Microsoft Azure Fundamentals AZ-900 (AZ-900) — Questions 976–1031

1031 questions total · 14 pages · All types, answers revealed

Page 14 of 14

976 · MCQ · medium

Which Azure service provides an enterprise messaging service with advanced features like topics, subscriptions, and dead-letter queues?

A. Azure Queue Storage
B. Azure Event Grid
C. Azure Service Bus
D. Azure Event Hubs

Answer: C

Service Bus provides enterprise messaging with topics, subscriptions, dead-letter queues, and FIFO guarantees.

Why this answer

Azure Service Bus is a fully managed enterprise message broker that supports advanced messaging patterns including topics (publish/subscribe), subscriptions (filtered message delivery), and dead-letter queues (for handling undeliverable messages). It is designed for reliable, ordered message delivery with features like sessions, transactions, and duplicate detection, making it the correct choice for this question.

Exam trap

The trap here is that candidates confuse Azure Service Bus with Azure Queue Storage because both offer queue-like functionality, but only Service Bus provides the advanced enterprise features (topics, subscriptions, dead-letter queues) explicitly mentioned in the question.

How to eliminate wrong answers

Option A is wrong because Azure Queue Storage is a simple, cost-effective message queue service that does not support topics, subscriptions, or dead-letter queues; it offers basic FIFO (best-effort) ordering and no pub/sub capabilities. Option B is wrong because Azure Event Grid is a serverless event routing service that uses event subscriptions and filters, but it does not provide message queues, topics, or dead-letter queues; it is designed for reactive event-driven architectures, not persistent messaging. Option D is wrong because Azure Event Hubs is a big data streaming platform and event ingestion service optimized for high-throughput telemetry and log data; it does not support topics, subscriptions, or dead-letter queues, and it lacks the broker-style features like sessions and transactions.

977 · MCQ · hard

A company needs to ensure that all Azure resources in a subscription are created only in specific approved regions. Which Azure feature should they implement?

A. Azure Resource Locks
B. Azure RBAC
C. Azure Policy with 'Allowed locations' policy
D. Azure Blueprints

Answer: C

The 'Allowed locations' Azure Policy restricts resource creation to specified approved regions.

Why this answer

Azure Policy with the 'Allowed locations' policy definition is the correct choice because it enforces organizational compliance by restricting the Azure regions where resources can be deployed. This policy evaluates all resource creation requests against a defined list of approved regions and denies any request that does not match, ensuring that all resources in the subscription are created only in the specified approved locations.

Exam trap

The trap here is that candidates often confuse Azure Policy with Azure RBAC or Resource Locks, mistakenly thinking that access control or deletion protection can restrict resource locations, when in fact only Azure Policy provides the declarative enforcement rules for compliance like allowed regions.

How to eliminate wrong answers

Option A is wrong because Azure Resource Locks prevent accidental deletion or modification of resources but do not restrict the regions in which resources can be created. Option B is wrong because Azure RBAC (Role-Based Access Control) manages who has access to Azure resources and what actions they can perform, but it does not enforce location restrictions. Option D is wrong because Azure Blueprints orchestrate the deployment of resource templates, policies, and role assignments as a package, but the actual enforcement of allowed regions is done by Azure Policy definitions included within the blueprint, not by Blueprints themselves.

978 · MCQ · easy

Which Azure service enables you to synchronize your on-premises Active Directory with Azure Active Directory?

A. Azure AD Domain Services
B. Azure AD B2C
C. Azure AD Connect
D. Azure Multi-Factor Authentication

Answer: C

Azure AD Connect synchronizes on-premises Active Directory identities to Azure AD for hybrid identity.

Why this answer

Azure AD Connect is the correct service because it is specifically designed to synchronize on-premises Active Directory identities with Azure Active Directory, enabling hybrid identity scenarios. It handles password hash synchronization, pass-through authentication, and federation integration, ensuring users have a single identity for both on-premises and cloud resources.

Exam trap

The trap here is that candidates often confuse Azure AD Connect (synchronization tool) with Azure AD Domain Services (managed domain services), as both involve Active Directory, but they serve entirely different purposes.

How to eliminate wrong answers

Option A is wrong because Azure AD Domain Services provides managed domain services like group policy and domain join for Azure VMs, not synchronization of on-premises AD with Azure AD. Option B is wrong because Azure AD B2C is a customer identity and access management service for external users (e.g., social logins), not for synchronizing enterprise on-premises directories. Option D is wrong because Azure Multi-Factor Authentication is a security feature that adds an extra layer of authentication, not a directory synchronization tool.

979 · MCQ · hard

A company uses Azure Policy to enforce encryption on storage accounts. They discover some existing storage accounts are non-compliant. They want to automatically enable encryption on these accounts without manual intervention. Which combination of policy effects should they use?

A. Audit and DeployIfNotExists
B. Deny and Audit
C. Append and Modify
D. Audit and Disabled

Answer: A

Correct. Audit reports non-compliance, and DeployIfNotExists automatically deploys a configuration (like enabling encryption) to bring the resource into compliance.

Why this answer

The correct combination is Audit and DeployIfNotExists. Audit logs non-compliant storage accounts without blocking them, while DeployIfNotExists automatically enables encryption on those accounts by deploying a remediation task. This ensures existing non-compliant resources are brought into compliance without manual intervention.

Exam trap

The trap here is that candidates confuse Deny (which only blocks new non-compliant resources) with DeployIfNotExists (which remediates existing ones), or assume Append/Modify can retroactively fix existing resources when they only apply during resource creation or update.

How to eliminate wrong answers

Option B (Deny and Audit) is wrong because Deny blocks the creation or update of non-compliant resources but does not remediate existing non-compliant storage accounts; Audit only logs them, so encryption would not be automatically enabled. Option C (Append and Modify) is wrong because Append adds fields to resources during creation or update (e.g., adding a tag) and Modify alters properties during creation or update, but neither effect triggers remediation on existing resources; they only act on new or updated deployments. Option D (Audit and Disabled) is wrong because Disabled turns off the policy effect entirely, meaning no evaluation or remediation occurs, and Audit alone only logs non-compliance without enabling encryption.

980 · MCQ · medium

A company migrates its on-premises infrastructure to Azure. The IT manager notes that Azure dynamically allocates and reallocates compute and storage resources across multiple customers based on demand, while ensuring each customer's data and workloads remain isolated from others. Which cloud computing characteristic does this describe?

A. Rapid elasticity
B. Resource pooling
C. Measured service
D. On-demand self-service

Answer: B

Resource pooling is the correct answer because the scenario explicitly mentions Azure allocating and reallocating compute and storage resources across multiple customers while maintaining isolation. This is the definition of resource pooling in the NIST cloud computing model.

Why this answer

Resource pooling is the cloud computing characteristic where the provider's computing resources are pooled to serve multiple customers using a multi-tenant model, with physical and virtual resources dynamically assigned and reassigned according to demand. This ensures each customer's data and workloads remain isolated while the provider can efficiently allocate compute and storage across tenants. The scenario directly describes this multi-tenant isolation and dynamic allocation, which is the essence of resource pooling.

Exam trap

The trap here is that candidates confuse 'resource pooling' with 'rapid elasticity' because both involve dynamic allocation, but resource pooling focuses on multi-tenant isolation and shared infrastructure, while rapid elasticity is about scaling speed and flexibility.

How to eliminate wrong answers

Option A is wrong because rapid elasticity refers to the ability to quickly scale resources up or down, not the pooling and isolation of resources across multiple customers. Option C is wrong because measured service involves metering resource usage for billing and optimization, not the dynamic allocation and isolation described. Option D is wrong because on-demand self-service allows users to provision resources without human interaction, but does not cover the multi-tenant pooling or isolation aspect.

981 · MCQ · easy

A company uses Azure for multiple workloads. The finance team wants to identify virtual machines that are consistently underutilized (average CPU usage below 5%) so they can reduce costs by resizing or shutting down those VMs. They want a built-in Azure tool that automatically analyzes resource usage and provides actionable recommendations. Which Azure service should they use?

A. Azure Monitor
B. Azure Advisor
C. Azure Cost Management
D. Azure Policy

Answer: B

Azure Advisor analyzes your Azure resources and provides best practice recommendations, including cost optimization. It identifies underutilized VMs and suggests resizing or shutting them down to reduce costs.

Why this answer

Azure Advisor is the correct service because it is a built-in Azure tool that automatically analyzes resource usage and provides actionable recommendations to optimize costs, including identifying underutilized virtual machines. It specifically evaluates CPU usage patterns and suggests resizing or shutting down VMs with consistently low utilization (e.g., average CPU below 5%) to reduce costs without manual intervention.

Exam trap

The trap here is that candidates often confuse Azure Monitor's ability to view metrics with the automated, actionable recommendations that only Azure Advisor provides, leading them to select Azure Monitor instead of Azure Advisor.

How to eliminate wrong answers

Option A is wrong because Azure Monitor is a monitoring and diagnostics service that collects metrics and logs, but it does not automatically generate actionable cost optimization recommendations like resizing or shutting down VMs; it requires custom alert rules or dashboards to detect underutilization. Option C is wrong because Azure Cost Management focuses on budgeting, cost analysis, and invoice management, not on analyzing resource utilization patterns to provide specific VM resizing or shutdown recommendations. Option D is wrong because Azure Policy enforces compliance rules and governance standards (e.g., tagging or allowed VM sizes), but it does not analyze historical CPU usage or provide cost optimization recommendations for underutilized resources.

982 · Matching · medium

Match each Azure storage type to its use case.

Descriptions to match:

Unstructured data like images and videos

SMB file shares for cloud or on-premises

Message queuing for asynchronous processing

NoSQL key-value store for structured data

Block-level storage for Azure VMs

Why these pairings

Azure provides multiple storage options optimized for different data types.

983 · MCQ · medium

A healthcare organization migrates its patient data management application to Azure. The organization's compliance team learns that Azure's underlying physical infrastructure, including servers and storage, is shared by many customers globally. The team is concerned about data leakage and wants to understand which fundamental cloud computing characteristic allows the provider to share physical hardware among multiple tenants while ensuring that each tenant's data and compute resources remain logically isolated and secure from one another.

A. Rapid elasticity
B. Resource pooling
C. Measured service
D. Broad network access

Answer: B

Resource pooling is the correct characteristic. It means the cloud provider's computing resources are pooled to serve multiple customers using a multi-tenant model, with strict logical isolation so that each tenant's data and processes are secure and private, even though they share the same physical hardware.

Why this answer

Resource pooling is the correct answer because it is the fundamental cloud computing characteristic that enables a provider to serve multiple customers (tenants) from the same physical hardware while maintaining logical isolation. In Azure, this is achieved through hypervisor-level virtualization (e.g., Hyper-V) where each tenant's virtual machines and data are isolated at the kernel and memory level, preventing cross-tenant data leakage even though the underlying servers and storage are shared.

Exam trap

The trap here is that candidates confuse resource pooling with security isolation mechanisms like encryption or firewalls, but the question specifically asks for the fundamental cloud characteristic that enables shared physical hardware with logical isolation, which is resource pooling, not a specific security feature.

How to eliminate wrong answers

Option A is wrong because rapid elasticity refers to the ability to quickly scale resources up or down based on demand, not to multi-tenant isolation or data security. Option C is wrong because measured service involves metering and billing for resource usage (e.g., pay-as-you-go), which is unrelated to logical separation of tenant data on shared hardware. Option D is wrong because broad network access describes the ability to access cloud resources over standard network protocols (e.g., HTTPS, SSH) from various devices, not the mechanism for isolating tenant workloads on shared infrastructure.

984 · MCQ · medium

A company runs a critical transaction processing application on two Azure virtual machines. The infrastructure is designed so that if one virtual machine encounters a hardware failure and stops functioning, the other virtual machine continues to serve traffic without any interruption or loss of service. Which cloud computing characteristic does this design primarily address?

A. High availability
B. Fault tolerance
C. Disaster recovery
D. Scalability

Answer: B

Correct. Fault tolerance is the ability of a system to continue operating without interruption even when one or more components fail. The design where a failure of one VM causes no service disruption is a classic example of fault tolerance.

Why this answer

The design ensures that if one virtual machine fails due to a hardware failure, the other continues serving traffic without any interruption or loss of service. This is the definition of fault tolerance, which eliminates any single point of failure and maintains continuous operation even when a component fails. High availability reduces downtime but may allow brief interruptions during failover, whereas fault tolerance guarantees zero interruption.

Exam trap

The trap here is that candidates confuse high availability with fault tolerance, but high availability allows for brief downtime during failover, while fault tolerance guarantees zero interruption, which is the key distinction tested in this question.

How to eliminate wrong answers

Option A is wrong because high availability focuses on minimizing downtime through redundancy and automatic failover, but it typically allows a brief interruption (e.g., seconds to minutes) during the failover process, whereas the scenario explicitly states 'without any interruption or loss of service.' Option C is wrong because disaster recovery involves restoring systems and data after a major disaster (e.g., region-wide outage) from a secondary site, not maintaining continuous service during a local hardware failure. Option D is wrong because scalability refers to the ability to increase or decrease resources to handle varying load, not to maintain service continuity during a hardware failure.

985 · Matching · medium

Match each Azure networking service to its purpose.

Descriptions to match:

Distribute traffic across VMs

Layer 7 load balancer with WAF

DNS-based traffic routing across regions

Send encrypted traffic between networks

Dedicated private connection to Azure

Why these pairings

These services address different networking and load balancing needs.

986 · MCQ · medium

Which Azure service replicates on-premises virtual machines and physical servers to Azure for disaster recovery?

A. Azure Backup
B. Azure Site Recovery
C. Azure Migrate
D. Azure Archive Storage

Answer: B

Site Recovery continuously replicates on-premises VMs to Azure for disaster recovery with automated failover.

Why this answer

Azure Site Recovery (ASR) is the correct service because it is specifically designed for disaster recovery (DR) by orchestrating replication, failover, and failback of on-premises virtual machines and physical servers to Azure. It uses continuous replication to maintain data consistency and supports planned/unplanned failover, ensuring business continuity during outages.

Exam trap

The trap here is that candidates confuse Azure Backup (point-in-time backups) with Azure Site Recovery (continuous replication and failover), as both involve data protection but serve fundamentally different purposes in the Azure resilience portfolio.

How to eliminate wrong answers

Option A is wrong because Azure Backup is a backup service that creates point-in-time recovery copies of data, not a disaster recovery solution that replicates entire workloads for failover. Option C is wrong because Azure Migrate is a tool for assessing and migrating on-premises servers to Azure, not for ongoing replication and failover in a DR scenario. Option D is wrong because Azure Archive Storage is a low-cost storage tier for rarely accessed data, not a replication or recovery service for virtual machines or physical servers.

987 · MCQ · medium

A company is developing a custom web application that will be deployed to Azure. The development team wants to minimize operational overhead and avoid any responsibility for managing the underlying operating system, runtime, or middleware. They want to focus solely on writing application code and managing data. Which cloud service model should the company use for this application?

A. Infrastructure as a Service (IaaS)
B. Platform as a Service (PaaS)
C. Software as a Service (SaaS)
D. Functions as a Service (FaaS)

Answer: B

PaaS abstracts the underlying infrastructure, including the OS and runtime, so the team can focus on application code and data. Azure App Service is a common PaaS offering for web applications.

Why this answer

Platform as a Service (PaaS) is the correct model because it abstracts the underlying OS, runtime, and middleware, allowing developers to focus solely on writing application code and managing data. Azure App Service is a PaaS offering that provides automatic patching, load balancing, and scaling without any responsibility for the host OS or runtime environment. This directly matches the requirement to minimize operational overhead and avoid managing infrastructure layers.

Exam trap

The trap here is that candidates often confuse PaaS with IaaS because they think 'custom application' requires full control over the OS, but the question explicitly states the team wants to avoid managing the OS, runtime, or middleware, which is the defining characteristic of PaaS.

How to eliminate wrong answers

Option A (IaaS) is wrong because it provides virtualized computing resources (e.g., Azure VMs) where the customer is responsible for managing the OS, runtime, and middleware, including patching and configuration, which contradicts the goal of minimizing operational overhead. Option C (SaaS) is wrong because it delivers fully managed software applications (e.g., Office 365) where the customer does not write custom code or manage data at the application layer; the scenario explicitly requires developing a custom web application. Option D (FaaS) is wrong because it is a subset of serverless computing (e.g., Azure Functions) that focuses on event-driven, stateless code execution, but it still requires managing triggers, bindings, and scaling configurations, and does not provide a full runtime environment for a custom web application with persistent data management.

988 · MCQ · medium

A manufacturing company traditionally purchased and maintained its own servers, paying a large upfront capital expense (CapEx) for hardware that was expected to last five years. After migrating its workloads to Azure virtual machines, the company now receives a monthly invoice that reflects only the compute and storage resources actually consumed during that month. There are no upfront payments. This change in cost structure best illustrates which benefit of cloud computing?

A. Scalability to handle variable demand
B. High availability through geographic redundancy
C. Consumption-based pricing model
D. Resource pooling through multi-tenancy

Answer: C

This is the correct benefit. The cloud's consumption-based (pay-as-you-go) model eliminates large upfront capital expenses and replaces them with variable operational expenses based on actual resource usage.

Why this answer

The scenario describes a shift from a large upfront capital expenditure (CapEx) for hardware to a monthly invoice based on actual compute and storage consumption. This directly illustrates the consumption-based pricing model, where you pay only for the resources you use (e.g., VM hours, storage GB-months) with no upfront costs. This is a core financial benefit of cloud computing, enabling operational expenditure (OpEx) instead of CapEx.

Exam trap

The trap here is that candidates confuse the financial benefit of consumption-based pricing with the operational benefit of scalability, but the question explicitly contrasts upfront CapEx with monthly usage-based billing, making the pricing model the clear focus.

How to eliminate wrong answers

Option A is wrong because scalability refers to the ability to dynamically increase or decrease resources to handle variable demand, not the change in cost structure from upfront to pay-as-you-go. Option B is wrong because high availability through geographic redundancy involves replicating workloads across multiple Azure regions to ensure uptime, which is unrelated to the payment model described. Option D is wrong because resource pooling through multi-tenancy allows multiple customers to share the same physical infrastructure, driving cost efficiency for the provider, but the question focuses on the customer's billing model, not the provider's infrastructure sharing.

989 · MCQ · medium

Which Azure service enables you to securely connect remote users to Azure and on-premises resources using an SSL-based VPN?

A. Azure ExpressRoute
B. Azure Bastion
C. Azure VPN Gateway
D. Azure Application Gateway

Answer: C

VPN Gateway provides encrypted IPsec/SSL VPN connections for site-to-site and point-to-site connectivity.

Why this answer

Azure VPN Gateway supports site-to-site, point-to-site, and VNet-to-VNet connections. Point-to-site (P2S) VPN uses SSTP (Secure Socket Tunneling Protocol) or IKEv2 VPN, and when configured with SSTP, it provides an SSL-based VPN tunnel (TCP port 443) that allows remote users to securely connect to Azure and on-premises resources through the gateway.

Exam trap

The trap here is that candidates often confuse Azure VPN Gateway (which does support SSL-based P2S VPN) with Azure Application Gateway (a Layer 7 load balancer) or Azure Bastion (a secure RDP/SSH jump server), mistakenly thinking those services provide VPN connectivity.

How to eliminate wrong answers

Option A is wrong because Azure ExpressRoute provides a dedicated, private, high-bandwidth connection from on-premises to Azure using MPLS or similar Layer 2/3 technologies, not an SSL-based VPN. Option B is wrong because Azure Bastion is a fully managed PaaS service that provides secure RDP/SSH connectivity to virtual machines directly in the Azure portal over TLS, but it does not function as a VPN gateway for remote user connectivity to Azure or on-premises resources. Option D is wrong because Azure Application Gateway is a Layer 7 load balancer and web application firewall (WAF) that routes HTTP/HTTPS traffic, not a VPN service for remote user connectivity.

990 · MCQ · easy

Which Azure service provides a globally distributed, multi-model database service with single-digit millisecond read latency?

A. Azure SQL Database
B. Azure Database for MySQL
C. Azure Cosmos DB
D. Azure Cache for Redis

Answer: C

Cosmos DB is globally distributed, multi-model, with single-digit millisecond latency and 99.999% availability SLA.

Why this answer

Azure Cosmos DB is a globally distributed, multi-model database service that guarantees single-digit millisecond read latency at the 99th percentile, regardless of the region or consistency level. It supports multiple data models (document, key-value, graph, column-family) and provides turnkey global distribution across any number of Azure regions.

Exam trap

The trap here is that candidates often confuse Azure Cache for Redis (a low-latency cache) with a globally distributed multi-model database, but Redis is not a multi-model database and does not provide turnkey global distribution with multiple consistency models like Cosmos DB does.

How to eliminate wrong answers

Option A is wrong because Azure SQL Database is a relational database service that does not natively support multi-model data or offer single-digit millisecond read latency globally; its latency depends on the region and query complexity. Option B is wrong because Azure Database for MySQL is a managed relational database service based on the MySQL engine, which is not multi-model and does not provide guaranteed single-digit millisecond read latency across global distributions. Option D is wrong because Azure Cache for Redis is an in-memory caching service based on the Redis engine, not a multi-model database; while it offers low latency, it is primarily a cache layer, not a fully managed globally distributed database with multiple data models.

991 · MCQ · medium

A company runs a web application on an Azure virtual machine. The application experiences periodic traffic surges during promotional campaigns. To handle the increased load, the IT team manually changes the VM size from Standard_D2s_v3 to Standard_D8s_v3 before each campaign and then changes it back after the campaign ends. Which cloud computing concept does this scenario exemplify?

A. Elasticity
B. Scalability
C. High availability
D. Disaster recovery

Answer: B

Scalability is the ability to allocate more or fewer resources to a workload as needed. The manual resizing of the VM to handle traffic surges and the subsequent reduction is a clear example of vertical scalability.

Why this answer

This scenario exemplifies scalability, specifically vertical scaling (scaling up), because the IT team manually increases the VM size to handle higher demand and then reduces it afterward. Scalability is the ability to adjust resources to meet changing workload demands, which is exactly what occurs when changing from Standard_D2s_v3 to Standard_D8s_v3.

Exam trap

The trap here is that candidates confuse manual scaling with elasticity, but elasticity specifically requires automatic, on-demand resource adjustment without human intervention.

How to eliminate wrong answers

Option A is wrong because elasticity refers to the automatic, dynamic provisioning and de-provisioning of resources in response to real-time demand, whereas this scenario describes a manual, scheduled change. Option C is wrong because high availability ensures that applications remain accessible despite component failures through redundancy (e.g., multiple VMs in an availability set), not by resizing a single VM. Option D is wrong because disaster recovery involves restoring systems and data after a catastrophic failure (e.g., using Azure Site Recovery), not adjusting capacity for traffic surges.

992 · MCQ · medium

A company runs a web application on Azure. At the end of each month, the finance team reviews an invoice that itemizes charges by resource type, such as virtual machine compute hours, storage capacity used, and data transfer volume. The total cost directly corresponds to the exact quantity of resources consumed during the billing period. This capability is an example of which fundamental characteristic of cloud computing?

A. Rapid elasticity
B. Measured service
C. Resource pooling
D. On-demand self-service

Answer: B

Measured service means that cloud providers automatically meter and control resource usage, providing transparency for both provider and consumer. This allows a pay-per-use billing model where charges are based on exact consumption, exactly as described in the scenario.

Why this answer

Measured service is the correct answer because it refers to the cloud provider's ability to meter and bill customers based on actual resource consumption. In this scenario, the invoice itemizes charges by resource type (compute hours, storage, data transfer) and the total cost directly corresponds to the exact quantity consumed, which is the defining characteristic of measured service. This capability relies on metering telemetry (e.g., Azure Monitor metrics, usage logs) to track usage and generate a pay-per-use billing model.

Exam trap

The trap here is that candidates often confuse 'measured service' with 'on-demand self-service' because both involve user-driven actions, but measured service specifically focuses on the metering and billing of consumed resources, not the provisioning process.

How to eliminate wrong answers

Option A is wrong because rapid elasticity describes the ability to automatically scale resources up or down in response to demand, not the billing or metering of consumed resources. Option C is wrong because resource pooling refers to the provider's multi-tenant model where physical and virtual resources are dynamically assigned to serve multiple customers, not the itemized billing based on exact usage. Option D is wrong because on-demand self-service allows users to provision resources without human interaction (e.g., via Azure Portal or CLI), but does not cover the metering and billing aspect described in the question.

993 · MCQ · medium

A company wants to proactively identify Azure resources that are misconfigured and could lead to security vulnerabilities, such as virtual machines with open management ports or unencrypted storage accounts. They also need to get prioritized recommendations for remediating these issues. Which Azure service should the company use?

A. Microsoft Defender for Cloud (formerly Azure Security Center)
B. Azure Advisor
C. Azure Policy
D. Azure Blueprints

Answer: A

This service is designed specifically to assess and improve the security posture of Azure resources. It continuously monitors for misconfigurations (like open management ports, unencrypted data) and provides prioritized recommendations to remediate them.

Why this answer

Microsoft Defender for Cloud (formerly Azure Security Center) is the correct service because it continuously assesses the security posture of Azure resources, identifies misconfigurations such as open management ports (e.g., RDP/SSH) or unencrypted storage accounts, and provides prioritized, actionable recommendations for remediation. It integrates with Azure Policy to enforce security standards and offers a secure score to track improvement over time.

Exam trap

The trap here is that candidates often confuse Azure Advisor's general recommendations with Defender for Cloud's security-specific assessments, but Azure Advisor does not detect misconfigurations like open management ports or unencrypted storage—it focuses on cost, performance, and reliability instead.

How to eliminate wrong answers

Option B (Azure Advisor) is wrong because it provides general best-practice recommendations for cost, performance, reliability, and operational excellence, but it does not specialize in security misconfigurations or vulnerability detection like open ports or encryption status. Option C (Azure Policy) is wrong because it enforces compliance rules by creating, assigning, and managing policies (e.g., requiring encryption), but it does not proactively identify existing misconfigurations or provide prioritized security recommendations—it is a governance tool, not a security assessment service. Option D (Azure Blueprints) is wrong because it is used to define a repeatable set of Azure resources and policies for deploying environments (e.g., templates for compliance), but it does not perform ongoing security scanning or vulnerability identification.

994
MCQmedium

A company plans to deploy a three-tier web application in Azure. The application consists of web servers, application servers, and database servers. The company wants to protect the virtual machines (VMs) from planned maintenance events (e.g., OS updates) and unplanned hardware failures. They want to ensure that at least one VM in each tier remains available during such events. The solution should be deployed entirely within a single Azure region. What should the company use for the VMs?

A.Deploy the VMs across three Availability Zones (Zone 1, Zone 2, and Zone 3) within the region.
B.Create an Availability Set containing two VMs per tier, configured with two fault domains and five update domains.
C.Configure a single Virtual Machine Scale Set that includes all the VMs for all three tiers.
D.Use a Virtual Machine Scale Set with autoscale configured to always keep a minimum number of VMs running.
AnswerB

This is correct. An Availability Set protects VMs from failures within a single Azure datacenter by isolating them across fault domains (separate power and network) and update domains (sequential maintenance). Two fault domains ensure that not all VMs are affected by a single hardware failure. Five update domains ensure that only 20% of VMs are taken offline during planned maintenance. With two VMs per tier, at least one VM in each tier remains available during an event.

Why this answer

Option B is correct because an Availability Set with two fault domains and five update domains ensures that VMs are distributed across separate physical hardware (fault domains) and that planned maintenance (update domains) is staggered, so at least one VM per tier remains available during both planned and unplanned events. This meets the requirement of high availability within a single Azure region without needing multiple zones.

Exam trap

The trap here is that candidates often confuse Availability Zones (which protect against datacenter-level failures) with Availability Sets (which protect against rack-level failures within a single datacenter), and fail to recognize that the question explicitly limits the solution to a single Azure region, making Availability Sets the appropriate choice for the described planned and unplanned events.

How to eliminate wrong answers

Option A is wrong because deploying across three Availability Zones provides high availability but is typically used for region-level resilience against zone failures, not specifically optimized for the single-region, per-tier availability requirement described; it also introduces cross-zone latency and cost. Option C is wrong because a single Virtual Machine Scale Set (VMSS) would combine all tiers into one group, losing the tier-specific availability guarantees and making it impossible to ensure at least one VM per tier remains available independently. Option D is wrong because a VMSS with autoscale focuses on scaling based on load, not on protecting against planned maintenance or hardware failures through fault and update domain distribution; it does not inherently guarantee that at least one VM per tier stays available during such events.

995
MCQmedium

Which Azure identity feature automatically assigns permissions when a user joins a specific group, and removes them when they leave?

A.Azure AD Privileged Identity Management
B.Azure AD Dynamic Groups
C.Azure AD Conditional Access
D.Azure AD Identity Protection
AnswerB

Dynamic Groups automatically add/remove members based on attribute rules, enabling automatic permission assignment.

Why this answer

Azure AD Dynamic Groups automatically manage user membership based on rules defined using user or device attributes. When a user meets the rule criteria (e.g., department equals 'Sales'), they are added to the group and receive the associated permissions; when they no longer meet the criteria, they are removed, and permissions are revoked. This is the only Azure identity feature that directly ties group membership and permission assignment to attribute-based rules without manual intervention.

Exam trap

The trap here is that candidates confuse Privileged Identity Management (PIM) with dynamic group membership because both involve 'automatic' actions, but PIM focuses on time-bound role activation, not attribute-driven group membership changes.

How to eliminate wrong answers

Option A is wrong because Azure AD Privileged Identity Management (PIM) provides just-in-time privileged access and approval workflows for roles, not automatic permission assignment based on group membership changes. Option C is wrong because Azure AD Conditional Access enforces access policies (e.g., requiring MFA) at sign-in based on conditions like location or device state, not by assigning or removing permissions when joining or leaving a group. Option D is wrong because Azure AD Identity Protection detects and responds to identity risks (e.g., leaked credentials) using risk policies, but does not manage group membership or permission assignment.

996
MCQmedium

A company has a critical Azure resource group that contains all production virtual machines and databases. The IT security administrator wants to ensure that no user, including members of the 'Owner' role, can accidentally or intentionally delete this resource group. The solution must not prevent modification of resources inside the resource group. The administrator needs to apply a governance control at the resource group level. What should the administrator do?

A.Apply a 'ReadOnly' lock on the resource group.
B.Apply a 'CanNotDelete' lock on the resource group.
C.Assign a custom RBAC role that denies delete actions at the resource group scope.
D.Move the resource group to a separate subscription with billing separation.
AnswerB

A 'CanNotDelete' lock allows read and update operations but blocks delete operations on the resource group. This lock applies to all users, including those with the Owner role, making it the correct governance control to prevent accidental or intentional deletion while allowing modifications.

Why this answer

Option B is correct because applying a 'CanNotDelete' lock at the resource group level prevents any user, including those with the Owner role, from deleting the resource group while still allowing modifications (e.g., adding or updating resources) inside it. This lock overrides all RBAC permissions for delete operations, making it the appropriate governance control for this requirement.

Exam trap

The trap here is that candidates often confuse resource locks with RBAC roles, thinking a custom RBAC deny assignment is sufficient, but locks are the only mechanism that can prevent deletion even by Owners without requiring additional permission management.

How to eliminate wrong answers

Option A is wrong because a 'ReadOnly' lock prevents all modification and deletion of resources in the resource group, which violates the requirement that modifications inside the resource group must still be allowed. Option C is wrong because custom RBAC roles that deny delete actions at the resource group scope can be overridden by a user with elevated permissions (e.g., Owner) who can modify or remove the role assignment, whereas a lock is a higher-priority enforcement that cannot be bypassed by RBAC changes without first removing the lock.

997
MCQmedium

Which of the following BEST describes the concept of 'security' as a cloud benefit?

A.Cloud is inherently insecure because data is shared with other customers
B.Cloud providers invest in extensive security teams and technologies that most organizations can't match
C.Moving to cloud automatically makes you compliant with all regulations
D.Cloud security means you never need to patch your applications
AnswerB

Cloud security benefit comes from providers' massive security investment — threat intelligence, expert teams, and built-in controls exceed typical org capabilities.

Why this answer

Cloud providers like Microsoft invest heavily in physical and digital security — building teams of security experts, applying the latest threat intelligence, and maintaining compliance certifications. Most organizations cannot match this investment on-premises, making cloud security a net benefit for many customers.

998
MCQmedium

A company needs to share a set of files between multiple Azure VMs using the SMB protocol. They require a managed file share that can be mounted simultaneously by multiple VMs with permissions managed via Active Directory. Which Azure storage service should they use?

A.Azure Files
B.Azure Blob Storage
C.Azure Disk Storage
D.Azure NetApp Files
AnswerA

Correct. Azure Files offers managed SMB file shares that can be accessed concurrently by multiple VMs and supports Azure AD authentication.

Why this answer

Azure Files provides fully managed SMB file shares in the cloud that can be mounted concurrently by multiple Azure VMs. It supports Active Directory (AD) authentication and access control lists (ACLs), making it the correct choice for sharing files via SMB with AD-managed permissions.

Exam trap

The trap here is that candidates often confuse Azure Blob Storage's NFS support (which is not SMB) or Azure Disk Storage's ability to be attached to multiple VMs (which requires shared disks with specific configurations, not general-purpose file sharing), leading them to overlook Azure Files as the only managed SMB file share service.

How to eliminate wrong answers

Option B (Azure Blob Storage) is wrong because it is an object storage service designed for unstructured data (e.g., images, logs) and does not support the SMB protocol or simultaneous mounting as a file system; it uses REST APIs or NFS (preview) but not SMB. Option C (Azure Disk Storage) is wrong because it provides block-level storage volumes attached to a single VM (as a virtual disk) and cannot be shared simultaneously by multiple VMs; it is intended for OS/data disks, not shared file access.

999
MCQeasy

A company needs to store large amounts of unstructured data, such as images and videos, for a web application. They need to access data from anywhere via HTTP/HTTPS. Which Azure storage service should they use?

A.Azure Blob Storage
B.Azure File Storage
C.Azure Queue Storage
D.Azure Table Storage
AnswerA

Blob Storage is designed for unstructured data like images, videos, and documents, accessible via HTTP/HTTPS.

Why this answer

Azure Blob Storage is designed for storing large amounts of unstructured data, such as images and videos, and provides REST-based access over HTTP/HTTPS from anywhere. It supports scalable object storage with global accessibility, making it ideal for web application content delivery.

Exam trap

The trap here is that candidates may confuse Azure File Storage (which also supports HTTP/HTTPS via REST API) with Blob Storage, but File Storage is primarily for SMB-based file shares, not optimized for large-scale unstructured data like images and videos.

How to eliminate wrong answers

Option B (Azure File Storage) is wrong because it provides fully managed file shares accessible via SMB protocol, not optimized for unstructured data like images and videos, and is designed for lift-and-shift scenarios rather than HTTP/HTTPS-based web access. Option C (Azure Queue Storage) is wrong because it is a messaging service for asynchronous communication between application components, not for storing large unstructured data. Option D (Azure Table Storage) is wrong because it is a NoSQL key-value store for structured, semi-structured data, not for large binary objects like images and videos.

1000
MCQmedium

Which Azure service provides pre-built AI capabilities like language understanding, vision, and speech without requiring custom model training?

A.Azure Machine Learning
B.Azure Cognitive Services
C.Azure Databricks
D.Azure Bot Service
AnswerB

Cognitive Services offers pre-built AI capabilities (vision, speech, language, decision) via API without custom training.

Why this answer

Azure Cognitive Services is the correct answer because it provides a suite of pre-built, pre-trained AI models accessible via REST APIs and SDKs for tasks such as language understanding (e.g., LUIS), computer vision (e.g., Computer Vision API), and speech recognition (e.g., Speech-to-Text). These services require no custom model training or machine learning expertise, allowing developers to integrate AI capabilities directly into applications.

Exam trap

The trap here is that candidates may confuse Azure Machine Learning (a custom model training platform) with Cognitive Services (pre-built AI APIs), especially since both fall under the 'AI' umbrella, but the question explicitly requires 'without requiring custom model training'.

How to eliminate wrong answers

Option A is wrong because Azure Machine Learning is a platform for building, training, and deploying custom machine learning models, not for consuming pre-built AI capabilities. Option C is wrong because Azure Databricks is an Apache Spark-based analytics platform for big data processing and machine learning pipelines, not a service for pre-built AI APIs. Option D is wrong because Azure Bot Service is a framework for building conversational bots that can leverage Cognitive Services but does not itself provide pre-built AI capabilities like vision or speech.

1001
MCQmedium

A company runs a web application in two Azure regions: East US and West US. The company wants to route users automatically to the region that provides the lowest network latency. If one region becomes unavailable, all traffic should be rerouted to the healthy region. The company does not need to offload Transport Layer Security (TLS) or perform URL-based routing. Which Azure service should the company use to distribute traffic at the DNS level?

A.Azure Traffic Manager
B.Azure Load Balancer
C.Azure Application Gateway
D.Azure Front Door
AnswerA

Correct. Azure Traffic Manager is a DNS-based global traffic router that can direct users to the nearest region (performance routing) and automatically fail over to another region if one becomes unavailable.

Why this answer

Azure Traffic Manager operates at the DNS level, using DNS responses to direct user traffic to the region with the lowest network latency based on the Performance traffic-routing method. It also supports automatic failover: if a region becomes unavailable, Traffic Manager detects the endpoint health probe failure and reroutes all traffic to the healthy region. This matches the requirement exactly, as the company needs DNS-level distribution without TLS offloading or URL-based routing.

Exam trap

The trap here is that candidates often confuse Azure Traffic Manager (DNS-level, cross-region) with Azure Load Balancer (transport-level, single-region) or Azure Application Gateway (application-level, with TLS/URL features), failing to recognize that only Traffic Manager provides global latency-based routing at the DNS layer without requiring TLS offloading or URL path inspection.

How to eliminate wrong answers

Option B is wrong because Azure Load Balancer operates at Layer 4 (transport layer) and distributes traffic within a single region, not across multiple Azure regions, and it does not use DNS-level routing or latency-based cross-region failover. Option C is wrong because Azure Application Gateway operates at Layer 7 (application layer) and provides features like TLS offloading and URL-based routing, which the company explicitly does not need; it is also primarily designed for regional traffic distribution, not global DNS-level routing with latency-based steering.

1002
MCQmedium

Which Azure AI service provides the ability to search, query, and extract insights from large document collections using AI?

A.Azure Cognitive Services Text Analytics
B.Azure Cognitive Search
C.Azure Form Recognizer
D.Azure Machine Learning text classification
AnswerB

Cognitive Search indexes document collections with AI enrichment and provides fast, intelligent search with semantic ranking.

Why this answer

Azure Cognitive Search (now part of Azure AI Search) is the correct service because it is specifically designed to index, search, and extract insights from large document collections using built-in AI capabilities like OCR, entity recognition, key phrase extraction, and language detection. It integrates with Azure Cognitive Services to enrich documents during indexing, enabling powerful search and query experiences over unstructured data.

Exam trap

The trap here is that candidates confuse Azure Cognitive Search (a search/indexing service with AI enrichment) with Azure Cognitive Services Text Analytics (a pure text analysis API), because both involve AI and text, but only Cognitive Search provides the ability to search and query over large document collections.

How to eliminate wrong answers

Option A is wrong because Azure Cognitive Services Text Analytics is a pre-built API for extracting sentiment, key phrases, entities, and language from text, but it does not provide a search index or query engine for large document collections. Option C is wrong because Azure Form Recognizer is specialized for extracting structured data (e.g., key-value pairs, tables) from forms and documents, not for general-purpose search and query across large collections. Option D is wrong because Azure Machine Learning text classification is a custom model training service for classifying text into categories, not a search or indexing service for querying document collections.

1003
MCQmedium

A company uses Azure Policy to enforce governance rules across its Azure subscriptions. The security team wants to ensure that all virtual machines deployed in a subscription must be of an approved size from a predefined list. If a user attempts to deploy a virtual machine with a size not on the list, the deployment must be immediately blocked. Which Azure Policy effect should the company use in the policy definition?

A.Deny
B.Audit
C.DeployIfNotExists
D.Append
AnswerA

The 'Deny' effect prevents the creation or update of a resource that does not comply with the policy. This effect blocks the deployment of a disallowed VM size, fulfilling the security team's requirement.

Why this answer

The 'Deny' effect is correct because it actively blocks any deployment that violates the policy rule, such as deploying a virtual machine with a size not on the approved list. This effect evaluates the request during resource creation or update and denies it if the condition is met, ensuring immediate enforcement. In contrast, other effects like 'Audit' only log non-compliant resources without blocking them, which does not meet the security team's requirement to prevent unauthorized VM sizes.

Exam trap

The trap here is that candidates often confuse 'Deny' with 'Audit' because both deal with non-compliance, but 'Audit' only logs violations without blocking, which fails the explicit requirement to immediately block the deployment.

How to eliminate wrong answers

Option B (Audit) is wrong because it only logs non-compliant resources for monitoring and does not block the deployment, failing the requirement for immediate denial. Option C (DeployIfNotExists) is wrong because it deploys a resource (e.g., a remediation template) when a condition is not met, but it does not block the original deployment; it is used for post-deployment compliance. Option D (Append) is wrong because it adds fields or tags to a resource during creation or update but does not block the deployment; it modifies the request to make it compliant, which would not prevent an unauthorized VM size from being deployed.

1004
MCQhard

A company wants to prevent any Azure resource from being accidentally deleted by anyone, including subscription owners. Which Azure feature accomplishes this?

A.Azure Policy with Deny effect
B.Azure Resource Manager CanNotDelete lock
C.RBAC Reader role
D.Azure Blueprints
AnswerB

CanNotDelete lock prevents resource deletion by anyone, including owners — the lock must be explicitly removed before deletion.

Why this answer

The Azure Resource Manager CanNotDelete lock is the correct feature because it prevents any user, including subscription owners, from deleting a resource. This lock overrides all RBAC permissions, ensuring that even users with Owner or Contributor roles cannot delete the resource until the lock is removed. It is specifically designed for accidental deletion prevention at the resource, resource group, or subscription level.

Exam trap

The trap here is that candidates confuse Azure Policy (which governs compliance and creation/modification) with Azure Locks (which specifically prevent deletion), or they assume RBAC roles like Owner can always delete, forgetting that locks override RBAC.

How to eliminate wrong answers

Option A is wrong because Azure Policy with Deny effect prevents creation or modification of resources that violate policies, but it does not prevent deletion of existing resources; deletion is governed by locks. Option C is wrong because the RBAC Reader role only allows read access to resources, but it does not prevent deletion by users with higher permissions like Owner or Contributor; it is a role assignment, not a deletion prevention mechanism. Option D is wrong because Azure Blueprints is used for deploying and managing reusable templates and compliance artifacts, not for preventing deletion of individual resources.

1005
MCQeasy

What is the purpose of Azure Resource Manager (ARM)?

A.To provide virtual machine operating system management
B.To provide a unified deployment and management layer for all Azure resources
C.To monitor Azure resource performance
D.To replicate data across Azure regions
AnswerB

ARM is the backend that all Azure management tools use, providing consistent resource deployment, grouping, tagging, and access control.

Why this answer

Azure Resource Manager (ARM) is the native management layer that enables you to deploy, manage, and organize Azure resources as a single logical entity. It provides a consistent management plane for all Azure services through declarative templates (ARM templates), role-based access control (RBAC), and tagging, ensuring that resources are provisioned and governed uniformly across the entire subscription.

Exam trap

The trap here is that candidates confuse ARM with a specific resource type (like a virtual machine) or a monitoring tool, when in fact ARM is the overarching management layer that works across all Azure services.

How to eliminate wrong answers

Option A is wrong because virtual machine operating system management is handled by the guest OS itself or by tools like Azure Update Manager, not by ARM, which focuses on infrastructure orchestration. Option C is wrong because monitoring Azure resource performance is the role of Azure Monitor, which collects metrics and logs, while ARM provides the deployment and management layer. Option D is wrong because data replication across Azure regions is a feature of Azure Storage (e.g., geo-redundant storage) or Azure Site Recovery, not a function of ARM, which manages resource lifecycle and policies.

1006
MCQmedium

Which Azure service provides a way to automatically extract and load data from external SaaS applications like Salesforce and ServiceNow into Azure data stores?

A.Azure Logic Apps
B.Azure Data Factory
C.Azure Event Grid subscriptions
D.Azure Service Bus
AnswerB

Data Factory has 90+ connectors for extracting data from SaaS apps (Salesforce, ServiceNow) into Azure data stores.

Why this answer

Azure Data Factory (ADF) is the correct answer because it is a cloud-based ETL (Extract, Transform, Load) and data integration service specifically designed to ingest data from a wide variety of sources—including SaaS applications like Salesforce and ServiceNow—and load it into Azure data stores such as Azure SQL Database, Azure Data Lake Storage, or Azure Synapse Analytics. ADF provides built-in connectors for these SaaS platforms, enabling automated, scheduled, or event-triggered data movement without requiring custom code.

Exam trap

The trap here is that candidates confuse Azure Logic Apps (a workflow/API integration tool) with Azure Data Factory (a dedicated ETL service), because both use connectors and can automate tasks, but only ADF is purpose-built for large-scale data extraction and loading into data stores.

How to eliminate wrong answers

Option A is wrong because Azure Logic Apps is a workflow automation service focused on orchestrating business processes and integrating applications via connectors, but it is not designed for large-scale data extraction and loading into data stores; it lacks the native ETL capabilities and data movement orchestration of Azure Data Factory. Option C is wrong because Azure Event Grid is a serverless event routing service that handles event-driven architectures (e.g., reacting to blob storage events), not a tool for extracting and loading data from external SaaS applications into data stores. Option D is wrong because Azure Service Bus is a message broker for decoupling applications and handling reliable message queues or pub/sub patterns, not a data integration or ETL service for moving data from SaaS sources to Azure storage.

1007
MCQmedium

Which Azure feature allows administrators to set a maximum spending limit to prevent unexpected charges on a subscription?

A.Azure Policy
B.Azure Cost Management budgets
C.Azure Reservations
D.Azure Advisor cost recommendations
AnswerB

Cost Management budgets let you set spending thresholds and get alerts when costs approach or exceed limits.

Why this answer

Azure Cost Management budgets allow administrators to set spending limits and receive alerts when costs exceed thresholds, preventing unexpected charges. This feature directly controls subscription spending by defining budget amounts and actions, such as disabling resources or sending notifications, when the budget is reached.

Exam trap

The trap here is confusing governance features like Azure Policy (which enforces rules on resource properties) with cost control features, leading candidates to select Azure Policy instead of the correct budget functionality.

How to eliminate wrong answers

Option A is wrong because Azure Policy enforces organizational rules and compliance by evaluating resource configurations, not by setting spending limits or preventing charges. Option C is wrong because Azure Reservations provide discounted pricing for committing to specific services upfront, but they do not set a maximum spending limit or prevent unexpected charges. Option D is wrong because Azure Advisor cost recommendations offer suggestions to optimize spending, but they do not enforce a spending cap or block charges.

1008
MCQmedium

Which Azure storage redundancy option provides the highest durability by replicating data across two paired Azure regions?

A.Zone-Redundant Storage (ZRS)
B.Locally Redundant Storage (LRS)
C.Geo-Redundant Storage (GRS)
D.Geo-Zone-Redundant Storage (GZRS)
AnswerC

GRS replicates within the primary region (LRS) plus asynchronously to a secondary paired region for highest durability.

Why this answer

Geo-Redundant Storage (GRS) replicates data synchronously three times within a single primary region using LRS, then asynchronously copies that data to a paired secondary region, which is hundreds of kilometers away. This cross-region replication provides the highest durability among the listed options, as it protects against a complete regional outage by maintaining three additional replicas in the secondary region, achieving 16 nines (99.99999999999999%) durability over a given year.

Exam trap

The trap here is that candidates often confuse Geo-Redundant Storage (GRS) with Geo-Zone-Redundant Storage (GZRS), mistakenly thinking GZRS always provides higher durability, but the question explicitly asks for the option that replicates across two paired regions, and GRS is the fundamental cross-region replication tier that achieves the highest durability through that specific mechanism.

How to eliminate wrong answers

Option A is wrong because Zone-Redundant Storage (ZRS) replicates data synchronously across three Azure availability zones within a single region, protecting against zone-level failures but not against a full regional outage, so it does not provide the highest durability across paired regions. Option B is wrong because Locally Redundant Storage (LRS) replicates data three times within a single datacenter in a single region, offering the lowest durability (11 nines) and no protection against datacenter or regional failures. Option D is wrong because Geo-Zone-Redundant Storage (GZRS) combines ZRS within the primary region with asynchronous replication to a secondary region, but it is not the highest durability option listed; GRS is the baseline cross-region option, and while GZRS offers zone-level resilience in the primary region, the question specifically asks for the option that provides the highest durability by replicating across two paired regions, and GRS is the standard answer for that scenario.

1009
MCQmedium

A company runs a web application on Azure virtual machines. The application experiences unpredictable traffic patterns with occasional sharp spikes. The operations team wants to configure the infrastructure so that the number of running virtual machines automatically increases during spikes and decreases during low traffic periods, without manual intervention. Which cloud computing characteristic does this requirement describe?

A.High availability
B.Elasticity
C.Fault tolerance
D.Geographic distribution
AnswerB

Elasticity is the correct characteristic. It enables resources (such as virtual machines) to be automatically added or removed in response to changing workload demands, which matches the described requirement.

Why this answer

Elasticity is the cloud computing characteristic that enables resources to automatically scale out (increase) during demand spikes and scale in (decrease) during low traffic periods, matching capacity to workload in real time. In Azure, this is implemented via Virtual Machine Scale Sets with autoscale rules based on metrics like CPU or memory thresholds, allowing the number of VMs to adjust without manual intervention.

Exam trap

The trap here is that candidates confuse elasticity with high availability, thinking that automatically adding VMs during spikes is about keeping the app available, but high availability is about redundancy and failover, not dynamic capacity adjustment.

How to eliminate wrong answers

Option A is wrong because high availability focuses on ensuring applications remain accessible despite failures, typically through redundancy across availability zones or regions, not on dynamically adjusting capacity based on traffic patterns. Option C is wrong because fault tolerance is the ability of a system to continue operating without interruption when one or more components fail, often using redundant components in an active-active configuration, not the automatic scaling of resources up and down in response to load changes.

1010
MCQ · medium

A startup frequently deploys identical environments for development, testing, and production. They want to ensure all deployments are consistent and follow best practices without manual configuration. They need a declarative JSON-based method to define the entire infrastructure (virtual machines, databases, networking) so that the same template can be reused across environments. Which Azure service should the startup use?

A. Azure Resource Manager templates
B. Azure PowerShell scripts
C. Azure CLI commands
D. Azure Blueprints
Answer: A

Correct. ARM templates are declarative JSON files that define the Azure resources to be deployed, enabling consistent and repeatable deployments across environments.

Why this answer

Azure Resource Manager (ARM) templates are the correct choice because they provide a declarative JSON-based syntax to define and deploy entire Azure infrastructures consistently. This allows the startup to reuse the same template across development, testing, and production environments, ensuring identical configurations without manual intervention. ARM templates also enforce idempotent deployments, meaning the same template can be applied repeatedly to achieve the same state.

Exam trap

The trap here is that candidates confuse Azure Blueprints (a governance/compliance wrapper) with the actual declarative JSON template (ARM template) that defines the infrastructure, leading them to choose Blueprints even though it is not the JSON-based method itself.

How to eliminate wrong answers

Option B is wrong because Azure PowerShell scripts are imperative, not declarative, and require manual coding of each step, which increases the risk of drift and inconsistency across environments. Option C is wrong because Azure CLI commands are also imperative and executed sequentially, lacking the declarative, repeatable infrastructure-as-code approach needed for consistent deployments. Option D is wrong because Azure Blueprints is a higher-level orchestration service that packages ARM templates, policies, and role assignments for compliance and governance, but it is not a JSON-based method for defining infrastructure; the core declarative definition is still done via ARM templates.

1011
MCQ · medium

A company uses Azure Blob Storage to store archival backups of financial records. The company requires that the data is protected against a complete regional outage by replicating it to another Azure region. However, they do not need to access the replicated copy unless the primary region fails. The company wants to minimize storage costs while meeting this requirement. Which type of storage replication should the company configure?

A. Locally redundant storage (LRS)
B. Geo-redundant storage (GRS)
C. Zone-redundant storage (ZRS)
D. Read-access geo-redundant storage (RA-GRS)
Answer: B

GRS replicates data asynchronously to a paired secondary region. It provides protection against a complete regional outage without offering read access to the secondary copy, which keeps costs lower than RA-GRS. This meets the company's requirement.

Why this answer

Geo-redundant storage (GRS) replicates your data synchronously three times within the primary region using LRS, then asynchronously to a secondary region hundreds of miles away. This meets the requirement of protecting against a complete regional outage while minimizing costs: the secondary copy is not accessible for reads unless Microsoft initiates a failover, and GRS is less expensive than RA-GRS, which includes read access to the secondary region.

Exam trap

The trap here is that candidates often confuse GRS with RA-GRS, assuming that geo-replication automatically provides read access to the secondary copy, but RA-GRS is a separate, more expensive SKU that enables continuous read access, which is not required when you only need failover capability.

How to eliminate wrong answers

Option A is wrong because Locally redundant storage (LRS) replicates data only within a single datacenter in the primary region, providing no protection against a complete regional outage. Option C is wrong because Zone-redundant storage (ZRS) replicates data across availability zones within the same region, which protects against zone failures but not against a full regional outage. Option D is wrong because Read-access geo-redundant storage (RA-GRS) provides the same geo-replication as GRS but additionally allows read access to the secondary region at all times, which increases cost and is unnecessary given the requirement to only access the replicated copy when the primary fails.

1012
MCQ · medium

A company needs to run a large-scale batch processing job that runs daily for several hours. The job can tolerate interruptions if compute capacity is reclaimed. They want to minimize compute costs. Which Azure compute service is most cost-effective for this scenario?

A. Azure Virtual Machines
B. Azure Batch with low-priority VMs
C. Azure Functions
D. Azure Container Instances
Answer: B

Azure Batch is designed for batch processing and low-priority VMs provide deep discounts by using spare capacity, making it the most cost-effective option.

Why this answer

Azure Batch with low-priority VMs is the most cost-effective option because it allows you to run large-scale batch jobs using surplus Azure capacity at a significantly reduced cost (up to 80% less than dedicated VMs). The job can tolerate interruptions, and low-priority VMs can be preempted when Azure needs the capacity back, making this a perfect fit for the scenario.

Exam trap

The trap here is that candidates often choose Azure Functions thinking it is always the cheapest serverless option, but they overlook its execution time limits and unsuitability for long-running batch jobs, while Azure Batch with low-priority VMs is specifically designed for cost-effective, interruptible batch processing.

How to eliminate wrong answers

Option A is wrong because Azure Virtual Machines (standard VMs) are billed at full pay-as-you-go rates and do not offer the cost savings of low-priority VMs, making them less cost-effective for interruptible batch workloads. Option C is wrong because Azure Functions is a serverless compute service designed for event-driven, short-lived executions (typically under 10 minutes) and is not suitable for long-running batch processing jobs that run for several hours daily.

1013
MCQ · medium

An IT administrator needs to query all Azure resources across multiple subscriptions to find all virtual machines that were created in the last 30 days. They want to use a powerful query language. Which Azure service should they use?

A. Azure Resource Graph
B. Azure Monitor
C. Azure Resource Manager
D. Azure CLI
Answer: A

Correct. Resource Graph enables complex queries across subscriptions using KQL, ideal for resource discovery.

Why this answer

Azure Resource Graph is the correct service because it provides a powerful, Kusto Query Language (KQL)-based query engine that can efficiently explore and query Azure resources across multiple subscriptions, resource groups, and locations. It is specifically designed for resource discovery and inventory scenarios, such as finding all virtual machines created in the last 30 days, by filtering on properties like `createdTime`.

Exam trap

The trap here is that candidates confuse Azure Monitor’s log querying capabilities (also using KQL) with Azure Resource Graph’s resource metadata querying, but Azure Monitor cannot query resource properties like creation time across subscriptions—it only queries telemetry data.

How to eliminate wrong answers

Option B is wrong because Azure Monitor is a monitoring and observability service focused on collecting metrics, logs, and alerts from Azure resources, not for querying resource metadata or inventory across subscriptions. Option C is wrong because Azure Resource Manager (ARM) is the deployment and management layer that handles resource provisioning and state, but it does not offer a powerful query language for cross-subscription resource discovery; it relies on REST API calls or SDKs for individual resource lookups.

1014
MCQ · easy

A company pays a monthly subscription fee for cloud services based on the resources they consume, such as the number of virtual machines or amount of storage used. There are no upfront costs or fixed long-term commitments. This pricing model is known as:

A. Pay-as-you-go
B. Reserved instances
C. Spot pricing
D. Hybrid benefit
Answer: A

Correct. Pay-as-you-go allows you to pay for resources as you use them, with no upfront payment or long-term commitment.

Why this answer

Pay-as-you-go (also called consumption-based pricing) is the correct model because it charges the customer only for the actual resources consumed (e.g., VM hours, storage GBs) with no upfront payment or termination penalties. This aligns directly with the scenario of a monthly subscription fee based on resource usage without long-term commitments.

Exam trap

The trap here is that candidates often confuse 'pay-as-you-go' with 'reserved instances' because both involve monthly payments, but reserved instances require a fixed-term commitment (1 or 3 years) and upfront payment options, which the question explicitly excludes.

How to eliminate wrong answers

Option B (Reserved instances) is wrong because it requires a 1- or 3-year commitment in exchange for a discounted hourly rate, contradicting the 'no fixed long-term commitments' condition. Option C (Spot pricing) is wrong because it offers deeply discounted, interruptible compute capacity that can be terminated by Azure at any moment, not a simple monthly subscription based on consumption. Option D (Hybrid benefit) is wrong because it is a licensing discount program that allows customers to use on-premises Windows Server and SQL Server licenses with Software Assurance on Azure, not a pricing model for resource consumption.

1015
MCQ · medium

A company has a policy that all Azure resources deployed to production subscriptions must be tagged with a 'CostCenter' tag. They want to automatically prevent the creation of any resource that does not include this tag. Which Azure Policy effect should they use in their policy definition?

A. Audit
B. Deny
C. DeployIfNotExists
D. Modify
Answer: B

Deny prevents the creation or update of a resource that does not include the required tag. This enforces the policy at deployment time.

Why this answer

The Deny effect is correct because it actively prevents the creation or deployment of any Azure resource that does not comply with the policy rule, such as missing the required 'CostCenter' tag. Unlike Audit, which only logs compliance violations without blocking the operation, Deny enforces the policy at the time of the resource creation request, ensuring non-compliant resources are never provisioned.

Exam trap

The trap here is that candidates often confuse the Audit effect (which only reports non-compliance) with the Deny effect (which actively blocks the operation), mistakenly thinking that logging alone is sufficient to enforce a policy.

How to eliminate wrong answers

Option A is wrong because the Audit effect only logs a compliance warning in the activity log when a resource is created without the required tag, but it does not block the creation, so it fails to meet the requirement to automatically prevent deployment. Option C is wrong because DeployIfNotExists is used to automatically remediate non-compliant resources after they are created (e.g., by deploying a missing tag via a remediation task), but it does not prevent the initial creation of the resource, which is the stated goal.

1016
MCQ · medium

Which Azure service provides a managed Apache Kafka-compatible event streaming service for ingesting millions of events per second?

A. Azure Service Bus
B. Azure Event Grid
C. Azure Event Hubs
D. Azure Queue Storage
Answer: C

Event Hubs is the managed Kafka-compatible service for high-throughput event streaming at millions of events per second.

Why this answer

Azure Event Hubs is a fully managed, real-time data ingestion service that is natively compatible with Apache Kafka, allowing you to use existing Kafka clients and tooling to stream millions of events per second. It provides a partitioned consumer model, high throughput, and low-latency event ingestion, making it the correct choice for a managed Kafka-compatible event streaming service.

Exam trap

The trap here is that candidates often confuse Azure Event Hubs with Azure Service Bus because both handle messages, but Service Bus is a broker for enterprise messaging with features like dead-letter queues and sessions, whereas Event Hubs is a streaming platform optimized for high-throughput, Kafka-compatible event ingestion.

How to eliminate wrong answers

Option A is wrong because Azure Service Bus is a fully managed enterprise message broker that supports queues and publish-subscribe topics, but it is not Apache Kafka-compatible and is designed for reliable message delivery with features like sessions and transactions, not high-throughput event streaming. Option B is wrong because Azure Event Grid is a serverless event routing service that uses a publish-subscribe model for reacting to discrete events (e.g., resource state changes), but it does not support Apache Kafka protocol or provide a streaming buffer for ingesting millions of events per second. Option D is wrong because Azure Queue Storage is a simple, cost-effective message queue service for storing and retrieving messages via HTTP/HTTPS, but it lacks Kafka compatibility, high-throughput streaming capabilities, and is not designed for real-time event ingestion at scale.

1017
MCQ · easy

Which Azure feature automatically turns off virtual machines at a scheduled time daily to reduce development costs?

A. Azure Policy VM power state enforcement
B. Azure VM Auto-Shutdown
C. Azure DevTest Labs cost controls
D. Azure Automation runbooks for VM shutdown
Answer: B

VM Auto-Shutdown schedules VMs to power off at a specific daily time, reducing compute costs for dev/test environments.

Why this answer

Azure VM Auto-Shutdown is a built-in feature that allows you to schedule automatic shutdown of virtual machines at a specified time daily, reducing costs by ensuring VMs are not running when not needed. It is configured directly on the VM blade in the Azure portal and requires no additional scripting or automation services.

Exam trap

The trap here is that candidates confuse Azure DevTest Labs cost controls (which also offer auto-shutdown) with the general Azure VM Auto-Shutdown feature, but DevTest Labs is a separate service for lab environments, not the built-in VM-level setting.

How to eliminate wrong answers

Option A is wrong because Azure Policy VM power state enforcement is used to audit or enforce compliance rules (e.g., preventing VMs from being started outside business hours), but it does not provide a scheduled daily shutdown feature—it relies on policy definitions and remediation tasks, not a simple time-based schedule. Option C is wrong because Azure DevTest Labs cost controls include auto-shutdown policies for lab VMs, but this is a feature within the DevTest Labs service, not a general Azure feature applicable to all VMs outside a lab environment. Option D is wrong because Azure Automation runbooks for VM shutdown require custom PowerShell or Python scripts and a schedule linked to a runbook, which is more complex and not a built-in, one-click feature like VM Auto-Shutdown.

1018
MCQ · medium

Company A deploys several Linux virtual machines (VMs) across multiple Azure availability zones in the West US region. The VMs run a cluster application that needs to read and write data concurrently to a shared file system. The solution must support the Server Message Block (SMB) protocol and must be accessible from all zones with low latency. Which Azure storage service should the company use?

A. Azure Files
B. Azure Blob Storage
C. Azure Managed Disks
D. Azure Queue Storage
Answer: A

Azure Files offers fully managed file shares accessible via SMB, which can be mounted by multiple VMs concurrently across availability zones, meeting the requirement for shared access.

Why this answer

Azure Files provides fully managed file shares in the cloud that support the SMB protocol, making it the correct choice for a shared file system accessible from multiple Azure availability zones with low latency. It allows concurrent read/write access from Linux VMs across zones, meeting the cluster application's requirements.

Exam trap

The trap here is that candidates often confuse Azure Blob Storage with Azure Files because both are storage services, but Blob Storage does not support the SMB protocol or concurrent file-level access from multiple VMs.

How to eliminate wrong answers

Option B (Azure Blob Storage) is wrong because it is an object storage service that does not support the SMB protocol or a traditional file system interface; it uses REST APIs or SDKs for access. Option C (Azure Managed Disks) is wrong because it provides block-level storage volumes attached to a single VM, not a shared file system accessible concurrently from multiple VMs across zones. Option D (Azure Queue Storage) is wrong because it is a messaging service for asynchronous communication between application components, not a file storage solution.

1019
MCQ · easy

A company is moving from an on-premises data center to the cloud. Previously, they paid a large upfront sum for hardware and then annual maintenance fees. Now they pay a monthly subscription based on actual usage of compute and storage. This shift represents moving from which type of expenditure to which?

A. From OpEx to CapEx
B. From CapEx to OpEx
C. From variable to fixed costs
D. From direct to indirect costs
Answer: B

The company is moving from capital expenditure (buying hardware) to operational expenditure (paying for usage). This is a common shift when adopting the cloud.

Why this answer

Option B is correct because the scenario describes a shift from paying a large upfront sum for hardware (a capital expenditure, or CapEx) to a monthly subscription based on actual usage (an operational expenditure, or OpEx). In cloud computing, CapEx involves significant upfront costs for physical infrastructure, while OpEx involves ongoing, pay-as-you-go costs for services like compute and storage. This transition is a fundamental benefit of cloud adoption, allowing organizations to avoid large initial investments and instead pay for what they consume.

Exam trap

The trap here is that candidates often confuse the direction of the expenditure shift, mistakenly thinking that moving to the cloud increases upfront costs (OpEx to CapEx), when in reality it reduces them by converting capital expenses into operational expenses.

How to eliminate wrong answers

Option A is wrong because it reverses the direction of the shift: moving from CapEx to OpEx, not from OpEx to CapEx. Option C is wrong because the scenario describes a change from fixed costs (large upfront hardware plus annual fees) to variable costs (monthly subscription based on usage), not from variable to fixed costs; the cloud model typically converts fixed capital expenses into variable operational expenses.

1020
MCQ · medium

What is the key difference between capital expenditure (CapEx) and operational expenditure (OpEx) in the context of cloud computing?

A. CapEx is for cloud spending; OpEx is for on-premises spending
B. CapEx is upfront investment in owned infrastructure; OpEx is ongoing pay-as-you-go service costs
C. CapEx and OpEx are identical in cloud environments
D. OpEx covers hardware costs; CapEx covers software licensing costs
Answer: B

CapEx = upfront infrastructure investment (on-premises); OpEx = ongoing service consumption (cloud).

Why this answer

Option B is correct because capital expenditure (CapEx) involves a large upfront investment to purchase and own physical infrastructure (servers, storage, networking), while operational expenditure (OpEx) represents ongoing, consumption-based costs where you pay only for the resources you use (e.g., per-hour VM billing, per-GB storage fees). In cloud computing, the shift from CapEx to OpEx is a fundamental financial model change, enabling organizations to avoid large capital outlays and instead align costs with actual usage.

Exam trap

The trap here is that candidates confuse the financial classification with the deployment location, thinking CapEx is only for on-premises and OpEx only for cloud, when in reality both models can exist in either environment depending on the purchasing commitment (e.g., reserved instances are CapEx-like even in cloud).

How to eliminate wrong answers

Option A is wrong because CapEx and OpEx are not defined by deployment location (cloud vs. on-premises); both models can apply in either environment (e.g., reserved instances in cloud are CapEx-like, while on-premises managed services can be OpEx). Option C is wrong because CapEx and OpEx are fundamentally different financial models—CapEx involves ownership and depreciation, while OpEx involves consumption-based billing with no long-term asset. Option D is wrong because it incorrectly reverses the typical association: hardware costs are usually CapEx (purchased assets), while software licensing can be either CapEx (perpetual licenses) or OpEx (subscription-based SaaS), but the key distinction is the timing and nature of payment, not the type of cost.

1021
MCQ · medium

Which Azure service allows developers to build, train, and deploy machine learning models at scale using a managed cloud environment?

A. Azure Cognitive Services
B. Azure Machine Learning
C. Azure Bot Service
D. Azure Databricks
Answer: B

Azure Machine Learning is the managed platform for the complete ML lifecycle: data prep, training, deployment, and monitoring.

Why this answer

Azure Machine Learning is the correct service because it provides a fully managed cloud environment specifically designed for the end-to-end machine learning lifecycle, including building, training, and deploying models at scale. It offers capabilities like automated ML, pipeline orchestration, and integration with MLOps tools, which are not available in the other listed services.

Exam trap

The trap here is that candidates often confuse Azure Cognitive Services (pre-built AI) with Azure Machine Learning (custom model building), or they mistakenly think Azure Databricks is the primary ML service because of its Spark MLlib capabilities, but Azure Machine Learning is the dedicated managed service for the full ML lifecycle.

How to eliminate wrong answers

Option A is wrong because Azure Cognitive Services provides pre-built AI APIs for vision, speech, language, and decision-making, but it does not allow developers to build and train custom machine learning models from scratch. Option C is wrong because Azure Bot Service is a platform for creating conversational AI bots, not for building or training machine learning models. Option D is wrong because Azure Databricks is an Apache Spark-based analytics platform focused on big data processing and data engineering, and while it can be used for ML workloads, it is not a managed environment dedicated to the full ML lifecycle like Azure Machine Learning.

1022
MCQ · medium

An organization needs to ensure that all Azure resources comply with internal standards and automatically remediate non-compliant resources. Which Azure service provides this capability?

A. Azure Blueprints
B. Azure Policy with remediation tasks
C. Azure RBAC
D. Azure Security Center
Answer: B

Azure Policy with DeployIfNotExists and Modify effects automatically remediates non-compliant resources using remediation tasks.

Why this answer

Azure Policy with remediation tasks is the correct service because it allows organizations to define compliance rules for Azure resources and automatically remediate non-compliant resources using managed identities and policy effects like 'deployIfNotExists' or 'modify'. This ensures ongoing compliance with internal standards without manual intervention.

Exam trap

The trap here is that candidates often confuse Azure Blueprints (which can include policies but does not perform remediation) with Azure Policy's remediation tasks, or they think Azure Security Center handles all compliance, when in fact it focuses on security-specific compliance (e.g., CIS benchmarks) rather than general internal standards.

How to eliminate wrong answers

Option A is wrong because Azure Blueprints is used for orchestrating the deployment of resource templates, policies, and role assignments as a package, but it does not automatically remediate non-compliant resources after deployment. Option C is wrong because Azure RBAC (Role-Based Access Control) manages who has access to Azure resources and what actions they can perform, but it does not enforce resource configuration compliance or provide remediation capabilities. Option D is wrong because Azure Security Center (now Microsoft Defender for Cloud) provides security posture management and threat protection, but its primary focus is security vulnerabilities and threats, not general compliance with internal standards or automated remediation of non-compliant resources.

1023
MCQ · medium

A company migrates its web application to Azure App Service (PaaS) and its data to Azure SQL Database (PaaS). The company wants to understand which security responsibilities it retains after the migration. According to the shared responsibility model, which of the following responsibilities remains the responsibility of the company (customer) when using these PaaS services?

A. Patching the operating system of the web server
B. Managing network security groups for the virtual network
C. Managing user access to the application and database
D. Physical security of the Azure data center
Answer: C

Correct. Identity and access management, including who can access the application and the data, is always the customer's responsibility, regardless of the service model. The customer must enforce authentication and authorization.

Why this answer

In the shared responsibility model for PaaS, the cloud provider manages the underlying infrastructure, including the OS and network security groups, while the customer retains responsibility for managing access to their application and data. For Azure App Service and Azure SQL Database, this means the customer must configure authentication, authorization, and user permissions (e.g., using Azure Active Directory or SQL logins) to control who can access the application and database.

Exam trap

The trap here is that candidates often confuse PaaS with IaaS, assuming they must manage OS patching or network security groups, when in fact PaaS shifts those responsibilities to the provider, leaving user access management as the key retained duty.

How to eliminate wrong answers

Option A is wrong because patching the operating system of the web server is Microsoft's responsibility for PaaS services like Azure App Service, as the OS is part of the managed platform. Option B is wrong because managing network security groups for a virtual network is typically a customer responsibility in IaaS, but for PaaS services network security is partially abstracted: in this scenario the customer does not manage NSGs for the underlying virtual network, because Microsoft handles the platform-level network controls. Option D is wrong because physical security of the Azure data center is entirely Microsoft's responsibility under the shared responsibility model, as the customer has no access to the physical infrastructure.

1024
MCQ · easy

What is 'agility' in the context of cloud computing?

A. The ability to protect data from unauthorized access
B. The ability to quickly deploy and configure resources to meet business needs
C. The ability to run applications across multiple cloud providers
D. The ability to store data permanently without loss
Answer: B

Agility is rapid provisioning of cloud resources to respond quickly to changing business requirements.

Why this answer

Agility in cloud computing refers to the ability to rapidly provision, scale, and decommission resources (such as virtual machines, databases, or containers) to adapt to changing business demands. This is enabled by infrastructure-as-code (IaC) tools like Azure Resource Manager (ARM) templates, which allow you to deploy and configure resources in minutes rather than weeks, directly supporting business responsiveness.

Exam trap

The trap here is that candidates confuse 'agility' with other cloud benefits like scalability or elasticity, but agility specifically emphasizes the speed of deployment and configuration changes to meet business needs, not just the ability to scale resources.

How to eliminate wrong answers

Option A is wrong because it describes security (specifically data protection and access control), not agility; security is a separate pillar in the Microsoft Well-Architected Framework. Option C is wrong because it describes multi-cloud portability or interoperability, which is about running workloads across providers like Azure, AWS, and GCP, not the speed of resource deployment. Option D is wrong because it describes data durability or reliability (e.g., Azure Storage's 11 nines of durability), which ensures data persists without loss, not the ability to quickly adjust resources.

1025
MCQ · medium

Which Azure service provides secure access to Azure virtual machines using an HTML5 browser-based RDP and SSH connection without requiring public IP addresses?

A. Azure VPN Gateway
B. Azure Bastion
C. Azure Private Link
D. Azure Active Directory Application Proxy
Answer: B

Bastion provides browser-based RDP/SSH to VMs via TLS without requiring public IP addresses on the VMs.

Why this answer

Azure Bastion is a fully managed PaaS service that provides secure and seamless RDP and SSH connectivity to Azure virtual machines directly through the Azure portal, using an HTML5-based client in the browser. It eliminates the need for public IP addresses on the VMs, because the connection is established over TLS and reaches the VM within the same virtual network, bypassing exposure to the internet.

Exam trap

The trap here is that candidates often confuse Azure Bastion with Azure VPN Gateway or Azure AD Application Proxy, assuming any remote access solution can provide browser-based RDP/SSH without public IPs, but only Bastion is designed specifically for this purpose within Azure.

How to eliminate wrong answers

Option A is wrong because Azure VPN Gateway creates an encrypted tunnel between an on-premises network and Azure over the public internet, but it does not provide browser-based RDP/SSH access and still requires VMs to have private IP reachability, not eliminating the need for public IPs. Option C is wrong because Azure Private Link enables private connectivity to Azure services via private endpoints, but it does not offer RDP/SSH session management or a browser-based interface for VM access. Option D is wrong because Azure Active Directory Application Proxy provides secure remote access to on-premises web applications, not to Azure VMs via RDP/SSH, and it relies on public endpoints for the proxy service.

1026
MCQ · medium

Which Azure feature provides Just-In-Time (JIT) VM access to reduce the attack surface of management ports?

A. Azure Bastion
B. JIT VM Access in Microsoft Defender for Cloud
C. Azure AD Privileged Identity Management
D. Azure Key Vault Certificate access
Answer: B

JIT VM Access temporarily opens management ports only when needed, closing them automatically after the session.

Why this answer

Just-In-Time (JIT) VM access in Microsoft Defender for Cloud reduces the attack surface by locking down inbound traffic to VMs, only opening management ports (e.g., RDP port 3389 or SSH port 22) when requested and for a specific time window. This is the correct feature because it directly implements JIT access to management ports, as described in the question.

Exam trap

The trap here is confusing Azure Bastion (a standing, brokered access path that hides the VM behind a managed jump host) with JIT VM access (which opens and closes NSG rules on demand). Both harden VM management, but they solve different problems: Bastion controls the path in, JIT controls how long the port is reachable at all.

How to eliminate wrong answers

Option A is wrong because Azure Bastion provides secure, seamless RDP/SSH connectivity to VMs over TLS without exposing public IP addresses, but it does not implement just-in-time access or dynamically open and close ports. Option C is wrong because Azure AD Privileged Identity Management (PIM) manages just-in-time privileged role assignments for Azure AD and Azure resources, not VM-level network port access. Option D is wrong because Azure Key Vault stores and manages keys, secrets, and certificates; it has no role in controlling network access to VM management ports.
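An added example, not part of the exam material and not Microsoft's code, that models in Python what JIT changes in a network security group: rules are evaluated in ascending priority order, the first match decides, and Azure's default DenyAllInBound rule (priority 65500) catches everything else. The rule names, priorities, the 180-minute ceiling and the IP addresses are assumptions for illustration; Defender's real rule names differ.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int                          # custom rules 100..4096; the lowest number is evaluated first
    access: str                            # "Allow" or "Deny"
    dest_port: int                         # 0 means any destination port
    source: str                            # a CIDR, or "*" for any source
    expires_at: Optional[datetime] = None  # only the JIT-created allow rule carries an expiry


# Azure's built-in default inbound rule: anything not matched earlier is dropped.
DENY_ALL_INBOUND = NsgRule("DenyAllInBound", 65500, "Deny", 0, "*")


def _matches(rule: NsgRule, src_ip: str, port: int) -> bool:
    if rule.dest_port not in (0, port):
        return False
    return rule.source == "*" or ip_address(src_ip) in ip_network(rule.source)


def inbound_allowed(rules: list, src_ip: str, port: int, now: datetime) -> bool:
    """NSG semantics: the first matching rule by ascending priority decides.
    Expired JIT rules are skipped, which is what Defender's cleanup achieves."""
    live = [r for r in rules if r.expires_at is None or r.expires_at > now]
    for rule in sorted(live + [DENY_ALL_INBOUND], key=lambda r: r.priority):
        if _matches(rule, src_ip, port):
            return rule.access == "Allow"
    return False


def request_jit_access(rules: list, requester_ip: str, port: int, now: datetime,
                       minutes: int = 60, max_minutes: int = 180) -> list:
    """Model of an approved JIT request: a /32 allow rule for the requester that
    out-prioritises the standing deny rule and carries an expiry bounded by the policy maximum."""
    if not 0 < minutes <= max_minutes:
        raise ValueError(f"requested window must be 1..{max_minutes} minutes")
    jit_rule = NsgRule(f"JIT-Allow-{port}-{requester_ip}", 100, "Allow", port,
                       f"{requester_ip}/32", now + timedelta(minutes=minutes))
    return [*rules, jit_rule]


T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)

# Constructed NSGs: the exposed one has the classic "RDP open to the world" rule;
# the JIT-managed one has the standing deny rule that Defender keeps on the port.
INTERNET_EXPOSED = [NsgRule("AllowRDPFromAnywhere", 300, "Allow", 3389, "*")]
JIT_MANAGED = [NsgRule("JIT-Deny-3389", 4000, "Deny", 3389, "*")]


def demo() -> dict:
    """Walk one JIT request through its lifetime and report who can reach which port."""
    admin, stranger = "203.0.113.7", "198.51.100.9"
    opened = request_jit_access(JIT_MANAGED, admin, 3389, T0, minutes=60)
    during, after = T0 + timedelta(minutes=30), T0 + timedelta(minutes=61)
    return {
        "exposed_before_jit": inbound_allowed(INTERNET_EXPOSED, stranger, 3389, T0),
        "closed_with_jit": inbound_allowed(JIT_MANAGED, admin, 3389, T0),
        "admin_during_window": inbound_allowed(opened, admin, 3389, during),
        "stranger_during_window": inbound_allowed(opened, stranger, 3389, during),
        "admin_after_expiry": inbound_allowed(opened, admin, 3389, after),
        "ssh_never_opened": inbound_allowed(opened, admin, 22, during),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:24} {result}")
```

The point to take from the model is the priority arithmetic: the temporary allow rule only works because its priority number is lower than the standing deny rule's, and once its expiry passes the deny rule is the first match again, which is why a JIT window closes without anyone touching the NSG.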

1027
MCQmedium

A multinational company has multiple Azure subscriptions managed by different teams. The compliance team requires that all new virtual machines deployed in any subscription must have a specific tag (e.g., 'CostCenter') and must be deployed in approved regions only. They also want to automatically enforce these requirements without manual intervention. Which Azure service should the compliance team use to achieve this?

A.Azure Policy
B.Azure Role-Based Access Control (RBAC)
C.Azure Blueprints
D.Azure Management Groups
AnswerA

Correct. Azure Policy lets you create, assign, and manage policy definitions that enforce rules and effects over resources, both at creation time and on an ongoing basis. Here a definition with the deny effect rejects any virtual machine that lacks the CostCenter tag or targets a region outside the approved list (a modify effect could instead add a default tag value), and assigning it at a management group makes it apply to every subscription beneath.

Why this answer

Azure Policy is correct because it lets the compliance team define one rule (a VM must carry a 'CostCenter' tag and its location must be in the approved list) and assign it once at a management group scope so every subscription, present and future, inherits it. Resource Manager evaluates the assignment on every create or update request, so a non-compliant VM is denied before it exists; existing resources are evaluated on a schedule and reported as non-compliant. No manual intervention is required.

Exam trap

The trap here is that candidates often confuse Azure Policy (which enforces rules on resources) with Azure Blueprints (which packages policies, RBAC, and resources for environment setup), but Blueprints does not enforce compliance on its own.

How to eliminate wrong answers

Option B is wrong because Azure RBAC controls who may perform which actions (for example, who can create VMs), but it cannot inspect the properties of a request, so it cannot require a tag or restrict a region. Option C is wrong because Azure Blueprints orchestrates the deployment of repeatable environments (policy assignments, RBAC, and resource groups together) but does not itself evaluate requests; any enforcement comes from the Azure Policy assignments it deploys, and Blueprints is slated for retirement in July 2026 in favour of template specs and deployment stacks. Option D is wrong because Azure Management Groups are the hierarchy you assign policies at, not the service that enforces them; a management group on its own imposes no tagging or region restriction.
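An added example, not from the exam material and not Microsoft's code, showing the policy rule the question calls for and a small evaluator for the subset of the Azure Policy language it uses (allOf/anyOf, field, equals, exists, in/notIn, and parameter references). The region list, the tag name and the sample requests are constructed for illustration; the real evaluation happens inside Azure Resource Manager, and this evaluator only mirrors its logic so you can see which requests would be denied.

```python
import re

# Constructed Azure Policy definition body, the shape you would pass to
# `az policy definition create --rules <policyRule> --params <parameters>`.
# It targets only VMs and denies any that lack the CostCenter tag or sit outside the allowed regions.
POLICY_DEFINITION = {
    "mode": "Indexed",   # evaluate only resource types that support tags and location
    "parameters": {
        "allowedLocations": {"type": "Array", "defaultValue": ["westeurope", "northeurope"]},
    },
    "policyRule": {
        "if": {
            "allOf": [
                {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
                {"anyOf": [
                    {"field": "tags['CostCenter']", "exists": "false"},
                    {"field": "location", "notIn": "[parameters('allowedLocations')]"},
                ]},
            ]
        },
        "then": {"effect": "deny"},
    },
}

_PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")
_TAG_FIELD = re.compile(r"^tags\['([^']+)'\]$")


def _resolve(value, params):
    """Expand the "[parameters('name')]" template syntax; literal values pass through."""
    if isinstance(value, str):
        m = _PARAM_REF.match(value)
        if m:
            return params[m.group(1)]
    return value


def _field(resource, name):
    """Read a field alias: plain top-level properties, or tags['name']."""
    m = _TAG_FIELD.match(name)
    if m:
        return (resource.get("tags") or {}).get(m.group(1))
    return resource.get(name)


def _norm(value):
    # Azure Policy string comparisons are case-insensitive.
    return value.lower() if isinstance(value, str) else value


def _holds(cond, resource, params) -> bool:
    if "allOf" in cond:
        return all(_holds(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_holds(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not _holds(cond["not"], resource, params)
    actual = _field(resource, cond["field"])
    if "exists" in cond:
        return (actual is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return _norm(actual) == _norm(_resolve(cond["equals"], params))
    if "notEquals" in cond:
        return _norm(actual) != _norm(_resolve(cond["notEquals"], params))
    if "in" in cond:
        return _norm(actual) in [_norm(v) for v in _resolve(cond["in"], params)]
    if "notIn" in cond:
        return _norm(actual) not in [_norm(v) for v in _resolve(cond["notIn"], params)]
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(policy, resource, param_values=None) -> str:
    """Return the effect that applies ("deny", "audit", ...) when the `if` block matches,
    or "compliant" when it does not. With deny, Resource Manager rejects the PUT."""
    params = {k: v.get("defaultValue") for k, v in policy.get("parameters", {}).items()}
    params.update(param_values or {})
    rule = policy["policyRule"]
    if _holds(rule["if"], resource, params):
        return rule["then"]["effect"].lower()
    return "compliant"


# Constructed resource requests, as Resource Manager would present them to Policy.
SAMPLE_REQUESTS = {
    "vm_tagged_allowed_region": {"type": "Microsoft.Compute/virtualMachines",
                                 "location": "westeurope", "tags": {"CostCenter": "CC-1234"}},
    "vm_missing_tag": {"type": "Microsoft.Compute/virtualMachines",
                       "location": "westeurope", "tags": {}},
    "vm_blocked_region": {"type": "Microsoft.Compute/virtualMachines",
                          "location": "eastus", "tags": {"CostCenter": "CC-1234"}},
    "storage_account_untagged": {"type": "Microsoft.Storage/storageAccounts",
                                 "location": "eastus"},
}


def evaluate_samples() -> dict:
    return {name: evaluate(POLICY_DEFINITION, res) for name, res in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:28} {verdict}")
```

Two design points carry over to the real service: the `if` block describes the resources the effect applies to, so for a deny policy it must match the non-compliant shape rather than the compliant one, and the `type` condition keeps the rule from blocking unrelated resources (the untagged storage account above is untouched). Parameters are what let one definition be assigned with different region lists per management group.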

1028
MCQmedium

A company's data engineering team needs to process CSV files that are uploaded to an Azure Blob Storage container. For each uploaded file, the team must run a custom Python script to clean and transform the data. The team wants a solution that automatically triggers the script upon file upload, does not require them to manage any virtual machines or containers, and charges only when code executes. Which Azure service should the team use?

A.Azure Logic Apps
B.Azure Functions
C.Azure Container Instances
D.Azure Batch
AnswerB

Azure Functions is a serverless compute service that supports multiple languages, including Python. It can be triggered by Azure Blob Storage events (e.g., a new blob created) to automatically run the function code. The consumption plan bills only for the execution time, and there is no infrastructure to manage. This matches all the requirements perfectly.

Why this answer

Azure Functions is the correct choice because it is a serverless compute service whose Python functions can be bound to a Blob Storage trigger, either the classic polling trigger or the Event Grid-based trigger (lower latency and better at scale). The function runs automatically when a CSV file lands in the container, no VMs or containers are provisioned, and the Consumption plan bills per execution time and memory, meeting all stated requirements.

Exam trap

The trap here is that candidates often confuse Azure Logic Apps with Azure Functions because both can respond to blob uploads, but Logic Apps cannot natively execute arbitrary Python code without an intermediate service, and its pricing model charges per action execution rather than per compute time.

How to eliminate wrong answers

Option A is wrong because Azure Logic Apps is a workflow orchestration service built from connectors and built-in actions; it can trigger on blob uploads, but it does not run arbitrary Python natively, so you would still call an Azure Function or another service to execute the script, adding complexity and cost. Option C is wrong because Azure Container Instances requires you to package the script into a container image and manage the container's lifecycle; it has no built-in blob trigger, and you are charged for the container's running time rather than only when code executes. Option D is wrong because Azure Batch schedules large-scale parallel and HPC jobs on pools of compute nodes that you size and configure; it is not event-triggered by a blob upload, and you pay for the pool's VMs while they run, not per execution.
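An added example, not from the exam material and not Microsoft's code, of what the team's function could look like in the Azure Functions v2 Python programming model: a blob trigger on the upload container, a blob output binding for the cleaned file, and a pure `clean_csv` transform that can be unit-tested without the Functions host. The container names (`uploads`, `cleaned`), the connection setting name and the sample file are assumptions; the cleaning step also neutralises spreadsheet formula injection, a cheap hardening worth adding to any CSV pipeline whose output someone will open in Excel.

```python
import csv
import io

try:
    import azure.functions as func  # provided by the Functions host (azure-functions package)
except ImportError:                  # not installed on a plain workstation; the transform still runs
    func = None

_FORMULA_PREFIXES = ("=", "+", "-", "@")


def _is_number(cell: str) -> bool:
    try:
        float(cell)
        return True
    except ValueError:
        return False


def clean_csv(raw: bytes) -> bytes:
    """Strip a BOM and surrounding whitespace, drop empty rows, and prefix cells that a
    spreadsheet would interpret as formulas (=, +, -, @) with a quote so the output is
    safe to open in Excel. Signed numbers such as -5 are left alone."""
    reader = csv.reader(io.StringIO(raw.decode("utf-8-sig")))
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for row in reader:
        cells = [c.strip() for c in row]
        if not any(cells):
            continue
        writer.writerow([
            "'" + c if c.startswith(_FORMULA_PREFIXES) and not _is_number(c) else c
            for c in cells
        ])
    return out.getvalue().encode("utf-8")


# Constructed sample upload: BOM, padding, an empty row, and a DDE-style formula payload.
SAMPLE_CSV = (
    b"\xef\xbb\xbfid,name,amount\n"
    b"1, Alice ,-5\n"
    b"\n"
    b"2,=cmd|' /C calc'!A0,+12\n"
)


if func is not None:
    app = func.FunctionApp()

    # Blob trigger: fires once per new blob under uploads/; the output binding writes the
    # cleaned file to cleaned/ with the same name. The container names and the
    # "AzureWebJobsStorage" connection setting are assumptions for this example.
    @app.blob_trigger(arg_name="inblob", path="uploads/{name}.csv", connection="AzureWebJobsStorage")
    @app.blob_output(arg_name="outblob", path="cleaned/{name}.csv", connection="AzureWebJobsStorage")
    def on_csv_uploaded(inblob: func.InputStream, outblob: func.Out[bytes]) -> None:
        outblob.set(clean_csv(inblob.read()))


if __name__ == "__main__":
    print(clean_csv(SAMPLE_CSV).decode())
```

Keeping the transform separate from the binding is what makes the Consumption-plan function cheap to test: `clean_csv` runs anywhere, and the decorated wrapper is only exercised by the Functions host. On the Consumption plan the polling blob trigger can lag on containers with many blobs; for high-volume or latency-sensitive pipelines use the Event Grid-based blob trigger (`source="EventGrid"` on the same decorator).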

1029
MCQmedium

A company has an Azure subscription that contains production resources. The IT manager is concerned that a user who has the Contributor role might accidentally delete the entire subscription. The company wants a solution that prevents anyone from deleting the subscription, even users with the Owner role, while still allowing modifications to the resources inside the subscription. What should the administrator configure?

A.Assign a custom role-based access control (RBAC) role that denies the delete action for all users.
B.Configure an Azure Policy with the 'Deny' effect to block deletion of the subscription.
C.Apply a resource lock of type 'Delete' at the subscription level.
D.Apply a resource lock of type 'ReadOnly' at the subscription level.
AnswerC

This is correct. A Delete lock (shown as Delete in the portal, CanNotDelete in the CLI and REST API) prevents the locked scope from being deleted while still allowing read and update operations. Locks apply regardless of RBAC role, Owners included, and can be set at subscription, resource group, or resource scope. A lock at subscription scope is inherited by every resource group and resource below it, so it also blocks deleting those child resources; updates to them remain allowed, which is what the question asks for.

Why this answer

Option C is correct because a CanNotDelete lock at subscription scope blocks the delete operation for every principal, including Owners, without affecting create or update operations on the resources inside. The lock is not a permission, so no role assignment bypasses it; the only way around it is to remove the lock first, which requires Microsoft.Authorization/locks/* permissions (held by Owner and User Access Administrator). That makes it a guard against accidental deletion, which is the IT manager's concern, rather than a control against a hostile Owner.

Exam trap

The trap here is that candidates confuse Azure Policy (which governs resource configuration compliance) with resource locks (which protect against accidental deletion or modification at the management plane), leading them to choose Azure Policy instead of the correct lock type.

How to eliminate wrong answers

Option A is wrong because Azure RBAC role definitions have no deny semantics: NotActions only subtracts from the permissions that same role grants, and a user who also holds Owner keeps delete rights from the Owner assignment (deny assignments do exist in Azure, but they are created by Blueprints and managed applications, not by custom roles). Option B is wrong because Azure Policy evaluates resource create and update requests against the properties in the request (locations, SKUs, tags); the delete operation does not pass through Policy, so a deny effect cannot block it. Option D is wrong because a ReadOnly lock blocks updates as well as deletes, which contradicts the requirement that resources inside the subscription remain modifiable.

1030
MCQhard

A company plans to use Azure Site Recovery to replicate on-premises virtual machines to Azure for disaster recovery. Due to regulatory restrictions, they cannot use the paired region and must replicate to a specific Azure region in the same continent. Can they select this non-paired region as the recovery target?

A.Yes, you can select any Azure region as the target for replication.
B.No, replication is only allowed to the paired region.
C.Yes, but only if both regions are within the same availability zone.
D.No, only to regions that are within the same geography.
AnswerA

Correct. Azure Site Recovery does not restrict the target to the paired region; the target is whichever supported region you create the Recovery Services vault in.

Why this answer

Azure Site Recovery can replicate on-premises virtual machines (VMware, Hyper-V, or physical servers) to any Azure region that supports the service: for on-premises to Azure scenarios the target region is the region of the Recovery Services vault, and you may create that vault wherever ASR is available. The paired region is a sensible default, because paired regions receive sequenced platform updates and prioritised recovery during a wide outage, but ASR does not enforce it. The same-continent rule in the question is the company's own regulatory constraint, which it applies by choosing a compliant vault region.

Exam trap

The trap here is that candidates often assume Azure's paired region is mandatory for disaster recovery replication, but Azure Site Recovery explicitly allows selection of any supported region, making paired regions a recommendation rather than a requirement.

How to eliminate wrong answers

Option B is wrong because Azure Site Recovery does not restrict replication to the paired region; you can choose any supported Azure region. Option C is wrong because availability zones are physically separate datacenters within a single region, so "both regions in the same availability zone" is not a meaningful condition for cross-region replication. Option D is wrong because replication is not limited to the same geography; any supported Azure region in the same cloud can be the target, subject to the organisation's own data-residency and compliance requirements.

1031
MCQmedium

A company's finance team uses Azure Cost Management + Billing to monitor cloud spending. They want to configure a rule that sends an email notification to the finance team's distribution list when the monthly cost for resources tagged with Department=Marketing exceeds $10,000. Which Azure Cost Management feature should they configure?

A.Budget
B.Invoice
C.Cost analysis
D.Recommendations
AnswerA

A budget in Azure Cost Management + Billing can include cost thresholds and alert rules. When the actual or forecasted cost exceeds the defined amount, an email notification is sent to the specified recipients.

Why this answer

Azure Budgets let you set a cost or usage amount for a scope (subscription, resource group, or management group), narrow it with filters such as a tag, and define alert conditions at percentages of that amount for actual or forecasted spend. Here the finance team creates a monthly $10,000 budget filtered on Department=Marketing, adds an alert condition at 100% of actual cost, and lists the distribution list as the recipient; Azure then emails it when spend reaches the threshold (an action group can be attached for other notification channels). Note that a budget alerts, it does not stop spending.

Exam trap

The trap here is that candidates confuse the reporting capabilities of Cost analysis (which shows past spending) with the proactive alerting functionality of Budgets, leading them to select Cost analysis instead of Budget.

How to eliminate wrong answers

Option B (Invoice) is wrong because the Invoice feature provides a downloadable PDF of the monthly bill and does not support custom alerting rules based on tagged resource costs. Option C (Cost analysis) is wrong because, while Cost analysis provides interactive views and filtering of historical cost data, it does not send proactive email notifications when a spending threshold is exceeded. Option D (Recommendations) is wrong because Advisor cost recommendations suggest right-sizing, shutting down idle resources and buying reservations; they do not watch a spending threshold or send alerts when it is crossed.
