Microsoft Azure Fundamentals AZ-900 (AZ-900) — Questions 301375

1031 questions total · 14pages · All types, answers revealed

Page 4

Page 5 of 14

Page 6
301
MCQmedium

A manufacturing company is building a web-based dashboard to display real-time production metrics from sensors. The development team wants to deploy the application without managing the underlying infrastructure, including the web server and operating system. The application uses ASP.NET Core. Which Azure service should they use?

A.Azure Functions
B.Azure App Service
C.Azure Kubernetes Service (AKS)
D.Azure Virtual Machines
AnswerB

Azure App Service is a fully managed PaaS service that runs web applications, REST APIs, and mobile backends. It supports ASP.NET Core out of the box, handles patching of the OS and web server, and provides built-in scaling and load balancing, meeting the requirement of not managing infrastructure.

Why this answer

Azure App Service is the correct choice because it provides a fully managed platform for hosting web applications, including ASP.NET Core, without requiring the user to manage the underlying web server or operating system. It supports continuous deployment, auto-scaling, and built-in load balancing, making it ideal for a real-time dashboard that needs high availability and minimal operational overhead.

Exam trap

The trap here is that candidates often confuse Azure Functions with a general-purpose web host, but Functions is optimized for stateless, event-driven triggers and lacks the persistent HTTP session and WebSocket support needed for a real-time dashboard.

How to eliminate wrong answers

Option A is wrong because Azure Functions is a serverless compute service designed for event-driven, short-lived tasks (e.g., processing sensor data), not for hosting a persistent web-based dashboard with real-time updates. Option C is wrong because Azure Kubernetes Service (AKS) is a container orchestration platform that still requires management of the Kubernetes cluster and node infrastructure, contradicting the requirement to avoid managing underlying infrastructure. Option D is wrong because Azure Virtual Machines provide IaaS-level control, requiring the user to manage the OS, web server, and all patches, which directly violates the 'without managing the underlying infrastructure' requirement.

302
MCQmedium

What does the Azure 'Reliability' pillar of the Well-Architected Framework focus on?

A.Reducing unnecessary resource provisioning to minimize costs
B.Ensuring workloads recover from failures and meet availability requirements
C.Encrypting all data and managing access identities
D.Monitoring resource performance and responding to performance alerts
AnswerB

Reliability covers redundancy design, failure recovery, capacity planning, and meeting defined availability targets.

Why this answer

The Azure Well-Architected Framework's Reliability pillar is specifically designed to ensure that workloads can recover from failures and meet defined availability and resiliency targets. This involves designing for fault tolerance, implementing redundancy across regions or availability zones, and using features like Azure Site Recovery and Azure Load Balancer to maintain service continuity. The core goal is to minimize downtime and data loss, which directly aligns with option B.

Exam trap

The trap here is that candidates often confuse the Reliability pillar with the Performance Efficiency pillar, mistakenly thinking that monitoring and responding to performance alerts (Option D) is the same as ensuring recovery from failures, but reliability specifically addresses fault tolerance and availability, not just performance tuning.

How to eliminate wrong answers

Option A is wrong because it describes the Cost Optimization pillar, which focuses on reducing unnecessary resource provisioning and minimizing expenses, not reliability. Option C is wrong because it describes the Security pillar, which deals with encrypting data, managing identities with Azure Active Directory, and implementing access controls, not workload recovery or availability. Option D is wrong because it describes the Performance Efficiency pillar, which involves monitoring resource performance and responding to alerts (e.g., using Azure Monitor and Autoscale), not ensuring recovery from failures or meeting availability requirements.

303
MCQmedium

Which Azure service provides code repository hosting with features like pull requests, code review, and branch protection?

A.Azure Artifacts
B.Azure Repos
C.Azure Pipelines
D.Azure Boards
AnswerB

Azure Repos provides Git source control with pull requests, code review, and branch policies.

Why this answer

Azure Repos is the correct answer because it provides Git-based code repository hosting with full support for pull requests, code review workflows, and branch protection policies. These features enable teams to collaborate on code changes, enforce quality gates, and prevent direct pushes to critical branches.

Exam trap

The trap here is that candidates often confuse Azure Repos with Azure Pipelines or Azure Boards because all three are part of Azure DevOps, but only Azure Repos provides the actual code repository hosting with pull request and branch protection features.

How to eliminate wrong answers

Option A is wrong because Azure Artifacts is a package management service for hosting Maven, npm, NuGet, and other package feeds, not a code repository. Option C is wrong because Azure Pipelines is a CI/CD service for building and deploying code, not for hosting repositories or managing code reviews. Option D is wrong because Azure Boards is a work tracking and Agile project management tool with backlogs and boards, not a code repository.

304
MCQmedium

An organization needs to ensure all VMs in Azure use approved VM sizes only. Which Azure feature enforces this?

A.Azure RBAC
B.Azure Policy with allowed VM SKU policy
C.Azure Resource Manager locks
D.Azure Cost Management budgets
AnswerB

Azure Policy's built-in 'Allowed virtual machine size SKUs' policy enforces that only specified VM sizes can be created.

Why this answer

Azure Policy with the 'Allowed virtual machine SKUs' built-in policy definition enforces which VM sizes can be deployed in a subscription or resource group. When assigned, this policy evaluates all VM creation or update requests and denies any that use a SKU not included in the allowed list, ensuring compliance with organizational standards.

Exam trap

The trap here is confusing Azure Policy (which enforces resource configuration rules) with Azure RBAC (which controls user permissions), leading candidates to incorrectly choose RBAC when the question asks about enforcing specific resource properties.

How to eliminate wrong answers

Option A is wrong because Azure RBAC controls who can perform actions on resources (authorization via role assignments), not what resource properties (like VM sizes) are allowed. Option C is wrong because Azure Resource Manager locks prevent accidental deletion or modification of resources but do not restrict the configuration or SKU of new or existing VMs. Option D is wrong because Azure Cost Management budgets track and alert on spending against defined thresholds but do not enforce technical restrictions on VM size selection.

305
MCQeasy

Which Azure database service supports both relational (SQL) and non-relational (NoSQL) data models with multi-master global distribution?

A.Azure SQL Database
B.Azure Database for PostgreSQL Hyperscale
C.Azure Cosmos DB
D.Azure Synapse Analytics
AnswerC

Cosmos DB supports multiple data models (SQL, MongoDB, Cassandra, Graph, Table) with global multi-master distribution.

Why this answer

Azure Cosmos DB is the correct answer because it is a globally distributed, multi-model database service that natively supports both SQL (relational) and NoSQL (non-relational) data models, including document, key-value, graph, and column-family. It offers multi-master replication, enabling writes to be accepted at any region with automatic conflict resolution, which is a unique capability not found in the other listed services.

Exam trap

The trap here is that candidates often confuse Azure SQL Database's elastic scale or Azure Synapse's distributed query capabilities with true multi-model and multi-master support, but only Cosmos DB provides native multi-master writes and support for both relational and non-relational data models.

How to eliminate wrong answers

Option A is wrong because Azure SQL Database is a purely relational database service based on SQL Server engine, it does not support NoSQL data models or multi-master global distribution. Option B is wrong because Azure Database for PostgreSQL Hyperscale is a relational database service that scales out read replicas but does not support NoSQL models or multi-master writes. Option D is wrong because Azure Synapse Analytics is a big data analytics and data warehousing service that uses T-SQL for querying, it is not a multi-model database and does not offer multi-master global distribution.

306
MCQmedium

A company needs to store massive amounts of unstructured data, such as videos and images, that will be accessed over the internet. The data must be highly durable and available. Which Azure service should they use?

A.Azure Blob Storage
B.Azure Files
C.Azure Disk Storage
D.Azure Queue Storage
AnswerA

Blob storage is designed for unstructured data like images and videos with HTTP access.

Why this answer

Azure Blob Storage is designed for storing massive amounts of unstructured data, such as videos and images, and provides high durability (99.9999999999% with LRS) and availability through geo-redundancy options. It is accessible over the internet via HTTP/HTTPS, making it ideal for serving content globally.

Exam trap

The trap here is that candidates often confuse Azure Files (a managed SMB share) with object storage, but Azure Files is not designed for massive unstructured data or direct internet access without additional configuration like Azure File Sync.

How to eliminate wrong answers

Option B is wrong because Azure Files provides fully managed file shares using the SMB protocol, which is optimized for shared file access in hybrid environments, not for storing massive unstructured data like videos and images. Option C is wrong because Azure Disk Storage provides block-level storage volumes for Azure VMs, designed for persistent OS and data disks, not for internet-accessible unstructured data storage.

307
MCQmedium

Which Azure service allows you to create a private network connection between your Azure VNet and your on-premises network using a dedicated circuit, not over the public internet?

A.Azure VPN Gateway
B.Azure ExpressRoute
C.Azure Virtual WAN
D.Azure Bastion
AnswerB

ExpressRoute provides dedicated private circuits between on-premises and Azure, bypassing the public internet for better reliability and security.

Why this answer

Azure ExpressRoute is the correct answer because it provides a dedicated, private connection from your on-premises network to Azure, bypassing the public internet entirely. This is achieved through a direct, private circuit provided by a connectivity partner, offering higher reliability, lower latency, and higher bandwidth than internet-based connections.

Exam trap

The trap here is that candidates often confuse Azure VPN Gateway (which also connects on-premises to Azure) with ExpressRoute, failing to recognize that VPN Gateway uses the public internet while ExpressRoute uses a dedicated private circuit.

How to eliminate wrong answers

Option A is wrong because Azure VPN Gateway creates encrypted tunnels over the public internet using IPsec/IKE protocols, not a dedicated private circuit. Option C is wrong because Azure Virtual WAN is a networking service that aggregates branch connectivity, but it can use VPN or ExpressRoute as underlying transport; it is not itself a dedicated circuit service. Option D is wrong because Azure Bastion is a fully managed PaaS service that provides secure RDP/SSH access to VMs directly from the Azure portal over TLS, without exposing public IPs, and has nothing to do with private on-premises connectivity.

308
MCQmedium

A company stores sensitive customer data in an Azure Blob Storage account. The company's security policy requires that all data traffic between the virtual network (VNet) and the storage account must never traverse the public internet. Additionally, the storage account must remain accessible from an on-premises data center through a Site-to-Site VPN connection. Which Azure feature should the company configure on the storage account?

A.Azure service endpoints
B.Azure Private Link (using a private endpoint)
C.Azure VPN Gateway connection to the storage account
D.Azure route tables
AnswerB

A private endpoint creates a network interface with a private IP address in the VNet. Traffic to the storage account goes over the Microsoft backbone without ever leaving the VNet or touching the public internet. Because the storage account appears inside the VNet, on-premises access via Site-to-Site VPN is naturally possible. This meets both requirements.

Why this answer

Azure Private Link with a private endpoint is correct because it assigns a private IP address from the VNet to the storage account, ensuring all traffic between the VNet and the storage account stays within the Microsoft Azure backbone network and never traverses the public internet. Additionally, the storage account can still be accessed from an on-premises data center via a Site-to-Site VPN connection that terminates in the same VNet, as the private endpoint is reachable over the VPN.

Exam trap

The trap here is that candidates often confuse Azure service endpoints with private endpoints, thinking both provide the same level of isolation, but service endpoints still expose the public endpoint and do not guarantee that traffic from on-premises over a VPN stays off the public internet.

How to eliminate wrong answers

Option A is wrong because Azure service endpoints only provide a direct route from the VNet to the storage account over the Azure backbone, but they do not assign a private IP address to the storage account; the storage account's public endpoint is still used, and traffic from on-premises over a Site-to-Site VPN would still need to traverse the public internet to reach that public endpoint. Option C is wrong because an Azure VPN Gateway connection is used to connect on-premises networks to an Azure VNet, not to connect directly to a storage account; the storage account itself cannot have a VPN Gateway attached. Option D is wrong because Azure route tables control the routing of traffic within a VNet or between subnets, but they do not provide private connectivity to PaaS services like Blob Storage or prevent traffic from traversing the public internet.

309
MCQmedium

A company has multiple Azure subscriptions for different departments. They want to enforce consistent policies across all subscriptions regarding allowed virtual machine sizes and require compliance reporting. Which Azure feature should they use?

A.Azure Blueprints
B.Azure Resource Manager templates
C.Azure Policy
D.Role-Based Access Control (RBAC)
AnswerC

Azure Policy enforces rules on resources across subscriptions and provides compliance dashboards and reports.

Why this answer

Azure Policy is the correct choice because it enables you to create, assign, and manage policies that enforce specific rules (such as allowed VM sizes) across multiple subscriptions. It provides built-in compliance reporting via the Compliance dashboard, showing which resources are non-compliant. Unlike Blueprints or ARM templates, Policy focuses solely on governance rules and does not deploy resources or define the environment's architecture.

Exam trap

The trap here is that candidates confuse Azure Policy (which enforces rules and compliance) with Azure Blueprints (which packages multiple resources and policies together for repeatable deployments), leading them to choose Blueprints when the question focuses on policy enforcement and reporting rather than environment setup.

How to eliminate wrong answers

Option A is wrong because Azure Blueprints is used to orchestrate the deployment of resource groups, policies, role assignments, and ARM templates as a single composable artifact; it does not itself enforce ongoing compliance or provide granular policy-based controls like allowed VM sizes. Option B is wrong because Azure Resource Manager templates are declarative JSON files that define infrastructure to be deployed; they do not enforce policies after deployment or provide compliance reporting—they are for provisioning, not governance.

310
MCQmedium

Which statement correctly describes the relationship between cloud scalability and business continuity?

A.Scalability and business continuity are unrelated cloud concepts
B.Scalability supports business continuity by handling unexpected demand without service disruption
C.Business continuity only requires geo-redundancy, not scalability
D.Scalability reduces the need for security controls in cloud environments
AnswerB

Elastic scaling maintains service availability during demand spikes, supporting business continuity goals.

Why this answer

Scalability enables a cloud system to automatically add or remove resources (e.g., compute instances, bandwidth) in response to demand fluctuations. This directly supports business continuity by ensuring that sudden traffic spikes or resource surges do not cause service degradation or outages, maintaining availability and performance without manual intervention.

Exam trap

The trap here is that candidates often assume scalability only relates to performance optimization, not to availability and continuity, leading them to incorrectly choose Option A or C.

How to eliminate wrong answers

Option A is wrong because scalability and business continuity are closely related: scalability ensures that resources can be dynamically adjusted to maintain service availability during demand spikes, which is a core component of business continuity. Option C is wrong because business continuity requires more than geo-redundancy; it also needs scalability to handle local demand surges, load balancing, and failover capacity without disruption. Option D is wrong because scalability does not reduce the need for security controls; in fact, scaling out resources often increases the attack surface, requiring robust security measures like network security groups, identity management, and encryption.

311
MCQeasy

What is the purpose of Azure tags?

A.To control access to Azure resources based on user roles
B.To apply metadata to resources for organization, billing tracking, and filtering
C.To enforce compliance policies across resource configurations
D.To back up resource configurations automatically
AnswerB

Tags are metadata name-value pairs for organizing, tracking costs, and filtering Azure resources.

Why this answer

Azure tags are key-value pairs that you can assign to Azure resources to apply metadata for organization, billing tracking, and filtering. They enable you to categorize resources by department, environment, cost center, or any custom taxonomy, which is essential for managing costs and resource inventory at scale. Tags are not used for access control, compliance enforcement, or backup automation.

Exam trap

The trap here is that candidates often confuse tags with RBAC or Azure Policy, thinking tags control access or enforce compliance, when in reality tags are purely metadata for organization and cost tracking.

How to eliminate wrong answers

Option A is wrong because controlling access to Azure resources based on user roles is the purpose of Azure Role-Based Access Control (RBAC), not tags. Option C is wrong because enforcing compliance policies across resource configurations is achieved through Azure Policy, which uses policy definitions and initiatives, not tags (though tags can be used as a condition in policies). Option D is wrong because backing up resource configurations automatically is handled by Azure Backup or Azure Site Recovery, not by tags.

312
MCQmedium

A company wants to run a containerized microservices application on Azure. The application requires automatic scaling, service discovery, and rolling updates without manual intervention. They prefer not to manage the underlying virtual machines. Which Azure compute service should they choose?

A.Azure Container Instances
B.Azure Kubernetes Service (AKS)
C.Azure App Service
D.Azure Functions
AnswerB

AKS is a fully managed Kubernetes service that provides orchestration, automatic scaling, service discovery, and rolling updates. It offloads the management of the control plane to Azure.

Why this answer

Azure Kubernetes Service (AKS) is the correct choice because it provides a fully managed Kubernetes orchestration platform that handles automatic scaling (via Horizontal Pod Autoscaler), service discovery (via Kubernetes DNS and Services), and rolling updates (via Deployment strategies) without requiring you to manage the underlying virtual machines. AKS abstracts the control plane and node management, allowing you to focus on deploying and managing containerized microservices.

Exam trap

The trap here is that candidates often confuse Azure Container Instances (ACI) with AKS because both run containers, but ACI lacks orchestration features like automatic scaling, service discovery, and rolling updates, which are essential for multi-container microservices applications.

How to eliminate wrong answers

Option A (Azure Container Instances) is wrong because it is designed for running individual containers on demand without orchestration features like automatic scaling, service discovery, or rolling updates across multiple containers. Option C (Azure App Service) is wrong because it is a platform-as-a-service (PaaS) for web apps, APIs, and mobile backends, not optimized for containerized microservices orchestration; it lacks native Kubernetes-based service discovery and rolling update mechanisms. Option D (Azure Functions) is wrong because it is a serverless compute service for event-driven, short-lived functions, not designed for long-running containerized microservices with orchestration needs.

313
MCQmedium

Which Azure service provides a way to build workflows that integrate apps, data, and services across cloud and on-premises environments?

A.Azure Functions
B.Azure Logic Apps
C.Azure Service Bus
D.Azure Event Grid
AnswerB

Logic Apps provides visual workflow automation with connectors to integrate apps, data, and services.

Why this answer

Azure Logic Apps is the correct answer because it is a cloud-based platform for creating and running automated workflows that integrate apps, data, services, and systems across cloud and on-premises environments. It provides a visual designer and hundreds of prebuilt connectors to orchestrate business processes without writing code, making it ideal for enterprise integration scenarios.

Exam trap

The trap here is that candidates often confuse Azure Logic Apps with Azure Functions because both can automate tasks, but Logic Apps is specifically designed for workflow integration with prebuilt connectors, while Functions is for running custom code snippets in response to events.

How to eliminate wrong answers

Option A is wrong because Azure Functions is a serverless compute service for running event-driven code (functions) in response to triggers, not a workflow integration service; it lacks the built-in connectors and visual designer for orchestrating multi-step integrations. Option C is wrong because Azure Service Bus is a fully managed enterprise message broker for decoupling applications and services via queues and topics, not a workflow engine for building integration workflows. Option D is wrong because Azure Event Grid is a highly scalable event routing service that uses a publish-subscribe model to deliver events from sources to handlers, but it does not provide workflow orchestration or integration logic.

314
MCQmedium

A company hosts a web application on Azure App Service. The application must be accessible from any internet-connected device, including smartphones and laptops. Employees also use the Azure portal and Azure CLI from various locations to manage the application and other Azure resources. This scenario best illustrates which characteristic of cloud computing?

A.On-demand self-service
B.Broad network access
C.Resource pooling
D.Measured service
AnswerB

Broad network access is the correct characteristic. It describes how cloud resources are universally accessible over the network through standard protocols, enabling users to connect from various devices and locations. The web application being accessible via HTTPS from smartphones, laptops, and the use of Azure portal/CLI from anywhere exemplifies this.

Why this answer

Broad network access is the correct characteristic because the scenario explicitly describes the web application being accessible from any internet-connected device (smartphones, laptops) and employees managing resources via the Azure portal and CLI from various locations. This aligns with the NIST definition of broad network access, where resources are available over the network and accessed through standard protocols (e.g., HTTPS, SSH) by heterogeneous thin or thick client platforms.

Exam trap

The trap here is that candidates confuse 'broad network access' with 'on-demand self-service' because both involve user interaction, but broad network access specifically focuses on network-based accessibility from diverse devices and locations, not the ability to provision resources without human intervention.

How to eliminate wrong answers

Option A is wrong because on-demand self-service refers to a user's ability to provision computing resources (e.g., VMs, storage) automatically without requiring human interaction with the service provider, not the accessibility of an already-deployed application from multiple device types. Option C is wrong because resource pooling describes the provider's multi-tenant model where physical and virtual resources are dynamically assigned and reassigned according to consumer demand, not the network-based accessibility of services from diverse locations.

315
MCQmedium

Which Azure identity service provides single sign-on (SSO) and multi-factor authentication (MFA) for cloud and on-premises applications?

A.Azure AD Domain Services
B.Azure Active Directory (Azure AD)
C.Azure Key Vault
D.Azure Information Protection
AnswerB

Azure AD provides SSO, MFA, conditional access, and identity management for cloud and on-premises apps.

Why this answer

Azure Active Directory (Azure AD) is Microsoft's cloud-based identity and access management service that provides single sign-on (SSO) and multi-factor authentication (MFA) for both cloud and on-premises applications. It enables users to sign in once and access multiple resources, while MFA adds an extra layer of security by requiring additional verification methods like a phone call or app notification.

Exam trap

The trap here is that candidates confuse Azure AD Domain Services (which sounds similar to Azure AD) as the identity provider for SSO and MFA, but it only provides domain join and LDAP services, not cloud authentication features.

How to eliminate wrong answers

Option A is wrong because Azure AD Domain Services provides managed domain services like group policy and Kerberos authentication, not SSO or MFA. Option C is wrong because Azure Key Vault is a secrets management service for storing cryptographic keys and certificates, not an identity provider for SSO or MFA. Option D is wrong because Azure Information Protection focuses on data classification and protection labels, not user authentication or identity services.

316
MCQmedium

What is the purpose of Azure Load Balancer?

A.To cache web content at edge locations globally
B.To distribute incoming network traffic across multiple backend resources
C.To connect on-premises networks to Azure
D.To manage domain names and DNS routing
AnswerB

Load Balancer distributes TCP/UDP traffic across healthy backend VMs for high availability.

Why this answer

Azure Load Balancer operates at Layer 4 (TCP/UDP) of the OSI model to distribute incoming traffic across healthy backend resources, such as virtual machines or instances in a backend pool. It uses a hash-based distribution algorithm (5-tuple hash for inbound traffic) to ensure high availability and scalability by spreading requests evenly. This directly supports fault tolerance by automatically routing traffic away from unhealthy instances based on health probes.

Exam trap

The trap here is that candidates often confuse Azure Load Balancer with Azure Traffic Manager or Azure Application Gateway, but Load Balancer operates at Layer 4 (TCP/UDP) for regional traffic distribution, not at Layer 7 (HTTP/HTTPS) or for global DNS-based routing.

How to eliminate wrong answers

Option A is wrong because caching web content at edge locations globally is the purpose of Azure Content Delivery Network (CDN) or Azure Front Door, not Load Balancer. Option C is wrong because connecting on-premises networks to Azure is achieved via Azure VPN Gateway or Azure ExpressRoute, which provide site-to-site or dedicated private connectivity. Option D is wrong because managing domain names and DNS routing is the function of Azure DNS or Azure Traffic Manager, which handle name resolution and traffic routing based on DNS policies, not Layer 4 load balancing.

317
MCQmedium

What is the primary difference between CapEx (Capital Expenditure) and OpEx (Operational Expenditure) in the context of IT spending?

A.CapEx is recurring monthly spending; OpEx is a one-time purchase
B.CapEx requires large upfront investment in physical assets; OpEx is pay-as-you-go spending
C.CapEx is tax-deductible immediately; OpEx is depreciated over years
D.CapEx and OpEx are identical for cloud services
AnswerB

CapEx = upfront hardware purchase; OpEx = cloud's consumption-based billing model.

Why this answer

Option B is correct because CapEx involves a significant upfront investment in physical IT assets like servers, storage, and networking equipment, which are then depreciated over their useful life. OpEx, in contrast, aligns with cloud services where you pay only for what you consume (e.g., per-hour VM usage, per-GB storage), with no large initial outlay. This fundamental shift from owning to renting infrastructure is a core concept in Azure and cloud computing.

Exam trap

The trap here is that candidates confuse the tax treatment or the recurring nature of payments, mistakenly thinking CapEx is monthly (Option A) or that cloud can be CapEx (Option D), when the core distinction is upfront investment vs. pay-as-you-go.

How to eliminate wrong answers

Option A is wrong because it reverses the definitions: CapEx is a one-time, upfront purchase (not recurring), while OpEx is typically recurring monthly spending (e.g., subscription fees). Option C is wrong because CapEx is not immediately tax-deductible; it is capitalized and depreciated over the asset's useful life (e.g., 3-5 years for servers), whereas OpEx is generally fully deductible in the period incurred. Option D is wrong because CapEx and OpEx are fundamentally different financial models; cloud services are almost exclusively OpEx (pay-as-you-go), not CapEx.

318
MCQeasy

Which Azure service provides NoSQL wide-column database storage compatible with Apache Cassandra?

A.Azure Table Storage
B.Azure Cosmos DB for Apache Cassandra
C.Azure Cache for Redis
D.Azure SQL Database Hyperscale
AnswerB

Cosmos DB for Cassandra provides wide-column NoSQL storage with Cassandra wire protocol and CQL compatibility.

Why this answer

Azure Cosmos DB for Apache Cassandra is the correct choice because it provides a NoSQL wide-column database storage that is fully compatible with the Apache Cassandra Query Language (CQL) and wire protocol. This allows you to run existing Cassandra workloads and tools (like cqlsh and Cassandra drivers) directly on Azure without any code changes, while benefiting from Cosmos DB's global distribution and SLA-backed performance.

Exam trap

The trap here is that candidates confuse Azure Table Storage (a key-value store) with a wide-column database, or assume that any NoSQL service (like Redis) can substitute for Cassandra's specific data model and protocol compatibility.

How to eliminate wrong answers

Option A is wrong because Azure Table Storage is a key-value store, not a wide-column database, and it does not support the Apache Cassandra protocol or CQL. Option C is wrong because Azure Cache for Redis is an in-memory data store (caching and session management) based on the Redis protocol, not a wide-column NoSQL database compatible with Cassandra. Option D is wrong because Azure SQL Database Hyperscale is a relational database service using SQL Server engine, not a NoSQL wide-column store, and it has no compatibility with Apache Cassandra.

319
MCQeasy

A company is evaluating cloud service models. They need to migrate an existing application that requires full control over the operating system and custom software installations. They do not want to manage the underlying physical hardware. Which cloud service model best fits this requirement?

A.Infrastructure as a Service (IaaS)
B.Platform as a Service (PaaS)
C.Software as a Service (SaaS)
D.On-premises deployment
AnswerA

Correct. IaaS provides virtualized compute resources. The customer is responsible for the OS, applications, and middleware, while the provider manages the physical infrastructure.

Why this answer

Infrastructure as a Service (IaaS) provides virtualized computing resources over the internet, including virtual machines with full control over the guest operating system. This allows the company to install custom software and manage the OS while the cloud provider handles the underlying physical hardware, such as servers, storage, and networking. The requirement for full OS control and custom software installations excludes PaaS and SaaS, which abstract away the OS layer.

Exam trap

The trap here is that candidates often confuse PaaS with IaaS because both involve cloud hosting, but PaaS removes OS-level access, making it unsuitable for scenarios requiring custom software installations or full OS control.

How to eliminate wrong answers

Option B (PaaS) is wrong because Platform as a Service abstracts the operating system and runtime environment, preventing direct control over the OS or installation of custom software; it is designed for deploying applications without managing infrastructure. Option C (SaaS) is wrong because Software as a Service delivers fully managed applications accessed via a browser or API, offering no access to the underlying OS or ability to install custom software.

320
MCQmedium

A company has two on-premises data centers connected to each other via a high-speed MPLS link. They plan to migrate several critical workloads to Azure. The network team requires a dedicated, private connection from each on-premises site to Azure that does not traverse the public internet. The connection must provide high bandwidth, low latency, and a Service Level Agreement (SLA) for availability. Which Azure service should the network team provision to meet these requirements?

A.Azure VPN Gateway (Site-to-Site)
B.Azure ExpressRoute
C.Azure Virtual WAN
D.Azure Application Gateway
AnswerB

ExpressRoute extends your on-premises networks into the Microsoft cloud over a private connection facilitated by a connectivity provider. This connection does not traverse the public internet, offering higher security, reliability, and up to 10 Gbps bandwidth with an SLA.

Why this answer

Azure ExpressRoute provides a dedicated, private connection from on-premises data centers to Azure that does not traverse the public internet. It offers high bandwidth, low latency, and a financially backed SLA of 99.95% availability, meeting all the stated requirements for critical workloads.

Exam trap

The trap here is that candidates often confuse Azure Virtual WAN as a direct connectivity solution, when it is actually an orchestration hub that still relies on ExpressRoute or VPN for the underlying private connection.

How to eliminate wrong answers

Option A is wrong because Azure VPN Gateway (Site-to-Site) uses IPSec tunnels over the public internet, which does not meet the requirement for a private connection that avoids the public internet and lacks the same SLA guarantees as ExpressRoute. Option C is wrong because Azure Virtual WAN is a networking orchestration service that can aggregate multiple connection types (including VPN and ExpressRoute), but it is not itself a dedicated private connection; the actual private connectivity still requires ExpressRoute circuits, so Virtual WAN alone does not fulfill the dedicated, private, high-bandwidth, low-latency SLA requirement.

321
MCQmedium

A company uses Azure Management Groups to organize subscriptions. The hierarchy is: Root Management Group -> Contoso Management Group -> Sales (management group) and R&D (management group). Under Sales there are two subscriptions: Sales-Prod and Sales-Dev. Under R&D there is one subscription: R&D-Prod. The governance team assigns an Azure Policy definition that denies the creation of resources in the East US region. They assign this policy to the Contoso Management Group, but they add an exclusion for the Sales-Dev subscription. A developer in the Sales-Dev subscription attempts to create a virtual machine in the East US region. What will happen?

A.The creation will fail because the policy is assigned to the Contoso Management Group, and all subscriptions under it must comply.
B.The creation will succeed because the policy is assigned only to the Sales and R&D management groups, not directly to subscriptions.
C.The creation will succeed because the Sales-Dev subscription is excluded from the policy assignment.
D.The creation will fail because exclusions cannot be applied at the subscription level when the policy is assigned at a management group scope.
AnswerC

Correct. An exclusion removes the subscription from the policy's evaluation scope. Resources in the excluded subscription are not subject to the policy's effect, so the VM creation is allowed.

Why this answer

Option C is correct because Azure Policy allows exclusions at any child scope when a policy is assigned at a parent management group. The policy assigned to the Contoso Management Group denies resources in East US, but the Sales-Dev subscription is explicitly excluded from that assignment. Therefore, the developer's virtual machine creation in East US will succeed, as the exclusion overrides the deny effect for that subscription.

Exam trap

The trap here is that candidates may assume exclusions are not allowed when a policy is assigned at a higher scope, or mistakenly think that exclusions only work at the same scope as the assignment, rather than understanding that Azure Policy supports exclusions at any child scope (management group, subscription, or resource group).

How to eliminate wrong answers

Option A is wrong because exclusions are a valid feature in Azure Policy; a subscription under a management group can be excluded from a policy assignment, so compliance is not mandatory for all child scopes. Option B is wrong because the policy is assigned to the Contoso Management Group, which is the parent of both Sales and R&D management groups, so it does apply to all subscriptions under those groups unless excluded. Option D is wrong because exclusions can be applied at the subscription level even when the policy is assigned at a management group scope; Azure Policy supports exclusions at any child scope (management group, subscription, or resource group) within the assignment's scope.

322
MCQmedium

Which Azure feature allows you to organize resources into logical groups for billing, management, and access control purposes?

A.Azure Subscriptions
B.Azure Management Groups
C.Azure Resource Groups
D.Azure Blueprints
AnswerC

Resource Groups are logical containers for organizing related Azure resources together for management and billing.

Why this answer

Azure Resource Groups are logical containers that hold related resources for an Azure solution. They enable you to manage resources collectively, apply consistent access control policies via RBAC, and track costs at the group level. This directly supports organizing resources for billing, management, and access control purposes.

Exam trap

The trap here is confusing Azure Resource Groups with Azure Subscriptions, as both are used for organization and billing, but subscriptions are the billing boundary and contain multiple resource groups, while resource groups are the logical grouping mechanism within a subscription.

How to eliminate wrong answers

Option A is wrong because Azure Subscriptions are billing and security boundaries that contain resource groups, but they do not organize resources into logical groups within a subscription; they are higher-level containers for cost aggregation and access management. Option B is wrong because Azure Management Groups are hierarchical containers used to manage governance, policy, and compliance across multiple subscriptions, not to organize individual resources within a subscription. Option D is wrong because Azure Blueprints are a declarative orchestration tool for deploying and governing environments using templates, policies, and role assignments, not a logical grouping mechanism for resources.

323
MCQmedium

Which Azure service provides a managed Apache Kafka-compatible event streaming service for high-throughput data pipelines?

A.Azure Service Bus
B.Azure Event Hubs
C.Azure Queue Storage
D.Azure Event Grid
AnswerB

Event Hubs is the Azure equivalent of Apache Kafka — a managed, high-throughput event streaming service with Kafka protocol compatibility.

Why this answer

Azure Event Hubs is the correct answer because it provides a fully managed, native Apache Kafka-compatible event streaming platform designed for high-throughput data ingestion and processing. It supports the Kafka protocol (including Kafka Connect and Kafka Streams) without requiring you to run any Kafka clusters, making it ideal for real-time data pipelines and analytics.

Exam trap

The trap here is that candidates confuse Azure Event Hubs with Azure Service Bus because both handle messages, but Event Hubs is optimized for high-throughput event ingestion and Kafka compatibility, while Service Bus is for enterprise messaging with features like sessions and dead-lettering.

How to eliminate wrong answers

Option A is wrong because Azure Service Bus is a message broker for enterprise messaging patterns (e.g., queues and topics with competing consumers), not a Kafka-compatible event streaming service, and it lacks the high-throughput, partitioned log architecture of Event Hubs. Option C is wrong because Azure Queue Storage is a simple, low-cost message queue for decoupling application components, but it does not support the Kafka protocol, event streaming, or high-throughput data pipelines. Option D is wrong because Azure Event Grid is a serverless event routing service that uses a publish-subscribe model for reacting to events (e.g., resource state changes), but it is not designed for high-throughput event streaming and does not offer Kafka protocol compatibility.

324
MCQmedium

A multinational e-commerce company runs its customer-facing web application on Azure virtual machines deployed in two Azure regions: East US and West Europe. The company wants to automatically route user traffic to the nearest regional deployment based on the user's geographic location. Additionally, if one region becomes unavailable, all traffic should automatically be redirected to the remaining healthy region. The company wants a solution that works at the DNS level and does not require terminating HTTPS traffic at the routing layer. Which Azure service should they use?

A.Azure Load Balancer
B.Azure Application Gateway
C.Azure Traffic Manager
D.Azure Front Door
AnswerC

Azure Traffic Manager is a DNS-based traffic routing service that can direct users to the closest or most appropriate regional endpoint based on geographic location, latency, or priority. It automatically detects endpoint health and fails over to healthy endpoints, making it ideal for global load balancing with DNS-level routing and without terminating HTTPS.

Why this answer

Azure Traffic Manager is a DNS-based traffic load balancer that routes incoming DNS requests to the nearest available endpoint based on geographic location (using the Performance traffic-routing method) and automatically fails over to the next healthy region when a region becomes unavailable. It operates at the DNS level, so it does not terminate HTTPS traffic, meeting the requirement to avoid SSL/TLS termination at the routing layer.

Exam trap

The trap here is that candidates often confuse Azure Traffic Manager (DNS-level, global, no SSL termination) with Azure Front Door (global, but terminates SSL at the edge), leading them to pick Front Door because it also supports geographic routing, but they overlook the explicit requirement to avoid HTTPS termination at the routing layer.

How to eliminate wrong answers

Option A is wrong because Azure Load Balancer operates at Layer 4 (TCP/UDP) and distributes traffic within a single region, not across regions, and it cannot route based on user geography or perform DNS-level failover. Option B is wrong because Azure Application Gateway is a Layer 7 HTTP/HTTPS load balancer that terminates SSL/TLS traffic and routes based on URL paths, but it is regional (not global) and does not provide DNS-level geographic routing or cross-region failover. Option D is wrong because Azure Front Door is a global Layer 7 load balancer that terminates HTTPS traffic at its edge, which violates the requirement to not terminate HTTPS at the routing layer; it also provides application-layer acceleration and WAF, which are not needed here.

325
MCQmedium

A company runs a latency-sensitive application on Azure virtual machines and needs to connect its on-premises data center to Azure. The connection must offer high reliability, predictable performance, and a service-level agreement (SLA) from the connectivity provider. It must also bypass the public internet for security and performance reasons. Which Azure service should the company use?

A.Azure VPN Gateway
B.Azure ExpressRoute
C.Azure Virtual WAN
D.Azure Application Gateway
AnswerB

Correct. Azure ExpressRoute establishes a private, dedicated connection from on-premises to Azure, bypassing the public internet. It provides higher reliability, lower latency, consistent performance, and a service-level agreement from the connectivity partner, meeting all the stated requirements.

Why this answer

Azure ExpressRoute is the correct choice because it provides a dedicated, private connection from the on-premises data center to Azure that bypasses the public internet entirely. This ensures high reliability, predictable performance (low latency and jitter), and a financially backed SLA of up to 99.95% availability. For latency-sensitive applications, ExpressRoute offers consistent network performance that VPNs over the internet cannot guarantee.

Exam trap

The trap here is that candidates often confuse Azure VPN Gateway with ExpressRoute, assuming a VPN is sufficient for 'private' connectivity, but they overlook the requirement for a provider-backed SLA and bypassing the public internet, which only ExpressRoute fulfills.

How to eliminate wrong answers

Option A is wrong because Azure VPN Gateway uses encrypted tunnels over the public internet, which introduces variable latency, potential packet loss, and does not offer a performance SLA from the connectivity provider. Option C is wrong because Azure Virtual WAN is a networking orchestration service that can aggregate VPN, ExpressRoute, and SD-WAN connections, but it is not a connectivity service itself; it does not provide the dedicated private bypass of the internet required here. Option D is wrong because Azure Application Gateway is a Layer 7 load balancer and web application firewall (WAF) that operates within Azure, not a hybrid connectivity service; it cannot connect an on-premises data center to Azure.

326
MCQmedium

A company operates a fleet of on-premises servers running legacy applications. Due to strict regulatory compliance requirements, these servers cannot be migrated to Azure. However, the IT team wants to centrally manage these servers using Azure tools, including applying Azure Policy to enforce configuration standards and using Azure Monitor for log collection and performance monitoring. The team needs to treat these on-premises servers as Azure resources without moving them. Which Azure service should the company use?

A.Azure Arc
B.Azure Stack Edge
C.Azure Site Recovery
D.Azure Policy
AnswerA

Azure Arc enables you to project non-Azure (on-premises, multi-cloud) resources into Azure Resource Manager, allowing you to manage them with Azure tools like Azure Policy and Azure Monitor. This directly meets the requirement to manage on-premises servers without migration.

Why this answer

Azure Arc is the correct service because it extends Azure Resource Manager (ARM) and Azure management plane to on-premises servers, allowing them to be treated as Azure resources without migration. With Azure Arc, you can apply Azure Policy to enforce configuration standards and use Azure Monitor for log collection and performance monitoring on these servers, meeting the regulatory compliance requirement of keeping them on-premises.

Exam trap

The trap here is confusing Azure Arc (hybrid management) with Azure Stack Edge (edge compute appliance) or Azure Site Recovery (disaster recovery), as candidates often assume any on-premises integration requires migration or replication rather than extension of the Azure control plane.

How to eliminate wrong answers

Option B (Azure Stack Edge) is wrong because it is a hardware appliance that brings Azure compute and storage to edge locations for data processing and transfer, not for centrally managing existing on-premises servers with Azure Policy and Monitor. Option C (Azure Site Recovery) is wrong because it is a disaster recovery service that replicates workloads to Azure for failover, not for ongoing management, policy enforcement, or monitoring of on-premises servers as Azure resources.

327
MCQeasy

A small business wants to run its accounting application without managing the underlying operating systems or hardware. The application is accessed through a web browser. Which cloud service model is being used?

A.Infrastructure as a Service (IaaS)
B.Platform as a Service (PaaS)
C.Software as a Service (SaaS)
D.Functions as a Service (FaaS)
AnswerC

SaaS delivers a fully managed application to end users, typically via a web browser, with no management of underlying infrastructure.

Why this answer

The correct answer is C (SaaS) because the business uses a web browser to access the accounting application without managing the underlying OS or hardware. SaaS delivers fully functional software over the internet, where the provider handles all infrastructure, platform, and application management, matching the scenario's requirement of zero administrative overhead.

Exam trap

The trap here is that candidates confuse 'not managing the OS/hardware' with PaaS, forgetting that PaaS still requires the customer to manage the application code and its deployment, whereas SaaS delivers a fully managed application accessible via browser.

How to eliminate wrong answers

Option A is wrong because IaaS provides virtualized compute, storage, and networking resources, but the customer still manages the OS, middleware, and applications—contradicting the requirement to avoid OS/hardware management. Option B is wrong because PaaS provides a managed platform (runtime, database, middleware) for deploying custom applications, but the customer still develops and manages the application code, whereas the scenario describes using a pre-built accounting application accessed via browser. Option D is wrong because FaaS (e.g., Azure Functions) is an event-driven compute model for running individual functions without managing servers, but it requires writing and deploying code, not using a ready-made browser-based application.

328
Matchingmedium

Match each Azure support plan to its key feature.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Billing and subscription support only

Business hours access to support engineers

24/7 access with faster response times

Proactive guidance and faster response

Dedicated Technical Account Manager

Why these pairings

Support plans vary by response time and level of assistance.

329
MCQmedium

A global company is designing a disaster recovery solution for a critical application. They plan to deploy the application to two Azure regions. The company wants to minimize the risk of both regions failing simultaneously due to a major platform update or a widespread natural disaster. Which Azure feature provides a specific pairing of regions to meet this goal?

A.Availability Zones within a single region
B.Azure region pairs
C.Azure Traffic Manager with geographic routing
D.Azure Site Recovery replication between any two regions of your choice
AnswerB

Azure region pairs are designed to provide protection against simultaneous failures by ensuring sequential updates and physical separation. This is the specific feature that pairs regions for disaster recovery purposes.

Why this answer

Azure region pairs are designed to ensure that two paired regions are updated sequentially during platform maintenance, reducing the risk of simultaneous failure. They are also physically separated by at least 300 miles to minimize the impact of natural disasters. This meets the company's goal of minimizing simultaneous failure risk from both a major platform update and a widespread natural disaster.

Exam trap

The trap here is that candidates often confuse Availability Zones (which protect within a region) with region pairs (which protect across regions), or assume that any two regions can be used for disaster recovery with the same guarantees as official region pairs.

How to eliminate wrong answers

Option A is wrong because Availability Zones are physically separate datacenters within a single Azure region, which does not protect against a region-wide failure from a natural disaster or a major platform update affecting the entire region. Option C is wrong because Azure Traffic Manager with geographic routing distributes traffic based on user geography for latency or compliance, not for disaster recovery isolation between specific paired regions; it does not provide the guaranteed physical separation and sequential update benefit of region pairs. Option D is wrong because Azure Site Recovery can replicate between any two regions of your choice, but not all region pairs are guaranteed to have the same physical distance and sequential update isolation as official Azure region pairs; choosing arbitrary regions may increase the risk of simultaneous failure.

330
MCQmedium

A company wants to ensure that all Azure resources they deploy are created in the Europe West region to comply with data sovereignty requirements. They want to block creation of resources in any other region. Which Azure service should they use?

A.Resource groups
B.Management groups
C.Azure Policy with allowed locations
D.Azure Blueprints
AnswerC

Azure Policy can deny creation of resources outside allowed regions.

Why this answer

Azure Policy with the 'allowed locations' built-in policy definition can enforce that all resources are deployed only in the Europe West region. When assigned to a subscription or resource group scope, this policy denies any resource creation outside the specified regions, directly meeting the data sovereignty requirement.

Exam trap

The trap here is that candidates often confuse Azure Policy with Azure Blueprints, thinking Blueprints directly enforce restrictions, when in fact Blueprints package policies but the enforcement itself comes from Azure Policy.

How to eliminate wrong answers

Option A is wrong because Resource groups are logical containers for resources and do not enforce regional restrictions; they only group resources for management and billing. Option B is wrong because Management groups provide hierarchical governance for subscriptions but do not themselves block resource creation in specific regions; they are used for organizing policy and RBAC inheritance. Option D is wrong because Azure Blueprints is a declarative orchestration tool for deploying repeatable environments (including policies, role assignments, and resource templates), but it is not the service that directly enforces regional restrictions—it relies on Azure Policy definitions within the blueprint to do so.

331
MCQmedium

A company wants to enforce that all storage accounts use the 'Standard' performance tier and block creation of any 'Premium' storage accounts. Which Azure Policy effect could achieve this?

A.Append
B.Deny
C.Audit
D.Disabled
AnswerB

Deny blocks any operation that violates the policy, preventing creation of Premium storage accounts.

Why this answer

The Deny effect is the correct choice because it actively prevents the creation of Azure resources that do not comply with the policy definition. In this scenario, by assigning a policy with the Deny effect that targets storage accounts with the 'Premium' performance tier, Azure Resource Manager will block any request to create a Premium storage account, ensuring only 'Standard' tier accounts are provisioned.

Exam trap

The trap here is that candidates often confuse the Audit effect with Deny, thinking that logging non-compliance is sufficient to enforce a policy, but Audit only reports violations without blocking the resource creation.

How to eliminate wrong answers

Option A is wrong because the Append effect is used to add additional fields or tags to a resource during creation or update, not to block or deny resource creation. Option C is wrong because the Audit effect only logs a compliance warning when a non-compliant resource is created or updated, but it does not prevent the resource from being provisioned. Option D is wrong because the Disabled effect means the policy rule is not evaluated at all, so it would have no impact on enforcing the storage account performance tier.

332
MCQmedium

A company needs to protect their Azure VMs from DDoS attacks at the network layer. Which Azure service provides this protection?

A.Azure Firewall
B.Azure DDoS Protection Standard
C.Network Security Groups
D.Azure WAF
AnswerB

DDoS Protection Standard provides enhanced protection against volumetric DDoS attacks for Azure resources with automatic mitigation.

Why this answer

Azure DDoS Protection Standard is the correct service because it provides dedicated mitigation against Distributed Denial of Service (DDoS) attacks targeting Azure virtual machines at the network layer (Layer 3/4). It uses adaptive tuning, traffic monitoring, and automatic attack mitigation to protect public IP addresses associated with Azure resources, including VMs, without requiring any application-level changes.

Exam trap

The trap here is that candidates often confuse Azure Firewall or NSGs with DDoS protection because they both filter traffic, but they serve fundamentally different purposes—access control versus volumetric attack mitigation—and only DDoS Protection Standard handles network-layer DDoS attacks.

How to eliminate wrong answers

Option A is wrong because Azure Firewall is a stateful, network-level firewall that filters traffic based on rules (e.g., source/destination IP, port, protocol) but does not provide DDoS mitigation at the network layer; it is designed for access control, not volumetric attack protection. Option C is wrong because Network Security Groups (NSGs) are stateless or stateful packet filters that control inbound/outbound traffic to subnets or NICs based on rules, but they cannot detect or mitigate DDoS attacks—they lack the adaptive monitoring and automatic mitigation capabilities of DDoS Protection. Option D is wrong because Azure Web Application Firewall (WAF) operates at Layer 7 (application layer) to protect web applications from threats like SQL injection and cross-site scripting, not from network-layer DDoS attacks targeting VMs.

333
MCQmedium

Which Azure service provides compliance documentation, audit reports, and regulatory certifications to help organizations meet their own compliance obligations?

A.Azure Policy compliance dashboard
B.Microsoft Service Trust Portal
C.Microsoft Defender for Cloud
D.Azure Security Center
AnswerB

The Service Trust Portal provides Microsoft's compliance documentation, audit reports, and certification artifacts for customer compliance use.

Why this answer

The Microsoft Service Trust Portal (STP) is the dedicated Azure service that provides access to compliance documentation, audit reports, and regulatory certifications. It aggregates detailed information about Microsoft's security and compliance practices, including ISO 27001, SOC 2, and FedRAMP reports, enabling organizations to verify Azure's adherence to standards and fulfill their own compliance obligations.

Exam trap

The trap here is that candidates often confuse Azure Policy's compliance dashboard (which shows policy compliance of their own resources) with the Service Trust Portal (which provides Microsoft's third-party audit reports and certifications), leading them to select Azure Policy instead of the correct service.

How to eliminate wrong answers

Option A is wrong because the Azure Policy compliance dashboard is used to enforce and evaluate organizational policies (e.g., restricting resource locations or tagging rules), not to provide third-party audit reports or regulatory certifications. Option C is wrong because Microsoft Defender for Cloud is a cloud workload protection platform (CWPP) that offers security posture management and threat detection, not compliance documentation or audit reports. Option D is wrong because Azure Security Center (now integrated into Defender for Cloud) focuses on security recommendations and vulnerability assessments, not on providing regulatory certifications or compliance documentation.

334
MCQhard

A team uses Docker containers to run microservices. They need a service that automatically manages the cluster, scales containers based on demand, and provides load balancing without requiring them to manage the underlying VMs. Which Azure compute service should they choose?

A.Azure Container Instances
B.Azure Kubernetes Service
C.Azure Batch
D.Azure Virtual Machine Scale Sets
AnswerB

Correct. AKS is a managed Kubernetes service that offers full orchestration, scaling, and load balancing.

Why this answer

Azure Kubernetes Service (AKS) is the correct choice because it provides a managed Kubernetes cluster that automates container orchestration, scaling, and load balancing. AKS abstracts the underlying VMs, handling master node management, updates, and scaling based on demand, which aligns with the team's requirement to avoid VM management.

Exam trap

The trap here is that candidates often confuse Azure Container Instances (ACI) with AKS, assuming ACI can manage clusters and scale containers across multiple nodes, but ACI is for single-container deployments without orchestration features like cluster management or multi-node load balancing.

How to eliminate wrong answers

Option A is wrong because Azure Container Instances (ACI) is a serverless container service for running individual containers on demand, but it does not provide cluster management, automatic scaling across multiple nodes, or built-in load balancing for microservices. Option C is wrong because Azure Batch is designed for high-performance computing (HPC) and parallel job scheduling, not for managing containerized microservices with dynamic scaling and load balancing. Option D is wrong because Azure Virtual Machine Scale Sets (VMSS) manage VM-level scaling and load balancing, but they require the team to manage the VMs and container orchestration themselves, which contradicts the requirement to avoid managing underlying VMs.

335
MCQhard

When using Azure, a company wants to calculate the composite SLA for two services used together where both must be available. Service A has a 99.9% SLA and Service B has a 99.95% SLA. What is the composite SLA?

A.99.95% (the higher of the two SLAs)
B.99.9% (the lower of the two SLAs)
C.Approximately 99.85%
D.100% because Azure guarantees maximum availability
AnswerC

Composite SLA = 0.999 × 0.9995 ≈ 0.99850 or ~99.85%, lower than either individual SLA.

Why this answer

When two services must both be available (an 'and' scenario), the composite SLA is calculated by multiplying their individual SLAs. Service A at 99.9% (0.999) and Service B at 99.95% (0.9995) gives 0.999 × 0.9995 = 0.9985005, which rounds to approximately 99.85%. This reflects the increased probability of failure when multiple dependencies are required.

Exam trap

The trap here is that candidates often confuse the 'and' (multiplicative) scenario with the 'or' (redundancy) scenario, mistakenly picking the higher or lower SLA instead of performing the multiplication.

How to eliminate wrong answers

Option A is wrong because it incorrectly assumes the composite SLA equals the higher individual SLA, ignoring the multiplicative effect of dependencies. Option B is wrong because it incorrectly assumes the composite SLA equals the lower individual SLA, which would only be true in a parallel (redundancy) scenario, not a sequential dependency. Option D is wrong because Azure does not guarantee 100% availability; SLAs are contractual commitments with financial credits for breaches, and no cloud provider offers absolute uptime.

336
MCQmedium

Which Azure feature allows you to prevent accidental deletion or modification of critical Azure resources?

A.Azure RBAC
B.Azure Policy
C.Azure Resource Locks
D.Azure Blueprints
AnswerC

Resource Locks prevent accidental deletion or modification by overriding user permissions for those specific operations.

Why this answer

Azure Resource Locks are designed to prevent accidental deletion or modification of critical Azure resources by applying a lock at the subscription, resource group, or resource level. There are two types: CanNotDelete (prevents deletion but allows modifications) and ReadOnly (prevents both deletion and modification). This directly addresses the scenario of protecting resources from unintended changes.

Exam trap

The trap here is that candidates confuse Azure Policy (which enforces rules during creation) with Resource Locks (which protect existing resources from deletion/modification), or they assume RBAC alone is sufficient to prevent accidental changes by authorized users.

How to eliminate wrong answers

Option A is wrong because Azure RBAC (Role-Based Access Control) manages permissions for who can perform actions on resources, but it does not prevent accidental deletion or modification by authorized users; a user with Contributor role can still delete resources. Option B is wrong because Azure Policy enforces compliance rules (e.g., requiring specific tags or SKU sizes) and can audit or deny non-compliant resource creation, but it does not block deletion or modification of existing resources. Option D is wrong because Azure Blueprints is used to orchestrate the deployment of resource groups, policies, role assignments, and ARM templates for consistent environments, not to prevent accidental changes to individual resources.

337
MCQmedium

A global e-commerce company has web applications deployed on Azure virtual machines in the West US and West Europe regions. The company needs a single, global HTTP-based entry point that can perform SSL offloading, route requests based on the URL path (e.g., /api to one backend pool, /images to another), and provide a web application firewall (WAF) to protect against common web attacks. Additionally, the solution must automatically direct users to the closest regional deployment to minimize latency. Which Azure service should the company use?

A.Azure Traffic Manager
B.Azure Application Gateway
C.Azure Load Balancer
D.Azure Front Door
AnswerD

Azure Front Door is a global HTTP(S) load balancer that provides SSL offloading, path-based routing, WAF integration, and intelligent traffic routing to the closest available regional backend. It meets all the specified requirements in a single global service.

Why this answer

Azure Front Door is the correct choice because it provides a global, HTTP/HTTPS-based entry point with SSL offloading, URL path-based routing to different backend pools, and a built-in web application firewall (WAF). It also uses Anycast-based routing to automatically direct users to the closest regional deployment, minimizing latency.

Exam trap

The trap here is that candidates often confuse Azure Application Gateway (regional, path-based routing with WAF) with Azure Front Door (global, path-based routing with WAF and global load balancing), missing the critical requirement for global traffic distribution and automatic user proximity routing.

How to eliminate wrong answers

Option A is wrong because Azure Traffic Manager operates at the DNS layer (Layer 3/4) and cannot perform SSL offloading, URL path-based routing, or provide a web application firewall (WAF); it only directs traffic based on DNS responses. Option B is wrong because Azure Application Gateway is a regional service that can perform SSL offloading, path-based routing, and WAF, but it cannot route traffic globally or automatically direct users to the closest regional deployment across multiple regions. Option C is wrong because Azure Load Balancer operates at Layer 4 (TCP/UDP) and cannot perform SSL offloading, URL path-based routing, or provide a web application firewall (WAF); it is designed for regional load balancing within a single region.

338
MCQmedium

A company plans to deploy two Azure virtual machines that host a critical web application. Both VMs will be in the same Azure region and the same virtual network. The company’s requirements are: 1) During Azure platform-initiated maintenance (e.g., OS updates), at least one VM must remain running. 2) If a hardware failure occurs in the server rack that hosts one VM, the other VM must not be affected. 3) The solution must not incur additional costs beyond the VMs themselves. Which Azure feature should the company configure?

A.Availability Zones
B.Availability Set
C.Azure Site Recovery
D.Azure Load Balancer
AnswerB

An Availability Set groups VMs across multiple fault domains (separate server racks) and update domains (for planned maintenance). This ensures that at least one VM remains available during maintenance and that a single rack failure does not affect both VMs. No additional cost is incurred for using an Availability Set.

Why this answer

An Availability Set distributes VMs across multiple fault domains (different server racks with independent power and networking) and update domains (groups that undergo platform maintenance sequentially). This ensures that during Azure-initiated maintenance, only one update domain is rebooted at a time, leaving at least one VM running, and that a hardware failure in one fault domain does not affect VMs in other fault domains. Availability Sets are free of charge beyond the cost of the VMs themselves, meeting all requirements.

Exam trap

The trap here is that candidates often confuse Availability Zones (which provide physical separation across data centers) with Availability Sets (which provide fault and update domain isolation within a single data center), leading them to choose Availability Zones despite the cost and networking constraints that make Availability Sets the correct answer for this scenario.

How to eliminate wrong answers

Option A is wrong because Availability Zones provide physical separation across different Azure data centers within a region, which incurs additional costs for inter-zone data transfer and does not guarantee that both VMs remain in the same virtual network without extra configuration; moreover, the requirement does not specify the need for zone-level isolation, and the cost constraint makes zones unsuitable. Option C is wrong because Azure Site Recovery is a disaster recovery service that replicates VMs to a secondary region for business continuity, which involves additional costs for replication, storage, and failover, and it does not address the requirement for maintaining at least one VM running during platform-initiated maintenance within the same region.

339
MCQmedium

Which Azure storage redundancy option stores three copies of data within a single data center in a single region?

A.Zone-Redundant Storage (ZRS)
B.Geo-Redundant Storage (GRS)
C.Locally Redundant Storage (LRS)
D.Read-Access Geo-Redundant Storage (RA-GRS)
AnswerC

LRS keeps three copies within a single data center in one region — the lowest cost option.

Why this answer

Locally Redundant Storage (LRS) replicates data three times within a single physical data center in a single region. This provides protection against server rack and drive failures but does not protect against a full data center outage. It is the lowest-cost redundancy option and is suitable for scenarios where data can be reconstructed from other sources.

Exam trap

The trap here is that candidates confuse 'zone' (availability zone) with 'data center' and incorrectly choose ZRS, thinking it replicates within a single data center, when in fact ZRS spans multiple data centers (availability zones) within a region.

How to eliminate wrong answers

Option A is wrong because Zone-Redundant Storage (ZRS) replicates data synchronously across three Azure availability zones within a single region, not within a single data center. Option B is wrong because Geo-Redundant Storage (GRS) replicates data to a secondary region, not within a single data center. Option D is wrong because Read-Access Geo-Redundant Storage (RA-GRS) is a variant of GRS that additionally provides read access to the secondary region copy; it also does not store three copies within a single data center.

340
MCQmedium

A retail company is planning to migrate its e-commerce application to Azure. The application will run on an Azure virtual machine that the company will manage. The IT manager wants to ensure that security patches are applied promptly. According to the shared responsibility model, who is responsible for applying security updates to the guest operating system of the Azure virtual machine?

A.Microsoft, because they manage the hypervisor under the virtual machine.
B.The customer, because the guest operating system is under the customer's control.
C.Both Microsoft and the customer share responsibility equally for patching the guest operating system.
D.The customer, but only if they have configured Azure Policy to enforce patch compliance.
AnswerB

In the shared responsibility model, the customer manages the guest OS, applications, and data. Even though the VM runs on Microsoft infrastructure, the customer has full administrative access and must apply updates to the guest OS.

Why this answer

In the shared responsibility model, the customer is responsible for securing and patching the guest operating system (OS) of an Azure virtual machine because the customer retains control over the OS, applications, and data. Microsoft manages the underlying hypervisor and physical infrastructure but does not have access to the guest OS. Therefore, the customer must apply security updates to the guest OS.

Exam trap

The trap here is that candidates confuse the hypervisor (managed by Microsoft) with the guest OS (managed by the customer), leading them to incorrectly select option A or C, assuming Microsoft handles all security updates for VMs.

How to eliminate wrong answers

Option A is wrong because Microsoft is responsible for the hypervisor and physical host, not the guest OS; the customer manages the guest OS. Option C is wrong because responsibility is not shared equally for the guest OS; the customer has full control and accountability for patching it, while Microsoft secures the host. Option D is wrong because Azure Policy can enforce compliance rules but does not change the fundamental responsibility for applying patches; the customer must still perform the patching regardless of policy configuration.

341
MCQmedium

A company decides to move its email to Microsoft 365. What cloud service model is this an example of?

A.IaaS
B.PaaS
C.SaaS
D.On-premises
AnswerC

Microsoft 365 email is SaaS — Microsoft manages everything; users access the fully managed email application.

Why this answer

Moving email to Microsoft 365 is an example of Software as a Service (SaaS) because Microsoft provides the entire email application (Exchange Online) as a fully managed service. The customer accesses the software via a web browser or email client without managing the underlying infrastructure, operating system, or middleware.

Exam trap

The trap here is that candidates often confuse PaaS with SaaS because both are cloud services, but PaaS is for building and deploying custom applications, whereas SaaS delivers a fully functional application like email.

How to eliminate wrong answers

Option A is wrong because IaaS (Infrastructure as a Service) provides virtualized computing resources like VMs and storage, not a complete email application. Option B is wrong because PaaS (Platform as a Service) provides a platform for developing and deploying custom applications, not a ready-to-use email service. Option D is wrong because on-premises would require the company to host and manage its own email servers and software locally, which is the opposite of moving to Microsoft 365.

342
MCQmedium

A company has an Azure subscription with multiple resource groups. The governance team wants to ensure that every new resource created in the subscription automatically receives a 'Department' tag with a default value of 'Finance' if the creator did not specify one. The team wants the tag to be applied without blocking the creation of the resource. Which Azure feature should they use?

A.Azure Policy with the 'Deny' effect
B.Azure Policy with the 'Append' effect
C.Azure Resource Lock
D.Azure role-based access control (RBAC) with a custom role
AnswerB

The 'Append' effect is designed to automatically add specified fields (such as tags) to a resource during creation or update. This meets the requirement because the tag is applied without blocking resource creation.

Why this answer

Azure Policy with the 'Append' effect is the correct choice because it adds the 'Department' tag with a default value of 'Finance' to a resource during creation or update, without blocking the operation. Unlike 'Deny', which prevents non-compliant resources, 'Append' modifies the resource request to include the missing tag, ensuring compliance without interrupting the creation process.

Exam trap

The trap here is that candidates often confuse 'Append' with 'Deny', assuming that enforcing a tag requires blocking non-compliant resources, but 'Append' silently adds the missing tag without interrupting the creation flow.

How to eliminate wrong answers

Option A is wrong because Azure Policy with the 'Deny' effect would block the creation of any resource that does not already have the 'Department' tag, which contradicts the requirement to not block creation. Option C is wrong because Azure Resource Lock prevents deletion or modification of existing resources at the resource group or subscription level, but it cannot automatically add tags to new resources during creation.

343
MCQmedium

Which Azure service provides a managed Apache Hadoop cluster for processing large amounts of data using batch analytics?

A.Azure Databricks
B.Azure HDInsight
C.Azure Synapse Analytics
D.Azure Stream Analytics
AnswerB

HDInsight provides managed Apache Hadoop (and other open-source frameworks) for batch analytics on large datasets.

Why this answer

Azure HDInsight is the correct answer because it is a fully managed, open-source analytics service that provides Apache Hadoop clusters specifically designed for batch processing of large data sets using MapReduce and other Hadoop ecosystem components. Unlike other services, HDInsight directly supports Hadoop's distributed file system (HDFS) and YARN resource management, making it the native choice for traditional big data batch analytics.

Exam trap

The trap here is that candidates confuse Azure Databricks (which also uses Spark) with HDInsight, but Databricks is not a managed Hadoop cluster and focuses on collaborative analytics and machine learning, not native batch Hadoop processing.

How to eliminate wrong answers

Option A is wrong because Azure Databricks is an Apache Spark-based analytics platform optimized for interactive and real-time processing, not a managed Hadoop cluster for batch analytics. Option C is wrong because Azure Synapse Analytics is a unified data warehouse and big data analytics service that uses SQL pools and serverless SQL, not a managed Hadoop cluster. Option D is wrong because Azure Stream Analytics is a real-time event processing engine for streaming data, not a batch analytics service for large static datasets.

344
MCQmedium

A company is deploying a web application in Azure. The application consists of an Azure App Service, an Azure SQL Database, and a Storage account. The development team maintains three separate environments: development, test, and production. The team wants to be able to delete all resources associated with a specific environment (e.g., development) in a single action, without affecting the other environments. The solution must also allow applying role-based access control (RBAC) and tags consistently to all resources within each environment. Which Azure component should the team use to achieve these requirements?

A.Azure subscription
B.Azure resource group
C.Azure management group
D.Azure availability zone
AnswerB

A resource group is a container that holds related resources for an Azure solution. It allows you to manage, delete, and apply policies, tags, and RBAC to all resources in that group together. This is exactly what the team needs to manage each environment independently.

Why this answer

An Azure resource group is a logical container that holds related resources for an Azure solution. By placing all resources for a specific environment (e.g., development) into a single resource group, the team can delete the entire environment in one action by deleting the resource group, without affecting other environments. Additionally, RBAC roles and tags applied at the resource group level are inherited by all resources within that group, ensuring consistent governance.

Exam trap

The trap here is that candidates often confuse resource groups with subscriptions or management groups, thinking that a subscription is needed to isolate environments, but subscriptions are billing boundaries, not lifecycle containers for a single environment's resources.

How to eliminate wrong answers

Option A is wrong because an Azure subscription is a billing and management boundary that can contain multiple environments; deleting a subscription would remove all environments, not just one, and it does not provide granular per-environment RBAC or tag inheritance. Option C is wrong because an Azure management group is a hierarchical container used to manage governance, policy, and compliance across multiple subscriptions, not to group resources within a single environment for lifecycle management. Option D is wrong because an Azure availability zone is a physically separate datacenter within an Azure region used for high availability and disaster recovery, not a logical container for organizing resources or applying RBAC and tags.

345
MCQmedium

A company has a critical Azure Storage account that stores immutable backups. The IT administrator wants to ensure that no one can delete or modify this storage account, even administrators with Contributor or Owner roles. The company still needs to allow read access to the data within the storage account. Which Azure governance feature should the administrator implement?

A.Azure Policy with Deny effect
B.Azure Blueprint with role assignment
C.Azure Resource Manager read-only lock
D.Azure role-based access control (RBAC) with Reader role
AnswerC

A read-only lock on the storage account prevents any user, including those with Owner or Contributor roles, from deleting or modifying the resource. It still allows read operations, such as reading the backup data. This lock is the correct Azure governance feature to make a resource immutable and protect it from accidental or intentional deletion or changes.

Why this answer

Option C is correct because an Azure Resource Manager read-only lock prevents any user, including those with Contributor or Owner roles, from deleting or modifying the storage account while still allowing read access to the data. This lock operates at the management plane, blocking DELETE and PATCH operations via the Azure Resource Manager API, but does not affect data plane operations like reading blobs or files.

Exam trap

The trap here is that candidates often confuse Azure Policy (which enforces compliance rules) with Azure Resource Manager locks (which prevent accidental deletion or modification), or they assume RBAC alone can block privileged users, not realizing that locks override RBAC for management-plane operations.

How to eliminate wrong answers

Option A is wrong because Azure Policy with Deny effect can enforce compliance rules (e.g., requiring encryption), but it does not prevent deletion or modification of the resource itself by privileged users; it only blocks non-compliant configurations. Option B is wrong because Azure Blueprint with role assignment is used to deploy and govern a set of resources and policies, not to apply a blanket lock that overrides all roles. Option D is wrong because Azure RBAC with Reader role would prevent modifications by users assigned that role, but it does not protect against administrators with Contributor or Owner roles who can change or delete the storage account.

346
MCQmedium

A company has a policy that all Azure Storage accounts must have diagnostic settings enabled to send logs and metrics to a specific Log Analytics workspace. The governance team wants to automatically configure these diagnostic settings when a new storage account is created, without blocking the initial creation. The solution must not require manual intervention. Which Azure Policy effect should the team use in their policy definition?

A.DeployIfNotExists
B.Audit
C.Deny
D.Append
AnswerA

DeployIfNotExists will automatically deploy a diagnostic setting to a storage account if it does not already exist. This meets the requirement of automatic configuration without blocking the storage account creation.

Why this answer

The DeployIfNotExists effect is correct because it automatically deploys a remediation task to configure diagnostic settings on storage accounts that lack them, without blocking the initial creation of the resource. This effect evaluates resources after creation and triggers a deployment to bring non-compliant resources into compliance, which aligns with the requirement for automatic configuration without manual intervention.

Exam trap

The trap here is that candidates often choose Audit thinking it will automatically fix the issue, or Deny thinking it will enforce compliance, but only DeployIfNotExists provides automatic remediation without blocking creation.

How to eliminate wrong answers

Option B (Audit) is wrong because it only logs non-compliance by marking the storage account as non-compliant in Azure Policy, but it does not automatically deploy or configure the diagnostic settings. Option C (Deny) is wrong because it blocks the creation of the storage account entirely if the diagnostic settings are not included at creation time, which violates the requirement to not block initial creation.

347
MCQmedium

A company needs to grant a group of users the ability to restart and start/stop virtual machines, but not to create or delete them. They want to assign this permission at the resource group level. What should they do?

A.Assign the built-in Contributor role
B.Create a custom role with the required actions
C.Assign the built-in Virtual Machine Contributor role
D.Use Azure Policy to restrict operations
AnswerB

A custom role can include just the 'Virtual Machine Contributor' or specific actions like start, restart, and deallocate.

Why this answer

Option B is correct because Azure's built-in roles do not provide a granular permission set that allows restarting and starting/stopping VMs while explicitly denying creation and deletion. A custom role must be created with specific actions such as 'Microsoft.Compute/virtualMachines/start/action', 'Microsoft.Compute/virtualMachines/restart/action', and 'Microsoft.Compute/virtualMachines/deallocate/action', and exclude actions like 'Microsoft.Compute/virtualMachines/write' and 'Microsoft.Compute/virtualMachines/delete'. This custom role can then be assigned at the resource group scope to grant the precise permissions required.

Exam trap

The trap here is that candidates often assume the Virtual Machine Contributor role (Option C) is sufficient for start/stop operations, but they overlook that it also includes write permissions that allow VM creation and deletion, which violates the requirement to restrict those actions.

How to eliminate wrong answers

Option A is wrong because the Contributor role includes the 'Microsoft.Compute/virtualMachines/write' action, which allows creating and deleting VMs, exceeding the required permissions. Option C is wrong because the Virtual Machine Contributor role also includes 'Microsoft.Compute/virtualMachines/write', enabling VM creation and deletion, which is not allowed. Option D is wrong because Azure Policy is used to enforce compliance rules (e.g., restricting VM SKUs or locations) and cannot grant or deny specific RBAC actions like start/stop; it operates on resource configurations, not permissions.

348
MCQmedium

A company has deployed a critical production application in an Azure resource group. The security team wants to prevent accidental deletion or modification of any resources within that resource group. They have already configured Azure RBAC roles to grant only necessary permissions to the operations team. However, they need an additional protection that even users with Owner permissions cannot delete the resource group or its resources without a two-step process to remove the protection. Which Azure feature should the company implement?

A.Azure Policy
B.Azure Resource Lock
C.Azure Blueprint
D.Azure Resource Tag
AnswerB

Azure Resource Locks (CanNotDelete or ReadOnly) prevent accidental deletion or modification of resources. Even users with Owner permissions must remove the lock before they can delete the resource, ensuring a two-step process. This meets the stated requirement exactly.

Why this answer

Azure Resource Lock is the correct feature because it provides a protection mechanism that prevents accidental deletion or modification of resources, even for users with Owner permissions. Unlike RBAC, which controls who can perform actions, a resource lock enforces a restriction that must be explicitly removed (a two-step process) before any changes can be made. This directly addresses the requirement for an additional layer of protection beyond role-based access control.

Exam trap

The trap here is that candidates often confuse Azure Policy with Azure Resource Lock, thinking that a policy can prevent deletion, but policies only audit or enforce configuration rules and do not block delete operations at the resource manager level like a lock does.

How to eliminate wrong answers

Option A is wrong because Azure Policy is used to enforce organizational standards and compliance by evaluating and auditing resource configurations (e.g., requiring specific tags or restricting resource SKUs), but it does not provide a lock that prevents deletion or modification actions by users with Owner permissions. Option C is wrong because Azure Blueprint is a declarative template for deploying and orchestrating resources, policies, and role assignments at scale, but it does not create a persistent lock that requires a two-step removal process to protect against accidental deletion.

349
MCQmedium

A company runs a critical application on multiple Azure virtual machines (VMs) in the East US region. The application requires that the VMs are physically separated from any other customer's workloads and that the underlying physical servers are dedicated to this company alone. The compliance team mandates that no other customer's VMs can run on the same physical hardware. Which Azure compute offering should the company use to meet this requirement?

A.Azure Dedicated Host
B.Azure Availability Set
C.Azure Virtual Machine Scale Set
D.Azure Reserved Virtual Machine Instances
AnswerA

Correct. Azure Dedicated Host provides single-tenant physical servers dedicated to a single customer, ensuring complete physical isolation from other customers' workloads.

Why this answer

Azure Dedicated Host provides single-tenant physical servers dedicated to a single customer, ensuring that no other customer's VMs run on the same hardware. This meets the compliance requirement for physical separation and dedicated underlying servers. The company can deploy VMs directly onto these dedicated hosts, guaranteeing isolation at the hardware level.

Exam trap

The trap here is that candidates often confuse Azure Dedicated Host with Azure Reserved Instances or Availability Sets, mistakenly thinking that high availability or cost savings can achieve physical isolation, when only Dedicated Host provides dedicated physical servers.

How to eliminate wrong answers

Option B (Azure Availability Set) is wrong because it only provides high availability by distributing VMs across fault domains and update domains within the same physical infrastructure, but does not guarantee physical separation from other customers' workloads. Option C (Azure Virtual Machine Scale Set) is wrong because it is designed for auto-scaling and load balancing of identical VMs, but it does not provide dedicated physical hardware or isolation from other tenants. Option D (Azure Reserved Virtual Machine Instances) is wrong because it is a billing discount for committing to a one- or three-year term, and it does not affect the underlying physical hardware or provide any form of tenant isolation.

350
MCQmedium

A company runs a critical ERP system on-premises and plans to extend the application to Azure IaaS VMs for burst capacity. The network team requires a dedicated, private connection between the on-premises data center and Azure that does not traverse the public internet. The connection must offer consistent latency, high bandwidth options up to 10 Gbps, and a financially backed SLA for availability. Which Azure service should the team provision to meet these requirements?

A.Azure ExpressRoute
B.Azure VPN Gateway (site-to-site)
C.Azure Front Door
D.Azure Bastion
AnswerA

Correct. ExpressRoute provides a dedicated private circuit from an on-premises network to Azure, bypassing the public internet for improved latency, security, and reliability. It supports high bandwidth (up to 10 Gbps) and offers a financially backed SLA (e.g., 99.95% availability for a single connection).

Why this answer

Azure ExpressRoute provides a dedicated, private connection from on-premises to Azure that bypasses the public internet, ensuring consistent latency and high bandwidth up to 10 Gbps. It also offers a financially backed SLA for availability, making it the ideal choice for extending a critical ERP system for burst capacity with predictable performance.

Exam trap

Microsoft often tests the misconception that a site-to-site VPN can provide dedicated, private connectivity with guaranteed performance, but the key differentiator is that ExpressRoute bypasses the public internet entirely and offers a financially backed SLA.

How to eliminate wrong answers

Option B is wrong because Azure VPN Gateway (site-to-site) uses IPSec tunnels over the public internet, which does not guarantee consistent latency, high bandwidth up to 10 Gbps, or a financially backed SLA for availability. Option C is wrong because Azure Front Door is a global load balancer and application delivery service that operates over the public internet, not a dedicated private connection, and it does not provide a direct private link between on-premises and Azure VNets.

351
MCQmedium

Which Azure governance concept ensures that access to resources is granted only to users who need it for their job function?

A.Defense in depth
B.Principle of least privilege
C.Role inheritance
D.Separation of duties
AnswerB

Least privilege grants only the minimum permissions needed for job functions, reducing the attack surface.

Why this answer

The principle of least privilege is an Azure governance concept that ensures users are granted only the minimum permissions necessary to perform their job functions. In Azure, this is implemented through Azure RBAC (Role-Based Access Control), where custom or built-in roles define specific actions allowed on resources, preventing over-permissioning.

Exam trap

The trap here is that candidates often confuse 'defense in depth' (a layered security strategy) with 'principle of least privilege' (an access control concept), leading them to pick Option A when the question specifically asks about granting access based on job function.

How to eliminate wrong answers

Option A is wrong because defense in depth is a security strategy that layers multiple controls (e.g., network, encryption, physical) to protect resources, not a principle for limiting access based on job need. Option C is wrong because role inheritance in Azure refers to how permissions propagate from a parent scope (e.g., subscription) to child scopes (e.g., resource group), not a governance concept for granting minimal access. Option D is wrong because separation of duties is a control that prevents a single user from performing conflicting actions (e.g., creating and approving a change), which is distinct from limiting access to only what is needed for a job function.

352
MCQmedium

A company has an Azure subscription with hundreds of existing virtual machines. The governance team wants to enforce a policy that every virtual machine must have a tag named 'CostCenter' with a valid value. The team wants to automatically add the 'CostCenter' tag with a default value of 'Undefined' to any existing or new virtual machine that is missing the tag. They do not want to block the creation of virtual machines that are missing the tag, but they do want the tag to be added automatically within a few minutes of detection. Which Azure Policy effect should the team use?

A.Audit
B.Deny
C.Append
D.Modify
AnswerD

The Modify effect uses a defined role (via managed identity) to change resource properties on existing and new resources. It can automatically add the 'CostCenter' tag with a default value to both existing VMs (through remediation tasks that run automatically or on a schedule) and new VMs, fulfilling the requirement without blocking resource creation.

Why this answer

The Modify effect is correct because it can automatically add or change tags on existing and new resources without blocking creation. Unlike Append, which only works during resource creation and cannot modify existing resources, Modify uses a 'remediation' task to fix non-compliant resources after they are created, aligning with the requirement to add the tag within minutes of detection.

Exam trap

The trap here is that candidates often confuse Append with Modify, assuming Append can handle existing resources, but Append only applies during resource creation, while Modify is designed for both new and existing resources with remediation.

How to eliminate wrong answers

Option A is wrong because Audit only logs non-compliant resources without taking any automatic remediation action. Option B is wrong because Deny would block the creation of virtual machines missing the tag, which contradicts the requirement to allow creation. Option C is wrong because Append can add tags during resource creation but cannot modify existing resources, and it does not support automatic remediation for already-deployed VMs.

353
MCQeasy

A company wants to segregate their Azure resources into logical groups based on department and environment. They also want to apply access control and management at these group levels. Which Azure construct should they use?

A.Resource groups
B.Availability sets
C.Virtual networks
D.Subscriptions
AnswerA

Correct. Resource groups group resources for management, RBAC, and policy enforcement.

Why this answer

Resource groups are logical containers in Azure that allow you to group related resources (e.g., VMs, databases, storage) by department and environment. They enable you to apply access control via Azure RBAC and management policies (e.g., tags, locks) at the group level, ensuring consistent governance across all resources within the group.

Exam trap

The trap here is that candidates often confuse subscriptions with resource groups, thinking subscriptions are the correct logical grouping mechanism, but subscriptions are billing and administrative boundaries, not designed for fine-grained grouping by department and environment.

How to eliminate wrong answers

Option B is wrong because availability sets are a VM high-availability feature that distributes VMs across fault and update domains, not a logical grouping construct for access control or management. Option C is wrong because virtual networks provide network isolation and connectivity for Azure resources, but they do not serve as a management or access control boundary for grouping resources by department or environment. Option D is wrong because subscriptions are billing and administrative boundaries that contain resource groups, but they are too coarse-grained for segregating resources by department and environment; resource groups are the correct construct for that purpose.

354
MCQmedium

What does the term 'fault tolerance' mean in cloud computing?

A.The ability to scale resources up and down automatically
B.The ability to continue operating despite component failures
C.The ability to recover data after accidental deletion
D.The ability to deploy applications across multiple regions
AnswerB

Fault tolerance means the system remains functional even when individual components fail, through redundancy and failover.

Why this answer

Fault tolerance is the ability of a system to continue operating without interruption when one or more of its components fail. In Azure, this is achieved through redundancy at multiple layers—such as using Availability Zones or redundant hardware—so that a failure in a single server, network path, or power supply does not bring down the entire workload. This is distinct from high availability, which focuses on minimizing downtime, whereas fault tolerance aims for zero downtime even during failures.

Exam trap

The trap here is that candidates often confuse 'fault tolerance' with 'high availability' or 'disaster recovery', but the key differentiator is that fault tolerance implies zero downtime and no data loss during a failure, whereas high availability may involve a brief interruption and disaster recovery involves a longer recovery time objective (RTO).

How to eliminate wrong answers

Option A is wrong because it describes 'elasticity' or 'autoscaling', which is the ability to automatically adjust resources based on demand, not the ability to withstand component failures. Option C is wrong because it describes 'disaster recovery' or 'backup and restore' capabilities, specifically data recovery after accidental deletion, which is a data protection feature, not a fault tolerance mechanism. Option D is wrong because deploying across multiple regions is a 'geo-redundancy' or 'disaster recovery' strategy that provides resilience against region-wide outages, but fault tolerance is a more granular concept that can be achieved within a single region or even a single datacenter through redundant components.

355
MCQeasy

A startup wants to use cloud services to launch their product quickly without investing in hardware. Which cloud benefit does this BEST describe?

A.Fault tolerance
B.Disaster recovery
C.Agility and speed to market
D.Geographic distribution
AnswerC

Cloud agility lets organizations launch products quickly without hardware investment, enabling faster time to market.

Why this answer

The startup's need to launch quickly without upfront hardware investment directly maps to the cloud benefit of agility and speed to market. Azure's pay-as-you-go model and instant provisioning of virtual machines (e.g., Azure VMs) or platform services (e.g., Azure App Service) eliminate procurement delays, allowing deployment in minutes rather than weeks. This is the core value proposition of cloud computing for rapid product iteration.

Exam trap

The trap here is that candidates confuse 'agility' (speed of deployment and iteration) with operational resilience features like fault tolerance or disaster recovery, which are separate cloud benefits that do not address the core requirement of launching quickly without hardware investment.

How to eliminate wrong answers

Option A is wrong because fault tolerance refers to a system's ability to continue operating after a component failure, typically achieved through redundancy (e.g., Azure Availability Zones), not the speed of initial deployment or hardware avoidance. Option B is wrong because disaster recovery is a specific set of policies and tools (e.g., Azure Site Recovery) for restoring services after a catastrophic event, not a benefit for launching a product quickly without hardware. Option D is wrong because geographic distribution describes deploying resources across multiple Azure regions to reduce latency or meet data residency requirements, which is a separate benefit unrelated to the speed of initial launch or hardware investment.

356
MCQeasy

Which Azure tool provides an interactive, browser-based command-line experience that is authenticated and pre-configured for Azure management?

A.Azure DevOps CLI
B.Azure Cloud Shell
C.Azure Remote Desktop
D.Azure Automation
AnswerB

Cloud Shell provides a browser-based, authenticated shell with Azure CLI and PowerShell pre-installed.

Why this answer

Azure Cloud Shell is the correct answer because it provides an interactive, browser-based command-line experience (PowerShell or Bash) that is automatically authenticated with your Azure credentials and pre-configured with common Azure management tools like Azure CLI, PowerShell modules, and storage. This allows users to manage Azure resources directly from a web browser without any local installation or configuration.

Exam trap

The trap here is that candidates may confuse Azure Cloud Shell with Azure DevOps CLI, thinking both are browser-based command-line tools, but Azure DevOps CLI is a local extension for the Azure CLI and does not provide a pre-configured, browser-based shell environment.

How to eliminate wrong answers

Option A is wrong because Azure DevOps CLI is a command-line extension for managing Azure DevOps services (like boards, repos, pipelines) and is not a browser-based, pre-authenticated shell for general Azure management. Option C is wrong because Azure Remote Desktop provides a graphical remote desktop connection to Windows virtual machines, not a command-line interface for Azure management. Option D is wrong because Azure Automation is a cloud-based automation and configuration management service that runs runbooks and configurations, not an interactive command-line experience.

357
MCQmedium

Which of the following best describes the 'shared responsibility' for operating system updates under the IaaS model?

A.The cloud provider is responsible for patching the OS in IaaS VMs
B.The customer is responsible for patching the guest OS in IaaS VMs
C.Both customer and provider share equal responsibility for OS patches in IaaS
D.OS patching is not required in cloud environments as Azure handles this automatically
AnswerB

In IaaS, customers must patch and maintain the guest OS; the provider manages physical infrastructure and hypervisor.

Why this answer

Under the Infrastructure as a Service (IaaS) model, the cloud provider is responsible for the physical infrastructure and the hypervisor, but the customer retains control over the guest operating system running inside the virtual machine. Therefore, the customer is responsible for patching and updating the guest OS, including applying security updates and managing configuration. This aligns with the shared responsibility model where the customer manages anything they deploy on top of the abstracted infrastructure.

Exam trap

The trap here is that candidates often assume the cloud provider handles all security updates, confusing IaaS with PaaS or SaaS where the provider does manage the OS, leading them to incorrectly select option A or D.

How to eliminate wrong answers

Option A is wrong because the cloud provider does not patch the guest OS in IaaS VMs; they only manage the underlying host OS and physical hardware. Option C is wrong because the responsibility for OS patches is not shared equally; the customer has full control and accountability for the guest OS, while the provider handles the host-level patches. Option D is wrong because OS patching is still required in cloud environments; Azure does not automatically patch the guest OS in IaaS VMs—the customer must manage updates themselves or use tools like Azure Update Manager.

358
MCQmedium

What benefit does Azure provide that specifically helps companies maintain business continuity when their primary location is unavailable?

A.Economies of scale reducing operational costs
B.Geo-redundancy and disaster recovery capabilities
C.Automatic performance optimization for all applications
D.Unified billing for all cloud services
AnswerB

Azure's geographic distribution and DR services maintain business continuity when primary locations are unavailable.

Why this answer

Azure's geo-redundancy and disaster recovery capabilities, such as Azure Site Recovery and geo-redundant storage (GRS), replicate workloads and data across paired Azure regions. This ensures that if a primary location fails due to an outage or disaster, services can failover to a secondary region, maintaining business continuity with minimal downtime and data loss.

Exam trap

The trap here is that candidates confuse high availability features (like load balancing or autoscaling) with disaster recovery, which specifically requires cross-region replication and failover capabilities to handle complete site failures.

How to eliminate wrong answers

Option A is wrong because economies of scale reduce operational costs through shared infrastructure, but they do not provide any mechanism for maintaining availability during a primary location outage. Option C is wrong because automatic performance optimization (e.g., Azure Autoscale or Azure Load Balancer) improves application responsiveness under load, but it does not address failover or data replication for disaster recovery. Option D is wrong because unified billing consolidates cost management across services, but it has no role in ensuring service continuity or data resilience during a disaster.

359
MCQeasy

What is 'scalability' in the context of cloud computing?

A.The ability to keep services running during failures
B.The ability to increase or decrease resources to match demand
C.The ability to recover data after a disaster
D.The ability to deploy resources in multiple geographic regions
AnswerB

Scalability is the ability to add or remove resources dynamically to match workload demand.

Why this answer

Scalability in cloud computing refers to the ability to dynamically adjust resources (such as compute power, memory, or storage) to match fluctuating demand. This is a core benefit of cloud platforms like Azure, enabling automatic scaling via services such as Azure Virtual Machine Scale Sets or Azure App Service autoscale, ensuring performance without over-provisioning.

Exam trap

The trap here is confusing scalability with high availability or disaster recovery, as all three are cloud benefits but serve distinct purposes; candidates often pick 'keeping services running during failures' (A) because they associate 'scaling' with reliability, but scalability is specifically about matching demand, not fault tolerance.

How to eliminate wrong answers

Option A is wrong because it describes 'resilience' or 'high availability', not scalability; resilience focuses on maintaining service continuity during failures through redundancy and failover mechanisms. Option C is wrong because it describes 'disaster recovery' (DR), which involves restoring data and services after a catastrophic event, not adjusting resources to meet demand. Option D is wrong because it describes 'geographic distribution' or 'global reach', which is about deploying resources across multiple regions for latency or compliance, not the ability to scale resources up or down.

360
MCQeasy

What is the Azure portal?

A.A marketplace for purchasing Azure hardware for on-premises deployment
B.A web-based graphical console for creating, managing, and monitoring Azure resources
C.A command-line tool for automating Azure resource deployments
D.A documentation site for Azure services
AnswerB

The Azure portal is the primary web GUI for managing all Azure services at portal.azure.com.

Why this answer

The Azure portal is a web-based graphical user interface (GUI) that allows users to create, manage, and monitor Azure resources through a browser. It provides a unified console for tasks such as deploying virtual machines, configuring networking, and viewing cost analytics, without requiring command-line tools or local software.

Exam trap

The trap here is that candidates confuse the Azure portal with Azure CLI or PowerShell, thinking all management tools are command-line based, but the portal is explicitly a web-based GUI for interactive management.

How to eliminate wrong answers

Option A is wrong because the Azure portal is not a marketplace for purchasing hardware; Azure hardware is managed entirely by Microsoft in its data centers, and customers do not purchase physical hardware for on-premises deployment through the portal. Option C is wrong because the Azure portal is a graphical console, not a command-line tool; command-line automation is handled by tools like Azure CLI or Azure PowerShell. Option D is wrong because the Azure portal is an interactive management interface, not a documentation site; Azure documentation is hosted separately on learn.microsoft.com.

361
MCQmedium

A company has an Azure Policy assignment that denies the creation of any virtual machine (VM) that does not have a mandatory 'CostCenter' tag. A development team needs to deploy a temporary test VM without the required tag for a short-term experiment. The governance team wants to allow this specific exception while recording the reason for the exception, ensuring the policy is still enforced for all other resources. The exception must also automatically expire after 30 days. Which Azure Policy feature should the governance team use?

A.Exclusion scope
B.Exemption
C.Audit effect
D.Override effect
AnswerB

This is correct because an exemption allows resources to be evaluated by the policy but marks them as exempt. You can provide a rationale, set an expiration date, and categorize the exemption (e.g., 'Mitigated' or 'Waiver'). The policy remains enforced for all other resources, and the exemption is visible in compliance reports for auditing.

Why this answer

Azure Policy Exemption allows the governance team to create a specific exception for the test VM while recording the reason and setting an automatic expiration date (30 days). Unlike exclusion scopes, exemptions are explicitly designed to handle scenarios where a resource should be excluded from policy evaluation with a defined justification and expiry, ensuring the policy remains enforced for all other resources.

Exam trap

The trap here is that candidates confuse 'Exclusion scope' (which permanently removes resources from policy evaluation without logging) with 'Exemption' (which provides a recorded, time-bound exception), leading them to choose the wrong feature for temporary, auditable exceptions.

How to eliminate wrong answers

Option A is wrong because Exclusion scope removes a resource from policy evaluation entirely without any recording of reason or automatic expiration, which would bypass the policy without accountability. Option C is wrong because Audit effect only logs non-compliance without blocking creation, so it would not deny the VM creation as required by the policy; it merely reports violations.

362
MCQmedium

A company is developing a new web application. The development team wants to deploy the application code without having to manage the underlying virtual machines, operating systems, or runtime environments. They only want to focus on writing code and let the cloud provider handle the infrastructure, platform, and scaling automatically. Which cloud service model does this scenario describe?

A.Infrastructure as a Service (IaaS)
B.Platform as a Service (PaaS)
C.Software as a Service (SaaS)
D.Function as a Service (FaaS)
AnswerB

PaaS provides a fully managed platform that includes the operating system, language runtime, and middleware. Developers can deploy web applications without worrying about underlying servers or scaling, matching the scenario exactly.

Why this answer

This scenario describes Platform as a Service (PaaS) because the development team wants to deploy application code without managing the underlying virtual machines, operating systems, or runtime environments. PaaS provides a managed hosting environment where the cloud provider handles infrastructure, platform updates, and automatic scaling, allowing developers to focus solely on writing and deploying code. In contrast, IaaS would require managing VMs and OS, while SaaS delivers fully built applications, not a platform for custom code deployment.

Exam trap

The trap here is that candidates often confuse PaaS with IaaS because both involve deploying applications, but IaaS requires managing the OS and runtime, while PaaS abstracts them entirely—a distinction Microsoft emphasizes by highlighting 'no OS management' as the key differentiator.

How to eliminate wrong answers

Option A is wrong because Infrastructure as a Service (IaaS) provides virtual machines, storage, and networking, but the customer must manage the operating system, runtime, and application code—contradicting the requirement to avoid managing VMs and OS. Option C is wrong because Software as a Service (SaaS) delivers ready-to-use applications accessed via a browser or API, not a platform for deploying custom application code; the development team would have no control over the runtime or scaling of their own code.

363
MCQmedium

A financial services firm uses a hybrid cloud strategy. They run customer-facing applications in a public cloud and store sensitive customer data in an on-premises data center to meet regulatory compliance. The firm wants to allow its applications in the public cloud to securely access the on-premises data when needed. Which cloud deployment model best describes this setup?

A.Public cloud
B.Private cloud
C.Hybrid cloud
D.Community cloud
AnswerC

Correct. A hybrid cloud combines public cloud and private cloud (on-premises) environments, enabling data and application sharing. This matches the firm's setup of running applications in the public cloud while keeping sensitive data on-premises with secure connectivity.

Why this answer

Option C is correct because the scenario describes a hybrid cloud deployment model, which combines a public cloud (for customer-facing applications) with an on-premises private cloud (for sensitive data storage) and enables secure connectivity between them, typically through VPN or dedicated circuits like Azure ExpressRoute. This allows the firm to meet regulatory compliance by keeping sensitive data on-premises while leveraging public cloud scalability for applications.

Exam trap

The trap here is that candidates may confuse 'hybrid cloud' with 'public cloud' because they see the use of a public cloud provider, but the key differentiator is the integration with on-premises infrastructure to meet compliance requirements.

How to eliminate wrong answers

Option A is wrong because a public cloud model would store all resources, including sensitive customer data, in the cloud provider's infrastructure, which would not satisfy the regulatory requirement to keep data on-premises. Option B is wrong because a private cloud model would keep everything on-premises, failing to utilize the public cloud for customer-facing applications as described. Option D is wrong because a community cloud is shared by several organizations with common concerns (e.g., compliance or security requirements), but this scenario involves only one firm using both public and private environments, not a multi-tenant community.

364
MCQeasy

What is an Azure availability zone?

A.A geographic region with multiple Azure datacenters
B.A physically separate datacenter within an Azure region with independent power and cooling
C.A pair of geographically distant Azure regions
D.A logical grouping of Azure resources for billing
AnswerB

Availability zones are distinct datacenters within a region, each independent so a failure in one doesn't affect others.

Why this answer

An Azure availability zone is a physically separate datacenter within an Azure region, each with its own independent power, cooling, and networking. This isolation ensures that if one zone fails, applications and data in other zones remain unaffected, providing high availability and fault tolerance for critical workloads.

Exam trap

The trap here is that candidates often confuse an availability zone with an Azure region or a region pair, mistakenly thinking a zone spans multiple datacenters or is used for geo-redundancy, when in fact it is a single, isolated datacenter within one region.

How to eliminate wrong answers

Option A is wrong because a geographic region with multiple Azure datacenters describes an Azure region, not an availability zone; a region contains multiple zones, but the zone itself is a single datacenter. Option C is wrong because a pair of geographically distant Azure regions describes a region pair (used for disaster recovery), not an availability zone, which is a single datacenter within one region. Option D is wrong because a logical grouping of Azure resources for billing refers to a management group or subscription, not an availability zone, which is a physical infrastructure concept.

365
MCQmedium

Which Azure feature creates an audit trail showing who performed what actions on Azure resources and when?

A.Azure Monitor Metrics
B.Azure Activity Log
C.Azure AD Sign-in logs
D.Azure Network Watcher packet captures
AnswerB

Activity Log provides a complete audit trail of all subscription-level management operations including who, what, when, and where.

Why this answer

The Azure Activity Log is a platform log in Azure that provides insight into subscription-level events, recording all control-plane operations (e.g., creating a VM, deleting a resource group) with details on who performed the action (via Azure AD principal), what the action was, and when it occurred. This makes it the correct feature for creating an audit trail of resource management actions.

Exam trap

The trap here is that candidates confuse Azure AD Sign-in logs (which track authentication) with the Activity Log (which tracks resource management actions), because both involve 'who' and 'when', but they serve entirely different scopes—one is identity-focused, the other is resource-focused.

How to eliminate wrong answers

Option A is wrong because Azure Monitor Metrics collects numerical performance data (e.g., CPU percentage, disk I/O) from Azure resources, not an audit trail of who performed actions. Option C is wrong because Azure AD Sign-in logs track user authentication events (e.g., successful or failed logins) to Azure AD, not actions performed on Azure resources. Option D is wrong because Azure Network Watcher packet captures capture network traffic data at the packet level for diagnostics, not a record of who performed management operations.

366
MCQhard

Which Azure service provides dedicated physical servers for regulatory or licensing requirements where hardware cannot be shared with other customers?

A.Azure Reserved VM Instances
B.Azure Spot VMs
C.Azure Dedicated Host
D.Azure Isolated VM sizes
AnswerC

Dedicated Host provides physical servers dedicated to one organization for compliance and licensing requirements.

Why this answer

Azure Dedicated Host provides physical servers dedicated to a single Azure subscription, ensuring that hardware is not shared with other customers. This meets regulatory or licensing requirements that mandate hardware isolation, such as specific compliance standards or software licensing agreements that restrict usage to dedicated hardware.

Exam trap

The trap here is that candidates often confuse Azure Dedicated Host with Azure Isolated VM sizes, but Isolated VM sizes only guarantee isolation from other VM sizes on the same host, not a dedicated physical server, whereas Dedicated Host provides full physical server exclusivity.

How to eliminate wrong answers

Option A is wrong because Azure Reserved VM Instances are a pricing model that reserves capacity and offers discounts for one- or three-year commitments, but they do not provide dedicated physical servers; the underlying hardware may still be shared. Option B is wrong because Azure Spot VMs offer unused compute capacity at a reduced cost but can be evicted when Azure needs the capacity back, and they run on shared hardware, not dedicated physical servers. Option D is wrong because Azure Isolated VM sizes run on isolated hardware for a specific VM size, but they do not guarantee a dedicated physical server; multiple VMs of the same size can still share the same physical host, and the isolation is at the VM level, not the physical server level.

367
MCQmedium

An organization wants to track which team or project each Azure resource belongs to for cost allocation purposes. Which Azure feature is BEST for this?

A.Azure resource groups
B.Azure tags
C.Management groups
D.Azure Subscriptions
AnswerB

Tags (e.g., 'Team': 'Engineering', 'Project': 'Alpha') enable cost allocation and reporting by team or project across any resource group or subscription.

Why this answer

Azure tags are metadata key-value pairs that can be applied to resources, resource groups, and subscriptions to logically organize them. They are the best choice for tracking cost allocation by team or project because Azure Cost Management can filter and group costs by tag values, enabling chargeback and showback scenarios.

Exam trap

The trap here is that candidates often confuse resource groups as a logical grouping for cost allocation, but resource groups cannot represent multiple dimensions (e.g., both team and project) simultaneously, whereas tags can hold multiple key-value pairs per resource.

How to eliminate wrong answers

Option A is wrong because Azure resource groups are containers for managing resources as a group, but they do not natively support multi-dimensional categorization (e.g., by team and project simultaneously) for cost allocation; a resource group can only belong to one team or project at a time. Option C is wrong because management groups are used for hierarchical organization of subscriptions and applying policy or RBAC at scale, not for tagging individual resources for cost tracking. Option D is wrong because Azure subscriptions are billing boundaries that aggregate costs, but they cannot be used to track granular cost allocation across multiple teams or projects within the same subscription.

368
MCQmedium

Which Azure service allows you to extend your on-premises Active Directory to the cloud for hybrid identity scenarios?

A.Azure AD B2C
B.Azure AD Connect
C.Azure Active Directory Domain Services
D.Azure Conditional Access
AnswerB

Azure AD Connect synchronizes on-premises AD user accounts and groups to Azure AD, enabling hybrid identity with SSO.

Why this answer

Azure AD Connect is the correct service because it synchronizes on-premises Active Directory identities with Azure AD, enabling hybrid identity scenarios where users can use the same credentials for both on-premises and cloud resources. It handles password hash synchronization, pass-through authentication, and federation integration, making it the primary tool for extending on-premises AD to the cloud.

Exam trap

The trap here is confusing Azure AD Domain Services (Azure AD DS) with Azure AD Connect, as both involve 'domain' concepts, but Azure AD DS provides managed domain services for cloud workloads without extending on-premises AD, while Azure AD Connect is the actual synchronization tool for hybrid identity.

How to eliminate wrong answers

Option A is wrong because Azure AD B2C is a customer-facing identity service for external users (e.g., social logins) and does not extend on-premises Active Directory. Option C is wrong because Azure Active Directory Domain Services (Azure AD DS) provides managed domain services like group policy and LDAP for cloud VMs, but it does not synchronize or extend on-premises AD; it creates a separate domain. Option D is wrong because Azure Conditional Access is a policy-based access control feature that evaluates sign-in conditions (e.g., location, device compliance) and does not perform identity synchronization or extension.

369
MCQeasy

A company has a resource group named 'RG-Prod' that contains critical virtual machines, a SQL database, and a storage account. The infrastructure team needs to ensure that no one can accidentally delete this resource group or any of its resources. However, users must still be able to create, update, and delete individual resources within the group as needed for normal operations. Which type of Azure Resource Lock should the team apply to 'RG-Prod'?

A.ReadOnly
B.CanNotDelete
C.DoNotDelete
D.ModifyOnly
AnswerB

Correct. A CanNotDelete lock prevents any user from deleting the resource group or any of its resources, but it still allows read, update, and create operations. This meets the requirement to prevent accidental deletion while allowing normal operational changes.

Why this answer

The CanNotDelete lock (Option B) is correct because it prevents the deletion of the resource group and all its resources while still allowing read, create, and update operations. This matches the requirement to protect against accidental deletion but permit normal operational changes. ReadOnly locks would block all write operations, which is too restrictive for the stated needs.

Exam trap

The trap here is that candidates may confuse the CanNotDelete lock with the ReadOnly lock, or assume a non-existent lock name like 'DoNotDelete' is valid, when in fact Azure only supports two lock levels: CanNotDelete and ReadOnly.

How to eliminate wrong answers

Option A is wrong because ReadOnly locks prevent any create, update, or delete operations on the resource group and its resources, which would block the users' ability to perform normal operations like creating or updating resources. Option C is wrong because 'DoNotDelete' is not a valid Azure Resource Lock type; the only lock levels are CanNotDelete and ReadOnly.

370
MCQmedium

Which Azure database service is specifically optimized for running open-source MariaDB workloads as a fully managed service?

A.Azure Database for MySQL
B.Azure Database for MariaDB
C.Azure SQL Database
D.Azure Cosmos DB
AnswerB

Azure Database for MariaDB is the dedicated fully managed service for MariaDB open-source workloads.

Why this answer

Azure Database for MariaDB is the correct answer because it is a fully managed relational database service specifically built for the MariaDB community edition, offering high availability, automated backups, and scaling. It uses the same wire protocol as MySQL but is tailored to MariaDB's specific engine features and versioning, such as support for the Aria storage engine and Galera cluster replication.

Exam trap

The trap here is that candidates often confuse MariaDB with MySQL due to their shared history, assuming Azure Database for MySQL can handle MariaDB workloads, but Azure explicitly separates these services to account for divergent features and versioning.

How to eliminate wrong answers

Option A is wrong because Azure Database for MySQL is optimized for the MySQL database engine, not MariaDB, and while MariaDB is a fork of MySQL, the two have diverged in features and compatibility, so Azure offers a separate service for each. Option C is wrong because Azure SQL Database is a fully managed relational database service for Microsoft SQL Server, which uses Transact-SQL (T-SQL) and is not compatible with MariaDB's SQL dialect or storage engines. Option D is wrong because Azure Cosmos DB is a globally distributed, multi-model NoSQL database service that supports document, key-value, graph, and column-family data models, not relational MariaDB workloads.

371
MCQmedium

A company has multiple Azure subscriptions used by different departments. The security team wants to enforce a requirement that all Azure Storage accounts in every subscription must be encrypted at rest using customer-managed keys (CMK). The solution must automatically evaluate existing and new storage accounts for compliance, and it must be able to automatically remediate non-compliant resources by enabling CMK encryption. The team wants to use a single, centralized Azure feature that can be assigned once and apply to all subscriptions. Which Azure feature should they use?

A.Azure Policy
B.Azure Blueprints
C.Azure Role-Based Access Control (RBAC)
D.Azure Security Center (Microsoft Defender for Cloud)
AnswerA

Azure Policy can be assigned at a management group or subscription level to audit and automatically enforce compliance rules. It includes built-in policies for storage encryption with customer-managed keys and can perform automatic remediation. This is the correct choice because it allows centralized governance across multiple subscriptions.

Why this answer

Azure Policy is the correct choice because it can enforce organizational standards and assess compliance across all Azure subscriptions from a single assignment. By using a built-in or custom policy definition that requires storage accounts to use customer-managed keys (CMK) for encryption at rest, Azure Policy can automatically evaluate both existing and new storage accounts. With the 'DeployIfNotExists' effect, it can also trigger remediation tasks to enable CMK encryption on non-compliant resources without manual intervention.

Exam trap

The trap here is confusing Azure Policy's continuous compliance enforcement and remediation capabilities with Azure Blueprints' deployment-time orchestration, leading candidates to choose Blueprints because they think 'assign once and apply to all subscriptions' implies a template-based approach.

How to eliminate wrong answers

Option B (Azure Blueprints) is wrong because Blueprints are used to orchestrate the deployment of resource templates, policies, and role assignments as a repeatable package for creating new environments; they do not continuously evaluate or automatically remediate existing resources across multiple subscriptions after deployment. Option C (Azure Role-Based Access Control) is wrong because RBAC manages who has access to Azure resources and what actions they can perform, not the configuration state or compliance of resources like encryption settings; it cannot enforce or remediate encryption requirements.

372
MCQmedium

A company is designing a multi-tier application on Azure. The web tier needs to scale out based on CPU usage, while the database tier requires high-performance storage for transactional data. Which combination of Azure services should they choose?

A.Azure Functions and Azure Cosmos DB
B.Azure App Service and Azure SQL Database
C.Azure Virtual Machine Scale Sets and Azure Files
D.Azure Kubernetes Service and Blob Storage
AnswerB

App Service provides autoscaling for web applications, and Azure SQL Database offers high-performance transactional storage with built-in scaling.

Why this answer

Azure App Service provides built-in autoscaling based on metrics like CPU usage, making it ideal for the web tier that needs to scale out. Azure SQL Database offers high-performance, low-latency storage for transactional data with features like automatic indexing and in-memory OLTP, meeting the database tier's requirements.

Exam trap

The trap here is that candidates often confuse Azure Functions with App Service for web tier scaling, overlooking that Functions is for event-driven, stateless code, not for a full web application with persistent scaling needs.

How to eliminate wrong answers

Option A is wrong because Azure Functions is a serverless compute service designed for event-driven, short-lived workloads, not for a multi-tier web application that requires continuous scaling based on CPU usage; Azure Cosmos DB is a NoSQL database optimized for globally distributed, schema-less data, not for high-performance transactional storage with ACID guarantees needed for a relational database tier. Option C is wrong because Azure Virtual Machine Scale Sets can scale VMs based on CPU, but they require manual management of the web server software and are more complex than App Service for a simple web tier; Azure Files provides SMB-based file shares, which lack the transactional performance and low-latency I/O of a dedicated database service like Azure SQL Database.

373
MCQeasy

What does 'reliability' mean as a cloud benefit?

A.The cloud is always 100% available with no interruptions ever
B.The platform is designed for consistent performance and rapid recovery from failures
C.All data is automatically backed up to multiple locations daily
D.Security vulnerabilities are never present in cloud services
AnswerB

Cloud reliability means redundant, resilient infrastructure with SLAs committing to high uptime and fast failure recovery.

Why this answer

Reliability in cloud computing means the platform is designed for high uptime and rapid recovery from failures. Azure achieves reliability through redundant infrastructure, global distribution, automatic failover, and SLAs that commit to specific uptime percentages.

374
MCQmedium

A company is migrating a legacy customer relationship management (CRM) application to Azure infrastructure as a service (IaaS). The application runs on Windows Server and uses a third-party database. The company's IT team will manage the application and database software. However, they want to minimize their operational overhead for tasks that Azure can handle automatically. According to the shared responsibility model, which of the following tasks is the responsibility of Microsoft?

A.Applying security updates to the CRM application code.
B.Configuring firewall rules within the virtual network.
C.Replacing a failed physical hard disk drive in the Azure data center.
D.Installing the latest Windows Server security patches on the virtual machine.
AnswerC

Correct. Microsoft manages the physical hardware in Azure data centers, including replacement of failed components like hard drives. This is part of the infrastructure responsibility.

Why this answer

In the shared responsibility model, Microsoft is responsible for the 'physical' aspects of the cloud, including the hardware, network, and data center infrastructure. Replacing a failed physical hard disk drive is a physical infrastructure task that falls under Microsoft's responsibility, as the customer has no access to the underlying hardware in an IaaS environment.

Exam trap

The trap here is that candidates often confuse 'operational overhead' with 'security updates' or 'network configuration,' mistakenly thinking Azure handles all management tasks, but the shared responsibility model clearly separates physical infrastructure (Microsoft) from customer-managed software and configuration.

How to eliminate wrong answers

Option A is wrong because applying security updates to the CRM application code is the customer's responsibility; the customer manages the application software and its code, even when running on Azure IaaS. Option B is wrong because configuring firewall rules within the virtual network is a network security configuration task that the customer must manage, as Azure provides the virtual network but the customer controls the traffic rules.

375
MCQmedium

A small business runs its IT infrastructure in a small on-premises server room. The business owner is considering moving to Azure and asks the IT manager: 'How can a large cloud provider like Microsoft offer compute and storage at a lower per-unit cost than I can get by purchasing my own servers, even though I only need a few virtual machines?' Which cloud computing benefit best answers this question?

A.High availability
B.Elasticity
C.Economies of scale
D.Fault tolerance
AnswerC

Economies of scale occur when a provider's large size enables it to purchase hardware, energy, and bandwidth at much lower prices per unit. These savings are passed to customers, making cloud services cost-effective even for small deployments.

Why this answer

Option C is correct because economies of scale allow Microsoft to spread massive capital and operational costs (data center construction, power, cooling, hardware procurement) across millions of customers. This per-unit cost reduction means even a small business consuming only a few virtual machines benefits from the same low-cost infrastructure that a large enterprise would, making Azure's compute and storage cheaper than purchasing and maintaining dedicated on-premises servers.

Exam trap

The trap here is that candidates often confuse economies of scale with elasticity, thinking that scaling resources up/down automatically reduces per-unit cost, when in fact elasticity only optimizes total cost by matching usage, not the underlying unit price of compute or storage.

How to eliminate wrong answers

Option A is wrong because high availability refers to ensuring services remain accessible during failures (e.g., using availability zones or redundancy), not to cost reduction from shared infrastructure. Option B is wrong because elasticity describes the ability to scale resources up or down based on demand, which optimizes cost for variable workloads but does not inherently lower the per-unit cost of compute or storage. Option D is wrong because fault tolerance is the ability of a system to continue operating despite component failures (e.g., through redundant hardware or automatic failover), which is a reliability feature, not a cost-saving mechanism.

Page 4

Page 5 of 14

Page 6