Microsoft Azure Solutions Architect Expert AZ-305 (AZ-305) — Questions 601675

999 questions total · 14pages · All types, answers revealed

Page 8

Page 9 of 14

Page 10
601
MCQhard

An Azure SQL Database supports a customer-facing application. The company requires automatic failover to a paired region with minimal administrative action. Which feature should be recommended?

A.Zone-redundant storage only
B.Auto-failover group
C.SQL elastic pool only
D.Azure Backup vault only
AnswerB

Auto-failover groups provide geo-replication and listener endpoints for failover across regions.

Why this answer

Auto-failover groups in Azure SQL Database enable automatic, synchronous or asynchronous replication of databases to a paired region, with a built-in listener endpoint that handles transparent failover. This meets the requirement for minimal administrative action because failover can be triggered automatically based on the built-in grace period and health monitoring, without manual intervention.

Exam trap

The trap here is that candidates often confuse zone-redundant storage (which protects against zone failures within a region) with cross-region failover, or mistakenly think an elastic pool provides disaster recovery capabilities when it is only a management unit for performance and cost.

How to eliminate wrong answers

Option A is wrong because zone-redundant storage only protects against an availability zone failure within a single region, not a full regional outage, and does not provide automatic failover to a paired region. Option C is wrong because an SQL elastic pool is a resource management construct for scaling and managing multiple databases within a single server, not a disaster recovery or failover feature. Option D is wrong because Azure Backup vault is used for long-term backup retention and point-in-time restore, not for automatic failover or continuous replication to a paired region.

602
MCQmedium

You are designing a governance solution for a Microsoft Azure environment that contains multiple subscriptions. You need to ensure that all resources are compliant with corporate security policies. The solution must automatically remediate non-compliant resources. What should you include in the design?

A.Azure RBAC custom roles
B.Azure Policy with DeployIfNotExists effect
C.Azure Resource Graph queries
D.Azure Blueprints
AnswerB

Azure Policy with DeployIfNotExists can automatically remediate non-compliant resources.

Why this answer

Azure Policy with the DeployIfNotExists effect is the correct choice because it automatically remediates non-compliant resources by triggering a deployment (e.g., via a template) when a resource is created or updated and does not meet the policy condition. This ensures continuous compliance with corporate security policies without manual intervention, as the effect can also be assigned a remediation task to fix existing resources.

Exam trap

The trap here is that candidates often confuse Azure Policy's audit-only effects (like AuditIfNotExists) with the automatic remediation capability, or they mistakenly think Azure Blueprints can handle ongoing compliance enforcement, when in fact Blueprints are a one-time deployment orchestration tool and do not provide continuous remediation.

How to eliminate wrong answers

Option A is wrong because Azure RBAC custom roles control who can access and manage resources (authorization), not what configurations those resources must comply with (governance), and they cannot automatically remediate non-compliant resources. Option C is wrong because Azure Resource Graph queries are used for exploring and querying resources across subscriptions at scale, but they are read-only and cannot enforce or remediate compliance. Option D is wrong because Azure Blueprints are used to orchestrate the deployment of resource groups, policies, role assignments, and ARM templates as a package, but they do not automatically remediate non-compliant resources after deployment; remediation requires Policy effects like DeployIfNotExists.

603
Multi-Selectmedium

Which TWO Azure services can be used to provide a fully managed DNS solution that supports custom domains and DNSSEC?

Select 1 answer
A.Azure Front Door
B.Azure DNS
C.Azure Traffic Manager
D.Azure App Service
E.Azure Public IP address
AnswersB

Azure DNS is a fully managed DNS service that supports DNSSEC and custom domains.

Why this answer

Azure DNS provides managed DNS with DNSSEC support (if enabled for certain zones). Azure Traffic Manager uses DNS to route traffic but does not manage DNS zones directly. Azure Front Door uses custom domains but does not provide DNS hosting or DNSSEC.

Azure App Service provides custom domains but not DNS management. Azure Public IP does not provide DNS. Therefore, only Azure DNS supports DNSSEC and custom domains.

604
MCQmedium

A company runs a legacy application on Azure Virtual Machines. The application uses a SQL Server database that requires 50,000 IOPS consistently. It also uses a shared file system for storing documents. They plan to migrate from on-premises where they used a SAN for block storage and NAS for file shares. Which combination of Azure storage should they use to meet performance requirements?

A.Premium SSD v2 disks for the database and Azure Files premium tier for the file share.
B.Premium SSD (non-v2) for the database and Azure NetApp Files for the file share.
C.Ultra Disk for the database and Azure Files standard tier for the file share.
D.Standard SSD for the database and Azure Blob Storage for the file share.
AnswerA

Premium SSD v2 can achieve 50,000 IOPS with a 320 GiB disk (which gives 4,000 IOPS per GiB, 320*4000=1,280,000? No, let's check: Premium SSD v2 IOPS scales linearly to 80,000 at 1 TiB, but smaller disks can still achieve high IOPS. It is designed for high-performance databases. Azure Files Premium offers low latency and high throughput for file sharing, suitable for a shared file system.

Why this answer

Premium SSD v2 disks can deliver up to 80,000 IOPS per disk, easily meeting the 50,000 IOPS requirement for the SQL Server database. Azure Files premium tier uses SSD-backed storage and provides consistent low-latency performance suitable for a shared file system, replacing the on-premises NAS. This combination directly maps the SAN (block) and NAS (file) workloads to Azure's highest-performance managed disks and file shares.

Exam trap

The trap here is that candidates often assume Premium SSD (non-v2) or Ultra Disk are the only high-IOPS options, overlooking that Premium SSD v2 is the only managed disk tier that can deliver 50,000 IOPS on a single disk without requiring disk striping or large disk sizes.

How to eliminate wrong answers

Option B is wrong because Premium SSD (non-v2) has a maximum IOPS of 20,000 per disk (for P50 size), which cannot meet the 50,000 IOPS requirement; Azure NetApp Files is a valid file share solution but is overkill and not the most cost-effective choice when Azure Files premium tier suffices. Option C is wrong because Ultra Disk can meet the IOPS requirement, but Azure Files standard tier uses HDD-based storage with much lower IOPS and higher latency, failing the consistent performance needed for the file share. Option D is wrong because Standard SSD maxes out at 6,000 IOPS per disk, far below 50,000 IOPS, and Azure Blob Storage is object storage, not a shared file system (it lacks SMB protocol support for file shares).

605
MCQhard

Refer to the exhibit. You are reviewing an Azure Policy definition. Which virtual machines will be denied?

A.No virtual machines because the condition is invalid
B.All virtual machines regardless of SKU
C.Only virtual machines with SKU Standard_DS2_v2
D.All virtual machines except those with SKU Standard_DS2_v2
AnswerD

The deny effect applies when the SKU is not equal to Standard_DS2_v2.

Why this answer

The Azure Policy definition uses a 'deny' effect with a condition that checks if the virtual machine's SKU field is not equal to 'Standard_DS2_v2'. This means any VM whose SKU does not match 'Standard_DS2_v2' will be denied. Only VMs with the exact SKU 'Standard_DS2_v2' will be allowed, making option D correct.

Exam trap

The trap here is that candidates may misinterpret 'notEquals' as denying the specified SKU, when in fact it denies everything except that SKU, leading them to incorrectly choose option C.

How to eliminate wrong answers

Option A is wrong because the condition 'notEquals' is a valid Azure Policy condition operator, so the policy is not invalid. Option B is wrong because the policy specifically denies VMs that do not match the specified SKU, not all VMs. Option C is wrong because the policy denies VMs that are not 'Standard_DS2_v2', not only those with that SKU; it actually allows VMs with that SKU.

606
MCQeasy

A company runs a global e-commerce application that needs to store product catalog data. The data is JSON documents with variable schemas. The application requires single-digit millisecond read and write latencies at any scale and must support automatic synchronous replication across multiple Azure regions for high availability and low latency reads from any region. Which Azure data service should they choose?

A.Azure SQL Database with active geo-replication
B.Azure Cosmos DB with multi-region writes
C.Azure Table Storage
D.Azure Database for PostgreSQL with read replicas
AnswerB

Cosmos DB natively supports globally distributed data with multi-region writes, automatic and synchronous replication, and guaranteed single-digit millisecond latency at the 99th percentile for reads and writes. It also handles JSON documents with variable schemas.

Why this answer

Azure Cosmos DB with multi-region writes is the correct choice because it natively supports JSON documents with variable schemas, guarantees single-digit millisecond read and write latencies at any scale via its multi-homing API, and provides automatic synchronous replication across multiple Azure regions with active-active configurations. This ensures high availability and low-latency reads from any region without manual failover or data loss.

Exam trap

The trap here is that candidates often confuse 'automatic synchronous replication' with 'active geo-replication' or 'read replicas,' assuming that any multi-region database service provides synchronous writes, whereas only Cosmos DB with multi-region writes offers true synchronous replication across regions for both reads and writes.

How to eliminate wrong answers

Option A is wrong because Azure SQL Database with active geo-replication uses asynchronous replication, which cannot guarantee synchronous multi-region writes and may introduce latency or data loss during failover, and it requires a fixed relational schema, not variable JSON documents. Option C is wrong because Azure Table Storage is a NoSQL key-value store that does not support JSON documents natively, lacks automatic synchronous multi-region replication, and typically offers higher latencies (tens of milliseconds) compared to Cosmos DB's single-digit millisecond guarantees. Option D is wrong because Azure Database for PostgreSQL with read replicas uses asynchronous replication for read scaling, not synchronous multi-region writes, and its relational schema cannot handle variable JSON documents as efficiently as a native document database.

607
MCQmedium

Your company plans to migrate on-premises file servers to Azure. The solution must support SMB protocol and integrate with Microsoft Entra ID for authentication. You need to choose a service that provides fully managed file shares accessible from multiple Azure regions. Which Azure service should you use?

A.Azure Disk Storage
B.Azure Files
C.Azure NetApp Files
D.Azure Blob Storage
AnswerB

Azure Files provides fully managed SMB file shares with Microsoft Entra ID integration and multi-region access.

Why this answer

Option A is correct because Azure Files offers fully managed SMB file shares that can be accessed from multiple regions using Azure File Sync or through public endpoints. It also supports Microsoft Entra ID authentication. Option B (Azure NetApp Files) is for high-performance NFS/SMB but is more expensive.

Option C (Azure Blob Storage) does not support SMB natively (only NFS for premium). Option D (Azure Disk Storage) is for VM disks, not file shares.

608
MCQhard

A company is designing a disaster recovery solution for its on-premises SQL Server databases that are critical for business operations. The databases are approximately 500 GB each. The solution must meet the following requirements: - Replicate data to Azure with minimal data loss (RPO of 15 minutes). - Automatically failover to Azure in case of an on-premises outage. - Use existing SQL Server licenses to minimize costs. Which Azure service should the company use?

A.Azure Site Recovery with SQL Server replication
B.Azure Database Migration Service (DMS)
C.Azure SQL Managed Instance with managed instance link
D.Azure SQL Database Managed Instance with transaction replication
AnswerC

Provides near-real-time replication and automatic failover using existing licenses.

Why this answer

Option D is correct because Azure SQL Managed Instance supports managed instance link for near-real-time replication with RPO of 15 minutes and automatic failover using distributed availability groups. Option A is wrong because Azure Database Migration Service is for one-time migration, not ongoing replication. Option B is wrong because Azure Site Recovery replicates at the VM level, not database-level with SQL-specific consistency.

Option C is wrong because Azure SQL Database Managed Instance does not support Azure Hybrid Benefit for SQL Server licenses in the same way as Azure SQL Managed Instance.

609
MCQmedium

A company runs a critical SQL Server database on Azure Virtual Machines in a single region. They need a disaster recovery solution across regions with a recovery point objective (RPO) of zero. The database is update-intensive with frequent writes. Which configuration should they implement?

A.SQL Server Always On Availability Group with asynchronous commit.
B.SQL Server Always On Availability Group with synchronous commit across regions.
C.Azure Site Recovery to another region.
D.Deploy the VMs in a different availability zone within the same region.
AnswerB

Synchronous commit ensures all transactions are committed on both the primary and secondary replicas before acknowledging the commit to the application. If configured across regions, this provides zero data loss (RPO=0). But network latency can affect write performance.

Why this answer

SQL Server Always On Availability Group with synchronous commit across regions ensures zero data loss because transactions are committed on both the primary and secondary replicas before the primary acknowledges the commit. This meets the RPO of zero, even though it introduces latency due to cross-region synchronization. For an update-intensive workload, synchronous commit is the only option that guarantees no data loss at the cost of increased write latency.

Exam trap

The trap here is that candidates often choose asynchronous commit (Option A) thinking it is sufficient for DR, but the RPO of zero explicitly requires synchronous commit, despite the performance trade-off.

How to eliminate wrong answers

Option A is wrong because asynchronous commit does not guarantee zero data loss; it allows transactions to be committed on the primary without waiting for the secondary, so the secondary can lag behind, violating the RPO of zero. Option C is wrong because Azure Site Recovery replicates at the VM level using crash-consistent or app-consistent snapshots, which cannot achieve an RPO of zero for a high-write database due to replication intervals and potential data loss between snapshots. Option D is wrong because deploying in different availability zones within the same region does not provide cross-region disaster recovery; it only protects against zonal failures within the same region, not a regional outage.

610
MCQeasy

A company deploys a web application on Azure VMs. They need to distribute incoming HTTP and HTTPS traffic based on the URL path: requests to /api/* go to one VM pool, requests to /images/* go to another pool. They also need to offload SSL/TLS termination. Which Azure load balancing solution should they use?

A.Azure Load Balancer
B.Azure Application Gateway
C.Azure Traffic Manager
D.Azure Front Door
AnswerB

Application Gateway is a Layer 7 web traffic load balancer that provides URL path-based routing, SSL termination, and session persistence.

Why this answer

Azure Application Gateway is a layer-7 load balancer that can route traffic based on URL path (e.g., /api/* vs /images/*) and provides SSL/TLS termination at the gateway, offloading the decryption from the backend VMs. This matches both requirements exactly, whereas other solutions either lack layer-7 path-based routing or are designed for global traffic distribution.

Exam trap

The trap here is that candidates often confuse Azure Application Gateway (regional layer-7 routing) with Azure Front Door (global layer-7 routing) or Azure Load Balancer (layer-4), failing to recognize that only Application Gateway provides both URL path-based routing and SSL termination for a single-region deployment.

How to eliminate wrong answers

Option A is wrong because Azure Load Balancer operates at layer 4 (TCP/UDP) and cannot route based on URL path or perform SSL/TLS termination; it only distributes traffic by IP and port. Option C is wrong because Azure Traffic Manager is a DNS-based global traffic load balancer that routes based on DNS queries, not URL paths, and does not offload SSL/TLS termination. Option D is wrong because Azure Front Door is a global layer-7 service that can route by URL path and offload SSL, but it is designed for global distribution across regions, not for routing within a single region to VM pools; Application Gateway is the correct regional solution for this scenario.

611
MCQhard

You are designing an identity solution for a multinational company that uses Microsoft Entra ID. The company has a requirement that all users must authenticate using biometrics or FIDO2 security keys. Which Entra ID feature should you configure?

A.Passwordless authentication
B.Identity Protection
C.Entra Verified ID
D.Conditional Access policies
AnswerD

Conditional Access can require FIDO2 or Windows Hello for Business.

Why this answer

Option D is correct because Conditional Access policies in Microsoft Entra ID allow you to enforce authentication strength requirements, such as requiring biometrics or FIDO2 security keys, by targeting specific user groups or applications. This is achieved by configuring a Conditional Access policy with the 'Require multifactor authentication' control and integrating with authentication methods like Windows Hello for Business or FIDO2 security keys, ensuring that only passwordless authentication methods meeting the company's biometric or FIDO2 requirement are permitted.

Exam trap

The trap here is that candidates confuse the authentication method itself (passwordless authentication) with the policy mechanism (Conditional Access) that enforces its use, leading them to select Option A instead of D.

How to eliminate wrong answers

Option A is wrong because Passwordless authentication is a category of authentication methods (e.g., Windows Hello, FIDO2, Microsoft Authenticator) but not a feature that enforces a requirement; it must be combined with Conditional Access policies to mandate its use. Option B is wrong because Identity Protection is a risk-based detection and remediation service (e.g., detecting leaked credentials or risky sign-ins) and does not enforce specific authentication methods like biometrics or FIDO2. Option C is wrong because Entra Verified ID is a decentralized identity solution for verifiable credentials (e.g., digital IDs for employees or customers) and is unrelated to enforcing authentication method requirements.

612
MCQeasy

Your company needs to store configuration data (key-value pairs) for applications in a highly scalable and low-latency manner. The data is accessed frequently. Which Azure service should you choose?

A.Azure Cosmos DB.
B.Azure Cache for Redis.
C.Azure SQL Database.
D.Azure Table Storage.
AnswerB

In-memory, low-latency, scalable.

Why this answer

Option C is correct because Azure Cache for Redis provides in-memory key-value storage with low latency and high scalability. Option A is wrong because Azure Table Storage is slower. Option B is wrong because Azure Cosmos DB is overkill for simple key-value.

Option D is wrong because Azure SQL Database is relational and has higher latency.

613
MCQhard

You are designing a backup strategy for Azure VMs running critical business applications. The solution must support application-consistent backups and allow for restoration to a different region. Which Azure service and configuration should you use?

A.Azure Backup with application-consistent backup policy and geo-redundant storage
B.Azure Disk Encryption with Azure Backup
C.Azure Snapshot with cross-region copy
D.Azure Site Recovery with replication to secondary region
AnswerA

Azure Backup supports application-consistent VSS backups and geo-restore to paired regions.

Why this answer

Option A is correct because Azure Backup with application-consistent backups and geo-restore meets the requirements. Option B is wrong because Azure Site Recovery is for disaster recovery, not backups. Option C is wrong because Azure Snapshot is not application-consistent.

Option D is wrong because Azure Disk Encryption encrypts disks but does not provide backups.

614
MCQeasy

A company plans to deploy a web application on Azure virtual machines. They want to protect against a datacenter failure within a region. The VMs must be distributed across multiple physically separate locations with independent power, cooling, and networking. Which deployment option should they use?

A.Availability Set
B.Availability Zones
C.Virtual Machine Scale Set
D.Proximity Placement Group
AnswerB

Availability Zones are distinct physical locations within a region, each with independent power, cooling, and networking. Deploying VMs across zones ensures resilience to a datacenter failure.

Why this answer

Availability Zones are physically separate datacenters within an Azure region, each with independent power, cooling, and networking. By deploying VMs across multiple zones, the application is protected against a single datacenter failure, meeting the requirement for fault isolation at the datacenter level.

Exam trap

The trap here is that candidates often confuse Availability Sets (which protect against rack-level failures within a single datacenter) with Availability Zones (which protect against entire datacenter failures), leading them to select the wrong option when the question explicitly requires physically separate locations with independent infrastructure.

How to eliminate wrong answers

Option A is wrong because an Availability Set protects against failures within a single datacenter (rack-level faults) by distributing VMs across update and fault domains, not across physically separate datacenters. Option C is wrong because a Virtual Machine Scale Set is primarily for auto-scaling and managing identical VMs; while it can use Availability Zones, the scale set itself is not a deployment option that guarantees distribution across physically separate locations without explicit zone configuration. Option D is wrong because a Proximity Placement Group is designed to reduce network latency by co-locating VMs close together, which is the opposite of distributing them across physically separate locations.

615
MCQhard

A company runs a critical application on Azure VMs in a single region. They need to implement disaster recovery using Azure Site Recovery (ASR) with a recovery point objective (RPO) of 15 minutes and a recovery time objective (RTO) of 2 hours. The database VMs have a very high data change rate, and the company wants to minimize replication costs. They also need to ensure that in the recovery plan, database VMs start before application VMs, and a script updates DNS records after failover. Which combination of ASR configurations should they use?

A.Enable multi-VM consistency groups and use recovery plans with manual ordering.
B.Enable app-consistent replication and use deployment plans with pre- and post-actions.
C.Enable replication with high churn protection and use recovery plans with availability groups.
D.Enable crash-consistent replication and use recovery plans with pre- and post-actions.
AnswerD

Crash-consistent replication meets the RPO and reduces costs. Recovery plans support pre-actions to control VM startup order and post-actions to run scripts after failover.

Why this answer

Option D is correct because crash-consistent replication is the most cost-effective ASR option for VMs with high data change rates, as it replicates only the data that has changed since the last snapshot without requiring application-level consistency. The RPO of 15 minutes and RTO of 2 hours can be met with crash-consistent replication, and recovery plans with pre- and post-actions allow you to specify that database VMs start before application VMs and run a script to update DNS records after failover.

Exam trap

The trap here is that candidates often assume app-consistent replication is always required for database VMs, but the question explicitly prioritizes minimizing replication costs and only requires a 15-minute RPO, making crash-consistent replication the correct choice despite the high data change rate.

How to eliminate wrong answers

Option A is wrong because multi-VM consistency groups are used to ensure crash-consistent or app-consistent replication across multiple VMs, but they do not address the need to minimize replication costs for high-churn VMs; they also do not provide the ability to run scripts after failover. Option B is wrong because app-consistent replication requires application-level snapshots (e.g., using VSS on Windows), which increases replication overhead and cost, and is not necessary for meeting a 15-minute RPO with high data change rates; deployment plans are not a valid ASR feature. Option C is wrong because 'high churn protection' is not a standard ASR configuration; ASR does not have a specific setting for high churn, and availability groups are a SQL Server feature, not an ASR recovery plan feature.

616
MCQmedium

A company is planning to migrate its on-premises data center to Azure. The company has 50 virtual machines (VMs) running Windows Server and Linux, along with several physical servers hosting legacy applications. The company wants to minimize administrative overhead and use Azure-native services as much as possible. The migration must be performed with minimal downtime and the company wants to assess the readiness of their on-premises environment. They also need to replicate data to Azure for disaster recovery. Which combination of Azure services should the company use to assess, migrate, and replicate?

A.Azure Backup
B.Azure Database Migration Service
C.Azure Migrate
D.Azure Site Recovery
AnswerC

Azure Migrate provides assessment, migration, and integrates with Azure Site Recovery for replication, covering all requirements.

Why this answer

Option A (Azure Migrate) provides assessment and migration capabilities for VMs and physical servers. Option B (Azure Site Recovery) provides replication for disaster recovery. Option C (Azure Backup) provides backup, not real-time replication.

Option D (Azure Database Migration Service) is for databases only. The correct approach is to use Azure Migrate for assessment and migration, and Azure Site Recovery for disaster recovery replication. However, the question asks for a combination in a single answer.

The best answer is Option A: Azure Migrate alone can perform assessment and migration, and it integrates with Azure Site Recovery for replication. But among the options, Option A is the most comprehensive. Option B is only for replication.

Option C is for backup. Option D is for databases. So the correct answer is Azure Migrate.

617
MCQmedium

Your company has an Azure subscription with multiple virtual networks connected via VNet peering. You need to design a solution to allow VMs in different peered VNets to resolve each other's private IP addresses using custom DNS suffixes. The solution must minimize administrative overhead. What should you implement?

A.Deploy custom DNS servers on Azure VMs and configure VNets to use those servers.
B.Configure Azure DNS to use a custom domain name and update each VM's DNS suffix.
C.Use Azure Firewall as a DNS proxy with custom DNS settings.
D.Create an Azure Private DNS Zone linked to each VNet with auto-registration enabled.
AnswerD

Private DNS Zone with auto-registration automatically manages DNS records for VMs across peered VNets.

Why this answer

Option D is correct because Azure Private DNS Zones with auto-registration automatically register and resolve VMs across peered VNets. Option A is wrong because Azure DNS does not support custom DNS suffixes for private IPs. Option B is wrong because custom DNS servers require manual configuration and maintenance.

Option C is wrong because Azure Firewall is not a DNS resolver.

618
MCQeasy

A company is deploying a new application on Azure Kubernetes Service (AKS). The application requires persistent storage that can be dynamically provisioned and accessed by multiple pods simultaneously. Which Azure storage solution should the company use?

A.Azure Blob Storage
B.Azure Files
C.Azure Disk
D.Azure NetApp Files
AnswerB

Azure Files supports ReadWriteMany and can be dynamically provisioned via CSI driver.

Why this answer

Option A (Azure Disk) can only be mounted on a single pod as ReadWriteOnce. Option B (Azure Files) supports ReadWriteMany and can be accessed by multiple pods. Option C (Azure Blob Storage) is object storage not directly mountable as a volume.

Option D (Azure NetApp Files) supports ReadWriteMany but is more expensive and complex. The simplest and most cost-effective solution is Azure Files.

619
MCQmedium

A company uses Microsoft Entra ID (Microsoft Entra ID). They need to automate the process of granting users access to a specific application only during business hours and revoking it automatically. The access should be based on a request-approval workflow. Which Microsoft Entra ID feature should they use?

A.Privileged Identity Management (PIM)
B.Conditional Access
C.Access Reviews
D.Entitlement Management
AnswerD

Entitlement Management enables creation of access packages with policies for time-limited access, approval workflows, and automatic revocation, meeting all requirements.

Why this answer

Entitlement Management (D) is correct because it provides automated access lifecycle management through access packages, which can include time-bound assignments (e.g., business hours) and require approval workflows. This allows you to define policies that grant access to the application only during specified hours and automatically revoke it when the policy expires or conditions change, without manual intervention.

Exam trap

The trap here is confusing Conditional Access (which controls access at authentication time) with Entitlement Management (which provisions and deprovisions access over time), leading candidates to pick B because they focus on the 'business hours' condition rather than the automated lifecycle workflow.

How to eliminate wrong answers

Option A is wrong because Privileged Identity Management (PIM) is designed for just-in-time privileged role activation (e.g., Global Administrator) and does not support time-bound access to non-privileged applications or request-approval workflows for standard users. Option B is wrong because Conditional Access enforces real-time access policies based on signals (e.g., location, device state) but cannot automate granting or revoking access through a request-approval workflow; it is a gate, not a provisioning mechanism. Option C is wrong because Access Reviews only provide periodic attestation of existing access (e.g., recertification) and do not automate the initial granting or time-bound revocation of access based on a request-approval process.

620
MCQmedium

A company is designing a containerized application on Azure Kubernetes Service (AKS). They need to ensure that the control plane is managed by Microsoft and that the worker nodes are isolated to a single tenant. They also require that the worker nodes be automatically patched for security updates. Which AKS node pool type should they use?

A.System node pools
B.Spot node pools
C.User node pools
D.Virtual nodes (serverless)
AnswerA

System node pools are managed and automatically patched.

Why this answer

Option C is correct because system node pools are managed by Azure and provide automatic patching. Option A is incorrect because serverless nodes are for on-demand pods, not managed nodes. Option B is incorrect because user node pools are for user workloads but require manual patching.

Option D is incorrect because spot nodes are for non-critical workloads.

621
MCQhard

A company deploys Azure VNets in multiple regions and has on-premises data centers. They need to connect all VNets to each other and to on-premises sites using the Microsoft global network for optimal routing. They also want to simplify management by using a single orchestration interface. Which Azure service should they use?

A.Azure Virtual Network peering
B.Azure VPN Gateway with multi-site connections
C.Azure ExpressRoute Gateway
D.Azure Virtual WAN
AnswerD

Correct. Virtual WAN connects VNets and on-premises sites over the Microsoft backbone, with centralized routing and management.

Why this answer

Azure Virtual WAN (D) is correct because it provides a hub-and-spoke architecture that connects VNets across multiple regions and on-premises sites using the Microsoft global network for optimal routing. It offers a single orchestration interface (the Virtual WAN portal/API) to manage all connectivity, including site-to-site VPN, ExpressRoute, and VNet-to-VNet traffic, simplifying management and ensuring traffic traverses Microsoft's backbone rather than the public internet.

Exam trap

The trap here is that candidates often confuse Azure Virtual WAN with a simple VPN gateway or peering solution, overlooking that Virtual WAN is specifically designed for large-scale, multi-region, multi-site connectivity with a single management plane, while the other options are point solutions that require complex manual configuration to achieve the same result.

How to eliminate wrong answers

Option A is wrong because Azure Virtual Network peering only connects two VNets directly and does not provide a single orchestration interface for multiple VNets and on-premises sites; it also does not inherently use the Microsoft global network for routing between peered VNets in different regions (traffic may traverse the internet unless ExpressRoute or VPN is added). Option B is wrong because Azure VPN Gateway with multi-site connections can connect multiple on-premises sites to a single VNet, but it does not connect multiple VNets to each other natively (requires additional VPN gateways or peering) and lacks a unified orchestration interface for all connectivity. Option C is wrong because Azure ExpressRoute Gateway provides dedicated private connectivity to on-premises but only connects a single VNet to on-premises; it does not interconnect multiple VNets across regions or offer a single management interface for multi-site and multi-VNet topologies.

622
Multi-Selectmedium

You are designing a monitoring solution for a multi-region application deployed on Azure Virtual Machines and Azure SQL Database. The solution must provide a unified view of metrics and logs from all resources, detect anomalies using machine learning, and send alerts to the operations team. Which TWO capabilities should you include in the design?

Select 2 answers
A.Azure Service Health
B.Azure Application Insights
C.Azure Security Center
D.Azure Monitor
E.Azure Log Analytics
AnswersB, D

Application Insights, part of Azure Monitor, provides application performance monitoring and anomaly detection.

Why this answer

Azure Monitor is the core platform for collecting, analyzing, and acting on telemetry from Azure resources, including metrics and logs from VMs and SQL Database. Application Insights extends Azure Monitor with application performance management (APM) and built-in machine learning anomaly detection (e.g., Smart Detection) for proactive alerting. Together, they provide a unified monitoring view with ML-driven insights.

Exam trap

The trap here is that candidates often confuse Azure Log Analytics as a separate monitoring service rather than recognizing it as a component of Azure Monitor, leading them to select it as an independent capability instead of Azure Monitor itself.

623
Multi-Selecthard

A company is designing hub-and-spoke networking. Spoke VNets must use a central Azure Firewall for outbound internet traffic. Which two configurations are required?

Select 2 answers
A.Enable public IP addresses on all workload VMs
B.Peer each spoke VNet with the hub VNet
C.Associate a route table to spoke subnets with a default route to the firewall private IP
D.Deploy a NAT gateway in every spoke subnet
AnswersB, C

VNet peering provides private connectivity between hub and spokes.

Why this answer

B is correct because VNet peering is required to establish connectivity between the spoke VNets and the hub VNet, enabling traffic to flow through the central Azure Firewall. Without peering, the spoke VNets would be isolated and unable to route traffic to the hub. C is correct because a route table with a default route (0.0.0.0/0) pointing to the firewall's private IP ensures that all outbound internet traffic from spoke subnets is forced through the firewall for inspection and control.

Exam trap

The trap here is that candidates often assume a NAT gateway or public IPs on VMs are needed for outbound internet, but the correct design forces all traffic through the firewall using UDRs and peering, not direct egress.

624
MCQhard

Your company plans to store sensitive customer data in Azure Blob Storage. The data must be encrypted at rest and in transit. Additionally, access must be audited and restricted based on user identity. Which configuration meets these requirements?

A.Use shared access signatures (SAS) for access control.
B.Use Azure RBAC for access and Azure Monitor logs for auditing.
C.Configure network firewalls and use private endpoints.
D.Enable customer-managed keys (CMK) and use SAS.
AnswerB

RBAC provides identity-based access; logs provide auditing.

Why this answer

Option C is correct because Azure Storage provides encryption at rest (SSE) by default, HTTPS ensures encryption in transit, and Azure RBAC with Azure Monitor logs provides identity-based access and auditing. Option A is wrong because SAS tokens do not use user identity. Option B is wrong because customer-managed keys are optional and not required for encryption at rest.

Option D is wrong because firewall rules do not provide identity-based access control.

625
MCQeasy

A company needs to connect its on-premises data center to Azure for hybrid workloads. The connection must be private, dedicated, and provide guaranteed bandwidth. Which Azure service should they use?

A.Azure VPN Gateway
B.Azure ExpressRoute
C.Azure Virtual WAN
D.Azure Peering Service
AnswerB

Correct. ExpressRoute offers a dedicated, private connection with bandwidth guarantees and higher reliability than VPN.

Why this answer

Azure ExpressRoute provides a private, dedicated connection from on-premises to Azure, bypassing the public internet. It offers guaranteed bandwidth, higher reliability, and lower latency compared to VPN-based solutions, making it ideal for hybrid workloads requiring consistent performance.

Exam trap

The trap here is that candidates often confuse Azure VPN Gateway's 'dedicated tunnel' concept with true dedicated bandwidth, overlooking that VPNs still traverse the public internet and cannot guarantee performance, while ExpressRoute provides a physically isolated connection with contractual bandwidth guarantees.

How to eliminate wrong answers

Option A is wrong because Azure VPN Gateway uses encrypted tunnels over the public internet, which cannot provide dedicated bandwidth or guaranteed performance. Option C is wrong because Azure Virtual WAN is a networking orchestration service that can aggregate VPN, ExpressRoute, and SD-WAN connections, but it does not itself provide a dedicated, private connection with guaranteed bandwidth. Option D is wrong because Azure Peering Service is designed to optimize connectivity to Microsoft cloud services over the internet via partner ISPs, not to provide a dedicated private link with guaranteed bandwidth.

626
MCQmedium

A company has two on-premises data centers and an Azure subscription. They need to connect each data center to Azure with a private, high-bandwidth, and reliable connection. They also want a low-cost backup connection for each data center in case the primary connection fails. Which combination of connectivity options should they recommend?

A.A
B.B
C.C
D.D
AnswerA

Deploy an ExpressRoute circuit for each data center as the primary connection, and a site-to-site VPN as the backup connection for each. This provides high bandwidth and reliability with a cost-effective failover.

Why this answer

Azure ExpressRoute provides a private, high-bandwidth, and reliable connection from on-premises data centers to Azure, bypassing the public internet. To meet the low-cost backup requirement, Azure VPN Gateway (Site-to-Site VPN) offers a secure, encrypted connection over the internet as a failover path, which is significantly cheaper than a second ExpressRoute circuit. This combination ensures primary connectivity via ExpressRoute and cost-effective redundancy via VPN.

Exam trap

The trap here is that candidates often assume two ExpressRoute circuits are needed for redundancy, overlooking the cost-effective VPN backup option that still meets the 'low-cost' requirement while providing private connectivity only for the primary link.

How to eliminate wrong answers

Option B is wrong because using two ExpressRoute circuits for primary and backup is not low-cost; it doubles the recurring expense and is unnecessary for a backup path. Option C is wrong because using two Site-to-Site VPN connections for both primary and backup does not provide the high-bandwidth, reliable, private connection required; VPNs are internet-based and subject to latency and bandwidth limitations. Option D is wrong because using a single ExpressRoute circuit without any backup fails the requirement for a backup connection in case of failure.

627
MCQmedium

A company deploys a web application on Azure virtual machines (VMs) across multiple availability zones. The application needs to automatically distribute incoming HTTPS traffic, offload SSL/TLS termination, and provide session persistence. Additionally, the solution must include a Web Application Firewall (WAF) to protect against common web vulnerabilities. Which Azure load balancing solution should they use?

A.Azure Load Balancer
B.Azure Traffic Manager
C.Azure Application Gateway
D.Azure Front Door
AnswerC

Application Gateway is a Layer 7 load balancer that supports SSL termination, cookie-based session affinity, and includes a built-in Web Application Firewall for protection against web attacks.

Why this answer

Azure Application Gateway is the correct choice because it is a Layer 7 load balancer that can route HTTPS traffic, offload SSL/TLS termination, and provide session persistence (cookie-based affinity). It also natively integrates a Web Application Firewall (WAF) to protect against common web vulnerabilities like SQL injection and cross-site scripting.

Exam trap

The trap here is that candidates often confuse Azure Front Door with Application Gateway because both offer WAF and SSL offload, but Front Door is optimized for global multi-region traffic management, not for intra-region zone-resilient load balancing with session persistence, which is the specific requirement in this question.

How to eliminate wrong answers

Option A is wrong because Azure Load Balancer operates at Layer 4 (TCP/UDP) and cannot perform SSL/TLS termination, session persistence based on application cookies, or provide a WAF. Option B is wrong because Azure Traffic Manager is a DNS-based traffic load balancer that routes traffic at the DNS level (Layer 3/4) and does not handle SSL/TLS termination, session persistence, or WAF capabilities. Option D is wrong because Azure Front Door is a global Layer 7 load balancer and CDN that can offload SSL and provide WAF, but it is designed for global HTTP(S) traffic distribution across regions, not for intra-region multi-zone distribution with session persistence; Application Gateway is the appropriate choice for regional, zone-resilient deployments.

628
MCQmedium

Your company operates in a highly regulated industry and must retain all sign-in logs for 7 years. The logs must be immutable and cannot be modified or deleted by administrators. You need to design a monitoring solution that stores sign-in logs in a cost-effective manner while meeting compliance requirements. The solution should also allow for real-time analysis of sign-in activity. What should you include in the design?

A.Stream sign-in logs to Log Analytics for real-time analysis and simultaneously archive them to an Azure Storage account with immutable blob policy (WORM).
B.Stream sign-in logs to Azure Event Hubs and then to cold storage in Azure Blob with lifecycle management.
C.Stream sign-in logs to Log Analytics workspace with 7-year retention and use Azure Policy to restrict deletion.
D.Use Azure Data Explorer to store logs for 7 years and configure a purge policy to prevent deletion.
AnswerA

Log Analytics provides real-time query; immutable storage ensures compliance.

Why this answer

Option A is correct because it meets both compliance and real-time analysis requirements. Streaming sign-in logs to Log Analytics enables real-time monitoring and querying, while simultaneously archiving them to an Azure Storage account with an immutable blob policy (WORM) ensures the logs cannot be modified or deleted for the required 7-year retention period. This combination provides cost-effective long-term storage (Azure Blob is cheaper than Log Analytics for long-term retention) and satisfies regulatory immutability mandates.

Exam trap

The trap here is that candidates often assume Log Analytics retention alone suffices for compliance, but Log Analytics does not provide immutable storage, and Azure Policy cannot prevent data modification within the workspace; the correct approach requires separate immutable archival in Azure Storage.

How to eliminate wrong answers

Option B is wrong because Azure Event Hubs is a real-time ingestion service, but cold storage in Azure Blob with lifecycle management does not provide immutability; lifecycle management can delete blobs based on rules, which violates the requirement that logs cannot be modified or deleted by administrators. Option C is wrong because Log Analytics workspace retention of 7 years does not guarantee immutability; Azure Policy can restrict deletion of the workspace but cannot prevent data modification or deletion within the workspace itself, and Log Analytics does not natively support WORM (Write Once, Read Many) compliance. Option D is wrong because Azure Data Explorer (ADX) is designed for interactive analytics, not long-term immutable archival; a purge policy is used to delete data, not to prevent deletion, and ADX does not provide WORM capabilities required for regulatory compliance.

629
MCQmedium

Your organization is implementing a zero-trust security model. You need to ensure that all access to corporate resources from mobile devices is conditional based on device compliance, user risk, and location. Which Microsoft Entra ID feature should you use?

A.Identity Protection
B.Microsoft Intune
C.Conditional Access policies
D.Microsoft Defender XDR
AnswerC

Conditional Access integrates with Intune compliance and Identity Protection to enforce granular access policies.

Why this answer

Conditional Access policies in Microsoft Entra ID are the correct choice because they allow you to enforce access controls based on conditions such as device compliance (via integration with Microsoft Intune), user risk (via integration with Identity Protection), and location (via IP ranges or named locations). This directly supports the zero-trust principle of 'never trust, always verify' by evaluating signals before granting access to corporate resources.

Exam trap

The trap here is that candidates often confuse Microsoft Intune (which manages device compliance) with the policy engine that enforces access decisions, failing to realize that Conditional Access is the orchestration layer that consumes compliance, risk, and location signals to enforce zero-trust access.

How to eliminate wrong answers

Option A is wrong because Identity Protection is a feature within Entra ID that detects and responds to identity-based risks (e.g., leaked credentials, anonymous IP addresses), but it does not itself enforce access decisions or combine multiple conditions like device compliance and location—it only provides risk signals that Conditional Access policies can consume. Option B is wrong because Microsoft Intune is a mobile device management (MDM) and mobile application management (MAM) service that manages device compliance policies (e.g., requiring encryption, PIN), but it does not evaluate user risk or location, nor does it enforce conditional access decisions at the authentication gateway—it only reports device compliance status to Entra ID. Option D is wrong because Microsoft Defender XDR is a unified security incident and response platform that correlates alerts across endpoints, email, and identities, but it does not enforce real-time access control policies based on device compliance, user risk, or location at the authentication layer—it focuses on threat detection and response, not conditional access enforcement.

630
MCQeasy

Your company has an Azure subscription with a single virtual network. You need to design a solution to back up Azure VMs to meet a 7-day retention policy. The backup data must be stored in a separate region for compliance. What should you use?

A.Azure Backup with cross-region restore (CRR) enabled
B.Azure Site Recovery with replication to a secondary region
C.Azure File Share snapshots stored in a different region
D.Azure Backup with default geo-redundant storage (GRS) in the same region
AnswerA

CRR stores backup metadata and data in the secondary region.

Why this answer

Option D is correct because Azure Backup can be configured with cross-region restore (CRR) to store backup data in a paired region. Option A is wrong because Azure Site Recovery is for replication, not backup. Option B is wrong because Azure Backup's default is geo-redundant storage (GRS) which replicates to a paired region.

Option C is wrong because Azure Files snapshots are for file shares, not VMs.

631
MCQmedium

A company uses Microsoft Entra ID. They want to block all access to corporate applications from devices that are not managed by their organization. They require that only devices enrolled in Microsoft Intune and compliant with company policies can access company resources. Which Microsoft Entra ID feature should they use?

A.Conditional Access policy requiring device compliance
B.Identity Protection with user risk policy
C.Privileged Identity Management (PIM)
D.Microsoft Entra ID Join process
AnswerA

Correct. Conditional Access evaluates device compliance (from Intune) and can block or grant access accordingly.

Why this answer

Option A is correct because Conditional Access policies in Microsoft Entra ID can enforce device compliance as a condition for granting access. By configuring a policy that requires devices to be marked as compliant in Microsoft Intune, only devices enrolled and meeting company policies can access corporate applications, effectively blocking unmanaged devices.

Exam trap

The trap here is that candidates may confuse Identity Protection's user risk policies with device-based controls, or assume that simply joining a device to Entra ID (Option D) is sufficient to enforce compliance, when in fact a Conditional Access policy is required to block non-compliant devices.

How to eliminate wrong answers

Option B is wrong because Identity Protection with user risk policy focuses on detecting and responding to risky user behavior (e.g., leaked credentials, anonymous IP addresses) rather than evaluating device management or compliance status. Option C is wrong because Privileged Identity Management (PIM) provides just-in-time privileged access and role activation controls, not device-level access restrictions. Option D is wrong because Microsoft Entra ID Join is a device identity registration process that enables devices to authenticate with Entra ID, but it does not by itself enforce compliance policies or block non-compliant devices; it must be combined with a Conditional Access policy to achieve the described requirement.

632
MCQmedium

You are designing a solution to store sensitive documents in Azure Blob Storage. The data must be encrypted at rest and access must be audited. You need to ensure that the encryption keys are managed by your organization and that access to the keys is logged. Which combination of Azure services should you use?

A.Azure Storage encryption with customer-managed keys in Azure Key Vault and Azure Monitor
B.Azure Disk Encryption with Azure Key Vault
C.Azure Storage encryption with Microsoft-managed keys and Azure Monitor
D.Azure Information Protection and Azure Sentinel
AnswerA

Customer-managed keys provide control and key access logging via Key Vault diagnostics.

Why this answer

Option B is correct because using customer-managed keys (CMK) with Azure Key Vault allows you to control encryption keys and enable logging for key access. Azure Storage encryption with CMK requires Key Vault for key storage. Option A uses Microsoft-managed keys, which do not provide key control.

Option C uses Azure Information Protection, which is for classification, not storage encryption. Option D uses Azure Disk Encryption, which is for VM disks, not Blob Storage.

633
MCQeasy

A company runs a critical application on Azure virtual machines (VMs) in the West US region. They need a disaster recovery solution that replicates the VMs to East US with a recovery point objective (RPO) of 15 minutes and a recovery time objective (RTO) of 2 hours. The application consists of multiple VMs, and the company needs to be able to fail over a single VM without impacting others during an actual disaster. They also want to periodically test the recovery process without affecting the production environment. Which Azure Site Recovery feature should they use to enable non-disruptive testing?

A.Recovery Plans
B.Planned failover
C.Test failover
D.Network mapping
AnswerC

Test failover creates an isolated copy of replicated VMs in a separate virtual network for validation purposes, without affecting ongoing replication or production. It is designed exactly for non-disruptive disaster recovery drills.

Why this answer

Test failover (Option C) is the correct feature because it allows you to validate your disaster recovery process by creating an isolated copy of your replicated VMs in a separate test network, without impacting the ongoing replication or the production environment. This directly meets the requirement for periodic, non-disruptive testing while maintaining the RPO of 15 minutes and RTO of 2 hours.

Exam trap

The trap here is that candidates often confuse 'Test failover' with 'Planned failover' or 'Recovery Plans,' mistakenly thinking that any failover action must impact production, when in fact Test failover is specifically designed to be isolated and non-disruptive.

How to eliminate wrong answers

Option A is wrong because Recovery Plans are used to orchestrate the failover sequence of multiple VMs and run custom scripts, but they do not provide a mechanism for non-disruptive testing; they are executed during actual failover or test failover, not as a testing feature themselves. Option B is wrong because Planned failover is designed for zero-data-loss migration or maintenance scenarios where both sites are healthy and no data loss is tolerated, but it requires stopping production VMs and is not a testing mechanism—it disrupts production. Option D is wrong because Network mapping defines how source and target networks correspond for failover, but it is a configuration prerequisite, not a feature for executing a non-disruptive test.

634
MCQhard

You are designing a monitoring solution for a hybrid environment with on-premises servers and Azure VMs. You need to collect performance data from all servers and visualize it in a single dashboard. Which Azure service should you use?

A.Azure Service Health
B.Azure Workbooks
C.Azure Arc
D.Azure Monitor
AnswerD

Azure Monitor can collect data from hybrid environments and create dashboards.

Why this answer

Azure Monitor is the correct service because it provides a unified platform for collecting, analyzing, and visualizing performance data from both on-premises servers and Azure VMs. By deploying the Azure Monitor agent on all servers, you can send metrics and logs to a single Log Analytics workspace and then use Azure Workbooks or Metrics Explorer to create a consolidated dashboard.

Exam trap

The trap here is that candidates often confuse Azure Workbooks (a visualization tool) with a monitoring solution, forgetting that Workbooks are just a presentation layer and require a data source like Azure Monitor to function.

How to eliminate wrong answers

Option A is wrong because Azure Service Health is a service that provides personalized alerts and guidance for Azure service issues and planned maintenance, not for collecting or visualizing server performance data. Option B is wrong because Azure Workbooks is a visualization tool that can create rich dashboards, but it is not a data collection service; it relies on data already in Azure Monitor (e.g., Log Analytics or Metrics). Option C is wrong because Azure Arc extends Azure management and governance to on-premises and multi-cloud resources, but it does not itself collect performance data or provide a dashboard; it can enable Azure Monitor agents on those servers, but the monitoring and visualization are still done by Azure Monitor.

635
MCQmedium

A company runs a file server on Azure VMs using Windows Server. The server stores business-critical documents. You need to design a backup strategy that meets a recovery point objective (RPO) of 1 hour and recovery time objective (RTO) of 4 hours. The solution must be cost-effective. Which backup solution should you use?

A.Azure Site Recovery
B.Azure Backup for Azure Blobs
C.Azure Backup for Azure VMs
D.Azure File Sync
AnswerC

Azure Backup provides VM-level backups with customizable frequency and retention.

Why this answer

Option D is correct because Azure Backup for Azure VMs provides application-consistent backups with a frequency of up to every hour, meeting RPO of 1 hour, and RTO of a few hours for file-level restore. Option A (Azure Site Recovery) is for replication, more costly. Option B (Azure File Sync) syncs files, not backup.

Option C (Azure Backup for blobs) is for blobs, not VMs.

636
MCQmedium

A company deploys a web application on Azure VMs. The application stores session state and frequently accessed product data. They need a low-latency, in-memory cache to reduce database load and improve response times. The cache must be managed and support data persistence with replication across availability zones within the region. Which Azure service and tier should they choose?

A.Azure Cache for Redis (Premium tier)
B.Azure Cache for Redis (Basic tier)
C.Azure Cache for Redis (Standard tier)
D.Azure Cache for Redis (Enterprise tier)
AnswerA

The Premium tier of Azure Cache for Redis provides features like data persistence (RDB/AOF), clustering, and zone redundancy with replication across availability zones for high availability. It is fully managed.

Why this answer

Azure Cache for Redis Premium tier is the correct choice because it supports data persistence (RDB/AOF), replication across availability zones via zone redundancy, and provides low-latency, in-memory caching for session state and product data. The Basic tier lacks replication and persistence, Standard tier offers replication but not zone redundancy or persistence, and Enterprise tier is overkill for this scenario, adding unnecessary cost and complexity.

Exam trap

The trap here is that candidates often confuse the Standard tier's replication (which is within a single datacenter) with zone redundancy, or assume Enterprise tier is always better for persistence, when Premium tier specifically offers both persistence and zone redundancy at a lower cost.

How to eliminate wrong answers

Option B (Basic tier) is wrong because it provides no replication, no data persistence, and no SLA, making it unsuitable for high-availability or durable caching needs. Option C (Standard tier) is wrong because while it offers replication within a single datacenter, it does not support zone redundancy across availability zones or built-in data persistence (RDB/AOF). Option D (Enterprise tier) is wrong because it is designed for advanced scenarios like active geo-replication and Redis modules (RediSearch, RedisBloom), which are not required here, and it incurs higher cost without providing additional benefit for basic session state and product caching.

637
MCQeasy

Your company uses Azure Policy to enforce tagging standards. You need to ensure that any new resource group automatically inherits the 'CostCenter' tag from its subscription. Which Azure Policy effect should you use?

A.modify
B.deny
C.audit
D.append
AnswerA

Modify effect can add or update tags, including inheriting from subscription.

Why this answer

The 'modify' effect is correct because it enables Azure Policy to add, update, or remove tags on resources and resource groups during creation or update. When combined with a 'deployIfNotExists' policy that targets resource groups, the 'modify' effect can automatically apply the 'CostCenter' tag from the subscription to any new resource group at creation time, ensuring inheritance without manual intervention.

Exam trap

The trap here is that candidates often confuse 'append' with 'modify', assuming 'append' can dynamically inherit tags, but 'append' only adds static values and cannot reference the subscription's tag or trigger remediation tasks.

How to eliminate wrong answers

Option B is wrong because 'deny' blocks the creation or update of a resource that does not comply with the policy, but it does not automatically add or inherit tags; it only prevents non-compliant resources from being created. Option C is wrong because 'audit' only logs non-compliant resources for evaluation without taking any automatic remediation action, so tags would not be inherited. Option D is wrong because 'append' adds fields to a resource during creation or update but cannot modify existing tags or handle complex inheritance logic; it is limited to adding new properties and does not support the 'deployIfNotExists' remediation task required for tag inheritance.

638
MCQeasy

A company uses Microsoft Entra ID (Microsoft Entra ID). They need to allow external business partners to request access to a specific application. The access must be time-limited and require approval from the partner's manager. Additionally, access must automatically expire after the defined period. Which Microsoft Entra ID feature should they use?

A.Microsoft Entra ID Privileged Identity Management (PIM)
B.Microsoft Entra ID Entitlement Management
C.Microsoft Entra ID Identity Protection
D.Microsoft Entra ID Access Reviews
AnswerB

Entitlement Management allows administrators to create catalogs of access packages, which can include external users, with approval workflows and automatic expiration and removal.

Why this answer

Microsoft Entra ID Entitlement Management enables organizations to manage access for external business partners through access packages. These packages can enforce time-limited access, require manager approval, and automatically expire access after a defined period, directly meeting all the stated requirements.

Exam trap

The trap here is that candidates often confuse Entitlement Management with PIM because both involve time-limited access, but PIM is strictly for privileged roles within the organization, not for external partner application access with manager approval.

How to eliminate wrong answers

Option A is wrong because Privileged Identity Management (PIM) is designed for just-in-time privileged role activation and oversight, not for granting time-limited access to applications for external partners. Option C is wrong because Identity Protection focuses on detecting and responding to identity-based risks, such as compromised credentials or suspicious sign-ins, not on managing access requests or approvals. Option D is wrong because Access Reviews are used to periodically audit and confirm existing access assignments, not to handle initial access requests with manager approval and automatic expiration.

639
Multi-Selecthard

You are designing a backup and disaster recovery strategy for a SQL Server database hosted on an Azure virtual machine. The database is critical and has a recovery point objective (RPO) of 15 minutes and a recovery time objective (RTO) of 4 hours. Which THREE services should you include in the solution?

Select 3 answers
A.Azure Backup
B.Azure SQL Database backup
C.Azure Files
D.Azure Site Recovery
E.Azure SQL Database auto-failover groups
AnswersA, B, D

Provides backup of SQL Server on Azure VM.

Why this answer

Options B, C, and D are correct. Azure Backup can back up the VM and database with application-consistent backups. Azure Site Recovery replicates the VM to another region for DR.

Azure SQL Database auto-failover groups are for PaaS, not IaaS. Option A is wrong because Azure SQL Database is a different service; for SQL Server on VM, you need IaaS solutions. Option E is wrong because Azure Files is for file shares, not SQL.

640
MCQmedium

Your company has a Microsoft Entra ID tenant with 10,000 users. You are designing an identity governance solution to automate user access reviews for critical applications. The compliance team requires that access reviews be conducted quarterly and that any reviewer who does not respond within 7 days have their decisions auto-approved. You need to implement the solution using Microsoft Entra ID Governance. What should you do?

A.Use Microsoft Entra Privileged Identity Management (PIM) to require activation for access to critical applications.
B.Create an access review with 'Auto deny' after 7 days of no response.
C.Create a recurring campaign in Microsoft Purview Compliance Manager.
D.Create an access review with 'Auto approve' after 7 days of no response.
AnswerD

Auto-approve meets the requirement to approve if no response within 7 days.

Why this answer

Option B is correct because access reviews with auto-approve after 7 days meets the requirement. Option A is wrong because auto-deny would revoke access, not approve. Option C is wrong because PIM is for privileged roles, not general access reviews.

Option D is wrong because recurring campaigns in Microsoft Purview are for data classification, not access reviews.

641
MCQhard

An organization is designing a storage solution for Azure VMs running a database that requires low latency and high IOPS. The data is critical and must be durable with automatic replication across multiple datacenters in the same region. Which Azure managed disk type and redundancy option should they choose?

A.Standard SSD with GRS
B.Premium SSD with ZRS
C.Ultra Disk with LRS
D.Premium SSD v2 with LRS
AnswerB

Premium SSD with ZRS provides high IOPS and replicates across multiple datacenters within a region.

Why this answer

Premium SSD v2 managed disks with locally-redundant storage (LRS) provide high IOPS and low latency with synchronous replication within a datacenter, but LRS is not multi-datacenter. For multi-datacenter within a region, zone-redundant storage (ZRS) is needed, but Premium SSD v2 does not support ZRS. The correct choice is Premium SSD with ZRS to meet durability across datacenters.

Option A is wrong because Premium SSD v2 with LRS is not multi-datacenter. Option C is wrong because Standard SSD is lower performance. Option D is wrong because Ultra Disk with LRS is single-datacenter.

642
MCQmedium

You are deploying an Azure SQL Database using the ARM template snippet above. Which of the following describes the resulting database configuration?

A.Standard tier with 100 DTUs
B.Zone-redundant deployment
C.Maximum size of 10 GB
D.Premium tier with 100 DTUs
AnswerA

S3 corresponds to Standard tier with 100 DTUs.

Why this answer

The ARM template snippet specifies `requestedServiceObjectiveName: "S0"`, which maps to the Standard service tier with 100 DTUs. The S0 performance level in Azure SQL Database provides 100 DTUs and a maximum database size of 250 GB, making option A correct.

Exam trap

The trap here is that candidates often confuse the maximum size limits between tiers (e.g., assuming S0 has a 10 GB limit like Basic) or mistakenly associate the DTU count (100) with the Premium tier, overlooking that the `requestedServiceObjectiveName` value explicitly defines the tier and performance level.

How to eliminate wrong answers

Option B is wrong because zone-redundant deployment is only available for the Premium and Business Critical service tiers, not the Standard tier, and the template does not include any zone-redundant configuration property. Option C is wrong because the Standard S0 tier has a maximum size of 250 GB, not 10 GB; the 10 GB limit applies to the Basic tier (B). Option D is wrong because the template specifies `requestedServiceObjectiveName: "S0"`, which is a Standard tier objective, not a Premium tier; Premium tiers use objectives like P1, P2, etc., and offer higher DTUs and features like zone redundancy.

643
MCQeasy

A company needs to store and analyze petabytes of IoT telemetry data. The data is append-only and rarely updated. They require SQL-based querying and columnar storage for fast analytics. Which Azure storage solution should you choose?

A.Azure Cosmos DB with analytical store
B.Azure SQL Database with columnstore indexes
C.Azure Blob Storage with Azure Cognitive Search
D.Azure Data Lake Storage Gen2 with Azure Synapse SQL pool
AnswerD

Data Lake Storage Gen2 provides scalable storage and Synapse SQL pool enables SQL over Parquet.

Why this answer

Azure Data Lake Storage Gen2 (ADLS Gen2) provides hierarchical namespace and petabyte-scale storage optimized for big data analytics. When combined with Azure Synapse SQL pool (formerly SQL DW), it enables SQL-based querying over columnar storage (using PolyBase or CETAS) for fast analytics on append-only IoT telemetry data. This combination supports massive data volumes, append-only workloads, and columnar storage for high-performance analytical queries.

Exam trap

The trap here is that candidates often choose Azure SQL Database with columnstore indexes (Option B) because they focus on the 'SQL-based querying and columnar storage' requirement without considering the petabyte-scale constraint, which exceeds Azure SQL Database's maximum storage capacity.

How to eliminate wrong answers

Option A is wrong because Azure Cosmos DB with analytical store is designed for globally distributed, multi-model NoSQL data with automatic indexing, not for petabyte-scale append-only IoT telemetry requiring SQL-based columnar analytics; its analytical store uses Azure Synapse Link but is optimized for operational data, not bulk append-only streams. Option B is wrong because Azure SQL Database with columnstore indexes is a relational OLTP database with a maximum size of 4 TB (or 128 TB with Hyperscale), which cannot handle petabytes of data, and columnstore indexes are best for read-mostly workloads but the service lacks the distributed scale-out architecture needed for petabyte-scale analytics. Option C is wrong because Azure Blob Storage with Azure Cognitive Search provides object storage and full-text search capabilities, not SQL-based querying or columnar storage; Cognitive Search is for indexing and searching unstructured text, not for analytical queries on structured IoT data.

644
Multi-Selectmedium

Which TWO Azure services can be used together to provide a disaster recovery solution for an on-premises SQL Server database with an RPO of 5 minutes and an RTO of 30 minutes? (Select TWO.)

Select 2 answers
A.Azure SQL Database failover groups
B.Azure Backup for SQL Server
C.Azure SQL Managed Instance failover groups
D.SQL Server Log Shipping to Azure
E.Azure Site Recovery
AnswersA, C

Provides automatic geo-replication and failover.

Why this answer

Options A and D are correct. Azure SQL Managed Instance has a failover group feature that can replicate the database to a secondary region with automatic failover, meeting RPO/RTO. Alternatively, SQL Server Stretch Database is outdated; the correct answer is Azure SQL Database Managed Instance failover groups.

Option B is wrong because Azure Site Recovery replicates VMs, not databases directly. Option C is wrong because Azure Backup has a higher RPO. Option E is wrong because Log Shipping is an on-premises feature.

645
MCQmedium

A company wants to automatically detect sign-in attempts from anonymous IP addresses and sign-ins from unfamiliar locations. When such a risk is detected, they want to require multi-factor authentication (MFA) or block the sign-in in real time. Additionally, they need a dashboard that shows risk events and allows generating weekly risk reports. Which Microsoft Entra ID feature should they use?

A.Microsoft Entra ID Identity Protection
B.Microsoft Entra ID Conditional Access
C.Microsoft Entra ID Privileged Identity Management
D.Microsoft Entra ID Identity Governance
AnswerA

Identity Protection detects risky sign-ins and user behavior and allows automated responses (MFA, block) along with risk reporting.

Why this answer

Microsoft Entra ID Identity Protection is the correct feature because it specifically detects sign-in risks such as anonymous IP addresses and unfamiliar locations, and it can automatically enforce conditional access policies like requiring MFA or blocking sign-ins in real time. It also provides a dashboard for risk events and supports generating weekly risk reports, directly matching all stated requirements.

Exam trap

The trap here is that candidates often confuse Conditional Access as the detection mechanism, but it is only the enforcement layer; Identity Protection is the service that actually detects the risks and provides the risk signals that Conditional Access uses.

How to eliminate wrong answers

Option B is wrong because Conditional Access is a policy engine that enforces access controls based on conditions, but it does not itself detect risks like anonymous IPs or unfamiliar locations; it relies on Identity Protection to provide risk signals. Option C is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role assignments and access reviews, not risk detection or sign-in anomaly monitoring. Option D is wrong because Identity Governance focuses on access lifecycle management, entitlement reviews, and compliance, not real-time risk detection or MFA enforcement during sign-in.

646
MCQmedium

You are designing a backup and disaster recovery strategy for an Azure SQL Database instance that runs a critical business application. The database is 500 GB and experiences high transaction rates. The recovery point objective (RPO) is 1 minute and recovery time objective (RTO) is 1 hour. What should you recommend?

A.Enable geo-redundant backup storage and use geo-restore in the secondary region.
B.Configure automated backups with locally-redundant storage (LRS) and enable point-in-time restore.
C.Configure active geo-replication to a secondary region in the same Azure geography.
D.Export the database to a bacpac file daily and store it in Azure Blob Storage.
AnswerC

Active geo-replication provides RPO of seconds and RTO of minutes with automatic failover.

Why this answer

Option D is correct because active geo-replication provides RPO < 1 minute and RTO < 1 hour with automatic failover. Option A (auto backup with LRS) has RPO > 1 minute. Option B (geo-restore) has RTO > 1 hour.

Option C (export to blob) has high RTO.

647
MCQhard

A company runs a large-scale write-intensive application that requires a horizontally scalable relational database. They need to distribute data across multiple nodes to handle high write throughput while supporting SQL queries, including joins and transactions. The solution must be fully managed and provide elastic scaling. Which Azure database service should they choose?

A.Azure SQL Database Hyperscale
B.Azure Cosmos DB
C.Azure Database for PostgreSQL Hyperscale (Citus)
D.Azure SQL Managed Instance
AnswerC

Citus distributes data across multiple nodes, allowing horizontal scaling for write-heavy workloads. It supports full SQL, joins, and transactions, meeting the relational database requirements.

Why this answer

Azure Database for PostgreSQL Hyperscale (Citus) is the correct choice because it provides horizontal scaling (sharding) across multiple worker nodes using the Citus extension, which distributes data and parallelizes SQL queries. It supports full SQL, including joins and transactions, while offering elastic scaling for write-intensive workloads. This makes it ideal for large-scale relational databases that need high write throughput and horizontal scalability.

Exam trap

The trap here is that candidates often confuse 'horizontal scaling' with 'hyperscale' or 'managed instance' options, assuming any 'scalable' database service supports distributed writes, but only Citus provides true horizontal sharding for relational workloads with full SQL and transaction support.

How to eliminate wrong answers

Option A is wrong because Azure SQL Database Hyperscale is designed for read-intensive workloads with fast scaling of compute and storage, but it does not distribute data across multiple nodes for horizontal write scaling; it uses a single primary node with page servers for storage. Option B is wrong because Azure Cosmos DB is a NoSQL database that does not support full relational SQL features like joins and transactions across multiple documents in the same way a relational database does; it is schema-agnostic and not a relational database. Option D is wrong because Azure SQL Managed Instance is a fully managed instance of SQL Server that provides vertical scaling but not horizontal scaling across multiple nodes; it is limited to a single instance and does not distribute data across nodes for high write throughput.

648
MCQmedium

You are reviewing a PowerShell script for Azure SQL Database. The exhibit shows the script that sets backup retention. What is the effect of running this script?

A.It sets the short-term backup retention to 7 days, enabling point-in-time restore within that period.
B.It enables geo-redundant backups for the database.
C.It sets the long-term retention (LTR) backup policy to 7 days.
D.It increases the backup retention from 7 to 35 days.
AnswerA

Short-term retention applies to point-in-time restore backups.

Why this answer

The script sets the short-term backup retention policy to 7 days for the database 'mydb'. This means point-in-time restore (PITR) backups are retained for 7 days. Option A is incorrect because it says 14 days.

Option D is incorrect because it only affects short-term retention.

649
MCQmedium

A company has multiple Azure virtual networks (VNets) in different regions connected via VNet peering. They also have an on-premises data center connected to Azure via ExpressRoute. They need to provide internet-bound traffic from all Azure VNets through a single, centralized network virtual appliance (NVA) in the hub VNet for security inspection. They also need to ensure that traffic between VNets and on-premises is routed optimally without going through the internet. Which Azure solution should they implement?

A.Implement VNet peering with user-defined routes (UDRs) to force traffic through the NVA
B.Use Azure Firewall in each VNet to inspect traffic locally
C.Deploy an Azure Virtual WAN with a secured hub (Azure Firewall) and route traffic through it
D.Use Azure Route Server to propagate routes to all VNets
AnswerC

Virtual WAN provides automatic transitive routing, centralized security, and integrates with ExpressRoute, meeting all requirements.

Why this answer

Option C is correct because Azure Virtual WAN with a secured hub (Azure Firewall) provides a centralized, managed routing architecture that meets all requirements. It automatically routes internet-bound traffic from all VNets through the Azure Firewall in the hub for security inspection, while also ensuring optimal routing between VNets and on-premises via ExpressRoute without traversing the internet. This solution eliminates the need for manual UDRs and complex NVA management, as Virtual WAN handles routing and security centrally.

Exam trap

The trap here is that candidates often confuse Azure Virtual WAN with simple VNet peering or assume that Azure Route Server alone can provide centralized security inspection, but Virtual WAN is the only solution that combines centralized routing, security, and automatic propagation across multiple regions.

How to eliminate wrong answers

Option A is wrong because VNet peering with UDRs to force traffic through an NVA requires complex manual route management and does not scale well across multiple regions; it also does not inherently optimize on-premises routing without additional configuration. Option B is wrong because deploying Azure Firewall in each VNet inspects traffic locally, not centrally, which violates the requirement for a single, centralized inspection point and increases operational overhead. Option D is wrong because Azure Route Server propagates routes between NVAs and VNets but does not provide centralized internet-bound traffic inspection or force traffic through a single NVA; it is designed for dynamic route exchange, not security inspection.

650
MCQeasy

A company has a disaster recovery plan that requires testing failover of Azure VMs regularly without impacting the production environment. Which feature of Azure Site Recovery should they use?

A.Planned failover
B.Test failover
C.Unplanned failover
D.Failback
AnswerB

Test failover creates a non-production copy for validation.

Why this answer

Test failover (also known as drill) allows you to validate your disaster recovery plan without affecting production. Option A is incorrect because planned failover is for actual migration. Option C is incorrect because unplanned failover is for actual disasters.

Option D is incorrect because failback is for returning to primary after failover.

651
MCQeasy

A company wants to ensure that their Azure SQL Database can continue to serve read-write traffic if the primary region becomes unavailable. They require minimal data loss. What should they implement?

A.Use Azure Backup with cross-region restore
B.Deploy the database across two Availability Zones
C.Configure an auto-failover group with a secondary in another region
D.Read-scale replicas in the same region
AnswerC

Auto-failover groups provide automated failover.

Why this answer

Option C is correct because an auto-failover group with active geo-replication provides automated failover with minimal data loss. Option A is wrong because read-scale replicas are for read-only. Option B is wrong because Azure SQL Database does not use Availability Zones for cross-region DR.

Option D is wrong because Azure Backup does not provide failover.

652
MCQmedium

A company uses Microsoft Entra ID (Microsoft Entra ID) for identity management. They want to enforce that only devices compliant with security policies (e.g., BitLocker enabled, antivirus running) can access corporate cloud applications (Microsoft 365 and custom SaaS apps). They also need a dashboard to monitor device compliance status. Which Microsoft Entra ID feature(s) should they configure?

A.Conditional Access policies with device compliance conditions, and Microsoft Intune for compliance management
B.Microsoft Entra ID Identity Protection with user risk policies
C.Microsoft Entra ID Access Reviews
D.Microsoft Entra ID Device Registration only
AnswerA

Conditional Access enforces device compliance for access. Intune defines and monitors compliance policies. The Intune console provides compliance dashboards.

Why this answer

Option A is correct because Conditional Access policies in Microsoft Entra ID can enforce device compliance as a condition for granting access to cloud applications, while Microsoft Intune provides the device compliance policies (e.g., BitLocker, antivirus) and the dashboard to monitor compliance status. Together, they ensure only compliant devices can access corporate resources and provide visibility into device health.

Exam trap

The trap here is that candidates often confuse Identity Protection (user risk) with device compliance, or assume Device Registration alone is sufficient, missing the need for Intune to define and monitor compliance policies.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra ID Identity Protection focuses on user and sign-in risk (e.g., leaked credentials, anonymous IP addresses), not device compliance status or enforcement. Option C is wrong because Microsoft Entra ID Access Reviews are used for periodic attestation of group memberships, application access, and role assignments, not for device compliance monitoring or conditional access based on device state. Option D is wrong because Microsoft Entra ID Device Registration only registers devices in the directory, but without Intune or Conditional Access, it cannot enforce compliance policies or provide a compliance dashboard.

653
Drag & Dropmedium

Drag and drop the steps to implement Azure Backup for an Azure virtual machine into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Create vault, define policy, assign VM, enable backup, test.

654
MCQeasy

A company deploys a web application on Azure VMs across availability zones. They need to distribute HTTPS traffic, offload SSL termination, and maintain session persistence. They do not require traffic inspection. Which Azure load balancing solution should they use?

A.Azure Application Gateway v2.
B.Azure Load Balancer (Standard).
C.Azure Traffic Manager.
D.Azure Front Door.
AnswerA

Application Gateway supports HTTPS termination, cookie-based session persistence, and health probes, all at layer 7. It is designed for web traffic within a region and can be deployed across availability zones.

Why this answer

Azure Application Gateway v2 is the correct choice because it is a Layer 7 load balancer that supports HTTPS traffic distribution, SSL termination (offloading the decryption burden from backend VMs), and session persistence via cookie-based affinity. It meets all requirements without needing traffic inspection, which is optional and can be disabled.

Exam trap

The trap here is that candidates often confuse Azure Load Balancer (Layer 4) with Application Gateway (Layer 7), assuming any load balancer can handle SSL termination, but only Layer 7 solutions like Application Gateway or Front Door can offload SSL and maintain session persistence at the application layer.

How to eliminate wrong answers

Option B (Azure Load Balancer Standard) is wrong because it operates at Layer 4 (TCP/UDP) and cannot perform SSL termination or application-layer session persistence; it only distributes traffic based on IP and port. Option C (Azure Traffic Manager) is wrong because it is a DNS-based global traffic router that does not handle HTTPS traffic directly, SSL termination, or session persistence at the application layer. Option D (Azure Front Door) is wrong because it is a global Layer 7 service with built-in WAF and traffic inspection capabilities, which is unnecessary here and adds complexity; it also requires a custom domain for SSL termination, whereas Application Gateway v2 is a regional solution better suited for this scenario.

655
MCQmedium

You are designing a disaster recovery solution for an Azure IaaS workload. The application runs on Azure VMs in a single region and requires a Recovery Point Objective (RPO) of 15 minutes and a Recovery Time Objective (RTO) of 4 hours. Which of the following is the most cost-effective approach to meet these requirements?

A.Configure geo-redundant storage (GRS) for the VM disks and manually attach them to new VMs in the secondary region.
B.Use Azure Front Door with a back-end pool containing VMs in both regions, and configure health probes to route traffic on failure.
C.Deploy Azure Site Recovery to replicate VMs to the secondary region with a replication policy that meets the RPO and RTO.
D.Use Azure Backup to back up VMs to a Recovery Services vault in the secondary region and perform restore during failover.
AnswerC

Azure Site Recovery offers continuous replication with RPO as low as 30 seconds and automated failover minutes, meeting both requirements cost-effectively.

Why this answer

Option C is correct because Azure Site Recovery provides replication with RPO as low as 30 seconds to another region, easily meeting 15 minutes, and automated failover within minutes, meeting 4-hour RTO. Option A is wrong because geo-redundant storage applies to storage accounts, not VMs, and doesn't provide automated failover. Option B is wrong because backing up to a secondary region via Azure Backup has an RPO of 1-2 hours and RTO of hours to days.

Option D is wrong because Azure Front Door is for web traffic load balancing, not VM failover.

656
MCQhard

Refer to the exhibit. You assign this Azure Policy to a management group. A user creates a new virtual machine without any tags. What will happen?

A.The policy is not evaluated because the resource is new.
B.The virtual machine is created with the 'Environment' tag automatically added.
C.The virtual machine creation is denied.
D.The virtual machine is created without the tag, and a compliance alert is generated.
AnswerB

The 'modify' effect adds the tag during resource creation.

Why this answer

The Azure Policy in the exhibit uses the 'DeployIfNotExists' effect, which automatically deploys a tag (e.g., 'Environment') to resources that lack it during creation or update. Since the policy is assigned at the management group level, it applies to all child subscriptions and resources, including new virtual machines. When a user creates a VM without tags, the policy evaluates the resource and adds the missing tag without denying the creation or requiring manual intervention.

Exam trap

The trap here is that candidates confuse 'DeployIfNotExists' with 'Deny' or 'Audit', assuming a missing tag will block creation or only generate an alert, rather than understanding that 'DeployIfNotExists' automatically remediates the non-compliance.

How to eliminate wrong answers

Option A is wrong because Azure Policy evaluates all resources, including new ones, at creation time; the 'DeployIfNotExists' effect specifically triggers on new resources. Option C is wrong because the policy uses 'DeployIfNotExists', not 'Deny', so the VM creation is allowed and the tag is added automatically. Option D is wrong because the policy does not generate a compliance alert; it actively remediates the missing tag by deploying it, and compliance is reported as non-compliant until remediation completes.

657
MCQeasy

A company deploys a web application on multiple Azure virtual machines (VMs) in a single region. The application receives HTTP and HTTPS traffic. They need to distribute the traffic across the VMs, offload SSL/TLS termination, and ensure that client requests from the same user session are always sent to the same backend VM (session persistence). Additionally, they need to route requests based on URL paths (e.g., /api/* to one pool, /images/* to another). Which Azure load balancing solution should they use?

A.Azure Load Balancer
B.Azure Application Gateway
C.Azure Front Door
D.Azure Traffic Manager
AnswerB

Application Gateway is a layer-7 load balancer that supports SSL termination, cookie-based session affinity, and URL path-based routing to multiple backend pools.

Why this answer

Azure Application Gateway is the correct choice because it is a layer-7 load balancer that supports SSL/TLS termination, URL path-based routing, and session persistence (sticky sessions) via cookies. These features directly match the requirements for distributing HTTP/HTTPS traffic, offloading SSL, routing requests based on URL paths, and maintaining user session affinity to the same backend VM.

Exam trap

The trap here is that candidates often confuse Azure Load Balancer (layer 4) with Application Gateway (layer 7), assuming any load balancer can handle SSL termination and URL routing, but only layer-7 solutions like Application Gateway provide these application-level features.

How to eliminate wrong answers

Option A is wrong because Azure Load Balancer operates at layer 4 (TCP/UDP) and cannot perform SSL/TLS termination, URL path-based routing, or session persistence based on HTTP cookies. Option C is wrong because Azure Front Door is a global layer-7 load balancer and CDN designed for multi-region traffic distribution, not for routing within a single region, and it does not support URL path-based routing to separate backend pools in the same region. Option D is wrong because Azure Traffic Manager is a DNS-based traffic load balancer that operates at layer 3/4 and cannot offload SSL/TLS, route based on URL paths, or provide session persistence.

658
MCQhard

A company uses Microsoft Entra ID (Microsoft Entra ID) Premium P2. They need to automatically detect users whose credentials have been leaked and require them to reset their password at their next sign-in. Additionally, they want to block sign-ins from anonymous IP addresses (e.g., Tor network). Which combination of Microsoft Entra ID features should they enable to meet both requirements?

A.Conditional Access with MFA policy and Identity Protection sign-in risk policy
B.Identity Protection user risk policy and sign-in risk policy
C.Privileged Identity Management and Conditional Access
D.Microsoft Entra ID Connect Health and Identity Protection
AnswerB

Identity Protection user risk policy can detect leaked credentials and force password change on sign-in. The sign-in risk policy can block sign-ins from anonymous IP addresses, meeting both requirements.

Why this answer

Option B is correct because Identity Protection user risk policy can automatically detect leaked credentials and force a password reset at next sign-in, while the sign-in risk policy can block sign-ins from anonymous IP addresses (e.g., Tor). These two policies together address both requirements without needing additional Conditional Access or MFA policies.

Exam trap

The trap here is that candidates confuse Conditional Access with Identity Protection risk policies, not realizing that leaked credential detection and anonymous IP blocking are native Identity Protection risk policies, not Conditional Access controls.

How to eliminate wrong answers

Option A is wrong because Conditional Access with MFA policy does not detect leaked credentials or block anonymous IPs; it only enforces MFA based on conditions, not risk. Option C is wrong because Privileged Identity Management (PIM) manages just-in-time privileged access and does not detect leaked credentials or block anonymous IPs; Conditional Access alone cannot detect leaked credentials without Identity Protection. Option D is wrong because Microsoft Entra ID Connect Health monitors synchronization health and does not provide user risk or sign-in risk policies for leaked credentials or anonymous IP blocking.

659
Multi-Selecthard

Which THREE considerations are important when designing a data storage solution for a high-throughput IoT ingestion pipeline in Azure?

Select 3 answers
A.Network latency between devices and Azure
B.Ingestion throughput limits of the storage service
C.Data retention and archival policies
D.Partitioning strategy to distribute load
E.Data consistency levels required by downstream consumers
AnswersB, C, D

Must ensure the service can handle the peak ingestion rate.

Why this answer

Option B is correct because Azure Storage services like Blob Storage and Event Hubs have defined ingestion throughput limits (e.g., up to 20 MB/s per partition or 1 MB/s per ingress for standard-tier Event Hubs). Exceeding these limits causes throttling (HTTP 429 errors) and data loss, making throughput capacity a critical design consideration for high-throughput IoT pipelines.

Exam trap

The trap here is confusing network-level considerations (latency, bandwidth) with storage-level design constraints (throughput limits, partitioning), leading candidates to select Option A instead of focusing on the storage service's inherent ingestion capacity.

660
MCQeasy

A company runs a web application on Azure VMs in a single region. The application must scale out automatically based on CPU utilization. The VMs are behind an Azure Load Balancer. Which Azure service should they use to automatically add or remove VMs based on demand?

A.Azure Virtual Machine Scale Sets
B.Azure App Service
C.Azure Functions
D.Azure Batch
AnswerA

Correct: VMSS provides autoscaling based on metrics and integrates with Azure Load Balancer.

Why this answer

Azure Virtual Machine Scale Sets (VMSS) is the correct service because it provides automatic scaling of identical VM instances based on metrics like CPU utilization. When you configure an autoscale rule on a VMSS, it automatically adds or removes VM instances behind the Azure Load Balancer, ensuring the application scales out or in based on demand without manual intervention.

Exam trap

The trap here is that candidates often confuse Azure App Service's autoscale feature (which scales the number of App Service instances, not VMs) with the requirement to scale VMs behind a load balancer, leading them to select App Service instead of VMSS.

How to eliminate wrong answers

Option B (Azure App Service) is wrong because it is a platform-as-a-service (PaaS) offering for web apps, not a service that manages VMs behind a load balancer; it does not allow you to run custom VMs with full control over the OS. Option C (Azure Functions) is wrong because it is a serverless compute service for event-driven code, not designed for long-running web applications on VMs, and it does not integrate with Azure Load Balancer for VM-level scaling. Option D (Azure Batch) is wrong because it is a job-scheduling and compute-management service for large-scale parallel and HPC workloads, not for automatically scaling VMs behind a load balancer based on CPU utilization.

661
MCQmedium

Your organization has multiple Azure subscriptions. You need to create a central view of policy compliance across all subscriptions. What should you use?

A.Azure Monitor
B.Azure Policy compliance dashboard
C.Azure Resource Graph
D.Azure Blueprints
AnswerB

The compliance dashboard shows policy compliance across subscriptions.

Why this answer

Option B is correct because Azure Policy compliance dashboard shows compliance across subscriptions. Option A is wrong because Azure Monitor is for telemetry. Option C is wrong because Azure Resource Graph is for querying resources.

Option D is wrong because Azure Blueprints is for deploying environments.

662
Multi-Selectmedium

A company is migrating a legacy application that uses Oracle Database to Azure. They want to minimize code changes and maintain compatibility with Oracle PL/SQL. Which TWO Azure data services should they consider?

Select 2 answers
A.Azure SQL Database
B.Azure SQL Managed Instance with Oracle compatibility
C.Azure Database for PostgreSQL with Oracle compatibility extension
D.Azure Cosmos DB
E.Azure Database for MySQL
AnswersB, C

Supports Oracle features like PL/SQL.

Why this answer

Azure SQL Managed Instance with Oracle compatibility (option B) provides a high degree of PL/SQL compatibility through its 'Oracle compatibility mode,' which supports stored procedures, triggers, and functions written in PL/SQL with minimal changes. This service also offers a fully managed SQL Server engine that can run Oracle workloads with near-zero code modifications, making it ideal for legacy application migration.

Exam trap

The trap here is that candidates often assume only a single service can provide Oracle compatibility, but the question explicitly asks for TWO options, and the PostgreSQL extension is a valid second choice that many overlook because they focus solely on SQL Server-based solutions.

663
MCQhard

Refer to the exhibit. You need to enable public access to the storage account for a specific IP address while keeping the default action as Deny. What should you do?

A.Set the bypass to None to allow all traffic.
B.Set the networkAcls to an empty list to remove restrictions.
C.Add an IP rule with the specific IP address to the ipRules array.
D.Change the defaultAction to Allow and remove the Deny rule.
AnswerC

Adding an IP rule allows that IP while defaultAction remains Deny.

Why this answer

Option C is correct because the Azure Storage account firewall allows you to create IP rules that grant access to specific public IP addresses or ranges while keeping the default action as Deny. By adding an IP rule with the specific IP address to the `ipRules` array, you explicitly allow that IP through the firewall, and all other traffic is denied by the default rule. This is the standard method to enable selective public access without changing the default deny behavior.

Exam trap

The trap here is that candidates often think they must change the default action to Allow and then add a Deny rule, but Azure Storage firewall does not support explicit Deny rules for IP addresses—only Allow rules—so the correct approach is to keep the default as Deny and add an Allow rule for the specific IP.

How to eliminate wrong answers

Option A is wrong because setting the bypass to 'None' would not allow all traffic; it would actually prevent any Azure services from bypassing the firewall, but it does not affect IP-based access rules and would still require explicit IP rules to allow traffic. Option B is wrong because setting the `networkAcls` to an empty list would remove all network ACL rules, including any IP rules, leaving only the default action (Deny) in effect, which would block all traffic including the specific IP address. Option D is wrong because changing the `defaultAction` to Allow would permit all public traffic, which violates the requirement to keep the default action as Deny and only allow the specific IP address.

664
MCQeasy

A company uses Microsoft Entra ID (Microsoft Entra ID). They need to generate periodic reports of user sign-ins and audit activities for compliance. They want to store the logs for 1 year. Which Azure service should they use?

A.Microsoft Entra ID sign-in logs and audit logs with retention set to 1 year in the Azure portal
B.Azure Monitor Log Analytics workspace with Microsoft Entra ID diagnostic settings
C.Azure Storage account with lifecycle management
D.Azure Event Hubs for streaming
AnswerB

Diagnostic settings send logs to Log Analytics, which allows configurable retention up to 2 years (or more).

Why this answer

Option B is correct because Microsoft Entra ID sign-in and audit logs are retained for only 30 days by default. To store them for 1 year, you must route the logs via diagnostic settings to an Azure Monitor Log Analytics workspace, which allows configurable retention up to 2 years (or more with a commitment tier). This is the only native Azure service that supports long-term retention of Entra ID logs for compliance reporting.

Exam trap

The trap here is that candidates assume the Azure portal's retention slider for Entra ID logs can be extended beyond 30 days, but Microsoft intentionally limits it to 30 days to force the use of diagnostic settings and Log Analytics for long-term retention.

How to eliminate wrong answers

Option A is wrong because the Azure portal's retention setting for Entra ID sign-in and audit logs only allows a maximum of 30 days; you cannot set it to 1 year directly in the portal. Option C is wrong because while an Azure Storage account with lifecycle management can store logs for 1 year, it does not support querying or generating periodic compliance reports—it is a cold storage solution, not a reporting tool. Option D is wrong because Azure Event Hubs is a real-time streaming service for log ingestion, not a storage or reporting solution; it cannot retain logs for 1 year or generate periodic reports.

665
Multi-Selecthard

A company needs to design a data storage solution for a global SaaS application that requires multi-region writes with conflict resolution. The data model includes both structured and unstructured data. Which THREE Azure data services should they consider?

Select 3 answers
A.Azure Blob Storage
B.Azure SQL Database with active geo-replication
C.Azure Cache for Redis
D.Azure Table Storage
E.Azure Cosmos DB
AnswersA, B, E

For unstructured data.

Why this answer

Azure Blob Storage is correct because it provides globally scalable, object-based storage for unstructured data (such as images, videos, and documents) that can be accessed from anywhere via HTTP/HTTPS. It supports geo-redundant storage options (e.g., GRS, RA-GRS) and can be integrated with Azure Front Door or Traffic Manager to enable multi-region read access, though it does not natively handle multi-region writes with conflict resolution—this is why it is paired with Cosmos DB for structured data.

Exam trap

The trap here is that candidates often assume Azure SQL Database with active geo-replication supports multi-region writes, but it only supports a single writable primary with readable secondaries, not true multi-region writes with conflict resolution.

666
MCQhard

Refer to the exhibit. You are reviewing a Bicep template for a storage account. You need to ensure that the storage account is only accessible via HTTPS and uses TLS 1.2. Which property validates this requirement?

A.type: Microsoft.Storage/storageAccounts
B.accessTier: Hot
C.supportsHttpsTrafficOnly: true and minimumTlsVersion: TLS1_2
D.name: stprod001
AnswerC

These properties enforce HTTPS and TLS 1.2.

Why this answer

Option C is correct because the `supportsHttpsTrafficOnly` property enforces that all traffic to the storage account must use HTTPS, and the `minimumTlsVersion` property set to `TLS1_2` ensures that only TLS 1.2 or higher is accepted. Together, these two properties satisfy the requirement of HTTPS-only access with TLS 1.2, as defined in the Azure Storage security baseline.

Exam trap

The trap here is that candidates often confuse `supportsHttpsTrafficOnly` with a simple boolean toggle and forget that `minimumTlsVersion` is a separate, required property to enforce the specific TLS version, leading them to select an option that only partially addresses the requirement.

How to eliminate wrong answers

Option A is wrong because the `type` property only declares the resource provider and type (`Microsoft.Storage/storageAccounts`), not any security settings for HTTPS or TLS. Option B is wrong because `accessTier: Hot` controls the storage tier (Hot, Cool, Archive) for blob data, not transport security protocols. Option D is wrong because the `name` property simply assigns the storage account name (`stprod001`) and has no effect on HTTPS or TLS enforcement.

667
MCQeasy

A company deploys a critical multi-tier application on Azure VMs. The application includes a database tier that must be recovered to the same point in time as the application tier after a disaster. They use Azure Site Recovery (ASR) for disaster recovery to a secondary region. They also need to run a custom script after failover to update connection strings. Which ASR feature should they use?

A.Recovery plans with pre-actions and post-actions
B.Replication policies with application-consistent snapshots
C.Multi-VM consistency groups
D.Azure Backup with cross-region restore
AnswerA

Recovery plans enable ordering of VM groups and execution of scripts via pre- and post-actions.

Why this answer

Recovery plans in Azure Site Recovery allow you to define pre-actions and post-actions, which can run custom scripts (e.g., PowerShell) after failover to update connection strings. This ensures the application tier can connect to the recovered database tier, meeting the requirement for a custom script execution after failover. The other options do not provide the ability to run custom scripts as part of the failover sequence.

Exam trap

The trap here is that candidates often confuse multi-VM consistency groups (which ensure crash-consistent recovery across VMs) with the ability to run post-failover scripts, but only recovery plans provide the orchestration layer for custom actions like updating connection strings.

How to eliminate wrong answers

Option B is wrong because replication policies with application-consistent snapshots ensure data consistency for crash-consistent recovery but do not allow running custom scripts after failover. Option C is wrong because multi-VM consistency groups ensure all VMs in a group fail over to a consistent point in time, but they do not provide a mechanism to execute post-failover scripts. Option D is wrong because Azure Backup with cross-region restore provides backup-based recovery, not real-time replication, and does not support custom script execution as part of a failover orchestration.

668
MCQeasy

A company plans to migrate on-premises SQL Server databases to Azure. They need to minimize changes to existing applications and want to use the latest features of SQL Server. Which Azure data service should they use?

A.SQL Server on Azure Virtual Machines
B.Azure SQL Managed Instance
C.Azure SQL Database
D.Azure Cosmos DB
AnswerB

Managed Instance offers high compatibility with on-premises SQL Server and latest features.

Why this answer

Option A is correct because Azure SQL Managed Instance provides near 100% compatibility with SQL Server, minimizing application changes, and supports the latest SQL Server features. Option B is wrong because Azure SQL Database requires application changes for database-level compatibility. Option C is wrong because SQL Server on Azure VMs requires management of OS and SQL Server.

Option D is wrong because Azure Cosmos DB is NoSQL, not compatible with SQL Server.

669
MCQmedium

You are designing a solution to securely store and manage secrets for multiple applications deployed in Azure. The solution must support automated rotation of secrets and provide audit logging. Which Azure service should you use?

A.Microsoft Entra ID application registration
B.Azure App Service Key Vault references
C.Azure Key Vault with managed identity and rotation policy
D.Azure Automation with PowerShell runbooks
AnswerC

Supports automated rotation and audit logging.

Why this answer

Option C is correct because Azure Key Vault with managed identities and rotation policies provides automated secret rotation and audit logging. Option A is wrong because Azure App Service Key Vault references are for referencing secrets, not managing rotation. Option B is wrong because Azure Automation can rotate secrets but is more complex.

Option D is wrong because Microsoft Entra ID is for identity, not secret storage.

670
MCQhard

You manage a globally distributed application using Azure Cosmos DB. You need to design a business continuity strategy that ensures zero data loss and automatic failover in case of a regional outage. The application must continue to serve reads and writes during a region failure. What should you recommend?

A.Use Azure Cosmos DB accounts with a single write region and enable service-managed failover.
B.Use Azure Cosmos DB accounts with multi-region writes but disable automatic failover and rely on manual failover.
C.Configure single-region writes with strong consistency and enable automatic failover.
D.Configure multi-region writes with eventual consistency and enable automatic failover.
AnswerD

Multi-region writes with automatic failover provide zero data loss and continuous availability for both reads and writes.

Why this answer

Azure Cosmos DB multi-region writes with automatic failover ensures zero data loss and continuous availability for both reads and writes. Option A is incorrect because single-region writes with eventual consistency may result in data loss. Option B is incorrect because it does not guarantee zero data loss.

Option D is incorrect because manual failover does not meet automatic failover requirement.

671
MCQhard

Contoso Ltd. runs a mission-critical application on Azure VMs in the West US region. They require an RPO of 15 minutes and an RTO of 1 hour in case of a regional disaster. They plan to use Azure Site Recovery. The application stores data on managed disks and uses a Premium SSD v2 disk for the database. The application also uses Azure SQL Database for some transactional data. What should Contoso do to meet the recovery objectives for the entire solution?

A.Configure Azure Site Recovery for the VMs with Premium SSD v2 disks and configure active geo-replication with auto-failover groups for Azure SQL Database.
B.Use Azure Backup for the VMs and configure long-term retention for the Azure SQL Database backups.
C.Configure Azure Site Recovery for the VMs and also for the Azure SQL Database by adding it to the replication group.
D.Deploy the application across two Azure regions using Azure Front Door and active geo-replication for Azure SQL Database.
AnswerA

ASR supports Premium SSD v2 disks; Azure SQL Database active geo-replication with auto-failover groups meets the RPO/RTO.

Why this answer

Option D is correct because Azure Site Recovery supports Premium SSD v2 disks for replication, and for Azure SQL Database, active geo-replication with a failover group can achieve RPO of 5 seconds and RTO of 1 hour. Option A is wrong because Azure SQL Database replication is not part of ASR; ASR does not replicate Azure SQL Database. Option B is wrong because Azure Backup is for data backup, not replication with the required RPO/RTO.

Option C is wrong because the application requires both VM and database recovery; only focusing on one component fails the overall solution.

672
MCQmedium

A company plans to deploy a multi-tier application on Azure. The web tier requires SSL termination and health probes. The application tier must be isolated from the internet. The database tier requires high availability. They want to minimize administrative overhead and use Azure native services. Which architecture should they recommend?

A.Azure Application Gateway for web tier, Azure Load Balancer (internal) for application tier, and Azure SQL Database with active geo-replication
B.Azure Front Door for web tier, Azure Load Balancer for database tier, and SQL Server on Azure VMs with Always On
C.Azure Traffic Manager for web tier, Azure Application Gateway for database tier, and Azure SQL Database with failover groups
D.Azure Application Gateway for web tier, Azure Load Balancer (internal) for application tier, and Azure SQL Database with geo-restore
AnswerA

Application Gateway handles SSL termination and probes; internal Load Balancer keeps app tier private; SQL Database active geo-replication provides HA.

Why this answer

Option A is correct because Azure Application Gateway provides SSL termination and health probes for the web tier, an internal Azure Load Balancer isolates the application tier from the internet, and Azure SQL Database with active geo-replication offers high availability with automatic failover, minimizing administrative overhead by using PaaS services.

Exam trap

The trap here is that candidates often confuse Azure Front Door or Traffic Manager with Application Gateway for SSL termination and health probes, or assume that geo-restore provides the same automatic high availability as active geo-replication, leading them to choose options that either lack required features or increase administrative overhead.

How to eliminate wrong answers

Option B is wrong because Azure Front Door is a global load balancer for web traffic, but it does not natively provide SSL termination for a single-region web tier, and using Azure Load Balancer for the database tier is inappropriate as it does not offer database-level high availability; SQL Server on Azure VMs with Always On requires significant administrative overhead. Option C is wrong because Azure Traffic Manager is a DNS-based traffic router that does not perform SSL termination or health probes for the web tier, and Azure Application Gateway is not designed for the database tier; Azure SQL Database with failover groups is a valid HA option but the web tier architecture is incorrect. Option D is wrong because Azure SQL Database with geo-restore does not provide automatic high availability; it requires manual restore from a geo-redundant backup, which does not meet the requirement for minimal administrative overhead and active failover.

673
MCQeasy

You need to design a solution to monitor the performance of an Azure SQL Database. You want to create a dashboard that shows the top 10 queries by CPU usage over the last hour. What should you use?

A.Azure Monitor Workbooks
B.Power BI
C.Azure SQL Analytics
D.Log Analytics
AnswerC

Azure SQL Analytics provides pre-built performance monitoring dashboards.

Why this answer

Azure SQL Analytics is a dedicated monitoring solution for Azure SQL Database that provides built-in views and dashboards for top queries by CPU, duration, and other performance metrics. It leverages the Query Store and DMVs to surface the top 10 queries by CPU usage over the last hour without requiring custom queries or additional configuration.

Exam trap

The trap here is that candidates confuse Azure SQL Analytics (a dedicated monitoring solution) with Log Analytics (the underlying data platform) or Azure Monitor Workbooks (a general-purpose dashboard tool), assuming any of them can provide the same pre-built top queries view without additional effort.

How to eliminate wrong answers

Option A is wrong because Azure Monitor Workbooks are customizable, interactive dashboards but do not provide pre-built, out-of-the-box views for top queries by CPU; they require manual configuration of KQL queries to extract that data. Option B is wrong because Power BI is a business analytics service for creating reports from various data sources, not a native Azure SQL monitoring tool, and it would require complex data export and transformation to replicate the built-in top queries view. Option D is wrong because Log Analytics is the underlying data store and query engine for Azure Monitor logs, but it does not offer a ready-made dashboard for top queries by CPU; you would need to write custom KQL queries and build visualizations from scratch.

674
MCQmedium

You are designing a monitoring solution for a hybrid environment with on-premises servers and Azure VMs. You need to collect security events and performance data centrally, and create custom alerts. The solution must use the same agent for both environments. Which agent should you deploy?

A.Log Analytics agent (MMA)
B.Azure Monitor Agent
C.Microsoft Dependency Agent
D.Azure Diagnostics extension
AnswerB

Unified agent for all environments, collects security and performance data.

Why this answer

Azure Monitor Agent (AMA) is the correct choice because it is the next-generation agent that replaces the legacy Log Analytics agent (MMA) and supports both Windows and Linux machines in hybrid and Azure environments. It collects security events and performance data into a single Log Analytics workspace and enables custom alert rules via data collection rules (DCRs), all with a single agent deployment.

Exam trap

The trap here is that candidates often confuse the Log Analytics agent (MMA) as the 'standard' hybrid agent, not realizing it is being replaced by Azure Monitor Agent, which is the only agent that meets the 'same agent for both environments' requirement with unified data collection rules.

How to eliminate wrong answers

Option A is wrong because the Log Analytics agent (MMA) is legacy and will be deprecated by August 2024; it requires separate agents for different data types and does not support the same unified data collection rules as Azure Monitor Agent. Option C is wrong because the Microsoft Dependency Agent is used exclusively for service map and VM insights topology data, not for general security event or performance data collection, and it must be paired with another agent (MMA or AMA) to function. Option D is wrong because the Azure Diagnostics extension is designed for Azure VMs only, collecting boot diagnostics and guest OS metrics to Azure Storage or Event Hubs, not for hybrid on-premises servers, and it does not support custom alerts via Log Analytics workspaces.

675
Multi-Selectmedium

You are designing a disaster recovery solution for a multi-tier web application on Azure VMs. The solution must meet an RPO of 15 minutes and an RTO of 1 hour. The application includes a SQL Server database. Which THREE actions should you take? (Choose THREE.)

Select 3 answers
A.Use Azure Backup for the SQL Server database with 1-hour backup frequency.
B.Use Azure Premium SSD managed disks for the VMs to ensure low latency replication.
C.Configure SQL Server Always On Availability Groups with synchronous commit between regions.
D.Deploy read-scale replicas of the SQL Server in the secondary region.
E.Configure Azure Site Recovery to replicate the web and app tier VMs to a secondary region.
AnswersB, C, E

Premium disks support higher IOPS and lower latency for replication.

Why this answer

Options A, C, and E are correct. Azure Site Recovery can replicate the VMs with low RPO. For SQL Server, Always On Availability Groups provide automatic failover with minimal data loss.

Using premium storage ensures performance. Option B is wrong because Azure Backup has a higher RPO. Option D is wrong because read-scale replicas do not provide failover.

Page 8

Page 9 of 14

Page 10