CCNA Describe Azure management and governance Questions

28 of 328 questions · Page 5/5 · Describe Azure management and governance

301
MCQ · medium

A company has a root management group that contains all Azure subscriptions. A centralized governance team needs to create and assign Azure Policy definitions and set initiatives that apply to all subscriptions. Which built-in role should be assigned to the governance team at the root management group scope to grant the minimum required permissions?

A.Owner
B.Contributor
C.Policy Contributor
D.Security Admin
AnswerC

The built-in role Azure lists as Resource Policy Contributor (shown here as Policy Contributor) is designed specifically for managing Azure Policy resources. It allows creating, updating, and deleting policy definitions, initiatives (policy set definitions), and assignments. Assigned at the root management group scope, it enables policy governance across every subscription without granting write access to the resources the policies govern.

Why this answer

The Resource Policy Contributor built-in role grants the minimum permissions needed to create and assign Azure Policy definitions and initiatives: write access to Microsoft.Authorization/policyDefinitions, policySetDefinitions and policyAssignments, plus read access to the resources being evaluated, without write access to those resources. Assigning it at the root management group scope lets the governance team apply policies across all subscriptions while adhering to the principle of least privilege. One practitioner caveat: assigning a DeployIfNotExists or Modify policy also requires creating a managed identity for the assignment and granting it a role, which needs Microsoft.Authorization/roleAssignments/write (Owner or User Access Administrator); for plain Audit and Deny policies the policy role alone is enough.

Exam trap

The trap here is that candidates often confuse the Contributor role (which can manage resources but not policies) with the Policy Contributor role, or assume that Owner is required because policy assignments affect all resources, but Azure provides a dedicated built-in role specifically for policy management to enforce least privilege.

How to eliminate wrong answers

Option A is wrong because the Owner role grants full administrative access to all resources, including the ability to delete or modify any resource and to manage role assignments, which far exceeds the permissions needed for policy management and violates least privilege. Option B is wrong because the Contributor role can create and manage all types of Azure resources, but its NotActions exclude Microsoft.Authorization/*/Write, so it cannot write policy definitions, initiatives, or assignments (for example Microsoft.Authorization/policyAssignments/write). Option D is wrong because Security Admin is the Microsoft Defender for Cloud administration role; it bundles security-posture permissions (Microsoft.Security/*) that a policy governance team does not need, so it is not the least-privilege choice.

302
MCQ · medium

A company has an Azure subscription that contains hundreds of virtual machines (VMs) across multiple resource groups. The security team needs to enforce two governance rules: 1) All VMs must use managed disks. 2) All VMs must be deployed only in the East US region. The team wants to assign a single governance artifact that combines both rules so that the compliance state is evaluated as a group. The solution must not require assigning each rule individually. Which Azure feature should the team use to define and assign this combined set of rules?

A.Azure Policy initiative (policy set) definition
B.Azure Policy group definition
C.Azure Blueprints artifact
D.Azure compliance bundle
AnswerA

An Azure Policy initiative definition is the correct feature for grouping multiple policy definitions into a single set for assignment and compliance evaluation as a group.

Why this answer

Azure Policy initiative (policy set) definitions allow you to group multiple individual policy definitions into a single, combined set of rules. By assigning the initiative, both the managed disks requirement and the East US region restriction are evaluated together as a single compliance artifact, meeting the requirement to avoid assigning each rule individually.

Exam trap

The trap here is that candidates often confuse Azure Blueprints (which can include policy assignments) with the native grouping mechanism of Azure Policy initiatives, failing to recognize that Blueprints is an orchestration tool, not the dedicated artifact for combining policy rules into a single compliance evaluation unit.

How to eliminate wrong answers

Option B is wrong because there is no such feature as 'Azure Policy group definition' in Azure; the grouping mechanism is called an initiative (policy set definition). Option C is wrong because Azure Blueprints artifacts deploy and orchestrate resources (policy assignments, role assignments, and resource templates) as a package, but they are not the feature designed to combine multiple policy rules into a single compliance evaluation unit; a blueprint would still reference policies defined individually or within an initiative, and Azure Blueprints is deprecated in favor of template specs and deployment stacks. Option D is wrong because 'Azure compliance bundle' is not an Azure feature.

303
MCQ · medium

What is the purpose of Azure Resource Graph?

A.To visualize the network topology of Azure virtual networks
B.To query and explore Azure resource inventory and properties at scale using KQL
C.To create visual diagrams of Azure architectural deployments
D.To track changes in Azure subscription billing
AnswerB

Resource Graph enables efficient KQL-based queries across all Azure resources in multiple subscriptions.

Why this answer

Azure Resource Graph is a service in Azure designed to enable efficient querying and exploration of resource inventory and properties across subscriptions at scale. It uses Kusto Query Language (KQL) to allow complex filtering, grouping, and aggregation of resource data, making it ideal for governance, compliance, and operational audits. This capability is distinct from visualization, diagramming, or billing tools.

Exam trap

The trap here is that candidates confuse Azure Resource Graph with a visualization or diagramming tool, when it is actually a query and exploration service using KQL for resource inventory at scale.

How to eliminate wrong answers

Option A is wrong because visualizing network topology is the purpose of Azure Network Watcher's topology feature, not Azure Resource Graph. Option C is wrong because creating visual diagrams of architectural deployments is done by tools like Microsoft Visio or Azure Architecture Center diagrams, not by Azure Resource Graph. Option D is wrong because tracking changes in Azure subscription billing is handled by Azure Cost Management + Billing, not by Azure Resource Graph.

304
MCQ · easy

Which Azure support plan provides 24/7 access to technical support engineers by phone and email for production workloads?

A.Azure Free support
B.Azure Developer support
C.Azure Standard support
D.Community forums only
AnswerC

Standard support (and higher tiers) provides 24/7 access to technical support engineers by phone and email for production issues.

Why this answer

Azure Standard support is the lowest-tier plan that provides 24/7 access to technical support engineers via phone and email for production workloads. It includes an initial response within 1 hour for severity A (critical business impact) incidents, making it suitable for production environments. Lower tiers (Basic and Developer) do not offer 24/7 phone support and are intended for non-production scenarios.

Exam trap

The trap here is that candidates often confuse Azure Developer support (which includes some email access) with 24/7 phone support, but Developer support is limited to business hours and non-production use, making Standard the correct choice for production workloads.

How to eliminate wrong answers

Option A is wrong because the plan included with every subscription (which Microsoft lists as Basic, labelled 'Free' in this option) provides only billing and subscription management support, community forums, and documentation, with no 24/7 phone or email access to technical support engineers. Option B is wrong because Azure Developer support is designed for non-production environments (trial, dev/test) and offers email-based support during business hours only, not 24/7 phone access. Option D is wrong because community forums are not a support plan; they are the default self-help option and provide no direct access to Microsoft support engineers by phone or email.

305
MCQ · easy

A company has 10 Azure subscriptions used by different departments. The finance team wants to receive automated, prioritized recommendations to reduce cloud costs. Specifically, they want suggestions for identifying idle virtual machines and rightsizing underutilized resources across all subscriptions. Which Azure service should the finance team use to get these recommendations?

A.Azure Advisor
B.Azure Cost Management + Billing
C.Azure Policy
D.Azure Monitor
AnswerA

Correct. Azure Advisor is a free service that continuously analyzes resource usage and provides personalized recommendations to optimize costs, security, reliability, performance, and operational excellence. It includes specific cost recommendations such as identifying idle VMs and rightsizing underutilized resources.

Why this answer

Azure Advisor is the correct service because it provides personalized, prioritized recommendations across Azure subscriptions, including cost optimization suggestions such as identifying idle virtual machines and rightsizing underutilized resources. It analyzes resource usage and configuration to deliver actionable insights, making it ideal for the finance team's needs.

Exam trap

The trap here is that candidates confuse Azure Cost Management + Billing's cost analysis and budgeting features with the proactive, recommendation-driven cost optimization capabilities of Azure Advisor, leading them to select the wrong service for identifying idle VMs and rightsizing.

How to eliminate wrong answers

Option B is wrong because Azure Cost Management + Billing focuses on monitoring, analyzing, and controlling cloud spending through budgets, cost analysis, and invoice management; it does not generate specific recommendations for identifying idle VMs or rightsizing resources, which is the role of Azure Advisor. Option C is wrong because Azure Policy enforces organizational standards and compliance by applying rules to resources (e.g., restricting VM sizes), but it does not provide cost optimization recommendations; it is a governance tool, not an advisory service. Option D is wrong because Azure Monitor collects metrics and logs and can alert on them, but it produces no recommendations; detecting an idle VM with Monitor would require building custom alert rules on CPU and network metrics.

306
MCQ · medium

An Azure administrator needs to review all changes made to Azure resources over the past 90 days, including who made each change and when. Which Azure service provides this information?

A.Azure Monitor Metrics
B.Azure Activity Log
C.Azure Resource Health
D.Azure Policy compliance reports
AnswerB

Activity Log records all control-plane operations on Azure resources including who made changes, when, and the operation performed.

Why this answer

The Azure Activity Log is a platform log that provides insight into subscription-level events. It records all control-plane operations (e.g., creating, modifying, or deleting resources through Azure Resource Manager) and includes details such as who initiated the operation (the caller), what the operation was, and when it occurred. The log retains this data for 90 days by default, which is exactly the window the administrator needs. To review changes beyond 90 days, configure a diagnostic setting that sends the Activity Log to a Log Analytics workspace or a storage account. Note that the Activity Log does not record data-plane operations, such as reads and writes to blobs inside a storage account.

Exam trap

The trap here is that candidates often confuse the Activity Log with Azure Monitor Metrics, thinking that metrics also track user actions, but metrics are purely performance counters and do not capture identity or operation details.

How to eliminate wrong answers

Option A is wrong because Azure Monitor Metrics collects numerical time-series data (e.g., CPU usage, request counts) from resources, not operational audit logs of who made changes. Option C is wrong because Azure Resource Health reports on the current and historical health of Azure resources (e.g., availability and downtime), not on administrative actions or user identity. Option D is wrong because Azure Policy compliance reports show whether resources comply with assigned policies (e.g., tagging rules or allowed locations), not a chronological record of who made changes and when.
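The check described above, carried through on sample data, as an added example that is not part of the original page: the records below are constructed to match the Activity Log event shape (caller, operationName, status, category, resourceId, eventTimestamp) and come from no real subscription, and the 90-day window is anchored to a fixed reference time so the result is reproducible. Beyond listing who changed what, it flags a pattern a security reviewer looks for in this log: a resource lock being deleted shortly before a delete inside the scope it protected.

```python
"""Review who changed what from Azure Activity Log records (added example, constructed data)."""
from collections import Counter
from datetime import datetime, timedelta

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod-rg"  # constructed scope


def _event(ts, caller, op, status="Succeeded", resource=SUB, category="Administrative"):
    """Build one record in the Activity Log event shape."""
    return {"eventTimestamp": ts, "caller": caller, "operationName": {"value": op},
            "status": {"value": status}, "category": {"value": category}, "resourceId": resource}


SAMPLE_EVENTS = [  # constructed sample, not real log data
    _event("2024-05-02T09:14:07Z", "alice@contoso.example", "Microsoft.Compute/virtualMachines/write",
           resource=SUB + "/providers/Microsoft.Compute/virtualMachines/vm-01"),
    _event("2024-05-02T09:14:08Z", "alice@contoso.example", "Microsoft.Compute/virtualMachines/read",
           resource=SUB + "/providers/Microsoft.Compute/virtualMachines/vm-01"),  # read: not a change
    _event("2024-05-03T22:41:00Z", "bob@contoso.example", "Microsoft.Authorization/locks/delete",
           resource=SUB + "/providers/Microsoft.Authorization/locks/prod-no-delete"),  # lock removed
    _event("2024-05-03T22:42:30Z", "bob@contoso.example", "Microsoft.Resources/subscriptions/resourceGroups/delete"),
    _event("2024-05-04T10:00:00Z", "carol@contoso.example", "Microsoft.Compute/virtualMachines/write",
           status="Failed", resource=SUB + "/providers/Microsoft.Compute/virtualMachines/vm-02"),  # failed: no change
    _event("2024-01-10T10:00:00Z", "dave@contoso.example", "Microsoft.Compute/virtualMachines/delete",
           resource=SUB + "/providers/Microsoft.Compute/virtualMachines/vm-old"),  # outside the 90-day window
]

CHANGE_SUFFIXES = ("/write", "/delete", "/action")


def is_change(event):
    """A control-plane operation that altered something: Administrative, Succeeded, write/delete/action."""
    return (event["category"]["value"] == "Administrative"
            and event["status"]["value"] == "Succeeded"
            and event["operationName"]["value"].lower().endswith(CHANGE_SUFFIXES))


def changes_in_window(events, now, days=90):
    """Successful changes within the last `days`, oldest first, with who / what / when / where."""
    cutoff = now - timedelta(days=days)
    rows = []
    for e in events:
        when = datetime.fromisoformat(e["eventTimestamp"].replace("Z", "+00:00"))
        if when >= cutoff and is_change(e):
            rows.append({"when": when, "who": e["caller"], "op": e["operationName"]["value"],
                         "resource": e["resourceId"]})
    return sorted(rows, key=lambda r: r["when"])


def changes_by_caller(changes):
    """How many successful changes each identity made."""
    return Counter(r["who"] for r in changes)


def lock_removed_then_deleted(changes, within=timedelta(minutes=30)):
    """Flag a lock deletion followed, by the same caller, by a delete inside the scope the lock protected."""
    flagged = []
    for lock in (r for r in changes if r["op"].lower() == "microsoft.authorization/locks/delete"):
        scope = lock["resource"].split("/providers/Microsoft.Authorization/locks/")[0].lower()
        for later in changes:
            if (later["who"] == lock["who"]
                    and later["op"].lower().endswith("/delete")
                    and not later["op"].lower().endswith("locks/delete")
                    and lock["when"] <= later["when"] <= lock["when"] + within
                    and later["resource"].lower().startswith(scope)):
                flagged.append((lock["who"], scope, later["op"]))
    return flagged


def review(events, now_iso, days=90):
    """One-call wrapper: parse the reference time and run the three checks above."""
    now = datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
    changes = changes_in_window(events, now, days)
    return changes, changes_by_caller(changes), lock_removed_then_deleted(changes)


if __name__ == "__main__":
    changes, by_caller, flagged = review(SAMPLE_EVENTS, "2024-05-05T00:00:00Z")
    for r in changes:
        print(r["when"].isoformat(), r["who"], r["op"], r["resource"])
    print(dict(by_caller))
    print(flagged)
```

The same filter works on real export data: an Activity Log sent to a Log Analytics workspace or exported as JSON carries the same `caller`, `operationName` and `status` fields, and the read and failed events are dropped for the same reason here as there, because neither changed a resource.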

307
MCQ · medium

A company has multiple Azure subscriptions for different departments. They want to receive budget alerts when spending in any subscription exceeds 80% of the allocated amount. Which Azure feature enables them to set up these alerts?

A.Azure Cost Management + Billing budgets
B.Azure Advisor
C.Azure Monitor
D.Azure Policy
AnswerA

Budgets in Azure Cost Management allow you to set spending limits and configure alerts when thresholds are exceeded.

Why this answer

Azure Cost Management + Billing budgets allow you to create budget alerts based on actual or forecasted costs. You can set a budget amount and configure alerts to trigger when costs reach a specified percentage (e.g., 80%) of that budget. This directly meets the requirement to receive alerts when spending in any subscription exceeds 80% of the allocated amount.

Exam trap

The trap here is that candidates often confuse Azure Monitor alerts (which handle performance and health metrics) with budget alerts, but budget alerts are exclusively managed through Azure Cost Management + Billing, not through Azure Monitor.

How to eliminate wrong answers

Option B is wrong because Azure Advisor provides recommendations for cost optimization, security, reliability, and performance, but it does not create or send budget alerts based on spending thresholds. Option C is wrong because Azure Monitor collects and analyzes telemetry (metrics, logs) and can trigger alerts on performance or health conditions, but it is not designed for budget-based cost alerts; those are a native feature of Azure Cost Management + Billing, which can optionally route them through an Azure Monitor action group for delivery. Option D is wrong because Azure Policy enforces rules on resource configuration and has no visibility into spend, so it cannot alert on a budget threshold.

308
MCQ · medium

A multinational company has a strict data residency requirement: all Azure virtual machines must be deployed only in the East US or West Europe Azure regions. The IT governance team wants to enforce this rule automatically so that any attempt to create a virtual machine in any other region is blocked immediately at the time of deployment. Users must receive a clear error message if they try to create a VM in a disallowed region. Which Azure feature should the governance team configure to meet this requirement?

A.Create a resource lock on the subscription to prevent all resource creation.
B.Configure an Azure Policy with the Deny effect assigned to the subscription scope.
C.Assign an Azure RBAC role that denies create permissions for VMs in disallowed regions.
D.Set up a budget alert in Cost Management to notify when a VM is created in a disallowed region.
AnswerB

Azure Policy with the Deny effect evaluates resource creation or update requests and denies them if they do not comply with the policy rules (e.g., VM location). The denial includes a clear error message explaining which policy prevented the action. This is the standard method to enforce location restrictions proactively.

Why this answer

Azure Policy with the Deny effect is the correct choice because it enforces organizational rules by evaluating resource properties during deployment and blocking any non-compliant request. In this scenario, a policy can be defined to deny virtual machine creation in any region other than East US or West Europe, and the Deny effect ensures the deployment fails with a clear error message, meeting the real-time enforcement requirement.

Exam trap

The trap here is that candidates confuse Azure Policy (which enforces rules on resource properties) with Azure RBAC (which controls user permissions), leading them to incorrectly choose RBAC when the requirement is about restricting specific resource configurations rather than user actions.

How to eliminate wrong answers

Option A is wrong because resource locks are not region-aware: a CanNotDelete lock does not affect creation at all, and a ReadOnly lock on the subscription would block every write, including VM deployments in the approved regions, rather than only those in disallowed regions. Option C is wrong because Azure RBAC controls who can perform which actions (e.g., whether a user can create VMs at all) but cannot condition the decision on a resource property like region; RBAC lacks the granularity to allow VM creation only in certain regions. Option D is wrong because a budget alert in Cost Management only notifies after spending is incurred; it does not block a deployment and cannot detect which region a VM was created in, so it enforces no data residency rule.

309
Drag & Drop · medium

Sequence the steps to implement Azure Policy to enforce compliance.

Why this order

Policy implementation involves definition, assignment, compliance review, and remediation: first choose a built-in policy definition or author a custom one, then assign it to a scope (management group, subscription, or resource group) with the required parameters, then review the compliance results once evaluation has run, and finally remediate non-compliant resources (via a remediation task for DeployIfNotExists or Modify policies, or manually for Audit findings).

310
MCQ · medium

Which Azure service allows customers to extend Azure management and governance to non-Azure resources, including on-premises servers and other cloud providers?

A.Azure Stack Hub
B.Azure Arc
C.Azure ExpressRoute
D.Azure VPN Gateway
AnswerB

Azure Arc projects non-Azure resources into Azure Resource Manager, enabling Azure governance for on-premises and multi-cloud resources.

Why this answer

Azure Arc is the correct answer because it is specifically designed to extend Azure's management plane and governance controls (such as Azure Policy, Azure RBAC, tags, and Azure Monitor) to resources outside of Azure, including on-premises servers, Kubernetes clusters, and machines running in other cloud providers such as AWS or GCP. For servers it does this by installing the Azure Connected Machine agent, which registers each machine as an Azure resource (Microsoft.HybridCompute/machines); Kubernetes clusters are connected through cluster agents instead. Once projected into Azure Resource Manager, the resources are managed consistently through the Azure portal, CLI, and APIs.

Exam trap

The trap here is that candidates confuse Azure Arc with Azure Stack Hub, assuming both are for on-premises Azure services, but Arc is about managing existing non-Azure resources while Stack Hub is about running Azure services locally.

How to eliminate wrong answers

Option A is wrong because Azure Stack Hub is an on-premises extension of Azure that runs Azure services in a customer's datacenter, but it does not manage existing non-Azure resources or other cloud providers; it is a separate Azure environment. Option C is wrong because Azure ExpressRoute is a dedicated private network connection from on-premises to Azure, not a management or governance service for non-Azure resources. Option D is wrong because Azure VPN Gateway provides encrypted site-to-site or point-to-site connectivity over the public internet, but it does not offer any management, policy, or governance capabilities for resources outside Azure.

311
MCQ · easy

A company wants to ensure that all Azure resources are tagged with a 'CostCenter' tag at creation time. If a resource is created without the tag, it should be automatically denied. Which Azure Policy effect should they use?

A.deny
B.audit
C.append
D.deployIfNotExists
AnswerA

The deny effect prevents resources from being created if they do not comply with the policy condition.

Why this answer

The 'deny' effect is correct because it actively blocks any resource creation request that does not include the required 'CostCenter' tag. Azure Policy with the 'deny' effect evaluates the resource against the policy rule at creation or update time and rejects the request if the condition is not met, ensuring compliance before the resource is provisioned.

Exam trap

The trap here is that candidates often confuse 'deny' with 'audit' or 'append', thinking that logging or auto-tagging is sufficient to enforce compliance, but only 'deny' actively prevents the resource from being created in the first place.

How to eliminate wrong answers

Option B (audit) is wrong because it only marks the resource non-compliant in the compliance results and logs the evaluation in the Activity Log; it does not prevent the creation from happening. Option C (append) is wrong because it adds the missing tag automatically during creation or update rather than denying the request; it modifies the resource to comply. Option D (deployIfNotExists) is wrong because it deploys an ARM template (for example, to add a missing diagnostic setting) after the resource exists, so it does not block the initial creation.

312
MCQ · medium

Which Azure service provides a SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) solution?

A.Microsoft Defender for Cloud
B.Azure Monitor
C.Microsoft Sentinel
D.Azure Security Center
AnswerC

Microsoft Sentinel is the cloud-native SIEM and SOAR, collecting security data, detecting threats with AI, and automating response.

Why this answer

Microsoft Sentinel is the correct answer because it is a cloud-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) solution. It provides intelligent security analytics and threat intelligence across the enterprise, enabling security teams to collect data at cloud scale, detect threats, investigate incidents, and automate responses.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud (or its predecessor Azure Security Center) with a SIEM solution, but it is primarily a security posture management and workload protection tool, not a full SIEM/SOAR platform like Microsoft Sentinel.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Cloud is a Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) that provides security recommendations and threat protection for cloud workloads, but it does not offer the full SIEM and SOAR capabilities of collecting, correlating, and analyzing logs from multiple sources across the entire enterprise. Option B is wrong because Azure Monitor is a monitoring service for collecting, analyzing, and acting on telemetry from Azure and on-premises environments, focusing on performance and availability metrics, logs, and alerts, not on security event correlation and automated incident response. Option D is wrong because Azure Security Center (now integrated into Microsoft Defender for Cloud) is a unified infrastructure security management system that strengthens the security posture of data centers and provides advanced threat protection for hybrid workloads, but it lacks the dedicated SIEM log management and SOAR automation features that Microsoft Sentinel provides.

313
MCQ · hard

A company needs to ensure that all Azure resources in a subscription are created only in specific approved regions. Which Azure feature should they implement?

A.Azure Resource Locks
B.Azure RBAC
C.Azure Policy with 'Allowed locations' policy
D.Azure Blueprints
AnswerC

The 'Allowed locations' Azure Policy restricts resource creation to specified approved regions.

Why this answer

Azure Policy with the 'Allowed locations' policy definition is the correct choice because it enforces organizational compliance by restricting the Azure regions where resources can be deployed. This policy evaluates all resource creation requests against a defined list of approved regions and denies any request that does not match, ensuring that all resources in the subscription are created only in the specified approved locations.

Exam trap

The trap here is that candidates often confuse Azure Policy with Azure RBAC or Resource Locks, mistakenly thinking that access control or deletion protection can restrict resource locations, when in fact only Azure Policy provides the declarative enforcement rules for compliance like allowed regions.

How to eliminate wrong answers

Option A is wrong because Azure Resource Locks prevent accidental deletion or modification of resources but do not restrict the regions in which resources can be created. Option B is wrong because Azure RBAC (Role-Based Access Control) manages who has access to Azure resources and what actions they can perform, but it does not enforce location restrictions. Option D is wrong because Azure Blueprints orchestrate the deployment of resource templates, policies, and role assignments as a package, but the actual enforcement of allowed regions is done by Azure Policy definitions included within the blueprint, not by Blueprints themselves.

314
MCQ · hard

A company uses Azure Policy to enforce encryption on storage accounts. They discover some existing storage accounts are non-compliant. They want to automatically enable encryption on these accounts without manual intervention. Which combination of policy effects should they use?

A.Audit and DeployIfNotExists
B.Deny and Audit
C.Append and Modify
D.Audit and Disabled
AnswerA

Correct. Audit reports non-compliance, and DeployIfNotExists automatically deploys a configuration (like enabling encryption) to bring the resource into compliance.

Why this answer

The correct combination is Audit and DeployIfNotExists. Audit logs non-compliant storage accounts without blocking them, while DeployIfNotExists automatically enables encryption on those accounts by deploying a remediation task. This ensures existing non-compliant resources are brought into compliance without manual intervention.

Exam trap

The trap here is that candidates confuse Deny (which only blocks new non-compliant requests) with DeployIfNotExists (which can remediate existing resources through a remediation task), or assume that Append can fix existing resources when it only applies during resource creation or update.

How to eliminate wrong answers

Option B (Deny and Audit) is wrong because Deny blocks the creation or update of non-compliant resources but does not remediate existing non-compliant storage accounts; Audit only flags them, so encryption would not be automatically enabled. Option C (Append and Modify) is wrong because Append only adds fields during creation or update and never touches existing resources; Modify can be run against existing resources through a remediation task, but it is limited to adding, replacing, or removing tags and properties on the resource itself and cannot deploy the supporting configuration that DeployIfNotExists can, which is why the exam expects Audit and DeployIfNotExists for this scenario. Option D (Audit and Disabled) is wrong because Disabled turns off the policy effect entirely, meaning no evaluation or remediation occurs, and Audit alone only reports non-compliance without enabling encryption.

315
MCQ · easy

A company uses Azure for multiple workloads. The finance team wants to identify virtual machines that are consistently underutilized (average CPU usage below 5%) so they can reduce costs by resizing or shutting down those VMs. They want a built-in Azure tool that automatically analyzes resource usage and provides actionable recommendations. Which Azure service should they use?

A.Azure Monitor
B.Azure Advisor
C.Azure Cost Management
D.Azure Policy
AnswerB

Azure Advisor analyzes your Azure resources and provides best practice recommendations, including cost optimization. It identifies underutilized VMs and suggests resizing or shutting them down to reduce costs.

Why this answer

Azure Advisor is the correct service because it is a built-in Azure tool that automatically analyzes resource usage and provides actionable recommendations to optimize costs, including identifying underutilized virtual machines. Its cost recommendations evaluate CPU and network utilization over the preceding days and suggest resizing or shutting down VMs with consistently low utilization (its default rule looks for VMs with average CPU at or below 5% and low network usage). Advisor recommends; it does not resize or stop the VMs itself, so the finance team still decides what to act on.

Exam trap

The trap here is that candidates often confuse Azure Monitor's ability to view metrics with the automated, actionable recommendations that only Azure Advisor provides, leading them to select Azure Monitor instead of Azure Advisor.

How to eliminate wrong answers

Option A is wrong because Azure Monitor is a monitoring and diagnostics service that collects metrics and logs, but it does not automatically generate actionable cost optimization recommendations like resizing or shutting down VMs; it requires custom alert rules or dashboards to detect underutilization. Option C is wrong because Azure Cost Management focuses on budgeting, cost analysis, and invoice management, not on analyzing resource utilization patterns to provide specific VM resizing or shutdown recommendations. Option D is wrong because Azure Policy enforces compliance rules and governance standards (e.g., tagging or allowed VM sizes), but it does not analyze historical CPU usage or provide cost optimization recommendations for underutilized resources.

316
Matching · medium

Match each Azure storage type to its use case.

Use cases to match:
- Unstructured data like images and videos
- SMB file shares for cloud or on-premises
- Message queuing for asynchronous processing
- NoSQL key-value store for structured data
- Block-level storage for Azure VMs

Why these pairings

Azure provides multiple storage options optimized for different data types: Blob Storage holds unstructured objects such as images and videos; Azure Files provides SMB (and NFS) file shares mountable from the cloud or on-premises; Queue Storage holds messages for asynchronous processing; Table Storage is a NoSQL key-value store for structured data; and Azure managed disks provide block-level storage for virtual machines.

317
MCQ · medium

A company has a critical Azure resource group that contains all production virtual machines and databases. The IT security administrator wants to ensure that no user, including members of the 'Owner' role, can accidentally or intentionally delete this resource group. The solution must not prevent modification of resources inside the resource group. The administrator needs to apply a governance control at the resource group level. What should the administrator do?

A.Apply a 'ReadOnly' lock on the resource group.
B.Apply a 'CanNotDelete' lock on the resource group.
C.Assign a custom RBAC role that denies delete actions at the resource group scope.
D.Move the resource group to a separate subscription with billing separation.
AnswerB

A 'CanNotDelete' lock allows read and update operations but blocks delete operations on the resource group and everything in it. The lock is enforced regardless of the caller's RBAC role, so an Owner's delete request fails too; the only way around it is to remove the lock first, which requires Microsoft.Authorization/locks/delete (held by Owner and User Access Administrator) and leaves an entry in the Activity Log. That makes it the correct governance control to prevent accidental deletion while still allowing modifications.

Why this answer

Option B is correct because applying a 'CanNotDelete' lock at the resource group level blocks deletion of the resource group (and of the resources within it) for every caller, including those with the Owner role, while still allowing modifications (e.g., adding or updating resources) inside it. Azure evaluates locks independently of RBAC: holding delete permission does not bypass a lock. An Owner can still remove the lock and then delete, so the lock is a guard against accidental and hasty deletion rather than a hard barrier against a determined administrator, but it is the control Azure provides for this requirement.

Exam trap

The trap here is that candidates often confuse resource locks with RBAC roles, thinking a custom RBAC role that 'denies' deletion is sufficient, but custom roles cannot express a deny, and locks are the mechanism that stops deletion even by Owners without any additional permission management.

How to eliminate wrong answers

Option A is wrong because a 'ReadOnly' lock prevents all modification and deletion of resources in the resource group, which violates the requirement that modifications inside the resource group must still be allowed. Option C is wrong because Azure RBAC custom roles cannot deny an action: NotActions only subtracts from that role's own allowed actions and does not override permissions granted by another assignment such as Owner. Azure deny assignments exist, but they are created by Azure (for example, by Blueprints or managed applications), not by authoring a custom role. Option D is wrong because moving the resource group to a separate subscription changes billing and scope but does nothing to prevent an Owner of that subscription from deleting it.

318
MCQ · medium

A company uses Azure Policy to enforce governance rules across its Azure subscriptions. The security team wants to ensure that all virtual machines deployed in a subscription must be of an approved size from a predefined list. If a user attempts to deploy a virtual machine with a size not on the list, the deployment must be immediately blocked. Which Azure Policy effect should the company use in the policy definition?

A.Deny
B.Audit
C.DeployIfNotExists
D.Append
AnswerA

The 'Deny' effect prevents the creation or update of a resource that does not comply with the policy. This effect blocks the deployment of a disallowed VM size, fulfilling the security team's requirement.

Why this answer

The 'Deny' effect is correct because it actively blocks any deployment that violates the policy rule, such as deploying a virtual machine with a size not on the approved list. This effect evaluates the request during resource creation or update and denies it if the condition is met, ensuring immediate enforcement. In contrast, other effects like 'Audit' only log non-compliant resources without blocking them, which does not meet the security team's requirement to prevent unauthorized VM sizes.

Exam trap

The trap here is that candidates often confuse 'Deny' with 'Audit' because both deal with non-compliance, but 'Audit' only logs violations without blocking, which fails the explicit requirement to immediately block the deployment.

How to eliminate wrong answers

Option B (Audit) is wrong because it only records the non-compliant resource (a warning event in the activity log and a non-compliant compliance state) and never blocks the request, so the deployment succeeds. Option C (DeployIfNotExists) is wrong because it runs after the VM has been created, checks for a related resource (for example a diagnostic setting or an extension) and deploys it when missing; it is a remediation effect, not a gate on the original request. Option D (Append) is wrong because it adds fields to the request when they are absent, such as a tag or a storage network rule; it cannot change a VM's SKU and does not act as an allowlist (Append does reject a request when the field already exists with a conflicting value, but that is a side effect of the field merge, not a size restriction).
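As an added example (not part of the original question bank), here is how the Deny policy for question 318 is defined and assigned with Azure PowerShell. The subscription ID, names and SKU list are placeholders; the rule uses the same `Microsoft.Compute/virtualMachines/sku.name` alias the built-in "Allowed virtual machine size SKUs" definition relies on, and it assumes the Az.Resources module with an existing Connect-AzAccount session.

```powershell
# Added example (not from the original page): custom Azure Policy that denies any VM
# whose size is not on an approved list, assigned at subscription scope.
# Assumes Az.Resources and Connect-AzAccount; IDs, names and SKUs are placeholders.

$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$scope          = "/subscriptions/$subscriptionId"
$allowedSkus    = @('Standard_D2s_v5', 'Standard_D4s_v5', 'Standard_E4s_v5')

# Rule: Deny when the resource is a VM AND its SKU is NOT in the parameter list.
# 'Microsoft.Compute/virtualMachines/sku.name' is the alias for hardwareProfile.vmSize.
$rule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
      {
        "not": {
          "field": "Microsoft.Compute/virtualMachines/sku.name",
          "in": "[parameters('allowedSkus')]"
        }
      }
    ]
  },
  "then": { "effect": "[parameters('effect')]" }
}
'@

# Parameterising the effect lets the same definition be assigned as Audit in a
# test subscription first and switched to Deny in production.
$parameters = @'
{
  "allowedSkus": {
    "type": "Array",
    "metadata": { "displayName": "Allowed VM SKUs", "strongType": "VMSKUs" }
  },
  "effect": {
    "type": "String",
    "allowedValues": [ "Audit", "Deny", "Disabled" ],
    "defaultValue": "Deny"
  }
}
'@

# Mode Indexed: evaluate only resource types that support tags and location.
$definition = New-AzPolicyDefinition `
    -Name        'deny-unapproved-vm-sizes' `
    -DisplayName 'Allowed virtual machine SKUs (custom)' `
    -Description 'Denies VM deployments whose size is not on the approved list.' `
    -Policy      $rule `
    -Parameter   $parameters `
    -Mode        'Indexed'

# Assign with Deny. A deployment of any other size now fails at request time
# with the error code RequestDisallowedByPolicy.
New-AzPolicyAssignment `
    -Name                  'prod-allowed-vm-sizes' `
    -DisplayName           'Production: allowed VM sizes' `
    -Scope                 $scope `
    -PolicyDefinition      $definition `
    -PolicyParameterObject @{ allowedSkus = $allowedSkus; effect = 'Deny' }

# Pre-check before tightening an Audit assignment to Deny: which existing VMs
# would already be non-compliant with the same list?
Get-AzVM |
    Where-Object { $_.HardwareProfile.VmSize -notin $allowedSkus } |
    Select-Object Name, ResourceGroupName, @{ n = 'Size'; e = { $_.HardwareProfile.VmSize } }
```

Deny is evaluated on the PUT of the VM resource, so the failure surfaces inside the ARM deployment as a RequestDisallowedByPolicy error rather than after the VM exists; the final Get-AzVM check is the usual way to see what the policy would have blocked before switching from Audit to Deny.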

319
MCQhard

A company wants to prevent any Azure resource from being accidentally deleted by anyone, including subscription owners. Which Azure feature accomplishes this?

A.Azure Policy with Deny effect
B.Azure Resource Manager CanNotDelete lock
C.RBAC Reader role
D.Azure Blueprints
AnswerB

CanNotDelete lock prevents resource deletion by anyone, including owners — the lock must be explicitly removed before deletion.

Why this answer

The Azure Resource Manager CanNotDelete lock is the correct feature because it blocks delete operations on the locked scope for every caller, subscription Owners included. Locks are enforced by Resource Manager independently of RBAC, so holding Owner or Contributor does not bypass one; the lock must be removed first, which requires Microsoft.Authorization/locks/delete (Owner or User Access Administrator, but not Contributor). Locks can be set at the resource, resource group or subscription level and are inherited by everything below that scope, which is exactly what accidental-deletion protection needs.

Exam trap

The trap here is that candidates confuse Azure Policy (which governs compliance and creation/modification) with Azure Locks (which specifically prevent deletion), or they assume RBAC roles like Owner can always delete, forgetting that locks override RBAC.

How to eliminate wrong answers

Option A is wrong because Azure Policy evaluates create and update requests (PUT and PATCH) against resource properties; it is not evaluated on delete requests, so a Deny effect cannot stop a deletion. Option C is wrong because the RBAC Reader role only limits what its own holders can do; it does nothing to stop a user who also holds Owner or Contributor, and a role assignment is not a deletion-prevention control. Option D is wrong because Azure Blueprints packages templates, policies and role assignments for repeatable environment deployment; its own resource-locking option applies only to resources the blueprint deployed, not to any arbitrary Azure resource.

320
MCQeasy

What is the purpose of Azure Resource Manager (ARM)?

A.To provide virtual machine operating system management
B.To provide a unified deployment and management layer for all Azure resources
C.To monitor Azure resource performance
D.To replicate data across Azure regions
AnswerB

ARM is the backend that all Azure management tools use, providing consistent resource deployment, grouping, tagging, and access control.

Why this answer

Azure Resource Manager (ARM) is the native management layer that enables you to deploy, manage, and organize Azure resources as a single logical entity. It provides a consistent management plane for all Azure services through declarative templates (ARM templates), role-based access control (RBAC), and tagging, ensuring that resources are provisioned and governed uniformly across the entire subscription.

Exam trap

The trap here is that candidates confuse ARM with a specific resource type (like a virtual machine) or a monitoring tool, when in fact ARM is the overarching management layer that works across all Azure services.

How to eliminate wrong answers

Option A is wrong because virtual machine operating system management is handled by the guest OS itself or by tools like Azure Update Manager, not by ARM, which focuses on infrastructure orchestration. Option C is wrong because monitoring Azure resource performance is the role of Azure Monitor, which collects metrics and logs, while ARM provides the deployment and management layer. Option D is wrong because data replication across Azure regions is a feature of Azure Storage (e.g., geo-redundant storage) or Azure Site Recovery, not a function of ARM, which manages resource lifecycle and policies.

321
MCQmedium

Which Azure feature allows administrators to set a maximum spending limit to prevent unexpected charges on a subscription?

A.Azure Policy
B.Azure Cost Management budgets
C.Azure Reservations
D.Azure Advisor cost recommendations
AnswerB

Cost Management budgets let you set spending thresholds and get alerts when costs approach or exceed limits.

Why this answer

Azure Cost Management budgets let administrators define a spending amount for a scope (billing account, management group, subscription or resource group, optionally filtered by tag or resource group) and raise alerts when actual or forecasted cost crosses a percentage of that amount. A budget is an alerting control, not a hard cap: on its own it does not stop resources or refuse charges. To turn an alert into an action, attach an action group that triggers an Automation runbook, Logic App or Function to shut down or scale resources. (The separate 'spending limit' that actually suspends services when credit is exhausted exists only on credit-based subscriptions such as free trials and Visual Studio subscriptions.)

Exam trap

The trap here is confusing governance features like Azure Policy (which enforces rules on resource properties) with cost control features, leading candidates to select Azure Policy instead of the correct budget functionality.

How to eliminate wrong answers

Option A is wrong because Azure Policy enforces organizational rules and compliance by evaluating resource configurations, not by setting spending limits or preventing charges. Option C is wrong because Azure Reservations provide discounted pricing for committing to specific services upfront, but they do not set a maximum spending limit or prevent unexpected charges. Option D is wrong because Azure Advisor cost recommendations offer suggestions to optimize spending, but they do not enforce a spending cap or block charges.

322
MCQmedium

An IT administrator needs to query all Azure resources across multiple subscriptions to find all virtual machines that were created in the last 30 days. They want to use a powerful query language. Which Azure service should they use?

A.Azure Resource Graph
B.Azure Monitor
C.Azure Resource Manager
D.Azure CLI
AnswerA

Correct. Resource Graph enables complex queries across subscriptions using KQL, ideal for resource discovery.

Why this answer

Azure Resource Graph is the correct service because it exposes the Resource Manager inventory of every subscription the caller can read through a Kusto Query Language (KQL) query engine, so one query can filter, aggregate and join across subscriptions, resource groups and regions. It is built for discovery and inventory questions such as this one: virtual machines expose their creation time as `properties.timeCreated`, and a query can filter on that value falling within the last 30 days while projecting any other property (size, location, tags) alongside it.

Exam trap

The trap here is that candidates confuse Azure Monitor Logs (which also uses KQL, but over telemetry stored in Log Analytics workspaces) with Azure Resource Graph, which queries the resource inventory held by Azure Resource Manager. Creation time and SKU are resource properties, not telemetry, so Resource Graph is the right tool.

How to eliminate wrong answers

Option B is wrong because Azure Monitor is a monitoring and observability service focused on collecting metrics, logs, and alerts from Azure resources, not on querying resource metadata or inventory across subscriptions. Option C is wrong because Azure Resource Manager (ARM) is the deployment and management layer that handles resource provisioning and state, but it does not offer a query language for cross-subscription resource discovery; it is reached through REST API calls or SDKs for individual resource lookups. Option D is wrong because the Azure CLI is a command-line client, not a query service: `az resource list` offers only simple filters, and the `az graph` extension that does accept KQL simply submits the query to Azure Resource Graph, which is the service doing the work.
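As an added example (not part of the original page), the Resource Graph query for question 322 run from Azure PowerShell across every subscription the signed-in identity can read. It assumes the Az.ResourceGraph module and an existing Connect-AzAccount session; the column names come from the VM resource schema in Resource Graph.

```powershell
# Added example (not from the original page): find VMs created in the last 30 days
# across all subscriptions with Azure Resource Graph, paging through results.
# Assumes Install-Module Az.ResourceGraph and Connect-AzAccount.

# For VMs, creation time is properties.timeCreated (there is no 'createdTime').
# The 'resources' table holds ARM metadata only; telemetry lives in Azure Monitor.
$query = @'
resources
| where type =~ 'microsoft.compute/virtualmachines'
| extend created = todatetime(properties.timeCreated)
| where created > ago(30d)
| project name, resourceGroup, subscriptionId, location,
          vmSize = tostring(properties.hardwareProfile.vmSize), created
| order by created desc
'@

# -UseTenantScope searches every subscription visible to the caller; use
# -Subscription @('id1','id2') instead to restrict the set. Results are paged
# (at most 1000 rows per call), so follow SkipToken until it comes back empty.
$params = @{ Query = $query; First = 1000; UseTenantScope = $true }
$vms = @()
$skipToken = $null
do {
    if ($skipToken) { $params['SkipToken'] = $skipToken }
    $page = Search-AzGraph @params
    $vms += $page
    $skipToken = $page.SkipToken
} while ($skipToken)

# VMs with a null timeCreated never satisfy the 'where' clause and are excluded.
$vms | Format-Table name, resourceGroup, subscriptionId, vmSize, created -AutoSize
```

The paging loop matters in real estates: Search-AzGraph returns at most 1000 rows per call, and a report that silently stops at the first page is a common source of "we never saw that VM" surprises.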

323
MCQmedium

A company has a policy that all Azure resources deployed to production subscriptions must be tagged with a 'CostCenter' tag. They want to automatically prevent the creation of any resource that does not include this tag. Which Azure Policy effect should they use in their policy definition?

A.Audit
B.Deny
C.DeployIfNotExists
D.Modify
AnswerB

Deny prevents the creation or update of a resource that does not include the required tag. This enforces the policy at deployment time.

Why this answer

The Deny effect is correct because it actively prevents the creation or deployment of any Azure resource that does not comply with the policy rule, such as one missing the required 'CostCenter' tag. Unlike Audit, which only logs compliance violations without blocking the operation, Deny enforces the policy at the time of the resource creation request, so non-compliant resources are never provisioned. Use the Indexed policy mode for tag rules so the policy only evaluates resource types that support tags and location; otherwise resource types that cannot carry tags would be denied outright.

Exam trap

The trap here is that candidates often confuse the Audit effect (which only reports non-compliance) with the Deny effect (which actively blocks the operation), mistakenly thinking that logging alone is sufficient to enforce a policy.

How to eliminate wrong answers

Option A is wrong because the Audit effect only logs a compliance warning in the activity log when a resource is created without the required tag, but it does not block the creation, so it fails to meet the requirement to automatically prevent deployment. Option C is wrong because DeployIfNotExists is used to automatically remediate non-compliant resources after they are created (by deploying a related resource through a remediation task), but it does not prevent the initial creation of the resource, which is the stated goal. Option D is wrong because the Modify effect adds, replaces or removes tags on the request (and, with a remediation task, on existing resources) instead of blocking it; it could supply a default CostCenter value, but the requirement is to prevent the deployment.

324
MCQeasy

Which Azure feature automatically turns off virtual machines at a scheduled time daily to reduce development costs?

A.Azure Policy VM power state enforcement
B.Azure VM Auto-Shutdown
C.Azure DevTest Labs cost controls
D.Azure Automation runbooks for VM shutdown
AnswerB

VM Auto-Shutdown schedules VMs to power off at a specific daily time, reducing compute costs for dev/test environments.

Why this answer

Azure VM Auto-Shutdown is a built-in per-VM setting that deallocates the virtual machine at a specified time each day, so compute charges stop while it is idle (a shutdown from inside the guest OS alone leaves the VM allocated and still billed). It is configured on the VM's Auto-shutdown blade in the Azure portal, with a time zone and an optional pre-shutdown notification, and needs no additional scripting or automation service.

Exam trap

The trap here is that candidates confuse Azure DevTest Labs cost controls (which offer lab-wide auto-shutdown and auto-start policies) with the per-VM Auto-Shutdown setting. DevTest Labs is a separate service for managed lab environments; the per-VM setting works on any VM, although under the hood it is stored as a Microsoft.DevTestLab/schedules resource in the VM's resource group, which is why that resource provider shows up next to ordinary VMs.

How to eliminate wrong answers

Option A is wrong because Azure Policy VM power state enforcement is used to audit or enforce compliance rules (for example, flagging VMs that are running outside business hours), but it does not provide a scheduled daily shutdown; it relies on policy definitions and remediation tasks, not a simple time-based schedule. Option C is wrong because Azure DevTest Labs cost controls include auto-shutdown policies for lab VMs, but this is a feature within the DevTest Labs service, not a general Azure feature applicable to all VMs outside a lab environment. Option D is wrong because Azure Automation runbooks for VM shutdown require custom PowerShell or Python scripts and a schedule linked to a runbook, which is more complex and not a built-in, one-click feature like VM Auto-Shutdown.
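Added example (not from the original page): because the portal's Auto-shutdown blade stores its settings as a Microsoft.DevTestLab/schedules resource named `shutdown-computevm-<vmName>` in the VM's resource group, the same setting can be created for every VM in a resource group and then audited with Azure PowerShell. The resource group, time zone and e-mail address are placeholders; it assumes Az.Compute, Az.Resources and an existing Connect-AzAccount session.

```powershell
# Added example (not from the original page): apply the per-VM Auto-Shutdown
# schedule to all VMs in a resource group, then list VMs that still lack one.
# Assumes Az.Compute, Az.Resources and Connect-AzAccount; names are placeholders.

$rgName = 'rg-dev-sandbox'                                  # placeholder
$vms    = Get-AzVM -ResourceGroupName $rgName

foreach ($vm in $vms) {
    # The schedule must live in the VM's resource group and region, and the portal
    # only recognises it under the name 'shutdown-computevm-<vmName>'.
    New-AzResource -ResourceGroupName $rgName `
        -ResourceType 'Microsoft.DevTestLab/schedules' `
        -ResourceName "shutdown-computevm-$($vm.Name)" `
        -Location     $vm.Location `
        -ApiVersion   '2018-09-15' `
        -Properties   @{
            status           = 'Enabled'
            taskType         = 'ComputeVmShutdownTask'      # deallocates, not just OS shutdown
            dailyRecurrence  = @{ time = '1900' }           # 19:00 in timeZoneId
            timeZoneId       = 'W. Europe Standard Time'
            targetResourceId = $vm.Id
            notificationSettings = @{
                status             = 'Enabled'
                timeInMinutes      = 30                     # warn 30 minutes ahead
                emailRecipient     = 'devteam@contoso.example'   # placeholder
                notificationLocale = 'en'
            }
        } -Force
}

# Audit: which VMs in the resource group have no shutdown schedule?
# -ExpandProperties is needed, otherwise Properties comes back empty.
$scheduled = Get-AzResource -ResourceGroupName $rgName `
        -ResourceType 'Microsoft.DevTestLab/schedules' -ExpandProperties |
    ForEach-Object { $_.Properties.targetResourceId }

$vms | Where-Object { $_.Id -notin $scheduled } | Select-Object Name, Location
```

The audit at the end is the part a governance team actually wants: a schedule that was never created, or was deleted with its VM's resource group recreated, is invisible until something compares the VM list against the schedule list.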

325
MCQmedium

An organization needs to ensure that all Azure resources comply with internal standards and automatically remediate non-compliant resources. Which Azure service provides this capability?

A.Azure Blueprints
B.Azure Policy with remediation tasks
C.Azure RBAC
D.Azure Security Center
AnswerB

Azure Policy with DeployIfNotExists and Modify effects automatically remediates non-compliant resources using remediation tasks.

Why this answer

Azure Policy with remediation tasks is the correct service because it lets the organization define compliance rules for Azure resources and fix non-compliant ones automatically using the deployIfNotExists and modify effects. Modify changes a create or update request as it is processed, and deployIfNotExists runs a deployment shortly after a resource is created or updated; for resources that already exist, the assignment only marks them non-compliant until a remediation task is created for it. Both effects act through a managed identity on the policy assignment, which must hold the roles listed in the definition's roleDefinitionIds. Together this keeps resources aligned with internal standards without manual intervention.

Exam trap

The trap here is that candidates often confuse Azure Blueprints (which can include policies but does not perform remediation) with Azure Policy's remediation tasks, or they think Azure Security Center handles all compliance, when in fact it focuses on security-specific compliance (e.g., CIS benchmarks) rather than general internal standards.

How to eliminate wrong answers

Option A is wrong because Azure Blueprints is used for orchestrating the deployment of resource templates, policies, and role assignments as a package, but it does not automatically remediate non-compliant resources after deployment. Option C is wrong because Azure RBAC (Role-Based Access Control) manages who has access to Azure resources and what actions they can perform, but it does not enforce resource configuration compliance or provide remediation capabilities. Option D is wrong because Azure Security Center (now Microsoft Defender for Cloud) provides security posture management and threat protection, but its primary focus is security vulnerabilities and threats, not general compliance with internal standards or automated remediation of non-compliant resources.
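As an added example (not part of the original question bank) that serves questions 323 and 325 together: the remediating counterpart of the Deny tag policy. A Modify policy adds a default 'CostCenter' tag when it is missing, and with a managed identity plus a remediation task it also fixes resources that already exist. Subscription ID, location, names and the default tag value are placeholders; it assumes a current Az.Resources (with -IdentityType on New-AzPolicyAssignment), Az.PolicyInsights and an existing Connect-AzAccount session.

```powershell
# Added example (not from the original page): Modify policy that adds a default
# CostCenter tag, with a system-assigned identity and a remediation task for
# pre-existing resources. Assumes Az.Resources, Az.PolicyInsights, Connect-AzAccount;
# IDs, names and the default value are placeholders.

$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$scope          = "/subscriptions/$subscriptionId"
$location       = 'westeurope'                             # region for the identity
$tagContributor = '4a9ae827-6dc8-4573-8ac7-8239d42aa03f'   # built-in Tag Contributor role

# Rule: when the tag is absent, add it. roleDefinitionIds declares what the
# assignment's identity needs; Tag Contributor is enough for tag edits.
$rule = @"
{
  "if": { "field": "[concat('tags[', parameters('tagName'), ']')]", "exists": "false" },
  "then": {
    "effect": "modify",
    "details": {
      "roleDefinitionIds": [ "/providers/Microsoft.Authorization/roleDefinitions/$tagContributor" ],
      "operations": [
        {
          "operation": "add",
          "field": "[concat('tags[', parameters('tagName'), ']')]",
          "value": "[parameters('tagValue')]"
        }
      ]
    }
  }
}
"@
$parameters = @'
{
  "tagName":  { "type": "String", "defaultValue": "CostCenter" },
  "tagValue": { "type": "String", "defaultValue": "unassigned" }
}
'@

$definition = New-AzPolicyDefinition -Name 'modify-add-costcenter-tag' `
    -DisplayName 'Add CostCenter tag with a default value' `
    -Policy $rule -Parameter $parameters -Mode 'Indexed'

# Modify and DeployIfNotExists need an identity; -Location is required with it.
$assignmentName = 'add-costcenter-tag'
$assignment = New-AzPolicyAssignment -Name $assignmentName -Scope $scope `
    -PolicyDefinition $definition -IdentityType 'SystemAssigned' -Location $location

# Grant the identity exactly the role the definition declares.
New-AzRoleAssignment -ObjectId $assignment.Identity.PrincipalId `
    -RoleDefinitionId $tagContributor -Scope $scope

# New and updated resources are tagged at request time. Existing resources are
# only marked non-compliant until a remediation task runs for this assignment.
# (Role assignment propagation can take a few minutes; rerun on an auth error.)
$assignmentId = "$scope/providers/Microsoft.Authorization/policyAssignments/$assignmentName"
Start-AzPolicyRemediation -Name 'remediate-costcenter-tag' -Scope $scope `
    -PolicyAssignmentId $assignmentId

# Check what is still non-compliant once the task has finished.
Get-AzPolicyState -SubscriptionId $subscriptionId `
    -Filter "PolicyAssignmentName eq '$assignmentName' and ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, ComplianceState
```

Pairing this with the Deny policy from question 323 is a common pattern: Deny stops new untagged resources at the door, while Modify with a remediation task cleans up what was already there without a human touching each resource.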

326
MCQmedium

A multinational company has multiple Azure subscriptions managed by different teams. The compliance team requires that all new virtual machines deployed in any subscription must have a specific tag (e.g., 'CostCenter') and must be deployed in approved regions only. They also want to automatically enforce these requirements without manual intervention. Which Azure service should the compliance team use to achieve this?

A.Azure Policy
B.Azure Role-Based Access Control (RBAC)
C.Azure Blueprints
D.Azure Management Groups
AnswerA

Correct. Azure Policy allows you to create, assign, and manage policies that enforce rules and effects over your resources. In this scenario, a policy can automatically add a required tag and restrict allowed regions when virtual machines are created.

Why this answer

Azure Policy is correct because it enables the compliance team to create, assign, and manage policies that enforce rules (like requiring a 'CostCenter' tag and restricting VM deployment to approved regions) across all subscriptions. Policies are evaluated during resource creation and can automatically deny or audit non-compliant resources, ensuring enforcement without manual intervention.

Exam trap

The trap here is that candidates often confuse Azure Policy (which enforces rules on resources) with Azure Blueprints (which packages policies, RBAC, and resources for environment setup), but Blueprints does not enforce compliance on its own.

How to eliminate wrong answers

Option B is wrong because Azure RBAC controls who has permissions to perform actions (e.g., who can create VMs), but it cannot enforce resource-level configurations like required tags or approved regions. Option C is wrong because Azure Blueprints is used to orchestrate the deployment of repeatable environments (including policies, RBAC, and resource groups), but it does not itself enforce compliance—it relies on Azure Policy for enforcement. Option D is wrong because Azure Management Groups provide a hierarchical structure for managing access, policies, and compliance across multiple subscriptions, but they are a container for organizing subscriptions, not a service that directly enforces tagging or region restrictions.

327
MCQmedium

A company has an Azure subscription that contains production resources. The IT manager is concerned that a user who has the Contributor role might accidentally delete the entire subscription. The company wants a solution that prevents anyone from deleting the subscription, even users with the Owner role, while still allowing modifications to the resources inside the subscription. What should the administrator configure?

A.Assign a custom role-based access control (RBAC) role that denies the delete action for all users.
B.Configure an Azure Policy with the 'Deny' effect to block deletion of the subscription.
C.Apply a resource lock of type 'Delete' at the subscription level.
D.Apply a resource lock of type 'ReadOnly' at the subscription level.
AnswerC

This is correct. A 'Delete' (CanNotDelete) lock at the subscription scope is inherited by every resource group and resource in the subscription, so nothing under it can be deleted until the lock is removed, while read and update operations continue to work. Resource locks apply to every caller, Owners included, and can be set at subscription, resource group or resource level. This directly meets the requirement to protect against accidental deletion while still allowing modifications.

Why this answer

Option C is correct because a resource lock of type 'Delete' (CanNotDelete in the API and in PowerShell) at the subscription level blocks delete operations for any user, including those with the Owner role, while leaving create, read and update operations untouched. Locks are enforced by Resource Manager independently of RBAC: an Owner is not exempt, but can remove the lock first, which is a deliberate and separately audited step that requires Microsoft.Authorization/locks/delete. This directly addresses the IT manager's concern about accidental deletion.

Exam trap

The trap here is that candidates confuse Azure Policy (which governs resource configuration compliance) with resource locks (which protect against accidental deletion or modification at the management plane), leading them to choose Azure Policy instead of the correct lock type.

How to eliminate wrong answers

Option A is wrong because Azure RBAC is additive: a custom role can only grant actions (NotActions merely subtracts from that same role's grant), so it cannot deny deletion to a user who also holds Contributor or Owner, and an Owner can change the role assignments anyway. Option B is wrong because Azure Policy is evaluated on create and update requests (PUT and PATCH) against resource properties such as allowed locations or SKU sizes; it is not evaluated on delete operations, so a Deny effect cannot block a deletion.
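As an added example (not part of the original question bank) covering questions 319 and 327: applying a CanNotDelete lock at subscription scope with Azure PowerShell, showing that a delete is refused while an update still succeeds, and showing the explicit unlock step. Subscription ID and resource group name are placeholders; it assumes Az.Resources and an existing Connect-AzAccount session.

```powershell
# Added example (not from the original page): CanNotDelete lock at subscription scope,
# a blocked delete, an allowed update, and the deliberate unlock step.
# Assumes Az.Resources and Connect-AzAccount; IDs and names are placeholders.

$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$scope          = "/subscriptions/$subscriptionId"
$rgName         = 'rg-prod-app'                            # placeholder

# LockLevel is 'CanNotDelete' (shown as "Delete" in the portal) or 'ReadOnly'.
# The lock is inherited by every resource group and resource under the scope.
New-AzResourceLock `
    -LockName  'prod-no-delete' `
    -LockLevel 'CanNotDelete' `
    -Scope     $scope `
    -LockNotes 'Production subscription: remove this lock before any deletion.' `
    -Force

# A delete anywhere under the scope now fails regardless of the caller's role.
try {
    Remove-AzResourceGroup -Name $rgName -Force -ErrorAction Stop
} catch {
    # Resource Manager returns error code ScopeLocked; surface it, do not swallow it.
    Write-Warning "Delete blocked: $($_.Exception.Message)"
}

# Updates are still allowed (a ReadOnly lock would block this as well).
Set-AzResourceGroup -Name $rgName -Tag @{ Environment = 'Production' }

# Audit: list every lock that applies at this scope.
Get-AzResourceLock -Scope $scope |
    Select-Object Name, @{ n = 'Level'; e = { $_.Properties.level } }, ResourceId

# Deliberate removal is a separate, auditable step that needs
# Microsoft.Authorization/locks/delete (Owner or User Access Administrator).
# Remove-AzResourceLock -LockName 'prod-no-delete' -Scope $scope -Force
```

The try/catch is there to make the point of the question visible: the Remove-AzResourceGroup call fails with ScopeLocked for an Owner just as it does for a Contributor, and the only path to deletion is the commented-out Remove-AzResourceLock, which shows up in the activity log as its own event.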

328
MCQmedium

A company's finance team uses Azure Cost Management + Billing to monitor cloud spending. They want to configure a rule that sends an email notification to the finance team's distribution list when the monthly cost for resources tagged with Department=Marketing exceeds $10,000. Which Azure Cost Management feature should they configure?

A.Budget
B.Invoice
C.Cost analysis
D.Recommendations
AnswerA

A budget in Azure Cost Management + Billing can include cost thresholds and alert rules. When the actual or forecasted cost exceeds the defined amount, an email notification is sent to the specified recipients.

Why this answer

Azure Budgets allow you to set cost or usage thresholds and configure alerts that trigger when spending reaches a specified percentage of the budget. In this scenario, the finance team can create a budget with a $10,000 threshold for the Department=Marketing tag, and configure an alert rule to send an email notification to the distribution list when costs exceed that amount.

Exam trap

The trap here is that candidates confuse the reporting capabilities of Cost analysis (which shows past spending) with the proactive alerting functionality of Budgets, leading them to select Cost analysis instead of Budget.

How to eliminate wrong answers

Option B (Invoice) is wrong because the Invoice feature provides a downloadable PDF of the monthly bill and does not support custom alerting rules based on tagged resource costs. Option C (Cost analysis) is wrong because while Cost analysis provides interactive views and filtering of historical cost data, it does not natively send proactive email notifications when a spending threshold is exceeded. Option D (Recommendations) is wrong because Advisor cost recommendations suggest savings such as right-sizing or reservations; they do not watch a threshold or send alerts when spend is exceeded.
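As an added example (not part of the original question bank) covering questions 321 and 328: a monthly cost budget filtered to resources tagged Department=Marketing, with e-mail alerts at 90% of forecasted and 100% of actual spend. Tag filters are not exposed by the New-AzConsumptionBudget cmdlet, so this calls the Microsoft.Consumption/budgets REST API through Invoke-AzRestMethod. Subscription ID, budget name, dates and address are placeholders; the api-version is one that supports tag filters and forecasted thresholds, and it assumes Az.Accounts with an existing Connect-AzAccount session.

```powershell
# Added example (not from the original page): monthly budget on a tag filter with
# forecasted and actual alerts, via the Microsoft.Consumption/budgets REST API.
# Assumes Az.Accounts and Connect-AzAccount; IDs, dates and addresses are placeholders.

$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$budgetName     = 'marketing-monthly-10k'
$alertEmails    = @('finance-alerts@contoso.example')      # placeholder distribution list

# startDate must be the first day of a month; endDate bounds the budget's lifetime.
$firstOfMonth = Get-Date -Day 1
$start = $firstOfMonth.ToString('yyyy-MM-dd') + 'T00:00:00Z'
$end   = $firstOfMonth.AddYears(2).ToString('yyyy-MM-dd') + 'T00:00:00Z'

$body = @{
    properties = @{
        category   = 'Cost'
        amount     = 10000
        timeGrain  = 'Monthly'
        timePeriod = @{ startDate = $start; endDate = $end }
        # Only cost carrying this tag counts towards the budget.
        filter = @{
            tags = @{ name = 'Department'; operator = 'In'; values = @('Marketing') }
        }
        # Notification keys are free-form; threshold is a percentage of 'amount'.
        notifications = @{
            'Forecasted_GreaterThan_90_Percent' = @{
                enabled       = $true
                operator      = 'GreaterThan'
                threshold     = 90
                thresholdType = 'Forecasted'
                contactEmails = $alertEmails
            }
            'Actual_GreaterThan_100_Percent' = @{
                enabled       = $true
                operator      = 'GreaterThan'
                threshold     = 100
                thresholdType = 'Actual'
                contactEmails = $alertEmails
            }
        }
    }
} | ConvertTo-Json -Depth 10

$path = "/subscriptions/$subscriptionId/providers/Microsoft.Consumption/budgets/$budgetName?api-version=2021-10-01"
$response = Invoke-AzRestMethod -Path $path -Method PUT -Payload $body

if ($response.StatusCode -notin 200, 201) {
    throw "Budget create failed ($($response.StatusCode)): $($response.Content)"
}

# A budget only alerts; nothing here stops the meter. To act on an alert, add an
# action group (contactGroups in the notification) that runs a runbook or function.
(Invoke-AzRestMethod -Path $path -Method GET).Content |
    ConvertFrom-Json |
    Select-Object -ExpandProperty properties |
    Select-Object amount, timeGrain, currentSpend
```

The forecasted alert is the one that prevents surprises: it fires while there is still time to act in the current month, whereas the actual-spend alert confirms the overrun after the fact.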
