Microsoft Practice Test Questions Flashcards

(100 cards)

1
Q

You have an Azure subscription that contains two virtual networks named VNet1 and VNet2. You need to ensure that the resources on both VNet1 and VNet2 can communicate seamlessly between both networks. What should you configure from the Azure portal? Select only one answer.

connected devices
firewall
peerings
service endpoints

A

peerings

You can connect virtual networks to each other with virtual network peering. Once the virtual networks are peered, the resources on both virtual networks can communicate with each other with the same latency and bandwidth as though the resources were on the same virtual network.

1
Q

You have an Azure subscription that contains a virtual network named VNet1 and a virtual machine named VM1. VM1 can only be accessed from the internal network. An external contractor needs access to VM1. The solution must minimize administrative effort. What should you configure? Select only one answer.

a public IP address
a second private IP address
a Site-to-Site (S2S) VPN
Azure Firewall

A

a public IP address

To share a virtual machine with an external user, you must add a public IP address to the virtual machine. An additional IP address or firewall configuration will not help in this case. Configuring a S2S VPN does not have minimal administrative effort.

2
Q

You have an Azure subscription that contains network security groups (NSGs). Which two resources can be associated with an NSG? Each correct answer presents a complete solution. Select all answers that apply.

Virtual networks
Virtual machines
network interfaces
subnets

A

network interfaces
subnets

You can assign a network security group (NSG) to a network interface. NSGs can be associated with subnets or individual virtual machine instances within that subnet. When an NSG is associated with a subnet, the access control list (ACL) rules apply to all virtual machine instances of that subnet.

3
Q

You have an Azure subscription that contains two resource groups named RG1 and RG2.

RG1 contains the following resources:
A virtual network named VNet1 located in the East US Azure region
A network security group (NSG) named NSG1 located in the West US Azure region
RG2 contains the following resources:
A virtual network named VNet2 located in the East US Azure region
A virtual network named VNet3 located in the West US Azure region
You need to associate NSG1. To which subnets can you associate NSG1? Select only one answer.

the subnets of all the virtual networks
the subnets of VNet1 only
the subnets of VNet1 and VNet2
the subnets of VNet3 only

A

the subnets of VNet3 only

You can assign an NSG to the subnet of a virtual network that is in the same region as the NSG, and NSG1 is in the West US region.

4
Q

You create several Azure virtual machines that run Windows Server.
You need to connect to the virtual machines without exposing RDP ports over the internet. Which Azure service should you deploy? Select only one answer.

Azure Bastion
Azure Front Door
Azure Network Watcher
Azure Virtual Desktop

A

Azure Bastion

Azure Bastion is a service that lets you connect to a virtual machine by using a browser, without exposing RDP and SSH ports. Azure Monitor helps you maximize the availability and performance of applications and services. Azure Network Watcher provides tools to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network. Remote Desktop is a feature of the operating system, which exposes the RDP port to connect to a server from the internet.

5
Q

You have an Azure subscription that contains a resource group named RG1.
You plan to create and configure a network security group (NSG) named NSG1 for the following types of traffic:
Remote Desktop Management
HTTP
NSG1 will be used on the subnets of multiple virtual networks.
Which two cmdlets should you run? Each correct answer presents part of the solution. Select all answers that apply.

Add-AzLoadBalancerFrontendIpConfig
Add-AzNetworkInterfaceTapConfig
New-AzNetworkSecurityGroup
New-AzNetworkSecurityRuleConfig

A

New-AzNetworkSecurityGroup
New-AzNetworkSecurityRuleConfig

New-AzNetworkSecurityRuleConfig allows you to create a rule and provide the type, protocol, direction, and port number. New-AzNetworkSecurityGroup creates a network security group (NSG). -SecurityRules specifies a list of network security rule objects to create in an NSG.

6
Q

You have an Azure subscription that contains an ASP.NET application. The application is hosted on four Azure virtual machines that run Windows Server. You have a load balancer named LB1 that load balances requests to the virtual machines. You need to ensure that site users connect to the same web server for all requests made to the application. Which two actions should you perform? Each correct answer presents part of the solution. Select all answers that apply.

Configure an inbound NAT rule.
Set Session persistence to Client IP.
Set Session persistence to None.
Set Session persistence to Protocol.

A

Set Session persistence to Client IP.
Set Session persistence to Protocol.

By setting Session persistence to Client IP and Protocol, you ensure that site users connect to the same web server for all requests made to the application. Setting Session persistence to None disables sticky sessions and an inbound NAT rule is used to forward traffic from a load balancer frontend to a backend pool.

7
Q

You have an Azure subscription. You plan to implement four Azure virtual networks that will be peered. All virtual machines will use a DNS suffix of contoso.com. You need to configure name resolution for the virtual networks to ensure that all the virtual machines can communicate by using their FQDNs. The solution must minimize administrative effort. What should you use? Select only one answer.

a DNS server on an Azure virtual machine
an Azure Private DNS zone
an Azure public DNS zone
Azure-provided name resolution

A

an Azure Private DNS zone

Azure Private DNS allows for private name resolution between Azure virtual networks. Azure public DNS provides DNS for public access, such as name resolution for a publicly accessible website. Azure-provided name resolution does not support user-defined domain names and only supports a single virtual network. A DNS server on a virtual machine can also be used to achieve the goal but involves much more administrative effort to implement and maintain than using Azure Private DNS.

8
Q

You have an Azure subscription that contains four virtual machines. Each virtual machine is connected to a subnet on a different virtual network. You install the DNS Server role on a virtual machine named VM1. You configure each virtual network to use the IP address of VM1 as the DNS server. You need to ensure that all four virtual machines can resolve IP addresses by using VM1. What should you do? Select only one answer.

Configure a DNS server on all four virtual machines.
Configure network peering.
Create and associate a route table to all four subnets.
Create Site-to-Site (S2S) VPNs.

A

Configure network peering.

By default, Azure virtual machines can communicate only with other virtual machines that are connected to the same virtual network. If you want a virtual machine to communicate with other virtual machines that are connected to other virtual networks, you must configure network peering. A route table controls how network traffic is routed, but without network peering, network traffic is still limited to a single virtual network. Configuring a Site-to-Site (S2S) VPN is incorrect because you are not connecting on-premises virtual machines to the cloud.

9
Q

Your organization uses an Azure Load Balancer to manage traffic for VMs hosting a web application. Users experience uneven traffic distribution, with some VMs receiving more traffic than others. You need to configure the load balancer to ensure even traffic distribution across all VMs in the backend pool. What should you do? Select only one answer.

Add more VMs to the pool.
Adjust the load balancing rule settings.
Disable session persistence.
Enable session persistence (source IP affinity).

A

Disable session persistence.

Disabling session persistence ensures even traffic distribution by removing any affinity that directs traffic to the same VM. Adjusting the load balancing rule settings might seem like a solution but does not address the root cause of uneven distribution. Enabling source IP affinity maintains session persistence, potentially exacerbating the uneven distribution of traffic. Adding more VMs does not solve the distribution issue caused by session persistence settings.

10
Q

You have an Azure virtual network named VNet1. You need to ensure that email is sent to an administrator when a virtual machine is connected to VNet1. What should you create? Select only one answer.

an action group
an alert processing rule
an alert rule
a mail-enabled security group

A

an alert rule

Azure Monitor alerts proactively notify you when important conditions are found in monitoring data. They allow you to identify and address issues in the system before customers notice them. You can set alerts on metrics, logs, and the activity log. Different types of alerts have benefits and drawbacks. Metrics is a feature of Azure Monitor that collects numeric data from monitored resources into a time-series database. Metrics are numerical values that are collected at regular intervals and describe some aspect of a system at a particular time.

When Azure Monitor data indicates that there may be an issue with an infrastructure or application, an alert is triggered. Azure Monitor, Azure Service Health, and Azure Advisor then use action groups to notify users about the alert and take action. An action group is a collection of notification preferences defined by the owner of an Azure subscription.

11
Q

You have an Azure subscription that contains a resource group named RG1. RG1 contains two virtual machines named VM1 and VM2. You need to inspect all the network traffic from VM1 to VM2. The solution must use Azure Monitor metrics. Which two actions should you perform? Each correct answer presents part of the solution. Select all answers that apply.

Configure a log alert.
Configure Network In and Network Out.
Install AzureNetworkWatcherExtension.
Use packet capture.

A

Install AzureNetworkWatcherExtension.
Use packet capture.

Azure Network Watcher variable packet capture allows you to create packet capture sessions to track traffic to and from a virtual machine. Packet capture helps to diagnose network anomalies both reactively and proactively.

12
Q

You plan to provision an Azure subscription that will contain the following virtual networks:

VNet1 in the East US Azure region with two subnets
VNet2 in the East US region with four subnets
VNet3 in the West Europe Azure region with four subnets
VNet4 in the West Europe region with two subnets
How many Azure Network Watcher instances will be provisioned as part of the deployment? Select only one answer.

1
2
4
12

A

2

Azure Network Watcher is a regional service that allows you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. When you create or update a virtual network in a subscription, Network Watcher will be enabled automatically in the virtual network’s region. There is no impact on resources or associated charges for automatically enabling Network Watcher.

13
Q

You have an Azure subscription that contains 20 virtual networks and 500 virtual machines. You deploy a new virtual machine named VM501. You discover that VM501 is unable to communicate with a virtual machine named VM20 in the subscription. You suspect that a network security group (NSG) is the cause of the issue. You need to identify whether an NSG is blocking communications. The solution must minimize administrative effort. What should you use? Select only one answer.

diagnostic logs
IP flow verify
NSG flow logs
packet capture

A

IP flow verify

IP flow verify lets you specify a source and destination IPv4 address, port, protocol (TCP or UDP), and traffic direction (inbound or outbound). IP flow verify can identify the specific network security group (NSG) that prevents communication. NSG flow logs is a feature of Azure Network Watcher that allows you to log information about IP traffic flowing through an NSG. Although the logs may help you identify the source of the issue, it requires much more configuration and manual evaluation. Packet capture allows you to create packet capture sessions to track traffic to and from a virtual machine. Packet capture may help narrow down the scope of the issue, but it will not identify the specific NSG that prevents communication.

14
Q

You have a Log Analytics workspace that collects data from various data sources. You create a new Azure Monitor log query. You plan to view data pinned as a chart to a shared dashboard. What is the maximum number of days for which data can be shown on the shared dashboard? Select only one answer.

14
30
90
180

A

30

Data shown on a shared dashboard can only be displayed for a maximum of 30 days.

15
Q

You have an Azure virtual machine named Server1 that runs Windows Server. You need to configure Azure Backup to back up files and folders. What should you install on Server1? Select only one answer.

Microsoft Azure Backup Server (MABS)
Microsoft Azure Site Recovery Provider
the Azure Connected Machine agent
the Microsoft Azure Recovery Services (MARS) agent

A

the Microsoft Azure Recovery Services (MARS) agent

The Microsoft Azure Recovery Services (MARS) agent must be installed on the servers. The MARS agent is mandatory to perform backup and recovery services for any servers.

16
Q

You have an Azure virtual machine that you back up by using Azure Backup. The backup policy sub type is Standard, and the backup policy has the following configurations:

Backup schedule frequency: Weekly
Retain instant recovery snapshot(s) for: 5 days
Retention of weekly backup point: On Sunday at 8:00 AM for 12 weeks

You discover that Instant Restore is consuming more storage than expected. You need to reduce the amount of storage consumed by Instant Restore. What should you do first? Select only one answer.

Change the backup schedule frequency to Daily.
Change the retention of weekly backup points to 1 week.
Modify the backup policy to reduce the retention of instant recovery snapshots.
Provision an additional blob storage container.

A

Modify the backup policy to reduce the retention of instant recovery snapshots.

Correct – The “Retain instant recovery snapshot(s)” setting directly determines how long snapshots are stored locally before being transferred to the Recovery Services vault. Reducing this from 5 days to 2 days lowers Instant Restore storage usage.

17
Q

You are an Azure Administrator for Best For You Organics Company. The company uses ARM templates for deploying resources. You need to pass an array as an inline parameter during the deployment of the ARM template. What should you do? Select only one answer.

Modify the template to include the array values.
Use the --template-file switch to pass the array values.
Provide the array values in the --parameters switch in the deployment command.
Create a separate parameters file that includes the array values.

A

Provide the array values in the --parameters switch in the deployment command.

To pass an array as an inline parameter during the deployment of a local template, you should provide the array values in the --parameters switch in the deployment command. The other options are not correct methods for passing an array as an inline parameter.

18
Q

You have an Azure Resource Manager (ARM) template named Template1 that is used to deploy Azure virtual machines. Template1 contains the following text.

"resources": [
  {
    "type": "Microsoft.Compute/virtualMachines",
    "apiVersion": "2018-06-01",
    "name": "[parameters('vmName')]",
    "location": "[resourceGroup().location]",
    "properties": {
      <text removed>
    }
  }
]

You need to deploy two Azure virtual machines by using Template1. What should you add to Template1? Select only one answer.

a copy element
the API version
the Azure subscription ID
the resource group location

A

a copy element

The correct solution is to add a copy element, because ARM templates use the copy property to deploy multiple instances of a resource, such as two virtual machines, in a single deployment. The API version is already specified in the template and does not control the number of resources deployed. The subscription ID is never hardcoded in ARM templates since deployments are scoped to a subscription, and the resource group location is already provided through "[resourceGroup().location]". Therefore, only the copy element enables the template to create two virtual machines from a single resource definition.

19
Q

You are creating an Azure virtual machine that will run Windows Server. You need to ensure that VM1 will be part of a virtual machine scale set. Which setting should you configure during the creation of the virtual machine? Select only one answer.

Availability options
Azure Spot instance
Management
Region

A

Availability options

You must configure the virtual machine scale set from the availability options. Azure spot instance is used to add virtual machines with a discounted price. Region will not affect the configuration of the availability options. The management setting allows you to configure the monitoring and management options for the virtual machine.

20
Q

You have an Azure virtual network that contains two subnets named Subnet1 and Subnet2. You have a virtual machine named VM1 that is connected to Subnet1. VM1 runs Windows Server. You need to ensure that VM1 is connected directly to both subnets. What should you do first? Select only one answer.

From the Azure portal, add a network interface.
From the Azure portal, create an IP group.
From the Azure portal, modify the IP configurations of an existing network interface.
Sign in to Windows Server and create a network bridge.

A

From the Azure portal, add a network interface.

A network interface is used to connect a virtual machine to a subnet. Since VM1 is connected to Subnet1, VM1 already has a network interface attached that is connected to Subnet1. To connect VM1 directly to Subnet2, you must create a new network interface that is connected to Subnet2. Next, you must attach the new network interface to VM1.

An IP group is a user-defined collection of static IP addresses, ranges, and subnets. A network bridge allows you to connect multiple existing network connections in Windows together. Changing the IP configurations of the existing network interface results in VM1 being connected to Subnet2 but not to Subnet1.

21
Q

You have an Azure subscription that contains an Azure Storage account named vmstorageaccount1.
You create an Azure container instance named container1.
You need to configure persistent storage for container1.
What should you create in vmstorageaccount1? Select only one answer.

a blob container
a file share
a queue
a table

A

a file share

An Azure container instance (Docker container) can mount Azure File Storage shares as directories and use them as persistent storage. An Azure container instance cannot mount blob containers, queues, or tables and use them as persistent storage.

22
Q

Your development team plans to deploy an Azure container instance. The container needs a persistent storage layer.
Which service should you use? Select only one answer.

Azure Blob storage
Azure Files
Azure Queue Storage
Azure SQL Database

A

Azure Files

You can persist data for Azure Container Instances with the use of Azure Files. Azure Files offers fully managed file shares hosted in Azure Storage that are accessible via the industry standard Server Message Block (SMB) protocol.

23
Q

You have an Azure subscription that contains a Docker container image named container1. You plan to create a new Azure web app named WebApp1. You need to ensure that you can use container1 for WebApp1. Which WebApp1 setting should you configure? Select only one answer.

Continuous deployment
Pricing plan
Publish
Runtime stack

A

Publish

If you want to run a Docker container as an Azure web service, you must configure the Publish option and select Docker container.

Runtime stack specifies the stack that you want to use for the web app. If you want to deploy a Docker container as a web app, the runtime stack option is unavailable.

Pricing plan specifies the location, features, and costs of the web app.

Continuous deployment is a strategy for software releases. This option is unavailable when you publish a Docker container as an Azure web app.

24
Q

You have an Azure subscription that contains a resource group named RG1. RG1 contains an application named App1 and a container app named containerapp1. App1 is experiencing performance issues when attempting to add messages to the containerapp1 queue. You need to create a job to perform an application resource cleanup when a new message is added to a queue. Which command should you run? Select only one answer.

az containerapp job create \
    --name "my-job" --resource-group "RG1" --trigger-type "Event" --replica-timeout 60 --replica-retry-limit 1 ...

az containerapp job create \
    --name "my-job" --resource-group "RG1" --trigger-type "Manual" --replica-timeout 60 --replica-retry-limit 1 ...

az containerapp job start \
    --name "my-job" --resource-group "RG1" --trigger-type "Schedule" --replica-timeout 60 --replica-retry-limit 1 ...

az containerapp job start \
    --name "my-job" --resource-group "RG1" --trigger-type "Event" --replica-timeout 60 --replica-retry-limit 1 ...

A

az containerapp job create \
    --name "my-job" --resource-group "RG1" --trigger-type "Event" --replica-timeout 60 --replica-retry-limit 1 ...

Azure Container Apps jobs enable you to run containerized tasks that execute for a finite duration, and then exit. You can use jobs to perform tasks such as data processing, machine learning, or any scenario where on-demand processing is required. Container apps and jobs run in the same environment, allowing them to share capabilities such as networking and logging.

A job's trigger type determines how the job is started. The following trigger types are available:
Manual: Manual jobs are triggered on demand.
Schedule: Scheduled jobs are triggered at specific times and can run repeatedly.
Event: Event-driven jobs are triggered by events such as a message arriving in a queue.

25
Q

You have an Azure subscription that contains multiple resource groups and Azure App Service web apps. A resource group named RG1 hosts a web app named appservice1. The App Service uses a free App Service Managed SSL certificate. You create a resource group named RG2. You plan to move all the resources in RG1 to RG2. Which two actions should you perform? Each correct answer presents part of the solution. Select all answers that apply.

Create a new App Service plan in RG2.
Create a new web app in RG2.
Delete the SSL certificate from RG1 and upload it to RG2.
Move all the resources from RG1 to RG2.

A

Delete the SSL certificate from RG1 and upload it to RG2.
Move all the resources from RG1 to RG2.

The SSL certificate must be deleted. You will have to move all other resources to RG2.

26
Q

You have a Basic Azure App Service plan that contains a web app. You need to ensure that the web app can scale automatically when the CPU usage is over 80% for a duration of 15 minutes. Which two actions should you perform? Each correct answer presents part of the solution. Select all answers that apply.

Configure a deployment slot.
Configure a scaling condition to scale based on a metric, and then add the rules.
Configure a scaling condition to scale based on an instance count, and then set the instance count.
Scale out the App Service plan.
Scale up the App Service plan.

A

Configure a scaling condition to scale based on a metric, and then add the rules.
Scale up the App Service plan.

The Basic app service plan does not support automatic scaling - you must scale up the plan to Premium (or higher) to support automatic scaling. After that you must configure a scaling condition, based on a metric (CPU), which will automatically trigger scaling (out) of the app service web app.

27
Q

You need to create an Azure App Service web app that runs on Windows. The web app requires scaling to five instances, 45 GB of storage, and a custom domain name. The solution must minimize costs. Which App Service plan should you use? Select only one answer.

Basic
Free
Premium
Standard

A

Standard

The Standard service plan can host unlimited web apps, up to 50 GB of disk space, and up to 10 instances. The plan will cost approximately $0.10/hour. The Free plan only offers 1 GB of disk size and 0 instances to host the app. The Premium plan offers 250 GB of disk space and up to 30 instances and will cost approximately $0.20/hour. The Basic plan offers 10 GB of disk space and up to three virtual machines.

28
Q

You have an Azure subscription that contains a web app named App1. You configure App1 with a custom domain name of webapp1.contoso.com. You need to create a DNS record for App1. The solution must ensure that App1 remains accessible if the IP address changes. Which type of DNS record should you create? Select only one answer.

A
CNAME
SOA
SRV
TXT

A

CNAME

For web apps, you create either an A (Address) record or a CNAME (Canonical Name) record. An A record maps a domain name to an IP address. A CNAME record maps a domain name to another domain name. DNS uses the second name to look up the address. Users still see the first domain name in their browser. If the IP address changes, a CNAME entry is still valid, whereas an A record must be updated.

29
Q

You have an Azure subscription that is linked to a Microsoft Entra tenant named contoso.com. All users in contoso.com are currently able to invite external users to B2B collaboration. You need to ensure that only members of the Guest Inviter, User Administrator, and Global Administrator roles can invite guest users. What should you configure? Select only one answer.

Access reviews
Conditional Access
Cross-tenant access settings
External collaboration settings

A

External collaboration settings

External collaboration settings let you specify which roles in your organization can invite external users for B2B collaboration. These settings also include options for allowing or blocking specific domains and options for restricting which external guest users can see in your Microsoft Entra directory. Conditional Access allows you to apply rules to strengthen authentication and block access to resources from unknown locations. Cross-tenant access settings are used to configure collaboration with a specific Microsoft Entra organization. Access reviews are not used to control who can invite guest users.

30
Q

You have an Azure subscription that contains the following users:

User1: Member
User2: Member
User3: Guest
User4: Member

The subscription contains a group named Group1 with the following configuration:

Membership type: Assigned
Members: User1, User2, User3
Owners: User4

You assign a Microsoft 365 license to Group1. How many Microsoft 365 licenses will be used? Select only one answer.

0
1
3
4

A

3

When you assign licenses to a Microsoft Entra group, the licenses are consumed only by the members of the group, not by the group’s owners. In this case, Group1 has three members: User1, User2, and User3. Even though User3 is a guest user, assigning a license to them still consumes a license unless the organization has configured restricted guest licensing. User4 is an owner only, not a member, so they do not consume a license from this assignment. Therefore, a total of three Microsoft 365 licenses are used.

31
Q

You have a Microsoft Entra tenant named contoso.com that contains a group named Group1. Group1 contains the following users:

User1 — Type: Member; Sync from on-premises: Yes
User2 — Type: Member; Sync from on-premises: No
User3 — Type: Guest; Sync from on-premises: No

Password writeback is enabled in Microsoft Entra Connect Sync. You enable self-service password reset (SSPR) for Group1. You need to identify which users must register for SSPR. Which users should you identify? Select only one answer.

User2 only
User1 and User2 only
User2 and User3 only
User1, User2, and User3

A

User1 and User2 only

SSPR registration is required for users in scope who are eligible to use SSPR. In this scenario, Group1 is in scope and includes two member users (User1 and User2) and one guest user (User3). Because password writeback is enabled, the synced member (User1) can use SSPR to write changes back to on-premises AD, and the cloud-only member (User2) can reset in Entra ID—both must register. Guest users (User3) are not supported for SSPR in the resource tenant (they manage passwords in their home tenant), so they do not need to register here.

32
Q

You have a Microsoft Entra tenant that contains a user named User1. You need to ensure that User1 can invite external users to the tenant. The solution must follow the principle of least privilege. Which role should you assign to User1? Select only one answer.

Global Administrator
Groups Administrator
Guest Inviter
Security Administrator

A

Guest Inviter

The correct solution is to assign the Guest Inviter role, because it grants only the specific ability to invite external users into the Microsoft Entra tenant, aligning with the principle of least privilege. The Global Administrator role would allow full tenant-wide control and far exceeds the requirement. The Groups Administrator role allows management of groups but not external user invitations. The Security Administrator role manages security settings and reports but does not enable guest invitations. Therefore, the Guest Inviter role provides the exact permissions needed without granting unnecessary rights.

33
Q

You have an Azure subscription that contains multiple users and administrators. You are creating a new custom role by using the following JSON.

{
  "Name": "Custom Role",
  "Id": null,
  "IsCustom": true,
  "Description": "Custom Role description",
  "Actions": [
    "Microsoft.Compute/*/read",
    "Microsoft.Compute/snapshots/write",
    "Microsoft.Compute/snapshots/read"
  ],
  "NotActions": [
    "Microsoft.Compute/snapshots/delete"
  ],
  "AssignableScopes": [
    "/subscriptions/00000000-0000-0000-0000-000000000000",
    "/subscriptions/11111111-1111-1111-1111-111111111111"
  ]
}

Which two actions can be performed by a user that is assigned the custom role? Each correct answer presents a complete solution. Select all answers that apply.

Create and delete a snapshot.
Create and read a snapshot.
Create virtual machines.
Read all virtual machine settings.

A

Create and read a snapshot.
Read all virtual machine settings.

The role can read all compute resources, call Microsoft support roles, and allow the creation and reading of a snapshot.

34
You have an Azure subscription. You run the following command:
Get-AzRoleDefinition | Format-Table -Property Name, Id
The command output contains data that includes the following:
CustomRole1   111-222-333-444-555
Owner         8e3af657-a8ff-443c-a75c-2fe8c4bcb635
Contributor   b24988ac-6180-42a0-ab88-20f7382dd24c
Reader        acdd72a7-3385-48ef-bd42-f606fba81ae7
You have a script that manages access to resources at the resource group level. The assignment process is automated by running the following PowerShell script nightly.
$rg = "RG1"
$RoleName = "111-222-333-444-555"
$Role = Get-AzRoleDefinition -Name $RoleName
New-AzRoleAssignment -SignInName user1@contoso.com -RoleDefinitionName $Role.Name `
  -ResourceGroupName $rg
User1 is unable to access the RG1 resource group. You discover that the script fails to complete for User1. You need to modify the script to ensure that it does not fail. What should you change in the script? Select only one answer.
$Role = Add-AzRoleDefinition -Name $RoleName
$Role = Get-AzRoleAssignment -Name $RoleName
$Role = Set-AzRoleAssignment -Name $RoleName
$RoleName = "CustomRole1"
$RoleName = "CustomRole1" For the script to work as written, the $RoleName variable should refer to the name instead of the ID.
35
You have an Azure subscription and a user named User1. You need to assign User1 a role that allows the user to create and manage all types of resources in the subscription. The solution must ensure that User1 is not able to assign roles to other users. Which Azure role should you assign to User1? Select only one answer. API Management Service Contributor Contributor Owner Reader
Contributor Users with the Contributor role can create and manage all types of resources but cannot delegate new access to other users. Users with the Reader role can view existing Azure resources but cannot perform any action against them. Users with the API Management Service Contributor role can only manage API Management services and APIs. Users with the Owner role have full access to all resources, including the right to delegate access to others.
36
You are responsible for managing user identities and governance within your Azure environment. You need to ensure that a new user named User1 can create and manage user accounts and groups, manage support tickets, and monitor service health. The solution must follow the principle of least privilege. Which Microsoft Entra role should you assign to User1? Select only one answer. User Administrator Billing Administrator Global Administrator Service Administrator
User Administrator The User Administrator role allows creation and management of users and groups, managing support tickets, and monitoring service health. The Global Administrator has more permissions than required. The Billing Administrator is focused on financial aspects and the Service Administrator is a classic role with full access to Azure services, which is not required for user and group management.
37
You have an Azure subscription. You plan to create an Azure Policy definition named Policy1. You need to include remediation information in Policy1. To which definition section should you add remediation information for Policy1? Select only one answer. metadata mode parameters policyRule
metadata You must use the RemediationDescription field in the metadata section from properties to specify a custom recommendation. The remaining options are Azure policies, but do not allow specific custom remediation information.
38
You have an Azure subscription that contains an Azure policy named Policy1. Policy1 enforces a tag and its value on all Azure Resource Manager (ARM) resources. The enforcement mode is set to Default. You discover that when you create a virtual network by using an ARM template, Policy1 is NOT applied. You need to ensure that Policy1 is applied when you create resources by using an ARM template. What should you do? Select only one answer. Add the tag and its value to the template. Assign Policy1 to the resource group that contains the virtual network. Change the enforcement mode of Policy1. Modify the ARM template.
Modify the ARM template. The correct solution is to modify the ARM template to include the required tag and its value, because Azure Policy with enforcement mode set to Default evaluates resource creation requests but does not automatically append tags during template deployments unless the template itself provides the required tag field. Assigning the policy to a resource group would not change this behavior, and changing the enforcement mode is not necessary since Default already enforces compliance during resource creation. Simply adding tags manually in the portal is unrelated to ensuring compliance during ARM deployments. By explicitly including the tag in the ARM template, you guarantee that the deployment passes policy evaluation and the resource remains compliant.
39
You have an Azure subscription that contains a resource group named RG1. RG1 contains 10 resources. You need to prevent the resources from being deleted accidentally. The solution must ensure that RG1 can be deleted if it no longer contains any resources. What should you do? Select only one answer. From Azure Cloud Shell, run the New-AzureRmResourceGroup cmdlet. From Azure Cloud Shell, run the Set-AzResourceGroup cmdlet. From the Azure portal, modify the handlers of the RG1 resource group. From the Azure portal, modify the locks of RG1.
From the Azure portal, modify the locks of RG1. The correct solution is to configure a lock on RG1 from the Azure portal, because a Delete lock prevents accidental deletion of resources within the resource group while still allowing the resource group itself to be deleted once it is empty. Creating a new resource group with New-AzureRmResourceGroup is irrelevant, and using Set-AzResourceGroup changes properties but does not enforce deletion protection. The “handlers” option does not exist in Azure resource group settings. Locks are the supported mechanism for safeguarding resources against accidental deletion while maintaining flexibility to remove the resource group if needed.
40
You have an Azure subscription that contains a storage account named storage1 and is linked to a Microsoft Entra tenant named contoso.com. You plan to provide identity-based access to storage1. Which storage1 data service can be configured to use identity-based access? Select only one answer. containers file shares queues tables
file shares File shares can be configured to use Microsoft Entra Kerberos to provide identity-based access to data storage.
41
You have an Azure subscription that contains a storage account named storage1. You need to ensure that access to storage1 is prevented from the internet. What should you configure on storage1? Select only one answer. Access keys Data protection Encryption Networking
Networking The Networking node of a storage account provides settings to configure public network access and network routing. To prevent access from the internet, you can disable public network access, or configure the access to only allow specific virtual networks and IP addresses.
42
You have an on-premises network. You have an Azure subscription that contains a virtual network named VNet1. VNet1 is connected to the on-premises network by using ExpressRoute. You perform the following actions: create a storage account named storage1; associate VNet1 to storage1 and configure network routing to use Microsoft network routing. You need to ensure that only connections from the on-premises network are allowed to access storage1. The solution must minimize administrative effort. What should you do? Select only one answer. Configure the network settings of storage1. Create a routing table. Add a filter rule to the table. Create a shared access signature (SAS). Create an ExpressRoute circuit. Create a filter on the ExpressRoute connection.
Configure the network settings of storage1. The correct solution is to configure the network settings of the storage account, because Azure Storage allows you to restrict access by enabling firewall and virtual network rules so that only traffic from specific VNets or on-premises networks (via ExpressRoute or VPN) is allowed. This approach directly satisfies the requirement with minimal administrative effort, since it leverages built-in network settings. Creating a routing table with filter rules would not block storage access—it only influences packet routing. A SAS token controls authentication and permissions but does not restrict the network source of requests. Creating another ExpressRoute circuit and configuring filters adds unnecessary complexity when network rules on the storage account already provide the needed control.
43
You need to create an Azure Storage account that supports the Azure Data Lake Storage Gen2 capabilities. Which two types of storage accounts can you use? Each correct answer presents a complete solution. Select all answers that apply. premium block blobs premium file shares standard general-purpose v2 premium page blobs
premium block blobs standard general-purpose v2 To support Data Lake Storage, the storage account must support blob storage, which is available as standard general-purpose v2 and premium block blobs. Additionally, when you create the storage account, you must enable the hierarchical namespace.
44
You need to create an Azure Storage account that meets the following requirements: stores data in multiple Azure regions; supports reading the data from primary and secondary regions. Which type of storage redundancy should you use? Select only one answer. geo-redundant storage (GRS) locally-redundant storage (LRS) read-access geo-redundant storage (RA-GRS) zone-redundant storage (ZRS)
read-access geo-redundant storage (RA-GRS) Since you must ensure that data can be read from a secondary region, you must choose read-access geo-redundant storage (RA-GRS).
45
You have an Azure Storage account named corpimages and an on-premises shared folder named \\server1\images. You need to migrate all the contents from \\server1\images to corpimages. Which two commands can you use? Each correct answer presents a complete solution. Select all answers that apply.
Azcopy copy \\server1\images https://corpimages.blob.core.windows.net/public -recursive
Azcopy sync \\server1\images https://corpimages.blob.core.windows.net/public -recursive
Get-ChildItem -Path \\server1\images -Recurse | Set-AzStorageBlobContent -Container "corpimages"
Set-AzStorageBlobContent -Container "ContosoUpload" -File "\\server1\images" -Blob "corporateimages "
Azcopy copy \\server1\images https://corpimages.blob.core.windows.net/public -recursive
Get-ChildItem -Path \\server1\images -Recurse | Set-AzStorageBlobContent -Container "corpimages"
The AzCopy command allows you to copy all files to a storage account. You then use Get-ChildItem with the path parameter, recurse to select everything, and then use the Set-AzStorageBlobContent cmdlet.
46
You have an Azure Storage account. You need to copy data to the storage account by using the AzCopy tool. Which two types of data storage are supported by AzCopy? Each correct answer presents a complete solution. Select all answers that apply. blob file queue table
blob file You can provide authorization credentials by using Microsoft Entra, or by using a shared access signature (SAS) token. Both storage types, blob and file, are supported in AzCopy.
47
You have an Azure Storage account named storageaccount1 with a blob container named container1 that stores confidential information. You need to ensure that content in container1 is not modified or deleted for six months after the last modification date. What should you configure? Select only one answer. a custom Azure role lifecycle management the change feed the immutability policy
the immutability policy A time-based retention policy or a legal hold policy can be applied to block deletion. Immutability policies can be scoped to a blob version or to a container.
48
You have an Azure subscription that contains multiple storage accounts. A storage account named storage1 has a file share named share1 that stores marketing videos. Users reported that 99 percent of the assigned storage is used. You need to ensure that share1 can support large files and store up to 100 TiB. Which two PowerShell commands should you run? Each correct answer presents part of the solution. Select all answers that apply.
New-AzRmStorageShare -ResourceGroupName RG1 -Name -StorageAccountName storage1 -Name share1 -QuotaGiB 100GB
Set-AzStorageAccount -ResourceGroupName RG1 -Name storage1 -EnableLargeFileShare
Set-AzStorageAccount -ResourceGroupName RG1 -Name storage1 -Type "Standard_RAGRS"
Update-AzRmStorageShare -ResourceGroupName RG1 -Name -StorageAccountName storage1 -Name share1 -QuotaGiB 102400
Set-AzStorageAccount -ResourceGroupName RG1 -Name storage1 -EnableLargeFileShare
Update-AzRmStorageShare -ResourceGroupName RG1 -Name -StorageAccountName storage1 -Name share1 -QuotaGiB 102400
You must enable the storage account to support large files and update the storage account quota to 102,400 GB. You do not need to change the type of storage account, and you are updating the existing share.
49
You want to store a script that you constantly use for operations on Azure resources. This script needs to be rapidly available when you open a new Azure Cloud Shell session. Which of these procedures should you use?
Upload the script to your CloudDrive on an Azure Cloud Shell session.
50
You have an Azure subscription that contains a virtual network named VNet1. You plan to deploy a virtual machine named VM1 to be used as a network inspection appliance. You need to ensure that all network traffic passes through VM1. What should you do? Select only one answer. Configure a user-defined route. Create a virtual network gateway. Modify the default route. Modify the system route.
Configure a user-defined route. Azure automatically creates a route table for each subnet on an Azure virtual network and adds system default routes to the table. You can override some of the Azure system routes with custom user-defined routes and add more custom routes to route tables. Azure routes outbound traffic from a subnet based on the routes on a subnet's route table.
51
You have an Azure virtual network that contains four subnets. Each subnet contains 10 virtual machines. You plan to configure a network security group (NSG) that will allow inbound traffic over TCP port 8080 to two virtual machines on each subnet. The NSG will be associated to each subnet. You need to recommend a solution to configure the inbound access by using the fewest number of NSG rules possible. What should you use as the destination in the NSG? Select only one answer. an application security group a service tag the subnets of the virtual machines
an application security group Application security groups allow you to group together the network interfaces from multiple virtual machines, and then use the group as the source or destination in an NSG rule. The network interfaces must be in the same virtual network. You can use the IP address of each virtual machine as the destination, but you must create a rule for each virtual machine. Using the subnets will require four rules and will also allow traffic to all the virtual machines on those subnets. Service tags are for specific Azure services, such as Azure App Service or Azure Backup.
52
You have a web app that is running in four Windows Server Azure virtual machines behind a load balancer. Users experience issues when accessing the web app. You suspect an issue with the web server and must check whether the server is listening on port 80. Which command should you run? Select only one answer. Get-AzVirtualNetworkUsageList nbtstat -c netstat -an Test-NetConnection localhost
netstat -an Using netstat -an will list the ports that the server is listening on. Test-NetConnection will perform a ping/ICMP test. Nbtstat -c checks the NBT cache. Get-AzVirtualNetwork gets the virtual networks in a resource group.
53
You have an Azure virtual network named VNet1. You create an Azure Private DNS zone named contoso.com. You need to ensure that the virtual machines on VNet1 register in the contoso.com private DNS zone. What should you do? Select only one answer. Add a virtual network link to contoso.com. Add Azure DNS Private Resolver to VNet1. Configure each virtual machine to use a custom DNS server. Configure VNet1 to use a custom DNS server.
Add a virtual network link to contoso.com. To associate a virtual network to a private DNS zone, you add the virtual network to the zone by creating a virtual network link. Azure DNS Private Resolver is used to proxy DNS queries between on-premises environments and Azure DNS. A custom DNS server will work if you deploy a DNS server as a virtual machine or an appliance; however, this configuration does not work with a private DNS zone.
54
Your company has deployed an Azure Load Balancer to distribute traffic across multiple VMs in a web farm. Users report intermittent connection timeouts when accessing the web app. You need to resolve the connection timeout issues and ensure even traffic distribution by the load balancer. What should you do? Select only one answer. Change the distribution mode to five-tuple hash. Configure a health probe for the load balancer. Enable session persistence with source IP affinity. Upgrade the load balancer to a higher SKU.
Change the distribution mode to five-tuple hash. Changing the distribution mode to five-tuple hash ensures even traffic distribution by considering multiple parameters, which helps in resolving connection timeouts. Configuring a health probe for the load balancer does not impact internal traffic distribution or resolve connection timeouts. Enabling session persistence with source IP affinity can lead to uneven traffic distribution, directing requests from the same client to the same VM, which doesn't resolve the issue. Upgrading the load balancer to a higher SKU without addressing the distribution mode will not resolve the uneven traffic distribution or connection timeout issues.
55
You have deployed a web application in Microsoft Azure using a public Microsoft Load Balancer to distribute traffic across virtual machines. Users report intermittent connectivity issues. You need to troubleshoot the connectivity issues for consistent application access. Each correct answer presents part of the solution. Which two actions should you take? Select all answers that apply. Change the load balancer's distribution mode to Source IP affinity. Check the health probe configuration. Check the network security group rules for the virtual machines. Verify matching SKUs for the load balancer and public IP.
Check the health probe configuration. Verify matching SKUs for the load balancer and public IP. Checking the health probe configuration is crucial because an inactive or incorrectly configured probe can lead to traffic being routed to unhealthy instances, causing connectivity issues. Verifying matching SKUs for the load balancer and public IP is also essential, as mismatched SKUs can disrupt proper operation and lead to connectivity problems. Checking the network security group rules might seem relevant but does not address the root cause of the connectivity issues. Changing the load balancer's distribution mode might seem like it could improve session persistence but does not resolve the underlying configuration problems causing the connectivity issues.
56
You have 100 virtual machines deployed to Azure. You have Azure Monitor alerts configured for CPU and memory utilization for the virtual machines. You open Azure Monitor alerts and discover 50 closed alerts for the virtual machines. What can cause the alert state to be Closed? Select only one answer. An administrator manually changed the state of the alerts. The alerts are older than 60 days. The alert rule contains an action group that remediates the alert conditions. The conditions that caused the alerts are no longer present.
An administrator manually changed the state of the alerts. The alert state is manually set by the user and does not have any automated logic behind it. The alert state can be either New, Acknowledged, or Closed.
57
You have an Azure virtual machine named VM1 that is protected by using Azure Site Recovery. You fail over VM1 from the primary region to the secondary region. You need to reprotect VM1 after the failover so that VM1 will replicate back to the primary region. What is the VM1 status before the reprotection? Select only one answer. Committing failover Failover committed Failover confirmed Starting failover
Failover committed Before you begin, you must ensure that the virtual machine status is Failover committed. This will ensure replication back to the primary region.
58
You have an Azure subscription that contains a resource group named RG1. You have an Azure Resource Manager (ARM) template for an Azure virtual machine. You need to use PowerShell to provision a virtual machine in RG1 by using the template. Which PowerShell cmdlet should you run? Select only one answer. New-AzManagementGroupDeployment New-AzResourceGroupDeployment New-AzSubscriptionDeployment New-AzVM
New-AzResourceGroupDeployment Virtual machines are deployed to resource groups, so you must run the New-AzResourceGroupDeployment cmdlet. You cannot deploy virtual machines to subscriptions or management groups directly; therefore, New-AzManagementGroupDeployment and New-AzSubscriptionDeployment cannot be used. New-AzVM can be used to provision a new virtual machine, but without using a template.
59
You have an Azure Resource Manager (ARM) template named deploy.json that is stored in an Azure Blob storage container. You plan to deploy the template by running the New-AzDeployment cmdlet. Which parameter should you use to reference the template? Select only one answer. -Tag -Templatefile -TemplateSpecId -TemplateUri
-TemplateUri The PowerShell deployment cmdlets can be used to deploy JSON templates that are stored locally, in a resource group as a template spec, or in a web-based location. You can use the -TemplateUri parameter to specify a web-based location, such as GitHub or an Azure Blob Storage account. You can use -Templatefile to specify a local file. You can use -TemplateSpecId to specify a template that was saved to Azure as a template spec.
60
You have two Azure virtual machines named VM1 and VM2 that run Windows Server. VM1 has a single data disk that stores backup files. You need to move the data disk from VM1 to VM2 as quickly as possible. What should you do first? Select only one answer. Detach the data disk from VM1. Restart VM1. Stop VM1. Stop VM2.
Detach the data disk from VM1. You can detach a disk from a running virtual machine (hot removal). You do not need to stop VM2 or restart VM1.
61
You have an Azure virtual machine. You receive a notification that the virtual machine is going to be affected by an underlying maintenance activity on the physical infrastructure. You need to move the virtual machine to a different host to avoid a service interruption. What should you do? Select only one answer. Apply an Azure policy. Apply an Azure tag. Move the virtual machine to another Azure subscription. Redeploy the virtual machine.
Redeploy the virtual machine. You must redeploy the virtual machine, which can move the virtual machine to a different host. Azure will shut down the virtual machine and move the virtual machine to a new node within the Azure infrastructure.
62
You plan to deploy an Azure virtual machine. You are evaluating whether to use an Azure Spot instance. Which two factors can cause an Azure Spot instance to be evicted? Each correct answer presents a complete solution. Select all answers that apply. the average CPU usages of the instance the Azure capacity needs the current price of the instance the time of day
the Azure capacity needs the current price of the instance Azure Spot instances allow you to provision virtual machines at a reduced cost, but these virtual machines can be stopped by Azure when Azure needs the capacity for other pay-as-you-go workloads, or when the price of the spot instance exceeds the maximum price that you have set. These virtual machines are good for dev, testing, or for workloads that do not require any specific SLA.
63
Your company has an Azure subscription that is linked to a Microsoft Entra tenant. You have been asked to limit the access to the Kubernetes API server. Which two options should you choose? Each correct answer presents a complete solution. Select all answers that apply. API server authorized IP ranges public cluster private cluster Azure tags
API server authorized IP ranges private cluster You can use API server authorized IP ranges if you want to maintain a public endpoint for the API server but restrict access to a set of trusted IP ranges. You can use a private cluster if you want to limit the API server to only be accessible from within your virtual network.
64
You have an Azure subscription that contains a Docker container image named container1. You plan to create a new Azure App Service web app named WebApp1. You need to ensure that you can use container1 for WebApp1. Which WebApp1 setting should you configure? Select only one answer. Continuous deployment Pricing plan Publish Runtime stack
Publish Continuous deployment is a strategy for software releases. This option is unavailable when you publish a Docker container as an Azure web app.
65
You have an Azure subscription that contains an App Service web app named App1. You configure App1 with a custom domain name of webapp1.contoso.com. You need to create a DNS record for App1. The solution must ensure that App1 remains accessible if the IP address changes. Which type of DNS record should you create? Select only one answer. A CNAME SOA SRV TXT
CNAME For web apps, you create either an A (Address) record or a CNAME (Canonical Name) record. An A record maps a domain name to an IP address. A CNAME record maps a domain name to another domain name. DNS uses the second name to look up the address. Users still see the first domain name in their browser. If the IP address changes, a CNAME entry is still valid, whereas an A record must be updated.
66
You have an Azure subscription that contains a storage account named storage1. You need to provide a partner organization with access to storage1. Access to storage1 must automatically expire after 24 hours. What should you configure? Select only one answer. a shared access signature (SAS) an access key Azure Content Delivery Network (CDN) lifecycle management
a shared access signature (SAS) A SAS provides secure delegated access to resources in a storage account. With a SAS, you have granular control over how a client can access data, including time restrictions. Access keys and Azure CDN provide permanent access to resources. They will require manual steps to remove access. Lifecycle management is not needed.
67
Your network contains an on-premises Active Directory Domain Services (AD DS) domain named contoso.com. The domain contains a server named Server1 that runs Windows Server. The domain syncs with a Microsoft Entra tenant named contoso.com. You have an Azure subscription that contains a storage account named storage1. The subscription is linked to contoso.com. You plan to use Server1 to access a file share in storage1. What should you do first? Select only one answer. From File share settings, configure identity-based access for storage1. From Server1, modify the membership of an existing local group. From Server1, modify the Security file share settings of storage1. From storage1, enable a shared access signature (SAS).
From File share settings, configure identity-based access for storage1. The correct solution is to first configure identity-based access for Azure file shares on storage1, because this enables authentication and authorization through Microsoft Entra ID (synchronized from on-premises AD DS). Without enabling identity-based access, Server1 cannot use domain credentials to access the share. Modifying group memberships on Server1 or changing security settings on the file share are relevant only after identity-based access is configured. A shared access signature (SAS) provides token-based access but does not integrate with AD DS/Entra identities, so it would not allow seamless domain authentication. Therefore, enabling identity-based access for the file share is the required first step.
68
You need to create an Azure Storage account that meets the following requirements: stores data in a minimum of two availability zones; provides high availability. Which type of storage redundancy should you use? Select only one answer. geo-redundant storage (GRS) locally-redundant storage (LRS) read-access geo-redundant storage (RA-GRS) zone-redundant storage (ZRS)
zone-redundant storage (ZRS) Zone-redundant storage (ZRS) replicates a storage account synchronously across three Azure availability zones in the primary region. For ensuring high availability, Microsoft recommends using ZRS in the primary region and also replicating to a secondary region.
69
You plan to configure object replication between two Azure Storage accounts. The Blob service of the source storage account has the following settings: Hierarchical namespace: Disabled; Default access tier: Hot; Blob public access: Enabled; Blob soft delete: Enabled (7 days); Container soft delete: Enabled (7 days); Versioning: Disabled; Change feed: Enabled; NFS v3: Disabled; Allow cross-tenant replication: Enabled. Which setting should be modified on the source storage account to support object replication? Select only one answer. Blob soft delete Change feed Hierarchical namespace Versioning
Versioning Versioning must be enabled for both the source and destination accounts. In this scenario, versioning is currently disabled.
70
You have two premium block blob Azure Storage accounts named storage1 and storage2. You need to configure object replication from storage1 to storage2. Which three features should be enabled before configuring object replication? Each correct answer presents part of the solution. Select all answers that apply. blob versioning for storage1 blob versioning for storage2 change feed for storage1 change feed for storage2 point-in-time restore for the containers on storage1 point-in-time restore for the containers on storage2
blob versioning for storage1 blob versioning for storage2 change feed for storage1 Object replication can be used to replicate blobs between storage accounts. Before configuring object replication, you must enable blob versioning for both storage accounts, and you must enable the change feed for the source account.
71
You have an Azure subscription. You plan to create a storage account named storage1. You need to ensure that storage1 provides POSIX-compliant access control lists (ACLs). Which option should you configure when creating storage1? Select only one answer. access tier hierarchical namespace SFTP version-level immutable support
hierarchical namespace To enable POSIX-compliant access control lists (ACLs), the hierarchical namespace must be used. The remaining options are valid for a storage account, but do not provide the POSIX-compliant feature.
72
You have an Azure subscription that contains a storage account. You need to recommend a storage solution for storing infrequently accessed data. The solution must meet the following requirements: The data must be stored for at least 90 days. The data must be available within seconds. Storage costs must be minimized. Which tier should you recommend? Select only one answer. Cold Cool Hot Premium
Cold The correct solution is the Cold tier, because it is an online storage tier in Azure designed for infrequently accessed data that must remain available within seconds. The Cold tier has a recommended minimum retention period of 90 days, aligning directly with the scenario, and offers lower storage costs than Hot or Cool tiers while still supporting immediate access. The Cool tier requires only 30 days of retention and has higher costs than Cold for long-term storage, the Hot tier is optimized for frequently accessed data at higher storage prices, and the Premium tier is intended for high-performance workloads, not for cost efficiency. Therefore, Cold best satisfies the requirements for cost savings, online availability, and the 90-day storage requirement.
73
You have a Microsoft Entra tenant. You create a new user named User1. You need to assign a Microsoft 365 E5 license to User1. Which user attribute should be configured for User1 before you can assign the license? Select only one answer. First name Last name Other email address Usage location User type
Usage location Not all Microsoft 365 services are available in all locations. Before a license can be assigned to a user, you must specify the Usage location. The attributes of First name, Last name, Other email address, and User type are not mandatory for license assignment.
74
Your Microsoft Entra tenant and on-premises Active Directory domain contain multiple users. You need to configure self-service password reset (SSPR) functionality. The solution must minimize costs. Which Microsoft Entra ID edition should you use? Select only one answer. Microsoft Entra ID Free Microsoft Entra ID P1 Microsoft Entra ID P2
Microsoft Entra ID P1 Only Microsoft Entra ID P1 and P2 support SSPR, but Microsoft Entra ID P1 is the lower cost option.
75
You have the following resource groups, management groups, and Azure subscriptions: Two resource groups named RG1 and RG2 in a subscription named Sub1 and a management group named MG1. Two resource groups named RG3 and RG4 in a subscription named Sub2 and a management group named MG1. Two resource groups named RG5 and RG6 in a subscription named Sub3 and a management group named MG1. Two resource groups named RG10 and RG11 in a subscription named Sub4 and a management group named MG2. Two resource groups named RG11 and RG12 in a subscription named Sub5 and a management group named MG2. You need to assign a role to a user to ensure the user can view all the resources in the subscriptions. The solution must use the principle of least privilege. Which role should you assign? Select only one answer. the Billing Reader role for all the subscriptions the Billing Reader role for MG1 and MG2 the Contributor role for MG1 and MG2 the Reader role for MG1 and MG2
the Reader role for MG1 and MG2 This answer is correct. Assigning the Reader role for MG1 and MG2 is correct because the simplest way to give a user access to all resources is to assign a role at the management group level.
76
You have an Azure subscription that contains a network security group (NSG) named NSG1. You plan to configure NSG1 to allow the following types of traffic: Remote Desktop Management Secured HTTPS Which two ports should you allow in NSG1? Each correct answer presents part of the solution. 80 25 443 587 3389
443 3389 You must open port 443 for secured HTTPS traffic, port 3389 for Remote Desktop, and 587 to send outbound email by using authenticated SMTP relay. Port 80 is used for unsecured traffic. Port 25 is used by mail traffic.
77
You have a Microsoft Entra tenant named contoso.com. You need to assign licenses to the users based on Microsoft Entra ID attributes. The solution must minimize administrative effort. Which two actions should you perform? Each correct answer presents part of the solution. Select all answers that apply. Assign the licenses to the dynamic security groups. Assign a license to each user. Create an automatic assignment policy. Create dynamic security groups. Create Administrative units.
Assign the licenses to the dynamic security groups. Create dynamic security groups. To assign licenses to users based on Microsoft Entra ID attributes, you must create a dynamic security group and configure rules based on custom attributes. The dynamic group must be added to a license group for automatic synchronization. All users in the groups will get the license automatically. Microsoft Entra evaluates the users in the organization that are in scope for an assignment policy rule and creates assignments for the users who don't have assignments to an access package; automatic assignment policies are not used for licensing.
78
You have an Azure subscription. From PowerShell, you run the Get-MgUser cmdlet for a user and receive the following details: Id: 8755b347-3545-3876-3987-999999999999 DisplayName: Ben Smith Mail: bsmith@contoso.com UserPrincipalName: bsmith_contoso.com#EXT#@fabrikam.com Based upon the output of the cmdlet, which statement accurately describes the user? Select only one answer. The user account is disabled. The user is a guest in the tenant. The user is assigned an administrative role. The user is deleted.
The user is a guest in the tenant. For guest users, the user principal name (UPN) will contain the email of the guest user (bsmith_contoso.com) followed by #EXT# followed by the domain name of the tenant (@fabrikam.com). Regular Microsoft Entra users appear in a format of user@fabrikam.com.
79
You have an Azure subscription that contains several storage accounts. You need to provide a user with the ability to perform the following tasks: Manage containers within the storage accounts. View storage account access keys. The solution must use the principle of least privilege. Which role should you assign to the user? Select only one answer. Owner Reader Storage Account Contributor Storage Blob Data Contributor
Storage Account Contributor Storage Account Contributor allows the management of storage accounts. It provides access to the account key, which can be used to access data via Shared Key authorization. Storage Blob Data Contributor grants permissions to read, write, and delete Azure Storage containers and blobs. Reader allows you to view all resources but does not allow you to make any changes. Owner grants full access to manage all resources, including the ability to assign roles in Azure RBAC.
80
You have an Azure subscription that contains 25 virtual machines. You need to ensure that each virtual machine is associated with a specific department for reporting purposes. What should you use? Select only one answer. administrative units management groups storage accounts tags
tags Tags are metadata elements that can be applied to Azure resources. Tags can be used for tracking resources such as virtual machines and associating each resource to a department for billing and reporting purposes. Administrative units are containers used for delegating administrative roles to manage a specific portion of Microsoft Entra. Administrative units cannot contain Azure virtual machines. Management groups are containers that can be used to manage access, policy, and compliance across multiple Azure subscriptions. Azure Storage accounts contain Azure Storage data objects, including blobs, file shares, queues, tables, and disks. A storage account cannot contain virtual machines.
81
You have an Azure subscription that contains 10 virtual machines. You need to ensure that a user named User1 can tag all the virtual machines by using the Azure portal. The solution must follow the principle of least privilege. What should you do? Select only one answer. From the Azure portal, create a custom role that has the Microsoft.Compute/virtualMachines/*/write permission. From the Azure portal, modify the Access control (IAM) settings of the virtual machines. From the Azure portal, modify the Policies settings of the Azure subscription. From the command line, run the az role assignment create command.
From the Azure portal, modify the Access control (IAM) settings of the virtual machines. The correct solution is to update the Access control (IAM) settings of the virtual machines in the Azure portal and assign User1 a role that grants tagging rights, such as the built-in Tag Contributor role. This follows the principle of least privilege because it gives User1 only the permissions required to apply and manage tags, without granting full write or administrative rights. Creating a custom role with full virtualMachines/*/write permission is unnecessary and too broad, modifying Policies only enforces tagging rules rather than granting permissions, and using the az role assignment create command is another way to assign roles but does not specify the least-privilege role or the portal-based method requested in the scenario.
82
You have a Kusto query that returns 1,000 events from the SecurityEvent table in Azure Monitor. You need to configure the query to aggregate the results by the Account column. Which operator should you use? Select only one answer. extend project summarize where
summarize Summarize is used to group records from one or more columns of data. Where is used to filter the rows. Project is used to rename and select columns. Extend is used to add columns.
83
You have an Azure virtual machine that runs Linux. The virtual machine hosts a custom application that outputs log data in the JSON format. You need to recommend a solution to collect the logs in a Log Analytics workspace. What should you include in the recommendation? Select only one answer. the Azure VMAccess extension the Custom Script Extension Version 2 extension the DSC extension for Linux the Azure Monitor agent for Linux
the Azure Monitor agent for Linux You can use the Log Analytics agent for Linux as part of a solution to collect JSON output from the Linux virtual machines. The Azure Custom Script Extension is used for post-deployment configuration, software installation, or any other configuration or management task. Desired State Configuration (DSC) is a management platform that you can use to manage an IT and development infrastructure with configuration as code. The Azure VMAccess extension acts as a KVM switch that allows you to access the console to reset access to Linux or perform disk-level maintenance.
84
You have multiple Azure virtual machines and an Azure recovery services vault. Virtual machines are configured with the default backup policy. What is the retention period of virtual machine backups in the default backup policy? Select only one answer. 7 days 14 days 30 days 90 days
30 days By default, backups of virtual machines are kept for 30 days.
85
You have an Azure subscription that contains a storage account named storage1. You need to use shared access signatures (SAS) to grant a third-party application access to storage1 for the next 30 days. What should you use? Select only one answer. a service SAS a stored access policy an account SAS an ad hoc SAS
an ad hoc SAS The correct solution is to use an ad hoc SAS, because it allows you to directly specify the start time and expiry time within the SAS token itself without requiring a stored access policy. This makes it ideal for granting time-limited access—such as 30 days—to a third-party application. A stored access policy is useful for centrally managing or revoking multiple SAS tokens but isn’t required if you only need a one-off token. A service SAS restricts access to specific services within a storage account (such as a blob or queue) but still requires either ad hoc parameters or a stored access policy to define its validity period. An account SAS grants broader permissions at the storage account level, which goes beyond the principle of least privilege. Therefore, an ad hoc SAS is the most appropriate option for granting limited, 30-day access.
86
You have an Azure subscription that contains a storage account named storage1. You have an app named App1 that reads data from storage1. You need to generate a shared access signature (SAS) token. The solution must meet the following requirements: Ensure that App1 can access storage1 for 12 hours. Ensure that App1 can access storage1 if the token is compromised or shared with other applications. Minimize administrative effort. What should you use to generate the token? Select only one answer. an account SAS Azure Storage Explorer the az storage container generate-sas command the New-AzStorageAccountSASToken cmdlet
the az storage container generate-sas command The correct solution is to use the az storage container generate-sas command, because a service-level SAS scoped at the container or blob level allows App1 to access only the required data in storage1, limits the validity to 12 hours, and reduces risk if the token is compromised. An account SAS would expose the entire storage account, violating the principle of least privilege. Using Azure Storage Explorer is a manual GUI-based option, not suitable for repeatable secure token generation in app scenarios. The New-AzStorageAccountSASToken cmdlet creates an account SAS rather than a container SAS, giving broader access than required. Therefore, generating a container-level SAS with az CLI best meets the requirements while minimizing administrative effort.
87
You create an Azure Storage account. You need to create a lifecycle management rule to move blobs to Cool storage if the blobs have not been accessed for 30 days. What should you do first? Select only one answer. Enable access tracking. Enable versioning for blobs. Refresh the blob inventory. Rotate the storage account keys.
Enable access tracking. A lifecycle management rule can be used to move or delete blobs automatically. The rule can be based on the time the blob was last modified or the time the blob was last accessed (read or write). To perform an action based on the access time, access tracking must be enabled. This can incur additional storage costs.
88
You have an Azure subscription that contains a resource group named RG1. RG1 contains an Azure virtual machine named VM1. You need to use VM1 as a template to create a new Azure virtual machine. Which three methods can you use to complete the task? Each correct answer presents a complete solution. Select all answers that apply. From Azure Cloud Shell, run the Get-AzVM and New-AzVM cmdlets. From Azure Cloud Shell, run the Save-AzDeploymentScriptLog and New-AzResourceGroupDeployment cmdlets. From Azure Cloud Shell, run the Save-AzDeploymentTemplate and New-AzResourceGroupDeployment cmdlets. From RG1, select Export template, select Download, and then, from Azure Cloud Shell, run the New-AzResourceGroupDeployment cmdlet. From VM1, select Export template, and then select Deploy.
From Azure Cloud Shell, run the Save-AzDeploymentTemplate and New-AzResourceGroupDeployment cmdlets. From RG1, select Export template, select Download, and then, from Azure Cloud Shell, run the New-AzResourceGroupDeployment cmdlet. From VM1, select Export template, and then select Deploy. From RG1, selecting the Download option from the Export template page exports the Azure Resource Manager (ARM) template from the resource group properties. You can then deploy the ARM template by running the New-AzResourceGroupDeployment cmdlet. By using the Save-AzDeploymentTemplate cmdlet, you can save the resource ARM template. You can then deploy the ARM template by running the New-AzResourceGroupDeployment cmdlet. From VM1, selecting the Deploy option from the Export template page allows you to deploy a new Azure virtual machine and use the configuration of VM1 as the template. The Save-AzDeploymentScriptLog cmdlet is used to save the log of a deployment script execution. The Get-AzVM cmdlet generates a list of virtual machines that are created in the Azure subscription.
89
Your company has a set of resources deployed to an Azure subscription. The resources are deployed to a resource group named app-grp1 by using Azure Resource Manager (ARM) templates. You need to verify the date and the time that the resources in app-grp1 were created. Which blade should you review for app-grp1 in the Azure portal? Select only one answer. Deployments Diagnostics setting Deployment stacks Policy
Deployments Navigating to the Diagnostics settings blade provides the ability to diagnose errors or review warnings. Navigating to the Metrics blade provides metrics information (CPU, resources) to users. On the Deployments blade for the resource group (app-grp1), all the details related to a deployment, such as the name, status, date last modified, and duration, are visible. Navigating to the Policy blade only provides information related to the policies enforced on the resource group.
90
You are deploying a virtual machine by using an availability set in the East US Azure region. You have deployed 18 virtual machines in two fault domains and 10 update domains. Microsoft performed planned physical hardware maintenance in the East US region. What is the maximum number of virtual machines that will be unavailable? Select only one answer. 2 8 9 18
2 This answer is incorrect. 18 virtual machines are shared across 10 update domains. The first 10 virtual machines go to 10 update domains, so eight update domains will have two virtual machines. When there is physical hardware maintenance, some virtual machines will be unavailable based on their configuration. If there was a rack failure, then 18 virtual machines will be distributed to two fault domains with nine virtual machines each.
91
You have an Azure subscription that contains a container app named App1. App1 is configured to use cached data. You plan to create a new container. You need to ensure that the new container automatically refreshes the cache used by App1. Which type of container should you configure? Select only one answer. blob init privileged sidecar
sidecar Azure Container Apps manages the details of Kubernetes and container orchestration. Containers in Azure Container Apps can use any runtime, programming language, or development stack of your choice. You can define multiple containers in a single container app to implement the sidecar pattern, for example, an agent that reads logs from the primary app container in a shared volume and forwards them to a logging service.
92
You have an Azure subscription that contains hundreds of virtual machines that were migrated from a local datacenter. You need to identify which virtual machines are underutilized. Which Azure Advisor settings should you use? Select only one answer. Cost High Availability Operational Excellence Performance
Cost The Cost blade allows you to optimize and reduce your overall Azure spending. You can use this to identify the virtual machines that are underutilized. The Performance blade allows you to improve the speed of your applications. High availability is unavailable via Azure Advisor. Operational Excellence helps you achieve process and workflow efficiency, resource manageability, and deployment best practices.
93
Your company plans to host an application on four Azure virtual machines. You need to ensure that at least two virtual machines are available if a single Azure datacenter fails. Which availability option should you select for the virtual machine? Select only one answer. an availability set an availability zone scale sets
an availability zone To protect against datacenter level failures, and if you want connectivity to multiple machines, you must ensure that the virtual machines are deployed across various availability zones.
94
You have an Azure subscription. You plan to deploy a web app in a Linux-based Docker container. You need to recommend a solution for the deployment of the web app that meets the following requirements: Supports a custom domain name Provides the ability to scale out automatically based on demand. Minimizes administrative effort Minimizes costs Which solution should you recommend? Select only one answer. Azure App Service Azure Container Instances Azure Kubernetes Service (AKS) Azure Virtual Machine Scale Sets
Azure App Service Azure App Service fulfills all the stated requirements. Azure Virtual Machine Scale Sets, Azure Kubernetes Service (AKS), and Azure Container Instances are more difficult to administer and more costly.
95
You have an Azure subscription that contains the following resources: Eight virtual networks 24 virtual machines 16 storage accounts You need to implement a monitoring solution that provides the ability to view diagnostics and telemetry data generated by Azure resources. What should you include in the solution? Select only one answer. a Log Analytics workspace an Azure Machine Learning workspace metrics logs resource logs
a Log Analytics workspace A Log Analytics workspace is a unique environment for log data from Azure Monitor and other Azure services, such as Microsoft Sentinel and Microsoft Defender for Cloud. Each workspace has its own data repository and configuration and can combine data from multiple services.
96
You have an Azure subscription that contains virtual machines, virtual networks, application gateways, and load balancers. You need to monitor the network health of the resources. Which Azure service should you use? Select only one answer. Azure Monitor Azure Network Watcher Azure Resource Manager network security groups (NSGs)
Azure Network Watcher Azure Network Watcher provides tools to monitor, diagnose, view metrics, and enable or disable logs for resources on an Azure virtual network. Azure Resource Manager is the deployment and management service for Azure. Network security groups (NSGs) are used only for security, not monitoring. Azure Monitor is used for the HTTP Data Collector API to send log data to Log Analytics.
97
You have an Azure subscription that contains an Azure DNS zone named contoso.com. You add a new subdomain named test.contoso.com. You plan to delegate test.contoso.com to a different DNS server. How should you configure the domain delegation? Select only one answer. Add an A record for test.contoso.com. Add an NS record set named test to the contoso.com zone. Create the SOA record for test.contoso.com. Modify the A record for contoso.com.
Add an NS record set named test to the contoso.com zone. You must create a DNS NS record set named test in the contoso.com zone. An NS zone must be created at the apex of the zone named contoso.com. You do not need to create the SOA record set in test.contoso.com. It must only be created in contoso.com. You do not need to create or modify the DNS A record.
98
You have an Azure virtual machine that hosts a third-party application named App1. Users report that they experience performance issues when they use the application. You need to find the root cause of the performance issue. What should you use? Select only one answer. activity logs Azure Advisor Azure Cost Azure Monitor
Azure Monitor Azure Monitor stores metrics in a time-series database that is optimized for analyzing time-stamped data. Activity logs detect and address issues before users notice them proactively. Azure Advisor analyzes configuration and usage metrics but does not provide time-lapsed data. Azure Cost only helps to optimize and reduce overall Azure spending.
99
You have an Azure Storage account that contains a file share. Several users work from a secure location that limits outbound traffic to the internet. You need to ensure that the users at the secure location can access the file share in Azure by using SMB protocol. Which outbound port should you allow from the secure location? Select only one answer. 80 443 445 5671
445 For accessing the file share, port 445 must be open. Port 5671 is used to send health information to Microsoft Entra. It is recommended, but not required, in the latest versions. Port 80 is used to download certificate revocation lists (CRLs) to verify TLS/SSL certificates. Port 443 is used for HTTPS traffic, for example to sync AD DS with Microsoft Entra.