Microsoft Azure Solutions Architect Expert (AZ-305) - Questions 451-525

999 questions total · 14 pages · All types, answers revealed

Page 7 of 14
451
MCQmedium

An on-premises datacenter must connect privately to Azure with predictable bandwidth and avoid traversal of the public internet. Which connectivity option should be recommended?

A.Azure Bastion
B.Point-to-site VPN
C.Site-to-site VPN only
D.ExpressRoute
AnswerD

ExpressRoute provides private dedicated connectivity to Microsoft cloud services through a connectivity provider.

Why this answer

ExpressRoute provides a dedicated private connection from on-premises to Azure, bypassing the public internet entirely. It offers predictable bandwidth, low latency, and high reliability through a Layer 3 MPLS or direct fiber link from a connectivity provider. This meets the requirement for a private, consistent network path without internet traversal.

Exam trap

The trap here is that candidates may confuse Site-to-site VPN (which also provides a private IP tunnel) as meeting the 'private' requirement, but it still traverses the public internet and cannot guarantee predictable bandwidth like ExpressRoute.

How to eliminate wrong answers

Option A is wrong because Azure Bastion is a managed PaaS service for secure RDP/SSH access to Azure VMs over TLS, not a connectivity option for on-premises datacenters. Option B is wrong because Point-to-site VPN connects individual clients over the public internet (OpenVPN, SSTP or IKEv2), which cannot guarantee predictable bandwidth and does traverse the internet. Option C is wrong because Site-to-site VPN uses IPsec tunnels over the public internet, which introduces variable latency and bandwidth due to internet routing, failing the requirement for predictable bandwidth and no public internet traversal.

452
MCQhard

Refer to the exhibit. The JSON snippet shows the properties of a replication-protected item in Azure Site Recovery. What is the MOST LIKELY reason for the replication health being 'Critical'?

A.The replication storage account is misconfigured
B.There is a network connectivity issue between the on-premises site and Azure
C.A planned failover was completed, stopping replication
D.A test failover was initiated but not cleaned up
AnswerC

After a planned failover, replication stops, causing critical health until replication is resumed.

Why this answer

Option C is correct because the 'currentProtectionState' is 'PlannedFailoverCompleted', which means a planned failover has been executed and replication from on-premises to Azure has stopped. After a planned failover, replication is no longer active until the item is re-protected (reverse replication), so Site Recovery reports the health as Critical. Option D is wrong because a test failover that was not cleaned up would show a test-failover state (e.g., 'TestFailoverInitiated' or 'TestFailoverCompleted'), not a planned-failover state.

Option B is wrong because network connectivity issues would surface as replication errors or a state such as 'InitialReplicationPending', not a completed planned failover. Option A is wrong because a storage account misconfiguration would cause replication errors, not a completed planned failover state.

453
MCQeasy

Your company requires that all administrative actions in Azure subscriptions be logged and retained for seven years. Which service should you use to collect and store these logs?

A.Azure Monitor Metrics
B.Azure Resource Health
C.Azure Activity Log
D.Microsoft Entra ID audit logs
AnswerC

Activity Log captures all control-plane operations; it is kept for 90 days by default and must be exported through a diagnostic setting to meet a 7-year retention requirement.

Why this answer

The Azure Activity Log (surfaced through Azure Monitor) records control-plane operations (create, update, delete, role assignments) on Azure resources. The platform itself keeps it for only 90 days, so to satisfy seven-year retention you configure a diagnostic setting that streams it to a Log Analytics workspace or an Azure Storage account, where retention is under your control. This meets the requirement for logging and long-term retention of administrative actions.

Exam trap

The trap here is that candidates confuse the Azure Activity Log (control-plane) with Microsoft Entra ID audit logs (identity-plane), or mistakenly think Azure Monitor Metrics can store long-term administrative logs instead of numerical performance data.

How to eliminate wrong answers

Option A is wrong because Azure Monitor Metrics stores numerical time-series data (e.g., CPU usage, request counts) with a default retention of 93 days, not administrative action logs for seven years. Option B is wrong because Azure Resource Health provides real-time status of resource availability and service issues, not a historical log of administrative actions. Option D is wrong because Microsoft Entra ID audit logs record directory changes (and the separate sign-in logs record authentications), not control-plane operations on Azure resources.

454
Multi-Selectmedium

Which THREE Azure services can be used to implement a disaster recovery plan for Azure Virtual Desktop (AVD) that meets an RTO of 2 hours and an RPO of 30 minutes? (Select THREE.)

Select 3 answers
A.Azure Database for MySQL
B.Azure Migrate
C.Azure Site Recovery
D.Azure Backup
E.Azure Files with geo-redundant storage
AnswersC, D, E

Replicates session host VMs cross-region.

Why this answer

Options C, D, and E are correct. Azure Site Recovery replicates AVD session host VMs to a secondary region and supports orchestrated failover within the 2-hour RTO and 30-minute RPO. Azure Files can store FSLogix profile containers in a geo-redundant standard storage account so that user profiles remain available in the secondary region.

Azure Backup can back up the session hosts and the file shares that hold user data. Options A and B are wrong: Azure Migrate is for discovery and migration, not DR; Azure Database for MySQL is not part of an AVD deployment.

455
MCQhard

Refer to the exhibit. You are deploying a Log Analytics workspace using an ARM template with the parameters shown. Your compliance team requires that all log data be retained for at least 2 years. Which parameter value should you modify?

A.retentionInDays
B.workspaceName
C.sku
D.dailyQuotaGb
AnswerA

Retention is set to 365 days; must be changed to 730 or more to meet 2-year requirement.

Why this answer

The `retentionInDays` parameter controls how long log data is retained in a Log Analytics workspace. To meet the compliance requirement of at least 2 years (730 days), you must set this value to 730 or higher. The default retention is 30 days for free tiers and up to 730 days for paid tiers, but the parameter must be explicitly modified to enforce the 2-year retention.

Exam trap

The trap here is that candidates often confuse `sku` with retention capabilities, assuming that upgrading the SKU automatically extends retention, when in fact `retentionInDays` is an independent parameter that must be explicitly set to meet compliance requirements.

How to eliminate wrong answers

Option B is wrong because `workspaceName` only defines the name of the Log Analytics workspace and has no impact on data retention policies. Option C is wrong because `sku` determines the pricing tier (e.g., PerGB2018, Standalone) and affects features like ingestion costs and retention limits, but does not directly set the retention period; retention is configured separately via `retentionInDays`. Option D is wrong because `dailyQuotaGb` sets a cap on daily data ingestion to control costs, not the retention duration of stored logs.
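The retention check above is easy to automate before a template reaches a pipeline. The following script is an added example, not code from the original page or from Microsoft: it loads a constructed ARM template (not the question's exhibit) whose `retentionInDays` parameter defaults to 365, resolves `[parameters('...')]` expressions the way a parameter file would, and reports every Log Analytics workspace below 730 days. The 30-day fallback used when the property is omitted is an assumption about the workspace default, and only the `parameters()` function is handled.

```python
import json

# Constructed ARM template (an illustration, not the exhibit from the question).
# The retentionInDays default of 365 reproduces the non-compliant starting point.
TEMPLATE = json.loads(r'''
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName":   {"type": "string", "defaultValue": "law-prod"},
    "sku":             {"type": "string", "defaultValue": "PerGB2018"},
    "retentionInDays": {"type": "int",    "defaultValue": 365},
    "dailyQuotaGb":    {"type": "int",    "defaultValue": 5}
  },
  "resources": [
    {
      "type": "Microsoft.OperationalInsights/workspaces",
      "apiVersion": "2022-10-01",
      "name": "[parameters('workspaceName')]",
      "location": "westeurope",
      "properties": {
        "sku": {"name": "[parameters('sku')]"},
        "retentionInDays": "[parameters('retentionInDays')]",
        "workspaceCapping": {"dailyQuotaGb": "[parameters('dailyQuotaGb')]"}
      }
    }
  ]
}
''')

REQUIRED_RETENTION_DAYS = 730   # two years
DEFAULT_RETENTION_DAYS = 30     # assumed workspace default when the property is omitted

def resolve(value, parameters, overrides=None):
    """Resolve a literal or a "[parameters('x')]" expression.

    Only the parameters() function is handled, which is enough for this template.
    'overrides' plays the role of a parameter file supplied at deployment time.
    """
    prefix, suffix = "[parameters('", "')]"
    if isinstance(value, str) and value.startswith(prefix) and value.endswith(suffix):
        name = value[len(prefix):-len(suffix)]
        if overrides and name in overrides:
            return overrides[name]
        param = parameters.get(name, {})
        if "defaultValue" not in param:
            raise ValueError(f"parameter {name!r} has no value and no default")
        return param["defaultValue"]
    return value

def check_workspace_retention(template, overrides=None, minimum=REQUIRED_RETENTION_DAYS):
    """Return (workspace name, effective retention) for every workspace below 'minimum' days."""
    findings = []
    params = template.get("parameters", {})
    for res in template.get("resources", []):
        if res.get("type", "").lower() != "microsoft.operationalinsights/workspaces":
            continue
        name = resolve(res.get("name"), params, overrides)
        props = res.get("properties", {})
        retention = resolve(props.get("retentionInDays", DEFAULT_RETENTION_DAYS), params, overrides)
        if int(retention) < minimum:
            findings.append((name, int(retention)))
    return findings

if __name__ == "__main__":
    print(check_workspace_retention(TEMPLATE))                                      # [('law-prod', 365)]
    print(check_workspace_retention(TEMPLATE, overrides={"sku": "PerGB2018"}))      # [('law-prod', 365)]
    print(check_workspace_retention(TEMPLATE, overrides={"retentionInDays": 730}))  # []
```

The second call reproduces the exam trap: supplying a paid SKU changes nothing, because retention is its own property; only a `retentionInDays` value of 730 or more clears the finding.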

456
MCQeasy

A company plans to store operational logs from Azure App Services in a scalable and cost-effective way. The logs must be retained for 90 days and then automatically deleted. Which Azure data storage solution should you recommend?

A.Azure Blob Storage with lifecycle management
B.Azure SQL Database with retention policy
C.Azure Log Analytics Workspace
D.Azure Cosmos DB with TTL
AnswerC

Log Analytics Workspace is optimized for log data with retention policies and query capabilities.

Why this answer

Option C is correct because a Log Analytics workspace is designed for storing and querying log data and has a built-in retention setting that can be set to 90 days, after which data is deleted automatically. Option A is wrong because Blob Storage with lifecycle management can expire data on schedule, but it lacks native log querying. Option B is wrong because Azure SQL Database is for relational data and is less cost-effective for high-volume logs.

Option D is wrong because Cosmos DB is for NoSQL transactional workloads and is expensive as a log store.

457
Multi-Selectmedium

Which TWO Azure services can be used to host a MongoDB-compatible database with global distribution? (Select two.)

Select 2 answers
A.Azure SQL Database
B.Azure Cosmos DB API for MongoDB
C.Azure Database for PostgreSQL
D.Azure Database for MongoDB (MongoDB Atlas on Azure)
E.Azure Cache for Redis
AnswersB, D

Cosmos DB API for MongoDB provides MongoDB compatibility with global distribution.

Why this answer

Azure Cosmos DB API for MongoDB is correct because it provides a MongoDB-compatible API layer over Cosmos DB's globally distributed, multi-model database engine. This allows you to use standard MongoDB drivers and tools while benefiting from Cosmos DB's turnkey global distribution, multi-region writes, and 99.999% availability SLA.

Exam trap

The trap here is that candidates may assume only one service can host a MongoDB-compatible database, overlooking that both a native MongoDB service (Atlas) and a protocol-compatible alternative (Cosmos DB API for MongoDB) are valid, and that Azure SQL Database or PostgreSQL are relational databases that cannot serve MongoDB workloads.

458
Multi-Selectmedium

A hub-and-spoke Azure network must centralize outbound inspection and still allow spokes to resolve private endpoint DNS names. Which two components are commonly required? (Choose 2.)

Select 2 answers
A.User-defined routes from spoke subnets to the firewall or NVA.
B.Private DNS zones linked to the VNets or resolved through a central DNS design.
C.A public IP address on every private endpoint.
D.Basic SKU load balancers in each spoke.
AnswersA, B

UDRs steer traffic through the inspection point.

Why this answer

Option A is correct because user-defined routes (UDRs) on spoke subnets force all outbound traffic (including internet-bound traffic, typically a 0.0.0.0/0 route with next hop type VirtualAppliance pointing at the firewall's private IP) to the central firewall or network virtual appliance (NVA) in the hub, enabling centralized inspection. Without UDRs, spoke VMs would bypass the firewall and use default outbound internet access, breaking the inspection requirement. Option B is correct because a private endpoint's FQDN must resolve to its private IP; that requires the matching Private DNS zone (for example privatelink.blob.core.windows.net) to be linked to the spoke VNets, or to be reachable through a central DNS design such as a hub resolver or the firewall's DNS proxy.

Exam trap

The trap here is that candidates often assume private endpoints require public IPs for DNS resolution, but Azure Private DNS zones resolve FQDNs to private IPs, and UDRs handle traffic routing without needing public exposure.

459
MCQmedium

A company runs a critical application that uses Azure SQL Managed Instance in the West Europe region. They need to ensure that the database remains available if a regional failure occurs. The solution must provide automatic failover with an RPO of less than 5 seconds and an RTO of less than 1 minute. The secondary region must also be able to serve read-only queries for reporting purposes. Which Azure service should they use?

A.Configure Azure SQL Managed Instance with an auto-failover group to a secondary instance in North Europe.
B.Enable read-access geo-redundant storage (RA-GRS) on the storage account hosting the database files.
C.Deploy SQL Server Always On Availability Groups with a synchronous replica in North Europe.
D.Use Azure Site Recovery to replicate the SQL Managed Instance to a secondary region as a virtual machine.
AnswerA

Auto-failover groups provide geo-replication with automatic failover, a 5-second RPO, and a read-only listener on the secondary.

Why this answer

Azure SQL Managed Instance supports auto-failover groups, which replicate the instance's databases to a secondary instance in another region (here North Europe) and fail over automatically when the primary becomes unavailable. Geo-replication is asynchronous, with a documented RPO of 5 seconds, and the failover needs no manual intervention. The secondary serves read-only reporting through the failover group's read-only listener endpoint (the `<fog-name>.secondary.<dns-zone>.database.windows.net` name), which always points at whichever instance is currently secondary. This meets all stated requirements for regional failover, low RPO/RTO, and read-only reporting.

Exam trap

The trap here is that candidates often confuse Azure SQL Managed Instance's auto-failover groups with SQL Server Always On Availability Groups on IaaS VMs, or mistakenly think storage-level replication (RA-GRS) can provide database-level failover with sub-minute RTO.

How to eliminate wrong answers

Option B is wrong because RA-GRS is a storage redundancy option for Azure Storage accounts, not for SQL Managed Instance databases; it does not fail over the database engine and gives no database-level RPO guarantee. Option C is wrong because SQL Server Always On Availability Groups are a feature of SQL Server on virtual machines that you build and operate yourself; they are not available on Azure SQL Managed Instance, which is the platform the application already uses. Option D is wrong because Azure Site Recovery replicates virtual machines, not the Managed Instance PaaS service; even for VM-based SQL it yields RTOs of minutes to hours and offers no read-only query routing to the secondary.

460
MCQhard

A company uses Microsoft Entra ID. They need to enforce that all users accessing the company's internal application from mobile devices must be compliant with device management policies (e.g., require a PIN and encryption). The application does not support modern authentication. Which Microsoft Entra ID feature should they use?

A.Microsoft Entra ID Conditional Access
B.Microsoft Entra ID Application Proxy
C.Microsoft Entra ID Identity Protection
D.Microsoft Entra ID Privileged Identity Management
AnswerB

Application Proxy publishes the legacy app to the cloud, adds Microsoft Entra ID authentication, and allows Conditional Access policies to enforce device compliance.

Why this answer

Microsoft Entra ID Application Proxy is the correct choice because it enables secure remote access to on-premises web applications that do not support modern authentication. By publishing the internal application through Application Proxy, you can enforce device compliance policies (e.g., requiring a PIN and encryption) via Conditional Access policies applied to the Application Proxy service, even though the application itself uses legacy authentication.

Exam trap

The trap here is that candidates often assume Conditional Access alone can enforce device compliance on any application, but they miss the critical requirement that the application must support modern authentication; Application Proxy is the bridge that enables Conditional Access to work with legacy apps.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID Conditional Access is a policy engine that enforces access controls, but it cannot directly enforce device compliance on an application that does not support modern authentication; it requires the application to support modern authentication protocols (e.g., OAuth 2.0, OpenID Connect) to evaluate device state. Option C is wrong because Microsoft Entra ID Identity Protection is focused on detecting and responding to identity-based risks (e.g., leaked credentials, anomalous sign-ins), not on enforcing device management policies or enabling legacy app access. Option D is wrong because Microsoft Entra ID Privileged Identity Management is designed for managing, controlling, and monitoring privileged roles and just-in-time access, not for enforcing device compliance or proxying legacy applications.

461
Multi-Selecteasy

Which TWO Microsoft Entra ID editions include Conditional Access? (Choose two.)

Select 2 answers
A.Microsoft Entra ID P1
B.Microsoft Entra ID P2
C.Azure AD Basic (legacy)
D.Microsoft 365 Business Basic
E.Microsoft Entra ID Free
AnswersA, B

P1 includes Conditional Access.

Why this answer

Microsoft Entra ID P1 includes Conditional Access, which allows organizations to enforce access policies based on signals like user, location, device, and application. This edition provides the core Conditional Access capabilities needed for most enterprise scenarios, such as requiring multi-factor authentication or blocking access from untrusted locations.

Exam trap

The trap here is that candidates often confuse Microsoft 365 Business Basic (which includes only Azure AD Free) with a higher-tier license that includes Conditional Access, or mistakenly think legacy Azure AD Basic still supports Conditional Access.

462
MCQmedium

Refer to the exhibit. You are reviewing an ARM template that deploys a virtual network with two subnets. Subnet-b includes a delegation to Microsoft.Web/serverFarms. What is the purpose of this delegation?

A.It allows subnet-b to use a different address space
B.It configures a firewall policy for subnet-b
C.It creates a peering connection to another virtual network
D.It enables Azure App Service instances to be deployed into subnet-b
AnswerD

Delegation gives control of the subnet to the specified service, here App Service.

Why this answer

Delegation to Microsoft.Web/serverFarms indicates that the subnet is reserved for Azure App Service regional VNet integration (the App Service Plan injects its outbound traffic into the subnet). Option A is incorrect because delegation does not define address space. Option B is incorrect because firewall policies are not configured via delegation.

Option C is incorrect because VNet peering is unrelated to subnet delegation.

463
MCQeasy

A company uses Microsoft Entra ID. They need to grant temporary administrative roles to users for specific tasks. The process must require approval from a designated approver, and the access must automatically expire after a defined period. The company also needs audit logs of all role assignments and activations. Which Microsoft Entra ID feature should they implement?

A.Microsoft Entra ID Privileged Identity Management (PIM)
B.Microsoft Entra ID Entitlement Management
C.Microsoft Entra ID Identity Protection
D.Microsoft Entra ID Conditional Access
AnswerA

PIM provides just-in-time (JIT) privileged access to Microsoft Entra ID roles and Azure resources. It supports approval workflows, time-bound role assignments, automatic expiration, and detailed audit logging.

Why this answer

Microsoft Entra ID Privileged Identity Management (PIM) is the correct choice because it provides just-in-time (JIT) privileged access, requiring approval from designated approvers and automatically expiring role assignments after a defined duration. PIM also generates detailed audit logs for all role activations and assignments, meeting the compliance and monitoring requirements.

Exam trap

The trap here is confusing Entitlement Management (which handles access packages and reviews) with PIM (which specifically handles privileged role activation and approval workflows), leading candidates to pick Option B for its 'approval' and 'expiration' keywords.

How to eliminate wrong answers

Option B is wrong because Entitlement Management focuses on automating access requests and reviews for groups, apps, and sites, not on granting temporary administrative roles with approval workflows and automatic expiration. Option C is wrong because Identity Protection is designed to detect and remediate identity-based risks (e.g., compromised credentials, sign-in anomalies), not to manage role-based access or approvals. Option D is wrong because Conditional Access enforces policies based on signals (e.g., location, device state) at sign-in, but does not handle role activation, approval workflows, or automatic expiration of administrative roles.

464
MCQeasy

A company wants to store raw data from IoT devices, social media feeds, and transactional databases for analytics. They need a storage solution that supports a hierarchical namespace for organizing data into directories and allows fine-grained access control at the directory and file level. They also need to query the data using Azure Synapse Analytics in-place. Which Azure storage solution should they use?

A.Azure Blob Storage
B.Azure Data Lake Storage Gen2
C.Azure Files
D.Azure Cosmos DB
AnswerB

Azure Data Lake Storage Gen2 provides a hierarchical namespace, ACL-based permissions, and seamless integration with Azure Synapse Analytics for in-place querying.

Why this answer

Azure Data Lake Storage Gen2 (ADLS Gen2) is the correct choice because it provides a hierarchical namespace that organizes data into directories and subdirectories, supports POSIX-like fine-grained access control at the directory and file level via ACLs, and can be queried in-place by Azure Synapse Analytics using its built-in serverless SQL pool or dedicated SQL pool. This combination of hierarchical namespace, granular security, and direct analytics integration makes it ideal for the described raw data storage and analytics scenario.

Exam trap

The trap here is that candidates often confuse Azure Blob Storage (flat namespace, no directory ACLs) with ADLS Gen2 (hierarchical namespace, full ACL support) because both are built on the same underlying storage platform, but only ADLS Gen2 enables the directory-level organization and fine-grained access control required for enterprise analytics workloads.

How to eliminate wrong answers

Option A is wrong because a standard Blob Storage account (without the hierarchical namespace enabled) uses a flat namespace and container-level access policies, not directory and file-level ACLs, so it cannot meet the directory organization and granular access control requirements. Option C is wrong because Azure Files provides SMB file shares with directory structure and ACLs, but it is not designed for in-place querying by Azure Synapse Analytics and lacks the scale-out performance and analytics integration needed for big data workloads. Option D is wrong because Azure Cosmos DB is a NoSQL database optimized for transactional and real-time workloads with its own query API (SQL, MongoDB, etc.), not a storage solution for raw data with a hierarchical namespace, and it cannot be queried in-place by Azure Synapse Analytics as a storage layer.

465
MCQmedium

A company runs critical Azure virtual machines (VMs) in the West US region. They need a disaster recovery solution that replicates VMs to East US. The recovery point objective (RPO) must be 15 minutes and the recovery time objective (RTO) must be 2 hours. The VMs use managed disks and the application requires consistent state across multiple VMs. They want to test failover without impacting production. Which Azure service should they use?

A.Azure Backup with backup policies set to 15-minute frequency
B.Azure Site Recovery with crash-consistent replication
C.Azure Site Recovery with app-consistent replication
D.Azure Backup with application-consistent snapshot
AnswerC

App-consistent replication ensures data integrity across VMs, meets the 15-minute RPO, and supports test failover without impact.

Why this answer

Azure Site Recovery with app-consistent replication (Option C) is correct because it meets the RPO of 15 minutes and RTO of 2 hours while ensuring consistent state across multiple VMs. App-consistent recovery points use Volume Shadow Copy Service (VSS) on Windows (or pre/post scripts on Linux) to quiesce applications and flush in-memory writes to disk, so the recovered VMs are in an application-consistent state rather than merely crash-consistent. For multi-VM applications, Site Recovery's multi-VM consistency (replication groups) produces shared recovery points across the VMs, and test failover into an isolated virtual network lets you exercise the plan without touching production.

Exam trap

The trap here is that candidates confuse Azure Backup (which is for point-in-time backups with longer RTO) with Azure Site Recovery (which is for continuous replication and failover), and they may incorrectly assume crash-consistent replication is sufficient for multi-VM application consistency when app-consistent replication is explicitly required.

How to eliminate wrong answers

Option A is wrong because Azure Backup with a 15-minute frequency is designed for backup and restore, not replication for disaster recovery; it cannot achieve the required RTO of 2 hours for multi-VM failover and does not support orchestrated failover across VMs. Option B is wrong because Azure Site Recovery with crash-consistent replication only guarantees that the VM is in a state as if it had crashed, which does not ensure application-consistent state across multiple VMs, violating the requirement for consistent state. Option D is wrong because Azure Backup with application-consistent snapshot is a backup solution, not a replication service; it does not provide continuous replication or the ability to failover to a secondary region with the required RPO and RTO, and it lacks the orchestration for multi-VM consistency.

466
Multi-Selectmedium

Which TWO Azure services provide native support for Azure Active Directory (now Entra ID) authentication for accessing data? (Choose two.)

Select 2 answers
A.Azure Blob Storage.
B.Azure Files (SMB).
C.Azure SQL Database.
D.Azure Cache for Redis.
E.Azure Cosmos DB.
AnswersA, C

Supports Microsoft Entra ID authentication for blobs.

Why this answer

Options A and C are correct. Azure SQL Database supports Microsoft Entra ID authentication for database logins. Azure Storage supports Microsoft Entra ID authorization (Azure RBAC) for blob and queue data operations.

Option B is wrong in the question's framing because Azure Files supports Entra ID only for SMB access (Kerberos), not for the REST data plane; the intended answers are Storage (blobs) and SQL. Option D is wrong because Azure Cache for Redis has traditionally used access keys. Option E is wrong because Azure Cosmos DB has traditionally used account keys and resource tokens.

Note that this question reflects an older feature set: Azure Cosmos DB for NoSQL now supports Entra ID data-plane authorization through Cosmos DB RBAC, and Azure Cache for Redis now supports Entra ID token authentication. On the exam, pick Storage and SQL as the canonical answers.

467
MCQmedium

A healthcare analytics platform stores semi-structured JSON documents and requires globally distributed low-latency reads with tunable consistency. Which Azure data platform should be recommended?

A.Azure Cosmos DB
B.Azure Files premium shares
C.Azure Data Factory
D.Azure SQL Managed Instance
AnswerA

Cosmos DB provides globally distributed NoSQL APIs, tunable consistency, and low-latency reads.

Why this answer

Azure Cosmos DB is the correct choice because it natively supports semi-structured JSON documents, offers globally distributed multi-region writes and reads with low-latency (typically <10 ms at the 99th percentile), and provides tunable consistency levels (from strong to eventual) via its multi-master replication protocol. This directly matches the requirements for a healthcare analytics platform needing global distribution and flexible consistency.

Exam trap

The trap here is that candidates often confuse Azure SQL Managed Instance's JSON support (which can store JSON as text but lacks native document indexing and global distribution) with a true document database, or they mistakenly think Azure Files can serve as a document store because it supports file-based access, ignoring the need for queryable semi-structured data and tunable consistency.

How to eliminate wrong answers

Option B is wrong because Azure Files premium shares provide SMB/NFS file shares with low latency but are not designed for semi-structured JSON document storage or globally distributed low-latency reads with tunable consistency; they are a file-level service, not a document database. Option C is wrong because Azure Data Factory is a cloud-based ETL and data integration service, not a data store; it cannot serve low-latency reads or provide tunable consistency for stored documents. Option D is wrong because Azure SQL Managed Instance is a relational database engine (SQL Server) that stores data in a structured, tabular format, not semi-structured JSON documents natively, and its global distribution capabilities are limited to failover groups with eventual consistency, lacking the tunable consistency levels of Cosmos DB.

468
MCQmedium

A company uses Microsoft Entra ID. They want to integrate their security operations with a third-party SIEM tool. They need to export all Microsoft Entra ID sign-in logs and audit logs to the SIEM for analysis. The solution should be automated and near real-time. Which Azure service should they configure?

A.Azure Event Hubs
B.Azure Logic Apps
C.Azure Monitor
D.Azure Storage
AnswerA

Event Hubs can receive log streams from Microsoft Entra ID diagnostic settings and forward to SIEM tools.

Why this answer

Azure Event Hubs is the correct service because it provides a high-throughput, low-latency data ingestion platform that can receive streaming diagnostic data from Microsoft Entra ID. By configuring diagnostic settings in Entra ID to stream sign-in and audit logs to an Event Hubs namespace, you enable near real-time export to a third-party SIEM tool via the Event Hubs-compatible endpoint, typically using the AMQP or HTTPS protocol.

Exam trap

The trap here is that candidates often confuse Azure Monitor's log collection capability with real-time streaming, not realizing that Monitor itself cannot natively push logs to external SIEMs without Event Hubs as the intermediary pipeline.

How to eliminate wrong answers

Option B (Azure Logic Apps) is wrong because Logic Apps is an orchestration and workflow service, not a streaming data ingestion platform; it would introduce latency and complexity for continuous, near real-time log export. Option C (Azure Monitor) is wrong because Azure Monitor is a monitoring and alerting service that can collect logs but does not natively stream them to external SIEM tools in near real-time; it relies on Event Hubs as a pipeline for such exports. Option D (Azure Storage) is wrong because Azure Storage is a batch-oriented, blob/table storage service that does not support real-time streaming; logs exported there would require additional processing and polling, breaking the near real-time requirement.
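What the SIEM side receives from that pipeline is worth seeing concretely. The script below is an added example, not code from the original page or from Microsoft: it consumes constructed Event Hubs message bodies in the `{"records": [...]}` envelope that diagnostic settings write (field names follow the SignInLogs and AuditLogs categories; the user names, IPs and timestamps are made up), normalizes the records, and runs three simple detections (a password spray from one source IP, a high-risk sign-in, and a Global Administrator role assignment). The spray threshold of three accounts per IP is an arbitrary choice for the example.

```python
import json
from collections import defaultdict

# Constructed Event Hubs message bodies (not real tenant data). Each body carries the
# {"records": [...]} envelope that Entra ID diagnostic settings write; record fields
# follow the SignInLogs and AuditLogs categories.
SAMPLE_MESSAGES = [
    json.dumps({"records": [
        {"time": "2024-05-01T10:00:01Z", "category": "SignInLogs", "resultType": "50126",
         "callerIpAddress": "203.0.113.10",
         "properties": {"userPrincipalName": "alice@contoso.example",
                        "appDisplayName": "Office 365", "riskLevelDuringSignIn": "none"}},
        {"time": "2024-05-01T10:00:04Z", "category": "SignInLogs", "resultType": "50126",
         "callerIpAddress": "203.0.113.10",
         "properties": {"userPrincipalName": "bob@contoso.example",
                        "appDisplayName": "Office 365", "riskLevelDuringSignIn": "none"}},
        {"time": "2024-05-01T10:00:07Z", "category": "SignInLogs", "resultType": "50126",
         "callerIpAddress": "203.0.113.10",
         "properties": {"userPrincipalName": "carol@contoso.example",
                        "appDisplayName": "Office 365", "riskLevelDuringSignIn": "none"}},
        {"time": "2024-05-01T10:01:00Z", "category": "SignInLogs", "resultType": "0",
         "callerIpAddress": "198.51.100.7",
         "properties": {"userPrincipalName": "dave@contoso.example",
                        "appDisplayName": "Azure Portal", "riskLevelDuringSignIn": "high"}},
    ]}).encode(),
    json.dumps({"records": [
        {"time": "2024-05-01T10:02:00Z", "category": "AuditLogs",
         "operationName": "Add member to role",
         "properties": {"result": "success",
                        "initiatedBy": {"user": {"userPrincipalName": "dave@contoso.example"}},
                        "targetResources": [{"type": "Role", "displayName": "Global Administrator"}]}},
    ]}).encode(),
]

PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}

def parse_envelope(body: bytes) -> list:
    """Unwrap one Event Hubs message into its list of diagnostic records."""
    payload = json.loads(body.decode("utf-8"))
    return payload.get("records", [])

def normalize(rec: dict) -> dict:
    """Flatten a record into the handful of fields the detections below need."""
    props = rec.get("properties", {})
    return {
        "time": rec.get("time"),
        "category": rec.get("category"),
        "operation": rec.get("operationName"),
        "result": rec.get("resultType", props.get("result")),
        "ip": rec.get("callerIpAddress"),
        "user": props.get("userPrincipalName")
                or props.get("initiatedBy", {}).get("user", {}).get("userPrincipalName"),
        "risk": props.get("riskLevelDuringSignIn", "none"),
        "targets": [t.get("displayName") for t in props.get("targetResources", [])],
    }

def detect(messages, spray_threshold: int = 3) -> list:
    """Run three detections over the messages and return (rule, detail) alerts."""
    events = [normalize(r) for body in messages for r in parse_envelope(body)]
    alerts = []
    failed_users_by_ip = defaultdict(set)
    for e in events:
        if e["category"] == "SignInLogs":
            if e["result"] != "0":                 # non-zero resultType means the sign-in failed
                failed_users_by_ip[e["ip"]].add(e["user"])
            if e["risk"] in ("medium", "high"):    # Identity Protection real-time risk
                alerts.append(("risky_signin", f"{e['user']} from {e['ip']} risk={e['risk']}"))
        elif e["category"] == "AuditLogs" and e["operation"] == "Add member to role":
            hit = PRIVILEGED_ROLES.intersection(e["targets"])
            if hit and e["result"] == "success":
                alerts.append(("privileged_role_assignment", f"{e['user']} -> {sorted(hit)}"))
    for ip, users in failed_users_by_ip.items():
        if len(users) >= spray_threshold:          # one source, many distinct accounts
            alerts.append(("password_spray", f"{ip} failed against {len(users)} users"))
    return alerts

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_MESSAGES):
        print(rule, detail)
```

In production the bodies would come from an Event Hubs consumer (checkpointing per partition) rather than a list, and the spray rule would be windowed by time; the envelope handling and field mapping are what carry over unchanged.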

469
MCQmedium

You are designing a monitoring solution for a global e-commerce application hosted on Azure. The application experiences intermittent performance degradation that is difficult to reproduce. You need to ensure that you can capture detailed diagnostic data when the degradation occurs, without permanently storing large amounts of data. Which Azure feature should you use?

A.Use Application Insights continuous export to send all telemetry to a storage account.
B.Implement an Azure Monitor Data Collection Rule with a schedule-based filter to capture detailed logs during degradation.
C.Configure a Log Analytics workspace to collect all performance counters and IIS logs.
D.Enable Azure Metrics for the application to monitor performance in real-time.
AnswerB

DCRs allow conditional data collection, enabling targeted troubleshooting.

Why this answer

Option B is correct because Azure Monitor Data Collection Rules (DCRs) allow you to define a schedule-based filter that triggers detailed log collection only during specific conditions, such as when performance degradation is detected. This enables capturing granular diagnostic data exactly when needed without permanently storing large volumes of telemetry, aligning with the requirement to avoid persistent high storage costs.

Exam trap

The trap here is that candidates often confuse continuous data collection (options A, C, D) with conditional data capture, overlooking that Data Collection Rules can be dynamically enabled or disabled via schedule or alert triggers to meet the 'capture only when needed' requirement.

How to eliminate wrong answers

Option A is wrong because Application Insights continuous export sends all telemetry to a storage account continuously, resulting in permanent storage of large amounts of data, which contradicts the requirement to avoid permanently storing large volumes. Option C is wrong because configuring a Log Analytics workspace to collect all performance counters and IIS logs would continuously ingest and store all data, leading to high storage costs and not addressing the need for selective capture during degradation. Option D is wrong because Azure Metrics provides real-time monitoring but lacks the ability to capture detailed diagnostic logs on a conditional or scheduled basis; it is designed for lightweight, high-frequency metric data, not verbose diagnostic data.

470
MCQeasy

Your company uses Azure Resource Manager templates for infrastructure deployment. You need to ensure that all deployments are validated against organizational policies before resources are provisioned. Which Azure service should you use?

A.Azure RBAC
B.Management Groups
C.Azure Policy
D.Azure Blueprints
AnswerC

Azure Policy with deny effect can prevent non-compliant resource creation during deployment.

Why this answer

Option C is correct because Azure Policy can be used with a 'deny' effect to prevent non-compliant deployments. Option D is wrong because Azure Blueprints bundles artifacts but does not enforce policies. Option A is wrong because RBAC controls access but not resource compliance.

Option B is wrong because Management Groups organize subscriptions but do not validate deployments.

471
Multi-Selecthard

A company is designing a hybrid network architecture that connects an on-premises data center to Azure. The requirements include high availability (99.99% SLA), low latency, and the ability to use existing MPLS connections. Which THREE Azure connectivity options should be considered?

Select 3 answers
A.Azure VPN Gateway (active-active)
B.Azure Virtual WAN with ExpressRoute
C.Azure ExpressRoute
D.Azure Traffic Manager
E.Azure Private Link
AnswersA, B, C

Active-active VPN Gateway provides high availability and low latency by using multiple tunnels; it can be used with internet-based VPN.

Why this answer

Azure ExpressRoute provides dedicated private connections with high SLA and low latency; VPN Gateway with active-active configuration provides redundant IPsec tunnels; and ExpressRoute with ExpressRoute Global Reach extends connectivity across regions. All can use MPLS or existing circuits.

472
Multi-Selecthard

You are designing a business continuity solution for a global SaaS application that runs on Azure Kubernetes Service (AKS) with Azure Cosmos DB as the database. The solution must support multi-region writes and automatic failover with zero data loss. Which THREE components should you include in your design? (Choose three.)

Select 3 answers
A.Deploy Azure Cache for Redis Enterprise with active geo-replication.
B.Deploy Azure Front Door with origin groups for the AKS clusters.
C.Use Azure Traffic Manager to route traffic to the primary region.
D.Configure Azure Cosmos DB with multiple write regions.
E.Use Azure SQL Database with failover groups for the database tier.
AnswersA, B, D

Active geo-replication for Redis Enterprise supports multi-region writes and automatic failover for cache data.

Why this answer

Options A, B, and D are correct. Azure Cosmos DB with multi-region writes supports zero data loss during failover. Azure Front Door provides global load balancing and automatic failover for the AKS clusters.

Azure Cache for Redis Enterprise with active geo-replication provides a low-latency cache with multi-region writes. Option C is wrong because Azure Traffic Manager is not required when using Front Door. Option E is wrong because Azure SQL Database does not natively support multi-region writes the way Cosmos DB does.

473
MCQhard

You execute the above PowerShell script to create a Windows VM in Azure. After the script completes, you try to RDP to the public IP address but the connection fails. What is the most likely reason?

A.The network interface is not attached to the VM.
B.The public IP address is not assigned correctly.
C.The NSG rule blocks RDP traffic.
D.The VM size does not support RDP.
AnswerA

The script does not add the NIC to the VM configuration before creation.

Why this answer

Option A is correct. The script creates an NSG with an inbound rule allowing RDP (port 3389), and the VM is created with the -Windows parameter, which should enable RDP. The script also does not add any data disks or configure boot diagnostics.

The most likely issue is that the script does not associate the NIC with the VM configuration. The New-AzVM cmdlet is called with the -VM parameter, but the NIC is never added to the VM config; the script should include Add-AzVMNetworkInterface.

Option C is wrong because the NSG rule allows RDP. Option B is wrong because the public IP is static. Option D is wrong because the VM size supports RDP.

474
MCQeasy

Your organization has a large number of virtual machines running in Azure. You need to centrally manage backup policies, monitor backup jobs, and ensure compliance with retention requirements. Which Azure service should you use?

A.Azure Policy
B.Azure Site Recovery
C.Azure Backup Center
D.Azure Monitor
AnswerC

Backup Center provides unified backup management and monitoring.

Why this answer

Option C is correct. Azure Backup Center provides a single pane of glass for managing backups across Azure VMs, SQL in VMs, SAP HANA, and Azure Files. Option B is wrong because Azure Site Recovery is for disaster recovery, not backup.

Option A is wrong because Azure Policy can enforce backup policies but does not provide monitoring and management. Option D is wrong because Azure Monitor can monitor backup jobs but does not manage policies.

475
Multi-Selecthard

Which THREE components are required to implement a disaster recovery solution for Azure Virtual Desktop (AVD) using active-passive model?

Select 3 answers
A.Configure Azure Files geo-replication for the profile share.
B.Replicate FSLogix profile containers using Azure File Sync.
C.Deploy AVD host pool in the primary region only.
D.Deploy an AVD host pool in the secondary region.
E.Configure Azure Backup for the AVD session hosts.
AnswersA, B, D

Geo-replication ensures profile data is available in secondary.

Why this answer

Options A (Azure Files geo-replication for the profile share), B (FSLogix profile container replication), and D (AVD host pool in the secondary region) are required. Option C (host pool in the primary region only) does not provide a failover target. Option E (Azure Backup) is not a primary component of the active-passive model.

476
Multi-Selectmedium

Your organization is migrating a legacy application to Azure that requires Windows authentication and a fixed IP address. The application will run on an Azure VM. You need to design a networking solution that ensures the VM retains its IP address even after a reboot and that the application can be reached by on-premises users using its hostname. Which TWO actions should you take? (Choose two.)

Select 2 answers
A.Assign a static private IP address to the VM's NIC
B.Assign a static public IP address to the VM
C.Configure Azure Firewall to forward DNS requests
D.Create an Azure DNS private zone and add an A record for the VM
E.Connect to the VM using Azure Bastion for name resolution
AnswersA, D

Static private IP persists across reboots and ensures the application has a fixed IP.

Why this answer

Options A and D are correct. A static private IP ensures the IP does not change after reboot. Azure DNS private zone allows custom DNS resolution for the hostname.

Option B (public IP) is not required for internal access. Option E (Azure Bastion) is for management access, not name resolution. Option C (Azure Firewall) is not needed for this scenario.

477
MCQeasy

A company requires all users to use multi-factor authentication (MFA) when accessing cloud applications. However, they want to exempt users from MFA when they connect from the company's headquarters, which has a trusted IP range. They want to enforce this policy centrally. Which Microsoft Entra ID feature should they use?

A.Microsoft Entra ID Conditional Access
B.Microsoft Entra ID Identity Protection
C.Microsoft Entra ID Privileged Identity Management
D.Microsoft Entra ID Self-Service Password Reset
AnswerA

Conditional Access policies can include location conditions to require MFA for all access except from trusted IP ranges.

Why this answer

Microsoft Entra ID Conditional Access is the correct feature because it allows administrators to create policies that enforce MFA based on conditions such as user location, device state, and application sensitivity. By configuring a Conditional Access policy with a 'trusted location' condition (defined via named locations with specific IP ranges), the company can require MFA for all cloud app access except when users connect from the headquarters' trusted IP range. This provides centralized, granular control over authentication requirements without needing to modify individual user settings.

Exam trap

The trap here is that candidates often confuse Identity Protection (which handles risk-based MFA prompts) with Conditional Access (which handles location-based MFA exemptions), leading them to select Identity Protection because it also deals with MFA, but it lacks the trusted IP range exclusion capability.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra ID Identity Protection is designed to detect and respond to identity-based risks (e.g., leaked credentials, anonymous IP addresses) and can trigger automated remediation like requiring MFA on risky sign-ins, but it does not natively support exempting users based on trusted IP ranges; its primary focus is risk-based policies, not location-based conditional access. Option C is wrong because Microsoft Entra ID Privileged Identity Management (PIM) manages just-in-time privileged role activation, approval workflows, and access reviews for elevated roles, not general user MFA enforcement or location-based exemptions. Option D is wrong because Microsoft Entra ID Self-Service Password Reset (SSPR) allows users to reset their own passwords without administrator intervention, but it does not enforce or exempt MFA based on network location; it is a password management feature, not an authentication policy engine.

478
MCQmedium

You are designing a disaster recovery solution for a tier-1 application that runs on Azure SQL Managed Instance. The application has a Recovery Time Objective (RTO) of 30 seconds and a Recovery Point Objective (RPO) of 10 seconds. The solution must also support failover during planned maintenance. What should you recommend?

A.Configure auto-failover groups with a readable secondary in another region for Azure SQL Database.
B.Implement Azure Site Recovery to replicate the SQL Managed Instance to a secondary region.
C.Use active geo-replication for Azure SQL Managed Instance with a secondary in another region.
D.Set up a failover group for Azure SQL Managed Instance between two regions with a secondary replica.
AnswerD

Failover groups for SQL Managed Instance provide synchronous replication, RPO of 0, and RTO of about 10 seconds, meeting the requirements.

Why this answer

Option D is correct because failover groups for Azure SQL Managed Instance provide automatic failover with an RPO of 0 (no data loss) and an RTO of about 10 seconds, meeting the strict requirements. Option A is wrong because auto-failover groups for SQL Database are a different feature and not for Managed Instance. Option C is wrong because active geo-replication is for SQL Database, not Managed Instance.

Option B is wrong because Azure Site Recovery does not replicate SQL Managed Instance natively and cannot meet the low RPO/RTO.

479
Multi-Selecthard

Which THREE capabilities are provided by Microsoft Entra ID Identity Governance? (Select THREE.)

Select 3 answers
A.Entitlement management
B.Access reviews
C.Privileged Identity Management
D.Conditional Access
E.Identity Protection
AnswersA, B, C

Manages access packages and requests.

Why this answer

Microsoft Entra ID Identity Governance is a suite of capabilities designed to help organizations manage and govern access to resources. Entitlement management (A) enables the creation of access packages to automate access requests, approvals, and assignments. Access reviews (B) allow periodic recertification of group memberships and application access to ensure only the right users have access.

Privileged Identity Management (C) provides just-in-time privileged access and role activation workflows for Azure AD roles and Azure resources, directly supporting governance of elevated access.

Exam trap

The trap here is that candidates often confuse Conditional Access and Identity Protection (which are security-focused features) with Identity Governance capabilities, but the exam specifically tests that governance includes entitlement management, access reviews, and PIM as the three core pillars.

480
MCQhard

You are designing a business continuity solution for a critical application that uses Azure Cosmos DB with multiple write regions. The application is deployed in the East US and West Europe regions. The business requires that if one region fails, the application can continue to serve writes in the remaining region with no data loss. Which consistency level should you use?

A.Strong
B.Eventual
C.Session
D.Bounded staleness
AnswerA

Strong consistency ensures no data loss.

Why this answer

Option A is correct because strong consistency guarantees linearizability and no data loss during regional failover. However, it may affect write performance. Option D is wrong because bounded staleness can lose data if the staleness window is exceeded.

Option C is wrong because session consistency may lose data. Option B is wrong because eventual consistency can lose data.

481
MCQhard

Refer to the exhibit. You are reviewing the properties of an Azure Storage account. The encryption section shows keySource as Microsoft.Keyvault and infrastructureEncryption enabled. What does infrastructureEncryption mean in this context?

A.It enforces HTTPS for all data in transit
B.It automatically rotates the encryption key daily
C.It encrypts the encryption key stored in Key Vault
D.It enables double encryption of data at rest
AnswerD

Infrastructure encryption applies a second layer of encryption using platform-managed keys.

Why this answer

Infrastructure encryption provides an additional layer of encryption at the infrastructure level, encrypting data twice. Option C is incorrect because infrastructure encryption does not refer to the key stored in Key Vault itself. Option A is incorrect because TLS for data in transit is separate.

Option B is incorrect because it is not about automatically rotating keys.

482
MCQeasy

You need to design a data storage solution for a mobile app that requires low-latency reads and writes globally. The data is JSON documents with varying schemas. Which Azure service should you choose?

A.Azure Cache for Redis
B.Azure Cosmos DB
C.Azure SQL Database
D.Azure Table Storage
AnswerB

Cosmos DB is a globally distributed NoSQL database with native JSON support and low-latency.

Why this answer

Azure Cosmos DB is the correct choice because it provides native global distribution with multi-region writes and single-digit-millisecond latency at the 99th percentile, making it ideal for a mobile app requiring low-latency reads and writes worldwide. It natively supports JSON documents with varying schemas through its document model and offers multiple consistency levels to balance performance and data integrity.

Exam trap

The trap here is that candidates often choose Azure Cache for Redis because they associate 'low-latency' with caching, but they overlook that the requirement is for a durable, globally distributed primary data store with varying JSON schemas, which Redis as a cache cannot fulfill as a persistent, globally writable database.

How to eliminate wrong answers

Option A is wrong because Azure Cache for Redis is an in-memory cache, not a primary data store, and it does not natively support global distribution with write replication or schema-variant JSON documents as a durable persistence layer. Option C is wrong because Azure SQL Database requires a fixed relational schema and does not natively handle varying JSON schemas without complex workarounds, nor does it offer the same low-latency global write distribution as Cosmos DB. Option D is wrong because Azure Table Storage is a key-value store that stores data as entities with a fixed schema (partition key and row key), not as flexible JSON documents, and it lacks native global distribution with multi-region writes.

483
MCQhard

Your company has a hybrid identity environment using Microsoft Entra ID (formerly Azure AD) and on-premises Active Directory. You need to design a solution that allows users to authenticate to Azure services using their on-premises credentials and enforce conditional access policies for sensitive applications. The solution must support multi-factor authentication (MFA) using the Microsoft Authenticator app. Which components should you include?

A.Microsoft Entra Connect Health, Microsoft Entra ID with cloud sync, and Azure AD Identity Protection.
B.Microsoft Entra Connect Sync, Microsoft Entra ID, and Conditional Access policies with MFA.
C.Active Directory Federation Services (AD FS), Web Application Proxy, and Azure AD Conditional Access.
D.Azure AD Pass-through Authentication, Azure AD Application Proxy, and Azure AD Identity Protection.
AnswerB

Connect Sync syncs identities; Entra ID provides authentication and conditional access can require MFA via Authenticator.

Why this answer

Option B is correct because Microsoft Entra Connect Sync synchronizes identities, Entra ID provides authentication, and Conditional Access policies enforce MFA. Option D is wrong because Pass-through Authentication does not by itself support MFA via the Authenticator app. Option C is wrong because AD FS is an additional component that adds complexity.

Option A is wrong because Microsoft Entra Connect Health is for monitoring, not authentication.

484
Multi-Selecteasy

Which TWO Azure storage replication options provide durability for data in the event of a regional disaster? (Select two.)

Select 2 answers
A.Geo-zone-redundant storage (GZRS)
B.Geo-redundant storage (GRS)
C.Read-access geo-redundant storage (RA-GRS)
D.Zone-redundant storage (ZRS)
E.Locally redundant storage (LRS)
AnswersA, B

GZRS combines ZRS and GRS for maximum durability.

Why this answer

Options A and B are correct. Geo-redundant storage (GRS) replicates data to a secondary region. Geo-zone-redundant storage (GZRS) combines zone redundancy with geo-redundancy.

Option E is wrong because LRS only protects within a single datacenter. Option D is wrong because ZRS protects within a single region only. Option C is wrong because RA-GRS provides read access to the secondary but the same durability as GRS.

485
MCQmedium

A company uses Microsoft Entra ID and wants to enforce that all users must use multi-factor authentication (MFA) when accessing sensitive applications. However, they want to exclude users when connecting from the corporate office IP range and only allow access from devices that are compliant with Intune policies. Which Microsoft Entra ID feature should they use to create this policy?

A.Microsoft Entra ID Identity Protection
B.Microsoft Entra ID Privileged Identity Management
C.Microsoft Entra ID Conditional Access
D.Microsoft Entra ID Identity Governance
AnswerC

Conditional Access policies allow you to specify conditions (e.g., IP location, device compliance) and controls (e.g., require MFA, block access). This enables the described scenario: require MFA for sensitive apps, but exclude corporate IP range and require compliant device.

Why this answer

C is correct because Microsoft Entra ID Conditional Access is the feature specifically designed to enforce granular access policies based on conditions such as user, location, device compliance, and application sensitivity. By configuring a Conditional Access policy, you can require MFA for sensitive applications, exclude the corporate office IP range, and restrict access to Intune-compliant devices, all within a single policy.

Exam trap

The trap here is that candidates often confuse Conditional Access with Identity Protection, thinking risk-based policies can enforce location or device compliance, but Identity Protection only triggers actions based on risk scores, not static conditions like IP ranges or Intune compliance.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID Identity Protection focuses on detecting and responding to identity-based risks (e.g., leaked credentials, sign-ins from anonymous IPs) and can trigger MFA based on risk level, but it cannot enforce device compliance or exclude specific IP ranges directly. Option B is wrong because Microsoft Entra ID Privileged Identity Management manages just-in-time privileged role activation and access reviews, not general user access policies for sensitive applications. Option D is wrong because Microsoft Entra ID Identity Governance handles access lifecycle, entitlement management, and certification campaigns, not real-time access enforcement based on location or device compliance.

486
MCQhard

A multinational corporation is designing a hub-spoke network topology in Azure to connect multiple on-premises sites and Azure regions. The hub contains Azure Firewall and Azure Bastion. Spokes are in different regions and need to communicate with each other through the hub. The solution must minimize latency and cost. What should you configure?

A.Connect spokes via ExpressRoute Global Reach
B.Deploy Azure Virtual WAN with secured hub
C.Use VNet peering to hub and UDRs to force traffic through Azure Firewall
D.Create VNet peering between spokes directly
AnswerC

Allows inspection with minimal cost and latency.

Why this answer

Option C is correct because VNet peering to the hub, with traffic forced through the hub firewall using user-defined routes (UDRs), allows spoke-to-spoke traffic to be inspected while minimizing additional cost. Option A is wrong because ExpressRoute Global Reach bypasses the hub firewall. Option B is wrong because Azure Virtual WAN is more expensive and complex.

Option D is wrong because direct spoke-to-spoke peering bypasses the hub firewall.

487
MCQhard

A manufacturing company is designing an IoT solution to monitor equipment in real-time. Thousands of sensors send telemetry data every second. The data must be ingested, processed, and stored for analysis. The solution must handle high throughput and provide low-latency analytics. Additionally, the company wants to use Azure Machine Learning to predict equipment failures based on historical data. You need to design a data pipeline that meets these requirements. What should you include in the design?

A.Use Azure IoT Hub to ingest data, Azure Stream Analytics for real-time processing, and Azure Blob Storage for long-term storage.
B.Use Azure IoT Hub to ingest data, Azure Cosmos DB for storage, and Azure Functions for processing.
C.Use Azure IoT Hub to ingest data, Azure Data Lake Storage for storage, and Azure Stream Analytics for processing.
D.Use Azure Event Hubs to ingest data, Azure Databricks for processing, and Azure Blob Storage for storage.
AnswerA

IoT Hub, Stream Analytics, and Blob Storage form a scalable real-time pipeline.

Why this answer

Option A is correct because Azure IoT Hub ingests sensor data, Azure Stream Analytics processes the stream in real time with low latency, and Azure Blob Storage stores the data for historical analysis. Option C is wrong because Azure Data Lake Storage is for big data analytics, not real-time processing. Option B is wrong because Azure Cosmos DB is a NoSQL database, but the primary processing should be done with Stream Analytics.

Option D is wrong because Azure Event Hubs can handle ingestion, but Azure Databricks is overkill for simple real-time analytics.

488
MCQmedium

Your organization uses Microsoft Purview to govern data assets across Azure SQL Database, Azure Data Lake Storage, and on-premises SQL Server. You need to ensure that sensitive data such as credit card numbers are automatically detected and classified. What should you configure in Microsoft Purview?

A.Data share
B.Data catalog
C.Data lineage mapping
D.Data classification rules
AnswerD

Data classification rules automatically detect sensitive data using pattern matching.

Why this answer

Option D is correct because Microsoft Purview's data classification system uses built-in and custom classification rules to automatically detect sensitive data like credit card numbers via pattern matching. Option C (Data lineage mapping) tracks data movement, not classification. Option A (Data share) is for sharing data, not classification.

Option B (Data catalog) organizes metadata but relies on manual or automated classification to detect sensitive data.

489
Multi-Selecthard

Which THREE of the following are required to collect Windows security events into Microsoft Sentinel?

Select 3 answers
A.Log Analytics workspace
B.Data collection rule (DCR)
C.Azure Policy
D.Azure Monitor Agent (AMA)
E.Microsoft Defender for Cloud
AnswersA, B, D

The workspace stores the collected logs.

Why this answer

A Log Analytics workspace is required because Microsoft Sentinel is built on top of it; all security events collected by Sentinel are stored in the workspace's tables, and Sentinel uses the workspace as its data repository for analytics, alerting, and investigation.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud (a security management service) with a data collection agent, or think Azure Policy can be used to collect logs, when in fact only the combination of a Log Analytics workspace, a DCR, and the AMA fulfills the requirement.

490
MCQmedium

Your company is deploying a web application on Azure App Service. The application must be able to read secrets from Azure Key Vault without storing credentials in application code. Which feature should you enable?

A.Key Vault access policies
B.Azure AD Application Registration with client secret
C.Managed Identity
D.App Service Authentication / Authorization
AnswerC

Managed Identity provides an automatically managed identity for the app to authenticate to Key Vault.

Why this answer

Option C is correct because Managed Identity allows the App Service to authenticate to Key Vault without storing credentials. Option D is wrong because App Service Authentication / Authorization is for user authentication. Option B is wrong because an Azure AD Application Registration requires a client secret to be stored.

Option A is wrong because Key Vault access policies handle authorization, not authentication.

491
MCQeasy

You are designing identity governance for a company that uses Microsoft Entra ID. The company wants to grant external partners access to an internal application for 90 days. After 90 days, access must be automatically removed. Additionally, the application requires that users have multi-factor authentication (MFA) and a compliant device. You need to design a solution that meets these requirements with minimal administrative effort. What should you do?

A.Create an access package in Microsoft Entra entitlement management with a 90-day policy and conditional access policies for MFA and device compliance.
B.Manually create guest user accounts, assign app, and set calendar reminder to delete after 90 days.
C.Create a dynamic group in Microsoft Entra ID that includes partners and assign the app; use a scheduled script to remove membership after 90 days.
D.Use Microsoft Entra Privileged Identity Management to grant just-in-time access for 90 days.
AnswerA

Entitlement management automates access lifecycle and policy enforcement.

Why this answer

Option A is correct because Microsoft Entra entitlement management allows you to create an access package that automatically grants external partners access to the application for exactly 90 days, after which access is automatically removed via an expiration policy. Additionally, you can enforce multi-factor authentication (MFA) and device compliance by configuring conditional access policies that are applied to the access package, meeting all requirements with minimal administrative effort through automation.

Exam trap

The trap here is that candidates may confuse Privileged Identity Management (PIM) with entitlement management, thinking PIM's time-limited role activation can be applied to application access, but PIM is for Azure AD roles and Azure resource roles, not for granting external user access to applications with conditional access enforcement.

How to eliminate wrong answers

Option B is wrong because manually creating guest accounts and setting a calendar reminder is not automated, requires ongoing administrative effort, and does not enforce MFA or device compliance policies. Option C is wrong because using a dynamic group with a scheduled script to remove membership after 90 days is not a native, automated solution; dynamic groups are based on user attributes, not time-based expiration, and scripting adds complexity and potential failure points. Option D is wrong because Microsoft Entra Privileged Identity Management (PIM) is designed for just-in-time privileged role activation, not for granting time-limited access to applications for external partners, and it does not natively enforce MFA or device compliance for application access.

492
MCQeasy

Your organization uses Microsoft Azure and has a subscription with multiple resource groups. You need to ensure that only users in the Finance department can access storage accounts in the 'Finance' resource group. The solution must use role-based access control (RBAC). What should you assign?

A.Assign the Contributor role to the Finance users at the management group scope
B.Assign the Storage Blob Data Reader role to the Finance users at the Finance resource group scope
C.Assign the Reader role to the Finance users at the subscription scope
D.Assign the Storage Account Contributor role to the Finance users at each storage account scope
AnswerB

This assignment grants read access to blob data in all storage accounts within the Finance resource group.

Why this answer

Option B is correct because assigning the Storage Blob Data Reader role at the Finance resource group scope grants Finance users read access to blob data within all storage accounts in that resource group, using RBAC. This meets the requirement of restricting access to only the Finance department while leveraging Azure RBAC's built-in data plane role for storage.

Exam trap

The trap here is that candidates often confuse management plane roles (like Contributor or Storage Account Contributor) with data plane roles (like Storage Blob Data Reader), mistakenly thinking Contributor grants data access, when in fact it only grants management access unless combined with a data plane role.

How to eliminate wrong answers

Option A is wrong because assigning the Contributor role at the management group scope would grant full management access to all resources across multiple subscriptions, far exceeding the requirement to restrict access to only storage accounts in the Finance resource group. Option C is wrong because the Reader role at the subscription scope provides read-only access to all resources in the subscription, including non-Finance resource groups, violating the principle of least privilege. Option D is wrong because assigning the Storage Account Contributor role at each storage account scope grants management access to the storage account itself (e.g., configuration, networking) but not necessarily data access (e.g., blobs), and it requires individual assignments per account, which is less efficient than a single resource group scope assignment.

493
MCQhard

Your company stores sensitive customer data in Azure Blob Storage. You must ensure that data is encrypted at rest using customer-managed keys (CMK) and that key rotation is automated. You also need to prevent data from being accessed by any Microsoft administrator. Which solution should you implement?

A.Use Azure Key Vault (Standard) to store customer-managed keys and enable automatic key rotation.
B.Use Azure Disk Encryption with customer-managed keys stored in Azure Key Vault.
C.Use Azure Key Vault Managed HSM with customer-managed keys and enable double encryption with infrastructure encryption.
D.Enable Azure Storage Service Encryption with platform-managed keys.
AnswerC

Managed HSM provides tenant-controlled keys and isolation; double encryption adds an additional layer.

Why this answer

Option C is correct because Azure Key Vault Managed HSM provides FIPS 140-2 Level 3 validated hardware security modules (HSMs) for storing customer-managed keys (CMK), supports automated key rotation, and enables double encryption via infrastructure encryption. This ensures that data is encrypted at rest with a customer-controlled key, and the use of Managed HSM prevents Microsoft administrators from accessing the key material, as the HSM is isolated and Microsoft has no export or visibility permissions.

Exam trap

The trap here is that candidates often confuse Azure Key Vault (Standard) with Managed HSM, assuming both provide the same level of isolation and security, but only Managed HSM offers FIPS 140-2 Level 3 HSM-backed keys and prevents Microsoft administrator access, which is critical for sensitive customer data scenarios.

How to eliminate wrong answers

Option A is wrong because Azure Key Vault (Standard) uses software-backed keys (not HSM-backed) and does not provide the same level of isolation to prevent Microsoft administrators from accessing key material; it also does not support double encryption with infrastructure encryption. Option B is wrong because Azure Disk Encryption is designed for encrypting virtual machine disks, not Azure Blob Storage data, and it does not address the requirement to prevent Microsoft administrator access to the keys. Option D is wrong because Azure Storage Service Encryption with platform-managed keys uses Microsoft-managed keys, not customer-managed keys, and thus does not meet the CMK requirement or provide isolation from Microsoft administrators.

494
Multi-Select · hard

An enterprise wants just-in-time elevation for Azure administrators and periodic validation that privileged users still require access. Which two Microsoft Entra features should you recommend? (Choose 2.)

Select 2 answers
A. Microsoft Entra Privileged Identity Management.
B. Microsoft Entra access reviews.
C. Microsoft Entra Domain Services.
D. Azure Policy guest configuration.
Answers: A, B

PIM supports eligible assignments, approvals, MFA, and time-bound activation.

Why this answer

Microsoft Entra Privileged Identity Management (PIM) provides just-in-time (JIT) elevation by allowing time-bound and approval-based activation of privileged roles, such as Global Administrator. This ensures administrators only gain elevated permissions when needed and for a limited duration, directly addressing the requirement for JIT elevation. Microsoft Entra access reviews cover the second requirement: reviewers periodically confirm that privileged users still need their assignments, and access that is not confirmed can be removed.

Exam trap

The trap here is confusing Microsoft Entra Domain Services (a legacy domain join service) with identity governance features, or assuming Azure Policy guest configuration can manage user access reviews instead of VM configuration compliance.

495
MCQ · easy

A company wants to migrate its on-premises file server to Azure with minimal application changes. The application accesses files over the SMB protocol and requires identity-based access using the existing on-premises Active Directory Domain Services (AD DS). They need the solution to be fully managed with low latency. Which Azure storage solution should they choose?

A. Azure Files
B. Azure NetApp Files
C. Azure Blob Storage with NFS 3.0
D. Azure Disk Storage
Answer: A

Azure Files provides fully managed SMB file shares with on-premises AD DS authentication, ideal for lift-and-shift migration.

Why this answer

Azure Files is the correct choice because it provides fully managed SMB file shares that can be accessed over the SMB protocol with identity-based authentication using on-premises AD DS via Azure Files AD DS integration. This allows the application to connect with minimal changes, as it continues to use SMB and existing domain credentials, while Azure Files offers low-latency access when deployed in the same region as the application.

Exam trap

The trap here is that candidates often confuse Azure NetApp Files with Azure Files, assuming that because NetApp Files supports SMB and AD DS, it is the best choice, but they overlook the 'fully managed' requirement and the fact that Azure Files is the simpler, more cost-effective PaaS solution for standard file server migrations.

How to eliminate wrong answers

Option B is wrong because Azure NetApp Files is a high-performance, enterprise-grade file service that supports SMB and AD DS, but it is not fully managed in the same sense as Azure Files (it requires provisioning of capacity pools and has a different pricing model); it also introduces unnecessary complexity for a standard file server migration. Option C is wrong because Azure Blob Storage with NFS 3.0 does not support the SMB protocol, and it lacks native identity-based access with on-premises AD DS, requiring different authentication mechanisms. Option D is wrong because Azure Disk Storage provides block-level storage attached to a VM, not a shared file service; it would require the application to be rewritten or run on a VM with a file server role, increasing management overhead and not meeting the fully managed requirement.

496
MCQ · medium

Your company runs a critical web application on Azure Virtual Machines in a single region. You need to design a disaster recovery solution that meets a Recovery Point Objective (RPO) of 15 minutes and a Recovery Time Objective (RTO) of 1 hour. The solution must be cost-effective for a planned failover test. What should you do?

A. Configure Azure Site Recovery (ASR) with replication to a paired secondary region and perform regular test failovers.
B. Create a read-only replica of the VMs in another region using Azure SQL Database geo-replication.
C. Deploy the VMs across two Azure Availability Zones within the same region.
D. Use Azure Backup with daily backups to a Recovery Services vault in a paired region.
Answer: A

ASR supports low RPO and RTO, and test failovers are cost-effective.

Why this answer

Option A is correct because Azure Site Recovery with replication intervals as low as 30 seconds can meet the RPO of 15 minutes, and with pre-staged resources, the RTO of 1 hour is achievable. It is cost-effective for testing because replication can be paused and a test failover uses isolated networks without affecting production. Option D is wrong because Azure Backup's typical RPO is 1 day and RTO is hours. Option C is wrong because Availability Zones protect within a region, not across regions. Option B is wrong because read-only replicas do not provide failover capability for compute.

497
MCQ · easy

A company uses Microsoft Entra ID. They want to automatically review and remove guest accounts that have not signed in for 90 days. They also need to generate reports for auditors. Which Microsoft Entra ID feature should they use?

A. Identity Protection
B. Access Reviews
C. Privileged Identity Management
D. Conditional Access
Answer: B

Access Reviews allow periodic review of guest access, automated removal based on criteria like no sign-in activity, and generate audit reports.

Why this answer

Access Reviews in Microsoft Entra ID allow administrators to create recurring reviews of guest users' access. By configuring a review with a 'days since last sign-in' condition (e.g., 90 days), Entra ID automatically flags and can remove guest accounts that have not authenticated within that period. The review process also generates detailed audit logs and reports suitable for auditor compliance, directly meeting the stated requirements.

Exam trap

The trap here is that candidates often confuse Privileged Identity Management (PIM) with Access Reviews because both involve 'reviewing' access, but PIM is strictly for privileged roles, not for reviewing inactive guest accounts.

How to eliminate wrong answers

Option A is wrong because Identity Protection is designed to detect and respond to identity-based risks (e.g., leaked credentials, anomalous sign-ins) and does not provide scheduled, automated access reviews or removal of inactive guest accounts. Option C is wrong because Privileged Identity Management (PIM) focuses on just-in-time privileged role activation and approval workflows for administrators, not on reviewing or removing standard guest user accounts based on inactivity. Option D is wrong because Conditional Access enforces policies during sign-in (e.g., requiring MFA, blocking locations) but cannot perform scheduled reviews or automatically remove guest accounts that have not signed in for a specific period.

498
MCQ · medium

You are designing a solution to provide high availability for a critical application running on Azure Virtual Machines. The virtual machines must be placed on physically separate hardware and have guaranteed availability during Azure maintenance events. Which option meets these requirements?

A. Deploy VMs in an Availability Set
B. Deploy VMs in a Proximity Placement Group
C. Deploy VMs in different Availability Zones
D. Deploy VMs in a Virtual Machine Scale Set
Answer: C

Availability Zones are physically separate datacenters within a region, providing high availability.

Why this answer

Availability Zones provide physically separate locations within an Azure region, protecting against datacenter failures. Option A (Availability Set) spreads VMs across fault domains but not across separate physical facilities. Option D (Scale Set) is for auto-scaling, not high availability. Option B (Proximity Placement Group) is for low latency, not HA.

499
Multi-Select · medium

You are designing a solution to monitor a hybrid environment consisting of Azure VMs and on-premises servers. The solution must provide centralized log analytics, security threat detection, and the ability to run custom queries across all logs. Which TWO Azure services should you include? (Choose two.)

Select 2 answers
A. Azure Monitor Agent
B. Azure Log Analytics workspace
C. Microsoft Sentinel
D. Azure Arc
E. Azure Update Manager
Answers: B, C

Central log repository with KQL queries.

Why this answer

Options B and C are correct. Azure Log Analytics workspace is the central repository for logs and supports KQL queries. Microsoft Sentinel provides security threat detection and SIEM capabilities.

Option A is wrong because Azure Monitor Agent is a data collection mechanism, not a central analytics service. Option E is wrong because Azure Update Manager is for patching, not monitoring. Option D is wrong because Azure Arc is for management, not log analytics.

500
MCQ · easy

Your company plans to use Microsoft Sentinel for security information and event management (SIEM). You need to ingest security logs from multiple Azure resources and on-premises servers. Which data connector should you use for Windows servers on-premises?

A. Azure Monitor Agent
B. Log Analytics agent
C. Microsoft Defender for Cloud agent
D. Azure Arc agent
Answer: A

AMA is the current agent for collecting logs and forwarding to Sentinel.

Why this answer

The Azure Monitor Agent (AMA) is the correct choice because it is the current, recommended data collection agent for Microsoft Sentinel, replacing the legacy Log Analytics agent. It supports collecting security logs from Windows servers on-premises via the Windows Security Events via AMA connector, which uses data collection rules (DCRs) for flexible, scalable log ingestion. AMA is optimized for Sentinel's SIEM requirements and provides better performance, security, and manageability than its predecessor.

Exam trap

The trap here is that candidates often confuse the Azure Monitor Agent with the Log Analytics agent, assuming the older agent is still the primary choice for Sentinel, when in fact Microsoft has deprecated the Log Analytics agent and now mandates the Azure Monitor Agent for all new deployments.

How to eliminate wrong answers

Option B (Log Analytics agent) is wrong because it is the legacy agent that Microsoft is deprecating in favor of the Azure Monitor Agent; it lacks support for newer Sentinel features and data collection rules. Option C (Microsoft Defender for Cloud agent) is wrong because it is designed for vulnerability assessment and security posture monitoring, not for general SIEM log ingestion into Sentinel; it does not collect Windows Security Event logs directly. Option D (Azure Arc agent) is wrong because it is used for managing on-premises servers as Azure Arc-enabled resources (e.g., policy, extensions), but it does not natively collect and forward security logs to Sentinel; you still need the Azure Monitor Agent for log ingestion.

501
MCQ · medium

A company uses Microsoft Entra ID and wants to automate the lifecycle management of user accounts in their SaaS applications, such as Salesforce and ServiceNow. The solution should automatically create, update, and deactivate accounts when users join, move, or leave the organization. Which Microsoft Entra ID feature should they use?

A. Microsoft Entra ID Provisioning
B. Microsoft Entra ID Connect
C. Microsoft Entra ID Application Proxy
D. Microsoft Entra ID Entitlement Management
Answer: A

Microsoft Entra ID Provisioning automates user account creation, update, and deactivation in SaaS applications via SCIM or built-in connectors.

Why this answer

Microsoft Entra ID Provisioning (specifically, HR-driven provisioning) automates the creation, update, and deactivation of user accounts in SaaS applications like Salesforce and ServiceNow based on changes in the organization's HR system or directory. It uses SCIM (System for Cross-domain Identity Management) protocol to synchronize identity lifecycle events, ensuring accounts are automatically created when users join, updated when they move, and deactivated when they leave.

Exam trap

The trap here is that candidates often confuse Microsoft Entra ID Connect (which syncs to Entra ID) with provisioning to external SaaS apps, or they mistakenly think Entitlement Management handles account creation when it only manages access rights, not identity lifecycle.

How to eliminate wrong answers

Option B (Microsoft Entra ID Connect) is wrong because it is designed for synchronizing on-premises Active Directory objects to Microsoft Entra ID, not for provisioning user accounts into third-party SaaS applications. Option C (Microsoft Entra ID Application Proxy) is wrong because it provides secure remote access to on-premises web applications via reverse proxy, not lifecycle management of user accounts. Option D (Microsoft Entra ID Entitlement Management) is wrong because it manages access packages and approval workflows for resource access, not the automated creation, update, and deactivation of user accounts in SaaS apps.

502
Drag & Drop · medium

Drag and drop the steps to migrate an on-premises SQL Server database to Azure SQL Database using the Data Migration Assistant (DMA) into the correct order.


Why this order

Install DMA, assess, fix issues, then migrate and monitor.

503
Multi-Select · easy

Your company is developing an application that will store transactional data in Azure SQL Database. The application has a Recovery Point Objective (RPO) of 5 seconds and a Recovery Time Objective (RTO) of 30 seconds. Which TWO Azure features should you recommend? (Choose two.)

Select 2 answers
A. Use Azure Site Recovery to replicate the SQL Database to a secondary region.
B. Create an auto-failover group with a readable secondary in another Azure region.
C. Deploy the Azure SQL Database across availability zones in the primary region.
D. Perform Azure SQL Database backups every 5 seconds using Azure Backup.
E. Configure active geo-replication for the Azure SQL Database.
Answers: B, E

Auto-failover groups provide automatic failover with synchronous replication, achieving RPO of 0 and RTO of about 30 seconds.

Why this answer

Options B and E are correct. Auto-failover groups with active geo-replication provide synchronous replication with RPO of 0 and RTO of about 30 seconds. Option D is wrong because Azure Backup has an RPO of 5 minutes for SQL Database (full backup frequency). Option A is wrong because Azure Site Recovery does not replicate SQL Database natively. Option C is wrong because a zone-redundant deployment across availability zones protects against datacenter failures, not regional failures, and RTO is not guaranteed.

504
MCQ · medium

Your organization needs to share large files (up to 100 GB) with external partners securely. The solution must allow partners to access files for a limited time and track who accessed which file. Which Azure solution should you use?

A. Azure Data Box.
B. Azure Blob Storage with shared access signatures (SAS).
C. Azure Files with SMB protocol.
D. Azure Blob Storage with public access.
Answer: B

SAS provides time-limited access; logs track access.

Why this answer

Option B is correct because Azure Storage shared access signatures (SAS) with expiration and access logging provide time-limited access and tracking. Option C is wrong because Azure Files with SMB requires domain join. Option A is wrong because Azure Data Box is for physical data transfer. Option D is wrong because Azure Blob Storage with public access does not provide time-limited control.

505
MCQ · hard

Your organization has a hybrid identity environment with Microsoft Entra ID (formerly Azure AD) and on-premises Active Directory. You need to design a solution that allows users to access cloud applications using their on-premises credentials, and also enables single sign-on (SSO) for legacy on-premises applications that do not support modern authentication protocols. What should you recommend?

A. Deploy Azure Active Directory Domain Services and domain-join the legacy application servers.
B. Use Azure Active Directory B2B collaboration for internal users.
C. Implement Azure AD Connect with password hash synchronization and Azure AD Application Proxy.
D. Configure Azure AD Seamless SSO and use Azure AD Connect with pass-through authentication.
Answer: C

Password hash sync enables cloud authentication; Application Proxy allows SSO to legacy apps.

Why this answer

Option C is correct because Azure AD Application Proxy provides SSO to legacy on-premises apps without modifying them, and Azure AD Connect with PHS enables cloud authentication. Option A (Azure AD DS) is for domain-joined VMs. Option B (Azure AD B2B) is for external users. Option D (Azure AD Seamless SSO) only works for browser-based apps.

506
MCQ · medium

Refer to the exhibit. You run this PowerShell script in an Azure subscription. The script executes successfully. What is the outcome?

A. All existing tags are replaced with 'Environment'='Unknown'.
B. All resources without tags get the tag 'Environment' with value 'Unknown'.
C. All resources in the subscription get the tag 'Environment' with value 'Unknown'.
D. The script fails because Update-AzTag does not support merge.
Answer: B

The script filters resources with no tags and adds the tag via merge.

Why this answer

The `Update-AzTag` cmdlet with the `-Operation Merge` parameter merges the specified tags into existing resource tags without removing any existing tags. When a resource already has tags, only the specified tag is added or updated; when a resource has no tags, the specified tag is applied. This matches option B: all resources without tags get the tag 'Environment' with value 'Unknown'.

Exam trap

The trap here is that candidates often assume `Update-AzTag` with Merge behaves like a full replacement (Option A) or applies to all resources (Option C), when in fact Merge only adds or updates the specified tags and only targets resources that match the resource ID pipeline input — in this case, resources without tags due to the `Where-Object` filter.

How to eliminate wrong answers

Option A is wrong because `-Operation Merge` does not replace existing tags; it only adds or updates the specified tags, leaving all other existing tags intact. Option C is wrong because the script targets only resources without tags, not all resources in the subscription; resources that already have tags are excluded by the filter and are not affected. Option D is wrong because `Update-AzTag` does support the `Merge` operation; the script executes successfully, proving the operation is valid.

507
Matching · medium

Match each Azure disaster recovery feature to its description.


Orchestrates replication and failover of VMs

Cloud-based backup for Azure and on-premises workloads

Physically separate datacenter within a region

Logical grouping for fault and update domains

Another Azure region for cross-region replication

Why these pairings

These are key concepts for business continuity and disaster recovery.

508
MCQ · hard

A global e-commerce company deploys its web application on Azure Kubernetes Service (AKS) clusters in multiple Azure regions. They need a single global endpoint for users, with SSL offloading, web application firewall (WAF) protection, and URL path-based routing to the nearest healthy AKS cluster. Which Azure service should they use?

A. Azure Front Door
B. Azure Traffic Manager
C. Azure Application Gateway
D. Azure Load Balancer
Answer: A

Front Door offers global load balancing, SSL offloading, WAF, and URL path-based routing. It can direct users to the nearest healthy backend using anycast and health probes.

Why this answer

Azure Front Door is the correct choice because it provides a single global endpoint with SSL offloading, WAF protection, and URL path-based routing. It uses Anycast-based routing to direct traffic to the nearest healthy AKS cluster, ensuring low latency and high availability across multiple regions.

Exam trap

The trap here is that candidates often confuse Azure Traffic Manager (DNS-level) with Azure Front Door (application-layer), overlooking the need for SSL offloading, WAF, and path-based routing that only Front Door provides.

How to eliminate wrong answers

Option B (Azure Traffic Manager) is wrong because it operates at the DNS level and does not support SSL offloading, WAF, or URL path-based routing; it only provides DNS-based traffic distribution. Option C (Azure Application Gateway) is wrong because it is a regional load balancer that cannot provide a single global endpoint across multiple Azure regions; it lacks global Anycast routing. Option D (Azure Load Balancer) is wrong because it operates at Layer 4 (TCP/UDP) and does not support SSL offloading, WAF, or URL path-based routing; it is designed for regional traffic distribution within a single region.

509
Drag & Drop · medium

Drag and drop the steps to configure an Azure Application Gateway with end-to-end TLS encryption into the correct order.


Why this order

First, have the certificate. Upload it, configure the backend, set up HTTP settings with TLS, then create the rule.

510
MCQ · hard

A company is deploying a multi-tier web application on Azure. The web tier must be accessible from the internet. The application tier and database tier must be isolated within the virtual network and not directly accessible from the internet. The solution must provide SSL termination, URL-based routing, and Web Application Firewall (WAF) capabilities. Which Azure service should they use to expose the web tier?

A. Azure Application Gateway
B. Azure Load Balancer
C. Azure Traffic Manager
D. Azure Front Door
Answer: A

Application Gateway offers layer-7 features including SSL termination, URL path-based routing, and integrated WAF.

Why this answer

Azure Application Gateway is a layer-7 load balancer that provides SSL termination, URL-based routing, and a built-in Web Application Firewall (WAF). It can expose the web tier to the internet while keeping the application and database tiers isolated within the virtual network, as it routes traffic to backend pools using HTTP/HTTPS rules without exposing those backends directly.

Exam trap

The trap here is that candidates often confuse Azure Front Door with Application Gateway because both offer layer-7 features, but Front Door is a global load balancer that does not provide VNet-level isolation for backends, whereas Application Gateway is regionally scoped and integrates directly with virtual networks for internal tier isolation.

How to eliminate wrong answers

Option B (Azure Load Balancer) is wrong because it operates at layer 4 (TCP/UDP) and cannot perform SSL termination, URL-based routing, or WAF capabilities. Option C (Azure Traffic Manager) is wrong because it is a DNS-based traffic router that directs traffic at the domain level, not a proxy or gateway; it does not terminate SSL, route based on URL paths, or provide WAF. Option D (Azure Front Door) is wrong because, although it offers SSL termination, URL-based routing, and WAF, it is a global, multi-region service designed for internet-facing applications at the edge; it does not isolate backends within a single virtual network and is not the correct choice for a single-region deployment requiring VNet integration for the application and database tiers.

511
MCQ · medium

You need to design a disaster recovery strategy for Azure SQL Database. The primary region is East US. The database must be available within 1 hour of a regional outage with no data loss. Which solution meets the requirements?

A. Configure a failover group with automatic failover to a secondary in West US
B. Perform regular backups to Azure Blob Storage in a secondary region
C. Configure active geo-replication and manually initiate failover
D. Use geo-restore from geo-redundant backups
Answer: A

Failover groups provide zero data loss and automatic failover within 1 hour.

Why this answer

A failover group with automatic failover to a secondary in West US meets the 1-hour RTO and zero data loss (RPO=0) requirement because Azure SQL Database failover groups use synchronous replication within the same region or asynchronous replication across regions. For a regional outage, the secondary must be in a paired region (West US) and configured with automatic failover policy; the database will be available within minutes, well under 1 hour, and with no data loss because all committed transactions are replicated synchronously before acknowledgment.

Exam trap

The trap here is that candidates confuse active geo-replication (which requires manual failover) with failover groups (which support automatic failover), and they overlook the strict RPO=0 requirement that eliminates any backup-based solution (B and D) because backups always have a non-zero RPO.

How to eliminate wrong answers

Option B is wrong because performing regular backups to Azure Blob Storage in a secondary region does not guarantee zero data loss (RPO can be up to the backup frequency, e.g., 1 hour for differential backups) and restoring from backups typically takes longer than 1 hour (RTO can be hours). Option C is wrong because active geo-replication requires manual failover initiation, which cannot guarantee a 1-hour RTO if the administrator is unavailable or delayed, and the requirement specifies automatic failover. Option D is wrong because geo-restore from geo-redundant backups (RA-GRS) has an RPO of at least 1 hour (backup frequency) and an RTO that can exceed 1 hour due to the time needed to restore a large database from a backup copy.

512
MCQ · easy

A company runs a critical application on Azure VMs. They need to ensure that if an entire Azure region fails, the application can be recovered in another region with minimal data loss. They have a recovery point objective (RPO) of 1 hour and a recovery time objective (RTO) of 4 hours. What should they implement?

A. Azure Traffic Manager
B. Azure Front Door
C. Azure Site Recovery
D. Azure Backup
Answer: C

Provides VM replication with low RPO and RTO.

Why this answer

Option C is correct because Azure Site Recovery provides VM replication to a secondary region with an RPO of as low as 5 minutes and RTO of a few hours, meeting the 1-hour RPO and 4-hour RTO. Option D is wrong because Azure Backup has an RPO of at least 12 hours. Option A is wrong because Azure Traffic Manager does not replicate data. Option B is wrong because Azure Front Door is for global load balancing, not VM replication.

513
MCQ · easy

A company wants to back up on-premises SQL Server databases to Azure and be able to restore them to an on-premises server in case of a disaster. The backup must be encrypted and retained for 7 years for compliance. Which Azure service should they use?

A. Azure Backup with the MARS agent.
B. Azure Site Recovery.
C. Azure Database Migration Service.
D. Azure Storage with incremental snapshots.
Answer: A

The MARS agent can back up on-premises SQL Server databases to a Recovery Services vault in Azure. It supports encryption with a user-provided passphrase and allows long-term retention (7 years is easily configurable). Restores can be done to the original or alternate on-premises server.

Why this answer

Azure Backup with the MARS agent is the correct choice because it is specifically designed to back up on-premises SQL Server databases directly to Azure, supports encryption at rest using a passphrase, and allows long-term retention (up to 99 years) to meet the 7-year compliance requirement. The MARS agent performs file- and application-consistent backups and can restore data to an on-premises server, fulfilling the disaster recovery scenario.

Exam trap

The trap here is that candidates often confuse Azure Site Recovery (a replication/failover tool) with Azure Backup (a backup/restore tool), overlooking that Site Recovery does not support long-term retention or granular database restore to on-premises servers.

How to eliminate wrong answers

Option B (Azure Site Recovery) is wrong because it is a disaster recovery service that replicates entire workloads for failover, not a backup solution; it does not support long-term retention for compliance or granular database restore to on-premises. Option C (Azure Database Migration Service) is wrong because it is designed for migrating databases to Azure, not for ongoing backup and restore operations, and it does not provide encryption or retention policies for backups. Option D (Azure Storage with incremental snapshots) is wrong because while it can store backup files, it lacks native integration with SQL Server for application-consistent backups, does not provide built-in encryption management for compliance, and requires custom scripting to manage retention and restore processes.

514
Multi-Select · medium

Which TWO services should you use to design a highly available and scalable web application on Azure that runs on Linux containers and requires automatic scaling based on HTTP traffic? (Choose two.)

Select 2 answers
A. Azure Load Balancer
B. Azure Web App for Containers
C. Azure Application Gateway
D. Azure Kubernetes Service (AKS)
E. Azure Container Instances (ACI)
Answers: C, D

Application Gateway provides HTTP load balancing and can route to AKS.

Why this answer

Options C and D are correct. Azure Kubernetes Service (AKS) orchestrates containers and supports horizontal pod autoscaling based on HTTP traffic. Azure Application Gateway acts as a load balancer and can route traffic to AKS. Option E is wrong because Azure Container Instances is for simple container deployments without orchestration. Option A is wrong because Azure Load Balancer is for TCP/UDP traffic, not HTTP-specific scaling. Option B is wrong because Azure Web App for Containers does not support automatic scaling based on HTTP traffic as granularly as AKS.

515
MCQ · easy

You need to design a virtual network architecture for a three-tier application in Azure. The web tier must be accessible from the internet, the application tier must only be accessible from the web tier, and the database tier must only be accessible from the application tier. Which combination of Azure services should you use?

A. Use Azure Front Door, service endpoints, and Azure SQL Database with firewall rules.
B. Use Azure Application Gateway with WAF, network security groups (NSGs) on subnets, and Azure Private Endpoints for the database.
C. Use Azure Load Balancer, Azure Firewall, and Azure SQL Database with public endpoint.
D. Use a single virtual network with three subnets, no NSGs, and Azure SQL Database with VNet injection.
Answer: B

Application Gateway provides internet-facing WAF and path-based routing; NSGs restrict traffic between tiers; Private Endpoints keep database traffic private.

Why this answer

Option B is correct because it uses Azure Application Gateway with WAF for inbound internet traffic, NSGs on each subnet to restrict traffic between tiers (web to app, app to database, and nothing else), and a Private Endpoint so database traffic never leaves the virtual network. Option A is wrong because Azure Front Door is a global entry point, not a control over traffic between subnets, and service endpoints plus firewall rules still leave Azure SQL Database reachable through its public endpoint. Option C is wrong because Azure Load Balancer has no WAF or path-based routing, and the database would be exposed on a public endpoint.

Option D is wrong because three subnets with no NSGs do nothing to restrict traffic between tiers (the default NSG rules allow all intra-VNet traffic), and Azure SQL Database does not support VNet injection; that is an Azure SQL Managed Instance deployment model.
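
A concrete version of the NSG part of option B, as an added example that is not part of the question bank. The names and address ranges (resource group rg-app, VNet vnet-app in eastus, subnets snet-agw/snet-web/snet-app/snet-db on 10.0.0.0/24 through 10.0.3.0/24, NIC nic-app-01) are assumed. The point it demonstrates is that the default rule AllowVnetInBound (priority 65000) permits all intra-VNet traffic, so each tier needs an explicit deny for the VirtualNetwork tag after its allow rule; without it the web subnet can reach the database subnet directly.

```powershell
# Added example, not from the question bank. Assumed (hypothetical) names:
# resource group rg-app, VNet vnet-app in eastus, subnets
#   snet-agw 10.0.0.0/24 (Application Gateway), snet-web 10.0.1.0/24,
#   snet-app 10.0.2.0/24, snet-db 10.0.3.0/24 (Private Endpoint for Azure SQL).
$rg = 'rg-app'; $loc = 'eastus'
$agwCidr = '10.0.0.0/24'; $webCidr = '10.0.1.0/24'
$appCidr = '10.0.2.0/24'; $dbCidr  = '10.0.3.0/24'

# Build an NSG that admits one upstream tier on one port and denies the rest of the VNet.
# The deny rule is essential: the default AllowVnetInBound rule (priority 65000) would
# otherwise let the web subnet talk straight to the database subnet.
function New-TierNsg {
  param([string]$Name, [string]$FromCidr, [string]$ToCidr, [int]$Port)
  $rules = @(
    New-AzNetworkSecurityRuleConfig -Name "Allow-Upstream-$Port" -Priority 100 `
      -Direction Inbound -Access Allow -Protocol Tcp `
      -SourceAddressPrefix $FromCidr -SourcePortRange '*' `
      -DestinationAddressPrefix $ToCidr -DestinationPortRange $Port
    New-AzNetworkSecurityRuleConfig -Name 'Deny-Other-Vnet' -Priority 4000 `
      -Direction Inbound -Access Deny -Protocol '*' `
      -SourceAddressPrefix 'VirtualNetwork' -SourcePortRange '*' `
      -DestinationAddressPrefix '*' -DestinationPortRange '*'
  )
  New-AzNetworkSecurityGroup -Name $Name -ResourceGroupName $rg -Location $loc -SecurityRules $rules
}

# web tier only from the Application Gateway subnet, app tier only from web, db only from app
$webNsg = New-TierNsg -Name 'nsg-web' -FromCidr $agwCidr -ToCidr $webCidr -Port 443
$appNsg = New-TierNsg -Name 'nsg-app' -FromCidr $webCidr -ToCidr $appCidr -Port 443
$dbNsg  = New-TierNsg -Name 'nsg-db'  -FromCidr $appCidr -ToCidr $dbCidr  -Port 1433

# Attach each NSG to its subnet. On the Private Endpoint subnet, NSG rules are only
# evaluated when private endpoint network policies are enabled on that subnet.
$vnet = Get-AzVirtualNetwork -Name 'vnet-app' -ResourceGroupName $rg
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-web' `
  -AddressPrefix $webCidr -NetworkSecurityGroup $webNsg | Out-Null
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-app' `
  -AddressPrefix $appCidr -NetworkSecurityGroup $appNsg | Out-Null
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-db' `
  -AddressPrefix $dbCidr -NetworkSecurityGroup $dbNsg `
  -PrivateEndpointNetworkPoliciesFlag 'Enabled' | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Verification: the effective inbound rules on an app-tier NIC, in evaluation order.
# The Deny-Other-Vnet rule must appear above AllowVnetInBound (65000).
function Get-EffectiveInboundRules {
  param([string]$NicName, [string]$ResourceGroup)
  Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName $NicName -ResourceGroupName $ResourceGroup |
    Select-Object -ExpandProperty EffectiveSecurityRules |
    Where-Object { $_.Direction -eq 'Inbound' } |
    Sort-Object Priority |
    Select-Object Name, Priority, Access, SourceAddressPrefix, DestinationPortRange
}
Get-EffectiveInboundRules -NicName 'nic-app-01' -ResourceGroup $rg | Format-Table
```

Get-AzEffectiveNetworkSecurityGroup reads the rules the platform actually applies to a NIC, default rules included, which is the quickest way to confirm that the deny sits above AllowVnetInBound rather than below it.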

516
MCQeasy

Refer to the exhibit. You are creating a role assignment in Azure. The role definition ID is for the Contributor role. What is the effect of this assignment?

A.The principal can manage all resources in resource group RG1.
B.The principal can read all resources in resource group RG1.
C.The principal can manage all resources in the subscription.
D.The principal can manage access to resource group RG1.
AnswerA

Contributor role at RG scope grants full management of that RG.

Why this answer

The Contributor role in Azure provides full management access to all resources within the assigned scope, but it cannot grant access to other users (role assignments). Since the scope is resource group RG1, the principal can manage all resources in that resource group, including creating, deleting, and modifying them, but cannot manage access to the resource group itself.

Exam trap

The trap here is that candidates often confuse the Contributor role with the Owner role, mistakenly thinking Contributor can manage access (role assignments), or they overlook the scope and assume the assignment applies to the entire subscription.

How to eliminate wrong answers

Option B is wrong because the Contributor role includes write and delete permissions, not just read; the Reader role provides read-only access. Option C is wrong because the scope is explicitly resource group RG1, not the subscription; a Contributor assignment at resource group scope applies to that resource group and the resources in it, and inherits downward only. Option D is wrong because managing access (role assignments) requires Microsoft.Authorization/roleAssignments/write, which Contributor's NotActions explicitly exclude (Microsoft.Authorization/*/Write); that permission comes with Owner, User Access Administrator, or a custom role that grants it.
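
To see the scope and the carve-out for yourself, here is an added PowerShell example (not part of the question bank) that assigns Contributor at resource group scope and then checks what the principal holds and whether it can write role assignments; the principal object ID is a placeholder and RG1 is taken from the question.

```powershell
# Added example, not from the question bank. The principal object ID is a placeholder.
$principalId = '00000000-0000-0000-0000-000000000000'
$rgScope = (Get-AzResourceGroup -Name 'RG1').ResourceId   # /subscriptions/<id>/resourceGroups/RG1

# Contributor has Actions = '*' but its NotActions remove Microsoft.Authorization/*/Write
# and /Delete, which is exactly what creating or removing a role assignment needs.
$contributor = Get-AzRoleDefinition -Name 'Contributor'
$contributor.NotActions | Where-Object { $_ -like 'Microsoft.Authorization/*' }

New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName 'Contributor' -Scope $rgScope | Out-Null

# What the principal holds at RG1: the new assignment plus anything inherited from the
# subscription or a management group. A subscription-scoped Contributor (option C)
# would show up here with a bare /subscriptions/<id> scope.
function Get-AssignmentsAtScope {
  param([string]$ObjectId, [string]$Scope)
  Get-AzRoleAssignment -ObjectId $ObjectId -Scope $Scope |
    Select-Object RoleDefinitionName, Scope
}
Get-AssignmentsAtScope -ObjectId $principalId -Scope $rgScope | Format-Table

# Can the principal write role assignments at this scope? Evaluate every held role the
# way RBAC does for control-plane actions: allowed by an Actions pattern and not
# excluded by a NotActions pattern. PowerShell's -like handles the '*' wildcard.
function Test-CanWriteRoleAssignments {
  param([string]$ObjectId, [string]$Scope)
  $operation = 'Microsoft.Authorization/roleAssignments/write'
  foreach ($assignment in Get-AzRoleAssignment -ObjectId $ObjectId -Scope $Scope) {
    $definition = Get-AzRoleDefinition -Id $assignment.RoleDefinitionId
    $allowed = $definition.Actions    | Where-Object { $operation -like $_ }
    $denied  = $definition.NotActions | Where-Object { $operation -like $_ }
    if ($allowed -and -not $denied) { return $true }
  }
  return $false
}
Test-CanWriteRoleAssignments -ObjectId $principalId -Scope $rgScope
```

The last function is the check to run after any assignment review: a principal that reports true here can grant itself or others more access, which is the difference between option A and option D in practice.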

517
MCQmedium

Refer to the exhibit. You run the Azure Resource Graph query shown. A colleague asks why the query returns no results even though there are VMs in the subscription. The VMs use managed disks with Premium_LRS. What is the most likely reason for the empty result set?

A.The storage account type is incorrectly specified; it should be 'Premium_ZRS'
B.The resource type string is case-sensitive; it should be 'Microsoft.Compute/virtualMachines'
C.The 'limit 10' clause restricts too many results; remove the limit
D.The 'name' property does not exist; use 'properties.name' instead
AnswerB

The type comparison in the query is case-sensitive, so a resource type string that does not match the stored value exactly returns nothing.

Why this answer

Option B is correct because the query compares 'type' with '==', which in KQL is an exact, case-sensitive comparison; the literal must match the stored type string character for character or no rows are returned. Option A is wrong because Premium_LRS is a valid managed disk storage account type and is what the VMs use. Option C is wrong because 'limit 10' only caps the result size; it cannot turn a non-empty result into an empty one.

Option D is wrong because 'name' is a top-level column in Resource Graph; 'properties.name' is not needed. In practice, write the filter as 'where type =~ ...': '=~' is the case-insensitive operator, so the query works regardless of how the type string is cased.
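
The difference between the two operators, shown with the Az.ResourceGraph module as an added example that is not part of the question bank (the exhibit's query is not visible here, so the query below is a reconstruction of the same intent: VMs whose OS disk uses Premium_LRS).

```powershell
# Added example, not from the question bank. Requires the Az.ResourceGraph module and an
# Az login; it queries the subscriptions the current context can read.
Import-Module Az.ResourceGraph

# KQL has two string equalities: '==' is exact and case-sensitive, '=~' is case-insensitive.
# Running the same filter with each operator shows whether casing is what empties the result.
function Get-PremiumOsDiskVmCount {
  param([ValidateSet('==', '=~')][string]$Operator)
  $query = @"
Resources
| where type $Operator 'microsoft.compute/virtualmachines'
| where properties.storageProfile.osDisk.managedDisk.storageAccountType == 'Premium_LRS'
| summarize n = count()
"@
  (Search-AzGraph -Query $query).n
}

Get-PremiumOsDiskVmCount -Operator '=='   # exact match: empty when the literal's casing differs from the stored type
Get-PremiumOsDiskVmCount -Operator '=~'   # case-insensitive: counts the VMs regardless of casing

# The query from the exhibit, rewritten to be casing-proof and explicit about its columns.
$query = @"
Resources
| where type =~ 'Microsoft.Compute/virtualMachines'
| where properties.storageProfile.osDisk.managedDisk.storageAccountType =~ 'Premium_LRS'
| project name, resourceGroup, location,
          osDiskSku = tostring(properties.storageProfile.osDisk.managedDisk.storageAccountType)
| order by name asc
"@
$vms = Search-AzGraph -Query $query -First 10
$vms | Format-Table name, resourceGroup, location, osDiskSku
```

Using '=~' for both the type and the SKU comparison costs nothing and removes a whole class of silent empty results; reserve '==' for values whose casing you control.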

518
MCQmedium

Your organization has a containerized application running on Azure Kubernetes Service (AKS). You need to design a solution to securely store and manage secrets (e.g., database passwords, API keys) that the application consumes. The solution must integrate with AKS and support automatic rotation of secrets. What should you use?

A.Azure Key Vault with the Secrets Store CSI driver
B.Azure App Configuration
C.Azure Managed Identity
D.Azure Container Registry
AnswerA

Key Vault securely stores the secrets; the Secrets Store CSI driver with the Azure Key Vault provider mounts them into AKS pods as files, and with secret rotation enabled it polls Key Vault on an interval and rewrites the mounted files without a pod restart. Caveat: the application must re-read the file to pick up a new value, and a secret synced into a Kubernetes Secret and consumed as an environment variable is not refreshed in a running pod.

Why this answer

Option A is correct because Azure Key Vault with the Secrets Store CSI driver integrates with AKS to mount secrets as volumes and supports rotation; the add-on's managed identity authenticates to Key Vault, so no credential has to be stored in the cluster. Option B is wrong because Azure App Configuration stores application settings and feature flags, not secrets; it can reference Key Vault secrets but does not replace Key Vault or rotate them. Option C is wrong because a managed identity is how the cluster authenticates to Key Vault, not a place to store secrets.

Option D is wrong because Azure Container Registry stores container images, not secrets.
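
The end-to-end setup for option A, as an added example that is not part of the question bank. The cluster, resource group, Key Vault, secret name and namespace (aks-prod, rg-aks, kv-prod, db-password, shop) are assumed; the script drives the Azure CLI and kubectl from PowerShell and assumes the Key Vault uses Azure RBAC for data-plane authorization.

```powershell
# Added example, not from the question bank. Assumed (hypothetical) names: cluster aks-prod
# in rg-aks, Key Vault kv-prod (RBAC permission model) holding secret 'db-password',
# workload namespace 'shop'. Requires az, kubectl and the Az PowerShell module.
$rg = 'rg-aks'; $aks = 'aks-prod'; $kv = 'kv-prod'
$tenantId = (Get-AzContext).Tenant.Id

# 1. Enable the add-on with rotation: the driver re-reads Key Vault every poll interval
#    and rewrites the mounted files in place, with no pod restart.
az aks enable-addons -g $rg -n $aks --addons azure-keyvault-secrets-provider
az aks addon update -g $rg -n $aks --addon azure-keyvault-secrets-provider `
  --enable-secret-rotation --rotation-poll-interval 2m
az aks get-credentials -g $rg -n $aks --overwrite-existing

# 2. Let the add-on's user-assigned identity read secrets (RBAC role on the vault).
$kvResourceId = (Get-AzKeyVault -VaultName $kv -ResourceGroupName $rg).ResourceId
$clientId = az aks show -g $rg -n $aks `
  --query 'addonProfiles.azureKeyvaultSecretsProvider.identity.clientId' -o tsv
$objectId = (Get-AzADServicePrincipal -ApplicationId $clientId).Id
New-AzRoleAssignment -ObjectId $objectId -RoleDefinitionName 'Key Vault Secrets User' `
  -Scope $kvResourceId | Out-Null

# 3. SecretProviderClass plus a pod that mounts the secret as a file. The pod must read the
#    file on each use rather than cache it at startup for rotation to take effect.
@"
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: kv-db-secrets
  namespace: shop
spec:
  provider: azure
  parameters:
    usePodIdentity: "false"
    useVMManagedIdentity: "true"
    userAssignedIdentityID: "$clientId"
    keyvaultName: "$kv"
    tenantId: "$tenantId"
    objects: |
      array:
        - |
          objectName: db-password
          objectType: secret
---
apiVersion: v1
kind: Pod
metadata:
  name: shop-api
  namespace: shop
spec:
  containers:
    - name: api
      image: registry.k8s.io/e2e-test-images/busybox:1.29-4
      command: ["/bin/sleep", "10000"]
      volumeMounts:
        - name: secrets
          mountPath: /mnt/secrets
          readOnly: true
  volumes:
    - name: secrets
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: kv-db-secrets
"@ | kubectl apply -f -

# 4. Rotation check: set a new version in Key Vault, wait past the poll interval, and
#    read the mounted file again. The pod is never restarted.
Set-AzKeyVaultSecret -VaultName $kv -Name 'db-password' `
  -SecretValue (ConvertTo-SecureString 'new-value-for-rotation-test' -AsPlainText -Force) | Out-Null
Start-Sleep -Seconds 150
kubectl exec -n shop shop-api -- cat /mnt/secrets/db-password
```

Rotation only updates the mounted file. If the same SecretProviderClass also syncs the value into a Kubernetes Secret (secretObjects) and the pod consumes it as an environment variable, the running pod keeps the old value until it is restarted.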

519
MCQeasy

A company deploys a stateless web application on Azure VMs in a single region. They need to distribute incoming HTTP traffic across multiple VMs and perform health checks. The solution should be highly available within the region. Which Azure load balancing solution should they use?

A.Azure Load Balancer (Standard) with HTTP health probe.
B.Azure Application Gateway v2.
C.Azure Traffic Manager.
D.Azure Front Door.
AnswerA

A Standard Load Balancer distributes incoming TCP traffic (HTTP uses TCP) across backend VMs. It supports HTTP health probes and availability zones, meeting the requirements for high availability within a region.

Why this answer

Azure Load Balancer (Standard) operates at Layer 4 (TCP/UDP) and can distribute HTTP traffic across VMs in a single region while performing health checks via HTTP health probes. It provides high availability within a region by distributing traffic across availability zones or availability sets, meeting the requirement for a stateless web application without needing Layer 7 features.

Exam trap

The trap here is that candidates often choose Azure Application Gateway v2 because they assume HTTP traffic requires a Layer 7 load balancer, but Azure Load Balancer can handle HTTP traffic at Layer 4 with HTTP health probes, making it the simpler and more cost-effective choice for a stateless web application within a single region.

How to eliminate wrong answers

Option B is wrong because Azure Application Gateway v2 is a Layer 7 load balancer with features like SSL termination, URL-based routing, and WAF, which are unnecessary for a stateless web application that only needs basic HTTP traffic distribution and health checks, adding cost and complexity. Option C is wrong because Azure Traffic Manager is a DNS-based global traffic routing solution that operates across regions, not within a single region, and does not perform health checks on individual VMs or distribute incoming HTTP traffic directly. Option D is wrong because Azure Front Door is a global Layer 7 load balancer and CDN that routes traffic across regions, not within a single region, and includes features like SSL offload and WAF that are not required for this scenario.

520
MCQmedium

A company is building a new application that requires a fully managed relational database. The application has varying workloads across different databases. The company wants to pool resources to optimize cost and allow each database to scale as needed. They also need automated backups with point-in-time restore and geo-replication for disaster recovery. Which Azure data service should they use?

A.Azure SQL Database
B.Azure SQL Managed Instance
C.Azure Database for MySQL
D.Azure Database for PostgreSQL
AnswerA

Azure SQL Database supports elastic pools for resource sharing among databases, automated backups, point-in-time restore, and active geo-replication for disaster recovery.

Why this answer

Azure SQL Database is a fully managed relational database service that supports elastic pools, which allow you to pool resources across multiple databases to optimize cost and enable each database to scale independently based on demand. It also provides automated backups with point-in-time restore (PITR) and active geo-replication for disaster recovery, meeting all the stated requirements.

Exam trap

The trap here is that candidates often confuse Azure SQL Database with Azure SQL Managed Instance, assuming Managed Instance also supports elastic pools, but it does not—elastic pools are exclusive to Azure SQL Database.

How to eliminate wrong answers

Option B (Azure SQL Managed Instance) is wrong because it targets lift-and-shift migrations that need near-complete SQL Server compatibility; its databases share the compute of the instance they live in, and there is no elastic pool construct (instance pools exist, but they place small instances on shared hardware rather than pooling databases). Option C (Azure Database for MySQL) is wrong because it is a fully managed MySQL service with no elastic pools; its cross-region disaster recovery relies on read replicas that must be promoted manually, not on active geo-replication or failover groups. Option D (Azure Database for PostgreSQL) is wrong for the same reasons: no elastic pool functionality, and geo-redundancy is based on read replicas rather than active geo-replication with automatic failover.
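
The three capabilities the question asks for, wired together with the Az.Sql module as an added example that is not part of the question bank. Resource group rg-data, logical servers sql-primary (eastus) and sql-secondary (westus), pool pool-app and database orders are assumed to exist; the per-database vCore caps and the 14-day retention are illustrative values.

```powershell
# Added example, not from the question bank. Assumed (hypothetical) names: rg-data,
# primary server sql-primary, secondary server sql-secondary in another region,
# database 'orders'. Both logical servers already exist.
$rg = 'rg-data'; $primary = 'sql-primary'; $secondary = 'sql-secondary'

# 1. Elastic pool: databases share 2 vCores; the per-database max stops one busy
#    database from starving the rest, the min of 0 lets idle ones release compute.
New-AzSqlElasticPool -ResourceGroupName $rg -ServerName $primary -ElasticPoolName 'pool-app' `
  -Edition 'GeneralPurpose' -ComputeGeneration 'Gen5' -VCore 2 `
  -DatabaseVCoreMin 0 -DatabaseVCoreMax 1 | Out-Null
Set-AzSqlDatabase -ResourceGroupName $rg -ServerName $primary -DatabaseName 'orders' `
  -ElasticPoolName 'pool-app' | Out-Null

# 2. Backups: automated backups are on by default; extend the point-in-time window to 14 days.
Set-AzSqlDatabaseBackupShortTermRetentionPolicy -ResourceGroupName $rg -ServerName $primary `
  -DatabaseName 'orders' -RetentionDays 14 | Out-Null

# 3. Disaster recovery: active geo-replication to a readable secondary in another region.
New-AzSqlDatabaseSecondary -ResourceGroupName $rg -ServerName $primary -DatabaseName 'orders' `
  -PartnerResourceGroupName $rg -PartnerServerName $secondary -AllowConnections 'All' | Out-Null

# Recovery drills. PITR restores to a new database (never over the original), so the
# restored copy can be inspected and data copied back if it is the one you want.
function Restore-OrdersToPointInTime {
  param([datetime]$PointInTimeUtc)
  $db = Get-AzSqlDatabase -ResourceGroupName $rg -ServerName $primary -DatabaseName 'orders'
  Restore-AzSqlDatabase -FromPointInTimeBackup -PointInTime $PointInTimeUtc `
    -ResourceGroupName $rg -ServerName $primary -ResourceId $db.ResourceId `
    -TargetDatabaseName 'orders-restored' -ElasticPoolName 'pool-app'
}

# Planned failover (run from the secondary): the secondary is fully synchronized first,
# so no data is lost; add -AllowDataLoss only for an unplanned failover when the
# primary region is down.
function Invoke-OrdersFailover {
  Set-AzSqlDatabaseSecondary -ResourceGroupName $rg -ServerName $secondary -DatabaseName 'orders' `
    -PartnerResourceGroupName $rg -Failover
}

Restore-OrdersToPointInTime -PointInTimeUtc (Get-Date).ToUniversalTime().AddHours(-2) | Out-Null
Invoke-OrdersFailover | Out-Null
```

For production the usual refinement is an auto-failover group rather than a bare geo-replication link: it adds listener endpoints that follow the primary, so connection strings do not change after a failover.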

521
MCQhard

You are designing a hybrid identity solution for a company with 5,000 on-premises users. The company wants to use Microsoft Entra ID for single sign-on and self-service password reset. They also need to synchronize user passwords to the cloud. Which feature should you enable to ensure password changes on-premises are immediately propagated to Microsoft Entra ID?

A.Federation with AD FS
B.Pass-through Authentication
C.Password Hash Synchronization
D.Microsoft Entra Cloud Sync
AnswerC

Password hash synchronization copies a hash of each user's on-premises password hash to Microsoft Entra ID; password changes are picked up and synchronized within about two minutes, independently of the regular sync cycle.

Why this answer

Option C is correct because Password Hash Synchronization, enabled in Microsoft Entra Connect Sync, synchronizes a hash of each user's password hash to Microsoft Entra ID; password changes are detected and synchronized by a separate process about every two minutes, independent of the 30-minute delta sync cycle, so a change made on-premises reaches the cloud almost immediately. Option B is wrong because Pass-through Authentication validates passwords against on-premises Active Directory at sign-in time and never synchronizes them. Option A is wrong because federation with AD FS keeps authentication on-premises and does not send password hashes to the cloud.

Option D is wrong because Microsoft Entra Cloud Sync is a synchronization agent, not the password feature: password hash synchronization is the capability that has to be enabled, whether the objects are synchronized by Connect Sync or by Cloud Sync.

522
MCQeasy

A company runs a stateless web application on multiple Azure VMs behind a load balancer. They want to ensure that if a VM fails, traffic is automatically redirected to healthy VMs. Which Azure service provides this functionality with health probes?

A.Azure Traffic Manager
B.Azure Front Door
C.Azure Application Gateway
D.Azure Load Balancer
AnswerD

Load Balancer uses health probes to route traffic only to healthy VMs.

Why this answer

Option D is correct because Azure Load Balancer health probes check each backend VM on an interval and stop sending new flows to any instance that fails the probe, so traffic that would have gone to the failed VM goes to the healthy ones automatically. Option A is wrong because Azure Traffic Manager is DNS-based: it monitors endpoints and steers clients to another endpoint at DNS resolution time, but it does not sit in the traffic path and does not probe individual VMs behind a single endpoint. Option B is wrong because Azure Front Door is a global Layer 7 entry point for multi-region scenarios; it probes its backends, but it is not the regional load balancer the VMs sit behind.

Option C is wrong because Azure Application Gateway also supports health probes, but it is a Layer 7 service with features the scenario does not need; the question describes a plain load balancer, and Azure Load Balancer is the direct answer.
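
A Standard Load Balancer with an HTTP probe, built with the Az.Network module, as an added example that is not part of the question bank and that covers questions 519 and 522 together. Resource group rg-web in eastus, two backend NICs nic-web-1 and nic-web-2 already in the web subnet, and an application that answers GET /healthz are assumed; the probe interval and count are illustrative.

```powershell
# Added example, not from the question bank. Assumed (hypothetical) names: resource group
# rg-web in eastus, backend NICs nic-web-1 and nic-web-2, app serving GET /healthz on 80.
$rg = 'rg-web'; $loc = 'eastus'

# Zone-redundant Standard public IP and load balancer: stays up if one zone fails.
$pip = New-AzPublicIpAddress -Name 'pip-web' -ResourceGroupName $rg -Location $loc `
  -Sku Standard -AllocationMethod Static -Zone '1', '2', '3'
$frontend = New-AzLoadBalancerFrontendIpConfig -Name 'fe-web' -PublicIpAddress $pip
$pool     = New-AzLoadBalancerBackendAddressPoolConfig -Name 'pool-web'

# HTTP probe: a VM stays in rotation only while GET /healthz returns 200.
# Two misses five seconds apart take it out; it returns automatically when it passes again.
$probe = New-AzLoadBalancerProbeConfig -Name 'probe-http' -Protocol Http -Port 80 `
  -RequestPath '/healthz' -IntervalInSeconds 5 -ProbeCount 2

# Layer 4 rule: TCP 80 in, TCP 80 to the pool, tied to the probe above.
$rule = New-AzLoadBalancerRuleConfig -Name 'rule-http' -Protocol Tcp `
  -FrontendPort 80 -BackendPort 80 -FrontendIpConfiguration $frontend `
  -BackendAddressPool $pool -Probe $probe -IdleTimeoutInMinutes 4 -EnableTcpReset

$lb = New-AzLoadBalancer -Name 'lb-web' -ResourceGroupName $rg -Location $loc -Sku Standard `
  -FrontendIpConfiguration $frontend -BackendAddressPool $pool -Probe $probe -LoadBalancingRule $rule

# Put the VMs' NICs in the pool. Standard SKU is closed by default: the NSG on the web
# subnet must allow TCP 80 from Internet. Probes arrive from the AzureLoadBalancer tag
# (168.63.129.16), which the default AllowAzureLoadBalancerInBound rule already permits.
foreach ($nicName in 'nic-web-1', 'nic-web-2') {
  $nic = Get-AzNetworkInterface -Name $nicName -ResourceGroupName $rg
  $nic.IpConfigurations[0].LoadBalancerBackendAddressPools.Add($lb.BackendAddressPools[0])
  $nic | Set-AzNetworkInterface | Out-Null
}

# Health probe status per backend from Azure Monitor (DipAvailability): 100 means every
# probe in that minute succeeded. A failed VM reads 0 while the healthy ones keep serving,
# which is the question 522 behaviour made visible.
function Get-ProbeStatus {
  param([string]$LoadBalancerId, [int]$Minutes = 15)
  Get-AzMetric -ResourceId $LoadBalancerId -MetricName 'DipAvailability' `
    -StartTime (Get-Date).AddMinutes(-$Minutes) -EndTime (Get-Date) `
    -TimeGrain '00:01:00' -AggregationType Average `
    -MetricFilter "BackendIPAddress eq '*'" |
    ForEach-Object { $_.Timeseries } |
    ForEach-Object {
      $backend = $_.Metadatavalues[0].Value
      $_.Data | Select-Object @{ n = 'Backend'; e = { $backend } }, TimeStamp, Average
    }
}
Get-ProbeStatus -LoadBalancerId $lb.Id | Format-Table
```

The probe path should be a real readiness check (dependencies reachable, not just the process alive); a /healthz that always returns 200 turns the probe into a TCP check with extra steps.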

523
MCQmedium

Refer to the exhibit. You are reviewing the replication health of an on-premises Hyper-V VM replicated to Azure using Azure Site Recovery. The JSON output shows the properties of the replicated item. The replication health is 'Normal', but the last recovery point is from 2 hours ago. You need to ensure the Recovery Point Objective (RPO) of 15 minutes is met. What is the most likely cause of the issue?

A.The VM's application-consistent snapshot is failing.
B.The target region is not correctly configured in the recovery plan.
C.The Hyper-V host is not registered with the Recovery Services vault.
D.The replication frequency is set to 30 minutes or more.
AnswerD

A latest recovery point that is 2 hours old means new points are not being created at the cadence the RPO needs; the policy's replication frequency (and whether replication is actually running) is the first thing to check.

Why this answer

Option D is the intended answer: the latest recovery point timestamp being 2 hours old shows that recovery points are not being generated often enough for a 15-minute RPO. Hyper-V to Azure replication policies offer a frequency of 30 seconds, 5 minutes or 15 minutes (the option's "30 minutes or more" should be read as "longer than the RPO allows"), so for a 15-minute RPO the policy must use one of those values. A point that is 2 hours old means either the policy interval exceeds the RPO or replication has stalled, for example because the Hyper-V host lacks the bandwidth or connectivity to keep up; health can still report Normal for a while before it degrades to Warning or Critical.

Option A is wrong because a failing application-consistent snapshot affects only app-consistent points; crash-consistent points would still be created at the replication interval, and the failure would surface in health or events rather than as a 2-hour gap. Option B is wrong because the exhibit shows the recovery site as East US, so the target is configured; a recovery plan governs failover ordering, not replication cadence. Option C is wrong because a Hyper-V host that is not registered with the vault could not replicate at all, and the item's health would not be Normal.
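
A check that finds this condition across a vault before the exhibit ever has to be read, as an added example that is not part of the question bank. The vault (rsv-dr in rg-dr) and the policy name used in the fix (hv-to-azure-policy) are assumed; the function compares each protected item's newest recovery point with the RPO and reports the frequency its policy is configured for.

```powershell
# Added example, not from the question bank. Assumed (hypothetical): vault rsv-dr in rg-dr
# already holds the Hyper-V to Azure replication; RPO target is 15 minutes.
$vault = Get-AzRecoveryServicesVault -ResourceGroupName 'rg-dr' -Name 'rsv-dr'
Set-AzRecoveryServicesAsrVaultContext -Vault $vault | Out-Null

# Report every protected item whose newest recovery point is older than the RPO, with the
# frequency its policy is configured for. Recovery point times are UTC.
function Get-RpoViolations {
  param([int]$RpoMinutes = 15)
  foreach ($fabric in Get-AzRecoveryServicesAsrFabric) {
    foreach ($container in Get-AzRecoveryServicesAsrProtectionContainer -Fabric $fabric) {
      foreach ($item in Get-AzRecoveryServicesAsrReplicationProtectedItem -ProtectionContainer $container) {
        $newest = Get-AzRecoveryServicesAsrRecoveryPoint -ReplicationProtectedItem $item |
          Sort-Object RecoveryPointTime -Descending | Select-Object -First 1
        if (-not $newest) { continue }
        $ageMinutes = [math]::Round(((Get-Date).ToUniversalTime() - $newest.RecoveryPointTime).TotalMinutes)
        if ($ageMinutes -le $RpoMinutes) { continue }
        $policy = Get-AzRecoveryServicesAsrPolicy -Name $item.PolicyFriendlyName
        [pscustomobject]@{
          Item               = $item.FriendlyName
          Health             = $item.ReplicationHealth      # can still read Normal with a stale point
          NewestPointAgeMin  = $ageMinutes
          PolicyFrequencySec = $policy.ReplicationProviderSettings.ReplicationFrequencyInSeconds
        }
      }
    }
  }
}
Get-RpoViolations -RpoMinutes 15 | Format-Table

# Fix for the policy-interval case: Hyper-V to Azure supports 30, 300 or 900 seconds.
# A 5-minute interval leaves headroom under a 15-minute RPO; if the policy already says
# 900 and points are still hours old, the problem is throughput, not the setting.
$policy = Get-AzRecoveryServicesAsrPolicy -Name 'hv-to-azure-policy'   # assumed policy name
Update-AzRecoveryServicesAsrPolicy -HyperVToAzure -InputObject $policy `
  -ReplicationFrequencyInSeconds 300 | Out-Null
```

Running the report on a schedule and alerting on any row is a better RPO control than the health colour alone, because health lags behind the recovery point age.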

524
MCQeasy

A company uses Microsoft Entra ID. They need to ensure that users who access sensitive cloud applications from untrusted networks (e.g., public Wi-Fi) are prompted for multi-factor authentication (MFA). Which Microsoft Entra ID feature should they configure?

A.Conditional Access
B.Identity Protection
C.Privileged Identity Management (PIM)
D.Microsoft Entra ID B2C
AnswerA

Conditional Access policies evaluate conditions like network location and can require MFA when accessing from untrusted networks.

Why this answer

Conditional Access policies in Microsoft Entra ID allow administrators to define conditions (e.g., network location, device state) under which access to cloud applications is granted. By configuring a policy that targets sensitive applications and requires MFA when the user's IP address is from an untrusted network (such as public Wi-Fi), the company can enforce MFA only when the risk condition is met, without affecting access from trusted corporate networks.

Exam trap

The trap here is that candidates often confuse Identity Protection's risk-based MFA with Conditional Access's location-based MFA, but Identity Protection alone cannot enforce MFA based solely on network location—it requires a Conditional Access policy to act on the risk signal.

How to eliminate wrong answers

Option B (Identity Protection) is wrong because it focuses on detecting and remediating identity risks (e.g., leaked credentials, sign-ins from anonymous IPs) and can trigger MFA via risk-based Conditional Access, but it is not the feature that directly configures network-location-based MFA prompts; it requires integration with Conditional Access. Option C (Privileged Identity Management) is wrong because it manages just-in-time privileged role activation and approval workflows, not network-based access controls for all users. Option D (Microsoft Entra ID B2C) is wrong because it is a customer-facing identity service for external users (e.g., social logins) and does not apply to internal corporate users accessing sensitive cloud apps.
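
The policy described above, created with the Microsoft Graph PowerShell SDK as an added example that is not part of the question bank. The corporate egress range (203.0.113.0/24, a documentation range), the application ID and the break-glass account object ID are placeholders; the policy is created in report-only mode so its effect can be read from the sign-in logs before it is enforced.

```powershell
# Added example, not from the question bank. Uses the Microsoft Graph PowerShell SDK.
# Assumed (hypothetical) values: corporate egress 203.0.113.0/24, sensitive app ID
# 11111111-1111-1111-1111-111111111111, break-glass account object ID
# 22222222-2222-2222-2222-222222222222.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'
$appId      = '11111111-1111-1111-1111-111111111111'
$breakGlass = '22222222-2222-2222-2222-222222222222'

# 1. Named location for the corporate network, marked trusted so 'AllTrusted' covers it.
New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
  '@odata.type' = '#microsoft.graph.ipNamedLocation'
  displayName   = 'Corporate egress'
  isTrusted     = $true
  ipRanges      = @(@{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = '203.0.113.0/24' })
} | Out-Null

# 2. Policy: all users, the sensitive app, every location except trusted ones, require MFA.
#    The break-glass account is excluded so a misconfiguration cannot lock admins out.
#    Created in report-only mode; set state to 'enabled' after reviewing the impact.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
  displayName = 'Require MFA for sensitive apps from untrusted networks'
  state       = 'enabledForReportingButNotEnforced'
  conditions  = @{
    users        = @{ includeUsers = @('All'); excludeUsers = @($breakGlass) }
    applications = @{ includeApplications = @($appId) }
    locations    = @{ includeLocations = @('All'); excludeLocations = @('AllTrusted') }
  }
  grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# 3. Review: every non-disabled policy that applies to this app, with its location
#    exclusions. A broader policy without a location exclusion would demand MFA from the
#    corporate network too, which is not what the requirement asks for.
function Get-PoliciesForApp {
  param([string]$ApplicationId)
  Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
    $apps = $_.Conditions.Applications.IncludeApplications
    ($apps -contains $ApplicationId -or $apps -contains 'All') -and $_.State -ne 'disabled'
  } | Select-Object DisplayName, State,
      @{ n = 'ExcludedLocations'; e = { $_.Conditions.Locations.ExcludeLocations -join ',' } },
      @{ n = 'Controls';          e = { $_.GrantControls.BuiltInControls -join ',' } }
}
Get-PoliciesForApp -ApplicationId $appId | Format-Table
```

Trusted locations are only as trustworthy as the egress addresses behind them; a shared NAT range that also serves guest Wi-Fi makes "trusted" meaningless, so keep the named location to addresses the company controls.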

525
MCQmedium

Your company has an Azure subscription that contains several virtual machines (VMs) running Windows Server. You need to ensure that all VMs are compliant with a baseline security policy that includes specific registry key settings. The solution must automatically remediate non-compliant settings without manual intervention. What should you use?

A.Azure Automation State Configuration (DSC)
B.Azure Policy with Guest Configuration
C.Microsoft Defender for Cloud with custom recommendations
D.Microsoft Intune
AnswerB

Guest Configuration extends Azure Policy to audit and remediate settings inside VMs, including registry keys, with automatic remediation.

Why this answer

Azure Policy guest configuration (now called machine configuration) runs an agent inside the VM that audits settings such as registry values and, when the policy definition is created in ApplyAndAutoCorrect mode, corrects drift automatically. Built-in definitions cover common baselines; custom ones are built from a DSC configuration with the GuestConfiguration PowerShell module. The assignment is a DeployIfNotExists policy, so it needs a managed identity, and VMs that already exist are brought into compliance by a remediation task; the VMs also need a system-assigned managed identity and the guest configuration extension, which the built-in prerequisites initiative deploys. Option A could also enforce a DSC configuration, but Azure Automation State Configuration is on a retirement path in favour of machine configuration. Option C only reports findings without changing the VM, and Option D manages client devices rather than Azure server VMs.
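
The full path from a registry setting to an auto-correcting policy assignment, as an added example that is not part of the question bank. The storage account (stgcpackages in rg-policy), the subscription-scope assignment and the sample setting (the SMB1 server registry value) are assumed; substitute the keys from your own baseline.

```powershell
# Added example, not from the question bank. Needs the GuestConfiguration and PSDscResources
# modules and an Az login. Assumed (hypothetical): storage account stgcpackages in rg-policy
# for the package, assignment at subscription scope. The registry value is a sample baseline
# setting (SMB1 server disabled); substitute the keys from your own baseline.
Install-Module GuestConfiguration, PSDscResources -Scope CurrentUser -Force

# 1. Desired state as a DSC configuration (compiled to a MOF here, not applied locally).
Configuration BaselineRegistry {
  Import-DscResource -ModuleName PSDscResources
  Node localhost {
    Registry Smb1Disabled {
      Key       = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
      ValueName = 'SMB1'
      ValueType = 'DWord'
      ValueData = '0'
      Ensure    = 'Present'
    }
  }
}
BaselineRegistry -OutputPath ./BaselineRegistry | Out-Null

# 2. Package as AuditAndSet so the in-guest agent can both test and set this configuration.
$package = New-GuestConfigurationPackage -Name 'BaselineRegistry' `
  -Configuration ./BaselineRegistry/localhost.mof -Type AuditAndSet -Path ./package -Force

# 3. Publish the package; the policy references the returned (SAS-signed) URI.
$contentUri = Publish-GuestConfigurationPackage -Path $package.Path `
  -ResourceGroupName 'rg-policy' -StorageAccountName 'stgcpackages' -Force |
  Select-Object -ExpandProperty ContentUri

# 4. Generate a DeployIfNotExists definition in ApplyAndAutoCorrect mode and create it.
#    Audit mode would only report drift; ApplyAndAutoCorrect is what makes remediation automatic.
$generated = New-GuestConfigurationPolicy -PolicyId (New-Guid).Guid -ContentUri $contentUri `
  -DisplayName 'Baseline: SMB1 server disabled on Windows VMs' `
  -Description 'Audits the SMB1 registry value and sets it to 0 when it drifts.' `
  -Path ./policy -Platform Windows -PolicyVersion '1.0.0' -Mode ApplyAndAutoCorrect
$definition = New-AzPolicyDefinition -Name 'baseline-smb1-disabled' -Policy $generated.Path

# 5. Assign with a managed identity (DeployIfNotExists needs one), grant it the role the
#    policy's deployment uses, and remediate VMs that already exist. New VMs are corrected
#    at their next evaluation once they carry the guest configuration extension.
$scope = "/subscriptions/$((Get-AzContext).Subscription.Id)"
$assignment = New-AzPolicyAssignment -Name 'baseline-smb1-disabled' -PolicyDefinition $definition `
  -Scope $scope -IdentityType SystemAssigned -Location 'eastus'
New-AzRoleAssignment -ObjectId $assignment.Identity.PrincipalId `
  -RoleDefinitionName 'Guest Configuration Resource Contributor' -Scope $scope | Out-Null
Start-AzPolicyRemediation -Name 'remediate-smb1' -Scope $scope `
  -PolicyAssignmentId $assignment.PolicyAssignmentId | Out-Null

# 6. Compliance per VM for this assignment, once the agent has reported.
function Get-BaselineCompliance {
  param([string]$AssignmentName)
  Get-AzPolicyState -PolicyAssignmentName $AssignmentName |
    Select-Object ResourceId, ComplianceState, Timestamp
}
Get-BaselineCompliance -AssignmentName 'baseline-smb1-disabled' | Format-Table
```

Keep the package URI private (a SAS with a long expiry is still a credential) and version the package whenever the configuration changes, since the agent caches the package it last downloaded.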
