Microsoft AZ-104 Microsoft Azure Administrator Exam Dumps and Practice Test Questions Set 3 Q41-60


Question 41: 

You need to ensure that all Azure virtual machines deployed in a subscription are tagged with the environment (Production, Development, or Test) at creation time. Which Azure service should you use?

A) Azure Policy
B) Resource Locks
C) RBAC
D) Azure Monitor

Answer: A) Azure Policy

Explanation: 

Azure Policy allows administrators to enforce rules across resources, including requiring specific tags during resource creation. Resource locks prevent accidental deletion or modification but do not enforce tagging. RBAC controls permissions, and Azure Monitor is used for telemetry and alerts, not enforcing configuration standards.

To ensure that all Azure virtual machines deployed in a subscription are tagged with the environment (Production, Development, or Test) at creation time, the most appropriate service to use is Azure Policy. Azure Policy is a governance tool that enables administrators to define rules and enforce them across Azure resources consistently. By creating a policy that requires specific tags, such as “Environment,” administrators can ensure that every virtual machine is automatically evaluated for compliance at the time of creation. If a resource does not meet the tagging requirement, it can be denied deployment or flagged for remediation, depending on the policy settings.

Resource Locks, on the other hand, are designed to prevent accidental deletion or modification of critical resources. While useful for protecting existing resources, they do not enforce tagging or any other configuration rules during deployment. Role-Based Access Control (RBAC) focuses on managing who can perform actions on Azure resources. RBAC assigns permissions to users or groups but does not enforce specific resource configurations such as tags. Azure Monitor is primarily a monitoring service that collects metrics, logs, and telemetry data from resources, enabling alerts and diagnostics. It does not enforce resource creation rules or governance standards.

Therefore, to mandate that virtual machines include the correct environment tags at creation, Azure Policy is the correct and most effective solution.
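The policy definition that this question calls for, together with a small local evaluator, as an added example (it is not part of the exam page and not Microsoft's code). The JSON follows the real Azure Policy definition schema (`mode`, `parameters`, `policyRule` with `if`/`then`, the `tags['...']` field alias and the `deny` effect); the evaluator and the sample resources are a simplified, constructed stand-in for the service (no case-folding of tag names, no alias expansion, no scoping), written so the deny/allow outcome can be checked offline.

```python
"""Added example, not from the exam page: build the Azure Policy definition that
Question 41 calls for (deny any virtual machine whose 'Environment' tag is missing
or not one of Production/Development/Test) and evaluate sample resources against
it locally. The definition JSON follows the Azure Policy schema; the evaluator
and the sample resources are a simplified, constructed stand-in for the service."""
import json

ALLOWED_ENVIRONMENTS = ["Production", "Development", "Test"]


def build_require_environment_tag_policy():
    """Policy definition: VMs must carry tags['Environment'] with an allowed value."""
    return {
        "mode": "Indexed",  # evaluate only resource types that support tags and location
        "parameters": {
            "allowedValues": {"type": "Array", "defaultValue": ALLOWED_ENVIRONMENTS}
        },
        "policyRule": {
            "if": {
                "allOf": [
                    {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
                    {
                        "anyOf": [
                            {"field": "tags['Environment']", "exists": "false"},
                            {"field": "tags['Environment']", "notIn": "[parameters('allowedValues')]"},
                        ]
                    },
                ]
            },
            "then": {"effect": "deny"},
        },
    }


def _resolve_field(resource, field):
    """Map a policy field alias onto the sample resource (top-level fields and tags[...] only)."""
    if field.startswith("tags['") and field.endswith("']"):
        return (resource.get("tags") or {}).get(field[len("tags['"):-len("']")])
    return resource.get(field)


def _resolve_value(value, parameters):
    """Expand the [parameters('name')] template expression; other values are literal."""
    if isinstance(value, str) and value.startswith("[parameters('") and value.endswith("')]"):
        return parameters[value[len("[parameters('"):-len("')]")]]
    return value


def _match(cond, resource, parameters):
    """Evaluate one policy condition (logical operators or a field comparison)."""
    if "allOf" in cond:
        return all(_match(c, resource, parameters) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_match(c, resource, parameters) for c in cond["anyOf"])
    if "not" in cond:
        return not _match(cond["not"], resource, parameters)
    actual = _resolve_field(resource, cond["field"])
    if "exists" in cond:
        return (actual is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return actual == _resolve_value(cond["equals"], parameters)
    if "notEquals" in cond:
        return actual != _resolve_value(cond["notEquals"], parameters)
    if "in" in cond:
        return actual in _resolve_value(cond["in"], parameters)
    if "notIn" in cond:
        return actual not in _resolve_value(cond["notIn"], parameters)
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(policy, resource, parameter_values=None):
    """Return the policy effect ('deny') when the rule fires, otherwise 'allow'."""
    params = {name: p["defaultValue"] for name, p in policy.get("parameters", {}).items()}
    params.update(parameter_values or {})
    rule = policy["policyRule"]
    return rule["then"]["effect"] if _match(rule["if"], resource, params) else "allow"


# Constructed sample resources (not real deployments).
SAMPLE_RESOURCES = [
    {"name": "vm-prod-01", "type": "Microsoft.Compute/virtualMachines", "tags": {"Environment": "Production"}},
    {"name": "vm-dev-02", "type": "Microsoft.Compute/virtualMachines", "tags": {"Environment": "Staging"}},
    {"name": "vm-untagged", "type": "Microsoft.Compute/virtualMachines"},
    {"name": "st-logs", "type": "Microsoft.Storage/storageAccounts"},  # out of scope: the rule never fires
]


def evaluate_all(policy, resources):
    """Map each resource name to the effect the policy would apply at deployment time."""
    return {r["name"]: evaluate(policy, r) for r in resources}


if __name__ == "__main__":
    policy = build_require_environment_tag_policy()
    print(json.dumps(policy, indent=2))
    for name, effect in evaluate_all(policy, SAMPLE_RESOURCES).items():
        print(f"{name}: {effect}")
```

The `exists: false` branch is what catches a VM created with no tag at all; `notIn` alone covers only the wrong-value case. The storage account shows why the `type` check matters: without it the same rule would also block every other taggable resource in scope.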

Question 42: 

Your company requires that Azure virtual networks cannot have subnets with overlapping IP addresses. Which Azure feature can enforce this requirement?

A) Azure Policy
B) Network Security Groups
C) Route Tables
D) Azure Firewall

Answer: A) Azure Policy

Explanation: 

Azure Policy can enforce networking rules such as preventing overlapping IP address spaces across virtual networks. Network Security Groups control traffic flow, Route Tables define routing, and Azure Firewall filters traffic, none of which prevent IP overlaps.

To ensure that Azure virtual networks do not have subnets with overlapping IP addresses, the appropriate service to use is Azure Policy. Azure Policy provides governance across Azure resources by allowing administrators to define and enforce rules consistently. In this scenario, a policy can be created to validate the address spaces of virtual network subnets, preventing deployments that would result in overlapping IP ranges. This ensures network integrity, reduces configuration conflicts, and supports compliance with organizational standards. Azure Policy evaluates resources at deployment and can either deny non-compliant configurations or mark them for remediation.

Network Security Groups are designed to control inbound and outbound traffic to resources within a virtual network. They define security rules based on ports, protocols, and IP addresses but do not manage subnet configurations or enforce address space rules. Route Tables are used to direct traffic between subnets or virtual networks by defining custom routes, but they do not prevent IP overlaps. Azure Firewall is a managed network security service that inspects and filters network traffic to protect resources. While it provides advanced traffic management and threat protection, it does not enforce network design rules or prevent overlapping subnets.

Therefore, to guarantee that virtual networks are created without overlapping IP address ranges, Azure Policy is the only option among these services that can implement and enforce this requirement effectively.
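The overlap check itself, as an added example (not from the exam page, and not a published Azure artifact): this is the validation a deny policy or a pre-deployment pipeline has to perform, done here with the standard library over a constructed hub-and-spoke layout. The VNet names, address spaces and the two deliberate mistakes in the sample data are assumptions for the example, not an organization's real address plan.

```python
"""Added example, not from the exam page: the overlap check that a deny policy or a
pre-deployment pipeline must perform for Question 42. Standard library only; the
VNet layout is constructed sample data with illustrative private ranges."""
import ipaddress
from itertools import combinations


def _labelled_subnets(vnets):
    """Flatten {vnet: {"addressSpace": [...], "subnets": {name: prefix}}} into (label, network) pairs."""
    out = []
    for vnet_name, vnet in vnets.items():
        for subnet_name, prefix in vnet["subnets"].items():
            # strict=True rejects prefixes with host bits set, e.g. 10.0.0.5/24
            out.append((f"{vnet_name}/{subnet_name}", ipaddress.ip_network(prefix, strict=True)))
    return out


def find_overlaps(vnets):
    """Sorted (label_a, label_b) pairs whose subnet prefixes overlap, within or across VNets."""
    pairs = []
    for (name_a, net_a), (name_b, net_b) in combinations(_labelled_subnets(vnets), 2):
        if net_a.version == net_b.version and net_a.overlaps(net_b):
            pairs.append((name_a, name_b))
    return sorted(pairs)


def subnets_outside_address_space(vnets):
    """Labels of subnets that do not fit inside any prefix of their own VNet's address space."""
    outside = []
    for vnet_name, vnet in vnets.items():
        spaces = [ipaddress.ip_network(p) for p in vnet["addressSpace"]]
        for subnet_name, prefix in vnet["subnets"].items():
            net = ipaddress.ip_network(prefix)
            if not any(net.version == s.version and net.subnet_of(s) for s in spaces):
                outside.append(f"{vnet_name}/{subnet_name}")
    return outside


def validate_new_subnet(vnets, vnet_name, prefix):
    """Pre-flight check for a proposed subnet: inside its VNet, and what would it collide with?"""
    net = ipaddress.ip_network(prefix, strict=True)
    spaces = [ipaddress.ip_network(p) for p in vnets[vnet_name]["addressSpace"]]
    inside = any(net.version == s.version and net.subnet_of(s) for s in spaces)
    overlaps = [label for label, existing in _labelled_subnets(vnets)
                if existing.version == net.version and existing.overlaps(net)]
    return {"inside_address_space": inside, "overlaps": overlaps}


# Constructed sample topology: a hub and two spokes, with two deliberate mistakes.
SAMPLE_VNETS = {
    "vnet-hub": {
        "addressSpace": ["10.0.0.0/16"],
        "subnets": {"AzureFirewallSubnet": "10.0.0.0/26", "GatewaySubnet": "10.0.1.0/27"},
    },
    "vnet-spoke-a": {
        "addressSpace": ["10.1.0.0/16"],
        "subnets": {"app": "10.1.0.0/24", "data": "10.1.0.128/25"},  # data sits inside app
    },
    "vnet-spoke-b": {
        "addressSpace": ["10.2.0.0/16"],
        "subnets": {"app": "10.0.1.0/24"},  # outside its own VNet and collides with the hub GatewaySubnet
    },
}


if __name__ == "__main__":
    for a, b in find_overlaps(SAMPLE_VNETS):
        print(f"overlap: {a} <-> {b}")
    for label in subnets_outside_address_space(SAMPLE_VNETS):
        print(f"outside address space: {label}")
    print(validate_new_subnet(SAMPLE_VNETS, "vnet-hub", "10.0.1.0/24"))
```

Cross-VNet overlaps matter as much as overlaps inside one VNet: two VNets with colliding ranges cannot be peered, which is why the check runs over every pair rather than per VNet.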

Question 43: 

You are tasked with deploying a highly available Azure App Service that must be resilient to region failures. Which deployment option should you use?

 

A) App Service Environment with multi-region deployment
B) Single App Service plan in one region
C) Azure Functions with consumption plan
D) Azure Container Instances

Answer: A) App Service Environment with multi-region deployment

Explanation: 

App Service Environment supports dedicated hosting and can be deployed across multiple regions for high availability and disaster recovery. A single App Service plan is region-specific. Azure Functions consumption plan and Azure Container Instances do not provide the same multi-region resilience automatically.

To deploy a highly available Azure App Service that is resilient to region failures, the best option is an App Service Environment (ASE) with multi-region deployment. An App Service Environment provides a fully isolated and dedicated hosting environment for securely running App Service apps at high scale. By deploying an ASE across multiple regions, organizations can ensure that applications remain available even if an entire Azure region experiences an outage. This approach supports disaster recovery, high availability, and seamless traffic failover between regions, making it suitable for mission-critical workloads that require maximum uptime.

A single App Service plan in one region does not provide regional resilience. If that region becomes unavailable due to an outage or maintenance, all apps running on that plan will be impacted. Azure Functions with a consumption plan provides serverless execution with automatic scaling but does not inherently support multi-region deployment or resilience to regional failures. Similarly, Azure Container Instances allow running containers on demand, but they are region-specific and do not include built-in multi-region redundancy or high availability features.

Therefore, for applications requiring both high availability and resilience to regional disruptions, deploying an App Service Environment with multi-region deployment is the most suitable choice. This setup ensures dedicated resources, isolation, and geographic redundancy, which cannot be achieved with a single App Service plan, serverless functions, or container instances alone.

Question 44: 

You need to audit all changes to Azure resources, including who modified a resource and when. Which Azure service provides this capability?

A) Azure Activity Log
B) Azure Monitor Metrics
C) Azure Policy
D) Resource Locks

Answer: A) Azure Activity Log

Explanation: 

The Azure Activity Log captures all management operations performed on resources, including creation, modification, and deletion along with the user identity. Azure Monitor Metrics tracks performance data, Policy enforces compliance, and Resource Locks prevent deletion or modification but do not track changes.

To audit all changes to Azure resources, including tracking who modified a resource and when, the correct service to use is the Azure Activity Log. The Activity Log records all management operations performed on Azure resources, such as creation, updates, and deletion. It captures detailed information including the identity of the user or service principal who performed the action, the timestamp of the operation, and the type of action taken. This makes it an essential tool for auditing, troubleshooting, and ensuring compliance with organizational policies or regulatory requirements. Administrators can access this log to review historical changes, investigate incidents, and generate reports on resource activity.

Azure Monitor Metrics, while an important service for monitoring, focuses on performance and operational data of resources, such as CPU utilization, memory usage, and network throughput. It does not provide detailed information about who made configuration changes. Azure Policy enforces governance by ensuring that resources comply with organizational rules, like requiring specific tags or configurations, but it does not track user actions or modifications. Resource Locks help prevent accidental deletion or modification of resources by restricting operations, but they do not log or audit any changes.

Therefore, for comprehensive auditing of all resource modifications, including who performed them and when, the Azure Activity Log is the appropriate and effective solution.
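What the audit described above looks like when applied to Activity Log events, as an added example (not from the exam page and not Microsoft's code). The field names used (`caller`, `eventTimestamp`, `operationName.value`, `resourceId`, `status.value`, `category.value`, `correlationId`) follow the Activity Log event schema returned by the REST API and `az monitor activity-log list`; the events, the subscription id, the `contoso.example` users and the service-principal GUID are constructed samples.

```python
"""Added example, not from the exam page: turning Azure Activity Log events into an
audit trail of who changed what and when (Question 44). Field names follow the
Activity Log event schema; the events themselves are constructed samples."""
from collections import Counter
from datetime import datetime

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder subscription
VM_ID = f"{SUB}/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm-app-01"
NSG_RULE_ID = f"{SUB}/resourceGroups/rg-app/providers/Microsoft.Network/networkSecurityGroups/nsg-web/securityRules/allow-mgmt"
STORAGE_ID = f"{SUB}/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/stdata01"


def _event(ts, caller, operation, resource_id, status, correlation_id, category="Administrative"):
    """Shape one constructed event the way the Activity Log API returns it."""
    return {
        "eventTimestamp": ts, "caller": caller, "correlationId": correlation_id,
        "category": {"value": category}, "status": {"value": status},
        "operationName": {"value": operation}, "resourceId": resource_id,
    }


# Constructed sample events. One operation produces several records (Started, then
# Succeeded or Failed) that share a correlationId, so an audit must pick one outcome.
SAMPLE_EVENTS = [
    _event("2024-03-04T09:15:02+00:00", "alice@contoso.example", "Microsoft.Compute/virtualMachines/write", VM_ID, "Started", "c-1"),
    _event("2024-03-04T09:15:41+00:00", "alice@contoso.example", "Microsoft.Compute/virtualMachines/write", VM_ID, "Succeeded", "c-1"),
    _event("2024-03-04T10:02:13+00:00", "bob@contoso.example", "Microsoft.Network/networkSecurityGroups/securityRules/write", NSG_RULE_ID, "Succeeded", "c-2"),
    # a service principal is recorded by its GUID rather than a user principal name (assumed sample value)
    _event("2024-03-04T10:30:00+00:00", "11111111-1111-1111-1111-111111111111", "Microsoft.Storage/storageAccounts/listKeys/action", STORAGE_ID, "Succeeded", "c-3"),
    _event("2024-03-04T11:45:09+00:00", "carol@contoso.example", "Microsoft.Compute/virtualMachines/delete", VM_ID, "Failed", "c-4"),
    _event("2024-03-04T12:00:00+00:00", "", "Microsoft.ServiceHealth/incident/action", SUB, "Active", "c-5", category="ServiceHealth"),
]


def change_records(events, statuses=("Succeeded",)):
    """One audit row per completed management operation: when, who, what kind of change, which resource."""
    rows = []
    for e in events:
        if e["category"]["value"] != "Administrative" or e["status"]["value"] not in statuses:
            continue
        op = e["operationName"]["value"]
        rows.append({
            "time": datetime.fromisoformat(e["eventTimestamp"]),
            "caller": e["caller"],
            "kind": op.rsplit("/", 1)[-1],  # write | delete | action
            "operation": op,
            "resource": e["resourceId"].rsplit("/providers/", 1)[-1],
            "correlationId": e["correlationId"],
        })
    return sorted(rows, key=lambda r: r["time"])


def changes_by_caller(rows):
    """How many completed changes each identity made."""
    return Counter(r["caller"] for r in rows)


def history_for_resource(events, resource_id):
    """Every outcome (Succeeded and Failed) recorded against one resource, oldest first."""
    return change_records([e for e in events if e["resourceId"] == resource_id],
                          statuses=("Succeeded", "Failed"))


if __name__ == "__main__":
    for r in change_records(SAMPLE_EVENTS):
        print(f"{r['time'].isoformat()}  {r['caller']:40}  {r['kind']:7}  {r['resource']}")
    print(changes_by_caller(change_records(SAMPLE_EVENTS)))
    for r in history_for_resource(SAMPLE_EVENTS, VM_ID):
        print(f"{VM_ID.rsplit('/', 1)[-1]}: {r['kind']} by {r['caller']} at {r['time'].time()}")
```

Filtering on `Succeeded` keeps one row per change; including `Failed` (as `history_for_resource` does) is the right choice when investigating an incident, because a failed delete is still an attempt worth knowing about. The `/action` suffix on `listKeys` shows that the log also records operations that read secrets without modifying anything.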

Question 45: 

You need to configure an Azure Storage Account so that only specific virtual machines in a virtual network can access it privately. Which feature should you implement?

A) Private Endpoint
B) Service Endpoint
C) Public IP Address
D) Azure Firewall

Answer: A) Private Endpoint

Explanation: 

Private Endpoint assigns a private IP address to the storage account within a virtual network, allowing only designated VMs to access it privately. Service Endpoint allows access from VNets but does not assign a private IP. Public IP addresses expose the resource to the internet. Azure Firewall is for centralized traffic filtering, not direct private connectivity.

To configure an Azure Storage Account so that only specific virtual machines within a virtual network can access it privately, the appropriate solution is to implement a Private Endpoint. A Private Endpoint assigns a private IP address from the virtual network directly to the storage account, enabling secure, private connectivity. This ensures that traffic between the virtual machines and the storage account remains entirely within the Azure backbone network, without traversing the public internet. By using a Private Endpoint, access can be tightly controlled so that only selected virtual machines or subnets within the virtual network can reach the storage account.

A Service Endpoint also allows virtual network traffic to reach Azure services like storage accounts, but it does not provide a private IP address for the storage account. Instead, it simply extends the virtual network identity to the service, leaving the storage account accessible via its public IP, which may not meet strict private access requirements. Assigning a Public IP Address would expose the storage account to the internet, which increases security risks and does not restrict access to specific virtual machines. Azure Firewall is a network security service that provides centralized traffic filtering and threat protection but does not create direct private connectivity to a storage account.

Therefore, to achieve secure, private access from selected virtual machines, implementing a Private Endpoint is the correct approach, providing both isolation and fine-grained access control.

Question 46: 

Your organization wants to enforce automatic encryption of all new Azure SQL databases with customer-managed keys. Which two services must you configure?

A) Azure Key Vault and Azure Policy
B) RBAC and Azure Monitor
C) Azure Backup and Azure Firewall
D) Resource Locks and Azure AD Conditional Access

Answer: A) Azure Key Vault and Azure Policy

Explanation: 

Azure Key Vault securely stores customer-managed keys, while Azure Policy enforces that all new SQL databases use these keys for encryption. RBAC controls access but does not enforce encryption. Azure Backup protects data, Firewall controls traffic, Resource Locks prevent deletion, and Conditional Access manages identity policies.

To enforce automatic encryption of all new Azure SQL databases using customer-managed keys, two Azure services must be configured: Azure Key Vault and Azure Policy. Azure Key Vault provides a secure and centralized location to store cryptographic keys, secrets, and certificates. By using Key Vault, organizations can create, manage, and control access to customer-managed keys (CMKs) that are required for encrypting SQL databases. This ensures that the encryption keys are protected and that the organization maintains control over key lifecycle and access permissions.

Azure Policy complements this by enforcing organizational rules across Azure resources. A policy can be created to require that all newly deployed Azure SQL databases use customer-managed keys stored in Azure Key Vault for encryption. This ensures compliance automatically, as any attempt to create a database without using the designated keys can be denied or flagged for remediation.

Other options do not achieve this goal. Role-Based Access Control (RBAC) manages permissions but does not enforce encryption rules. Azure Monitor tracks metrics and logs, but it does not configure encryption. Azure Backup and Azure Firewall protect data and filter traffic respectively, while Resource Locks and Azure AD Conditional Access focus on preventing accidental deletions or managing identity access, none of which enforce encryption policies.

Therefore, combining Azure Key Vault for key management with Azure Policy for enforcement is the correct approach to ensure all new SQL databases are encrypted with customer-managed keys.

Question 47: 

You want to monitor the performance of a virtual machine in Azure and be alerted if disk I/O exceeds a threshold. Which service should you use?

A) Azure Monitor
B) Azure Policy
C) Resource Locks
D) Azure Automation

Answer: A) Azure Monitor

Explanation: 

Azure Monitor collects metrics and logs from VMs, including CPU, memory, and disk I/O. It can trigger alerts when thresholds are exceeded. Azure Policy enforces configuration, Resource Locks prevent accidental changes, and Automation is used for scripting and operational tasks.

To monitor the performance of a virtual machine in Azure and receive alerts when disk I/O exceeds a defined threshold, the appropriate service to use is Azure Monitor. Azure Monitor collects and analyzes telemetry data from Azure resources, including virtual machines, applications, and networks. For virtual machines, it gathers metrics such as CPU utilization, memory usage, disk I/O, and network traffic. By configuring metric-based alerts within Azure Monitor, administrators can be notified immediately if a virtual machine’s disk operations exceed a specified threshold. This allows proactive management of performance issues and helps maintain application reliability.

Azure Policy is designed to enforce compliance with organizational standards by applying rules and restrictions on resource configurations, such as requiring tags or enforcing certain SKUs. While it ensures proper governance, it does not track real-time performance or generate alerts. Resource Locks are intended to protect critical resources from accidental deletion or modification, but they do not provide monitoring or alerting capabilities. Azure Automation allows administrators to automate routine tasks and operational workflows using runbooks, but it does not collect performance metrics or trigger alerts based on thresholds.

Therefore, for continuous monitoring of virtual machine performance and automated alerting based on disk I/O or other metrics, Azure Monitor is the correct service. It provides comprehensive visibility, actionable insights, and real-time notifications, making it essential for maintaining optimal VM performance.

Question 48: 

Your company wants to ensure that users cannot sign in to Azure AD from unmanaged devices. Which feature should you configure?

A) Conditional Access policies
B) Azure AD Privileged Identity Management
C) Self-Service Password Reset
D) Azure AD B2B Collaboration

Answer: A) Conditional Access policies

Explanation: 

Conditional Access policies enforce access controls based on device compliance, location, and other conditions. Privileged Identity Management manages temporary elevated permissions. Self-Service Password Reset allows users to reset passwords. B2B collaboration manages guest access.

To ensure that users cannot sign in to Azure AD from unmanaged devices, the appropriate feature to configure is Conditional Access policies. Conditional Access allows administrators to enforce access controls based on a variety of conditions, such as device compliance, user location, application sensitivity, and risk level. By creating a policy that requires devices to be marked as compliant or managed before allowing access, organizations can prevent users from signing in from personal or unmanaged devices. This strengthens security by reducing the risk of unauthorized access and helps maintain compliance with organizational policies.

Azure AD Privileged Identity Management (PIM) focuses on managing, controlling, and monitoring elevated access for privileged accounts. It allows administrators to assign time-bound, just-in-time permissions but does not restrict sign-ins based on device management. Self-Service Password Reset enables users to reset their passwords without administrator intervention, improving user experience, but it does not enforce device compliance or sign-in restrictions. Azure AD B2B Collaboration facilitates secure guest access for external users to resources in an organization, allowing cross-organization collaboration, but it is not designed to control access from unmanaged devices for internal users.

Therefore, to prevent sign-ins from unmanaged devices while maintaining secure and controlled access, configuring Conditional Access policies is the correct approach. These policies provide granular, flexible, and automated enforcement of security requirements across devices and users.

Question 49: 

You are asked to implement Azure Site Recovery for disaster recovery of on-premises VMs to Azure. Which replication method ensures continuous data replication?

A) Hyper-V Replica or VMware to Azure replication
B) Manual backup to Azure Blob Storage
C) Storage Account snapshot
D) Azure Monitor metrics

Answer: A) Hyper-V Replica or VMware to Azure replication

Explanation: 

Azure Site Recovery uses Hyper-V or VMware replication to continuously replicate VMs to Azure. Manual backups or snapshots are point-in-time and do not provide continuous failover. Azure Monitor collects telemetry but does not replicate workloads.

To implement disaster recovery of on-premises virtual machines to Azure using Azure Site Recovery (ASR), the replication method that ensures continuous data replication is Hyper-V Replica or VMware to Azure replication. Azure Site Recovery integrates directly with on-premises Hyper-V and VMware environments to replicate virtual machines to Azure in near real-time. This continuous replication ensures that the latest changes on the on-premises VMs are synchronized with their Azure counterparts, enabling rapid failover in the event of a disaster. ASR supports both planned failover for maintenance scenarios and unplanned failover during outages, minimizing downtime and data loss.

Manual backup to Azure Blob Storage, while useful for data protection, only provides point-in-time copies of virtual machines. These backups do not continuously replicate changes and therefore cannot support near-instantaneous recovery in disaster scenarios. Similarly, creating storage account snapshots captures the state of a VM at a specific moment, but does not provide ongoing replication or automatic synchronization of data. Azure Monitor metrics are designed to collect and analyze performance and health telemetry for resources, but they do not replicate workloads or provide disaster recovery capabilities.

Therefore, to achieve continuous replication and ensure business continuity for on-premises virtual machines in Azure, using Hyper-V Replica or VMware to Azure replication through Azure Site Recovery is the correct solution. This approach enables reliable, near real-time replication and supports both planned and unplanned failovers.

Question 50: 

You need to create a centralized logging solution for multiple Azure subscriptions. Which service allows you to aggregate logs across subscriptions?

A) Log Analytics Workspace
B) Azure Monitor Metrics
C) Azure Policy
D) Resource Locks

Answer: A) Log Analytics Workspace

Explanation: 

Log Analytics Workspace can collect and query logs from multiple subscriptions and resources, providing centralized monitoring. Azure Monitor Metrics tracks performance but is subscription-specific. Policy enforces rules, and Resource Locks prevent accidental changes.

To create a centralized logging solution for multiple Azure subscriptions, the appropriate service to use is a Log Analytics Workspace. A Log Analytics Workspace allows organizations to collect, store, and analyze log and telemetry data from various Azure resources across different subscriptions. By configuring multiple subscriptions to send logs to the same workspace, administrators gain a unified view of activities, performance metrics, and security events across their entire environment. This centralized approach simplifies monitoring, troubleshooting, and reporting, making it easier to detect anomalies, investigate incidents, and maintain compliance.

Azure Monitor Metrics is designed to track performance data such as CPU utilization, memory usage, and network activity. While it provides valuable insights, it is typically scoped to individual subscriptions or resources and does not aggregate logs from multiple subscriptions in a single location. Azure Policy is used to enforce organizational rules and governance by ensuring resources comply with required configurations, such as tagging or SKU restrictions, but it does not collect or centralize log data. Resource Locks help prevent accidental deletion or modification of critical resources, providing protection rather than monitoring or logging capabilities.

Therefore, for a comprehensive centralized logging solution across multiple Azure subscriptions, a Log Analytics Workspace is the correct choice. It enables unified collection, querying, and analysis of logs from diverse resources, supporting proactive monitoring and operational efficiency.

Question 51: 

Your company wants to deploy VMs in an availability zone that ensures redundancy if a single datacenter fails. What feature should you use?

A) Availability Zones
B) Availability Sets
C) VM Scale Sets
D) Azure Backup

Answer: A) Availability Zones

Explanation: 

Availability Zones are physically separate datacenters within a region, providing higher redundancy than availability sets. Availability Sets protect against maintenance events and local hardware failure but are in a single datacenter. VM Scale Sets provide scaling, and Azure Backup protects data.

To deploy virtual machines in a way that ensures redundancy if a single datacenter fails, the correct feature to use is Availability Zones. Availability Zones are physically separate locations within an Azure region, each with independent power, cooling, and networking. By deploying VMs across multiple Availability Zones, organizations can achieve higher fault tolerance and resiliency because the failure of one datacenter does not impact VMs running in other zones. This setup is ideal for mission-critical applications that require continuous availability and protection against datacenter-level outages.

Availability Sets, in contrast, provide redundancy within a single datacenter by distributing VMs across multiple fault and update domains. They protect against localized hardware failures and maintenance events but do not offer protection if the entire datacenter becomes unavailable. VM Scale Sets are designed to automatically deploy and manage a set of identical VMs, enabling horizontal scaling to handle load, but they do not inherently provide cross-datacenter redundancy. Azure Backup focuses on protecting data by creating point-in-time backups of VMs, files, or databases, but it does not ensure continuous availability or prevent downtime in the event of a datacenter failure.

Therefore, for high availability that protects against a complete datacenter outage, deploying VMs across Availability Zones is the most effective solution. It ensures that workloads remain resilient and operational even during regional infrastructure disruptions.

Question 52: 

You need to ensure that all data stored in Azure Blob Storage is encrypted at rest using Microsoft-managed keys. Which feature accomplishes this?

A) Storage Service Encryption
B) Azure Key Vault Firewall
C) Azure Policy
D) Resource Locks

Answer: A) Storage Service Encryption

Explanation: 

Storage Service Encryption automatically encrypts all data at rest using Microsoft-managed keys. Key Vault stores keys but does not automatically encrypt blobs. Azure Policy enforces rules but does not perform encryption. Resource Locks prevent deletion but not data protection.

To ensure that all data stored in Azure Blob Storage is encrypted at rest using Microsoft-managed keys, the appropriate feature to use is Storage Service Encryption. Storage Service Encryption (SSE) automatically encrypts data before it is persisted in Azure storage and decrypts it when accessed, without requiring any application changes. By default, Microsoft manages the encryption keys, ensuring that all data stored in blobs, files, queues, and tables is protected with strong, industry-standard encryption algorithms. This provides a seamless way to meet security and compliance requirements for data at rest.

Azure Key Vault is a secure service for storing and managing cryptographic keys, secrets, and certificates. While it allows organizations to use customer-managed keys for encryption, it does not automatically encrypt Azure Blob Storage data unless explicitly configured in combination with Storage Service Encryption. Azure Policy is a governance tool that enforces organizational rules, such as requiring certain tags or configurations, but it does not perform actual encryption of stored data. Resource Locks help protect storage accounts or other resources from accidental deletion or modification, but they do not provide encryption or data protection.

Therefore, to automatically protect all data stored in Azure Blob Storage at rest using Microsoft-managed keys, enabling Storage Service Encryption is the correct and most effective approach. It ensures data security without additional management overhead.

Question 53: 

Your organization wants to restrict which users can register devices in Azure AD. Which feature allows you to control this?

A) Azure AD Device Settings
B) RBAC
C) Azure Policy
D) Conditional Access

Answer: A) Azure AD Device Settings

Explanation: 

Azure AD Device Settings allow administrators to control who can join or register devices in the directory. RBAC controls resource permissions, Policy enforces compliance, and Conditional Access controls login access but not device registration.

To restrict which users can register devices in Azure Active Directory, the appropriate feature to use is Azure AD Device Settings. This feature allows administrators to manage device registration policies and control which users or groups are permitted to join or register devices with the directory. By configuring these settings, organizations can prevent unauthorized users from adding devices, reducing security risks and ensuring that only approved personnel can integrate devices into the corporate environment. This is particularly important for maintaining compliance, securing corporate resources, and managing devices effectively.

Role-Based Access Control (RBAC) is used to manage permissions for Azure resources, such as granting users the ability to create, modify, or delete resources. While RBAC controls access to resources, it does not govern device registration in Azure AD. Azure Policy is a governance tool that enforces organizational standards and compliance rules across Azure resources but does not regulate who can register devices. Conditional Access policies are designed to enforce access requirements based on conditions like user risk, device compliance, or location; however, they control login and access to resources rather than the ability to register devices.

Therefore, to control and restrict which users can join or register devices in Azure AD, configuring Azure AD Device Settings is the correct and effective solution. It provides direct management of device registration permissions and enhances organizational security.

Question 54: 

You want to deploy Azure VMs that automatically scale based on CPU usage or memory utilization. Which feature should you implement?

A) VM Scale Sets with autoscale
B) Availability Sets
C) Resource Groups
D) Azure Automation

Answer: A) VM Scale Sets with autoscale

Explanation: 

VM Scale Sets allow automatic scaling of multiple identical VMs based on metrics such as CPU or memory. Availability Sets provide redundancy but no autoscaling. Resource Groups organize resources. Automation can perform actions but not dynamic autoscaling automatically.

To deploy Azure virtual machines that automatically scale based on CPU usage or memory utilization, the appropriate feature to implement is VM Scale Sets with autoscale. VM Scale Sets enable the deployment and management of a group of identical VMs, allowing applications to scale out or scale in automatically in response to performance metrics. By configuring autoscale rules, administrators can specify conditions such as increasing the number of VM instances when CPU usage exceeds a threshold or reducing instances during periods of low demand. This ensures that applications maintain performance and responsiveness while optimizing costs.

Availability Sets provide high availability by distributing VMs across multiple fault and update domains within a single datacenter. They protect against hardware failures and maintenance events but do not support automatic scaling based on performance metrics. Resource Groups are logical containers used to organize and manage related Azure resources, making deployment and administration easier, but they do not provide scaling capabilities. Azure Automation allows the automation of administrative tasks through runbooks and scripts, which can perform scheduled or triggered actions, but it does not inherently provide dynamic, metric-based scaling of virtual machines.

Therefore, to achieve automatic scaling of virtual machines in response to workload demands such as CPU or memory utilization, deploying VM Scale Sets with autoscale is the correct solution. It provides both scalability and flexibility while ensuring efficient use of resources.
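The evaluation logic behind both a metric alert (Question 47) and an autoscale rule (this question), as one added example serving both passages; it is not from the exam page and not Microsoft's code. Azure performs this evaluation server-side; here it runs locally over constructed per-minute samples. The metric names `Disk Write Operations/Sec` and `Percentage CPU` and the operator and aggregation names are real platform vocabulary, while the sample values, thresholds, window sizes and function names are assumptions made for the example.

```python
"""Added example, not from the exam page: the evaluation behind an Azure Monitor
metric alert (Question 47) and a VM Scale Set autoscale rule (Question 54), run
locally over constructed metric samples. Metric, operator and aggregation names
are real Azure vocabulary; values, thresholds and function names are assumed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from operator import gt, ge, lt, le
from statistics import mean

OPERATORS = {"GreaterThan": gt, "GreaterThanOrEqual": ge, "LessThan": lt, "LessThanOrEqual": le}
AGGREGATIONS = {"Average": mean, "Maximum": max, "Minimum": min, "Total": sum, "Count": len}


@dataclass(frozen=True)
class Sample:
    time: datetime
    value: float


def aggregate(samples, window_end, window, aggregation):
    """Aggregate the samples in (window_end - window, window_end]; None when the window is empty."""
    values = [s.value for s in samples if window_end - window < s.time <= window_end]
    return AGGREGATIONS[aggregation](values) if values else None


def condition_met(samples, window_end, window, aggregation, operator, threshold):
    """True when the aggregated value satisfies operator/threshold: the alert fires or the trigger matches."""
    value = aggregate(samples, window_end, window, aggregation)
    return value is not None and OPERATORS[operator](value, threshold)


@dataclass(frozen=True)
class ScaleRule:
    metric: str
    aggregation: str
    operator: str
    threshold: float
    window: timedelta
    direction: str        # "Increase" or "Decrease"
    change: int           # number of instances to add or remove
    cooldown: timedelta   # no further action this long after the last one


def decide_capacity(current, rules, metrics, now, minimum, maximum, last_action=None):
    """Instance count after evaluating the rules at `now`. Scale-out rules are checked
    before scale-in rules, a recent action blocks any change for the rule's cooldown,
    and the result is clamped to [minimum, maximum]."""
    for direction in ("Increase", "Decrease"):
        for rule in (r for r in rules if r.direction == direction):
            if not condition_met(metrics.get(rule.metric, []), now, rule.window,
                                 rule.aggregation, rule.operator, rule.threshold):
                continue
            if last_action is not None and now - last_action < rule.cooldown:
                return current
            delta = rule.change if direction == "Increase" else -rule.change
            return max(minimum, min(maximum, current + delta))
    return current


# Constructed samples, one per minute.
T0 = datetime(2024, 3, 4, 12, 0, tzinfo=timezone.utc)
NOW = T0 + timedelta(minutes=4)
RECENT_ACTION = NOW - timedelta(minutes=2)   # a scale action two minutes ago, inside the cooldown
DISK_WRITES = [Sample(T0 + timedelta(minutes=i), v) for i, v in enumerate([420, 480, 560, 610, 650])]
CPU_HIGH = [Sample(T0 + timedelta(minutes=i), v) for i, v in enumerate([80, 85, 90, 88, 82])]
CPU_LOW = [Sample(T0 + timedelta(minutes=i), v) for i, v in enumerate([10, 12, 15])]

# Metric alert: average Disk Write Operations/Sec over 5 minutes greater than 500.
DISK_ALERT = dict(window=timedelta(minutes=5), aggregation="Average", operator="GreaterThan", threshold=500)

# Autoscale profile: 2..5 instances, +1 when average CPU over 10 min > 75, -1 when < 25, 5-minute cooldown.
SCALE_RULES = [
    ScaleRule("Percentage CPU", "Average", "GreaterThan", 75, timedelta(minutes=10), "Increase", 1, timedelta(minutes=5)),
    ScaleRule("Percentage CPU", "Average", "LessThan", 25, timedelta(minutes=10), "Decrease", 1, timedelta(minutes=5)),
]


if __name__ == "__main__":
    print("disk alert fires:", condition_met(DISK_WRITES, NOW, **DISK_ALERT))
    print("3 ->", decide_capacity(3, SCALE_RULES, {"Percentage CPU": CPU_HIGH}, NOW, 2, 5))
    print("3 (in cooldown) ->", decide_capacity(3, SCALE_RULES, {"Percentage CPU": CPU_HIGH}, NOW, 2, 5, RECENT_ACTION))
    print("3 ->", decide_capacity(3, SCALE_RULES, {"Percentage CPU": CPU_LOW}, NOW, 2, 5))
```

Two details worth noticing: the aggregation changes the answer (the 5-minute average of the disk samples is 544 and crosses a threshold of 500, while the maximum of 650 does not cross 700), and the cooldown is what stops a rule from adding an instance on every evaluation before the new instance has had a chance to absorb load.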

Question 55: 

You are tasked with recovering an Azure virtual machine that was accidentally deleted. Which feature allows you to recover it?

A) Azure Backup
B) Resource Locks
C) Azure Policy
D) Azure Monitor

Answer: A) Azure Backup

Explanation: 

Azure Backup enables recovery of deleted VMs if backups exist. Resource Locks prevent accidental deletion but do not recover resources. Policy enforces configurations. Monitor provides logging and alerts but no restoration capability.

To recover an Azure virtual machine that was accidentally deleted, the appropriate feature to use is Azure Backup. Azure Backup provides a reliable and fully managed backup solution for Azure resources, including virtual machines. If backups of the VM exist, administrators can restore the VM to its previous state, including the operating system, data disks, and configuration. This enables recovery from accidental deletion, data corruption, or other unexpected failures, ensuring business continuity and minimizing downtime. Azure Backup also supports point-in-time recovery, allowing organizations to restore VMs to a specific backup instance as needed.

Resource Locks are a preventative measure that can protect resources from accidental deletion or modification by restricting user actions. While they help prevent mistakes, they do not provide a method to recover a resource that has already been deleted. Azure Policy is used to enforce governance rules and organizational standards across resources, such as requiring specific tags or configurations, but it does not offer backup or recovery capabilities. Azure Monitor collects telemetry, metrics, and logs from Azure resources to provide insights, alerts, and diagnostics, but it does not allow restoration of deleted resources.

Therefore, to restore an accidentally deleted Azure virtual machine, leveraging Azure Backup is the correct solution. It ensures that resources can be recovered efficiently and reliably, minimizing data loss and operational disruption.

Question 56: 

Your organization wants to restrict network access to Azure Storage Accounts so only specific public IP addresses can connect. Which feature should you use?

A) Storage Account Firewall
B) Network Security Group
C) Azure Policy
D) Private Endpoint

Answer: A) Storage Account Firewall

Explanation: 

Storage Account Firewall allows administrators to allow-list specific public IP addresses or IP ranges that can access the storage account. NSG controls traffic at VM/subnet level. Policy enforces rules but does not filter traffic. Private Endpoint enables private access through a VNet.

To restrict network access to Azure Storage Accounts so that only specific public IP addresses can connect, the appropriate feature to use is the Storage Account Firewall. This feature allows administrators to create rules that explicitly allow-list certain IP addresses or ranges, ensuring that only traffic from those sources can access the storage account. By configuring the firewall, organizations can enhance security, prevent unauthorized access, and protect sensitive data stored in blobs, files, queues, and tables. The firewall works at the storage account level, providing granular control over who can connect to resources. Three details matter in practice: the IP rules are only evaluated once the account's default network action is set to Deny (the default is Allow, which leaves the account publicly reachable regardless of rules); rules accept public IPv4 addresses or CIDR ranges, not RFC 1918 private ranges; and IP rules have no effect on requests that originate from the same Azure region as the storage account, which must be allowed through virtual network rules or a private endpoint instead.

Network Security Groups (NSGs) control inbound and outbound traffic to virtual machines or subnets by defining rules based on IP addresses, ports, and protocols. While NSGs help secure network traffic within a virtual network, they do not provide direct filtering for storage accounts. Azure Policy is a governance tool that enforces organizational rules and ensures compliance by requiring configurations like tagging or specific SKUs, but it does not directly block or allow network traffic. Private Endpoints enable private connectivity to a storage account through a virtual network, ensuring traffic remains on the Azure backbone, but they do not filter access based on public IP addresses.

Therefore, to allow access to a storage account only from specific public IP addresses, configuring the Storage Account Firewall is the correct solution. It provides precise, IP-based access control while protecting data from unauthorized external connections.
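The following is an added example, not part of the original page and not Azure's own code: a small local model of the storage account firewall's IP-rule handling, written to show the checks described above (default action must be Deny, public IPv4 only, no RFC 1918 ranges, /31 ranges rejected, same-region traffic not matched by IP rules). The address ranges and the ruleset contents are constructed; the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for public addresses.

```python
"""Local model of Azure Storage account firewall IP rules.

Constructed example: this is not the Azure service. It mirrors the documented
constraints so the decision logic can be exercised offline:
  - rules are only consulted once the default action is Deny
  - rules take public IPv4 addresses or CIDR ranges; RFC 1918 ranges are rejected
  - a /31 is not accepted as a range (add the addresses individually)
  - IP rules do not apply to requests from the same Azure region as the account
"""
import ipaddress
from dataclasses import dataclass, field

# Ranges the storage firewall refuses in IP rules: RFC 1918 plus loopback/link-local.
DISALLOWED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


@dataclass
class StorageNetworkRuleSet:
    """Subset of the networkAcls block on a storage account (constructed model)."""
    default_action: str = "Allow"                 # Azure's default; rules are inert until "Deny"
    ip_rules: list = field(default_factory=list)  # IPv4Network objects

    def add_ip_rule(self, value: str) -> None:
        net = ipaddress.ip_network(value, strict=False)
        if net.version != 4:
            raise ValueError(f"{value}: IP rules take public IPv4 addresses only")
        if any(net.overlaps(bad) for bad in DISALLOWED):
            raise ValueError(f"{value}: private or reserved range is not allowed")
        if net.prefixlen == 31:
            raise ValueError(f"{value}: /31 is not accepted; add the two addresses individually")
        self.ip_rules.append(net)

    def allows(self, client_ip: str, same_region: bool = False) -> bool:
        """Decide whether a request from client_ip reaches the account."""
        if self.default_action.lower() == "allow":
            return True                           # public access: rules are never evaluated
        if same_region:
            return False                          # IP rules are ignored for same-region traffic
        addr = ipaddress.ip_address(client_ip)
        return addr.version == 4 and any(addr in net for net in self.ip_rules)


def build_ruleset(allowed: list[str]) -> StorageNetworkRuleSet:
    """Lock an account down to an allow list, in the order an admin would apply it."""
    rs = StorageNetworkRuleSet()
    for entry in allowed:
        rs.add_ip_rule(entry)
    rs.default_action = "Deny"                    # flip the default only after the rules exist
    return rs


if __name__ == "__main__":
    rs = build_ruleset(["203.0.113.0/24", "198.51.100.7"])   # constructed allow list
    for ip in ("203.0.113.42", "198.51.100.7", "192.0.2.9"):
        print(ip, "allowed" if rs.allows(ip) else "denied")
```

Setting the default action to Deny last is deliberate: flipping it first would cut off every client, including the one you are administering from, until the rules land.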

Question 57: 

You need to ensure that sensitive data in Azure SQL Database is masked when viewed by certain users. Which feature should you use?

A) Dynamic Data Masking
B) Transparent Data Encryption
C) Azure Policy
D) Azure Key Vault

Answer: A) Dynamic Data Masking

Explanation: 

Dynamic Data Masking hides sensitive information in query results for non-privileged users. Transparent Data Encryption encrypts data at rest. Policy enforces configurations. Key Vault stores keys and secrets but does not mask data.

To ensure that sensitive data in an Azure SQL Database is masked when viewed by certain users, the appropriate feature to use is Dynamic Data Masking. Dynamic Data Masking (DDM) allows administrators to define masking rules on specific database columns containing sensitive information, such as Social Security numbers, credit card numbers, or personal identifiers. When non-privileged users query the database, the sensitive data is automatically obscured in the result set according to the defined masking rules, while users holding the UNMASK permission, such as database administrators, see the full data. This approach helps prevent unauthorized exposure of confidential information while maintaining usability for legitimate queries and operations. DDM is a presentation-layer control, not an access control: the masking is applied to the returned values only, WHERE predicates are still evaluated against the real data, so a user who can run ad hoc queries against a masked column can infer its contents. It should be combined with least-privilege permissions rather than used in place of them.

Transparent Data Encryption (TDE) encrypts the database at rest, protecting it from unauthorized access to the underlying storage, but it does not modify the way data appears in query results. Azure Policy is a governance tool that enforces organizational rules and compliance requirements, such as tagging or allowed resource types, but it does not provide masking or data-level protection. Azure Key Vault securely stores and manages keys, secrets, and certificates, enabling encryption and access control, but it does not directly mask or alter database query results.

Therefore, to prevent sensitive information from being visible to unauthorized users while still allowing legitimate queries, implementing Dynamic Data Masking in Azure SQL Database is the correct solution. It provides targeted, real-time protection of sensitive data without affecting application functionality.
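The following is an added example, not from the original page and not Azure's own code: it emulates DDM's behaviour with Python's built-in sqlite3 so the masked result set and the predicate-inference limitation can both be run offline. The T-SQL in the docstring is the form the real masking rules take in Azure SQL; the table, rows, column names and user names are constructed.

```python
"""Dynamic Data Masking (DDM) behaviour, emulated with sqlite3.

Constructed example, not Azure SQL itself. In Azure SQL the rules would be:
    ALTER TABLE dbo.Employees ALTER COLUMN Ssn    ADD MASKED WITH (FUNCTION = 'partial(0,"XXX-XX-",4)');
    ALTER TABLE dbo.Employees ALTER COLUMN Email  ADD MASKED WITH (FUNCTION = 'email()');
    ALTER TABLE dbo.Employees ALTER COLUMN Salary ADD MASKED WITH (FUNCTION = 'default()');
sqlite3 has no DDM, so the masking functions are applied to the result set in
Python. The WHERE clause runs on the real values, exactly as in Azure SQL,
which is why infer_salary() recovers a masked number using predicates alone.
"""
import sqlite3

COLUMNS = ("name", "ssn", "email", "salary")

# Result-set transforms equivalent to the DDM functions named above.
MASKING_RULES = {
    "ssn": lambda v: "XXX-XX-" + v[-4:],        # partial(0,"XXX-XX-",4)
    "email": lambda v: v[0] + "XXX@XXXX.com",   # email()
    "salary": lambda v: 0,                      # default() on a numeric column
}

SAMPLE_ROWS = [  # constructed data
    ("alice", "123-45-6789", "alice@example.com", 155000),
    ("bob",   "987-65-4321", "bob@example.com",    72000),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (name TEXT, ssn TEXT, email TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def query(conn, columns, where="", params=(), has_unmask=False):
    """SELECT columns FROM employees [WHERE ...] as seen by a given principal.

    `where` models an ad hoc predicate the user is allowed to write; the
    database evaluates it on unmasked data. Only projected values are masked,
    and only for principals lacking UNMASK.
    """
    unknown = set(columns) - set(COLUMNS)
    if unknown:
        raise ValueError(f"unknown columns: {unknown}")
    sql = f"SELECT {', '.join(columns)} FROM employees"
    if where:
        sql += " WHERE " + where
    rows = conn.execute(sql, params).fetchall()
    if has_unmask:
        return rows
    return [tuple(MASKING_RULES.get(col, lambda v: v)(val) for col, val in zip(columns, row))
            for row in rows]


def infer_salary(conn, name, lo=0, hi=1_000_000):
    """Recover a masked integer exactly with a binary search over WHERE predicates only.

    Returns (value, number_of_queries). The caller never receives the real
    salary in any result set; every row returned still shows salary = 0.
    """
    queries = 0
    while lo < hi:
        mid = (lo + hi) // 2
        queries += 1
        hit = query(conn, ["name"], where="name = ? AND salary > ?", params=(name, mid))
        if hit:
            lo = mid + 1
        else:
            hi = mid
    return lo, queries


if __name__ == "__main__":
    conn = make_db()
    print("masked view:", query(conn, ["name", "ssn", "email", "salary"]))
    print("with UNMASK:", query(conn, ["name", "salary"], has_unmask=True))
    print("inferred salary for alice:", infer_salary(conn, "alice"))
```

Around twenty predicate-only queries are enough to recover a six-figure value, which is the practical reason DDM is positioned as a way to reduce accidental exposure in application screens and reports, not as a substitute for denying SELECT on the column.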

Question 58: 

You want to implement role-based access control for Azure resources at the management group level. Which principle should you follow?

A) Assign roles to groups or users at the management group scope
B) Assign roles at the subscription level only
C) Assign roles directly to resources only
D) RBAC does not support management group scope

Answer: A) Assign roles to groups or users at the management group scope

Explanation: 

RBAC supports assigning roles at management group, subscription, resource group, and resource levels. Assigning at management group scope propagates access to all child subscriptions, simplifying governance. Assigning only at subscription or resource level is more granular.

To implement role-based access control (RBAC) for Azure resources at the management group level, the correct approach is to assign roles to groups or users at the management group scope. RBAC in Azure allows administrators to grant access at multiple levels, including management groups, subscriptions, resource groups, and individual resources. By assigning roles at the management group level, the permissions automatically propagate to all child subscriptions and resources within that management group. This simplifies governance, ensures consistent access policies across the organization, and reduces the need to assign roles repeatedly at lower levels. Because role assignments are additive and inherited, a broad role such as Owner at the root management group has the widest possible blast radius; assign to groups rather than individual users, pick the narrowest built-in role that fits, and reserve management group scope for roles that genuinely need to apply everywhere beneath it.

Assigning roles only at the subscription level limits access control to that particular subscription and does not automatically extend to other subscriptions or resources. While this approach provides more granular control, it increases administrative effort when managing multiple subscriptions. Assigning roles directly to individual resources allows for very specific access control but can become difficult to manage at scale and may lead to inconsistent permissions. The option suggesting that RBAC does not support management group scope is incorrect, as RBAC fully supports assignments at management group level, enabling hierarchical access control across an organization.

Therefore, for consistent and scalable role-based access control across multiple subscriptions and resources, assigning roles to users or groups at the management group scope is the most effective and efficient strategy. This ensures centralized governance while maintaining flexibility for additional granular assignments if needed.
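The following is an added example, not from the original page and not Azure's authorization service: a small local model of RBAC scope inheritance that walks the management group / subscription / resource group / resource chain to compute a user's effective roles and then matches an action against the role's action patterns. Scope string formats and role names follow Azure; the hierarchy, group memberships, assignments and trimmed action lists are constructed, and deny assignments (which can subtract permissions) are not modelled.

```python
"""Azure RBAC scope inheritance, modelled locally.

Constructed example. Two rules are demonstrated: an assignment applies at its
scope and every descendant, and effective permissions are the union of all
matching assignments. Azure's `*` wildcard in action strings spans path
segments and matching is case-insensitive, which fnmatch on lowercased strings
reproduces. Deny assignments are not modelled.
"""
from fnmatch import fnmatch

MG = "/providers/Microsoft.Management/managementGroups/"
SUB = "/subscriptions/sub-prod-1"
RG = SUB + "/resourceGroups/rg-web"
OTHER_RG = SUB + "/resourceGroups/rg-db"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/web01"
DB_VM = OTHER_RG + "/providers/Microsoft.Compute/virtualMachines/db01"

# child scope -> parent scope (a subscription's management group is not visible
# in its scope string, so the placement has to be recorded explicitly)
PARENT = {
    MG + "corp-prod": MG + "corp",
    SUB: MG + "corp-prod",
    RG: SUB,
    OTHER_RG: SUB,
    VM: RG,
    DB_VM: OTHER_RG,
}

# Trimmed action lists; Azure's built-in role definitions are longer.
ROLE_ACTIONS = {
    "Reader": ["*/read"],
    "Virtual Machine Contributor": ["Microsoft.Compute/virtualMachines/*",
                                    "Microsoft.Resources/deployments/*"],
}

GROUP_MEMBERS = {"sg-platform-readers": {"dana"}, "sg-web-ops": {"eli"}}  # constructed

# (principal, role, scope): group assignments, each at the widest scope that is correct
ASSIGNMENTS = [
    ("sg-platform-readers", "Reader", MG + "corp"),
    ("sg-web-ops", "Virtual Machine Contributor", RG),
]


def scope_chain(scope: str):
    """Yield scope, then each ancestor up to the root management group."""
    while scope:
        yield scope
        scope = PARENT.get(scope)


def principals_for(user: str) -> set[str]:
    return {user} | {g for g, members in GROUP_MEMBERS.items() if user in members}


def effective_roles(user: str, scope: str) -> set[str]:
    """Roles that apply at `scope` through assignments on it or on any ancestor."""
    chain = set(scope_chain(scope))
    who = principals_for(user)
    return {role for p, role, s in ASSIGNMENTS if p in who and s in chain}


def is_allowed(user: str, scope: str, action: str) -> bool:
    return any(fnmatch(action.lower(), pattern.lower())
               for role in effective_roles(user, scope)
               for pattern in ROLE_ACTIONS[role])


if __name__ == "__main__":
    for user, scope, action in (("dana", VM, "Microsoft.Compute/virtualMachines/read"),
                                ("eli", VM, "Microsoft.Compute/virtualMachines/start/action"),
                                ("eli", DB_VM, "Microsoft.Compute/virtualMachines/read")):
        print(user, action, scope.rsplit("/", 1)[-1], is_allowed(user, scope, action))
```

The Reader assignment made once at the `corp` management group reaches `web01` three levels down; the Virtual Machine Contributor assignment at `rg-web` stops at that resource group, so the same role has to be granted separately (or at a higher scope) if `rg-db` needs it too.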

Question 59: 

You need to enforce Azure VMs to use only specific OS images. Which Azure feature provides this enforcement?

A) Azure Policy
B) RBAC
C) Resource Locks
D) Azure Monitor

Answer: A) Azure Policy

Explanation:

Azure Policy can restrict VM deployment to approved OS images, ensuring compliance across subscriptions. A policy with the deny effect is evaluated by Azure Resource Manager before the resource is created, so a non-compliant image is rejected regardless of the requester's RBAC permissions. RBAC controls access but not configuration. Resource Locks prevent accidental deletion. Monitor tracks metrics but does not enforce OS restrictions.
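The following is an added example, not from the original page and not Microsoft's code: a policy definition in Azure Policy's JSON format that denies virtual machines whose image publisher, offer or SKU is not on the allowed lists, together with a minimal evaluator so the deny/allow outcome can be checked offline. The field aliases follow the pattern used in Microsoft's published sample policies and should be confirmed against your tenant's alias list; the evaluator is a simplified stand-in for the Azure Policy engine, and the allowed image values and sample resources are constructed.

```python
"""Azure Policy definition for approved VM images, with a minimal evaluator.

Constructed example. POLICY is a definition body in Azure Policy's schema
(mode, parameters, policyRule). The aliases follow Microsoft's sample policies;
confirm them with:
    az provider show --namespace Microsoft.Compute --expand "resourceTypes/aliases"
decide() is NOT the Azure Policy engine: it implements only what this
definition uses (field, equals, in, allOf, not, parameters()).
"""
import re

POLICY = {
    "mode": "Indexed",
    "parameters": {  # constructed allow lists; set real values at assignment time
        "allowedPublishers": {"type": "Array", "defaultValue": ["Canonical", "MicrosoftWindowsServer"]},
        "allowedOffers": {"type": "Array", "defaultValue": ["0001-com-ubuntu-server-jammy", "WindowsServer"]},
        "allowedSkus": {"type": "Array", "defaultValue": ["22_04-lts-gen2", "2022-datacenter-g2"]},
    },
    "policyRule": {
        "if": {
            "allOf": [
                {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
                {"not": {"allOf": [
                    {"field": "Microsoft.Compute/imagePublisher", "in": "[parameters('allowedPublishers')]"},
                    {"field": "Microsoft.Compute/imageOffer", "in": "[parameters('allowedOffers')]"},
                    {"field": "Microsoft.Compute/imageSku", "in": "[parameters('allowedSkus')]"},
                ]}},
            ]
        },
        "then": {"effect": "deny"},
    },
}

# Alias -> property path on the ARM resource body (the engine resolves this for you).
ALIASES = {
    "Microsoft.Compute/imagePublisher": "properties.storageProfile.imageReference.publisher",
    "Microsoft.Compute/imageOffer": "properties.storageProfile.imageReference.offer",
    "Microsoft.Compute/imageSku": "properties.storageProfile.imageReference.sku",
}

PARAM_REF = re.compile(r"^\[parameters\('(\w+)'\)\]$")


def resolve(value, params):
    """Expand a "[parameters('x')]" expression; any other value passes through."""
    m = PARAM_REF.match(value) if isinstance(value, str) else None
    if not m:
        return value
    p = params[m.group(1)]
    return p["value"] if "value" in p else p["defaultValue"]


def get_field(resource, name):
    cur = resource
    for part in ALIASES.get(name, name).split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None                       # property absent: the field has no value
        cur = cur[part]
    return cur


def evaluate(cond, resource, params) -> bool:
    if "allOf" in cond:
        return all(evaluate(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate(cond["not"], resource, params)
    value = get_field(resource, cond["field"])
    if "equals" in cond:   # string comparison in Azure Policy is case-insensitive
        return str(value).lower() == str(resolve(cond["equals"], params)).lower()
    if "in" in cond:       # an absent field is never "in" the list
        allowed = {str(v).lower() for v in resolve(cond["in"], params)}
        return value is not None and str(value).lower() in allowed
    raise ValueError(f"unsupported condition: {cond}")


def decide(policy, resource, param_values=None) -> str:
    """Return the effect that fires ('deny'), or 'allow' when the if-block does not match."""
    params = {k: dict(v) for k, v in policy.get("parameters", {}).items()}
    for k, v in (param_values or {}).items():
        params[k]["value"] = v                # assignment-time values override defaults
    rule = policy["policyRule"]
    return rule["then"]["effect"].lower() if evaluate(rule["if"], resource, params) else "allow"


def vm(publisher, offer, sku):
    """Constructed ARM resource body carrying the image reference the aliases point at."""
    return {"type": "Microsoft.Compute/virtualMachines",
            "properties": {"storageProfile": {"imageReference":
                           {"publisher": publisher, "offer": offer, "sku": sku}}}}
```

Note the behaviour on a VM built from a custom image: it has no publisher, so the `in` check fails and the policy denies it. That is the safe default, and a production policy would add an explicit condition (for example on the image resource ID) for approved gallery images rather than loosening the marketplace checks.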

Question 60: 

You are designing a hybrid identity solution that allows on-premises Active Directory users to authenticate to Azure AD. Which service should you configure?

A) Azure AD Connect
B) Azure AD Domain Services
C) Azure AD B2C
D) Privileged Identity Management

Answer: A) Azure AD Connect

Explanation: 

Azure AD Connect synchronizes on-premises Active Directory accounts with Azure AD, enabling hybrid identity and single sign-on. Azure AD Domain Services provides managed domain services in the cloud. B2C is for external customer identities. PIM manages temporary privileged roles.

To design a hybrid identity solution that allows on-premises Active Directory (AD) users to authenticate to Azure AD, the correct service to configure is Azure AD Connect. Azure AD Connect is a Microsoft tool that synchronizes on-premises AD objects, such as user accounts and groups, with Azure AD; with password hash synchronization enabled it also synchronizes a hash of each user's password hash, never the cleartext password. This synchronization enables a hybrid identity environment, allowing users to sign in to cloud resources using their existing on-premises credentials. Additionally, Azure AD Connect supports seamless single sign-on (SSO), password hash synchronization, and pass-through authentication (where validation happens against the on-premises domain controllers through an agent), providing access to both on-premises and cloud applications while maintaining centralized identity management.

Azure AD Domain Services provides managed domain services, such as domain join, LDAP, and Kerberos/NTLM authentication, directly in Azure without requiring on-premises domain controllers. While useful for lifting and shifting legacy applications to the cloud, it does not synchronize on-premises AD accounts for hybrid authentication. Azure AD B2C is designed to manage identities for external customers, allowing authentication through social accounts or local accounts, and is not intended for corporate on-premises AD integration. Privileged Identity Management (PIM) is used to manage, control, and monitor temporary elevated privileges in Azure AD, but it does not provide synchronization or authentication of on-premises users.

Therefore, for enabling a hybrid identity solution where on-premises AD users can authenticate to Azure AD, configuring Azure AD Connect is the correct approach. It ensures seamless integration, centralized identity management, and secure access to cloud resources.
