CCNA Secure Monitor Optimize Data Questions

75 of 255 questions · Page 1/4 · Secure Monitor Optimize Data topic · Answers revealed

1
Multi-Select · medium

You are securing an Azure Data Lake Storage Gen2 account that contains sensitive data. Which TWO of the following should you implement to protect data from unauthorized access?

Select 2 answers
A. Configure ACLs to grant least privilege to users and groups
B. Use private endpoints to restrict access to the storage account
C. Set the default ACL to allow read access for all authenticated users
D. Enable CORS rules to allow only specific origins
E. Enable large file shares on the storage account
Answers: A, B

ACLs allow granular permissions at the file and directory level.

Why this answer

Option A is correct because ACLs provide fine-grained access control at the directory/file level. Option B is correct because private endpoints ensure data traffic does not traverse the public internet. Option C is wrong because a default ACL of 'read' for all authenticated users would grant broad access.

Option D is wrong because cross-origin resource sharing (CORS) is for web applications, not security. Option E is wrong because large file shares are for Azure Files, not ADLS Gen2.

2
MCQ · easy

You are monitoring Azure Data Factory pipelines. You need to set up an alert when a pipeline run fails. What is the most efficient way to achieve this?

A. Add an activity in each pipeline to log failures to a custom table in Log Analytics.
B. Enable diagnostic settings to send pipeline runs to a Log Analytics workspace and create a log alert.
C. Create an Azure Monitor alert based on the 'Failed pipeline runs' metric.
D. Use Application Insights to monitor pipeline executions.
Answer: C

This is the simplest method using built-in metrics.

Why this answer

Option C is correct because Azure Monitor alerts can be configured on Data Factory metrics like 'Failed pipeline runs'. Option A is wrong because custom logging in a sink requires additional effort. Option B is wrong because diagnostic settings send logs to a workspace, but alerts are easier with metrics.

Option D is wrong because Application Insights is not natively integrated with Data Factory for pipeline runs.

3
Multi-Select · easy

Which TWO methods can you use to authenticate an Azure Data Factory pipeline to access Azure Data Lake Storage Gen2? (Choose TWO)

Select 2 answers
A. Use a service principal with a client secret or certificate.
B. Use a shared access signature (SAS) token.
C. Use a managed identity assigned to the Data Factory.
D. Use a user account with password.
E. Use the storage account access key.
Answers: A, C

Service principal is a standard authentication method.

Why this answer

Correct answers: A and C. C: Managed identity is a recommended method for Azure services. A: Service principal is another common method.

B is wrong because SAS tokens are less secure and have expiration. D is wrong because user password is not supported. E is wrong because storage account key is not recommended for production due to security risks.

4
MCQ · medium

Your company uses Azure Data Lake Storage Gen2 and needs to implement a data retention policy that automatically deletes files older than 90 days in a specific container. What should you use?

A. Azure Data Factory pipeline with a Delete activity scheduled to run daily.
B. Azure Policy with a deny effect for files older than 90 days.
C. Azure Storage lifecycle management rule with a filter for the container and a delete action after 90 days.
D. Azure Purview data lifecycle policy.
Answer: C

Lifecycle management can automatically delete blobs based on age, reducing manual effort.

Why this answer

Option C is correct because Azure Storage lifecycle management policies can automatically delete blobs based on age. Option A is wrong because Azure Data Factory can be scheduled to delete, but lifecycle management is simpler. Option B is wrong because Azure Policy enforces rules, not automated deletion.

Option D is wrong because Azure Purview is for governance, not deletion.

5
MCQ · easy

You need to secure data at rest for an Azure Data Lake Storage Gen2 account that contains sensitive financial data. Which configuration should you enable to ensure that data is encrypted using a customer-managed key stored in Azure Key Vault, and that access to the key is logged?

A. Enable Azure Storage encryption with Microsoft-managed keys
B. Implement client-side encryption using Azure Key Vault
C. Enable infrastructure encryption for double encryption
D. Configure Azure Storage encryption with customer-managed keys in Azure Key Vault and enable Key Vault logging
Answer: D

This allows you to control and rotate keys, and logging provides an audit trail.

Why this answer

Option D is correct because Azure Storage encryption with customer-managed keys in Key Vault provides control and logging. Option A is wrong because Microsoft-managed keys are the default but do not provide customer control. Option B is wrong because client-side encryption requires managing keys on the client side.

Option C is wrong because infrastructure encryption adds a second layer but does not use customer-managed keys.

6
MCQ · medium

Your Azure Stream Analytics job is failing to start because the job's storage account is configured to allow access from selected networks. The job uses managed identity for authentication. What should you do to resolve the issue?

A. Create a private endpoint for the Stream Analytics job to access the storage account.
B. Disable the firewall on the storage account to allow all networks.
C. Add the Stream Analytics job's managed identity as a trusted service in the storage account firewall.
D. Generate a SAS token for the storage account and configure the job to use it.
Answer: C

Trusted services bypass firewall rules when using managed identity.

Why this answer

Option C is correct because the Stream Analytics job's managed identity must be added as a trusted service to bypass the network restrictions. Option A is wrong because private endpoints require additional configuration and are not required. Option B is wrong because firewall rules apply to all services; managed identity must be explicitly allowed.

Option D is wrong because SAS tokens are not needed with managed identity.

7
MCQ · hard

Refer to the exhibit. You have an Azure Data Lake Storage Gen2 account with hierarchical namespace enabled. The exhibit shows an Azure CLI command output that lists access permissions. User user@contoso.com is a member of group-analysts@contoso.com. What level of access does user@contoso.com have to the /data/analytics/ directory?

A. Access denied because of the directory-level reader role
B. Read-only access
C. Read and write access
D. No access
Answer: C

The user's root-level contributor role provides read and write access to all directories.

Why this answer

Option C is correct because RBAC permissions are additive. The user has Storage Blob Data Contributor at the root scope, which grants read/write access to all directories. The reader role at the directory scope does not override the broader contributor role.

Option A is wrong because the user has write access via the root scope. Option B is wrong because the user has read access from the root scope already. Option D is wrong because the user has explicit permissions.

8
MCQ · easy

You are monitoring an Azure Data Factory pipeline that runs daily to load data from an on-premises SQL Server to Azure Synapse Analytics. The pipeline has been failing intermittently with timeout errors. You need to configure alerts to notify the team when the pipeline fails. What is the most efficient way to achieve this?

A. Enable diagnostic settings to send pipeline logs to a Log Analytics workspace and create a log search alert.
B. Use Azure Service Health alerts to notify when Data Factory is unhealthy.
C. Create an alert rule in Azure Monitor using the 'Pipeline failed runs' metric.
D. Configure Microsoft Defender XDR to monitor pipeline activities.
Answer: C

Azure Data Factory exposes pipeline run metrics in Azure Monitor, allowing direct alert creation based on failures.

Why this answer

Option C is correct because Azure Monitor alerts on pipeline run metrics can trigger notifications based on failure conditions. Option A is wrong because Azure Log Analytics itself does not send alerts; it stores logs. Option B is wrong because Azure Service Health alerts are for Azure service issues, not pipeline failures.

Option D is wrong because Microsoft Defender XDR is for security, not pipeline monitoring.

9
MCQ · medium

Your organization uses Azure Data Lake Storage Gen2 for a data lake. You need to prevent accidental deletion of data by enabling a soft delete policy. Which configuration is required?

A. Apply an Azure Resource Manager lock.
B. Configure Azure Backup for the storage account.
C. Enable blob versioning.
D. Enable blob soft delete on the storage account.
Answer: D

Soft delete retains deleted blobs for a specified period.

Why this answer

Option D is correct because Azure Data Lake Storage Gen2 supports soft delete for blobs. Option A is wrong because Azure Resource Manager locks prevent resource deletion, not data deletion. Option B is wrong because Azure Backup is for VM and other sources, not for Data Lake.

Option C is wrong because versioning is different from soft delete.

10
MCQ · hard

Your team uses Azure Databricks for data processing. You need to implement a cost-control strategy that automatically terminates idle clusters after 30 minutes of inactivity, but allows users to override this policy for specific workloads that require long-running clusters. What is the most efficient approach?

A. Instruct all users to set auto-termination to 30 minutes on each cluster they create.
B. Configure a global auto-termination setting in the Azure Databricks workspace that terminates all clusters after 30 minutes of inactivity.
C. Use Azure Policy to enforce a tag that triggers a function to terminate idle clusters.
D. Create a cluster policy that enforces auto-termination with a default of 30 minutes, but allows users to override the value for specific clusters.
Answer: D

Correct: Cluster policies provide a balance between governance and flexibility, allowing overrides as needed.

Why this answer

Option D is correct because cluster policies in Azure Databricks allow admins to define rules (e.g., auto-termination) while allowing users to choose different values within allowed limits. Option A is wrong because manual termination is not automatic. Option B is wrong because auto-termination is a cluster-level setting, not a global policy.

Option C is wrong because cluster policies are not enforced by Azure Policy.

11
MCQ · medium

You have an Azure Databricks workspace that processes sensitive data. The security team requires that all access to the workspace be authenticated using Microsoft Entra ID and that all API calls be audited. Which configuration should you implement?

A. Configure workspace to use Microsoft Entra ID authentication and enable diagnostic settings for audit logs.
B. Enable VNet injection and configure network security groups.
C. Deploy Azure Private Link and disable public access.
D. Configure personal access tokens for API access and enable cluster logs.
Answer: A

Entra ID authentication ensures identity-based access, and diagnostic settings capture API call logs.

Why this answer

Option A is correct because Microsoft Entra ID authentication is required, and diagnostic settings audit API calls. Option B is wrong because VNet injection is for network isolation, not authentication or auditing. Option C is wrong because Azure Private Link is for private connectivity.

Option D is wrong because personal access tokens bypass Entra ID.

12
MCQ · easy

Your organization uses Azure Data Factory to orchestrate data pipelines. You need to ensure that sensitive data is not exposed in pipeline logs. What should you configure?

A. Store connection strings in Azure Key Vault.
B. Enable 'Secure output' on pipeline activities.
C. Set a retention policy for pipeline logs.
D. Use data flow debug logs with session logs.
Answer: B

Secure output masks sensitive data in activity logs.

Why this answer

Option B is correct because enabling secure output prevents sensitive data from being written to logs. Option A is wrong because Azure Key Vault stores secrets but does not mask pipeline logs. Option C is wrong because setting a TTL does not prevent sensitive data exposure.

Option D is wrong because data flow debug logs are for debugging, not for masking.

13
MCQ · medium

Your company uses Azure Purview for data governance. You need to ensure that sensitive data in Azure Data Lake Storage Gen2 is automatically detected and classified. What should you configure in Purview?

A. Apply sensitivity labels to the storage account using Microsoft Purview Information Protection.
B. Enable Microsoft Defender for Cloud's data sensitivity discovery.
C. Use Azure Policy to enforce tagging of resources containing sensitive data.
D. Create a scan rule set that includes built-in classification rules for sensitive data types.
Answer: D

Purview scanning with classification rules automatically detects sensitive data patterns.

Why this answer

Option D is correct because Purview's scanning and classification rules automatically detect sensitive data. Option A is wrong because sensitivity labels in Microsoft Purview Information Protection are applied manually or via policy, not automatically by Purview scanning. Option B is wrong because Defender for Cloud is for security posture, not data classification.

Option C is wrong because Azure Policy enforces resource compliance, not data classification.

14
Multi-Select · hard

Your Azure Synapse Analytics dedicated SQL pool is experiencing high resource utilization. You need to identify queries that are consuming excessive memory. Which THREE DMVs should you query?

Select 3 answers
A. sys.dm_pdw_sql_requests
B. sys.dm_pdw_nodes_resource_usage
C. sys.dm_pdw_request_steps
D. sys.dm_pdw_exec_requests
E. sys.dm_pdw_waits
Answers: A, C, D

Shows SQL operations on distributions.

Why this answer

sys.dm_pdw_exec_requests shows requests, sys.dm_pdw_request_steps shows steps, and sys.dm_pdw_sql_requests shows distributed SQL requests. Option B is for node resource usage, and Option E is for resource waits.

15
MCQ · hard

You are designing a data processing solution using Azure Databricks. The solution must use Delta Lake for ACID transactions and must optimize storage costs by automatically compacting small files. Which feature should you enable?

A. Run OPTIMIZE command in a scheduled job.
B. Set retention duration for vacuum to 7 days.
C. Enable Z-order indexing on the Delta table.
D. Enable auto-optimize on the Delta table.
Answer: D

Auto-optimize automatically compacts small files during write operations.

Why this answer

Option D is correct because Delta Lake's auto-optimize feature automatically compacts small files during writes. Option A is wrong because OPTIMIZE is a manual command. Option B is wrong because vacuum removes old files rather than compacting them.

Option C is wrong because Z-order is for data skipping, not compaction.

16
MCQ · easy

You need to monitor the performance of your Azure Synapse Analytics dedicated SQL pool. Which metric should you use to identify queued queries due to concurrency limits?

A. Queued queries
B. DWU percentage
C. Active queries
D. Memory percentage
Answer: A

This metric directly shows queries waiting for concurrency slots.

Why this answer

Option A is correct because the 'Queued queries' metric directly shows the number of queries waiting due to concurrency limits. Option B is wrong because DWU percentage shows resource usage, not queuing. Option C is wrong because active queries show running queries.

Option D is wrong because memory percentage shows memory pressure.

17
MCQ · medium

You are monitoring an Azure Synapse Analytics dedicated SQL pool and notice that queries are experiencing excessive wait time due to concurrency slots being exhausted. What is the recommended approach to improve concurrency without increasing cost?

A. Create additional workload groups and assign queries to them.
B. Classify queries using workload classification and assign lower importance to reduce concurrency slot usage.
C. Scale up the dedicated SQL pool to a higher service level.
D. Change the distribution type of tables to round-robin.
Answer: B

Lower importance queries use fewer slots, allowing more concurrent queries.

Why this answer

Option B is correct because using workload classification and assigning a lower importance to background queries can allow critical queries to run while reducing slot consumption for non-critical ones. Option A is wrong because workload groups can limit resources but do not directly increase concurrency slots. Option C is wrong because scaling up increases cost and may not be necessary.

Option D is wrong because changing distribution does not affect concurrency slots.

18
MCQ · medium

Your company uses Azure Synapse Analytics serverless SQL pool to query data in Azure Data Lake Storage Gen2. You need to monitor query performance and identify queries that are consuming excessive resources. Which Azure tool should you use?

A. Azure Monitor Metrics for the serverless SQL pool.
B. Synapse Studio monitoring hub.
C. Azure Log Analytics queries against diagnostic logs.
D. SQL Server Management Studio Query Performance Insight.
Answer: B

Synapse Studio provides detailed monitoring for serverless SQL pool.

Why this answer

Option B is correct because Synapse Studio provides monitoring dashboards for serverless SQL pool. Option A is wrong because Azure Monitor Metrics can show some metrics but not query-level details. Option C is wrong because Log Analytics can be used but requires diagnostic settings.

Option D is wrong because Query Performance Insight is for dedicated SQL pool.

19
MCQ · hard

Refer to the exhibit. You are reviewing an Azure Policy definition that was created to audit diagnostic settings for Azure Data Lake Storage Gen2. The policy is assigned to a management group containing several storage accounts. You notice that the policy is not flagging storage accounts that lack diagnostic settings. What is the most likely cause?

A. The existence condition incorrectly checks for a specific log category 'StorageRead' instead of any diagnostic setting.
B. The 'field' property in the 'if' condition should be 'type' equals 'Microsoft.Storage/storageAccounts/blobServices' for Data Lake.
C. The effect parameter is not assigned a value; the default 'AuditIfNotExists' is not applied.
D. The policy type is 'Custom', which requires special permissions to evaluate.
Answer: A

The policy should audit if no diagnostic setting exists, not check for a specific category.

Why this answer

Option A is correct because the existence condition checks if a diagnostic setting of category 'StorageRead' exists, but the policy should check for any diagnostic setting. Option B is wrong because the field check for type is correct. Option C is wrong because the effect is parameterized and the default is AuditIfNotExists, which should work.

Option D is wrong because the policy type is custom, but that doesn't cause the issue.

20
MCQ · medium

You are designing a data pipeline in Azure Data Factory that reads data from an Azure SQL Database and writes to Azure Synapse Analytics dedicated SQL pool. The pipeline will run hourly and process incremental changes. You need to ensure that the pipeline handles retries for transient failures and logs all activities for audit purposes. What should you configure?

A. Enable auditing on the Azure SQL Database and Azure Synapse SQL pool.
B. Configure a tumbling window trigger to rerun the pipeline on failure.
C. Enable pipeline logging to an Azure Storage account and set retry policy on copy activity.
D. Use an Azure Monitor alert to notify on failures.
Answer: C

Logs capture all events; retry handles transient errors.

Why this answer

Option C is correct because enabling pipeline logging to a storage account captures all activity, and retry policy in activities handles transient failures. Option A is wrong because Azure SQL Database audit is for database access, not pipeline. Option B is wrong because an event-based trigger does not provide logging or retry.

Option D is wrong because Azure Monitor can monitor but does not log pipeline activities.

21
MCQ · hard

You are optimizing an Azure Synapse Analytics dedicated SQL pool. A frequent query scans a large fact table and filters on a date column. You notice that the query uses a full table scan. What is the most effective way to improve query performance?

A. Create a nonclustered index on the date column.
B. Create a clustered columnstore index on the table.
C. Change the distribution to round-robin.
D. Partition the table on the date column.
Answer: D

Enables partition pruning, reducing data scanned.

Why this answer

Option D is correct because a partitioned table on the date column allows partition elimination. Option A is wrong because a nonclustered index on date may help but partition elimination is more effective for large scans. Option B is wrong because a clustered columnstore index is good for scans but partition elimination is more effective for filtering.

Option C is wrong because round-robin distribution does not help with filtering.

22
Multi-Select · medium

Which TWO Azure services can be used to monitor and analyze query performance in Azure Synapse Analytics dedicated SQL pool?

Select 2 answers
A. SQL Data Sync
B. Azure Policy
C. Azure Advisor
D. Azure Monitor with Log Analytics
E. Dynamic Management Views (DMVs)
Answers: D, E

Can collect and analyze query performance logs.

Why this answer

Options D and E are correct. DMVs provide detailed query execution statistics, and Azure Monitor with Log Analytics can store and analyze performance data. Option A is wrong because SQL Data Sync is for synchronization.

Option B is wrong because Azure Policy is for governance. Option C is wrong because Azure Advisor provides recommendations but not real-time monitoring.

23
MCQ · medium

You are designing a data lake architecture using Azure Data Lake Storage Gen2. You need to implement a least-privilege security model. Which authorization mechanism should you use for granular control?

A. Use storage account keys for access.
B. Use Azure RBAC roles at the storage account level.
C. Use POSIX-like access control lists (ACLs).
D. Use shared access signatures (SAS) with stored access policies.
Answer: C

ACLs provide granular permissions on files and directories.

Why this answer

Option C is correct because ACLs provide granular permissions at the file and directory level. Option A is wrong because shared keys provide full access. Option B is wrong because Azure RBAC is at the subscription/resource group level, not granular.

Option D is wrong because SAS tokens with stored access policies provide limited granularity but are not as flexible as ACLs.

24
MCQ · medium

You are monitoring an Azure Synapse Analytics dedicated SQL pool using dynamic management views (DMVs). You want to identify queries that are experiencing excessive memory grants causing concurrency issues. Which DMV should you query?

A. sys.dm_pdw_waits
B. sys.dm_pdw_exec_requests
C. sys.dm_pdw_resource_waits
D. sys.dm_pdw_workload_management_workload_groups_details
Answer: B

Contains total_request_memory_granted column to identify large memory consumers.

Why this answer

Option B is correct because sys.dm_pdw_exec_requests contains the total_request_memory_granted column that can be used to identify queries with large memory grants. Option A is wrong because it shows only waits, not memory grants. Option C is wrong because it shows resource class membership, not current memory usage.

Option D is wrong because it shows workload group settings, not actual grants.

25
Multi-Select · easy

Which THREE best practices should be followed when designing a data lake in Azure Data Lake Storage Gen2 for optimal performance?

Select 3 answers
A. Disable hierarchical namespace to improve performance.
B. Use a deep directory structure with many subfolders.
C. Use Parquet file format for analytics workloads.
D. Use a naming convention that avoids special characters and high cardinality.
E. Partition data by date to enable partition elimination.
Answers: C, D, E

Parquet is columnar and efficient for analytics.

Why this answer

Options C, D, and E are correct. Using Parquet improves compression and query performance; partitioning by date allows partition pruning; using a naming convention that avoids high cardinality directories prevents throttling. Option A is wrong because hierarchical namespace is required for ADLS Gen2 and is not a best practice to disable.

Option B is wrong because a deep directory structure can cause performance issues.

26
MCQ · medium

You are using Azure Data Factory to load data from an on-premises SQL Server to Azure Synapse Analytics. The data size is 500 GB, and you need to minimize the load time. The network bandwidth is limited. Which approach should you use?

A. Use a self-hosted integration runtime and copy directly to Synapse.
B. Use a self-hosted integration runtime and stage the data in Azure Blob Storage before loading to Synapse.
C. Use Azure ExpressRoute to improve network bandwidth.
D. Use an Azure integration runtime and copy to Azure Data Lake Storage, then to Synapse.
Answer: B

Staging improves performance by splitting the copy into two phases.

Why this answer

Option B is correct because using a self-hosted integration runtime with staging via Azure Blob Storage allows you to stage the data in Azure and then copy to Synapse, which is faster over limited bandwidth. Option A (copy activity directly) is slower. Option C (Azure ExpressRoute) requires additional setup and cost.

Option D (Azure Data Lake Storage) is similar but staging is more efficient.

27
MCQ · easy

You are running an Azure Stream Analytics job that reads from an Event Hub and writes to a Power BI dataset. The job is falling behind and processing latency is increasing. What should you do to improve performance?

A. Increase the number of Streaming Units (SUs) allocated to the job.
B. Use a reference data input to filter events.
C. Change the output to Azure Blob Storage instead of Power BI.
D. Decrease the size of events sent to the Event Hub.
Answer: A

More SUs increase processing capacity.

Why this answer

Option A is correct because increasing the Streaming Units (SUs) allocates more compute resources to the job, improving throughput. Option B (use reference data) does not affect throughput. Option C (change output to blob) changes architecture.

Option D (decrease event size) is not always possible.

28
MCQ · easy

You need to ensure that data in an Azure Data Lake Storage Gen2 account is encrypted at rest using a customer-managed key. Which feature should you configure?

A. Azure Key Vault integration with Storage Service Encryption
B. Azure Information Protection
C. Azure Storage Service Encryption with Microsoft-managed keys
D. Azure Disk Encryption
Answer: A

Azure Storage Service Encryption supports customer-managed keys stored in Azure Key Vault.

Why this answer

Option A is correct because ADLS Gen2 supports encryption at rest with customer-managed keys via Azure Key Vault. Option B is wrong because Azure Information Protection is for labeling, not encryption at rest. Option C is wrong because Azure Storage Service Encryption uses Microsoft-managed keys by default; customer-managed keys require Key Vault.

Option D is wrong because Azure Disk Encryption is for VMs.

29
MCQ · easy

Your organization uses Azure Data Lake Storage Gen2 and needs to prevent accidental deletion of data by enabling soft delete. You also need to ensure that deleted blobs are recoverable for 30 days. What should you configure?

A. Enable blob snapshots and set them to expire after 30 days.
B. Use Azure Backup to create daily backups of the storage account.
C. Enable container soft delete with a retention period of 30 days.
D. Enable blob soft delete and set retention period to 30 days.
Answer: D

Blob soft delete retains deleted blobs for the specified period, allowing recovery.

Why this answer

Option D is correct because blob soft delete allows recovery of deleted blobs within a specified retention period. Option A is wrong because snapshots are manual and not automatic. Option B is wrong because Azure Backup is for VM backups, not blob recovery.

Option C is wrong because container soft delete is for entire containers, not individual blobs.

30
MCQ · medium

You have an Azure Data Factory pipeline that copies data from an on-premises SQL Server to Azure Blob Storage. The pipeline runs successfully but you notice that the data transfer is taking longer than expected. You need to improve the transfer performance without increasing the cost significantly. Which configuration change should you make?

A. Enable staged copy with an Azure Blob Storage staging location.
B. Use PolyBase to load the data into Blob Storage.
C. Increase the number of concurrent connections on the SQL Server.
D. Increase the Data Integration Units (DIU) for the copy activity.
Answer: A

Staged copy uses staging storage to improve performance by enabling parallel uploads and automatic retries.

Why this answer

Option A is correct because enabling staged copy with staging storage can improve performance by allowing parallel uploads and retries. Option B is wrong because using PolyBase is for loading into Azure Synapse or SQL DW, not Blob Storage. Option C is wrong because the number of concurrent connections on SQL Server might not be the bottleneck.

Option D is wrong because increasing DIUs may increase cost.

31
MCQ · hard

You are designing a data processing solution using Azure Databricks with Delta Live Tables (DLT). The solution must handle late-arriving data and ensure that updates to the delta table are processed exactly once. Which DLT pipeline setting should you configure?

A. Set the pipeline mode to 'Trigger once'.
B. Set the pipeline mode to 'Continuous' and enable 'Exactly once' delivery.
C. Use Auto Loader with 'file arrival' mode.
D. Configure the DLT pipeline with 'Delta Live Tables' and use 'APPLY CHANGES INTO' with a watermark.
Answer: D

APPLY CHANGES INTO handles late-arriving data with exactly-once semantics.

Why this answer

Option D is correct because DLT pipelines support exactly-once processing and handle late data via watermarking and append-only or update modes. Option A is wrong because 'Trigger once' processes data one time only, not continuous. Option B is wrong because 'Continuous' mode processes data as it arrives but may not guarantee exactly-once without proper configuration.

Option C is wrong because 'File arrival' is not a DLT setting.

32
MCQ · easy

Your company uses Azure SQL Database and needs to audit all data modifications, including SELECT operations on sensitive columns, for compliance. Which feature should you enable?

A. Enable SQL auditing and configure to log SELECT operations.
B. Enable Transparent Data Encryption (TDE).
C. Enable Azure Defender for SQL.
D. Enable SQL vulnerability assessment.
Answer: A

Auditing can log SELECT and other events for compliance.

Why this answer

Option A is correct because Azure SQL Database auditing captures database events including SELECT statements. Option B is wrong because TDE encrypts data at rest. Option C is wrong because Azure Defender for SQL provides security alerts but not detailed audit logs.

Option D is wrong because vulnerability assessment scans for security issues but does not audit.

33
Multi-Select · hard

Which THREE security features are available in Azure Data Lake Storage Gen2 to protect data at rest and in transit? (Choose three.)

Select 3 answers
A. Azure Storage firewalls and virtual network rules
B. Azure Information Protection
C. Encryption at rest using Storage Service Encryption (SSE)
D. Azure ADLS Gen2 supports HTTPS for data in transit.
E. Azure Policy
Answers: A, C, D

Restrict access to specific networks.

Why this answer

Options A, C, and D are correct. A provides network-level security. C ensures data is encrypted at rest using AES-256.

D provides data integrity for data in transit. B is wrong because Azure Information Protection is for classification, not a built-in storage security feature. E is wrong because Azure Policy is for governance, not data protection.

34
MCQhard

Refer to the exhibit. You deploy the ARM template to create a storage account. After deployment, a developer reports that they cannot access the storage account from an Azure Databricks notebook running in the same virtual network as specified in the subnet rule. What is the most likely reason?

A.The storage account uses customer-managed keys from Key Vault, which requires additional permissions.
B.The firewall default action is Deny, and there are no IP rules allowing the Databricks cluster's public IP.
C.The Databricks cluster is not using a managed virtual network with a service endpoint to the storage account.
D.The storage account has hierarchical namespace enabled, which blocks non-ADLS Gen2 tools.
AnswerC

For the subnet rule to work, the Databricks cluster must be deployed in a virtual network that has a service endpoint to Microsoft.Storage. If the cluster is using a public IP, access is denied.

Why this answer

Option D is correct because the default action is Deny, and only traffic from the specified subnet is allowed. The developer's Databricks notebook might be using a cluster that is not using a managed virtual network or is not in that subnet. Option A is wrong because HNS enabled does not block access.

Option B is wrong because firewall is correctly set to Deny with a rule for the subnet. Option C is wrong because the key vault encryption doesn't block access.

35
MCQmedium

Your team uses Azure Synapse Analytics serverless SQL pool to query data in Azure Data Lake Storage Gen2. You notice that queries are running slower than expected. You need to improve query performance by reducing the amount of data scanned. Which two features should you implement? (Select two.)

A.Partition the data in the data lake and use partition elimination in queries.
B.Enable result-set caching for the serverless SQL pool.
C.Enable auto-optimize on the Delta Lake tables.
D.Create materialized views on the serverless SQL pool.
E.Use file pruning by specifying file paths in the OPENROWSET query.
AnswerA, E

Partition elimination allows the query to skip irrelevant partitions, reducing data scanned.

Why this answer

Options A and C are correct. File pruning reduces data scanned by skipping irrelevant files. Partition elimination reduces data scanned by skipping irrelevant partitions.

Option B is wrong because materialized views store pre-computed data but do not reduce scan on source. Option D is wrong because result-set caching caches query results but does not reduce data scanned for new queries. Option E is wrong because enabling auto-optimize is for Delta Lake, not serverless SQL.

36
MCQmedium

You are designing access control for Azure Data Lake Storage Gen2. You need to allow a group of data scientists to read and write files in the 'processed' directory but prevent them from deleting files. Which authorization method should you use?

A.Assign the Storage Blob Data Contributor role at the container level
B.Assign the Storage Blob Delegator role at the container level
C.Assign the Storage Blob Data Contributor role at the container level and use ACLs to deny delete on the directory
D.Assign the Storage Blob Data Reader role and use ACLs to grant write
AnswerC

ACLs can override RBAC permissions to deny delete.

Why this answer

Azure RBAC roles like Storage Blob Data Contributor grant read/write/delete permissions. To differentiate write and delete, you need ACLs that allow read/execute on the container and read/write on the directory, but not delete. Option A (Storage Blob Data Contributor) includes delete.

Option B (Storage Blob Data Reader) is read-only. Option D (Storage Blob Delegator) is not a built-in role.

37
Multi-Selecthard

Which THREE metrics should you monitor for an Azure Synapse Analytics dedicated SQL pool to ensure optimal performance?

Select 3 answers
A.tempdb usage
B.DWU usage
C.Queued queries
D.Login failures
E.Total storage size
AnswersA, B, C

High tempdb usage can slow queries.

Why this answer

Options A, C, and E are correct. Option A: DWU usage indicates how much of the allocated resources are used. Option C: Queued queries indicate concurrency bottlenecks.

Option E: tempdb usage can cause performance issues. Option B is wrong because storage size is capacity, not performance. Option D is wrong because login failures are security, not performance.

38
MCQhard

Your organization uses Azure Data Lake Storage Gen2 with hierarchical namespace enabled. You need to implement a security strategy that allows users to read only specific folders within a container. Which authorization method should you use?

A.Storage account shared key
B.Azure RBAC roles (e.g., Storage Blob Data Contributor) at the container level
C.Shared access signatures (SAS) with folder-level permissions
D.Access control lists (ACLs) on the folder
AnswerD

ACLs allow granular permissions at the directory level.

Why this answer

Option C is correct because ACLs (Access Control Lists) can be set at the folder level in ADLS Gen2 to grant granular permissions to specific directories. Option A is wrong because RBAC roles at the container level apply to the entire container. Option B is wrong because SAS tokens grant access at the container or file level, not folder level.

Option D is wrong because shared key is account-level access.

39
MCQhard

Your company uses Azure Databricks to process large datasets stored in Azure Data Lake Storage Gen2. You need to implement a solution that automatically rotates the storage account access keys every 90 days without interrupting running jobs. The solution should use managed identities where possible. What should you do?

A.Configure Azure Databricks to use a user-assigned managed identity for authentication to Azure Data Lake Storage Gen2.
B.Use Azure Policy to automatically rotate keys and update Databricks cluster configurations.
C.Use Azure Key Vault to store the storage account keys and configure a lifecycle policy to rotate them every 90 days. Update Databricks secrets accordingly.
D.Generate a SAS token with a 90-day expiry and update the Databricks secret before expiry.
AnswerA

Managed identity eliminates the need for keys, and rotation is handled automatically by Azure, avoiding job disruption.

Why this answer

Option A is correct because using a user-assigned managed identity for Databricks to access storage eliminates the need for access keys. Option B is wrong because key rotation would disrupt jobs that rely on keys. Option C is wrong because SAS tokens with expiry still require token management and rotation.

Option D is wrong because storing keys in Key Vault does not prevent job interruption during rotation.

40
MCQeasy

You need to monitor the performance of an Azure Stream Analytics job in real time. Which Azure service should you use to track the job's resource utilization (e.g., SU % utilization) and set up alerts when the job is approaching its capacity?

A.Azure Monitor
B.Azure Advisor
C.Microsoft Sentinel
D.Azure Log Analytics
AnswerA

Azure Monitor collects metrics like SU % utilization and allows you to set alerts to notify when thresholds are exceeded.

Why this answer

Option C is correct because Azure Monitor provides metrics and alerts for Stream Analytics jobs. Option A is wrong because Azure Log Analytics ingests logs but is not primarily for real-time metric alerts. Option B is wrong because Microsoft Sentinel is a SIEM.

Option D is wrong because Azure Advisor provides recommendations but not real-time monitoring and alerts for resource utilization.

41
Multi-Selectmedium

Which TWO Azure services can be used to monitor Azure Data Factory pipeline runs and set up alerts?

Select 2 answers
A.Log Analytics
B.Microsoft Sentinel
C.Azure Policy
D.Azure Monitor
E.Azure Advisor
AnswersA, D

Log Analytics queries logs and can trigger alerts.

Why this answer

Azure Monitor provides metrics and logs for ADF, and Log Analytics allows querying and alerting based on logs. Option C is wrong because Microsoft Sentinel is a SIEM that ingests from Log Analytics, not directly. Option D is wrong because Azure Policy is for governance.

Option E is wrong because Azure Advisor provides recommendations, not monitoring.

42
MCQmedium

Your organization uses Azure Synapse Analytics to run large-scale queries. You need to implement a solution that automatically pauses the dedicated SQL pool when no activity is detected for a specified period, and resumes it when a connection is attempted. What should you configure?

A.You cannot configure auto-pause for a dedicated SQL pool.
B.Use Azure Automation to run a PowerShell script that pauses and resumes the pool.
C.Create an Azure Function that pauses the pool on a schedule.
D.Set the auto-pause delay in the SQL pool properties.
AnswerA

Auto-pause is only for serverless SQL pools.

Why this answer

Option D is correct because Azure Synapse Analytics dedicated SQL pool does not support auto-pause; auto-pause is only for serverless SQL pools. Option A (auto-pause setting) is for serverless. Option B (Azure Automation runbook) could work but is not a built-in feature.

Option C (Azure Functions) is custom. The correct answer is that you cannot configure auto-pause for dedicated SQL pool.

43
MCQmedium

You are designing a data ingestion pipeline for Azure Synapse Analytics. The pipeline will load sensitive financial data from an on-premises SQL Server to a dedicated SQL pool. The data must be encrypted at rest and in transit. Which combination of features should you use?

A.Use Always Encrypted in SQL Server and Azure Key Vault for column encryption.
B.Enable Azure Disk Encryption on the source server and use a VPN gateway.
C.Implement client-side encryption using Azure Storage client library and store keys in Microsoft Purview.
D.Use Azure Synapse Transparent Data Encryption (TDE) and enforce TLS 1.2 for connections.
AnswerD

TDE encrypts data at rest in Synapse, and TLS secures data in transit.

Why this answer

Option C is correct because Transparent Data Encryption (TDE) encrypts data at rest in the dedicated SQL pool, and TLS ensures encryption in transit. Option A is wrong because Always Encrypted is for column-level encryption, not for the entire pipeline. Option B is wrong because Azure Disk Encryption is for IaaS VMs, not for Azure Synapse.

Option D is wrong because client-side encryption is not built-in for Synapse ingestion.

44
MCQmedium

You are designing a solution to monitor the performance of Azure Synapse Analytics dedicated SQL pools. You need to identify queries that are consuming more than 100 GB of memory and have been running for more than 30 minutes. Which DMV should you query?

A.sys.dm_pdw_resource_waits
B.sys.dm_pdw_nodes
C.sys.dm_pdw_exec_requests
D.sys.dm_pdw_waits
AnswerC

Contains memory and duration columns for queries.

Why this answer

Option B is correct because sys.dm_pdw_exec_requests provides query execution details including memory and duration. Option A is wrong because sys.dm_pdw_nodes is for node-level info. Option C is wrong because sys.dm_pdw_resource_waits shows waits, not memory usage.

Option D is wrong because sys.dm_pdw_waits shows wait types, not memory consumption.

45
MCQmedium

You are optimizing an Azure Data Factory pipeline that moves data from Azure Blob Storage to Azure SQL Database. The pipeline currently uses a Copy activity with a staging setting enabled. You notice high DTU consumption on the Azure SQL Database during the copy operation. How can you reduce the impact on the source database?

A.Configure the Copy activity to use staging with Azure Blob Storage and then use a stored procedure to bulk insert.
B.Use PolyBase to load data directly from Blob Storage to Azure SQL Database.
C.Enable parallel copy in the Copy activity settings.
D.Increase the DTU of the Azure SQL Database to handle the load.
AnswerA

Staging allows the copy to offload transformation to Blob Storage, and bulk insert reduces DTU consumption.

Why this answer

PolyBase is for bulk loads in Azure Synapse Analytics (not SQL Database), but the target here is Azure SQL Database. For SQL Database, using a staging blob and then bulk insert can reduce DTU consumption.

Option A (increase DTU) is scaling, not reduction. Option B (use PolyBase) is for Synapse. Option C (use staging copy with Azure Blob Storage and then use bulk insert) is correct.

Option D (use parallel copy) increases throughput but also DTU.

46
Multi-Selecthard

Which TWO actions should you take to secure access to Azure Data Lake Storage Gen2 when using Azure Synapse Analytics serverless SQL pools? (Choose two.)

Select 2 answers
A.Enable firewall rules and virtual network service endpoints for the storage account.
B.Use managed identity authentication from the serverless SQL pool to the storage account.
C.Use a service principal with a client secret to access the storage account.
D.Generate a shared access signature (SAS) token for the storage account and store it securely.
E.Use Azure Active Directory (Azure AD) passthrough authentication for the serverless pool.
AnswersA, B

Network restrictions reduce the attack surface.

Why this answer

Options A and D are correct. A: Enabling firewall and virtual network rules restricts network access. D: Using managed identity for authentication avoids storing credentials.

Option B is wrong because Azure AD passthrough is only for dedicated SQL pools, not serverless. Option C is wrong because service principal is less secure than managed identity. Option E is wrong because shared access signatures should be avoided for security.

47
MCQeasy

You have an Azure Synapse Analytics serverless SQL pool. You need to monitor the number of queries that are currently executing. Which dynamic management view should you query?

A.sys.dm_resource_governor_workload_groups
B.sys.dm_exec_query_stats
C.sys.dm_exec_requests
D.sys.dm_exec_sessions
AnswerC

This DMV returns information about each request currently executing.

Why this answer

Option A is correct because sys.dm_exec_requests shows currently executing requests in serverless SQL pool. Option B is wrong because sys.dm_exec_sessions shows sessions, not executing queries. Option C is wrong because sys.dm_exec_query_stats shows cumulative statistics.

Option D is wrong because sys.dm_resource_governor_workload_groups shows workload group configuration.

48
MCQeasy

You need to monitor resource usage for an Azure Synapse Analytics dedicated SQL pool. Which dynamic management view (DMV) should you query to see current query execution status?

A.sys.dm_pdw_nodes_db_size
B.sys.dm_pdw_os_performance_counters
C.sys.dm_pdw_exec_requests
D.sys.dm_pdw_nodes_resource_usage
AnswerC

Shows current and recent requests with status.

Why this answer

sys.dm_pdw_exec_requests provides information about all requests currently executing or recently executed in the dedicated SQL pool. Option A is for resource usage, Option B is for database sizes, Option D is for distribution states.

49
MCQhard

You are configuring Microsoft Purview to scan an Azure Data Explorer (ADX) cluster. You define the JSON shown in the exhibit. However, the scan fails with an authentication error. What is the most likely cause?

A.The ADX cluster is behind a firewall and Purview cannot connect.
B.The database name in the scan configuration is incorrect.
C.The ADX cluster does not have a managed identity enabled for Purview.
D.The region of the ADX cluster does not match the Purview account region.
AnswerC

Purview uses managed identity for authentication; it must be enabled.

Why this answer

Option C is correct because Purview requires a system-assigned managed identity (or user-assigned) to be enabled on the ADX cluster and granted permissions. Option A (firewall) could be a cause, but the error is authentication specifically. Option B (region mismatch) is not a common issue.

Option D (incorrect database) would cause a different error.

50
MCQeasy

You are designing a data pipeline that uses Azure Data Factory to copy data from an Azure SQL database to Azure Data Lake Storage Gen2. The data contains personally identifiable information (PII) that must be masked. Which Data Factory feature should you use?

A.Use a copy activity with a query to select only non-PII columns.
B.Use a stored procedure activity to mask data in the source before copy.
C.Enable staging on the copy activity to use PolyBase.
D.Use a mapping data flow to apply a mask transformation on PII columns.
AnswerD

Data flows support mask transformations.

Why this answer

Option B is correct because Data Factory data flows allow column-level transformations including data masking. Option A is wrong because copy activity only copies data without transformation. Option C is wrong because stored procedures run on the source, not during copy.

Option D is wrong because staging is for bulk copy performance, not masking.

51
Multi-Selecteasy

Which TWO Azure services can be used to audit data access and changes in Azure Data Lake Storage Gen2? (Choose two.)

Select 2 answers
A.Microsoft Entra ID sign-in logs.
B.Azure Backup reports.
C.Storage account diagnostic settings.
D.Azure Monitor and Microsoft Sentinel.
E.Azure Policy.
AnswersC, D

Diagnostic settings log read/write operations.

Why this answer

Options B and C are correct. Diagnostic settings in storage accounts capture logs, and Azure Monitor integrates with Microsoft Sentinel for security monitoring. Option A is wrong because Azure Policy is for compliance, not auditing data access.

Option D is wrong because Microsoft Entra ID is for identity, not logging. Option E is wrong because Azure Backup is for data protection, not auditing.

52
MCQeasy

Your company uses Azure Data Lake Storage Gen2 as a data lake. You need to monitor for unauthorized access attempts and ensure compliance with regulatory requirements. You want to be alerted when someone attempts to access data without proper permissions. What should you configure?

A.Assign RBAC roles to limit access and rely on Azure Activity Log.
B.Configure Azure Policy to audit storage account access.
C.Enable diagnostic settings for the storage account, send logs to Log Analytics, and create an alert rule for 'StorageRead' failures.
D.Enable Azure Sentinel and connect storage logs.
AnswerC

Diagnostic logs capture detailed access, alerts can be set on specific conditions.

Why this answer

Option D is correct because diagnostic settings send logs to Log Analytics, and Azure Monitor alerts can be created to detect unauthorized access. Option A is wrong because Azure Policy is for governance, not real-time alerts. Option B is wrong because RBAC is for access control, not monitoring.

Option C is wrong because Azure Sentinel is for SIEM, but a simpler solution is Log Analytics alerts.

53
Multi-Selecthard

Which TWO Azure services can be used to monitor data pipeline runs and set up alerts for failures in Azure Data Factory?

Select 2 answers
A.Azure Data Factory monitoring views
B.Azure Log Analytics
C.Azure Sentinel
D.Azure Monitor
E.Azure Automation
AnswersA, D

Azure Data Factory provides built-in monitoring views and can integrate with Azure Monitor for alerts.

Why this answer

Options A and D are correct. Azure Monitor is the primary service for monitoring and alerts; Azure Data Factory metrics and logs are sent to Azure Monitor. Option B is wrong because Azure Sentinel is for security, not pipeline monitoring.

Option C is wrong because Log Analytics is part of Azure Monitor but not the service name for alerting. Option E is wrong because Azure Automation is for automation, not monitoring.

54
MCQeasy

You are monitoring an Azure Data Factory pipeline that runs hourly. You notice that the pipeline occasionally fails due to transient errors. Which monitoring solution should you use to get alerts on failures and analyze trends over time?

A.Azure Event Grid subscription for pipeline failures
B.Azure Monitor with Log Analytics workspace
C.Azure Dashboard pinned with pipeline metrics
D.Azure Data Factory Monitor in the Azure portal
AnswerB

Provides alerting and long-term trend analysis via KQL queries.

Why this answer

Option B is correct because Azure Monitor with alerts and Log Analytics provides historical analysis and alerting. Option A (Data Factory Monitor) is for real-time monitoring but lacks long-term trend analysis. Option C (Azure Dashboard) is a visualization tool.

Option D (Event Grid) is for event-driven notifications, not analysis.

55
Multi-Selectmedium

Which TWO actions should you take to secure data at rest in Azure Synapse Analytics dedicated SQL pools?

Select 2 answers
A.Use Always Encrypted with secure enclaves for specific columns.
B.Implement column-level security to filter sensitive columns.
C.Enable Transparent Data Encryption (TDE) on the SQL pool.
D.Configure Dynamic Data Masking on tables containing sensitive data.
E.Assign Azure RBAC roles to restrict access to the storage account.
AnswersA, C

Always Encrypted protects data at rest and in use.

Why this answer

Option A is correct: Transparent Data Encryption (TDE) encrypts data at rest without application changes. Option D is correct: Always Encrypted protects sensitive columns with client-side encryption. Option B (Dynamic Data Masking) is for masking data in query results, not at rest.

Option C (Azure RBAC) is for access control, not encryption. Option E (Column-level security) is for access control, not encryption.

56
MCQhard

A company uses Azure Synapse Analytics serverless SQL pool to query data in Azure Data Lake Storage Gen2. They notice that queries are slow and want to improve performance by reducing the amount of data read. What is the most effective strategy?

A.Partition the data by a frequently filtered column and use file elimination in queries.
B.Increase the number of compute nodes in the serverless pool.
C.Use OPENROWSET with CSV format instead of Parquet.
D.Create external tables using CETAS and query them.
AnswerA

Partitioning allows the serverless pool to skip irrelevant partitions, reducing data scanned.

Why this answer

Option A is correct because partitioning the data in the lake and using partition elimination reduces data read. Option B is wrong because OPENROWSET with CSV reads all files; it does not reduce data read. Option C is wrong because CETAS is for creating external tables, not for improving query performance directly.

Option D is wrong because increasing the number of compute nodes is not possible in serverless; it's auto-scaling.

57
Multi-Selecteasy

Which TWO Azure features can be used to encrypt data at rest in Azure Blob Storage? (Choose two.)

Select 2 answers
A.Azure Disk Encryption
B.Azure Information Protection
C.Customer-managed keys in Azure Key Vault
D.Storage Service Encryption (SSE)
E.Transport Layer Security (TLS)
AnswersC, D

CMK allows customers to control encryption keys for SSE.

Why this answer

Options A and C are correct. A: Storage Service Encryption (SSE) encrypts data at rest by default. C: Customer-managed keys in Azure Key Vault provide additional control over encryption keys.

Option B is wrong because Azure Disk Encryption is for VMs. Option D is wrong because TLS is for data in transit. Option E is wrong because Azure Information Protection is for classification, not encryption at rest.

58
Multi-Selecthard

You are optimizing the performance of an Azure Synapse Analytics dedicated SQL pool. Which THREE of the following actions will most likely improve query performance?

Select 3 answers
A.Create materialized views for frequently used aggregations
B.Use a smaller distribution column to improve data distribution
C.Partition large fact tables on a date column
D.Enable result-set caching for repetitive queries
E.Convert all tables to heap tables to avoid index maintenance
AnswersA, C, D

Materialized views store precomputed results, speeding up queries.

Why this answer

Option A is correct because partitioning large tables can reduce data scanned. Option B is correct because materialized views precompute aggregations. Option D is correct because result-set caching speeds up repeated queries.

Option C is wrong because smaller distribution columns can cause data skew. Option E is wrong because converting to heap tables is for staging data, not performance optimization.

59
MCQeasy

You need to ensure that an Azure Data Factory pipeline retries a failed activity up to three times with a 5-minute delay between retries. How should you configure the activity?

A.Configure the Retry policy on the pipeline activity as 'Exponential' with count 3
B.Set retry to 3 and retryIntervalInSeconds to 300 in the activity policy
C.Set the activity timeout to 15 minutes and enable retry
D.Set maxRetries to 3 and delay to 5 minutes in the pipeline JSON
AnswerB

This configures 3 retries with 300 seconds (5 minutes) interval.

Why this answer

The retry property in activity policy sets the number of retries, and retryIntervalInSeconds sets the delay. Option B is wrong because there is no 'maxRetries' property; it's 'retry'. Option C is wrong because 'retryPolicy' is not a property; retry is at the activity level.

Option D is wrong because timeout is separate from retry.

60
MCQmedium

You are optimizing a Slowly Changing Dimension (SCD) Type 2 load in Azure Synapse Analytics. The dimension table has 10 million rows. Which table distribution strategy minimizes data movement during the merge operation?

A.Round-robin distribution
B.Hash distribution on the surrogate key
C.Replicated distribution
D.Hash distribution on the business key
AnswerD

Hash on business key ensures same key values land on same distribution, minimizing data movement.

Why this answer

Option D is correct because Hash distribution on the business key (surrogate key source) ensures that matching rows are co-located, reducing data movement during MERGE. Option A is wrong because Round-robin distributes randomly, causing data movement. Option B is wrong because Replicated works for small tables, not 10 million rows.

Option C is wrong because Hash on an unrelated column does not help.

61
Multi-Selecthard

Your organization uses Azure Data Lake Storage Gen2 with hierarchical namespace enabled. You need to implement a monitoring strategy to detect and alert on unusual access patterns that could indicate a security breach. Which THREE services or features should you use? (Choose three.)

Select 3 answers
A.Enable Microsoft Defender for Storage to get security alerts about unusual access patterns.
B.Apply Azure Policy to enforce encryption and access policies.
C.Ingest the logs into Microsoft Sentinel and create analytics rules for anomalous patterns.
D.Enable diagnostic settings on the storage account to collect read, write, and delete logs.
E.Use Azure Monitor Metrics to track storage account transactions and latency.
AnswersA, C, D

Correct: Defender for Storage provides built-in threat detection for Azure Storage.

Why this answer

Options A, B, and D are correct. A: Diagnostic settings stream logs to Log Analytics. B: Microsoft Sentinel provides advanced security analytics.

D: Microsoft Defender for Storage detects anomalies. Option C is wrong because Azure Monitor Metrics do not include access logs. Option E is wrong because Azure Policy is for governance, not monitoring.

62
MCQeasy

You use Azure Data Lake Storage Gen2 with a hierarchical namespace. You need to delegate permissions to a group of data scientists so they can create folders and upload files only within a specific directory path. What is the best way to achieve this?

A.Use a stored access policy to grant permissions to the directory.
B.Set ACL entries on the specific directory path granting read, write, and execute permissions to the users.
C.Generate a shared access signature (SAS) with permissions scoped to the specific directory.
D.Assign the Storage Blob Data Contributor role to the users at the storage account level.
AnswerB

Correct: ACLs allow fine-grained permissions on directories and files.

Why this answer

Option B is correct because Azure Data Lake Storage Gen2 supports POSIX-like ACLs that can be set on directory paths to grant granular permissions. Option A is wrong because RBAC roles are scoped to the entire storage account or container, not subdirectories. Option C is wrong because SAS tokens are scoped to the entire storage account or container.

Option D is wrong because access policies are for shared access signatures, not granular directory permissions.

63
Multi-Selectmedium

Which TWO security features should be implemented to protect data in Azure Data Lake Storage Gen2?

Select 2 answers
A.Role-based access control (RBAC)
B.Azure Policy
C.Azure Active Directory (Microsoft Entra ID) integration
D.Firewall and virtual network rules
E.Azure Monitor alerts
AnswersA, D

RBAC controls access to storage account resources at the management plane and data plane for certain operations.

Why this answer

Options A and D are correct: RBAC provides coarse-grained access control, and firewall rules restrict network access. Option B is wrong because Azure AD (Microsoft Entra ID) is used for authentication, but it's not a security feature specific to data protection. Option C is wrong because Azure Policy is for governance, not direct data protection.

Option E is wrong because Azure Monitor is for monitoring, not security.

64
MCQhard

You are a data engineer for a healthcare company. You have a production Azure Synapse Analytics dedicated SQL pool (DW500c) that hosts patient data. The pool is used for both ETL and reporting. You need to ensure that reporting queries always get resources even during heavy ETL loads. You also need to monitor query performance and set up alerts when certain queries exceed a threshold. You have configured workload management using workload groups and classifiers. However, reporting queries are still waiting for resources when ETL is running. You check the sys.dm_pdw_exec_requests DMV and see that ETL queries are using the largest resource class. You need to modify the configuration to guarantee resources for reporting. What should you do?

A.Create a new workload group for reporting with min_percentage_resource set to 30%
B.Set importance to HIGH for the reporting workload group
C.Increase the DWU setting to DW1000c
D.Change the classifier for reporting queries to use the same workload group as ETL but with a different resource class
AnswerA

Guarantees a minimum resource allocation for reporting.

Why this answer

Workload isolation is achieved by creating separate workload groups with minimum resource allocation. By setting minimum resources for the reporting workload group, it ensures a baseline of resources even during heavy ETL. Option A (increase DWU) is costly and may not isolate.

Option B (importance) helps but without min resources, high concurrency can still starve. Option D (change classifier) does not guarantee resources.

65
MCQeasy

Your company uses Azure Data Lake Storage Gen2. You need to ensure that data at rest is encrypted using a customer-managed key stored in Azure Key Vault. What should you configure?

A. Use Azure Policy to audit storage accounts without encryption.
B. Enable 'Azure Storage encryption' with customer-managed keys in the storage account's encryption blade.
C. Implement client-side encryption in the application code.
D. Enable 'Infrastructure encryption' for double encryption.
Answer: B

This configures server-side encryption with CMK.

Why this answer

Option B is correct because Azure Storage encryption with customer-managed keys is configured at the storage account level. Option D is wrong because infrastructure encryption is an additional layer. Option C is wrong because client-side encryption is done by the application, not at rest.

Option A is wrong because Azure Policy can enforce encryption but does not configure it.

66
MCQ · hard

You are designing a data lake in Azure Data Lake Storage Gen2 for a large enterprise. You need to ensure that only authorized users can access the data, and you must implement the principle of least privilege. Which security mechanism should you use to grant fine-grained access to specific directories and files without modifying the underlying storage account firewall settings?

A. Azure RBAC roles combined with POSIX-like ACLs
B. Managed identities for Azure resources
C. Storage account firewall rules
D. Shared access signatures (SAS)
Answer: A

RBAC roles grant coarse permissions (e.g., Storage Blob Data Contributor) while ACLs provide fine-grained permissions on directories and files, enabling least privilege.

Why this answer

Option A is correct because Azure RBAC with ACLs allows fine-grained permissions at the directory and file level. Option D is wrong because SAS tokens grant time-limited access but are not fine-grained. Option B is wrong because managed identities provide identity-based access but still require RBAC or ACLs for fine-grained control.

Option C is wrong because firewall rules apply at the account level, not directory/file level.

67
MCQ · easy

You are configuring Azure Synapse Analytics dedicated SQL pool. To optimize query performance for a large fact table that is frequently filtered on date and region columns, which table distribution and indexing strategy should you recommend?

A. Hash distribution on date column with clustered index.
B. Replicated distribution with heap index.
C. Round-robin distribution with clustered index.
D. Hash distribution on region column with clustered columnstore index.
Answer: D

Hash distribution on a high-cardinality column improves joins and filtering; columnstore is efficient for large tables.

Why this answer

Option D is correct because hash distribution on region spreads data evenly if region has high cardinality, and clustered columnstore index is optimal for large fact tables. Option C is wrong because round-robin distribution is for staging tables. Option B is wrong because heap index is for temporary data.

Replicated distribution, the other half of option B, is for small dimension tables.

68
Multi-Select · hard

You are optimizing an Azure Synapse Analytics dedicated SQL pool that is experiencing high concurrency and frequent resource class contention. You need to improve query performance and reduce contention without changing the workload. Which two actions should you take? (Choose two.)

Select 2 answers
A. Increase the DWU (Data Warehouse Units) to allocate more resources.
B. Implement workload isolation to separate critical queries into dedicated resource groups.
C. Create materialized views to pre-aggregate data.
D. Use workload classification to assign importance and resource allocation to different queries.
E. Enable result set caching to reduce repeated query execution.
Answers: B, D

Workload isolation prevents resource contention by allocating dedicated resources to specific workloads.

Why this answer

Options B and D are correct. Workload isolation and workload classification help manage resource allocation and reduce contention. Option A is wrong because increasing DWU may help but does not address contention directly.

Option E is wrong because result set caching helps read workloads but not contention. Option C is wrong because materialized views improve performance but do not reduce contention.

69
MCQ · medium

You are configuring security for an Azure Synapse Analytics workspace that uses a serverless SQL pool. The workspace is connected to Azure Data Lake Storage Gen2 via a managed identity. You need to ensure that only the Synapse workspace can access the storage account, and no other Azure service or user can access it directly. The storage account should not be accessible from the public internet. What should you do?

A. Configure the storage account firewall to allow only the Synapse workspace's public IP address.
B. Enable 'Allow trusted Microsoft services to access this storage account' on the firewall.
C. Use Azure RBAC to assign the Storage Blob Data Contributor role to the Synapse workspace managed identity.
D. Configure a private endpoint for the storage account in the same virtual network as the Synapse workspace, and disable public network access.
Answer: D

Private endpoint ensures private connectivity; disabling public access restricts others.

Why this answer

Option D is correct because a private endpoint for the storage account, combined with disabling public network access, ensures only the Synapse workspace can access it via the managed identity. Option A is wrong because firewall rules alone do not restrict access to a specific service. Option B is wrong because allowing trusted Microsoft services is broader than just Synapse.

Option C is wrong because managed identity alone does not restrict network access.

70
MCQ · medium

Your Azure Synapse Analytics dedicated SQL pool is experiencing performance degradation. You notice that some queries are being queued due to resource class conflicts. What should you implement to optimize performance and reduce queuing?

A. Scale the dedicated SQL pool to a higher DWU level
B. Configure workload management with workload groups and classifiers
C. Create materialized views for the most common aggregations
D. Enable result-set caching for frequently run queries
Answer: B

Workload management allows you to assign appropriate resources to queries based on their priority, reducing conflicts.

Why this answer

Option B is correct because workload management in Synapse allows you to assign queries to different workload groups with resource classes, preventing conflicts. Option A is wrong because scaling the pool adds cost and may not resolve the specific resource class conflict. Option D is wrong because result-set caching does not address concurrency issues.

Option C is wrong because materialized views improve query performance but do not resolve queuing.

71
MCQ · easy

You have an Azure Data Factory pipeline that copies data from an FTP server to Azure Blob Storage. The pipeline runs successfully most of the time, but occasionally fails with a 'FTP server connection refused' error during peak hours. You need to minimize these failures with minimal cost. What should you do?

A. Add a retry policy to the copy activity with a backoff interval.
B. Set up Azure ExpressRoute to improve network reliability.
C. Migrate the FTP server to SFTP.
D. Increase the parallel copy count in the copy activity.
Answer: A

Retry with backoff handles transient connection failures.

Why this answer

Option A is correct because adding a retry policy with a short delay handles transient connection issues. Option D is wrong because increasing the number of parallel copies does not solve connection refused errors. Option B is wrong because Azure ExpressRoute is costly and unnecessary for FTP.

Option C is wrong because migrating to SFTP may not resolve connection refused if the server is overloaded.

72
MCQ · hard

You are designing a data processing solution using Azure Synapse Analytics serverless SQL pool. The solution will query data stored in Parquet files in Azure Data Lake Storage Gen2. You need to ensure that the queries are optimized for performance. Which action should you take?

A. Increase the MAXDOP setting in the query.
B. Convert the Parquet files to CSV format for faster parsing.
C. Create materialized views on the external tables.
D. Partition the Parquet files by date and use partition pruning in the query.
Answer: D

Partition pruning limits the data scanned, improving performance.

Why this answer

Option D is correct because partitioning the data by a commonly filtered column, such as date, allows the serverless SQL pool to use partition elimination, reducing the amount of data scanned. Option A is wrong because increasing MAXDOP may not help and can cause resource contention. Option B is wrong because using OPENROWSET with CSV is less efficient than Parquet.

Option C is wrong because materialized views are not supported in serverless SQL pool.

73
Multi-Select · medium

Which TWO actions should you take to ensure that data at rest is encrypted in Azure Synapse Analytics dedicated SQL pool?

Select 2 answers
A. Enable Always Encrypted with secure enclaves.
B. Enable infrastructure-level encryption using double encryption.
C. Apply column-level encryption using ENCRYPTBYPASSPHRASE.
D. Create a customer-managed key in Azure Key Vault.
E. Enable Transparent Data Encryption (TDE) using service-managed keys.
Answers: B, E

Azure Storage double encryption provides additional layer at rest.

Why this answer

Options B and E are correct. TDE encrypts data at rest for dedicated SQL pool, and enabling double encryption provides additional protection. Option A is wrong because Always Encrypted is for client-side encryption, not at rest.

Option C is wrong because column-level encryption is for specific columns, not the whole pool. Option D is wrong because creating a customer-managed key is only part of TDE configuration, not a separate action.

74
Multi-Select · hard

Your organization uses Azure Purview for data governance. You need to ensure that sensitive data is properly classified and that access to it is monitored. Which THREE actions should you take? (Choose three.)

Select 3 answers
A. Define Azure Policy initiatives to enforce classification on all storage accounts.
B. Use Azure Sentinel to classify data as it is ingested.
C. Create custom sensitivity labels in Microsoft Purview Information Protection and apply them to data sources.
D. Integrate Azure Purview with Microsoft Defender for Cloud Apps to monitor access to sensitive data.
E. Set up automated scanning in Azure Purview to discover and classify sensitive data.
Answers: C, D, E

Correct: Sensitivity labels help enforce protection policies and are used in monitoring.

Why this answer

Options C, D, and E are correct. E: Automated scanning classifies data. C: Labeling helps in applying sensitivity tags.

D: Microsoft Defender for Cloud Apps can monitor access and generate alerts. Option A is wrong because Azure Policy does not directly classify or monitor data access. Option B is wrong because Azure Sentinel is for security incident detection, not data classification.

75
MCQ · easy

You are designing a data pipeline in Azure Data Factory that processes streaming data from Azure Event Hubs and stores it in Azure Data Lake Storage Gen2. The data must be encrypted at rest and in transit. Which configuration ensures encryption in transit?

A. Enable encryption at rest using Azure Storage Service Encryption.
B. Use HTTPS endpoint for Azure Data Lake Storage Gen2.
C. Configure the Azure Data Factory integration runtime to use TLS 1.2.
D. Deploy Azure Firewall to inspect traffic between Event Hubs and Data Lake.
Answer: B

HTTPS encrypts data in transit.

Why this answer

Option B is correct because HTTPS ensures encryption in transit. Option A is wrong because encryption at rest does not cover transit. Option C is wrong because TLS is used for SQL connections, not for Data Lake.

Option D is wrong because Azure Firewall does not provide encryption.
