Microsoft AZ-104 Microsoft Azure Administrator Exam Dumps and Practice Test Questions Set 4 Q61-80


Question 61: 

You need to implement network-level encryption for data flowing between Azure virtual networks across regions. Which service should you use?

A) VPN Gateway
B) Azure Firewall
C) Network Security Groups
D) Private Endpoint

Answer: A) VPN Gateway

Explanation: 

A VPN Gateway with a VNet-to-VNet connection establishes IPsec/IKE tunnels between virtual networks in different regions, so the traffic is encrypted in transit. Azure Firewall and NSGs filter traffic but do not encrypt it. Private Endpoints give private-IP access to a PaaS service from inside a VNet; they are not an encrypted VNet-to-VNet link.

To encrypt traffic between Azure virtual networks across regions, use VPN Gateway. A gateway in each VNet, joined by a VNet-to-VNet connection, negotiates an IPsec/IKE tunnel so every packet exchanged between the networks is encrypted in transit and cannot be read by an on-path observer. The same gateway type also terminates site-to-site connections from on-premises networks. The practical caveats are capacity and placement: throughput is capped by the gateway SKU, the gateway must live in a dedicated GatewaySubnet, and the obvious alternative, global VNet peering, is faster and simpler but does not encrypt traffic by default; peered traffic stays on the Microsoft backbone but is only encrypted if the virtual network encryption feature is enabled.

Azure Firewall is a managed network security service for threat protection, traffic filtering, and policy enforcement. It inspects and controls traffic but does not encrypt data flowing between virtual networks. Network Security Groups (NSGs) let administrators permit or deny traffic by IP address, port, and protocol; they control access but provide no encryption. Private Endpoints connect a VNet to an Azure PaaS service over a private IP address, removing public-internet exposure for that service, but they do not encrypt traffic between virtual networks or regions. VPN Gateway is therefore the only listed option that meets the requirement.

Question 62: 

Your company requires that all Azure VMs in a subscription must have backup enabled by default. Which service allows you to enforce this?

A) Azure Policy
B) Resource Locks
C) RBAC
D) Azure Monitor

Answer: A) Azure Policy

Explanation: 

Azure Policy can audit, deny, or (with a DeployIfNotExists effect) automatically configure backup on every virtual machine in scope. RBAC controls who can manage resources, Resource Locks prevent accidental deletion or modification, and Azure Monitor collects metrics and raises alerts but does not enforce backup policies.

To ensure that every Azure virtual machine in a subscription has backup enabled, use Azure Policy. Azure Policy is the governance service that lets administrators define, assign, and manage rules across Azure resources. Assigning a definition that requires Azure Backup on virtual machines lets the organization assess compliance automatically and, if the definition uses the DeployIfNotExists effect, remediate non-compliant VMs by enrolling them in a Recovery Services vault. Two practical points: an audit-only assignment reports but changes nothing, and a DeployIfNotExists assignment needs a managed identity holding the roles named in the definition before its remediation tasks can run. The compliance dashboard then shows which VMs meet the requirement and which still need attention.

Resource Locks, while useful for protecting resources from accidental deletion or modification, do not enforce configuration requirements such as enabling backups. They are primarily used to safeguard critical resources from changes but cannot automatically ensure compliance with operational policies. Role-Based Access Control (RBAC) manages permissions by determining who can perform specific actions on Azure resources. While RBAC is essential for controlling access, it does not enforce configuration standards or automatically apply backup settings. Azure Monitor is designed to collect metrics, logs, and generate alerts for resources. It helps track the health and performance of VMs but cannot enforce policies like enabling backup. Therefore, Azure Policy is the only service among these options that can automatically enforce backup on all virtual machines in a subscription, ensuring consistent compliance and protection.

Question 63: 

You need to ensure that sensitive data in Azure Blob Storage is accessible only over secure connections. Which setting should you enable?


A) Secure transfer required
B) Private endpoint
C) Network Security Group
D) Azure Policy

Answer: A) Secure transfer required

Explanation: 

Enabling secure transfer required makes the storage account reject any request that arrives over plain HTTP, so only HTTPS (and encrypted SMB for Azure Files) is accepted. Private endpoints restrict where the account can be reached from, not how the traffic is encrypted. NSGs filter traffic to VMs and subnets. Azure Policy can audit or deny accounts that lack the setting, but the control itself is this account-level property.

To ensure that sensitive data in Azure Blob Storage is accessed only over secure connections, enable secure transfer required on the storage account. With the setting on, the service rejects every request made over HTTP, including REST calls and SDK traffic, so data in transit is always protected by TLS and cannot be read by an on-path observer. Two caveats matter in practice: Azure Storage does not serve HTTPS on custom domain names, so the setting is not applied to requests that use a custom domain, and for Azure Files the same switch forces SMB 3.x with encryption, which older SMB clients cannot negotiate. The setting protects the transport only; it does nothing to limit who holds account keys or SAS tokens, so combine it with storage firewall rules and Azure AD authorization.

A private endpoint restricts access to the storage account to specific virtual networks, but it does not enforce encryption in transit: a client on that VNet could still send HTTP. Network Security Groups (NSGs) allow or deny traffic to virtual machines and subnets by IP address, port, and protocol; they do not enforce HTTPS or encrypt data sent to storage accounts. Azure Policy can require the setting across an environment (auditing or denying accounts without it, or applying it through a Modify effect), but the property that actually rejects HTTP lives on the storage account. Enabling secure transfer required is therefore the direct answer.

Question 64: 

Your organization wants to implement Azure Backup for on-premises servers and store backups in the cloud. Which component must you install on the on-premises servers?

A) Microsoft Azure Recovery Services (MARS) agent
B) Azure Site Recovery agent
C) Azure Automation agent
D) Azure Monitor agent

Answer: A) Microsoft Azure Recovery Services (MARS) agent

Explanation: 

The MARS agent allows on-premises servers to back up files, folders, and system state directly to an Azure Recovery Services vault. Azure Site Recovery agent is for VM replication, Azure Automation runs operational scripts, and Azure Monitor agent collects telemetry.

To implement Azure Backup for on-premises servers and store backups in the cloud, install the Microsoft Azure Recovery Services (MARS) agent on each server. The MARS agent backs up files, folders, and system state directly to an Azure Recovery Services vault, communicating with the vault over HTTPS and retaining backups according to the configured policy. Data is encrypted on the server before upload with a passphrase that only the organization holds; Microsoft does not store it, so a lost passphrase makes the backups unrestorable, and it should be kept somewhere durable and access-controlled such as Key Vault. The agent runs on Windows servers and workstations only and is not application-aware; application-consistent backups of SQL Server, Hyper-V, or other on-premises workloads need Microsoft Azure Backup Server (MABS) or DPM in front of the vault.

The Azure Site Recovery agent, by contrast, is used primarily for replicating entire virtual machines to Azure for disaster recovery purposes. It is not designed for backing up individual files or folders from on-premises servers. The Azure Automation agent is intended to facilitate the execution of operational scripts and automated tasks across Azure and on-premises environments but does not provide backup capabilities. Similarly, the Azure Monitor agent collects telemetry, metrics, and logs from servers to provide monitoring and observability insights. While valuable for tracking performance and health, it does not enable backup or recovery functions. Therefore, the MARS agent is the only component among these options that directly supports backing up on-premises servers to Azure, making it essential for cloud-based backup implementation.

Question 65: 

You need to grant a user the ability to assign roles to others in a subscription without giving them full administrative control over resources. Which role should you assign?

A) User Access Administrator
B) Owner
C) Contributor
D) Reader

Answer: A) User Access Administrator

Explanation: 

The User Access Administrator role allows the user to assign or remove RBAC roles for resources. Owner has full control over resources, Contributor can manage resources but cannot assign roles, and Reader has view-only access.

To grant a user the ability to assign roles to others in an Azure subscription without giving full administrative control over resources, the appropriate role to assign is User Access Administrator. This role allows the user to manage access to Azure resources by assigning or removing role-based access control (RBAC) roles for users, groups, or service principals. With this capability, the user can control who has access to which resources and at what permission level, without having the ability to modify the actual resources themselves. This provides a focused administrative capability specifically for managing access while maintaining security and separation of duties.

The Owner role provides full administrative control over all resources in the subscription, including the ability to manage resources and assign roles; it exceeds the requirement. The Contributor role allows a user to create, modify, and manage resources but is explicitly denied the Microsoft.Authorization write and delete operations, so a Contributor cannot manage access. The Reader role provides view-only access and can neither change resources nor assign roles. User Access Administrator is therefore the correct choice. Treat it as privileged access nonetheless: a holder can assign Owner to any principal, including themselves, so it should be made eligible through Privileged Identity Management rather than assigned permanently, and its assignments should be reviewed.
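The difference between these four roles comes down to how Azure evaluates a role definition's Actions and NotActions. The following is an added example (not from the exam page or from Microsoft) that models that evaluation in Python against an excerpt of the published built-in role definitions; the Contributor NotActions list is trimmed to the Microsoft.Authorization entries, and deny assignments are not modelled.

```python
import re

# Excerpt of the built-in Azure role definitions (Actions / NotActions), trimmed
# to the entries that matter for this question. The real Contributor definition
# carries further NotActions (Blueprint, Purview, subscription cancel/enable).
BUILT_IN_ROLES = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    "Contributor": {
        "Actions": ["*"],
        "NotActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "User Access Administrator": {
        "Actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
        "NotActions": [],
    },
}


def operation_matches(pattern: str, operation: str) -> bool:
    """Azure RBAC wildcard match: '*' spans any characters (including '/'),
    and operation names are compared case-insensitively."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None


def role_permits(role_name: str, operation: str) -> bool:
    """Effective permission of one role = Actions minus NotActions."""
    role = BUILT_IN_ROLES[role_name]
    granted = any(operation_matches(p, operation) for p in role["Actions"])
    excluded = any(operation_matches(p, operation) for p in role["NotActions"])
    return granted and not excluded


def principal_permits(assigned_roles, operation: str) -> bool:
    """Assignments are additive: NotActions only narrow their own role and are
    not deny rules, so any assigned role that permits the operation wins."""
    return any(role_permits(r, operation) for r in assigned_roles)


def compare_roles(operation: str) -> dict:
    """Which of the built-in roles above permit a given operation."""
    return {name: role_permits(name, operation) for name in BUILT_IN_ROLES}


if __name__ == "__main__":
    for op in ("Microsoft.Authorization/roleAssignments/write",
               "Microsoft.Compute/virtualMachines/write"):
        print(op, compare_roles(op))
```

Running it shows that only Owner and User Access Administrator can write role assignments, while User Access Administrator cannot write a virtual machine; it also shows why stacking Contributor and User Access Administrator on one principal is equivalent to Owner for access management.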

Question 66: 

You need to implement high availability for an Azure SQL Database that requires automatic failover to a secondary region. Which feature should you use?

A) Auto-failover groups
B) Read-scale out
C) Geo-restore
D) Backup retention

Answer: A) Auto-failover groups

Explanation: 

Auto-failover groups fail a group of databases over to a secondary region automatically while applications keep using the group's read-write listener endpoint, so connection strings do not change. Read scale-out sends read-only workloads to in-region replicas and does not handle failover. Geo-restore is a manual restore from geo-replicated backups, and backup retention only controls how long backups are kept.

To implement high availability for an Azure SQL Database with automatic failover to a secondary region, use auto-failover groups. A failover group places one or more databases under geo-replication to a server in a secondary region and, when the primary region becomes unavailable, fails the whole group over. Clients connect through the group's read-write listener (and optionally its read-only listener), which DNS redirects to the current primary, so applications continue working without reconfiguration. Failover policies, grace periods, and geo-replication for every database in the group are managed together. One operational caveat: automatic failover is initiated after the configured grace period (one hour by default) and can lose transactions the secondary had not yet received, so the policy and grace period should match the application's tolerance for data loss, and planned failovers should be used for maintenance.

Read-scale out, in contrast, is designed to improve read performance by routing read-only workloads to secondary replicas in the same region. While it enhances query performance, it does not provide automatic failover across regions. Geo-restore allows you to restore a database to a different region in the event of a disaster, but it is a manual process and does not support automatic failover or continuous availability. Backup retention determines how long database backups are kept for recovery purposes, but it does not provide high availability or automatic failover capabilities. Therefore, for scenarios requiring automatic failover to a secondary region and continuous connectivity, auto-failover groups are the correct choice, ensuring both resilience and operational continuity.

Question 67: 

You need to restrict the outbound traffic from Azure VMs to specific ports and IP ranges. Which feature should you configure?

A) Network Security Group
B) Azure Firewall
C) Route Table
D) Private Endpoint

Answer: A) Network Security Group

Explanation: 

NSGs filter inbound and outbound traffic at the NIC or subnet level using rules based on source and destination IP ranges, ports, protocols, and service tags, which matches the requirement directly. Azure Firewall can enforce outbound policy centrally and adds capabilities NSGs lack, such as FQDN filtering and threat intelligence, but it is a separate hub service rather than a per-VM control. Route Tables steer traffic; they do not filter it. Private Endpoints provide private access to PaaS services.

To restrict outbound traffic from Azure virtual machines to specific ports and IP ranges, configure a Network Security Group (NSG). NSG rules allow or deny traffic by source and destination address (CIDR ranges, service tags, or application security groups), port ranges, and protocol, and they are attached directly to a network interface or a subnet, so each VM only reaches approved endpoints. Two defaults are easy to overlook. Every NSG ends with the default outbound rules AllowVnetOutBound (priority 65000), AllowInternetOutBound (65001) and DenyAllOutBound (65500), so outbound internet access stays open until an explicit Deny rule at a lower priority number (custom rules use 100 to 4096) overrides it. And rules are evaluated in ascending priority order with the first match winning, so the narrow allow rule (for example TCP 443 to one partner range) must carry a lower number than the broad deny that follows it.

Azure Firewall can also control outbound traffic, and for egress to named services it is the better tool because it filters on FQDNs and applies threat-intelligence feeds, but it is a centralized hub service that traffic must be routed through, not a per-VM or per-subnet filter. Route tables define how traffic is forwarded between subnets, virtual networks, or on-premises networks; they do not filter by address or port. Private Endpoints expose an Azure PaaS service on a private IP inside the VNet, limiting public exposure of that service, but they do not restrict what a VM may connect to. For fine-grained control of outbound traffic from specific VMs, NSGs are the right answer.
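To make the priority-order and default-rule behaviour concrete, here is an added example (not from the exam page or from Azure's implementation) that models NSG outbound evaluation in Python. The VNet address space, the partner range 203.0.113.0/24, and the rule names are constructed for the example; the VirtualNetwork and Internet tags are simplified to "inside the VNet" and "outside the VNet".

```python
import ipaddress
from dataclasses import dataclass

# Constructed VNet address space, used to resolve the VirtualNetwork/Internet tags.
VNET_PREFIXES = [ipaddress.ip_network("10.0.0.0/16")]


@dataclass
class Rule:
    name: str
    priority: int        # 100-4096 for custom rules; lower number wins
    access: str          # "Allow" or "Deny"
    protocol: str        # "Tcp", "Udp", "Icmp" or "*"
    dest_prefixes: list  # CIDRs, or the tags "VirtualNetwork", "Internet", "*"
    dest_ports: list     # "443", "8000-8080" or "*"


# The three default outbound rules Azure places in every NSG.
DEFAULT_OUTBOUND = [
    Rule("AllowVnetOutBound", 65000, "Allow", "*", ["VirtualNetwork"], ["*"]),
    Rule("AllowInternetOutBound", 65001, "Allow", "*", ["Internet"], ["*"]),
    Rule("DenyAllOutBound", 65500, "Deny", "*", ["*"], ["*"]),
]

# Constructed rule set for the question: HTTPS to one partner range only.
# The Deny at 4096 is what overrides the default AllowInternetOutBound.
LOCKED_DOWN = [
    Rule("AllowHttpsToPartner", 100, "Allow", "Tcp", ["203.0.113.0/24"], ["443"]),
    Rule("DenyInternetOutBound", 4096, "Deny", "*", ["Internet"], ["*"]),
]


def _prefix_matches(prefix, addr):
    in_vnet = any(addr in net for net in VNET_PREFIXES)
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return in_vnet
    if prefix == "Internet":
        # Simplification: the real tag also excludes peered VNets and
        # on-premises routes; here anything outside the VNet is Internet.
        return not in_vnet
    return addr in ipaddress.ip_network(prefix)


def _port_matches(spec, port):
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def evaluate_outbound(custom_rules, dest_ip, dest_port, protocol="Tcp"):
    """First matching rule in ascending priority decides; returns (access, rule name)."""
    addr = ipaddress.ip_address(dest_ip)
    for rule in sorted(custom_rules + DEFAULT_OUTBOUND, key=lambda r: r.priority):
        if rule.protocol not in ("*", protocol):
            continue
        if not any(_prefix_matches(p, addr) for p in rule.dest_prefixes):
            continue
        if not any(_port_matches(p, dest_port) for p in rule.dest_ports):
            continue
        return rule.access, rule.name
    return "Deny", "<no rule>"  # unreachable: DenyAllOutBound matches everything


if __name__ == "__main__":
    print(evaluate_outbound([], "198.51.100.7", 22))            # default NSG: allowed
    print(evaluate_outbound(LOCKED_DOWN, "203.0.113.10", 443))  # partner HTTPS: allowed
    print(evaluate_outbound(LOCKED_DOWN, "198.51.100.7", 443))  # other internet: denied
```

The first call is the point practitioners miss: an NSG with no custom rules allows SSH to any internet address because AllowInternetOutBound matches before DenyAllOutBound. Only the explicit Deny at priority 4096 changes that.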

Question 68: 

You need to ensure that all Azure SQL Databases in your environment are compliant with a specific configuration, such as auditing and threat detection. Which Azure feature should you use?

A) Azure Policy
B) RBAC
C) Resource Locks
D) Azure Monitor

Answer: A) Azure Policy

Explanation:

Azure Policy enforces configuration standards on Azure SQL Databases, such as auditing, threat detection (now delivered as Microsoft Defender for SQL), or encryption. RBAC controls permissions, Resource Locks prevent deletion or modification, and Azure Monitor tracks performance metrics and logs but does not enforce compliance.

To ensure that all Azure SQL Databases in your environment are compliant with specific configurations, such as auditing, threat detection, or encryption, the appropriate feature to use is Azure Policy. Azure Policy enables organizations to define and enforce rules that govern the configuration of Azure resources. By creating a policy for SQL Databases, administrators can ensure that all databases adhere to required security and compliance standards. Azure Policy can evaluate existing resources for compliance, automatically remediate non-compliant resources, and provide detailed reports to track adherence across the environment. This ensures that databases remain consistently configured according to organizational requirements without relying on manual checks.

Role-Based Access Control (RBAC) focuses on managing who can perform actions on Azure resources. While RBAC is essential for assigning permissions, it does not enforce specific configuration settings on resources. Resource Locks are used to prevent accidental deletion or modification of resources, helping protect critical assets, but they do not enforce operational or security configurations. Azure Monitor collects telemetry data, performance metrics, and logs to provide insight into resource health and activity. Although it is valuable for monitoring, it does not actively enforce compliance or apply configuration standards. Therefore, Azure Policy is the correct solution for ensuring that Azure SQL Databases remain compliant with defined settings, providing centralized governance, automation, and visibility across all databases.

Question 69: 

You are tasked with recovering a deleted Azure storage account within the retention period. Which feature allows you to recover it?

A) Soft Delete
B) Resource Lock
C) Azure Policy
D) Azure Monitor

Answer: A) Soft Delete

Explanation: 

Among the options, Soft Delete is the feature that retains deleted storage data for a configured retention period so it can be restored. Be precise about its scope: in Azure Storage, soft delete applies to blobs, containers, and file shares. A deleted storage account itself is not covered by soft delete; it is recovered through the separate storage account recovery process, which works within 14 days of deletion and only if the original resource group still exists and the account name has not been reused. Resource Locks prevent deletion proactively but cannot restore anything. Policy enforces configuration, and Monitor only records events.

To recover deleted Azure Storage data within its retention period, the feature to rely on is Soft Delete. Blob soft delete and container soft delete keep deleted blobs, snapshots, versions, and containers for a configurable number of days, during which they can be restored from the Azure portal, PowerShell, Azure CLI, or the REST API, so an accidental delete does not become data loss. The retention period is only useful if it is set before the deletion happens, and blob soft delete does not protect against the account being deleted. For the account itself, Azure offers storage account recovery: within 14 days of deletion, and provided the resource group still exists and no new account has taken the same name, the account and its data can be restored from the portal. Both mechanisms should be part of a data protection strategy alongside resource locks, which prevent the deletion in the first place.

Resource Locks, while helpful for preventing accidental deletion or modification of critical resources, operate proactively. They cannot recover resources that have already been deleted. Azure Policy enforces specific organizational or compliance standards on resources, such as requiring encryption or backup settings, but it does not provide mechanisms to restore deleted resources. Azure Monitor collects logs, metrics, and alerts from Azure resources, providing visibility into events and performance, but it does not facilitate recovery of deleted storage accounts. Therefore, Soft Delete is the correct and necessary feature to restore deleted Azure storage accounts and their contents within the defined retention period, ensuring data protection and recoverability.

Question 70: 

You need to limit which users can join devices to Azure AD and prevent unauthorized device registrations. Which Azure feature provides this control?

A) Azure AD Device Settings
B) Conditional Access
C) Privileged Identity Management
D) Azure Policy

Answer: A) Azure AD Device Settings

Explanation: 

Azure AD Device Settings allow administrators to control who can join devices to Azure AD, ensuring only authorized users can register devices. Conditional Access controls sign-in behavior, PIM manages temporary privileged roles, and Azure Policy enforces resource configurations.

To limit which users can join devices to Azure Active Directory (Azure AD, now Microsoft Entra ID) and prevent unauthorized device registrations, use the Azure AD Device Settings. Under Devices, Device settings, an administrator sets "Users may join devices to Azure AD" to All, Selected (a specific group), or None, and can separately restrict "Users may register their devices with Azure AD", cap the maximum number of devices per user, and require multifactor authentication to register or join a device. Limiting join rights to a group of authorized users keeps unmanaged or unknown devices from gaining a device identity, which matters because device identity is the basis for compliance checks, Conditional Access device filters, and device-based authentication to corporate resources.

Conditional Access, while a powerful tool for controlling access to applications and resources based on conditions such as user location, device compliance, or risk level, does not manage the ability to register devices with Azure AD. Privileged Identity Management (PIM) is designed to manage, control, and monitor temporary elevated permissions for users, ensuring that privileged roles are assigned only when necessary. It does not govern device registration permissions. Azure Policy enables administrators to enforce organizational standards and configurations for Azure resources, such as requiring encryption or specific tagging, but it does not control user permissions for device join operations. Therefore, Azure AD Device Settings is the appropriate feature to enforce device registration policies, ensuring that only authorized users can join devices to Azure AD and helping maintain security and compliance across the organization.

Question 71: 

You are designing an Azure virtual machine that must use a custom image stored in a shared image gallery. Which Azure service or feature should you use to deploy it?

A) Shared Image Gallery
B) Azure Marketplace
C) Azure Policy
D) VM Scale Set

Answer: A) Shared Image Gallery

Explanation: 

Shared Image Gallery (since renamed Azure Compute Gallery) stores versioned custom VM images and replicates them across regions, subscriptions, and tenants for deployment. Azure Marketplace provides publisher images. Azure Policy can require approved images but does not host them. VM Scale Sets deploy multiple VMs from an image held in a gallery or the Marketplace.

To deploy an Azure virtual machine using a custom image, the appropriate service to use is Shared Image Gallery. Shared Image Gallery enables organizations to create, manage, and share custom virtual machine images across regions, subscriptions, and even tenants. By using this service, administrators can maintain consistent VM configurations and streamline deployment processes while ensuring that images are up-to-date and compliant with organizational standards. Shared Image Gallery supports versioning, which allows multiple versions of an image to coexist, making it easier to roll back or update VM deployments as needed. It also provides scalability by enabling rapid deployment of VMs from the same image across multiple regions, improving operational efficiency and disaster recovery capabilities.

Azure Marketplace, by comparison, offers prebuilt, standardized VM images provided by Microsoft and third-party vendors. While convenient, Marketplace images do not accommodate custom configurations or organization-specific requirements. Azure Policy can be used to enforce compliance rules, such as requiring that VMs use approved images, but it does not host or provide images for deployment. VM Scale Sets allow the deployment of multiple VMs to support large-scale workloads, but they require images from either the Shared Image Gallery or the Marketplace. Therefore, to deploy a VM using a custom image, Shared Image Gallery is the correct solution, as it provides storage, versioning, sharing, and consistent deployment capabilities across an organization.

Question 72: 

You need to encrypt Azure Disk Storage with customer-managed keys stored in Azure Key Vault. Which option allows this configuration?

A) Customer-managed keys with Storage Account encryption
B) Transparent Data Encryption
C) RBAC roles assignment
D) Azure Policy enforcement

Answer: A) Customer-managed keys with Storage Account encryption

Explanation: 

Managed disks are encrypted at rest with customer-managed keys through a Disk Encryption Set that references a key in Azure Key Vault; the exam option describes this server-side encryption with customer-managed keys (the customer-managed key setting on a storage account covers blobs and files, not managed disks). Transparent Data Encryption is for databases. RBAC controls access, and Policy can enforce key usage but does not encrypt data itself.

To encrypt Azure managed disks with keys you control, use server-side encryption with customer-managed keys. The key lives in Azure Key Vault (or a managed HSM); a Disk Encryption Set holds a reference to it and a managed identity that Key Vault allows to wrap and unwrap the data-encryption keys; each disk, snapshot, or image is then associated with the Disk Encryption Set. The organization owns the key lifecycle: it can rotate the key (automatic rotation to the latest version is supported), revoke Key Vault access to cut Azure off from the data, and audit key use in Key Vault logs. Two requirements are easy to miss: the Key Vault must have soft delete and purge protection enabled before a Disk Encryption Set can use it, and if the key is deleted or access is revoked the VMs whose disks depend on it will fail to start. Azure Disk Encryption (BitLocker or dm-crypt inside the guest) is a separate, in-guest option that can also use Key Vault keys.

Transparent Data Encryption (TDE) encrypts Azure SQL Database and SQL Managed Instance databases and does not apply to disk storage. Role-Based Access Control (RBAC) grants permissions to users, groups, or service principals; it is needed to let the Disk Encryption Set's identity reach the vault, but it provides no encryption of its own. Azure Policy can require customer-managed keys on disks across a subscription, but it cannot encrypt anything. Server-side encryption with customer-managed keys, configured through a Disk Encryption Set, is therefore the correct choice.

Question 73: 

Your company requires centralized log collection for all Azure resources and wants to create custom queries for auditing. Which service should you use?

A) Log Analytics Workspace
B) Azure Monitor Metrics
C) Azure Policy
D) Azure Automation

Answer: A) Log Analytics Workspace

Explanation: 

A Log Analytics Workspace collects logs from multiple resources and subscriptions and allows custom Kusto Query Language (KQL) queries for auditing, troubleshooting, and reporting. Azure Monitor Metrics holds numeric time series, not detailed logs. Policy enforces rules, and Automation runs scripted operational tasks.

To achieve centralized log collection for all Azure resources and enable custom queries for auditing, use a Log Analytics Workspace. The workspace is the store that Azure Monitor Logs writes to: resource logs and the subscription activity log arrive through diagnostic settings, VM guest logs through the Azure Monitor agent, and on-premises or other-cloud systems through the same agent or the Data Collection API. Nothing appears in the workspace until a diagnostic setting routes it there, so coverage has to be enforced (typically with Azure Policy) rather than assumed. Once the data is in place, administrators write Kusto Query Language (KQL) queries over tables such as AzureActivity and AzureDiagnostics to audit who changed what, detect anomalies, drive alert rules, and produce compliance reports. Retention, access control on the workspace, and immutability of the underlying data are the security settings to review for an audit use case.

Azure Monitor Metrics, while useful for tracking performance and operational trends of resources, focuses on numeric metrics such as CPU usage, memory consumption, or network throughput. It does not provide detailed log collection or enable complex querying for auditing purposes. Azure Policy is a governance tool that enforces compliance rules, such as requiring encryption or tagging, but it does not store or analyze log data. Azure Automation allows the automation of repetitive operational tasks using runbooks and scripts, helping with resource management and orchestration, but it does not serve as a centralized log repository or support custom audit queries. Therefore, Log Analytics Workspace is the correct solution for consolidating logs from all resources and enabling custom auditing queries, providing a unified view of operational and security data across the organization.

Question 74: 

You need to ensure that all new Azure Storage Accounts are deployed in a specific replication type. Which service can enforce this policy?

A) Azure Policy
B) Resource Locks
C) RBAC
D) Azure Monitor

Answer: A) Azure Policy

Explanation: 

Azure Policy can deny or audit the replication SKU (the Microsoft.Storage/storageAccounts/sku.name alias, for example Standard_GRS) at deployment time. Resource Locks prevent deletion but not configuration. RBAC manages access. Azure Monitor tracks activity but does not enforce settings.

To ensure that all new Azure Storage Accounts are deployed with a specific replication type, such as Geo-Redundant Storage (GRS), the appropriate service to use is Azure Policy. Azure Policy allows organizations to define and enforce rules for resource configurations at the time of deployment. By creating a policy that specifies the required replication type, administrators can automatically audit and, if configured, remediate non-compliant Storage Accounts. This ensures that all storage resources adhere to organizational standards for data durability and availability without relying on manual checks or post-deployment corrections. Azure Policy also provides compliance reporting, giving visibility into which resources meet the defined standards and which require attention.

Resource Locks are designed to prevent accidental deletion or modification of resources by restricting certain actions. While useful for protecting critical storage accounts, they do not enforce specific configuration settings like replication type. Role-Based Access Control (RBAC) manages who can create, modify, or delete resources but does not dictate how the resources should be configured. Azure Monitor collects metrics, logs, and alerts to provide insight into resource performance and health, but it does not enforce configuration rules. Therefore, Azure Policy is the correct solution to ensure that all new Storage Accounts are created with the required replication type, enabling consistent governance, compliance, and adherence to organizational data protection requirements.
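The Azure Policy questions above (Q62, Q63, Q68 and this one) all turn on the same mechanism: a policy rule's "if" block is evaluated against the resource's properties and, when it matches, the "then" effect is applied. The following added example (not from the exam page or from Microsoft's policy engine) implements a small evaluator for that rule language in Python and runs two constructed definitions, one for secure transfer (Q63) and one for replication type (Q74), against constructed storage-account resources. The alias table and the resource documents are assumptions for the example; the two storage aliases mirror the published ones.

```python
# Hypothetical alias table: Azure resolves policy aliases to request-body paths.
# Only the aliases needed for the two rules below are included.
ALIASES = {
    "type": "type",
    "location": "location",
    "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly": "properties.supportsHttpsTrafficOnly",
    "Microsoft.Storage/storageAccounts/sku.name": "sku.name",
}

# Constructed definitions modeled on the built-in storage policies.
SECURE_TRANSFER_RULE = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
        {"anyOf": [
            {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "exists": "false"},
            {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "equals": "false"},
        ]},
    ]},
    "then": {"effect": "deny"},
}
REPLICATION_RULE = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
        {"field": "Microsoft.Storage/storageAccounts/sku.name", "notIn": ["Standard_GRS", "Standard_RAGRS"]},
    ]},
    "then": {"effect": "deny"},
}

# Constructed resource documents (the shape of an ARM request body).
WEAK_ACCOUNT = {"type": "Microsoft.Storage/storageAccounts", "name": "stweak",
                "sku": {"name": "Standard_LRS"},
                "properties": {"supportsHttpsTrafficOnly": False}}
GOOD_ACCOUNT = {"type": "Microsoft.Storage/storageAccounts", "name": "stgood",
                "sku": {"name": "standard_grs"},
                "properties": {"supportsHttpsTrafficOnly": True}}
LEGACY_ACCOUNT = {"type": "Microsoft.Storage/storageAccounts", "name": "stold",
                  "sku": {"name": "Standard_GRS"}, "properties": {}}
A_VM = {"type": "Microsoft.Compute/virtualMachines", "name": "vm1", "properties": {}}


def _lookup(resource, field_name):
    """Resolve an alias (or plain field) to a value via dotted-path walk."""
    value = resource
    for part in ALIASES.get(field_name, field_name).split("."):
        if not isinstance(value, dict) or part not in value:
            return None
        value = value[part]
    return value


def _norm(value):
    """Policy string comparisons are case-insensitive; booleans compare as text."""
    if isinstance(value, bool):
        return str(value).lower()
    return value.lower() if isinstance(value, str) else value


def _condition(resource, cond):
    if "allOf" in cond:
        return all(_condition(resource, c) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_condition(resource, c) for c in cond["anyOf"])
    if "not" in cond:
        return not _condition(resource, cond["not"])
    actual = _lookup(resource, cond["field"])
    if "equals" in cond:
        return _norm(actual) == _norm(cond["equals"])
    if "notEquals" in cond:
        return _norm(actual) != _norm(cond["notEquals"])
    if "in" in cond:
        return _norm(actual) in [_norm(v) for v in cond["in"]]
    if "notIn" in cond:
        return _norm(actual) not in [_norm(v) for v in cond["notIn"]]
    if "exists" in cond:
        return (actual is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(policy_rule, resource):
    """Return the effect the rule applies to this resource, or 'compliant'."""
    return policy_rule["then"]["effect"] if _condition(resource, policy_rule["if"]) else "compliant"


if __name__ == "__main__":
    for name, res in [("weak", WEAK_ACCOUNT), ("good", GOOD_ACCOUNT), ("legacy", LEGACY_ACCOUNT)]:
        print(name, evaluate(SECURE_TRANSFER_RULE, res), evaluate(REPLICATION_RULE, res))
```

The "exists": "false" branch is the detail worth noticing: a request that simply omits supportsHttpsTrafficOnly would otherwise slip past an equals check, which is why the built-in definition tests both. The real engine also evaluates DeployIfNotExists and Modify effects, whose remediation depends on the assignment's managed identity as noted in Q62.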

Question 75: 

You need to enable multi-factor authentication (MFA) for Azure AD users only when they log in from unmanaged devices. Which feature should you configure?

A) Conditional Access policy
B) Privileged Identity Management
C) Azure AD Audit Logs
D) Self-Service Password Reset

Answer: A) Conditional Access policy

Explanation: 

Conditional Access policies enforce MFA based on conditions such as device compliance, device filters, or location. PIM manages temporary elevated access. Audit Logs record activities but do not enforce MFA. Self-Service Password Reset only handles password resets.

To require multi-factor authentication (MFA) only when Azure AD (Microsoft Entra ID) users sign in from unmanaged devices, configure a Conditional Access policy. Conditional Access evaluates each sign-in against conditions such as user, application, location, device state, and risk, and then applies grant controls. The usual construction for this requirement is a policy scoped to the relevant users and apps with the grant controls "Require multifactor authentication" and "Require device to be marked as compliant" combined with "Require one of the selected controls": a sign-in from an Intune-compliant (managed) device satisfies the policy on that condition alone, and every other device must present MFA. A device filter can refine which devices count as managed. This keeps friction low on trusted devices while adding verification where risk is higher. Exclude a break-glass account from the policy, and run it in report-only mode first to see from the sign-in logs which users would have been prompted before enforcing it.

Privileged Identity Management (PIM) is designed to manage, monitor, and control temporary privileged access to Azure resources. While PIM is valuable for reducing the exposure of administrative roles, it does not enforce MFA based on device conditions. Azure AD Audit Logs track user sign-ins, changes, and other directory activities, providing visibility and compliance insights but cannot enforce authentication requirements. Self-Service Password Reset allows users to reset or unlock their passwords independently but is unrelated to MFA enforcement. Therefore, Conditional Access policies are the correct solution for requiring MFA on unmanaged devices, providing precise, policy-based control over authentication and improving organizational security posture.
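The device-based MFA policy described above, as an added example using the Microsoft Graph PowerShell SDK (this is not code from the exam page or from Microsoft; the policy display name, the break-glass account placeholder and the report-only initial state are assumptions). The device filter excludes Intune-compliant and hybrid-joined devices, so the MFA grant applies only to the remaining, unmanaged ones:

```powershell
# Added example: Conditional Access policy requiring MFA only on unmanaged devices.
# Requires the Microsoft.Graph PowerShell module; names below are assumptions.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$policy = @{
    displayName = "CA-MFA-UnmanagedDevices"            # assumed name
    state       = "enabledForReportingButNotEnforced"  # report-only first; set to "enabled" after reviewing sign-in logs
    conditions  = @{
        users          = @{
            includeUsers = @("All")
            # Always exclude emergency-access accounts so a policy mistake cannot lock out admins
            excludeUsers = @("<break-glass-account-object-id>")   # placeholder
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        devices        = @{
            deviceFilter = @{
                # "exclude" means the policy applies to every device NOT matching the rule,
                # i.e. devices that are neither Intune-compliant nor hybrid Azure AD joined.
                mode = "exclude"
                rule = 'device.isCompliant -eq True -or device.trustType -eq "ServerAD"'
            }
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Verify what was created
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State
```

Starting in report-only mode lets you check in the Azure AD sign-in logs which users and devices the policy would have affected before it blocks anyone; flip `state` to `enabled` once the results match expectations.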

Question 76: 

You need to prevent accidental deletion of critical Azure SQL Databases while allowing read/write access. Which feature should you enable?

A) Resource Lock with CanNotDelete
B) Azure Policy
C) RBAC Contributor role
D) Azure Monitor

Answer: A) Resource Lock with CanNotDelete

Explanation: 

A Resource Lock with CanNotDelete prevents the database from being deleted while allowing all other operations. Policy enforces configuration but cannot block deletion directly. RBAC controls permissions, and Monitor provides alerts but cannot prevent actions.

To prevent accidental deletion of critical Azure SQL Databases while still allowing read and write operations, the appropriate feature to enable is a Resource Lock with the CanNotDelete option. This type of resource lock ensures that the database cannot be deleted, providing an additional layer of protection for critical resources. Users and applications retain the ability to read from and write to the database, perform updates, or manage data within the database, but any attempt to delete the database is blocked. This helps safeguard important data and maintain business continuity, especially in environments where multiple administrators or automation processes interact with resources.

Azure Policy can enforce organizational compliance standards and configuration rules, such as requiring auditing or encryption, but it does not directly prevent resource deletion. Role-Based Access Control (RBAC) assigns permissions to users, groups, or applications, allowing control over who can perform actions on a resource. While RBAC can restrict deletion privileges, it requires careful assignment of roles and cannot provide a simple, consistent prevention mechanism like a CanNotDelete lock. Azure Monitor collects telemetry, metrics, and logs from resources, enabling monitoring and alerting for unusual or risky activities, but it cannot actively prevent deletions. Therefore, enabling a Resource Lock with CanNotDelete is the most effective way to protect critical Azure SQL Databases from accidental deletion while maintaining full operational access for legitimate activities.
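Applying and verifying the CanNotDelete lock from the explanation above, as an added example using the Az PowerShell module (not code from the exam page; resource group, server and database names are assumptions):

```powershell
# Added example: CanNotDelete lock on an Azure SQL Database. Names are assumptions.
$rg     = "rg-data-prod"
$server = "sql-prod-01"
$db     = "db-orders"

# For a child resource the ResourceName is "<server>/<database>".
New-AzResourceLock -LockName "lock-db-orders-nodelete" `
    -LockLevel CanNotDelete `
    -LockNotes "Critical database; remove the lock through change control before deleting" `
    -ResourceGroupName $rg `
    -ResourceType "Microsoft.Sql/servers/databases" `
    -ResourceName "$server/$db" `
    -Force

# Verify: list locks scoped to the database and show their level
Get-AzResourceLock -ResourceGroupName $rg `
    -ResourceType "Microsoft.Sql/servers/databases" `
    -ResourceName "$server/$db" |
    Select-Object Name,
        @{ n = 'Level'; e = { $_.Properties.level } },
        @{ n = 'Notes'; e = { $_.Properties.notes } }

# Reads, writes and configuration changes still work; a delete attempt such as
#   Remove-AzSqlDatabase -ResourceGroupName $rg -ServerName $server -DatabaseName $db
# now fails with a lock error until the lock is removed with Remove-AzResourceLock.
```

Because removing the lock is itself an ARM operation (Microsoft.Authorization/locks/delete), only principals whose RBAC role grants that action, such as Owner or User Access Administrator, can clear it before a deletion; Contributor alone cannot.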

Question 77: 

You need to implement centralized outbound internet filtering for multiple VNets and subnets across a region. Which service should you deploy?

A) Azure Firewall
B) Network Security Group
C) Route Table
D) Application Gateway

Answer: A) Azure Firewall

Explanation: 

Azure Firewall provides centralized outbound and inbound traffic filtering, threat intelligence, and logging for multiple VNets. NSG filters traffic per subnet or NIC but is not centralized. Route Tables control routing, and Application Gateway is for HTTP load balancing.

To implement centralized outbound internet filtering for multiple virtual networks (VNets) and subnets across a region, the appropriate service to deploy is Azure Firewall. Azure Firewall is a fully managed, cloud-native network security service that provides centralized filtering for both inbound and outbound traffic. It allows organizations to define network and application rules to control traffic to and from the internet, as well as between VNets. By using Azure Firewall, administrators can enforce consistent security policies across multiple VNets, monitor traffic through logging and analytics, and leverage built-in threat intelligence to block known malicious IP addresses or domains. This centralization simplifies network management and enhances overall security posture.

Network Security Groups (NSGs) provide granular traffic filtering at the subnet or network interface level, allowing administrators to define inbound and outbound rules. While effective for localized traffic control, NSGs are not designed for centralized management across multiple VNets and do not offer advanced threat protection. Route tables define how traffic is routed between subnets, VNets, or to the internet, but they do not provide filtering or security enforcement. Application Gateway is a layer 7 load balancer and web application firewall primarily for HTTP and HTTPS traffic; it is not intended for centralized outbound internet filtering. Therefore, Azure Firewall is the optimal choice for providing unified, region-wide outbound traffic control, threat intelligence, and logging across multiple VNets and subnets.

Question 78: 

You want to restore an Azure SQL Database to a point in time within the last 7 days. Which feature allows this?

A) Point-in-time restore
B) Active Geo-Replication
C) Geo-restore
D) Backup Retention

Answer: A) Point-in-time restore

Explanation: 

Point-in-time restore allows recovery of databases to a specific time within the retention period. Active Geo-Replication is for multi-region failover. Geo-restore is for region-level disaster recovery. Backup retention only defines how long backups are kept.

To restore an Azure SQL Database to a specific point in time within the last seven days, the feature to use is Point-in-time restore. Point-in-time restore enables administrators to recover a database to any moment within the retention period, providing protection against accidental data loss, corruption, or unintended changes. When performing a point-in-time restore, Azure creates a new database from the backup corresponding to the selected time, ensuring that the restored database reflects the exact state it was in at that point. This feature is critical for maintaining business continuity and minimizing the impact of user errors or operational issues.

Active Geo-Replication, on the other hand, is designed for creating readable secondary databases in different regions to support high availability and disaster recovery. It allows failover in case the primary database becomes unavailable but is not intended for restoring a database to a previous point in time. Geo-restore is used for recovering databases after a regional outage or disaster by restoring from geo-redundant backups, but it does not allow precise point-in-time recovery within the same region. Backup retention defines how long automated backups are stored and available for restore, but it does not perform the restore itself. Therefore, for restoring a database to a specific moment within the last seven days, Point-in-time restore is the appropriate feature, offering precise recovery and protection against data loss.
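The point-in-time restore described above, as an added Az PowerShell example (not code from the exam page; names are assumptions, and the restore target of six hours ago is illustrative). It checks the requested time against the database's earliest restore point before restoring into a new database:

```powershell
# Added example: point-in-time restore of an Azure SQL Database. Names are assumptions.
$rg     = "rg-data-prod"
$server = "sql-prod-01"
$db     = "db-orders"

$source = Get-AzSqlDatabase -ResourceGroupName $rg -ServerName $server -DatabaseName $db

# Requested restore time (UTC). Must lie inside the retention window.
$restoreTime = (Get-Date).ToUniversalTime().AddHours(-6)
$earliest    = $source.EarliestRestoreDate
if ($restoreTime -lt $earliest) {
    throw "Requested time $restoreTime is before the earliest restore point $earliest"
}

# PITR always creates a NEW database; the original is left untouched.
$targetName = "$db-restored-$($restoreTime.ToString('yyyyMMddHHmm'))"
Restore-AzSqlDatabase -FromPointInTimeBackup `
    -PointInTime $restoreTime `
    -ResourceGroupName $rg `
    -ServerName $server `
    -TargetDatabaseName $targetName `
    -ResourceId $source.ResourceID `
    -Edition $source.Edition `
    -ServiceObjectiveName $source.CurrentServiceObjectiveName

Get-AzSqlDatabase -ResourceGroupName $rg -ServerName $server -DatabaseName $targetName |
    Select-Object DatabaseName, Status, CreationDate
```

Once the restored copy has been verified, the usual recovery path is to rename it into place (or copy the needed rows back) rather than to overwrite the original directly.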

Question 79: 

You need to automate VM shutdown and startup for cost optimization based on a schedule. Which Azure service allows this?

A) Azure Automation Runbooks
B) Azure Policy
C) Azure Monitor Alerts
D) RBAC

Answer: A) Azure Automation Runbooks

Explanation: 

Azure Automation Runbooks allow scheduling routine tasks, including starting and stopping VMs based on time. Policy enforces configurations but does not automate tasks. Monitor can trigger alerts but not execute actions. RBAC controls access, not scheduling.

To automate the shutdown and startup of Azure virtual machines (VMs) for cost optimization based on a schedule, the appropriate service to use is Azure Automation Runbooks. Azure Automation Runbooks provide a cloud-based platform to create, schedule, and execute automated tasks across Azure resources. By using Runbooks, administrators can define scripts that start or stop VMs at specific times, ensuring that non-essential VMs are powered down during off-hours and restarted when needed. This helps reduce operational costs by minimizing resource consumption without requiring manual intervention, while maintaining availability during business hours. Runbooks support PowerShell, Python, and graphical workflows, providing flexibility in automation design.

Azure Policy is primarily used for enforcing compliance rules and organizational standards, such as requiring encryption or tagging on resources, but it does not perform operational tasks like starting or stopping VMs. Azure Monitor Alerts can notify administrators when specific conditions or metrics are met, such as high CPU usage, but alerts alone cannot execute scheduled actions unless integrated with automation solutions. Role-Based Access Control (RBAC) manages permissions for users, groups, and service principals, controlling who can perform actions on resources, but it does not provide automation or scheduling capabilities. Therefore, Azure Automation Runbooks is the correct solution for automating VM start and shutdown operations on a defined schedule, enabling cost savings and operational efficiency.
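A PowerShell runbook of the kind described above, as an added example (not code from the exam page or from Microsoft). It runs under the Automation account's system-assigned managed identity and starts or stops only VMs carrying an opt-in tag, so an accidental run cannot touch untagged production machines; the tag name, tag value and resource group are assumptions:

```powershell
# Added example: Automation runbook "Set-TaggedVmPowerState" that starts or stops
# tagged VMs. Parameter defaults and names are assumptions.
param(
    [Parameter(Mandatory)][ValidateSet("Start", "Stop")][string]$Action,
    [Parameter(Mandatory)][string]$ResourceGroupName,
    [string]$TagName  = "AutoSchedule",
    [string]$TagValue = "business-hours"
)

$ErrorActionPreference = "Stop"

# Authenticate as the Automation account's system-assigned managed identity.
# That identity needs a role such as "Virtual Machine Contributor" on the resource group.
Connect-AzAccount -Identity | Out-Null

# Opt-in model: only VMs tagged AutoSchedule=business-hours are affected.
$vms = Get-AzVM -ResourceGroupName $ResourceGroupName |
       Where-Object { $_.Tags -and $_.Tags[$TagName] -eq $TagValue }

if (-not $vms) {
    Write-Output "No VMs in $ResourceGroupName carry tag $TagName=$TagValue; nothing to do."
    return
}

foreach ($vm in $vms) {
    Write-Output "$Action $($vm.Name)"
    if ($Action -eq "Stop") {
        # -Force skips the confirmation prompt; the default stop deallocates the VM,
        # which is what stops compute charges.
        Stop-AzVM -ResourceGroupName $ResourceGroupName -Name $vm.Name -Force -NoWait
    }
    else {
        Start-AzVM -ResourceGroupName $ResourceGroupName -Name $vm.Name -NoWait
    }
}
```

To put it on a schedule, import and publish the script with `Import-AzAutomationRunbook` and `Publish-AzAutomationRunbook`, create two schedules with `New-AzAutomationSchedule` (for example a daily 19:00 stop and a daily 07:00 start), and bind each schedule to the runbook with `Register-AzAutomationScheduledRunbook`, passing `-Parameters @{ Action = "Stop"; ResourceGroupName = "rg-dev" }` and the Start equivalent. The job output and any errors are then visible in the Automation account's job history.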

Question 80: 

Your organization wants to replicate Azure SQL Databases to a secondary region for disaster recovery while keeping them readable. Which feature should you implement?

A) Active Geo-Replication
B) Backup Retention
C) Read-scale Out
D) Azure Monitor

Answer: A) Active Geo-Replication

Explanation: 

Active Geo-Replication allows replication of Azure SQL Databases to a secondary region with the secondary database available for read-only queries. Backup retention provides restore points. Read-scale Out only improves read performance in the primary region. Azure Monitor tracks metrics but does not replicate data.

To replicate Azure SQL Databases to a secondary region for disaster recovery while keeping the secondary database readable, the appropriate feature to implement is Active Geo-Replication. Active Geo-Replication enables the creation of one or more readable secondary databases in a different Azure region from the primary database. These secondary databases are continuously synchronized with the primary, ensuring that data remains up-to-date. In the event of a regional outage or disaster affecting the primary database, failover can be initiated to the secondary database to maintain business continuity. Additionally, because the secondary database is readable, it can be used for reporting, analytics, or offloading read-only workloads, helping to optimize performance and reduce load on the primary database.

Backup Retention defines how long automated backups are kept and provides restore points for recovering databases, but it does not support real-time replication to a secondary region or maintain a read-accessible copy. Read-scale Out improves read performance by routing read-only queries to secondary replicas, but it operates only within the same region and does not provide geographic disaster recovery. Azure Monitor collects telemetry, logs, and metrics for monitoring database performance and health, but it does not replicate data or provide a failover solution. Therefore, Active Geo-Replication is the correct solution for enabling both disaster recovery and read-accessibility in a secondary region, ensuring high availability and operational flexibility.
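Creating the readable secondary described above and checking the replication link, as an added Az PowerShell example (not code from the exam page). It assumes the secondary logical server already exists in the other region; server, region and resource group names are assumptions:

```powershell
# Added example: Active Geo-Replication with a readable secondary. Names are assumptions.
$primaryRg       = "rg-data-prod"
$primaryServer   = "sql-prod-eastus"
$secondaryRg     = "rg-data-dr"
$secondaryServer = "sql-prod-westus"   # must already exist in the secondary region
$db              = "db-orders"

# -AllowConnections "All" makes the secondary accept read-only client connections,
# so reporting workloads can point at $secondaryServer directly.
New-AzSqlDatabaseSecondary -ResourceGroupName $primaryRg `
    -ServerName $primaryServer `
    -DatabaseName $db `
    -PartnerResourceGroupName $secondaryRg `
    -PartnerServerName $secondaryServer `
    -AllowConnections "All"

# Verify the link from the primary side: role, partner role and seeding progress
Get-AzSqlDatabaseReplicationLink -ResourceGroupName $primaryRg `
    -ServerName $primaryServer `
    -DatabaseName $db `
    -PartnerResourceGroupName $secondaryRg `
    -PartnerServerName $secondaryServer |
    Select-Object Role, PartnerRole, ReplicationState, PercentComplete

# Planned failover is run FROM the secondary and swaps the roles without data loss
# (uncomment to execute during a DR drill):
# Set-AzSqlDatabaseSecondary -ResourceGroupName $secondaryRg `
#     -ServerName $secondaryServer `
#     -DatabaseName $db `
#     -PartnerResourceGroupName $primaryRg `
#     -Failover
```

Logins and firewall rules are server-level objects and are not replicated with the database, so they have to be provisioned on the secondary server separately for the readable copy (and any post-failover primary) to be usable by applications.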
