because file-level restore is supported for Azure VMs.

341
MCQmedium

A company needs to monitor sign-in logs from multiple Microsoft Entra ID tenants and analyze user sign-in patterns across those tenants. Which Azure solution should they use?

A.Azure Sentinel with Microsoft Entra ID connectors
B.Azure Log Analytics workspace with Microsoft Entra ID diagnostic settings
C.Microsoft Entra ID Reports and Monitoring
D.Azure Monitor Workbooks
AnswerA

Correct. Azure Sentinel can connect to multiple Microsoft Entra ID tenants via connectors and perform advanced analytics across data sources, making it ideal for cross-tenant sign-in analysis.

Why this answer

Azure Sentinel (now Microsoft Sentinel) is the correct choice because it provides a cloud-native SIEM that can ingest sign-in logs from multiple Microsoft Entra ID tenants via its built-in Microsoft Entra ID connectors. This enables cross-tenant analysis of user sign-in patterns, which is not possible with single-tenant monitoring tools. Sentinel's analytics rules and workbooks allow security teams to detect anomalies and investigate sign-in behaviors across all connected tenants.

Exam trap

The trap here is that candidates often confuse Azure Monitor Workbooks or Log Analytics workspaces as sufficient for multi-tenant log aggregation, but they lack the cross-tenant ingestion and correlation capabilities that only a SIEM like Microsoft Sentinel provides.

How to eliminate wrong answers

Option B is wrong because a Log Analytics workspace with Microsoft Entra ID diagnostic settings can only stream logs from a single tenant per workspace; it does not natively aggregate logs from multiple tenants for cross-tenant analysis. Option C is wrong because Microsoft Entra ID Reports and Monitoring provides sign-in logs and reports only within the scope of a single tenant, lacking the capability to combine data from multiple tenants. Option D is wrong because Azure Monitor Workbooks are visualization tools that can display data from a single Log Analytics workspace or data source, but they cannot independently ingest or correlate sign-in logs from multiple Entra ID tenants without a SIEM like Sentinel.

342
MCQhard

Your company has a hybrid identity environment with 10,000 on-premises users synchronized to Microsoft Entra ID using Microsoft Entra Connect. You plan to implement a modern access control strategy for all cloud applications. The requirements are: enforce multifactor authentication (MFA) for all users when accessing sensitive applications, allow users to self-remediate risky sign-ins via a mobile app, and minimize infrastructure complexity. You need to design the identity and governance solution. What should you do?

A.Deploy Azure AD Domain Services and configure Kerberos authentication for cloud apps. Use Azure MFA Server on-premises for MFA enforcement.
B.Configure Microsoft Entra ID Protection to detect risky sign-ins and create a conditional access policy that requires MFA for sensitive apps. Enable the risky user policy to require password change, and use Microsoft Authenticator for self-remediation.
C.Implement Microsoft Defender for Identity to monitor on-premises AD and require MFA via on-premises NPS extension.
D.Use Microsoft Entra Permissions Management to enforce MFA policies and manage user permissions.
AnswerB

This solution leverages Entra ID Protection and Conditional Access without additional infrastructure.

Why this answer

Option B is correct because it uses Microsoft Entra ID Protection to detect risky sign-ins and a Conditional Access policy to require MFA for sensitive applications, meeting the MFA enforcement requirement. The risky user policy requiring a password change combined with Microsoft Authenticator for self-remediation allows users to resolve their own risk without admin intervention, satisfying the self-remediation requirement. This approach minimizes infrastructure complexity by relying entirely on cloud-native services rather than on-premises components.

Exam trap

The trap here is that candidates may confuse Microsoft Defender for Identity or Azure AD Domain Services with identity protection and access control solutions, overlooking that Entra ID Protection and Conditional Access are the correct cloud-native services for risk-based MFA enforcement and self-remediation.

How to eliminate wrong answers

Option A is wrong because deploying Azure AD Domain Services and configuring Kerberos authentication for cloud apps does not enforce MFA or provide self-remediation; Azure MFA Server is deprecated and adds on-premises complexity, contradicting the requirement to minimize infrastructure complexity. Option C is wrong because Microsoft Defender for Identity monitors on-premises AD for security threats but does not enforce MFA or provide self-remediation; the on-premises NPS extension for MFA requires additional infrastructure and does not support user self-remediation via a mobile app. Option D is wrong because Microsoft Entra Permissions Management (formerly CloudKnox) focuses on cloud infrastructure entitlement management and permissions, not on enforcing MFA policies or providing self-remediation for risky sign-ins.

343
MCQeasy

A company uses Microsoft Entra ID. They want to automatically detect identity risks, such as users with leaked credentials or sign-ins from anonymous IP addresses, and generate alerts. They also want to automatically trigger a password reset for high-risk users. Which Microsoft Entra ID feature should they configure?

A.Microsoft Entra ID Identity Protection
B.Microsoft Entra ID Privileged Identity Management
C.Microsoft Entra ID Conditional Access
D.Microsoft Entra ID Access Reviews
AnswerA

Microsoft Entra ID Identity Protection detects risk events like leaked credentials and anonymous IP addresses. It can be configured to automatically require password reset for high-risk users.

Why this answer

Microsoft Entra ID Identity Protection is the correct feature because it is specifically designed to automatically detect identity risks such as leaked credentials and sign-ins from anonymous IP addresses. It generates alerts based on risk detections and can be configured to automatically trigger remediation actions like forcing a password reset for high-risk users through risk-based policies.

Exam trap

The trap here is that candidates often confuse Conditional Access with Identity Protection, but Conditional Access is a policy engine that enforces controls based on risk signals, whereas Identity Protection is the service that generates those risk signals and can directly trigger password resets.

How to eliminate wrong answers

Option B (Privileged Identity Management) is wrong because it focuses on just-in-time privileged access management and role activation, not on detecting identity risks like leaked credentials or anonymous IP sign-ins. Option C (Conditional Access) is wrong because it enforces access control policies based on signals (e.g., location, device compliance) but does not natively detect or alert on identity risks or automatically trigger password resets; it can integrate with Identity Protection but is not the primary feature for risk detection. Option D (Access Reviews) is wrong because it provides periodic attestation of group memberships and role assignments, not real-time risk detection or automated password reset triggers.

344
MCQhard

A company uses Microsoft Entra ID. They have many guest users with access to internal SharePoint sites and applications. They need to review guest user access every 90 days and automatically remove access if the guest does not respond to the review request. The solution must be fully automated without custom scripting. Which Microsoft Entra ID feature should they use?

A.Microsoft Entra ID Access Reviews
B.Microsoft Entra ID Conditional Access
C.Microsoft Entra ID Identity Protection
D.Microsoft Entra ID Privileged Identity Management
AnswerA

Access Reviews can be configured to periodically review guest access and automatically remove users who do not respond or are not approved.

Why this answer

Microsoft Entra ID Access Reviews is the correct feature because it allows administrators to create recurring reviews of guest user access to groups, applications, and SharePoint sites. It can be configured to automatically remove access if the guest does not respond within a specified period (e.g., 90 days), and it supports full automation without custom scripting by leveraging built-in review schedules and auto-apply actions.

Exam trap

The trap here is that candidates often confuse Privileged Identity Management (PIM) with Access Reviews, but PIM is designed for privileged roles and requires activation, whereas Access Reviews handle recurring attestation of any user's access, including guest users, with automatic removal on non-response.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra ID Conditional Access enforces access policies based on signals like location or device state, but it does not provide recurring access reviews or automatic removal of access for non-responsive guests. Option C is wrong because Microsoft Entra ID Identity Protection detects and remediates identity-based risks (e.g., leaked credentials, sign-ins from anonymous IPs) but does not schedule periodic guest access reviews or remove access based on lack of response. Option D is wrong because Microsoft Entra ID Privileged Identity Management (PIM) manages just-in-time privileged role activation and approval workflows, not recurring reviews of standard guest user access to SharePoint sites and applications.

345
MCQmedium

A company is developing a containerized microservices application. They want to minimize operational overhead for managing orchestration. The application has a low-to-medium traffic pattern that can spike unpredictably. They need fast scaling and pay-per-second billing. Which Azure compute service should they use?

A.A
B.B
C.C
D.D
AnswerB

Azure Container Instances (ACI) runs containers directly without orchestration, scales automatically in seconds, and bills per second, minimizing overhead.

Why this answer

Azure Container Instances (ACI) is the correct choice because it provides serverless container orchestration with per-second billing and rapid scaling, ideal for low-to-medium traffic with unpredictable spikes. Unlike Azure Kubernetes Service (AKS), ACI eliminates the need to manage a control plane or node pools, minimizing operational overhead while supporting fast scaling for containerized microservices.

Exam trap

The trap here is that candidates often choose Azure Kubernetes Service (AKS) thinking it is the only option for containerized microservices, overlooking the operational overhead of managing a Kubernetes cluster, which contradicts the requirement to minimize orchestration management.

How to eliminate wrong answers

Option A (Azure Kubernetes Service) is wrong because it requires managing a Kubernetes control plane and node pools, adding operational overhead that contradicts the goal of minimizing orchestration management. Option C (Azure App Service) is wrong because it is designed for web apps and APIs, not for containerized microservices with fast scaling and per-second billing; it also lacks native container orchestration features. Option D (Azure Functions) is wrong because it is event-driven and optimized for short-lived, stateless functions, not for containerized microservices that may require persistent state or longer-running processes, and it does not provide per-second billing for containers.

346
MCQmedium

A company is building a global real-time collaboration platform. The application data is stored as JSON documents and needs to be available for low-latency reads and writes from multiple geographic regions. The application must support multi-region writes so that users can update data from any region with automatic conflict resolution. The company wants a fully managed database service with a guaranteed SLA for availability and throughput. Which Azure data service should they choose?

A.Azure Cosmos DB with SQL API and multiple write regions
B.Azure SQL Database with active geo-replication
C.Azure Table Storage
D.Azure Cache for Redis
AnswerA

Cosmos DB supports multi-region writes, automatic conflict resolution, global distribution, low latency, and 99.999% availability. It is ideal for globally distributed real-time applications.

Why this answer

Azure Cosmos DB with SQL API and multiple write regions is the correct choice because it is a fully managed, globally distributed NoSQL database that natively supports multi-region writes with automatic conflict resolution. It provides low-latency reads and writes from any region, a guaranteed SLA for availability (99.999% for multi-region writes) and throughput, and is optimized for JSON document storage, making it ideal for a real-time collaboration platform.

Exam trap

The trap here is that candidates often confuse active geo-replication in Azure SQL Database (which supports only single-region writes) with true multi-region write support, leading them to choose Option B despite its read-only secondary regions.

How to eliminate wrong answers

Option B is wrong because Azure SQL Database with active geo-replication supports only a single writable primary region; secondary regions are read-only, which does not meet the requirement for multi-region writes. Option C is wrong because Azure Table Storage is a key-value store that does not support multi-region writes with automatic conflict resolution and lacks a guaranteed throughput SLA. Option D is wrong because Azure Cache for Redis is an in-memory cache, not a fully managed database service; it does not provide durable storage or native multi-region write capabilities with conflict resolution.

347
MCQhard

A company is designing a solution to store and analyze petabytes of IoT sensor data. The data is written once, rarely accessed, and must be retained for 10 years for compliance. The data must be queryable using SQL. Which combination of Azure services would be MOST cost-effective?

A.Azure Cosmos DB with analytical store
B.Azure SQL Database with Hyperscale tier
C.Azure Data Lake Storage Gen2 with Azure Synapse Serverless SQL
D.Azure Databricks with Delta Lake
AnswerC

Cost-effective storage and SQL querying.

Why this answer

Option C is correct because Azure Data Lake Storage Gen2 (ADLS Gen2) provides low-cost storage for large volumes of data, and Azure Synapse Serverless SQL can query the data directly. Option B is wrong because Azure SQL Database is expensive for petabytes of cold data. Option A is wrong because Azure Cosmos DB is expensive for large cold storage.

Option D is wrong because Azure Databricks is more expensive for simple SQL queries.

348
Multi-Selecthard

Your company is designing a governance strategy for Azure. You need to ensure that all resource groups in a subscription are created with a specific naming convention and mandatory tags. Which THREE services or features should you use together? (Choose three.)

Select 3 answers
A.Azure RBAC
B.Azure Blueprints
C.Management Groups
D.Azure Policy
E.Resource Locks
AnswersB, C, D

Blueprints can include policy assignments and role assignments to enforce governance across subscriptions.

Why this answer

Azure Blueprints is correct because it enables the orchestrated deployment of Azure Policy, RBAC, and resource templates as a single composable artifact. By defining a blueprint that includes a policy for naming conventions and mandatory tags, you can enforce these requirements consistently across all resource groups within a subscription or management group hierarchy.

Exam trap

The trap here is that candidates often confuse Azure RBAC (which controls permissions) with Azure Policy (which enforces rules on resource properties), or they overlook that Blueprints is the orchestration layer that bundles Policy, RBAC, and templates together to enforce governance at scale.

349
MCQmedium

Your organization uses Microsoft Sentinel for security monitoring. You need to ensure that all sign-in logs from Microsoft Entra ID are ingested into a Log Analytics workspace in real time. Which diagnostic setting should you configure?

A.NonInteractiveUserSignInLogs
B.AuditLogs
C.SignInLogs
D.ServicePrincipalSignInLogs
AnswerC

SignInLogs include all interactive sign-in events from Entra ID.

Why this answer

The SignInLogs diagnostic setting captures all user sign-in activities, including interactive and non-interactive sign-ins, which is required for real-time ingestion of all sign-in logs from Microsoft Entra ID into a Log Analytics workspace. This setting ensures that every authentication event is streamed to Sentinel for security monitoring without delay.

Exam trap

The trap here is that candidates often confuse the SignInLogs category with the more specific subcategories like NonInteractiveUserSignInLogs or ServicePrincipalSignInLogs, mistakenly thinking they need to select multiple options or that a single subcategory covers all sign-in events, when in fact SignInLogs is the umbrella category that includes all sign-in types.

How to eliminate wrong answers

Option A is wrong because NonInteractiveUserSignInLogs only captures sign-ins performed by a client on behalf of a user without user interaction, such as refresh token requests, and does not include interactive sign-ins, so it does not cover all sign-in logs. Option B is wrong because AuditLogs contain directory activity logs like user and group management changes, not authentication events, so they are irrelevant for sign-in log ingestion. Option D is wrong because ServicePrincipalSignInLogs only captures sign-ins by service principals (non-human identities), not user sign-ins, and thus fails to meet the requirement for all sign-in logs.

350
MCQeasy

A company uses Microsoft Entra ID. They want to enforce that all users must use multi-factor authentication (MFA) when accessing sensitive applications from outside the corporate network, but allow access without MFA when coming from the corporate office IP range. Which Microsoft Entra ID feature should they use to create this policy?

A.Conditional Access policy
B.Identity Protection
C.Privileged Identity Management (PIM)
D.Microsoft Entra ID roles
AnswerA

Conditional Access policies evaluate signals such as IP location to enforce MFA only when needed.

Why this answer

Conditional Access policies in Microsoft Entra ID allow administrators to define access controls based on conditions such as user location, device state, and application sensitivity. By creating a policy that requires MFA for all users accessing sensitive applications from outside the corporate network, and excluding the trusted corporate office IP range from the MFA requirement, the company can enforce the desired behavior. This is the correct feature because it directly supports location-based access controls and granular policy conditions.

Exam trap

The trap here is that candidates often confuse Identity Protection's risk-based policies with Conditional Access's location-based MFA enforcement, assuming that risk policies can also enforce MFA based on network location, but Identity Protection only triggers MFA based on risk level, not static IP ranges.

How to eliminate wrong answers

Option B (Identity Protection) is wrong because it focuses on detecting and remediating identity-based risks (e.g., leaked credentials, sign-ins from anonymous IPs) and does not provide the ability to enforce MFA based on network location or IP ranges. Option C (Privileged Identity Management, PIM) is wrong because it is designed for just-in-time privileged role activation and access reviews, not for enforcing MFA on end-user access to applications based on location. Option D (Microsoft Entra ID roles) is wrong because roles define administrative permissions within the directory, not access policies for end-user application access; they cannot enforce MFA based on network location.

351
MCQhard

Refer to the exhibit. You deploy this Azure Network Watcher connection monitor to test TCP connectivity on port 443 between two VMs. The test consistently shows 'Unreachable' status. Both VMs are running and have correct NSG rules allowing inbound port 443 from the source VM's IP. What is the most likely cause?

A.The source VM does not have the Network Watcher Agent installed.
B.The destination VM's NSG is blocking the traffic despite the rule.
C.The destination VM's private IP address is incorrect.
D.A firewall on the destination VM is blocking TCP port 443.
AnswerA

The agent is required for connection monitor to initiate tests.

Why this answer

The correct answer is A because Azure Network Watcher connection monitor relies on the Network Watcher Agent extension installed on both source and destination VMs to collect and report connectivity data. Without the agent on the source VM, the test cannot initiate the TCP probes, resulting in a persistent 'Unreachable' status regardless of NSG rules or VM health.

Exam trap

The trap here is that candidates often assume NSG rules are the sole cause of connectivity failures, overlooking the prerequisite that the Network Watcher Agent must be installed on both VMs for connection monitor to function.

How to eliminate wrong answers

Option B is wrong because the question states that correct NSG rules allowing inbound port 443 from the source VM's IP are in place, so the NSG is not blocking traffic. Option C is wrong because an incorrect private IP address would cause a different error (e.g., 'Invalid endpoint' or failure to resolve), not a consistent 'Unreachable' status in a connection monitor test that already references the correct VM. Option D is wrong because while a guest OS firewall could block port 443, the question specifies that the test consistently shows 'Unreachable' and both VMs are running with correct NSG rules; the most likely cause given the dependency on the Network Watcher Agent is its absence, not a firewall misconfiguration.

352
MCQmedium

A company uses Microsoft Entra ID. They want to provide external business partners with access to an internal application. The access must be time-limited to 60 days, approved by a manager within the partner company, and automatically expire. The company also needs to generate reports of who has access. Which Microsoft Entra ID feature should they implement?

A.Microsoft Entra ID B2B collaboration with entitlement management
B.Microsoft Entra ID B2C custom policies
C.Microsoft Entra ID Identity Governance with Privileged Identity Management (PIM)
D.Microsoft Entra ID Conditional Access with session controls
AnswerA

Entitlement management allows creating access packages with approval, time-bound access, and reporting, while B2B collaboration handles external users.

Why this answer

Microsoft Entra ID B2B collaboration with entitlement management allows you to invite external users from partner companies and manage their access through access packages. These packages can enforce time-limited access (e.g., 60 days), require approval from the partner's manager, and automatically expire. Entitlement management also provides built-in reporting to track who has access, meeting all stated requirements.

Exam trap

The trap here is confusing Identity Governance with Privileged Identity Management (PIM) — PIM is for privileged roles, not for managing external partner access with time-limited, approved, and expiring access packages.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra ID B2C custom policies are designed for consumer-facing identity scenarios (e.g., sign-up/sign-in for customers), not for granting time-limited access to external business partners with manager approval and automatic expiration. Option C is wrong because Privileged Identity Management (PIM) focuses on just-in-time privileged role activation for internal users, not on managing external partner access with time limits, approval workflows, and expiration. Option D is wrong because Conditional Access with session controls enforces policies during authentication (e.g., MFA, device compliance) but cannot manage time-limited access, approval workflows, or automatic expiration for external users.

353
MCQhard

A company has multiple Azure VNets deployed in a hub-spoke topology. They want to inspect all outbound internet traffic from spoke VMs using a central firewall and ensure that traffic from all VNets goes through the firewall before reaching the internet. They also need to log all outbound connections. Which architecture should they implement?

A.Deploy network virtual appliances (NVAs) in each spoke VNet and configure user-defined routes (UDRs) to route internet traffic to the NVAs
B.Deploy Azure Firewall in the hub VNet and configure a default route (0.0.0.0/0) in each spoke's route table pointing to Azure Firewall as the next hop
C.Use Azure Application Gateway with Web Application Firewall (WAF) in the hub VNet to inspect all traffic
D.Deploy Azure Firewall in each spoke VNet and use Azure Monitor to aggregate logs
AnswerB

This forces all outbound internet traffic from spoke VMs to pass through Azure Firewall in the hub, enabling inspection, logging, and a single public IP for outbound traffic.

Why this answer

Option B is correct because Azure Firewall is a managed, stateful firewall-as-a-service that can centrally inspect and log outbound internet traffic. By deploying Azure Firewall in the hub VNet and configuring a default route (0.0.0.0/0) in each spoke's route table with the Azure Firewall private IP as the next hop, all outbound traffic from spoke VMs is forced through the firewall before reaching the internet. This satisfies both the inspection and logging requirements, as Azure Firewall provides built-in outbound connection logging via diagnostic settings.

Exam trap

The trap here is that candidates often confuse Azure Firewall with Azure Application Gateway, mistakenly thinking WAF can inspect outbound traffic, or they assume deploying NVAs per spoke is acceptable for central inspection, missing the requirement for a single central firewall in the hub.

How to eliminate wrong answers

Option A is wrong because deploying NVAs in each spoke VNet violates the central inspection requirement and introduces management overhead; it also does not ensure traffic from all VNets goes through a single central firewall. Option C is wrong because Azure Application Gateway with WAF is a Layer 7 load balancer designed for inbound HTTP/S traffic inspection, not for routing or inspecting all outbound internet traffic (including non-HTTP protocols). Option D is wrong because deploying Azure Firewall in each spoke VNet creates a decentralized model that fails the central inspection requirement, and Azure Monitor alone does not enforce routing—it only aggregates logs without controlling traffic flow.

354
MCQhard

Your company runs a mission-critical application on Azure Virtual Machines that requires a Recovery Time Objective (RTO) of 5 minutes and a Recovery Point Objective (RPO) of 1 minute. The application uses a single VM with a managed disk. You need to design a disaster recovery solution that meets these requirements with minimal cost. What should you recommend?

A.Configure Azure Backup for the VM with a 1-minute backup frequency.
B.Store the managed disk in geo-redundant storage and use Azure Resource Manager templates to redeploy.
C.Use Azure Site Recovery to replicate the VM to a secondary region with a recovery plan.
D.Deploy a second VM in a secondary region and use continuous replication with Azure Migrate.
AnswerC

Azure Site Recovery for Azure VMs can achieve an RPO as low as 5 seconds and an RTO of minutes, meeting the requirements cost-effectively.

Why this answer

Option C is correct because Azure Site Recovery can replicate Azure VMs with a disk-level RPO of 5 seconds and RTO of minutes, meeting the requirements. Option A is wrong because Azure Backup has a minimum RPO of 1 hour for VMs. Option B is wrong because read-access geo-redundant storage does not replicate the VM configuration.

Option D is wrong because a secondary VM with replication would be more expensive than Azure Site Recovery's pay-as-you-go model.

355
MCQmedium

Your company has a Microsoft Entra ID tenant with 10,000 users. You need to design a monitoring solution to detect when users are assigned to high-privilege roles (e.g., Global Administrator) and ensure that any such assignment triggers an automated investigation. Additionally, you need to monitor sign-in failures for guest users and automatically block accounts after 5 failed attempts within 10 minutes. You have the following requirements: 1) Use a cloud-native solution that minimizes administrative overhead. 2) Integrate with Microsoft Sentinel for incident response. 3) Use built-in features where possible. What should you do?

A.Use Microsoft Entra audit logs streamed to Log Analytics, create Azure Logic Apps to detect role assignments and sign-in failures, and trigger Sentinel incidents.
B.Use Azure Policy to audit role assignments and create custom KQL functions in Log Analytics to detect sign-in failures, then forward to Sentinel.
C.Use Microsoft Entra Privileged Identity Management (PIM) alerts for role assignments and Microsoft Entra Identity Protection for sign-in risk policies; integrate both with Microsoft Sentinel.
D.Deploy Microsoft Identity Manager (MIM) on-premises to monitor role changes, and use Azure AD Connect Health for sign-in failures.
AnswerC

PIM alerts on role activation, Identity Protection can block accounts after repeated failures, and both integrate with Sentinel.

Why this answer

Option C is correct because Microsoft Entra Privileged Identity Management (PIM) provides built-in alerts for high-privilege role assignments, and Microsoft Entra Identity Protection offers risk-based policies for sign-in failures, including user risk policies that can automatically block accounts after a specified number of failures. Both services natively integrate with Microsoft Sentinel via built-in data connectors, enabling automated incident creation with minimal administrative overhead, meeting all requirements.

Exam trap

The trap here is that candidates often over-engineer a solution with custom Logic Apps or KQL queries, overlooking the fact that PIM and Identity Protection already provide built-in alerting and automated blocking capabilities that natively integrate with Sentinel, satisfying the 'cloud-native' and 'minimize administrative overhead' requirements.

How to eliminate wrong answers

Option A is wrong because while audit logs can be streamed to Log Analytics, using Azure Logic Apps to detect role assignments and sign-in failures introduces unnecessary custom development and administrative overhead, contradicting the requirement to use built-in features and minimize overhead. Option B is wrong because Azure Policy is designed for auditing and enforcing compliance of Azure resources, not for monitoring Entra ID role assignments or sign-in failures; custom KQL functions in Log Analytics would require manual setup and lack the automated blocking capability for guest accounts. Option D is wrong because Microsoft Identity Manager (MIM) is an on-premises identity management solution that adds complexity and does not provide cloud-native monitoring; Azure AD Connect Health focuses on synchronization health, not sign-in failure monitoring or automated blocking.

356
MCQ · medium

Your company is migrating on-premises Oracle databases to Azure. The new solution must support a minimum of 99.99% availability SLA and allow for schema changes with minimal downtime. What should you recommend?

A. Azure SQL Managed Instance Business Critical tier
B. Azure Cosmos DB for PostgreSQL
C. Azure SQL Database Business Critical tier with zone redundancy
D. Azure Virtual Machines running Oracle Database with Availability Zones
Answer: C

Business Critical tier offers high availability and zone redundancy, meeting 99.99% SLA.

Why this answer

Azure SQL Database Business Critical tier with zone redundancy provides a 99.995% SLA, exceeding the 99.99% requirement, and supports online schema changes with minimal downtime via features like online index operations and schema modification with minimal blocking. Zone redundancy replicates data across three Azure Availability Zones within a region, ensuring high availability and automatic failover without data loss.

Exam trap

The trap here is that candidates often assume Azure SQL Managed Instance is equivalent to Azure SQL Database for high availability, but Managed Instance lacks zone redundancy, making it unable to meet the 99.99% SLA in a multi-zone failure scenario.

How to eliminate wrong answers

Option A is wrong because Azure SQL Managed Instance Business Critical tier offers a 99.99% SLA but does not support zone redundancy, limiting its availability to a single zone and potentially causing downtime during a zonal failure. Option B is wrong because Azure Cosmos DB for PostgreSQL is a distributed database optimized for horizontally scalable workloads and does not natively support schema changes with minimal downtime; schema changes often require table locks or downtime. Option D is wrong because Azure Virtual Machines running Oracle Database with Availability Zones can achieve high availability but requires manual configuration for patching, failover, and schema changes, leading to more downtime compared to a managed service like Azure SQL Database.

357
MCQ · medium

A company ingests millions of IoT sensor data points per second. They need a fully managed analytics service optimized for time-series data that can ingest high-velocity data, perform real-time analytics, and store data for historical analysis. The solution must integrate with Azure Stream Analytics for stream processing. Which Azure data service should they choose?

A. Azure Cosmos DB
B. Azure SQL Database
C. Azure Data Explorer (ADX)
D. Azure Blob Storage
Answer: C

ADX is purpose-built for large-scale time-series data, providing rapid data ingestion, real-time analytics, and seamless integration with Azure Stream Analytics.

Why this answer

Azure Data Explorer (ADX) is the correct choice because it is a fully managed, high-performance analytics service optimized for time-series and log data. It can ingest millions of IoT sensor data points per second, perform real-time analytics with sub-second query latency, and store data for historical analysis. ADX natively integrates with Azure Stream Analytics for stream processing, making it ideal for this scenario.

Exam trap

The trap here is that candidates often confuse Azure Data Explorer with Azure Cosmos DB or Azure SQL Database because they all support time-series data, but only ADX is purpose-built for high-velocity ingestion and real-time analytics with native Stream Analytics integration.

How to eliminate wrong answers

Option A is wrong because Azure Cosmos DB is a NoSQL database designed for transactional workloads with multi-model support, not optimized for high-velocity time-series analytics or native integration with Azure Stream Analytics. Option B is wrong because Azure SQL Database is a relational database for OLTP workloads, lacking the columnar storage, ingestion pipeline, and query engine optimized for time-series data at millions of events per second. Option D is wrong because Azure Blob Storage is an object storage service for unstructured data, not an analytics engine; it cannot perform real-time analytics or directly integrate with Azure Stream Analytics for stream processing.

358
MCQ · easy

A company plans to migrate on-premises applications to Azure. They require users to authenticate using their existing on-premises Active Directory credentials without syncing password hashes to the cloud. Which Microsoft Entra ID authentication method should they use?

A. Microsoft Entra ID Pass-through Authentication
B. Microsoft Entra ID Password Hash Sync
C. Microsoft Entra ID Federation Services (AD FS)
D. Microsoft Entra ID Connect with Seamless SSO
Answer: A

Correct. Pass-through Authentication validates passwords on-premises, so no password hashes are stored in Microsoft Entra ID.

Why this answer

Pass-through Authentication (PTA) validates user passwords directly against on-premises Active Directory without storing password hashes in the cloud. A lightweight agent on-premises forwards authentication requests to the local domain controller, meeting the requirement to avoid password hash synchronization.

Exam trap

The trap here is that candidates often confuse Seamless SSO (which is a convenience feature, not an authentication method) with a primary authentication method, or they assume AD FS is required when the real constraint is avoiding password hash sync.

How to eliminate wrong answers

Option B (Password Hash Sync) is wrong because it synchronizes password hashes to Microsoft Entra ID, which violates the requirement to not sync password hashes. Option C (AD FS) is wrong because it requires deploying and managing federation infrastructure (on-premises or in Azure) and does not inherently avoid password hash sync; it also introduces additional complexity and a separate trust relationship. Option D (Seamless SSO) is wrong because it is not a standalone authentication method; it is a feature that works with Password Hash Sync or Pass-through Authentication to provide silent sign-on, and by itself it does not handle password validation without one of those methods.

359
MCQ · easy

Your organization has a policy that all administrative access to Azure resources must be performed using just-in-time (JIT) access. Which Azure service allows you to enable JIT VM access?

A. Azure Policy
B. Microsoft Defender for Cloud
C. Microsoft Sentinel
D. Azure AD Privileged Identity Management
Answer: B

Defender for Cloud includes JIT VM access to reduce exposure to attacks.

Why this answer

Option B is correct because Microsoft Defender for Cloud provides JIT VM access as a security feature. Option A is wrong because Azure Policy is for compliance. Option C is wrong because Microsoft Sentinel is a SIEM. Option D is wrong because Azure AD Privileged Identity Management (PIM) is for user role management, not VM access.

360
Multi-Select · medium

Which TWO of the following are benefits of using Azure Cosmos DB for a globally distributed application?

Select 2 answers
A. Support for foreign key constraints across containers
B. Multiple consistency models to choose from
C. Built-in support for transactional replication
D. Native support for SQL Server stored procedures
E. Automatic indexing of all data
Answers: B, E

Cosmos DB offers five consistency levels.

Why this answer

Azure Cosmos DB offers multiple well-defined consistency models (strong, bounded staleness, session, consistent prefix, and eventual) that allow developers to balance consistency, availability, and latency according to application needs. This is a key benefit for globally distributed applications because it enables tuning data guarantees across regions without sacrificing performance.

Exam trap

The trap here is that candidates confuse Cosmos DB's JavaScript-based stored procedures with SQL Server stored procedures, or assume that a globally distributed NoSQL database would support foreign keys or transactional replication like a traditional relational database.

361
MCQ · medium

Your company has a hybrid network with multiple on-premises sites connected to Azure via ExpressRoute. You need to design a DNS resolution strategy that allows Azure resources to resolve on-premises hostnames and on-premises clients to resolve Azure hostnames. The solution must minimize administrative overhead. What should you use?

A. Azure Bastion
B. Azure DNS public zones with conditional forwarding
C. Azure DNS Private Resolver
D. Azure Firewall DNS proxy
Answer: C

Azure DNS Private Resolver provides bidirectional DNS resolution between on-premises and Azure private DNS zones with minimal overhead.

Why this answer

Option C is correct because Azure DNS Private Resolver can resolve between on-premises and Azure DNS zones without additional DNS servers. Option B is wrong because Azure DNS public zones do not resolve private hostnames. Option D is wrong because Azure Firewall DNS proxy requires manual forwarding rules. Option A is wrong because Azure Bastion is not a DNS resolution service.

362
Multi-Select · medium

Which TWO of the following are benefits of using Azure Cosmos DB for a globally distributed application?

Select 2 answers
A. Multiple well-defined consistency levels
B. Full support for SQL Server features like stored procedures
C. Turnkey global distribution across multiple Azure regions
D. Automatic failover to a secondary region without manual intervention
E. Support for only the SQL API
Answers: A, C

Cosmos DB offers five consistency levels.

Why this answer

Azure Cosmos DB offers multiple well-defined consistency levels (Strong, Bounded Staleness, Session, Consistent Prefix, Eventual) that allow developers to balance data consistency, availability, and latency according to application requirements. This flexibility is a key benefit for globally distributed applications because different operations may tolerate different levels of staleness while still meeting SLAs.

Exam trap

The trap here is that candidates often confuse 'automatic failover' with 'no manual intervention required'. Azure Cosmos DB requires explicit configuration (enabling automatic failover and setting region priorities) for failover to occur automatically, and even then, failover is not instantaneous and may involve a brief period of unavailability.

363
MCQ · medium

A company is building a customer-facing web application. They want to allow users to sign in using their existing social accounts (Microsoft, Google, Facebook) or create a local account. The solution must be fully managed and support custom branding. Which Azure service should they use?

A. Microsoft Entra ID B2C (Business to Consumer)
B. Microsoft Entra ID External Identities
C. Microsoft Entra ID B2B collaboration
D. Microsoft Entra ID Application Proxy
Answer: A

Correct. Microsoft Entra ID B2C is built for consumer identity management with social and local accounts, including customization.

Why this answer

Microsoft Entra ID B2C (Business to Consumer) is the correct choice because it is a fully managed identity service designed specifically for customer-facing applications. It supports social identity providers (Microsoft, Google, Facebook) via OAuth 2.0 and OpenID Connect, allows local account creation, and provides extensive custom branding capabilities through customizable user flows and page layouts.

Exam trap

The trap here is that candidates often confuse Microsoft Entra ID External Identities (which includes B2B collaboration) with B2C, but External Identities is for business partner access to internal apps, not for building a consumer-facing identity system with social logins and local accounts.

How to eliminate wrong answers

Option B (Microsoft Entra ID External Identities) is wrong because it is primarily designed for B2B scenarios, allowing external business partners to sign in with their own corporate identities, not for consumer social logins or local account creation. Option C (Microsoft Entra ID B2B collaboration) is wrong because it focuses on inviting external business users from other organizations to access internal resources, not on building a customer-facing sign-in experience with social providers. Option D (Microsoft Entra ID Application Proxy) is wrong because it is a reverse proxy service for publishing on-premises web applications to external users, not an identity provider for authentication or sign-in.

364
Multi-Select · hard

Your organization uses Azure Monitor Logs to analyze application performance. You need to create a custom log query that calculates the 95th percentile of response times for a web app over the last 24 hours. Which THREE KQL functions should you use? (Choose three.)

Select 3 answers
A. percentile
B. summarize
C. project
D. sort
E. where
Answers: A, B, E

Percentile function calculates the specified percentile (e.g., 95th).

Why this answer

The `percentile` function in KQL calculates percentile values, such as the 95th percentile, which is essential for analyzing response time distributions. The `summarize` function groups and aggregates data, allowing you to apply `percentile` across the dataset. The `where` function filters the log data to include only records from the last 24 hours, ensuring the query operates on the correct time range.

Exam trap

The trap here is that candidates often confuse `project` or `sort` with filtering or aggregation functions, mistakenly thinking they can help narrow the data or compute percentiles, when in fact only `where`, `summarize`, and `percentile` perform the required operations.

365
MCQ · medium

A company runs SQL Server on Azure VMs using SQL Server Standard Edition. They need a disaster recovery solution that replicates the database to a secondary Azure region with a recovery point objective (RPO) of 15 minutes and a recovery time objective (RTO) of 2 hours. They cannot use Always On Availability Groups due to licensing constraints. They also need to perform non-disruptive disaster recovery drills. Which Azure service should they implement?

A. Azure Backup for SQL Server
B. Azure Site Recovery
C. SQL Server Log Shipping to an Azure VM
D. Geo-replication for Azure SQL Database
Answer: B

ASR replicates VMs continuously and provides app-consistent recovery points. It supports test failover for non-disruptive drills and can achieve an RPO of 15 minutes and RTO of 2 hours.

Why this answer

Azure Site Recovery (ASR) replicates entire SQL Server VMs (including their databases) to a secondary Azure region, supporting RPOs as low as 30 seconds and RTOs of 2 hours or less. It allows non-disruptive disaster recovery drills by performing test failovers in an isolated network without affecting the production environment. This solution avoids the licensing constraints of Always On Availability Groups and works with SQL Server Standard Edition.

Exam trap

The trap here is that candidates often confuse Azure Site Recovery (VM-level replication) with Azure Backup (file/volume-level backup) or assume that log shipping can meet the drill requirement, but ASR is the only option that provides automated, non-disruptive test failovers for IaaS SQL Server VMs.

How to eliminate wrong answers

Option A is wrong because Azure Backup for SQL Server is designed for long-term retention and point-in-time restore, not for continuous replication to a secondary region with a 15-minute RPO or for performing non-disruptive DR drills. Option C is wrong because SQL Server Log Shipping to an Azure VM requires manual failover and does not support automated, non-disruptive DR drills; it also has higher RTO and RPO variability compared to ASR. Option D is wrong because Geo-replication for Azure SQL Database applies only to Azure SQL Database (PaaS), not to SQL Server running on Azure VMs (IaaS).

366
MCQ · hard

Refer to the exhibit. You deploy this ARM template to create an Azure Monitor Workbook. The template deploys successfully. What will the workbook display?

A. CPU utilization averaged over 1-hour intervals.
B. CPU utilization averaged over 5-minute intervals.
C. Memory utilization over time.
D. Disk I/O utilization over time.
Answer: B

The query uses the CPU metric, summarizes the average over 5-minute bins, and renders a timechart.

Why this answer

The ARM template configures an Azure Monitor Workbook to query the `InsightsMetrics` table for the `cpu_usage_percentage` metric, which is collected by Azure Monitor Agent (AMA) at a default granularity of 1 minute. The workbook uses the `avg` aggregation and a time grain of `5m` (5 minutes) in the query, so it displays CPU utilization averaged over 5-minute intervals. The `summarize` operator with `bin(TimeGenerated, 5m)` explicitly groups data into 5-minute buckets, making option B correct.

Exam trap

The trap here is that candidates assume the default collection interval (1 minute) determines the display granularity, but the `bin()` function in the KQL query explicitly overrides that to 5-minute averages, making option B correct instead of a 1-hour or raw interval.

How to eliminate wrong answers

Option A is wrong because the query uses `bin(TimeGenerated, 5m)` to aggregate data into 5-minute intervals, not 1-hour intervals; a 1-hour interval would require `bin(TimeGenerated, 1h)`. Option C is wrong because the query filters for `cpu_usage_percentage` (CPU metric), not memory utilization; memory would require a metric like `memory_available_bytes` or `memory_percentage`. Option D is wrong because the query targets CPU utilization, not disk I/O; disk I/O would involve metrics such as `disk_read_bytes_per_second` or `disk_write_operations_per_second`.

367
Multi-Select · easy

Which TWO of the following are features of Azure SQL Database that help ensure high availability? (Select two.)

Select 2 answers
A. Active geo-replication
B. Long-term retention (LTR) backups
C. Automatic tuning
D. Zone-redundant availability
E. Transparent Data Encryption (TDE)
Answers: A, D

Replicates data to a secondary region for disaster recovery.

Why this answer

Active geo-replication (Option A) creates readable secondary replicas of an Azure SQL Database in a paired Azure region, enabling manual or automatic failover to maintain availability during a regional outage. This feature ensures high availability by providing disaster recovery capabilities with a Recovery Point Objective (RPO) of up to 5 seconds and a Recovery Time Objective (RTO) of less than 1 hour, depending on the failover group configuration.

Exam trap

The trap here is that candidates often confuse backup features (like LTR) or security features (like TDE) with high availability mechanisms, but only replication-based solutions (geo-replication and zone-redundancy) directly address availability during failures.

368
MCQ · medium

Your company uses Microsoft Sentinel for security monitoring. You need to design a solution to analyze sign-in logs and detect patterns of anomalous access from different geographical locations within a short time frame. Which feature should you use?

A. Microsoft Sentinel Analytics Rules
B. Microsoft Sentinel Playbooks
C. Kusto Query Language (KQL) queries
D. Microsoft Sentinel Workbooks
Answer: C

KQL is used to query and analyze sign-in logs for anomalous patterns.

Why this answer

C is correct because Kusto Query Language (KQL) queries are the native query language used in Microsoft Sentinel to perform deep analysis of log data, including sign-in logs. To detect patterns of anomalous access from different geographical locations within a short time frame, you would write a KQL query that aggregates sign-in events by user, timestamp, and location, then applies threshold-based logic (e.g., multiple distinct countries within 10 minutes) to surface the anomaly. This is a custom detection scenario that requires direct querying of the Log Analytics workspace, which KQL enables.

Exam trap

The trap here is that candidates often confuse the purpose of Analytics Rules (which automate detection) with the raw querying capability of KQL, assuming that rules themselves perform the analysis rather than being a container for KQL logic.

How to eliminate wrong answers

Option A is wrong because Microsoft Sentinel Analytics Rules are built on top of KQL queries to generate alerts automatically, but they are not the feature used to analyze logs directly; they consume pre-written KQL queries. Option B is wrong because Microsoft Sentinel Playbooks are automated response workflows (based on Azure Logic Apps) triggered by alerts, not a tool for analyzing sign-in logs or detecting patterns. Option D is wrong because Microsoft Sentinel Workbooks are interactive dashboards for visualizing data, not for performing ad-hoc or custom log analysis to detect specific anomalous patterns.

369
MCQ · hard

A company stores terabytes of archival data that must be retained for 10 years per regulatory requirements. The data is accessed infrequently (once or twice per year) and retrieval latency of up to 5 hours is acceptable. The company wants the lowest storage cost. They also need to ensure data is encrypted at rest and immutability to prevent deletion or modification during the retention period. Which Azure storage solution should they choose?

A. Azure Blob Storage with Hot tier and lifecycle management to Archive tier with WORM policy
B. Azure Blob Storage with Cool tier and lifecycle management to Archive tier with legal hold
C. Azure Blob Storage with Archive tier and immutability policy (time-based retention)
D. Azure Files with premium tier and soft delete
Answer: C

Archive tier offers the lowest cost, and immutability policy ensures data cannot be deleted or modified during the 10-year retention.

Why this answer

Option C is correct because Azure Blob Storage's Archive tier offers the lowest storage cost for infrequently accessed data, and the immutability policy with time-based retention provides WORM (Write Once, Read Many) compliance to prevent deletion or modification for the required 10-year period. The 5-hour retrieval latency is acceptable for archival data accessed once or twice per year, and encryption at rest is automatically enabled for all Azure Blob Storage tiers.

Exam trap

The trap here is that candidates often confuse legal hold (which is indefinite and does not prevent modification) with time-based retention immutability policy, or they incorrectly choose a higher-cost tier like Hot or Cool thinking lifecycle management will reduce costs, ignoring that the Archive tier itself is the cheapest and directly meets the latency requirement.

How to eliminate wrong answers

Option A is wrong because the Hot tier is the most expensive storage tier and is unnecessary for archival data accessed once or twice per year; lifecycle management to Archive tier adds complexity but the Hot tier cost is wasted. Option B is wrong because legal hold is an indefinite retention mechanism that cannot enforce a specific 10-year retention period, and it does not prevent modification of blobs (only deletion); the Cool tier is also more expensive than Archive. Option D is wrong because Azure Files with premium tier is designed for low-latency file shares and is extremely costly for terabytes of archival data, and soft delete does not provide immutability or prevent modification.

370
Multi-Select · hard

You are designing a governance and compliance solution for a large Azure environment with multiple subscriptions. The solution must enforce tagging policies, restrict resource types, and ensure compliance with regulatory standards. Which THREE Azure services or features should you use? (Choose three.)

Select 3 answers
A. Azure Resource Graph
B. Azure Management Groups
C. Azure Cost Management
D. Azure Blueprints (or Policy Initiatives)
E. Azure Policy
Answers: B, D, E

Management Groups allow hierarchical organization and policy assignment at scale.

Why this answer

Options B, D, and E are correct. Azure Policy (E) enforces tags and restricts resource types. Management Groups (B) allow hierarchical policy assignment. Azure Blueprints (D; now part of Azure Policy with initiatives) package policies and role assignments. Option A (Resource Graph) is for querying, not enforcement. Option C (Cost Management) monitors costs but not compliance.

371
MCQ · hard

You are designing a network architecture for a multi-tier application. The front-end tier is an Azure Application Gateway that routes traffic to a web app on Azure App Service. The back-end tier is an Azure SQL Database. You need to ensure that all traffic between the Application Gateway and the web app remains within the Azure backbone network, and that the web app can only be accessed through the Application Gateway. What should you configure?

A. Use Azure Private Link for the web app and disable public access.
B. Enable Service Endpoints for the web app and configure the Application Gateway with a private IP.
C. Deploy Azure Firewall in front of the Application Gateway.
D. Use a site-to-site VPN between the App Service and Application Gateway.
Answer: B

Service Endpoints ensure traffic stays on Azure backbone; private IP restricts access to the gateway.

Why this answer

Option B is correct because enabling Service Endpoints for the web app's subnet restricts access to that subnet, and configuring the Application Gateway to use a private IP ensures traffic stays within Azure. App Service can be integrated with a VNet via regional VNet integration, but Service Endpoints are simpler for this scenario. Option C (Azure Firewall) is not needed. Option D (site-to-site VPN) is for hybrid connectivity. Option A (Private Link) is more complex and used for PaaS services; Service Endpoints are sufficient.

372
MCQ · easy

A startup needs a cost-effective data storage solution for its application logs. The logs are accessed infrequently but must be available for audit purposes for up to 3 years. The solution should minimize storage costs while allowing data retrieval within 24 hours when needed. Which Azure storage tier should the company recommend?

A. Azure Blob Storage Cool tier
B. Azure Blob Storage Hot tier
C. Azure Blob Storage Archive tier
D. Azure Blob Storage Premium tier
Answer: C

Lowest cost for rarely accessed data with retrieval time in hours.

Why this answer

The Archive tier is the most cost-effective option for data that is infrequently accessed and requires retrieval times of up to 15 hours (standard) or 24 hours (high-priority). Since the logs must be available within 24 hours and stored for up to 3 years, Archive meets both the cost and retrieval requirements, as it offers the lowest storage cost among Azure Blob Storage tiers.

Exam trap

The trap here is that candidates often confuse the Archive tier's retrieval time with the Hot or Cool tiers, assuming Archive is too slow for any audit requirement, but the 24-hour SLA for high-priority rehydration makes it suitable for this scenario.

How to eliminate wrong answers

Option A is wrong because the Cool tier is designed for data accessed less than once per month, but its storage cost is higher than Archive, and it offers near-instant retrieval, which is unnecessary given the 24-hour retrieval window. Option B is wrong because the Hot tier is optimized for frequent access (multiple times per month) and has the highest storage cost, making it unsuitable for infrequently accessed audit logs. Option D is wrong because the Premium tier is intended for low-latency, high-transaction workloads (e.g., IoT, real-time analytics) and incurs the highest cost, which is not justified for archival audit logs.

373
MCQ · medium

A healthcare organization stores patient records in Azure SQL Database. They need to ensure that all read queries against the database are directed to a read-only replica to offload the primary. Which feature should you configure?

A. Elastic database queries
B. Failover groups
C. Read scale-out
D. Active geo-replication
Answer: C

Read scale-out enables routing read-only queries to a readable secondary replica.

Why this answer

Read scale-out in Azure SQL Database allows you to direct read-only queries to a read-only replica, offloading the primary database. By setting the `ApplicationIntent=ReadOnly` connection string parameter, queries are automatically routed to the secondary replica, which is ideal for read-heavy workloads like patient record queries.

Exam trap

The trap here is that candidates confuse Active geo-replication (which also provides readable secondaries) with Read scale-out, but Active geo-replication requires explicit connection string changes per replica, whereas Read scale-out automatically routes read-only queries via the same logical server endpoint.

How to eliminate wrong answers

Option A is wrong because Elastic database queries are used to run distributed queries across multiple databases, not to offload reads to a read-only replica. Option B is wrong because Failover groups provide high availability and geo-replication management, but they do not automatically route read queries to a read-only replica without additional configuration. Option D is wrong because Active geo-replication creates readable secondary replicas in different regions for disaster recovery, but it does not natively support automatic read-only query routing from the primary connection string; it requires manual connection string changes.

374
MCQ · hard

Refer to the exhibit. This ARM template configures backup for an Azure App Service web app. The backup is scheduled daily. What is the primary limitation of this backup strategy in meeting a disaster recovery RPO of 4 hours?

A. The backup storage account is in the same region as the web app
B. The backup frequency is 1 day, resulting in an RPO of up to 24 hours
C. The retention period of 30 days is too short
D. The backup does not include the web app configuration
Answer: B

Daily backup cannot meet 4-hour RPO.

Why this answer

Option B is correct because the backup schedule is daily, leading to an RPO of up to 24 hours, which exceeds the 4-hour requirement. Option A is wrong because the storage account location does not affect RPO. Option C is wrong because the retention period does not affect RPO. Option D is wrong because the backup includes the app content; the frequency is the issue.

375
MCQ · medium

Your organization uses Microsoft Entra ID. You need to allow external users to sign in using their own identity providers (e.g., Google, Facebook) to access a custom application. What should you configure?

A. Microsoft Entra Connect
B. Microsoft Entra External ID
C. Microsoft Entra B2B collaboration
D. Microsoft Entra ID (tenant)
Answer: B

External ID supports social identity providers.

Why this answer

Microsoft Entra External ID (formerly Azure AD External Identities) is the correct solution because it is specifically designed to allow external users to authenticate using their own social identity providers (e.g., Google, Facebook) via OAuth 2.0 and OpenID Connect protocols. This configuration enables a custom application to accept sign-ins from these external identities without requiring them to have a Microsoft Entra ID account, using a dedicated external tenant or identity experience.

Exam trap

The trap here is that candidates often confuse Microsoft Entra B2B collaboration (which is for business-to-business guest access using work/school accounts) with Microsoft Entra External ID (which is for consumer-facing social identity providers), leading them to incorrectly select B2B collaboration.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Connect is used for hybrid identity synchronization between on-premises Active Directory and Microsoft Entra ID, not for enabling external social identity providers. Option C is wrong because Microsoft Entra B2B collaboration allows external users to access your organization's resources using their own work or school accounts (e.g., another Microsoft Entra tenant), but it does not natively support social identity providers like Google or Facebook for custom applications. Option D is wrong because a standard Microsoft Entra ID (tenant) alone does not provide the built-in identity provider federation for social logins; it requires the External ID configuration to add those social identity providers.
