Microsoft Azure Solutions Architect Expert AZ-305 (AZ-305) — Questions 376–450

999 questions total · 14 pages · All types, answers revealed


Page 6 of 14

376 (MCQ, hard)

Refer to the exhibit. You are testing a disaster recovery plan for three Azure VMs. The recovery plan in the exhibit is failing during a test failover. VM3 fails to start after failover. What is the most likely cause?

A. VM3 is not replicated properly.
B. The boot order is incorrect; VM3 should be before VM1.
C. VM3 is in a Shutdown group, which means it is not started during failover.
D. The primary and recovery locations are swapped.
Answer: C

Shutdown group is used for graceful shutdown, not startup.

Why this answer

Option C (Shutdown group) is correct because VM3 is in a Shutdown group, which means it is not started during failover. Option A (replication) is not indicated by the exhibit. Option B (boot order) is not indicated either. Option D (swapped locations) is not the cause; the primary and recovery locations shown are valid.

377 (Multi-Select, hard)

A multinational corporation is designing a hybrid identity solution using Microsoft Entra ID. The company has multiple on-premises Active Directory forests with complex trust relationships. They require that users can authenticate to both cloud and on-premises resources using the same credentials, and they want to minimize changes to the existing infrastructure. Which THREE components should be part of the solution? (Choose three.)

Select 3 answers
A. Microsoft Entra Connect Sync
B. Password hash synchronization
C. Microsoft Entra Connect Health
D. Active Directory Federation Services (AD FS)
E. Microsoft Entra Domain Services
Answers: A, B, D

Synchronizes identities from multiple on-premises AD forests.

Why this answer

The correct answers are A, B, and D. Microsoft Entra Connect Sync (A) synchronizes identities from multiple forests. Password hash synchronization (B) provides a fallback authentication method. Active Directory Federation Services (AD FS) (D) can be used for federated authentication with Entra ID.

Option C is wrong because Microsoft Entra Connect Health monitors sync health but is not a core identity component. Option E is wrong because Microsoft Entra Domain Services is for domain-join scenarios without on-premises AD, not for hybrid identity.

378 (Multi-Select, hard)

Which THREE of the following are valid methods to securely transfer data to Azure Blob Storage? (Select three.)

Select 3 answers
A. Azure Data Box
B. Azure File Sync
C. AzCopy
D. Azure Migrate
E. Azure Import/Export service
Answers: A, C, E

Physical appliance for large data transfers to blob storage.

Why this answer

Azure Data Box is a physical data transfer solution that allows you to securely transfer large volumes of data to Azure Blob Storage when network transfer is impractical. It uses AES-256 encryption for data at rest and TLS for data in transit, and after the device is shipped back, data is automatically uploaded to your designated storage account.

Exam trap

The trap here is that candidates often confuse Azure File Sync with a general-purpose data transfer tool, but it is strictly for file shares (SMB) and cannot target Blob Storage, while Azure Migrate is mistaken for a data transfer service when it is actually a migration orchestration tool for servers and applications.

379 (Multi-Select, medium)

Which TWO Azure networking services provide DDoS protection at the application layer (Layer 7)?

Select 2 answers
A. Azure Front Door Premium with WAF
B. Azure Firewall
C. Azure DDoS Protection Standard
D. Azure Web Application Firewall on Azure Application Gateway
E. Azure Bastion
Answers: A, D

Front Door Premium includes WAF with Layer 7 DDoS protection.

Why this answer

Azure Web Application Firewall (WAF) on Application Gateway (D) and Azure Front Door Premium with WAF (A) provide Layer 7 DDoS protection. Azure DDoS Protection Standard (C) protects at the network layers, not Layer 7. Azure Firewall (B) operates at the network and application layers but is not a DDoS protection service. Azure Bastion (E) provides secure remote access to VMs, not DDoS protection.

380 (Multi-Select, medium)

Your organization needs to ensure that all Azure resources are compliant with corporate security policies. You need to design a solution that can enforce policies at scale, audit compliance, and automatically remediate non-compliant resources. Which THREE Azure services should you include?

Select 3 answers
A. Azure Policy
B. Azure Monitor
C. Azure Automation
D. Azure RBAC
E. Azure Blueprints
Answers: A, C, E

Enforces compliance rules.

Why this answer

Options A, C, and E are correct. Azure Policy enforces rules, Azure Blueprints packages policies with other artifacts, and Azure Automation can run remediation scripts. Option D is wrong because Azure RBAC is for access control, not policy enforcement. Option B is wrong because Azure Monitor is for monitoring, not policy.

381 (MCQ, medium)

Your company uses Microsoft Sentinel for security monitoring. You need to design a solution to detect when a user account is created in Microsoft Entra ID with Global Administrator privileges. When detected, an incident must be created in Sentinel and the account should be disabled temporarily until reviewed. You want to use built-in capabilities where possible. What should you do?

A. Use Microsoft Entra Privileged Identity Management to require approval for role activation, and audit logs to detect permanent assignments.
B. Use Microsoft Defender for Cloud Apps to monitor for privileged role assignments and send an alert to Sentinel.
C. Use a Microsoft Sentinel analytics rule template for 'Suspicious Entra ID role assignment' and configure a playbook to disable the account via Microsoft Graph API.
D. Create a custom KQL query in Log Analytics and schedule it as a Sentinel analytics rule, then use an Azure Function to disable the account.
Answer: C

Built-in rule and playbook automation meet requirements.

Why this answer

Option C is correct because it uses a built-in Sentinel analytics rule template specifically designed to detect suspicious Entra ID role assignments, which meets the requirement for built-in capabilities. The playbook, triggered by the rule, can use the Microsoft Graph API to disable the account temporarily, providing automated remediation without custom code or external services.

Exam trap

The trap here is that candidates may overcomplicate the solution by choosing custom KQL queries or external services (like Defender for Cloud Apps) when a built-in analytics rule template and playbook are available and sufficient for the detection and automated response.

How to eliminate wrong answers

Option A is wrong because Privileged Identity Management (PIM) requires approval for role activation but does not detect permanent assignments or create Sentinel incidents; it focuses on just-in-time access, not post-creation detection. Option B is wrong because Microsoft Defender for Cloud Apps can monitor for privileged role assignments but is not a built-in Sentinel capability for creating incidents directly; it would require additional configuration to forward alerts to Sentinel, and it does not natively disable accounts. Option D is wrong because creating a custom KQL query and using an Azure Function introduces unnecessary custom development and complexity, whereas built-in analytics rule templates and playbooks are available and preferred for this scenario.

382 (MCQ, hard)

A company runs a critical application on Azure VMs in a single region. They need to improve availability to meet an SLA of 99.99% while minimizing costs. The application is stateless and can run on multiple VMs. Which solution should you recommend?

A. Deploy a virtual machine scale set across multiple availability zones in a single region.
B. Deploy two VMs in the same availability set in a single region.
C. Deploy a single VM with Azure Site Recovery to another region.
D. Deploy two VMs in two different Azure regions with Azure Traffic Manager.
Answer: A

VMSS with zones provides 99.99% SLA and cost-effective scaling.

Why this answer

Option A is correct because a virtual machine scale set (VMSS) spread across three availability zones provides a 99.99% SLA and allows scaling. Option B is wrong because two VMs in an availability set provide only a 99.95% SLA. Option D is wrong because two VMs in different regions adds cost and complexity. Option C is wrong because a single VM offers no high availability.

383 (Multi-Select, medium)

Your company is planning to use Azure Monitor Workbooks to create custom dashboards for IT operations. You need to select the data sources that can be used in a workbook. Which TWO data sources are supported? (Choose two.)

Select 2 answers
A. Azure Resource Graph
B. Azure SQL Database
C. Microsoft Sentinel
D. Log Analytics workspace
E. Azure Blob Storage
Answers: A, D

Workbooks support Azure Resource Graph queries.

Why this answer

Azure Monitor Workbooks support multiple data sources including Azure Resource Graph, Log Analytics workspaces, Azure Monitor Metrics, and more. Azure Resource Graph allows querying Azure resources across subscriptions. Log Analytics workspaces allow querying log data.

Azure SQL Database is not directly a data source; you need a Log Analytics workspace that collects SQL logs. Azure Blob Storage is not a direct data source; you would need to use a Log Analytics workspace that ingests storage logs. Application Insights is supported as a data source.

384 (MCQ, medium)

A company runs a critical application on an Azure virtual machine in the West US region. They want to enable disaster recovery to East US with the ability to perform non-disruptive DR drills. They need an RPO of a few minutes. Which Azure service should they use?

A. Azure Site Recovery
B. Azure Backup
C. Azure Traffic Manager
D. Azure Blueprints
Answer: A

Azure Site Recovery replicates VMs continuously and allows you to run test failovers in isolation for DR drills.

Why this answer

Azure Site Recovery (ASR) is the correct service because it provides continuous replication of Azure VMs from a primary region (West US) to a secondary region (East US) with a Recovery Point Objective (RPO) of a few minutes. It also supports non-disruptive disaster recovery drills by allowing you to perform test failovers in an isolated network without impacting the production workload.

Exam trap

The trap here is that candidates often confuse Azure Backup (which is for long-term retention) with Azure Site Recovery (which is for replication and failover), leading them to choose Backup for DR scenarios that require low RPO and non-disruptive testing.

How to eliminate wrong answers

Option B (Azure Backup) is wrong because it is designed for long-term backup and retention, not for low-RPO replication or non-disruptive DR drills; its RPO is typically hours or days, not a few minutes. Option C (Azure Traffic Manager) is wrong because it is a DNS-based traffic load balancer for distributing incoming traffic across endpoints, not a replication or failover service for disaster recovery with a specific RPO. Option D (Azure Blueprints) is wrong because it is a governance and compliance tool for defining repeatable Azure resource templates, not a disaster recovery or replication service.

385 (MCQ, medium)

Your company is planning to migrate a large number of on-premises servers to Azure. The migration must be completed within 3 months. You need to assess the current on-premises environment and recommend the most appropriate Azure VM sizes and costs. What should you do?

A. Create a manual inventory of all servers and use Azure Pricing Calculator to estimate costs.
B. Use Azure Migrate to discover and assess the on-premises environment, and generate sizing and cost recommendations.
C. Use Azure Advisor to analyze on-premises server usage and recommend Azure VM sizes.
D. Use Azure Cost Management to estimate costs based on manual input of server specifications.
Answer: B

Azure Migrate is the tool for migration assessment and planning.

Why this answer

Option B is correct because Azure Migrate provides discovery, assessment, sizing recommendations, and cost estimates. Option C (Azure Advisor) is for optimization of existing Azure resources. Option D (Azure Cost Management) is for cost analysis of existing spend. Option A (manual inventory) is time-consuming and error-prone.

386 (MCQ, medium)

Your organization is deploying a critical application on Azure virtual machines. You need to ensure that the VMs are distributed across multiple fault domains and update domains within an availability set. You create an availability set with 3 fault domains and 5 update domains. How many VMs can you add to this availability set to maximize fault tolerance?

A. 5 VMs
B. Unlimited
C. 15 VMs
D. 3 VMs
Answer: B

There is no maximum number of VMs in an availability set; you can add as many as your subscription allows.

Why this answer

Option B is correct. There is no fixed limit on the number of VMs you can add to an availability set; to maximize fault tolerance, add as many VMs as the workload needs, and the fault domains and update domains are used to distribute them. The question asks how many VMs you can add, which is unlimited (subject to subscription limits).

Options A, C, and D are incorrect because they imply a limit.

387 (MCQ, hard)

You are troubleshooting access for a user named John Doe. The exhibit shows the output of Get-AzRoleAssignment. John reports he cannot create virtual machines in the Prod resource group. Other users with the same role can create VMs. What is the most likely cause?

A. John does not have multi-factor authentication enabled
B. John is not assigned the Contributor role
C. John has a deny assignment that prevents VM creation
D. The role assignment is at the wrong scope
Answer: C

A deny assignment can override the Contributor role, preventing VM creation even though he has the role.

Why this answer

The correct answer is C because Azure RBAC supports deny assignments that explicitly block specific actions even if the user has an allow assignment like Contributor. Since other users with the same role can create VMs, John's role assignment is not the issue; a deny assignment at a higher scope (e.g., management group or subscription) or directly on the resource group is overriding the allow, preventing VM creation. This is a common troubleshooting scenario where a deny assignment is the root cause.

Exam trap

The trap here is that candidates often assume the issue is a missing or misconfigured role assignment (like Contributor), but the question explicitly states other users with the same role succeed, pointing to a deny assignment as the only logical explanation for a user-specific block.

How to eliminate wrong answers

Option A is wrong because multi-factor authentication (MFA) is an authentication requirement, not an authorization control; it does not affect RBAC permissions for creating VMs. Option B is wrong because the exhibit shows Get-AzRoleAssignment output, and if John had the same role as other users who can create VMs, he would have the Contributor role; the issue is not the role itself but an overriding deny assignment. Option D is wrong because the role assignment scope is the same for all users with that role (as implied by the exhibit), and if the scope were incorrect, other users would also be affected; the problem is specific to John, indicating a deny assignment targeting him or his group.

388 (MCQ, hard)

You are reviewing a custom RBAC role in Azure. The exhibit shows the role definition. A user with this role reports they cannot read diagnostic settings for a storage account in the Production resource group. What is the most likely cause?

A. The role does not include 'Microsoft.Storage/storageAccounts/read'
B. Custom roles cannot be assigned to users
C. The role lacks the 'Microsoft.Storage/storageAccounts/listKeys/action' permission
D. The role is assigned at the wrong scope
Answer: A

Without the read action on storage accounts, the user cannot enumerate storage accounts in the portal or via API.

Why this answer

The user cannot read diagnostic settings because the custom role lacks the 'Microsoft.Storage/storageAccounts/read' permission. This permission is required to read the storage account resource itself, which is a prerequisite for accessing its diagnostic settings. Without it, the role cannot perform any read operations on the storage account, including reading diagnostic logs or metrics configuration.

Exam trap

The trap here is that candidates may confuse data plane permissions (like listKeys) with control plane permissions (like read), or assume that diagnostic settings can be read independently of the parent resource's read permission.

How to eliminate wrong answers

Option B is wrong because custom roles can be assigned to users, groups, or service principals just like built-in roles; the limitation is that custom roles must be defined in the same tenant. Option C is wrong because 'listKeys/action' is used to retrieve storage account access keys for data plane operations, not for reading diagnostic settings, which is a control plane operation. Option D is wrong because even if the role is assigned at the wrong scope, the core issue is the missing 'read' permission; assigning at the correct scope would still fail without the required permission.
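As an added illustration (not part of the original question set or its exhibit), here is a custom role definition that grants the control-plane read on the storage account together with the read on diagnostic settings that the explanation describes as the prerequisite. The role name and the subscription ID in AssignableScopes are placeholders; the two action strings are real Azure RBAC operations.

```json
{
  "Name": "Storage Diagnostics Reader (example)",
  "IsCustom": true,
  "Description": "Read storage accounts and their diagnostic settings; grants no key access.",
  "Actions": [
    "Microsoft.Storage/storageAccounts/read",
    "Microsoft.Insights/diagnosticSettings/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/<subscription-id>"
  ]
}
```

The definition can be created with `az role definition create --role-definition @role.json`. Note that `Microsoft.Storage/storageAccounts/listKeys/action` is deliberately absent: it is not needed to read diagnostic settings, and leaving it out keeps the role from handing out account keys. Removing `Microsoft.Storage/storageAccounts/read` reproduces the failure in the question, because the user can no longer resolve the parent resource the diagnostic settings hang off.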

389 (MCQ, hard)

A large enterprise has a management group hierarchy with 50 subscriptions. They need to enforce that every resource group must have a 'CostCenter' tag and that any new resource group without that tag is automatically denied creation. Additionally, they need to ensure that only the Finance team can modify tags on any resource. They also want to generate monthly compliance reports showing which resources are non-compliant. Which combination of Azure services should they use?

A. Azure Policy for tag enforcement, Azure RBAC for scoping tag modification to Finance, and Azure Policy for compliance reporting
B. Azure Blueprints with tag policy and Azure RBAC, and Azure Security Center for compliance
C. Azure Policy for tag enforcement, Azure Management Groups for governance, and Azure Monitor for compliance reports
D. Azure Policy for tag enforcement, Azure RBAC for tag modification, and Azure Security Center for compliance
Answer: A

Correct. Azure Policy enforces the tag requirement and provides compliance reports; RBAC restricts tag modification to the Finance team.

Why this answer

Option A is correct because Azure Policy can enforce the 'CostCenter' tag on resource groups via a 'deny' effect policy, Azure RBAC can restrict tag modification to the Finance team by assigning the 'Tag Contributor' role at the appropriate scope, and Azure Policy's compliance reporting (via the Azure Policy Compliance dashboard or export to Log Analytics) provides monthly reports on non-compliant resources without needing additional services.

Exam trap

The trap here is that candidates confuse Azure Security Center (for security compliance) with Azure Policy (for governance compliance), or assume Azure Monitor can generate compliance reports when it is designed for metrics and logs, not policy evaluation.

How to eliminate wrong answers

Option B is wrong because Azure Blueprints are for deploying consistent environments (including policies), but they do not provide ongoing compliance reporting; Azure Security Center (now Microsoft Defender for Cloud) focuses on security posture, not tag compliance. Option C is wrong because Azure Management Groups are for organizing subscriptions and applying policies, not for governance enforcement itself, and Azure Monitor is for telemetry and alerts, not for generating compliance reports on tags. Option D is wrong because Azure Security Center is not designed for tag compliance reporting; it handles security recommendations and vulnerabilities, not resource metadata compliance.
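To make the "deny effect" half of the explanation concrete, here is an added example of the policy rule (not from the original question set) that blocks creation of any resource group lacking a 'CostCenter' tag. The tag name is hard-coded for clarity; the built-in Azure Policy for this scenario takes it as a parameter instead. The `mode` must be `All`, because resource groups are not indexed resources and would otherwise be skipped by evaluation.

```json
{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Resources/subscriptions/resourceGroups"
        },
        {
          "field": "tags['CostCenter']",
          "exists": "false"
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  }
}
```

Create it with `az policy definition create --name require-costcenter-rg --rules @rule.json --mode All` and assign it at the management group scope with `az policy assignment create --policy require-costcenter-rg --scope /providers/Microsoft.Management/managementGroups/<mg-id>` (name and management group ID are placeholders). Compliance results for the assignment can then be pulled with `az policy state list`, which is the reporting piece the explanation refers to; restricting who may edit tags is handled separately by assigning the 'Tag Contributor' role to the Finance group.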

390 (Multi-Select, easy)

Which TWO of the following are valid options to achieve high availability for Azure SQL Database? (Choose two.)

Select 2 answers
A. Deploy a single database with locally redundant storage (LRS)
B. Deploy a zone-redundant Azure SQL Database
C. Configure manual failover to a secondary replica in the same region
D. Configure SQL Server Always On availability groups
E. Configure active geo-replication to a secondary database in a different region
Answers: B, E

Zone-redundancy provides intra-region HA.

Why this answer

Options B and E are correct. Zone-redundant deployment (B) provides high availability within a region by replicating across availability zones. Active geo-replication (E) provides cross-region high availability and disaster recovery.

Option A is wrong because a single database with locally redundant storage offers no high availability. Option C is wrong because Azure SQL Database does not support manual failover to a replica without geo-replication. Option D is wrong because Always On availability groups are for SQL Server on VMs, not Azure SQL Database.

391 (MCQ, hard)

You are designing a storage solution for a global e-commerce platform that must serve users from multiple regions with low latency. The data includes product catalog (read-heavy, rarely updated) and user session state (write-heavy, short-lived). Which combination of Azure services meets the requirements?

A. Azure Cosmos DB for session state and Azure Front Door with Azure CDN for catalog.
B. Azure Cache for Redis for session state and Azure Front Door for catalog.
C. Azure Table Storage for session state and Azure Front Door for catalog.
D. Azure SQL Database with geo-replication for both.
Answer: A

Cosmos DB multi-region writes for session state; Front Door + CDN for read-heavy catalog.

Why this answer

Option A is correct because Azure Cosmos DB provides multi-region writes for low-latency session state, and Azure Front Door with Azure CDN can cache static catalog data globally. Option D is wrong because Azure SQL Database with geo-replication is not ideal for session state due to cost and performance. Option C is wrong because Azure Table Storage does not support multi-region writes natively. Option B is wrong because Azure Cache for Redis is not suitable as the primary persistent store for session state.

392 (Matching, medium)

Match each Azure compute service to its characteristic.


IaaS with full control over OS and apps

PaaS for web apps, APIs, and mobile backends

Managed Kubernetes for container orchestration

Serverless compute for event-driven code

Simple, fast container deployment without orchestration

Why these pairings

These are the main compute options in Azure.

393 (MCQ, easy)

Your organization is moving to a cloud-only identity model using Microsoft Entra ID. You need to ensure that users can reset their own passwords without help desk intervention. The solution must support multi-factor authentication and notify administrators of password resets. What should you implement?

A. Microsoft Entra Connect Password Writeback
B. Conditional Access policies for password change
C. Microsoft Entra Self-Service Password Reset (SSPR)
D. Microsoft Entra ID Protection
Answer: C

SSPR meets all requirements: self-service, MFA support, and admin notifications.

Why this answer

Microsoft Entra Self-Service Password Reset (SSPR) allows users to reset their own passwords without help desk intervention. It supports multi-factor authentication (MFA) as a verification step before resetting, and can be configured to send notifications to administrators when a password reset occurs. This directly meets all stated requirements.

Exam trap

The trap here is that candidates often confuse password writeback (a prerequisite for hybrid environments) with the actual self-service reset feature, or they mistake Conditional Access policies (which enforce MFA during sign-in) for the self-service reset process itself.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Connect Password Writeback is a feature that enables password changes from the cloud to be written back to an on-premises Active Directory; it is not a self-service reset solution and does not by itself provide MFA or admin notifications. Option B is wrong because Conditional Access policies for password change control the conditions under which a password change is allowed (e.g., requiring MFA during sign-in), but they do not provide a self-service reset portal or admin notification for password resets. Option D is wrong because Microsoft Entra ID Protection is a risk-based security service that detects and responds to identity risks (e.g., leaked credentials, anomalous sign-ins); it does not provide a self-service password reset capability.

394 (MCQ, hard)

A company uses Azure NetApp Files for high-performance file shares accessed by Linux VMs. They need to reduce latency for read-heavy workloads. Which configuration should you implement?

A. Migrate to Azure Files with Azure File Sync
B. Enable read-only cache on the volume
C. Disable the export policy to allow all clients
D. Mount the volume using SMB protocol
Answer: B

Read-only cache reduces latency for read-heavy workloads.

Why this answer

Azure NetApp Files supports a read-only cache option on volumes, which stores frequently accessed data in a high-speed cache (SSD-based) local to the compute resources. This reduces read latency for read-heavy workloads by serving data from the cache instead of the underlying storage tier. The cache is transparent to the Linux VMs and requires no application changes.

Exam trap

The trap here is that candidates may confuse Azure NetApp Files with Azure Files, assuming that Azure File Sync or SMB mounting can provide similar performance benefits, when in fact Azure NetApp Files uses NFS and its read-only cache is the specific feature designed for reducing read latency.

How to eliminate wrong answers

Option A is wrong because migrating to Azure Files with Azure File Sync does not provide the same low-latency, high-performance characteristics as Azure NetApp Files, and Azure File Sync is designed for hybrid caching, not for reducing latency within Azure. Option C is wrong because disabling the export policy to allow all clients removes all access controls and security, which is a security risk and does not reduce latency. Option D is wrong because mounting the volume using SMB protocol is not supported for Azure NetApp Files with Linux VMs (it uses NFS), and SMB would introduce additional protocol overhead and compatibility issues, increasing latency rather than reducing it.

395 (Drag &amp; Drop, medium)

Drag and drop the steps to implement Azure Traffic Manager for geographic routing into the correct order.


Why this order

Create profile, add endpoints, configure mapping, update DNS, test.

396 (MCQ, easy)

A company has multiple Azure subscriptions and on-premises data centers connected via ExpressRoute. They want to centralize connectivity to the internet and enforce a single web filtering and security policy for all outbound internet traffic from Azure VMs. Which Azure networking architecture should they implement?

A. Use a hub-spoke topology with Azure Firewall in the hub for all outbound traffic.
B. Use a single virtual network for all resources with a network virtual appliance.
C. Use an Azure Virtual WAN with security virtual WAN hub.
D. Use Azure Traffic Manager with Azure Firewall.
Answer: A

In a hub-spoke topology, the hub VNet contains shared services like Azure Firewall. Spoke VNets are peered to the hub, and UDRs in each spoke subnet route default internet-bound traffic (0.0.0.0/0) to the firewall. This ensures all outbound traffic is inspected by the firewall, providing centralized filtering.

Why this answer

Option A is correct because a hub-spoke topology with Azure Firewall in the hub provides a centralized point for routing all outbound internet traffic from Azure VMs. By using user-defined routes (UDRs) on the spoke subnets that point to the Azure Firewall as the default gateway (0.0.0.0/0 next hop), all outbound traffic is forced through the firewall, enabling consistent web filtering and security policy enforcement. This architecture also integrates seamlessly with ExpressRoute for on-premises connectivity, ensuring a single egress point for internet-bound traffic.

Exam trap

The trap here is that candidates often confuse Azure Virtual WAN with a simple hub-spoke topology, assuming Virtual WAN is required for centralized internet egress, but Virtual WAN is primarily for SD-WAN and branch connectivity, not for enforcing outbound web filtering from Azure VMs in a multi-subscription environment.

How to eliminate wrong answers

Option B is wrong because using a single virtual network for all resources with a network virtual appliance (NVA) does not scale well across multiple subscriptions and lacks the centralized management and isolation benefits of a hub-spoke model; it also introduces a single point of failure without built-in high availability. Option C is wrong because Azure Virtual WAN with a security virtual WAN hub is designed for large-scale branch-to-branch and branch-to-Azure connectivity, but it does not natively enforce a single web filtering policy for all outbound internet traffic from Azure VMs without additional configuration (e.g., routing all traffic to a firewall in the hub), and it is overkill for a scenario that does not require global branch connectivity. Option D is wrong because Azure Traffic Manager is a DNS-based traffic load balancer for distributing incoming traffic across endpoints, not for routing or filtering outbound internet traffic from Azure VMs; it cannot enforce web filtering or security policies on outbound connections.

397 (MCQ, hard)

Your company is designing a new cloud-native application on Azure that consists of multiple microservices running on Azure Kubernetes Service (AKS). The application must be accessible from the internet via a custom domain name (app.contoso.com) and must support SSL/TLS termination. You need to design a secure ingress solution that provides Web Application Firewall (WAF) capabilities, SSL offloading, and automatic scaling. The solution should also support path-based routing to different microservices (e.g., /api, /web). Which option best meets the requirements for a high-performance, integrated, and managed solution with minimal operational overhead?

A. Deploy an Azure Front Door with WAF policy in front of the AKS cluster. Use Azure Private Link to connect Front Door to the internal load balancer of AKS.
B. Deploy an Azure Application Gateway v2 with WAF in front of the AKS cluster. Configure Application Gateway Ingress Controller (AGIC) to route traffic to the services.
C. Deploy an Azure Load Balancer with a public IP and install an NGINX ingress controller on AKS. Configure SSL termination on NGINX and use a third-party WAF.
D. Deploy an Azure API Management instance with WAF and expose the microservices through API endpoints. Use Azure Application Gateway as a reverse proxy.
Answer: B

Application Gateway v2 provides managed WAF, SSL termination, autoscaling, and path-based routing. AGIC simplifies ingress configuration.

Why this answer

Option B is correct because Azure Application Gateway v2 with WAF provides managed WAF, SSL offloading, automatic scaling, and path-based routing, and AGIC simplifies integration with AKS. Option C involves more operational overhead (managing NGINX and a third-party WAF).

Option A (Azure Front Door) is a global load balancer; it can work but introduces additional latency for regional traffic and requires Private Link, increasing complexity. Option D adds unnecessary complexity with API Management; the requirements do not include API management features.

398
MCQ · easy

Refer to the exhibit. You are deploying an ARM template that assigns a policy to audit virtual machines not using managed disks. After deployment, you need to verify that the policy assignment is working. Which Azure CLI command should you run?

A.az policy assignment list --subscription 12345678-1234-1234-1234-123456789abc
B.az policy state list --resource-group myResourceGroup
C.az policy definition list --subscription 12345678-1234-1234-1234-123456789abc
D.az policy event list --subscription 12345678-1234-1234-1234-123456789abc
Answer: A

This lists policy assignments, including the one just deployed.

Why this answer

Option A is correct because the `az policy assignment list` command retrieves all policy assignments in the specified subscription, including the one deployed via the ARM template. This allows you to confirm that the policy assignment exists and is properly configured. To verify that the policy is actually evaluating resources and producing compliance states, you would then use `az policy state list` to see the compliance results, but the question specifically asks to verify that the assignment itself is working, which is done by listing assignments.

Exam trap

The trap here is that candidates confuse the command for listing policy assignments with the command for viewing compliance states, leading them to choose `az policy state list` (Option B) instead of `az policy assignment list` (Option A) when the question asks to verify that the assignment itself is working.

How to eliminate wrong answers

Option B is wrong because `az policy state list` shows the current compliance states of resources against a policy, not the existence or configuration of the policy assignment itself. Option C is wrong because `az policy definition list` retrieves the built-in or custom policy definitions, not the assignments of those definitions to a scope. Option D is wrong because `az policy event list` is not a valid Azure CLI command; the correct command for viewing policy events is `az policy state list` with the `--filter` parameter, and events are not used for verifying assignment existence.

399
MCQ · easy

A company uses Microsoft Entra ID. They want to automatically detect sign-ins from anonymous IP addresses, sign-ins from unfamiliar locations, and other risky activities. When such a risk is detected, they want to block the sign-in or require multi-factor authentication. They also need a dashboard to review risk events. Which Microsoft Entra ID feature should they use?

A.Microsoft Entra ID Conditional Access
B.Microsoft Entra ID Identity Protection
C.Microsoft Entra ID Privileged Identity Management (PIM)
D.Microsoft Entra ID Access Reviews
Answer: B

Identity Protection detects risky sign-ins, provides a risk dashboard, and allows automated remediation actions like blocking or requiring MFA when combined with Conditional Access.

Why this answer

Microsoft Entra ID Identity Protection is the correct feature because it is specifically designed to detect and respond to identity-based risks such as sign-ins from anonymous IP addresses, unfamiliar locations, and other risky activities. It provides a risk-based conditional access policy that can automatically block sign-ins or require multi-factor authentication (MFA) when a risk is detected, and it includes a dashboard for reviewing risk events and reports.

Exam trap

The trap here is that candidates often confuse Conditional Access (which enforces policies) with Identity Protection (which provides the risk detection signals), leading them to select Conditional Access as the answer when the question explicitly asks for the feature that detects risks and provides a dashboard.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID Conditional Access is a policy engine that enforces access controls based on conditions (e.g., location, device state), but it does not itself detect risky sign-ins or provide a risk dashboard; it relies on Identity Protection to supply risk signals. Option C is wrong because Privileged Identity Management (PIM) focuses on just-in-time privileged role activation, approval workflows, and access reviews for administrative roles, not on detecting anonymous IP addresses or unfamiliar location sign-ins. Option D is wrong because Access Reviews are used for periodic recertification of group memberships or application access, not for real-time risk detection or automated blocking of risky sign-ins.

400
Matching · medium

Match each Azure migration tool to its use case.


Centralized hub for discovery, assessment, and migration

Migrate databases to Azure with minimal downtime

Physical device for offline data transfer

Replicate and migrate on-premises VMs to Azure

Ship hard drives to transfer large data volumes

Why these pairings

These tools facilitate different migration scenarios.

401
MCQ · easy

You are designing a high-availability solution for a stateless web application running on Azure VMs. The solution must provide automatic failover to another region in the event of a regional outage. Which Azure service should you use to distribute traffic across regions?

A.Azure Application Gateway
B.Azure Load Balancer
C.Azure Front Door
D.Azure Traffic Manager
Answer: C

Azure Front Door provides global load balancing with automatic failover, SSL termination, and web application firewall.

Why this answer

Option C is correct because Azure Front Door provides global load balancing with automatic failover across regions. Option D is wrong because Azure Traffic Manager is DNS-based; it can also do cross-region failover, but Front Door provides more features such as SSL offload and WAF. Option B is wrong because Azure Load Balancer is for regional load balancing.

Option A is wrong because Application Gateway is regional.

402
MCQ · hard

A company deploys a multi-tier web application on Azure VMs across availability zones. The web tier must have SSL termination, session persistence, and health probe monitoring. Additionally, all traffic must be inspected by a central firewall for compliance. The solution must be highly available. Which combination of Azure services should they implement?

A.Azure Application Gateway (WAF) in front of web VMs, with Azure Firewall in a hub VNet for central inspection
B.Azure Load Balancer (Standard) in front of web VMs, with a third-party Network Virtual Appliance (NVA) for inspection
C.Azure Front Door in front of web VMs, with Azure Firewall for inspection
D.Azure Traffic Manager + Azure Application Gateway
Answer: A

Correct. Application Gateway handles web traffic with SSL and session persistence; Azure Firewall inspects all traffic centrally.

Why this answer

Option A is correct because Azure Application Gateway provides SSL termination, session persistence (via cookie-based affinity), and health probes at Layer 7, which are required for a web tier. Placing Azure Firewall in a hub VNet for central inspection ensures all traffic is inspected for compliance, and deploying the web VMs across availability zones meets the high-availability requirement.

Exam trap

The trap here is that candidates often confuse Azure Load Balancer (Layer 4) with Application Gateway (Layer 7), assuming the Load Balancer can handle SSL termination and session persistence, or they overlook that Azure Front Door lacks session persistence and central inspection capabilities.

How to eliminate wrong answers

Option B is wrong because Azure Load Balancer operates at Layer 4 and cannot perform SSL termination or session persistence at the application layer; it also lacks native WAF capabilities, and using a third-party NVA introduces a single point of failure unless also deployed in a highly available manner. Option C is wrong because Azure Front Door is a global load balancer and CDN that does not support session persistence (sticky sessions) natively, and it cannot enforce central firewall inspection for all traffic as it terminates SSL at the edge, bypassing the central firewall. Option D is wrong because Azure Traffic Manager is a DNS-level load balancer that does not provide SSL termination, session persistence, or health probes at the application layer; combining it with Application Gateway adds unnecessary complexity without addressing the central firewall inspection requirement.

403
MCQ · medium

A company is designing a serverless architecture for a real-time data processing pipeline. The pipeline ingests data from IoT devices, processes the data using Azure Functions, and stores the results in Azure Cosmos DB. The solution must scale automatically and minimize cold starts. Which Azure service should the company use to trigger the Azure Functions?

A.Azure Event Grid
B.Azure Queue Storage
C.Azure Event Hubs
D.Azure Service Bus
Answer: A

Event Grid provides low-latency, push-based event delivery to Functions, reducing cold starts.

Why this answer

Option A (Azure Event Grid) is a push-based event broker that can trigger Functions with low latency, minimizing cold starts. Option C (Azure Event Hubs) is for high-throughput data ingestion; Functions can be triggered from Event Hubs, but cold starts can be higher. Option D (Azure Service Bus) is for messaging, not real-time IoT ingestion.

Option B (Azure Queue Storage) is for simple queuing and is not ideal for real-time processing. The best answer is Event Grid because it directly triggers Functions with events from IoT devices (via IoT Hub).

404
MCQ · medium

A media company needs to store large volumes of video files that are processed by an application. The files are accessed via REST APIs and are rarely accessed after the first few days. The company wants to minimize storage costs by automatically moving older files to a cheaper storage tier without any manual intervention. Which Azure storage solution should they use, and which feature should they configure?

A.Azure Blob Storage with lifecycle management policies
B.Azure Files with tiering
C.Azure NetApp Files with capacity pools
D.Azure Disk Storage with managed disks
Answer: A

Blob Storage provides REST API access and supports lifecycle management rules to automatically transition blobs from hot to cool to archive tiers, reducing costs as data ages.

Why this answer

Azure Blob Storage with lifecycle management policies is the correct solution because it allows you to define rules that automatically move blobs to cooler tiers (e.g., from Hot to Cool to Archive) based on age or last modification time, minimizing storage costs without manual intervention. The REST API access requirement is natively supported by Blob Storage via HTTPS, and the large video file workload fits well within its object storage capabilities.

Exam trap

The trap here is that candidates may confuse Azure Files tiering (which is for hybrid caching with Azure File Sync) with Blob Storage lifecycle management, or assume that any storage service with 'tiering' in its name provides automated cost-optimized tiering for REST-accessible data.

How to eliminate wrong answers

Option B is wrong because Azure Files uses the SMB protocol and does not support REST API access for video file processing; its tiering feature (Azure File Sync cloud tiering) is designed for on-premises caching, not automated cost-optimized tiering of rarely accessed files. Option C is wrong because Azure NetApp Files provides NFS/SMB volumes with capacity pools for high-performance workloads, but it lacks built-in automated lifecycle tiering to cheaper storage and is overkill for rarely accessed video files. Option D is wrong because Azure Disk Storage provides block-level managed disks for VMs, not REST API-accessible object storage, and has no lifecycle management feature to automatically move data to cheaper tiers.

405
MCQ · hard

A company is building a petabyte-scale data lake for analytics. They need a storage solution that supports a hierarchical namespace, POSIX-like permissions (ACLs), and is optimized for big data analytics workloads using Apache Spark and Hive. The data must be accessible over the Azure Blob Storage API. Which Azure data service should they use?

A.Azure Blob Storage (with flat namespace)
B.Azure Data Lake Storage Gen2
C.Azure NetApp Files
D.Azure HPC Cache
Answer: B

ADLS Gen2 combines Blob Storage with a hierarchical namespace and ACLs, enabling Hadoop-compatible access and high-performance analytics with Spark, Hive, and other tools.

Why this answer

Azure Data Lake Storage Gen2 (ADLS Gen2) is the correct choice because it combines a hierarchical namespace with POSIX-like ACLs and is natively optimized for big data analytics workloads like Apache Spark and Hive. It exposes data through the Azure Blob Storage API, meeting all stated requirements for petabyte-scale analytics.

Exam trap

The trap here is that candidates often confuse Azure Blob Storage (which is object storage with a flat namespace) with ADLS Gen2, not realizing that the hierarchical namespace and POSIX ACLs are exclusive to ADLS Gen2 and critical for big data analytics engines like Spark and Hive.

How to eliminate wrong answers

Option A is wrong because Azure Blob Storage with a flat namespace lacks a hierarchical namespace and POSIX-like ACLs, making it unsuitable for Hive and Spark workloads that rely on directory structures and fine-grained permissions. Option C is wrong because Azure NetApp Files provides NFS/SMB access with POSIX permissions but does not support the Azure Blob Storage API, which is a stated requirement. Option D is wrong because Azure HPC Cache is a caching layer for high-performance computing, not a persistent data lake storage service, and it does not provide a hierarchical namespace or native Blob API access.

406
MCQ · easy

A company is deploying a web application that must scale out automatically based on CPU usage. The application runs on Azure App Service. Which Azure feature should they configure?

A.Autoscale rules
B.Azure Front Door
C.Azure Load Balancer
D.Azure Traffic Manager
Answer: A

Autoscale rules scale App Service based on metrics like CPU.

Why this answer

Option A is correct because autoscale rules in App Service can scale out based on CPU percentage. Option C is wrong because Azure Load Balancer distributes traffic but does not scale the app. Option D is wrong because Traffic Manager is for global routing.

Option B is wrong because Azure Front Door is for global load balancing with acceleration.

407
MCQ · easy

A company has deployed Azure virtual machines without public IP addresses. They need to provide secure RDP and SSH access to these VMs for administrators from the corporate network (on-premises). The solution must integrate with Microsoft Entra ID for authentication and support multi-factor authentication (MFA). It must not require any public endpoint exposure on the VMs. Which Azure service should they use?

A.Azure Bastion
B.Point-to-Site VPN gateway
C.Azure ExpressRoute
D.Microsoft Entra ID Application Proxy
Answer: A

Azure Bastion provides secure RDP/SSH over SSL directly in the portal, without exposing public IPs on VMs. It supports Microsoft Entra ID authentication and MFA.

Why this answer

Azure Bastion provides secure RDP and SSH connectivity to Azure VMs directly from the Azure portal over TLS, without exposing any public IP addresses on the VMs. It integrates with Microsoft Entra ID for authentication and can enforce MFA through conditional access policies, meeting all stated requirements.

Exam trap

The trap here is that candidates often confuse Azure Bastion with a VPN solution (Point-to-Site or Site-to-Site) or a reverse proxy, but Bastion is specifically designed for browser-based RDP/SSH access without any public IP on the VM, while VPNs still expose a public endpoint and do not natively integrate with Entra ID for authentication.

How to eliminate wrong answers

Option B (Point-to-Site VPN gateway) is wrong because it requires the VMs to have private IP reachability but still exposes the VPN gateway's public endpoint, and it does not natively integrate with Microsoft Entra ID for authentication or MFA without additional components like Azure AD authentication for VPN. Option C (Azure ExpressRoute) is wrong because it provides a private, dedicated connection from on-premises to Azure but does not offer RDP/SSH brokering or Entra ID integration; it is a network connectivity service, not a secure access service for individual VMs. Option D (Microsoft Entra ID Application Proxy) is wrong because it is designed for publishing on-premises web applications, not for RDP/SSH access to Azure VMs, and it requires a connector installed on-premises, not in Azure.

408
MCQ · easy

A small business is migrating its on-premises file server to Azure. The file server contains 2 TB of data that is accessed infrequently. The business wants to minimize costs and only pay for storage used. The solution must support the SMB protocol and allow for on-premises caching to reduce latency. Which Azure storage solution should you recommend?

A.Azure Files Standard tier with Azure File Sync
B.Azure Disk Storage Standard HDD with shared disks
C.Azure NetApp Files Standard tier with cross-region replication
D.Azure Blob Storage Cool tier with Azure Storage Explorer
Answer: A

SMB access and caching on-premises.

Why this answer

Option A is correct because Azure Files with Azure File Sync provides cloud storage with SMB access and on-premises caching via sync. Option D is wrong because Azure Blob Storage does not support SMB. Option C is wrong because Azure NetApp Files is more expensive.

Option B is wrong because Azure Disk Storage is not a file sharing solution.

409
MCQ · medium

A gaming company stores player session data in Azure Cosmos DB. They need to handle sudden spikes in write traffic without throttling and ensure low-latency reads globally. Which configuration should they use?

A.Autoscale provisioned throughput
B.Serverless capacity mode
C.Multi-region writes
D.Manual provisioned throughput
Answer: A

Autoscale automatically scales RU/s to handle spikes without throttling.

Why this answer

Autoscale provisioned throughput (A) is correct because it allows Cosmos DB to automatically scale up to the maximum throughput (up to 10x the base RU/s) during sudden write spikes, preventing throttling (HTTP 429 errors). Combined with multi-region writes (which is a separate configuration), it ensures low-latency global reads by enabling writes to be accepted in any region and replicated asynchronously. This meets both the spike-handling and global read latency requirements.

Exam trap

The trap here is confusing 'multi-region writes' (which handles global write availability) with 'autoscale' (which handles traffic spikes), leading candidates to pick C because they think global writes are needed for low-latency reads, when in fact reads can be served from any region without multi-region writes.

How to eliminate wrong answers

Option B (Serverless capacity mode) is wrong because it is designed for intermittent or low-traffic workloads and cannot handle sudden spikes in write traffic; it has a maximum throughput cap of 5,000 RU/s per container and no autoscale capability, leading to throttling under heavy load. Option C (Multi-region writes) is wrong because it addresses global write availability and conflict resolution, not the ability to handle sudden traffic spikes; it does not prevent throttling if the provisioned throughput is insufficient. Option D (Manual provisioned throughput) is wrong because it requires manual adjustment to handle spikes, which is not feasible for sudden, unpredictable traffic; it will throttle requests if the fixed RU/s limit is exceeded.

410
MCQ · medium

Your company has a critical application running on Azure Virtual Machines that processes financial transactions. You need to ensure that the application remains available during an Azure region failure. The application is stateless and can scale horizontally. What is the most cost-effective design to meet the availability requirement?

A.Deploy VMs in an active-active configuration across two Azure regions using Traffic Manager and Azure Front Door.
B.Deploy VMs in an availability zone in the primary region and use Azure Site Recovery to replicate to a secondary region.
C.Deploy VMs in an availability set in the primary region and use Azure Site Recovery to failover to a secondary region.
D.Deploy VMs in a single region using Virtual Machine Scale Sets with automatic scaling.
Answer: B

Active-passive with Site Recovery is cost-effective for stateless apps and provides region failover.

Why this answer

Option B is correct because deploying VMs across availability zones provides resilience within the primary region, while Azure Site Recovery provides the secondary region needed to survive a region failure. This active-passive design with Site Recovery is cost-effective for stateless apps, although it still incurs DR costs. Option A (active-active across regions) is more expensive.

Option D (single region with scale sets) does not protect against region failure.

411
MCQ · easy

A company runs a critical web application on Azure VMs that uses Azure SQL Database. They need a disaster recovery solution that provides automatic failover to a secondary region with an RPO of 5 seconds and an RTO of 1 minute. The secondary region must also be able to serve read-only queries for reporting purposes. Which Azure SQL Database feature should they use?

A.Azure SQL Database with active geo-replication and an auto-failover group
B.Azure SQL Database with geo-restore
C.Azure SQL Database with a standby replica
D.Azure SQL Database with cross-region failover
Answer: A

This enables automatic failover with low RPO/RTO and allows the secondary to be used for read-only queries.

Why this answer

Active geo-replication with an auto-failover group is the correct choice because it provides automatic, asynchronous replication of data to a secondary region with an RPO of 5 seconds (typically under 5 seconds) and an RTO of 1 minute when the failover group is configured with a grace period. Additionally, the secondary replica can be used for read-only queries by connecting with ApplicationIntent=ReadOnly, meeting the reporting requirement.

Exam trap

The trap here is that candidates confuse 'geo-restore' (manual, backup-based) with 'active geo-replication' (continuous replication) or assume a 'standby replica' works across regions, when it is actually a single-region high-availability feature.

How to eliminate wrong answers

Option B is wrong because geo-restore is a manual, point-in-time recovery from geo-replicated backups, which has an RPO of 1 hour (backup frequency) and an RTO of hours, not meeting the 5-second RPO or 1-minute RTO. Option C is wrong because a standby replica (e.g., zone-redundant or local standby) is a high-availability feature within a single region, not a cross-region disaster recovery solution. Option D is wrong because 'cross-region failover' is not a specific Azure SQL Database feature; it is a generic term that could refer to active geo-replication or geo-restore, but without the auto-failover group, it does not guarantee automatic failover or the specified RPO/RTO.

412
MCQ · medium

A company wants to migrate its on-premises file server to Azure. The application accesses files using the Server Message Block (SMB) protocol and requires identity-based access integrated with on-premises Active Directory Domain Services (AD DS). The solution must be fully managed and provide low latency for users within the same region. Which Azure solution should they choose?

A.Azure Files with Active Directory authentication and Azure File Sync.
B.Azure NetApp Files with SMB volumes.
C.Azure Blob Storage with NFS 3.0 support.
D.Azure Managed Disk with a file server VM.
Answer: A

Azure Files supports SMB protocol, can be domain-joined to on-premises AD DS for identity-based access, and is fully managed. Azure File Sync can optionally cache files on-premises but is not required for the migration.

Why this answer

Azure Files with Active Directory authentication and Azure File Sync is the correct choice because it provides a fully managed SMB file share that supports identity-based access using on-premises AD DS. Azure File Sync enables caching of frequently accessed files on-premises or in Azure, reducing latency for users in the same region while maintaining a single namespace. This solution meets all requirements: SMB protocol, identity-based access, fully managed service, and low latency.

Exam trap

The trap here is that candidates often choose Azure NetApp Files (Option B) because it supports SMB and AD DS, but they overlook that it is not fully managed and is more complex to deploy, whereas Azure Files with File Sync is the fully managed, lower-cost alternative that meets all stated requirements.

How to eliminate wrong answers

Option B is wrong because Azure NetApp Files is not fully managed; it requires provisioning and managing capacity pools and is more expensive, and while it supports SMB with AD DS, it is not the simplest fully managed solution for this scenario. Option C is wrong because Azure Blob Storage with NFS 3.0 does not support SMB protocol or identity-based access with AD DS; it uses NFS and requires Azure Active Directory Domain Services or other identity providers, not on-premises AD DS. Option D is wrong because Azure Managed Disk with a file server VM is not fully managed; it requires you to manage the VM, OS, and file server software, increasing operational overhead, and does not provide native SMB identity-based integration without additional configuration.

413
MCQ · easy

A company wants to store log data from multiple applications for up to 30 days for analysis. The data is append-only, and queries are infrequent but need to be fast when run. Which Azure data storage solution should you recommend?

A.Azure Log Analytics Workspace
B.Azure Table Storage
C.Azure Data Lake Storage Gen2
D.Azure Blob Storage (archive tier)
Answer: A

Log Analytics is built for log data, fast queries, and configurable retention.

Why this answer

Azure Log Analytics Workspace is the correct choice because it is purpose-built for ingesting, storing, and querying log data from multiple sources. It supports append-only log ingestion, retains data for up to 30 days in its interactive retention tier (configurable), and provides fast Kusto Query Language (KQL) queries for infrequent analysis. The workspace integrates natively with Azure Monitor and other services, making it ideal for centralized log analysis.

Exam trap

The trap here is that candidates often choose Azure Blob Storage (archive tier) for cost savings, overlooking the explicit requirement for fast query performance, which the archive tier cannot provide due to its multi-hour rehydration latency.

How to eliminate wrong answers

Option B is wrong because Azure Table Storage is a NoSQL key-value store designed for structured, transactional data, not for log analytics; it lacks native query capabilities for time-series log data and does not support fast, ad-hoc queries across multiple log sources. Option C is wrong because Azure Data Lake Storage Gen2 is optimized for big data analytics on large volumes of unstructured or semi-structured data, not for low-latency, infrequent queries on append-only logs; it is better suited for batch processing and data lakes. Option D is wrong because Azure Blob Storage (archive tier) is designed for long-term, cold storage with high retrieval latency (hours), not for fast queries on recent log data; it is cost-effective for archival but violates the requirement for fast query performance.

414
MCQ · hard

Refer to the exhibit. A user reports they cannot access a secret in the vault 'vault-prod'. The user has a Contributor role at the subscription scope and a Key Vault Secrets User role at the specific vault scope. What is the most likely reason for the failure?

A.The user does not have write permissions on the vault.
B.The vault uses access policies instead of RBAC for authorization.
C.The Key Vault Secrets User role does not allow reading secrets.
D.The scope of the Key Vault Secrets User role is incorrect.
Answer: B

If the vault uses access policies, RBAC assignments are not effective; you need to grant access via an access policy.

Why this answer

Option B is correct because Key Vault has two permission models: RBAC and access policies. If the vault is using access policies, RBAC assignments are ignored unless the vault is configured for RBAC authorization. Option A is wrong because Contributor at the subscription scope includes write access to vaults.

Option C is wrong because the user has the Key Vault Secrets User role, which allows reading secrets. Option D is wrong because the scope is correct.

415
MCQ · easy

A company uses Azure Backup to protect on-premises Windows servers. The backup data is stored in a Recovery Services vault. They want to ensure that backup data is protected even if the entire Azure region fails. What should they configure?

A.Configure backup replication across two Recovery Services vaults in different regions.
B.Enable geo-redundant storage (GRS) for the Recovery Services vault.
C.Use zone-redundant storage (ZRS) for the Recovery Services vault.
D.Enable Cross-region restore (CRR) for the Recovery Services vault.
Answer: D

Cross-region restore allows restoring backup data in a paired region during a regional outage.

Why this answer

Option D is correct because Cross-region restore (CRR) enables restoring backup data in a paired region if the primary region fails. Option B is incorrect because GRS is the storage redundancy setting, whereas CRR is the feature that enables restore in the paired region. Option C is incorrect because zone-redundant storage protects only within a region.

Option A is incorrect because replication across vaults is not a built-in feature.

416
MCQ · hard

Your company has multiple Azure subscriptions managed by different teams. You need to design a governance solution that ensures: 1) All subscriptions must have a consistent set of policies (e.g., allowed locations, allowed VM SKUs). 2) Compliance reports must be generated daily for each subscription. 3) Non-compliant resources must be automatically remediated where possible (e.g., add tags). 4) The solution must use a single management group hierarchy. What should you include in the design?

A.Create a management group hierarchy, assign Azure Policy at the root management group level with both 'audit' and 'deployIfNotExists' effects, and use a daily Logic App to query compliance via Azure Resource Graph and send reports.
B.Create a management group hierarchy and use Azure Blueprints to assign policies and role assignments per subscription.
C.Use Azure DevOps to deploy a pipeline that runs PowerShell scripts to enforce policies and generate reports.
D.Create a custom Azure Policy initiative with all required policies and assign it to each subscription individually.
Answer: A

Policy at root applies to all subscriptions; remediation task handles auto-fix; Logic App automates reporting.

Why this answer

Option A is correct because assigning Azure Policy at the root management group level ensures consistent policy enforcement across all subscriptions in the hierarchy. The 'deployIfNotExists' effect enables automatic remediation (e.g., adding missing tags), while a daily Logic App querying Azure Resource Graph can generate compliance reports without manual intervention. This design satisfies all requirements with a single management group hierarchy.

Exam trap

The trap here is that candidates may assume Azure Blueprints (Option B) are required for consistent governance, but Blueprints are for initial environment setup, not ongoing policy enforcement and automatic remediation, which is the core of this question.

How to eliminate wrong answers

Option B is wrong because Azure Blueprints assign policies per subscription or management group, but they do not provide built-in automatic remediation or daily compliance reporting; they are primarily for environment composition, not ongoing governance. Option C is wrong because using Azure DevOps with PowerShell scripts is a custom, non-native approach that lacks the automatic remediation capabilities of Azure Policy's 'deployIfNotExists' effect and requires manual pipeline maintenance. Option D is wrong because assigning a custom initiative to each subscription individually violates the requirement to use a single management group hierarchy and creates administrative overhead, failing to enforce consistency at the root level.

417
MCQmedium

A company is deploying a web application on Azure App Service. They need to guarantee that all traffic from the internet goes through a Web Application Firewall (WAF) before reaching the app. The solution must be cost-effective for a single application. Which Azure service should they place in front of the App Service?

A.Azure Application Gateway with WAF.
B.Azure Front Door with WAF policy.
C.Azure Firewall with application rules.
D.Azure Traffic Manager.
AnswerA

Application Gateway is a regional Layer 7 load balancer that integrates WAF. It can be placed directly in front of App Service to inspect all incoming traffic. This is a cost-effective solution for a single-region application.

Why this answer

Azure Application Gateway with WAF is the correct choice because it provides a regional, layer-7 load balancer with built-in Web Application Firewall capabilities, designed to protect web applications from common exploits and vulnerabilities. For a single application, it is more cost-effective than Azure Front Door, which is a global service with higher minimum costs and additional features not required here. Application Gateway can be deployed directly in front of App Service to inspect and filter all internet traffic before it reaches the app.

Exam trap

The trap here is that candidates often confuse Azure Front Door with Application Gateway, assuming Front Door is always the better choice for WAF, but the question's emphasis on cost-effectiveness for a single application points to the regional, lower-cost Application Gateway instead.

How to eliminate wrong answers

Option B is wrong because Azure Front Door is a global, multi-region load balancer and application delivery network; while it supports WAF policies, it is designed for multi-region deployments and incurs higher costs, making it less cost-effective for a single application. Option C is wrong because Azure Firewall is a network-layer firewall that filters traffic based on IP addresses, ports, and protocols, not at the application layer (HTTP/HTTPS), so it cannot provide Web Application Firewall capabilities to inspect and block web application attacks like SQL injection or cross-site scripting. Option D is wrong because Azure Traffic Manager is a DNS-based traffic load balancer that routes traffic based on routing methods (e.g., performance, priority) but does not include any WAF or application-layer inspection capabilities.

418
MCQmedium

Your company is migrating a legacy on-premises application to Azure. The application requires persistent storage for configuration files that must be accessible from multiple virtual machines in a virtual network. The storage must be accessible only from within the virtual network and should not be exposed to the internet. Which Azure storage solution should you use?

A.Azure Disk Storage with shared disks
B.Azure NetApp Files with network security groups
C.Azure Blob Storage with a service endpoint
D.Azure Files with a private endpoint
AnswerD

Azure Files provides SMB file shares accessible from multiple VMs; private endpoints ensure the share is only accessible within the virtual network.

Why this answer

Azure Files shares can be mounted via SMB and accessed from multiple VMs simultaneously. Private endpoints ensure traffic stays within the virtual network, preventing internet exposure.

419
MCQhard

You are designing a business continuity solution for a globally distributed SaaS application that uses Azure Cosmos DB for its operational store. The application must survive a complete regional outage with zero data loss and automatic failover. What should you use?

A.Configure a single write region in Cosmos DB with eventual consistency and manual failover.
B.Configure Cosmos DB with a single write region, strong consistency, and enable automatic failover to a secondary region.
C.Enable multi-region writes in Cosmos DB with eventual consistency and automatic failover.
D.Use Azure SQL Database with active geo-replication and automatic failover.
AnswerB

Strong consistency ensures RPO=0, and automatic failover meets RTO.

Why this answer

Option B is correct because Cosmos DB configured with a single write region and strong consistency guarantees no data loss (RPO=0), and the service-managed failover policy promotes a secondary region automatically. Option C is wrong because multi-region writes with eventual consistency can result in data loss. Option A is wrong because a single write region with eventual consistency and manual failover has an RPO > 0 and no automatic failover.

Option D is wrong because Azure SQL Database geo-replication is not the right service for a Cosmos DB operational store.

420
MCQeasy

A company uses Microsoft Entra ID and wants to allow users to sign in using their existing personal Microsoft accounts, Google, and Facebook identities. They also need custom sign-up and sign-in flows with collection of specific user attributes. Which Microsoft Entra ID feature should they use?

A.Microsoft Entra ID B2B
B.Microsoft Entra ID B2C
C.Microsoft Entra ID Identity Protection
D.Microsoft Entra ID Conditional Access
AnswerB

Microsoft Entra ID B2C is a customer identity access management solution that supports multiple identity providers (Microsoft, Google, Facebook) and allows custom policies for sign-up/sign-in with custom attributes.

Why this answer

Microsoft Entra ID B2C (Business-to-Consumer) is the correct choice because it is specifically designed to support external identity providers like personal Microsoft accounts, Google, and Facebook, and it provides a customizable policy framework (user flows) for sign-up and sign-in that can collect custom user attributes. Unlike B2B, which focuses on business partner collaboration, B2C allows you to define attribute collection during registration via built-in or custom policies.

Exam trap

The trap here is that candidates often confuse Entra ID B2B with B2C, assuming B2B can handle consumer identities and custom sign-up flows, but B2B is strictly for business partner collaboration and lacks the user flow customization and social identity provider support that B2C provides.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID B2B is intended for business-to-business collaboration, allowing external users from partner organizations to access your apps using their work or school accounts, not personal Microsoft accounts, Google, or Facebook identities, and it does not support custom sign-up flows with attribute collection. Option C is wrong because Microsoft Entra ID Identity Protection is a security feature that detects and responds to identity-based risks (e.g., leaked credentials, sign-in anomalies) and does not provide federation with external identity providers or custom sign-up flows. Option D is wrong because Microsoft Entra ID Conditional Access is a policy engine that enforces access controls (e.g., MFA, device compliance) based on conditions like user, location, or risk, but it cannot configure external identity providers or custom sign-up/attribute collection.

421
MCQeasy

A company is using Azure SQL Database for a critical application. They need to ensure that the database is automatically backed up and that backups are retained for 35 days. What should they configure?

A.Enable long-term retention (LTR) for backups
B.Configure the point-in-time restore (PITR) retention to 35 days
C.Configure active geo-replication
D.Use Azure Backup to back up the SQL Database
AnswerB

PITR retention can be set up to 35 days for SQL Database.

Why this answer

Option B is correct because Azure SQL Database automatically performs full, differential, and transaction log backups, with point-in-time restore (PITR) retention configurable from 7 to 35 days depending on the service tier; setting it to 35 days meets the requirement. Option A is incorrect because long-term retention is for retaining backups for longer periods. Option C is incorrect because geo-replication is for disaster recovery, not backup retention.

Option D is incorrect because Azure Backup is for VMs and files, not Azure SQL Database.

422
Multi-Selectmedium

Which THREE Azure services can be used to monitor the performance of a web application? (Choose three.)

Select 3 answers
A.Azure Policy
B.Application Insights
C.Azure Monitor Metrics
D.Microsoft Defender for Cloud
E.Azure Monitor Logs
AnswersB, C, E

Application Insights provides application performance monitoring.

Why this answer

Application Insights is an Azure service specifically designed for monitoring the performance and usage of live web applications. It collects telemetry data such as request rates, response times, failure rates, and dependency tracking, enabling developers to detect and diagnose performance issues in real time.

Exam trap

The trap here is that candidates often confuse governance tools like Azure Policy or security tools like Defender for Cloud with performance monitoring, but the exam specifically tests the distinction between monitoring (Application Insights, Metrics, Logs) and management/security services.

423
MCQmedium

Your company uses Microsoft Entra ID and has a custom application that requires users to have specific roles assigned. You need to ensure that role assignments are reviewed quarterly and automatically remove assignments that are not approved. Which feature should you use?

A.Microsoft Entra Privileged Identity Management
B.Microsoft Entra Identity Protection
C.Microsoft Entra ID Governance access reviews
D.Microsoft Entra Conditional Access
AnswerC

Access reviews allow periodic review of role assignments and automatic removal.

Why this answer

Microsoft Entra ID Governance access reviews enable you to create recurring reviews of role assignments, with automatic removal of assignments that reviewers do not approve. This directly meets the requirement for quarterly reviews and automatic removal of unapproved assignments, making it the correct choice.

Exam trap

The trap here is that candidates often confuse Privileged Identity Management (PIM) with access reviews, but PIM handles just-in-time activation and approval, not recurring reviews with automatic removal of unapproved assignments.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Privileged Identity Management (PIM) provides just-in-time role activation and approval workflows for privileged roles, but it does not natively support recurring access reviews with automatic removal of unapproved assignments. Option B is wrong because Microsoft Entra Identity Protection focuses on detecting and remediating identity-based risks (e.g., compromised credentials, sign-in anomalies) and does not manage role assignment reviews or removals. Option D is wrong because Microsoft Entra Conditional Access enforces access policies based on conditions like location or device state, but it does not provide periodic review or automatic removal of role assignments.

424
Drag & Dropmedium

Drag and drop the steps to deploy a web app using Azure App Service with a custom domain and SSL certificate into the correct order.


Why this order

Create the app, map domain, upload cert, bind, then enforce HTTPS.

425
MCQeasy

Your company has a web application deployed on Azure App Service that experiences periodic traffic spikes. You need to ensure the application scales out quickly without manual intervention. The solution must minimize cost during low-traffic periods. What should you configure?

A.Enable pre-warming in the App Service plan
B.Configure Autoscale rules based on CPU or memory metrics
C.Deploy the app to a Virtual Machine Scale Set
D.Manually increase the instance count before expected spikes
AnswerB

Automatically adjusts instances.

Why this answer

Option B is correct because Autoscale rules with a metric-based trigger (e.g., CPU > 70%) automatically scale out during spikes and scale in during low traffic, minimizing cost. Option C is wrong because Virtual Machine Scale Sets are for VMs, not App Service. Option D is wrong because manual scaling does not react automatically.

Option A is wrong because pre-warming is not a scaling configuration.

426
MCQmedium

You are designing a governance strategy for Azure resources. The company has multiple departments, each requiring separate cost tracking and policy enforcement. You need to organize resources to align with the departments while minimizing management overhead. What should you use?

A.Management groups
B.Azure Blueprints
C.Resource tags
D.Resource groups
AnswerA

Management groups can contain multiple subscriptions and allow hierarchical policy and cost management.

Why this answer

Management groups are the correct choice because they allow you to organize Azure subscriptions into a hierarchy that aligns with your organizational structure, enabling you to apply Azure Policy and cost management controls at scale across multiple departments. By placing each department's subscriptions into separate management groups, you can enforce department-specific policies and track costs without managing each subscription individually, minimizing administrative overhead.

Exam trap

The trap here is that candidates often confuse resource tags with a governance mechanism for policy enforcement and cost tracking, but tags are only metadata and cannot enforce policies or aggregate costs across subscriptions like management groups can.

How to eliminate wrong answers

Option B (Azure Blueprints) is wrong because Blueprints are used to define a repeatable set of Azure resources and policies for deploying compliant environments, not for organizing existing resources or subscriptions for cost tracking and policy enforcement across departments. Option C (Resource tags) is wrong because tags are metadata key-value pairs applied to resources for filtering and reporting, but they do not provide hierarchical policy enforcement or cost aggregation at the subscription or management group level. Option D (Resource groups) is wrong because resource groups are logical containers for resources within a single subscription, and they cannot span subscriptions or provide the cross-subscription policy and cost management needed for multiple departments.

427
MCQmedium

Refer to the exhibit. You attempt to create a new storage account with the property 'supportsHttpsTrafficOnly' set to false. What is the result?

A.The storage account is created and an audit log is generated.
B.The storage account creation is denied.
C.The storage account is created with HTTPS enforced automatically.
D.The storage account is created but encryption is disabled.
AnswerB

The policy denies creation when HTTPS is not enforced.

Why this answer

When you attempt to create a storage account with 'supportsHttpsTrafficOnly' set to false, Azure denies the creation because this property is deprecated and no longer accepted. As of late 2023, Azure Storage enforces HTTPS for all new storage accounts by default, and the property has been removed from the creation API. Setting it to false triggers a validation error, resulting in a denial of the creation request.

Exam trap

The trap here is that candidates assume the property still exists and can be set to false to disable HTTPS, but Azure has deprecated and removed it, causing the creation to be denied rather than silently ignoring the setting or allowing insecure traffic.

How to eliminate wrong answers

Option A is wrong because the creation is denied before any audit log is generated; the request fails validation at the Azure Resource Manager layer. Option C is wrong because the creation is denied entirely, so no storage account is created with any enforced setting. Option D is wrong because the creation is denied, and encryption settings are not evaluated or applied when the request is rejected.

428
MCQhard

You are designing an identity governance solution for a multinational company. The company uses Microsoft Entra ID and has a requirement to automatically remove user access to critical SaaS applications when the user leaves the organization or changes roles. You need to ensure that the access removal is audited and can be reversed within 30 days if needed. What should you implement?

A.Conditional Access policies to block access for inactive users
B.Azure Automation runbooks to delete user accounts upon termination
C.Microsoft Entra Privileged Identity Management (PIM) to require approval for access assignments
D.Microsoft Entra Access Reviews with automatic removal and a grace period
AnswerD

Access Reviews can automate removal and allow reversal within the review period.

Why this answer

Microsoft Entra Access Reviews allow you to automatically remove user access to SaaS applications when a user leaves or changes roles, with a configurable grace period (up to 30 days) for reversal. This meets the audit and reversal requirements because Access Reviews provide a full audit trail of decisions and can automatically revoke access, while the grace period allows administrators to restore access within the specified timeframe.

Exam trap

The trap here is confusing identity governance features: candidates often pick PIM (Option C) because it involves approvals and access, but PIM is for privileged roles, not for ongoing user access to SaaS applications, and it lacks the automatic removal and grace period required for non-privileged access.

How to eliminate wrong answers

Option A is wrong because Conditional Access policies block access based on conditions like sign-in risk or location, but they do not automatically remove user assignments or provide a reversal mechanism; they only prevent sign-in. Option B is wrong because Azure Automation runbooks can delete user accounts, but this is irreversible and does not provide a built-in 30-day reversal or audit trail for access removal to SaaS applications. Option C is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role assignments, not the ongoing removal of user access to SaaS applications upon role changes or termination, and it does not offer a grace period for reversal.

429
MCQeasy

A company needs to store immutable audit logs for regulatory compliance. The logs must be stored in a write-once, read-many (WORM) state for 7 years. Which Azure storage feature should be used?

A.Azure Blob Storage immutable storage with time-based retention
B.Azure SQL Database temporal tables
C.Azure Blob Storage change feed
D.Azure Blob Storage soft delete
AnswerA

Enforces WORM for a specified retention period.

Why this answer

Azure Blob Storage immutable storage with time-based retention enforces a WORM (Write Once, Read Many) state, preventing logs from being modified or deleted for a specified retention period. This directly meets the regulatory requirement to store audit logs immutably for 7 years, as the policy locks the data at the container or blob level and cannot be removed until the retention interval expires.

Exam trap

The trap here is that candidates confuse soft delete or change feed with immutable storage, not realizing that only immutable storage enforces a true WORM state that prevents both deletion and overwriting, which is required for regulatory compliance.

How to eliminate wrong answers

Option B is wrong because Azure SQL Database temporal tables track historical changes to data but do not enforce WORM immutability; data can still be physically deleted or altered by privileged users. Option C is wrong because Azure Blob Storage change feed provides a transaction log of blob changes for processing, not a mechanism to prevent modifications or deletions. Option D is wrong because Azure Blob Storage soft delete only offers recovery from accidental deletion within a retention window, but does not prevent overwrites or enforce a write-once state.

430
MCQhard

Your company, Contoso Ltd., operates a global e-commerce platform hosted on Azure. The architecture consists of: (1) A web front-end running on Azure App Service in multiple regions (East US, West Europe, Southeast Asia). (2) A microservices backend running on Azure Kubernetes Service (AKS) in East US. (3) A SQL Database in East US with geo-replication to West Europe and Southeast Asia for read scaling. (4) Azure Redis Cache for session state. (5) Azure Front Door for global load balancing. The platform experiences periodic traffic spikes, and during a recent spike, users reported slow page loads and intermittent errors. The operations team observed that the SQL Database in East US reached 100% DTU consumption, causing timeouts. The geo-replicated databases in other regions were underutilized. The application logic is read-heavy but also writes to a separate write-only table. You need to design a solution to improve scalability and reduce database load. The solution must: minimize latency for users, ensure write consistency, and handle traffic spikes without over-provisioning. What should you do?

A.Upgrade the SQL Database in East US to a higher DTU tier and enable auto-scaling.
B.Configure read-only routing in the application connection string to use the geo-replicated databases for read queries, and keep writes directed to the primary.
C.Implement a second-level cache using Azure Cache for Redis with a local cache pattern in the web front-end.
D.Shard the database by customer region and deploy shards in each region.
AnswerB

This offloads read traffic to replicas, reducing primary load and improving read latency globally.

Why this answer

Option B is correct because it offloads read traffic to read replicas, which is the most effective way to reduce primary database load. Option A is wrong because increasing DTU is expensive and does not scale globally. Option C is wrong because Redis is already used for caching; further caching may help but does not address database read load as directly.

Option D is wrong because splitting the database into shards adds complexity and may not be necessary.

431
MCQhard

Refer to the exhibit. You are an Azure administrator. You assign this policy definition to a subscription. A developer attempts to deploy a virtual machine with SKU Standard_DS1_v2. What is the outcome?

A.The deployment succeeds because Standard_DS1_v2 is not explicitly denied.
B.The deployment is denied and a remediation task is created.
C.The deployment succeeds but is logged as non-compliant.
D.The deployment is denied because Standard_DS1_v2 is not in the allowed list.
AnswerD

The policy uses deny effect for SKUs not in the allowed list.

Why this answer

The policy denies any virtual machine deployment where the SKU is not in the allowed list. The allowed SKUs are Standard_DS2_v2, Standard_DS3_v2, Standard_DS4_v2. Standard_DS1_v2 is not in the list, so the deployment is denied.

Option A is incorrect because the policy denies any SKU that is not in the allowed list, rather than permitting whatever is not explicitly denied. Option C is incorrect because the effect is deny, not audit. Option B is incorrect because a deny effect blocks the deployment but does not create a remediation task.

432
MCQmedium

A company deploys a containerized application on Azure Kubernetes Service (AKS). They need to expose the application to the internet and provide TLS termination. The solution must also include a Web Application Firewall (WAF) to protect against common attacks. Which Azure service should they use as the ingress controller?

A.Azure Application Gateway
B.Azure Front Door
C.Azure Load Balancer
D.Azure Traffic Manager
AnswerA

Application Gateway can be deployed as an AKS ingress controller, providing TLS termination and WAF capabilities.

Why this answer

Azure Application Gateway is the correct choice because it is a layer-7 load balancer that can act as an ingress controller for AKS, providing TLS termination and a built-in Web Application Firewall (WAF) to protect against common attacks like SQL injection and cross-site scripting. It integrates directly with AKS via the Application Gateway Ingress Controller (AGIC) add-on, allowing it to route external HTTP/HTTPS traffic to containerized applications while offloading SSL/TLS processing and enforcing WAF policies at the edge.

Exam trap

The trap here is that candidates often confuse Azure Front Door with Application Gateway because both provide WAF and TLS termination, but Front Door is a global service for multi-region traffic distribution, not a direct AKS ingress controller that can route to pods within a single cluster.

How to eliminate wrong answers

Option B (Azure Front Door) is wrong because it is a global, multi-region load balancer and application delivery network that operates at layer 7, but it is not designed as an AKS ingress controller; it sits in front of the cluster and cannot directly route traffic to AKS pods without an additional ingress controller like Application Gateway or NGINX. Option C (Azure Load Balancer) is wrong because it operates at layer 4 (TCP/UDP) and cannot perform TLS termination or WAF inspection; it only distributes traffic at the network level without understanding HTTP/HTTPS protocols. Option D (Azure Traffic Manager) is wrong because it is a DNS-based traffic router that operates at layer 3/4 and does not provide TLS termination or WAF capabilities; it only directs traffic based on DNS resolution and health probes, not application-layer routing.

433
MCQmedium

Your organization has a hybrid identity infrastructure with Microsoft Entra ID Connect Sync. You plan to enable Microsoft Entra ID Seamless Single Sign-On (Seamless SSO) for domain-joined Windows devices. What is the minimum requirement for the on-premises Active Directory forest functional level?

A.Windows Server 2016
B.Windows Server 2012
C.Windows Server 2008
D.Windows Server 2003
AnswerC

Windows Server 2008 is the minimum required forest functional level for Seamless SSO.

Why this answer

Option C is correct because Microsoft Entra ID Seamless SSO requires the on-premises AD forest functional level to be Windows Server 2008 or higher. Option D is incorrect because Windows Server 2003 is too old. Option B (Windows Server 2012) and Option A (Windows Server 2016) would also work, but they are higher than necessary and the question asks for the minimum.

434
MCQmedium

Refer to the exhibit. You are deploying NSG flow logs. After deployment, you notice that no logs are being written to the storage account. What is the most likely cause?

A.Network Watcher is not enabled in the region.
B.Retention policy is set to 0 days.
C.The storage account is in a different subscription.
D.The format version is incorrect.
AnswerA

NSG flow logs require Network Watcher to be enabled in the region.

Why this answer

NSG flow logs require Network Watcher to be enabled in the region where the NSG resides. If Network Watcher is not enabled, the flow logs cannot be written to the storage account because the logging pipeline depends on the Network Watcher agent to capture and forward flow data. Enabling Network Watcher in the region resolves this issue.

Exam trap

The trap here is that candidates often assume the retention policy (0 days) or storage account subscription mismatch is the root cause, but the actual issue is the missing regional Network Watcher dependency, which is a prerequisite for NSG flow logs to function.

How to eliminate wrong answers

Option B is wrong because a retention policy of 0 days means logs are deleted immediately after being written, but logs would still be written to the storage account initially. Option C is wrong because NSG flow logs support writing to a storage account in a different subscription as long as the appropriate RBAC permissions are configured. Option D is wrong because the format version (e.g., version 1 or 2) affects the schema of the logs but does not prevent logs from being written to the storage account.

435
Multi-Selecthard

Which THREE of the following are valid methods to secure access to Azure Storage accounts? (Choose three.)

Select 3 answers
A.Generate Shared Access Signatures (SAS) with limited permissions and expiry
B.Configure firewall rules and virtual network service endpoints
C.Enable Azure Front Door to authenticate requests
D.Use Azure AD RBAC to assign roles to users and applications
E.Use storage account access keys for authentication
AnswersA, B, D

SAS tokens allow time-limited, permission-restricted access.

Why this answer

Options A, B, and D are valid security methods. Option A (Shared Access Signatures) provides delegated access that is limited in both permissions and lifetime. Option B (firewall rules and virtual network service endpoints) restricts network access to the storage account.

Option D (Azure AD RBAC) allows fine-grained access control for users and applications. Option E is incorrect because access keys grant full access to the account and are not a security best practice. Option C is incorrect because Azure Front Door does not provide storage access control.

436
Multi-Selectmedium

A company is designing a backup and disaster recovery solution for an on-premises SQL Server database that will be migrated to Azure. The solution must meet the following requirements: 1) Point-in-time restore up to 30 days. 2) Cross-region restore in case of a regional disaster. 3) Long-term retention of backups for 7 years for compliance. Which THREE Azure services or features should the company use? (Choose three.)

Select 3 answers
A.Azure Backup Server
B.Azure Site Recovery
C.Azure Blob Storage
D.Azure Backup
E.Azure Recovery Services vault
AnswersB, D, E

Azure Site Recovery provides disaster recovery replication and failover.

Why this answer

Option D (Azure Backup) is the central backup service: it provides point-in-time restore (up to 30 days), cross-region restore when the vault uses geo-redundant storage (GRS), and long-term retention (up to 99 years). Option E (Azure Recovery Services vault) is the container that stores the backup data; its storage redundancy is what enables cross-region restore. Option B (Azure Site Recovery) does not perform backups, but it provides disaster recovery replication and failover, which the "backup and disaster recovery" wording of the question calls for.

Option C (Azure Blob Storage) is wrong because Azure Backup writes to the vault's own managed storage; long-term backups are not stored in Blob Storage directly. Option A (Azure Backup Server) is wrong because it is for on-premises backup and is not needed when using Azure Backup.

Note that Azure Backup with a GRS-enabled vault satisfies all three backup requirements on its own, so the question's demand for three services is somewhat artificial; the intended set is B, D, and E.

437
MCQeasy

A company is migrating on-premises applications to Azure. They require that all traffic between Azure resources and on-premises resources traverse a private connection. They also want to reduce the attack surface by eliminating exposure of management endpoints over the internet. Which solution should they implement?

A.Azure Firewall
B.Azure Front Door
C.Azure ExpressRoute with Private Link for Azure services
D.Azure VPN Gateway
AnswerC

ExpressRoute provides a private connection; Private Link secures access to services.

Why this answer

Option C is correct because Azure ExpressRoute provides a private, dedicated connection, and when combined with Private Link it allows Azure services to be reached over a private endpoint, so management endpoints are never exposed on the internet. Option D is incorrect because VPN Gateway traffic is encrypted but still traverses the internet. Option A is incorrect because Azure Firewall filters traffic but does not provide a private connection.

Option B is incorrect because Azure Front Door is for web traffic and is not a private connection.

438
MCQeasy

You need to design a storage solution for a new application that requires low-latency access to frequently accessed data and also needs to archive data that is older than 90 days to the most cost-effective storage tier. Which Azure storage account type and tier configuration should you recommend?

A.Premium block blob storage account.
B.General-purpose v1 account with cool tier.
C.BlockBlobStorage account with hot tier.
D.General-purpose v2 account with hot tier and a lifecycle management policy to move to cool tier after 90 days.
AnswerD

GPv2 supports tiering and lifecycle management.

Why this answer

Option D is correct because a general-purpose v2 account supports both hot and cool tiers, and a lifecycle management policy can move blobs to the cool tier once they are older than 90 days. Option C is wrong because BlockBlobStorage does not support lifecycle management to the cool tier. Option B is wrong because general-purpose v1 does not support tiering.

Option A is wrong because premium block blob storage is built for high performance and is not cost-effective for archiving.

439
MCQmedium

A company uses Microsoft Entra ID. They want to allow users to sign in to partner applications using their Microsoft Entra ID credentials. The partner applications support SAML 2.0 and OpenID Connect. They also need to customize the appearance of the sign-in pages. Which Microsoft Entra ID feature should they configure?

A.Microsoft Entra ID B2C
B.Microsoft Entra ID Application Proxy
C.Microsoft Entra ID Enterprise Application with SAML-based SSO
D.Microsoft Entra ID Conditional Access
AnswerC

Enterprise Applications in Microsoft Entra ID support SAML/OpenID Connect SSO for partner apps and allow customization of sign-in pages.

Why this answer

Microsoft Entra ID Enterprise Application with SAML-based SSO is the correct feature because it allows you to register partner applications that support SAML 2.0 or OpenID Connect, enabling federated single sign-on using existing Microsoft Entra ID credentials. Additionally, you can customize the branding (logo, sign-in page text, etc.) for each enterprise application, meeting the requirement to customize the appearance of sign-in pages.

Exam trap

The trap here is that candidates often confuse Microsoft Entra ID B2C (designed for external customers) with the Enterprise Application gallery (designed for partner/SaaS apps), but the requirement to use existing corporate credentials and customize sign-in pages points directly to Enterprise Application SSO, not B2C.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID B2C is designed for customer-facing identity management with social and local accounts, not for enabling partner applications to use existing corporate Microsoft Entra ID credentials. Option B is wrong because Microsoft Entra ID Application Proxy provides secure remote access to on-premises web applications, not federation or SSO for partner SaaS apps. Option D is wrong because Microsoft Entra ID Conditional Access is a policy engine for enforcing access controls (e.g., MFA, location) after authentication, not a feature for configuring SSO or customizing sign-in pages.

440
MCQhard

A company is designing a hub-spoke network topology across multiple Azure regions. They plan to deploy a third-party network virtual appliance (NVA) in the hub for traffic inspection. They require that all traffic between spokes in different regions must be routed through the hub NVA, and they want to minimize the number of peered connections. Which solution should they implement?

A.VNet peering with user-defined routes (UDRs) in each spoke pointing to the NVA IP in the hub
B.Azure Virtual WAN with a secured hub using Azure Firewall
C.Azure VNet-to-VNet VPN gateways between all spokes
D.Azure ExpressRoute with private peering
AnswerA

UDRs enforce traffic routing through the hub NVA; each spoke peers only to the hub, minimizing peering connections.

Why this answer

Option A is correct because VNet peering combined with user-defined routes (UDRs) allows traffic between spokes in different regions to be forced through the NVA in the hub for inspection. By configuring UDRs in each spoke with the next hop set to the NVA's private IP, you ensure inter-spoke traffic traverses the hub without requiring a full mesh of peering connections. This minimizes the number of peered connections (only hub-to-spoke peering is needed) while meeting the routing requirement.

Exam trap

The trap here is that candidates often assume Virtual WAN (Option B) is the only way to simplify hub-spoke routing, but it does not support custom third-party NVAs for traffic inspection without complex workarounds, making VNet peering with UDRs the correct choice for this specific requirement.

How to eliminate wrong answers

Option B is wrong because Azure Virtual WAN with a secured hub using Azure Firewall introduces a managed service that may not support a third-party NVA for traffic inspection; it is designed for Azure Firewall or third-party security providers via integrated partners, not a custom NVA. Option C is wrong because Azure VNet-to-VNet VPN gateways between all spokes would create a full mesh of VPN connections, increasing complexity and cost, and it does not force traffic through the hub NVA unless additional routing is configured, which still requires more connections than hub-spoke peering. Option D is wrong because Azure ExpressRoute with private peering provides a dedicated private connection to on-premises networks, not routing between spokes in different regions; it does not address inter-spoke traffic inspection or minimize peered connections.

441
MCQhard

You are reviewing a recovery plan for Azure Site Recovery. The exhibit shows a snippet of the recovery plan configuration. What is the purpose of the script action defined in the exhibit?

A.To run a custom script on the recovered VMs after they boot up during test and unplanned failover.
B.To run a script before the VMs shut down during failover.
C.To update the Azure DNS records after failover.
D.To run a script only during planned failover from the primary to the recovery region.
AnswerA

The script action is defined in the Boot group and applies to TestFailover and UnplannedFailover types.

Why this answer

The script action runs a PowerShell script after the VMs boot (during the Boot group) for test and unplanned failovers. Such a script is typically used for post-failover tasks such as updating DNS records or configuring application settings. Option B is incorrect because the script runs after boot, not before shutdown.

Option C is incorrect because the script runs only for specific failover directions. Option D is incorrect because the script is not limited to planned failover.

442
Multi-Selecthard

Your organization has multiple Azure subscriptions and uses Azure Blueprints to enforce governance. You need to design a blueprint that includes role assignments, policy assignments, and resource groups. Which THREE components can be included in an Azure Blueprint? (Choose three.)

Select 3 answers
A.Management group
B.Role assignments
C.Policy assignment
D.Subscription
E.ARM template
AnswersB, C, E

Blueprints can include role assignments to assign RBAC roles.

Why this answer

Azure Blueprints allow you to define a repeatable set of Azure resources that adhere to your organization's standards, patterns, and requirements. Role assignments (B) are a core artifact that can be included to grant specific Azure RBAC roles at the blueprint scope, ensuring consistent access control. Policy assignments (C) are also a native blueprint artifact, enabling you to enforce compliance rules across the environment.

ARM templates (E) can be included as an artifact to deploy infrastructure as code, making them a valid component of a blueprint definition.

Exam trap

The trap here is that candidates often confuse the target scope (management group or subscription) with the artifacts that can be included in the blueprint definition, leading them to incorrectly select management group or subscription as valid blueprint components.

443
MCQhard

A company is designing a data storage solution for an IoT pipeline that ingests time-series data from millions of devices. The data is append-only and queried by time range. The solution must support low-latency queries and automated retention policies. Which Azure data store should they choose?

A.Azure SQL Database
B.Azure Cosmos DB
C.Azure Data Explorer (ADX)
D.Azure Blob Storage with Azure Data Lake Storage Gen2
AnswerC

ADX is purpose-built for time-series and IoT data, with fast ingestion and querying.

Why this answer

Azure Data Explorer (ADX) is purpose-built for interactive analytics on large volumes of streaming, time-series data. It supports append-only ingestion, low-latency queries over time ranges via its Kusto Query Language (KQL), and native automated retention policies (e.g., soft-delete and hard-delete periods) without manual management.

Exam trap

The trap here is that candidates often confuse Cosmos DB's low-latency individual item access with the need for time-series range queries, overlooking that Cosmos DB lacks native time-series indexing and automated retention policies, while ADX is the only Azure service explicitly designed for high-throughput append-only time-series analytics with built-in lifecycle management.

How to eliminate wrong answers

Option A is wrong because Azure SQL Database is a relational OLTP store optimized for transactional workloads with frequent updates, not for high-throughput append-only time-series ingestion or time-range queries at scale. Option B is wrong because Azure Cosmos DB is a multi-model NoSQL database designed for globally distributed, low-latency reads/writes on individual items, but it lacks native time-series optimization, efficient range scans over massive append-only streams, and built-in automated retention policies for time-series data. Option D is wrong because Azure Blob Storage with Azure Data Lake Storage Gen2 provides cheap, scalable object storage for raw data but does not offer low-latency interactive querying or native time-series analytics; it requires additional compute engines (e.g., Azure Synapse) to query, adding latency and complexity.

444
MCQmedium

Your organization plans to migrate a legacy on-premises application that uses a proprietary authentication mechanism to Azure. The application must run as a virtual machine and must not require any code changes. You need to design an identity solution that integrates with the application without modifying it. What should you use?

A.Azure VPN Gateway
B.Microsoft Entra Application Proxy with Kerberos Constrained Delegation
C.Microsoft Entra Domain Services
D.Azure Bastion
AnswerB

Application Proxy publishes on-premises apps without code changes and supports Kerberos Constrained Delegation for legacy authentication.

Why this answer

Option B is correct because Application Proxy with Kerberos Constrained Delegation allows legacy apps that use Kerberos authentication to be published without code changes. Option A is wrong because Azure VPN Gateway provides network connectivity, not identity integration. Option C is wrong because Microsoft Entra Domain Services provides domain services but does not proxy legacy authentication to the application.

Option D is wrong because Azure Bastion provides secure RDP/SSH access, not application-level authentication.

445
MCQeasy

Your company uses Microsoft Entra ID for identity management. You need to ensure that users can access corporate resources without passwords while maintaining a high level of security. Which feature should you implement?

A.Azure AD B2C
B.Conditional Access policies
C.Passwordless authentication
D.Multifactor authentication (MFA)
AnswerC

Passwordless methods allow users to sign in without a password, using biometrics or FIDO2 keys.

Why this answer

Passwordless authentication (Option C) is correct because it allows users to access corporate resources without entering a password, using methods like Windows Hello for Business, FIDO2 security keys, or the Microsoft Authenticator app. This eliminates password-related risks (e.g., phishing, credential theft) while maintaining strong security through cryptographic key pairs or biometric verification, aligning with the requirement for both password-free access and high security.

Exam trap

The trap here is that candidates confuse 'passwordless' with 'multifactor authentication' (MFA), assuming MFA alone removes the password requirement, but MFA still requires a password as the first factor unless explicitly combined with a passwordless method.

How to eliminate wrong answers

Option A is wrong because Azure AD B2C is a customer-facing identity service for external users (e.g., social logins), not for internal corporate resource access without passwords. Option B is wrong because Conditional Access policies enforce access controls (e.g., requiring MFA or location checks) but do not eliminate passwords; they still rely on a password as the primary authentication factor unless combined with passwordless methods. Option D is wrong because Multifactor Authentication (MFA) adds a second factor (e.g., SMS, app notification) but still requires a password as the first factor, so it does not achieve passwordless access.

446
MCQhard

A company uses Microsoft Entra ID. They need to implement a solution that automatically detects identity-related risks such as leaked credentials, impossible travel, and sign-ins from anonymous IP addresses. They want to generate reports summarizing risk events and integrate the risk data with their existing Security Information and Event Management (SIEM) system via API. Which Microsoft Entra ID feature should they use?

A.Microsoft Entra ID Conditional Access
B.Microsoft Entra ID Identity Protection
C.Microsoft Entra ID Privileged Identity Management (PIM)
D.Microsoft Entra ID Entitlement Management
AnswerB

Identity Protection detects identity risks, provides detailed reports, and exposes an API (Microsoft Graph) for retrieving risk events for SIEM integration. It is the primary service for risk detection and reporting.

Why this answer

Microsoft Entra ID Identity Protection is the correct feature because it is specifically designed to automatically detect identity-related risks such as leaked credentials, impossible travel, and sign-ins from anonymous IP addresses. It provides risk event reports and integrates with SIEM systems via the Microsoft Graph API, enabling automated risk data export for centralized monitoring.

Exam trap

The trap here is that candidates often confuse Conditional Access (which enforces policies) with Identity Protection (which detects risks), but Conditional Access relies on Identity Protection's risk signals and cannot generate risk events on its own.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID Conditional Access is a policy engine that enforces access controls based on signals (e.g., risk level from Identity Protection), but it does not detect or generate risk events itself. Option C is wrong because Privileged Identity Management (PIM) focuses on just-in-time privileged role activation and access reviews, not on detecting identity risks like leaked credentials or impossible travel. Option D is wrong because Entitlement Management handles access packages and lifecycle management for external users and groups, not risk detection or SIEM integration.

447
MCQmedium

A company uses Microsoft Entra ID. They need to grant specific IT administrators just-in-time (JIT) access to Azure virtual machines for troubleshooting. The access must be time-bound, require approval from a senior manager, and be automatically revoked after the granted time period. The company also needs an audit log of all access requests and assignments. Which Azure service or feature should they use?

A.Azure Bastion
B.Microsoft Entra ID Privileged Identity Management (PIM) for Azure resources
C.Just-in-Time VM access (Microsoft Defender for Cloud)
D.Microsoft Entra ID Application Proxy
AnswerB

PIM for Azure resources enables just-in-time, time-bound access with approval workflows and automatic revocation. It also provides a full audit trail, meeting all requirements.

Why this answer

Microsoft Entra ID Privileged Identity Management (PIM) for Azure resources provides just-in-time (JIT) access with time-bound activation, approval workflows, and automatic revocation. It also includes full audit logging of all requests and assignments, meeting all the specified requirements for granting temporary access to Azure VMs.

Exam trap

The trap here is that candidates confuse Just-in-Time VM access in Microsoft Defender for Cloud (which is network-level JIT) with PIM for Azure resources (which is role-level JIT), but only PIM supports the required approval workflow and audit logging for role assignments.

How to eliminate wrong answers

Option A is wrong because Azure Bastion provides secure RDP/SSH connectivity to VMs over TLS without public IPs, but it does not offer time-bound JIT access, approval workflows, or automatic revocation. Option C is wrong because Just-in-Time VM access in Microsoft Defender for Cloud provides time-bound network-level access (NSG rules) to VMs, but it lacks the built-in approval workflow from a senior manager and does not integrate with Entra ID PIM for role-based access control. Option D is wrong because Microsoft Entra ID Application Proxy enables secure remote access to on-premises web applications via pre-authentication, not to Azure VMs, and it does not provide JIT access, approval workflows, or automatic revocation.

448
MCQmedium

A database workload has an RPO of 15 minutes and an RTO of 4 hours. Cost is more important than near-zero data loss. Which design is usually more appropriate than synchronous multi-region replication?

A.Use scheduled backups or asynchronous replication aligned to the RPO/RTO.
B.Use synchronous replication across every Azure region.
C.Run the database on a single VM with no backups.
D.Use a public DNS CNAME only.
AnswerA

The requirement does not justify the cost and complexity of synchronous multi-region replication.

Why this answer

Option A is correct because the workload's RPO of 15 minutes and RTO of 4 hours, combined with a cost-sensitive requirement that deprioritizes near-zero data loss, make synchronous multi-region replication overkill. Scheduled backups (e.g., Azure SQL Database automated backups with point-in-time restore, scheduled to satisfy the 15-minute RPO) or asynchronous replication (e.g., Azure SQL Database active geo-replication, whose RPO of up to 5 seconds sits well within the 15-minute target) provide sufficient protection at lower cost, avoiding the latency and expense of synchronous replication across regions.

Exam trap

The trap here is that candidates often assume synchronous replication is always the best choice for business continuity, but the question explicitly prioritizes cost over near-zero data loss, making asynchronous replication or scheduled backups the more appropriate and cost-effective design.

How to eliminate wrong answers

Option B is wrong because synchronous replication across every Azure region would incur high latency, significant cost, and unnecessary complexity for a workload that tolerates up to 15 minutes of data loss and 4 hours of downtime; it is designed for near-zero RPO scenarios, which the question explicitly de-emphasizes. Option C is wrong because running the database on a single VM with no backups provides no recovery point or recovery time guarantee, violating the stated RPO of 15 minutes and RTO of 4 hours entirely. Option D is wrong because a public DNS CNAME only provides DNS-level redirection, not any database replication, backup, or failover capability, so it cannot meet the RPO or RTO requirements.

449
MCQeasy

You are designing a web application that will be hosted on Azure App Service. The application must authenticate users from your company's Microsoft Entra ID tenant. You need to implement authentication without writing any authentication code. What should you use?

A.Azure API Management with OAuth 2.0 policy
B.Microsoft Authentication Library (MSAL) integrated into the application code
C.App Service Authentication (EasyAuth)
D.Azure Front Door with authentication rules
AnswerC

EasyAuth enables authentication at the App Service platform level with Entra ID without requiring application code changes.

Why this answer

Option C is correct because EasyAuth (App Service Authentication) provides built-in authentication with Entra ID at the platform level, without any code changes. Option B is wrong because the Microsoft Authentication Library (MSAL) must be integrated into the application code. Option A is wrong because Azure API Management can add authentication in front of an API but requires configuration and may still need code in the application.

Option D is wrong because Azure Front Door does not provide user authentication.

450
MCQhard

A company is designing a data lake for analytics. The data includes personally identifiable information (PII) that must be anonymized before analysts access it. Which Azure service should they use to automate the anonymization process?

A.Azure Policy
B.Azure SQL Database dynamic data masking
C.Azure Key Vault
D.Microsoft Purview data policies
AnswerD

Automates classification and masking for data lakes.

Why this answer

Microsoft Purview data policies allow you to define and enforce data access policies that can automatically anonymize or mask sensitive data, such as PII, when accessed by analysts. This service integrates with Azure data lake storage and provides a centralized way to manage data governance and compliance, making it the correct choice for automating anonymization in a data lake scenario.

Exam trap

The trap here is that candidates often confuse Azure SQL Database dynamic data masking (Option B) with a general-purpose anonymization solution, but it only works for relational databases, not for data lakes, and does not automate the process across heterogeneous file formats.

How to eliminate wrong answers

Option A is wrong because Azure Policy is used to enforce organizational standards and assess compliance across Azure resources, not to automate data-level anonymization or masking within a data lake. Option B is wrong because Azure SQL Database dynamic data masking applies masking at the database query level for SQL databases, but it is not designed for data lake storage (e.g., Azure Data Lake Storage Gen2) and does not automate anonymization for file-based analytics. Option C is wrong because Azure Key Vault is a service for securely storing and managing secrets, keys, and certificates, not for applying data anonymization or masking transformations.
