Microsoft AZ-104 Microsoft Azure Administrator Exam Dumps and Practice Test Questions Set 6 Q101-120
Question 101:
You need to ensure that all Azure virtual machines in a subscription are automatically assigned a specific backup policy when deployed. Which service allows this enforcement?
A) Azure Policy
B) Azure Automation
C) RBAC
D) Resource Locks
Answer: A) Azure Policy
Explanation:
Azure Policy can enforce that all newly deployed VMs are assigned a specific backup policy automatically. Automation can run scripts but does not enforce compliance at deployment. RBAC controls permissions, and Resource Locks prevent deletion or modification but do not enforce policies.
Azure Policy is the service that allows you to automatically assign a specific backup policy to all Azure virtual machines as soon as they are deployed. With Azure Policy, you can create or use built-in policy definitions that audit or enforce the presence of backup settings on every new VM. When a VM is created, the policy checks compliance and, if configured with a remediation task, automatically applies the required backup policy without any manual intervention. This ensures consistent protection across the subscription and prevents situations where VMs are deployed without proper backup coverage.
Azure Automation can help run scheduled tasks or scripts, such as configuring backups after deployment, but it does not enforce rules at deployment time, meaning a VM could still be created without the required protection. RBAC focuses on controlling who has permission to perform actions in the environment but does not automatically assign configurations to resources. Resource Locks help prevent accidental changes or deletions, but they do not ensure that backup settings are applied. Because Azure Policy is specifically designed to enforce governance standards and maintain compliance across resources, it is the correct choice for automatically assigning a backup policy to newly deployed virtual machines.
Question 102:
Your company requires that only compliant devices can access Microsoft 365 resources through Azure AD. Which service allows this control?
A) Conditional Access
B) Azure AD Privileged Identity Management
C) Azure AD B2B
D) Azure Monitor
Answer: A) Conditional Access
Explanation:
Conditional Access allows policies that enforce access based on device compliance, location, risk level, and other conditions. PIM manages temporary elevated access. B2B allows external collaboration. Monitor tracks logs and metrics but does not enforce access.
Conditional Access is the feature that lets your company ensure only compliant devices can access Microsoft 365 resources. With Conditional Access policies, you can define rules that check whether a device meets your organization’s compliance requirements before granting access. These policies evaluate factors such as device health, operating system version, security settings, and whether the device is managed through tools like Intune. If a device doesn’t meet the compliance standards, access to Microsoft 365 can be blocked or require additional actions, helping maintain strong security across your environment.
Azure AD Privileged Identity Management helps manage and control elevated roles but does not evaluate device compliance or handle access conditions for everyday users. Azure AD B2B focuses on enabling collaboration with external users, giving them limited access to resources, but it does not enforce compliance checks for internal devices. Azure Monitor collects and analyzes logs, metrics, and diagnostic data for visibility into performance and operations, but it does not control whether a device can access Microsoft 365. Because Conditional Access directly supports evaluating device compliance and applying access rules in real time, it is the right solution for enforcing this requirement.
Question 103:
You need to implement a highly available Azure Storage solution that can withstand a regional outage. Which replication type should you select?
A) Geo-Redundant Storage
B) Locally Redundant Storage
C) Zone-Redundant Storage
D) Standard HDD
Answer: A) Geo-Redundant Storage
Explanation:
Geo-Redundant Storage replicates data to a secondary region, providing protection against regional outages. Locally redundant storage replicates within a single datacenter. Zone-redundant storage replicates across zones in one region. Standard HDD is a performance tier, not a replication method.
Geo-Redundant Storage is the appropriate choice when you need an Azure Storage solution that can continue operating even if an entire region becomes unavailable. This replication option copies your data asynchronously to a secondary region that is geographically distant from the primary one. By maintaining this second copy, the service ensures that your data remains accessible during large-scale outages, offering a strong disaster recovery foundation. It provides continuity and resilience without requiring you to manually manage the replication process.
Locally Redundant Storage keeps data within a single datacenter, which helps protect against hardware failures but does not offer protection against regional disruptions. Zone-Redundant Storage distributes copies across availability zones within the same region to guard against zone-level failures, but it still cannot withstand a full regional outage. Standard HDD is simply a storage performance tier that influences cost and speed; it does not offer any replication or high availability features.
Because the requirement explicitly asks for resilience in the event of a regional outage, Geo-Redundant Storage is the best fit, as it ensures your data remains available across geographically separate locations.
Question 104:
You want to allow users to access a specific Azure SQL Database without granting them full database roles. Which feature should you implement?
A) Dynamic Data Masking
B) Transparent Data Encryption
C) Resource Locks
D) Azure Policy
Answer: A) Dynamic Data Masking
Explanation:
Dynamic Data Masking hides sensitive information for users without sufficient privileges while allowing them to query data. Transparent Data Encryption encrypts data at rest. Resource Locks prevent deletion, and Policy enforces configurations.
Dynamic Data Masking is the appropriate feature when you need to let users access an Azure SQL Database but want to limit what they can actually see without giving them broad database roles. This capability works by masking specific fields at query time, so users can run their usual queries but only receive masked values for sensitive columns such as emails, credit card numbers, or personal identifiers. It allows fine-grained control over exposure while keeping the underlying data intact and fully visible to authorized users.
Transparent Data Encryption serves a completely different purpose, as it focuses on encrypting data at rest to protect against unauthorized access to stored files; it does not control what users see within queries. Resource Locks are meant to protect infrastructure resources from accidental deletion or modification rather than restrict visibility of data. Azure Policy helps enforce rules for resource configurations across subscriptions but does not alter or mask data within databases.
Since the goal is to let users work with the database while shielding sensitive information, Dynamic Data Masking offers the right balance by maintaining access but selectively obscuring protected fields based on user permissions.
Question 105:
Your company wants to deploy virtual machines that automatically scale based on custom metrics from a queue in Azure. Which solution should you implement?
A) VM Scale Sets with autoscale rules
B) Azure Automation Runbooks
C) Resource Locks
D) Azure Policy
Answer: A) VM Scale Sets with autoscale rules
Explanation:
VM Scale Sets can scale out or in based on custom metrics such as queue length or application load. Automation can run scripts but does not provide dynamic scaling. Resource Locks prevent deletion, and Policy enforces configuration compliance.
VM Scale Sets with autoscale rules are the right choice when you need virtual machines to adjust automatically based on real-time demand, especially when the trigger comes from custom metrics like the length of a queue. Scale sets allow you to define thresholds that determine when more instances should be added or removed, enabling your environment to respond smoothly as workload levels rise or fall. This automatic scaling helps maintain performance without constant manual oversight and keeps costs optimized by running only the necessary number of VMs.
Azure Automation Runbooks are useful for scheduled or scripted tasks, but they don’t offer dynamic, metric-driven scaling that responds instantly to workload changes. Resource Locks focus on protecting infrastructure resources from accidental deletion or modification rather than managing capacity. Azure Policy helps enforce configuration standards across your environment but doesn’t take action based on real-time load or queue depth.
Because VM Scale Sets were designed specifically for elastic workloads and integrate seamlessly with metrics from Azure Monitor, they are the ideal option when your scaling logic depends on custom measurements from an application queue or similar workload indicators.
Question 106:
You need to ensure that external contractors can access specific resources in Azure AD without giving them full permissions. Which solution should you use?
A) Azure AD Guest Users
B) Azure AD B2C
C) Privileged Identity Management
D) Conditional Access
Answer: A) Azure AD Guest Users
Explanation:
Guest Users allow external contractors limited access to selected resources. B2C is for customer-facing applications. PIM manages temporary elevated privileges, and Conditional Access controls authentication conditions.
Azure AD Guest Users are the appropriate solution when you need to provide external contractors with controlled access to specific Azure AD resources. This feature allows organizations to invite outside users into their directory while maintaining tight control over what those users can access. Contractors can be assigned only the permissions they require, ensuring that internal resources remain protected and unnecessary privileges are not granted.
Azure AD B2C, on the other hand, is designed for customer identity and access management in public-facing applications and isn’t intended for internal collaboration scenarios. Privileged Identity Management focuses on providing just-in-time elevated access to internal administrators or tightly managed roles, which is not typically what contractors need. Conditional Access adds conditional rules to authentication but doesn’t handle the onboarding or identity management of external users.
Using Azure AD Guest Users ensures that external personnel can collaborate securely while respecting organizational boundaries. Permissions remain flexible, temporary access can be granted as needed, and auditing capabilities remain intact. This setup helps maintain a balance between collaboration and security by granting the minimum access required without exposing full administrative or directory-wide permissions.
Question 107:
You are designing a solution that requires encrypted communication between Azure services over private networks. Which feature should you implement?
A) Private Endpoint
B) Network Security Group
C) Public IP
D) Azure Policy
Answer: A) Private Endpoint
Explanation:
Private Endpoints provide private connectivity over the Azure backbone network for services such as Storage or SQL Database. NSGs filter traffic but do not create private connections. Public IP exposes services to the internet. Policy enforces compliance but does not create private communication channels.
Private Endpoint is the right choice when you need encrypted communication between Azure services using private network paths instead of exposing traffic to the public internet. This feature assigns a private IP address from your virtual network to supported Azure services such as Storage, SQL Database, Key Vault, and many others. Because the traffic flows entirely over the Azure backbone network, it not only remains isolated from the public internet but is also encrypted and protected by Azure’s internal network infrastructure. This ensures that service-to-service communication stays secure and private without requiring external routing.
Network Security Groups can help control inbound and outbound traffic by applying security rules at the subnet or NIC level, but they don’t establish private connectivity or enforce encrypted communication between services on their own. Public IP is the opposite of what the requirement calls for since it exposes resources externally. Azure Policy is helpful for enforcing rules and ensuring resources follow organizational standards, but it doesn’t create or manage private communication channels.
By using Private Endpoint, you enable service interaction with guaranteed privacy, reduced exposure surface, and protection against internet-based threats, all while keeping connectivity simple and tightly controlled within your Azure virtual network.
Question 108:
You need to track all administrative changes to Azure resources, including who performed the actions and when. Which service should you use?
A) Azure Activity Logs
B) Azure Monitor Metrics
C) Azure Policy
D) RBAC
Answer: A) Azure Activity Logs
Explanation:
Activity Logs provide audit information for management operations, showing who modified resources and when. Monitor metrics track performance, Policy enforces rules, and RBAC controls permissions but does not log changes.
Azure Activity Logs are the right tool when you need complete visibility into administrative actions across your Azure environment. This service records all management operations, including resource creation, updates, deletions, and configuration changes. It also captures who performed each action, when it occurred, and the outcome. This makes it essential for auditing, compliance checks, and troubleshooting unexpected modifications. The logs can be viewed directly in the Azure portal, exported to a Log Analytics workspace for deeper analysis, or streamed to external SIEM systems for long-term retention and correlation.
Azure Monitor Metrics focuses on performance indicators like CPU usage or latency but doesn’t record administrative actions. Azure Policy ensures resources follow specific configuration rules, yet it does not track who made changes—it simply evaluates compliance. RBAC allows you to control access levels for users and groups, but it doesn’t provide any history of actions taken by those roles.
By using Azure Activity Logs, you ensure you have a clear and reliable audit trail for every administrative event in your subscription, helping your organization meet regulatory requirements and maintain accountability across all resource operations.
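The audit question above (who changed what, and when) is easiest to see on real records. The following is an added example, not code from the original page: it parses a constructed set of Activity Log events in the export shape (category, operationName, caller, eventTimestamp, status, resourceId) and builds the trail of completed changes, deletions and failed attempts. The subscription ID and callers are placeholders.

```python
"""Extract an audit trail from Azure Activity Log records.

Added example; it is not from the original page. The records are constructed to
mirror the Activity Log event shape (category, operationName, caller,
eventTimestamp, status, resourceId) and are not real tenant data.
"""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample export: one 'write', one 'delete' that appears twice
# (Started, then Succeeded), one failed 'delete' and one non-Administrative event.
SAMPLE_EVENTS = json.loads("""[
  {"category": {"value": "Administrative"},
   "operationName": {"value": "Microsoft.Compute/virtualMachines/write"},
   "caller": "alice@contoso.example", "eventTimestamp": "2024-05-01T08:15:00Z",
   "status": {"value": "Succeeded"},
   "resourceId": "/subscriptions/<SUB-ID>/resourceGroups/prod/providers/Microsoft.Compute/virtualMachines/web01"},
  {"category": {"value": "Administrative"},
   "operationName": {"value": "Microsoft.Compute/virtualMachines/delete"},
   "caller": "bob@contoso.example", "eventTimestamp": "2024-05-01T09:00:00Z",
   "status": {"value": "Started"},
   "resourceId": "/subscriptions/<SUB-ID>/resourceGroups/prod/providers/Microsoft.Compute/virtualMachines/web02"},
  {"category": {"value": "Administrative"},
   "operationName": {"value": "Microsoft.Compute/virtualMachines/delete"},
   "caller": "bob@contoso.example", "eventTimestamp": "2024-05-01T09:00:05Z",
   "status": {"value": "Succeeded"},
   "resourceId": "/subscriptions/<SUB-ID>/resourceGroups/prod/providers/Microsoft.Compute/virtualMachines/web02"},
  {"category": {"value": "Administrative"},
   "operationName": {"value": "Microsoft.Storage/storageAccounts/delete"},
   "caller": "carol@contoso.example", "eventTimestamp": "2024-05-01T09:30:00Z",
   "status": {"value": "Failed"},
   "resourceId": "/subscriptions/<SUB-ID>/resourceGroups/prod/providers/Microsoft.Storage/storageAccounts/stprod01"},
  {"category": {"value": "Policy"},
   "operationName": {"value": "Microsoft.Authorization/policies/audit/action"},
   "caller": "", "eventTimestamp": "2024-05-01T09:31:00Z",
   "status": {"value": "Succeeded"},
   "resourceId": "/subscriptions/<SUB-ID>/resourceGroups/prod/providers/Microsoft.Storage/storageAccounts/stprod01"}
]""")


def _parse_time(stamp):
    # Activity Log timestamps are UTC ISO-8601 with a trailing 'Z'.
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def _summarize(event):
    return {
        "time": _parse_time(event["eventTimestamp"]),
        "caller": event["caller"],
        "operation": event["operationName"]["value"],
        "resource": event["resourceId"].rsplit("/", 1)[-1],
        "status": event["status"]["value"],
    }


def administrative_events(events):
    """Only the Administrative category records control-plane changes."""
    return [_summarize(e) for e in events if e["category"]["value"] == "Administrative"]


def completed_changes(events):
    """One record per completed operation: 'Started' and 'Failed' phases are dropped."""
    done = [c for c in administrative_events(events) if c["status"] == "Succeeded"]
    return sorted(done, key=lambda c: c["time"])


def deletions(events):
    return [c for c in completed_changes(events) if c["operation"].lower().endswith("/delete")]


def failed_attempts(events):
    """Failed control-plane calls, e.g. a delete blocked by a CanNotDelete lock."""
    return [c for c in administrative_events(events) if c["status"] == "Failed"]


def changes_by_caller(events):
    counts = defaultdict(int)
    for c in completed_changes(events):
        counts[c["caller"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for c in completed_changes(SAMPLE_EVENTS):
        print(c["time"].isoformat(), c["caller"], c["operation"], c["resource"])
    print("deletions:", [(d["caller"], d["resource"]) for d in deletions(SAMPLE_EVENTS)])
    print("failed:", [(f["caller"], f["operation"]) for f in failed_attempts(SAMPLE_EVENTS)])
```

Each operation is logged in phases, so counting raw events overstates activity; filtering on the Succeeded phase gives one row per change.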
Question 109:
You want to recover an accidentally deleted Azure Key Vault and its secrets. Which configuration ensures this is possible?
A) Soft Delete with Purge Protection
B) Resource Lock
C) Azure Policy
D) RBAC
Answer: A) Soft Delete with Purge Protection
Explanation:
Soft Delete retains deleted Key Vaults and secrets for a retention period, and Purge Protection prevents permanent deletion during that period. Resource Lock prevents deletion proactively but does not restore. Policy enforces settings, and RBAC controls access.
Soft Delete with Purge Protection is the configuration that ensures an accidentally deleted Azure Key Vault and its secrets can be recovered reliably. Soft Delete keeps deleted vaults and their contents in a recoverable state for a defined retention period, allowing administrators to restore them if needed. This feature is crucial for safeguarding sensitive keys, secrets, and certificates that might otherwise be lost due to user mistakes or automated processes. Purge Protection adds an extra safety layer by preventing permanent deletion until the retention period expires, ensuring no one—intentionally or accidentally—can remove the vault beyond recovery.
Resource Lock can help prevent deletion in the first place, but if the lock is removed and the vault is then deleted, the lock offers no way to restore it. Azure Policy is useful for enforcing how resources should be configured, but it does not preserve deleted data. RBAC controls who can access or manage the vault, yet it does nothing to restore a deleted resource.
By enabling Soft Delete along with Purge Protection, you guarantee that your Key Vault and its sensitive contents remain recoverable, supporting strong operational resilience and meeting organizational or regulatory security requirements.
Question 110:
You need to allow on-premises users to access Azure AD resources while maintaining password validation on-premises. Which solution should you deploy?
A) Pass-through Authentication
B) Password Hash Synchronization
C) Azure AD B2C
D) Conditional Access
Answer: A) Pass-through Authentication
Explanation:
Pass-through Authentication allows users to authenticate using on-premises passwords without replicating them to Azure AD. Password Hash Synchronization stores hashes in Azure AD. B2C is for customer-facing identities. Conditional Access enforces policies but does not handle authentication.
Pass-through Authentication is the appropriate solution when you want on-premises users to access Azure AD resources while still validating their passwords against the on-premises Active Directory. This method securely routes authentication requests from Azure AD back to your local environment, ensuring that passwords never leave your network or get synced to the cloud. It provides a balance between security and convenience, allowing users to sign in with their usual credentials while keeping password validation under your control.
Password Hash Synchronization copies password hashes into Azure AD, which means authentication happens in the cloud rather than on-premises. While secure, it doesn’t meet the requirement of keeping validation local. Azure AD B2C is designed for customer or external user identity management and is not intended for internal employee authentication. Conditional Access is used to enforce policies like MFA, location restrictions, or device compliance but does not manage how or where passwords are validated.
By choosing Pass-through Authentication, you maintain security boundaries, reduce administrative overhead, and allow seamless access to Azure AD applications without storing any password information in the cloud. This setup is ideal for organizations with strict compliance requirements or environments where password validation must remain fully on-premises.
Question 111:
You need to automatically remediate non-compliant storage accounts that do not have secure transfer enabled. Which service can do this?
A) Azure Policy with remediation tasks
B) Azure Automation
C) RBAC
D) Azure Monitor
Answer: A) Azure Policy with remediation tasks
Explanation:
Azure Policy can detect non-compliant resources and trigger automated remediation, such as enabling secure transfer on storage accounts. Automation can perform scripted tasks but does not enforce compliance automatically. RBAC controls access, and Monitor only notifies.
To automatically remediate non-compliant Azure Storage accounts that do not have secure transfer enabled, the appropriate service to use is Azure Policy with remediation tasks. Azure Policy allows administrators to define compliance rules for resources, such as requiring that secure transfer is enabled on all storage accounts. When a storage account is deployed or modified in a way that violates the policy, Azure Policy can identify it as non-compliant. By enabling remediation tasks, Azure Policy can automatically correct the configuration, in this case by enabling secure transfer on the storage account without requiring manual intervention. This ensures continuous compliance across the subscription and reduces the risk of misconfigurations that could expose data to unencrypted connections.
Azure Automation can execute scripts or runbooks to perform tasks such as updating configurations, starting or stopping VMs, or patching systems, but it does not inherently enforce compliance or automatically detect non-compliant resources. Role-Based Access Control (RBAC) manages who can access or modify resources in Azure, ensuring that only authorized users perform actions, but it does not monitor compliance or apply remediation. Azure Monitor collects telemetry, metrics, and logs from resources and can trigger alerts when specific conditions are met, but it does not take corrective action. Therefore, Azure Policy with remediation tasks is the correct solution for automatically detecting and remediating storage accounts that do not have secure transfer enabled, ensuring consistent security and compliance throughout the environment.
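To make the detect-then-remediate flow concrete, here is an added example (not code from the original page) of a Modify-effect policy rule for the secure transfer setting, together with a small offline evaluator that classifies sample storage accounts the way the page describes and applies the remediation operation. The policy alias is the real one for this property; the evaluator, the sample resources and the role definition ID are constructed placeholders, not Azure's own engine.

```python
"""Azure Policy 'Modify' evaluation for storage-account secure transfer.

Added example, not from the original page. POLICY_RULE has the shape of a
Modify-effect policy definition; the evaluator and sample resources are
constructed for illustration and the role definition ID is a placeholder.
"""
import copy

SECURE_TRANSFER_ALIAS = "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly"

# Policy rule in the same structure an Azure Policy definition uses.
POLICY_RULE = {
    "if": {
        "allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"field": SECURE_TRANSFER_ALIAS, "notEquals": "true"},
        ]
    },
    "then": {
        "effect": "Modify",
        "details": {
            # Placeholder: the remediation task's managed identity needs a role
            # that can write the storage account (e.g. Storage Account Contributor).
            "roleDefinitionIds": [
                "/providers/Microsoft.Authorization/roleDefinitions/<ROLE-ID-PLACEHOLDER>"
            ],
            "operations": [
                {"operation": "addOrReplace", "field": SECURE_TRANSFER_ALIAS, "value": True}
            ],
        },
    },
}

# Maps each policy alias to the ARM property path it resolves to.
ALIAS_TO_PATH = {
    "type": ("type",),
    SECURE_TRANSFER_ALIAS: ("properties", "supportsHttpsTrafficOnly"),
}


def _field_value(resource, field):
    value = resource
    for key in ALIAS_TO_PATH[field]:
        value = value.get(key)
        if value is None:
            return None
    return value


def _normalize(value):
    # Policy compares strings case-insensitively, so True and "true" match.
    return None if value is None else str(value).lower()


def condition_matches(resource, condition):
    if "allOf" in condition:
        return all(condition_matches(resource, c) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(condition_matches(resource, c) for c in condition["anyOf"])
    actual = _normalize(_field_value(resource, condition["field"]))
    if "equals" in condition:
        return actual == _normalize(condition["equals"])
    if "notEquals" in condition:
        return actual != _normalize(condition["notEquals"])
    raise ValueError("unsupported condition: %r" % condition)


def is_compliant(resource, rule=POLICY_RULE):
    # A resource is non-compliant when the 'if' block matches.
    return not condition_matches(resource, rule["if"])


def remediate(resource, rule=POLICY_RULE):
    """Apply the Modify operations a remediation task would perform; returns a copy."""
    fixed = copy.deepcopy(resource)
    if is_compliant(fixed, rule):
        return fixed
    for op in rule["then"]["details"]["operations"]:
        if op["operation"] != "addOrReplace":
            raise ValueError("only addOrReplace is modelled here")
        *parents, leaf = ALIAS_TO_PATH[op["field"]]
        node = fixed
        for key in parents:
            node = node.setdefault(key, {})
        node[leaf] = op["value"]
    return fixed


# Constructed sample resources (not real accounts).
SAMPLE_RESOURCES = [
    {"name": "stlogs01", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"supportsHttpsTrafficOnly": True}},
    {"name": "stlegacy02", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"supportsHttpsTrafficOnly": False}},
    {"name": "stold03", "type": "Microsoft.Storage/storageAccounts",
     "properties": {}},  # property absent: treated as non-compliant
    {"name": "vm01", "type": "Microsoft.Compute/virtualMachines",
     "properties": {}},  # outside the rule's scope
]


def non_compliant_names(resources=SAMPLE_RESOURCES):
    return [r["name"] for r in resources if not is_compliant(r)]


if __name__ == "__main__":
    print("non-compliant:", non_compliant_names())
    for r in SAMPLE_RESOURCES:
        print(r["name"], "->", remediate(r)["properties"])
```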
Question 112:
You need to create a VM that uses a custom image shared across multiple regions. Which service should you use?
A) Shared Image Gallery
B) Azure Marketplace
C) Azure Policy
D) VM Scale Set
Answer: A) Shared Image Gallery
Explanation:
Shared Image Gallery allows the storage and replication of custom VM images across regions. Marketplace provides pre-built images. Policy enforces settings but does not host images. VM Scale Sets deploy VMs but require images from the gallery or Marketplace.
To create a virtual machine that uses a custom image shared across multiple regions, the appropriate service to use is Shared Image Gallery. Shared Image Gallery allows organizations to store, manage, and replicate custom VM images across different Azure regions, ensuring consistency in virtual machine deployments. By using a Shared Image Gallery, administrators can version images, control which images are available for deployment, and maintain standard configurations for virtual machines across multiple regions. This approach simplifies management, reduces errors, and ensures that all VMs deployed from the gallery are consistent with organizational requirements. Additionally, replication across regions improves deployment speed and availability, as images are already present in the target regions, reducing the need to transfer large image files at deployment time.
Azure Marketplace provides pre-built, standard images for common operating systems and applications, but it does not allow storage or replication of organization-specific custom images. Azure Policy is used to enforce compliance rules and configurations across resources, such as requiring encryption or tagging, but it does not host or provide images for VM deployment. VM Scale Sets allow the deployment of multiple identical virtual machines and provide autoscaling capabilities, but they still require an image source, such as a Shared Image Gallery or Marketplace image. Therefore, Shared Image Gallery is the correct solution for deploying virtual machines from custom images across multiple regions while maintaining consistency, version control, and efficient management.
Question 113:
You need to implement disaster recovery for Azure VMs that requires replication to a secondary region with minimal downtime. Which service should you use?
A) Azure Site Recovery
B) Azure Backup
C) Log Analytics Workspace
D) Azure Automation
Answer: A) Azure Site Recovery
Explanation:
Azure Site Recovery replicates VMs to a secondary region and supports failover with minimal downtime. Backup provides point-in-time recovery. Log Analytics collects logs. Automation runs scripts but does not replicate workloads.
To implement disaster recovery for Azure virtual machines with replication to a secondary region and minimal downtime, the appropriate service to use is Azure Site Recovery. Azure Site Recovery enables replication of VMs from a primary region to a secondary region, providing a near real-time copy of the workload. In the event of a regional outage or disaster, administrators can initiate a failover to the secondary region, ensuring business continuity with minimal downtime. This service supports both planned and unplanned failovers, allowing organizations to test disaster recovery plans without impacting production workloads. Additionally, Site Recovery manages replication policies, recovery points, and orchestrated recovery plans, enabling consistent and automated failover processes across multiple virtual machines and applications.
Azure Backup, in contrast, provides point-in-time recovery of VMs, files, and applications, but it does not support continuous replication or automated failover to a secondary region. It is primarily intended for data protection rather than disaster recovery with minimal downtime. Log Analytics Workspace collects and analyzes logs and telemetry from resources for monitoring and diagnostics but does not replicate workloads or provide failover capabilities. Azure Automation allows administrators to run scripts and automate operational tasks, but it does not provide replication or disaster recovery functionality. Therefore, Azure Site Recovery is the correct solution for ensuring highly available, replicated Azure VMs with rapid failover to a secondary region, minimizing downtime and supporting comprehensive disaster recovery planning.
Question 114:
You want to prevent accidental deletion of critical VMs but still allow all other operations. Which feature should you enable?
A) Resource Lock with CanNotDelete
B) Azure Policy
C) RBAC Contributor role
D) Azure Monitor
Answer: A) Resource Lock with CanNotDelete
Explanation:
Resource Locks with CanNotDelete prevent deletion while allowing normal VM operations. Policy enforces configuration compliance but does not prevent deletion directly. RBAC controls permissions, and Monitor only alerts on actions.
To prevent accidental deletion of critical Azure virtual machines while still allowing all other operations, the appropriate feature to enable is a Resource Lock with the CanNotDelete setting. Resource Locks provide a safeguard against unintended or accidental deletion of resources by restricting the delete action, yet they do not interfere with other management operations such as starting, stopping, or updating the virtual machines. This ensures that critical workloads remain protected while administrators and users can continue to perform normal operational tasks. Resource Locks are particularly useful in production environments or for mission-critical resources, where accidental deletion could lead to significant downtime, data loss, or operational impact.
Azure Policy is designed to enforce organizational standards and compliance rules across resources, such as requiring encryption, specific VM sizes, or tagging conventions. While Policy can audit and enforce configuration compliance, it does not inherently block deletion of resources. Assigning the RBAC Contributor role grants users full management permissions on resources except for assigning roles, which does not prevent deletion and could even allow users to accidentally remove critical VMs. Azure Monitor provides monitoring, logging, and alerting capabilities, such as notifying administrators when a delete operation is attempted, but it does not prevent the action itself. Therefore, enabling a Resource Lock with CanNotDelete is the correct solution to protect critical virtual machines from accidental deletion while allowing normal management operations, maintaining both security and operational flexibility.
Question 115:
You need to analyze billing and usage across multiple Azure subscriptions and set budgets. Which service provides this functionality?
A) Azure Cost Management + Billing
B) Azure Monitor
C) Azure Policy
D) Resource Groups
Answer: A) Azure Cost Management + Billing
Explanation:
Cost Management + Billing allows tracking usage, setting budgets, and reporting across subscriptions. Monitor tracks performance metrics. Policy enforces rules. Resource Groups organize resources but do not track costs.
To analyze billing and usage across multiple Azure subscriptions and set budgets, the appropriate service to use is Azure Cost Management + Billing. This service provides comprehensive visibility into cloud spending, enabling organizations to track resource usage, monitor costs, and allocate budgets effectively. Administrators can view detailed breakdowns of costs by subscription, resource group, or individual service, which helps identify spending patterns and areas where optimization is possible. Cost Management + Billing also allows the creation of budgets with alerts, notifying stakeholders when spending approaches or exceeds predefined thresholds. This proactive approach helps organizations control costs, avoid overspending, and plan for future cloud expenditures. Additionally, the service supports exporting reports for internal reporting, forecasting, and financial analysis, making it easier to align cloud usage with organizational financial goals.
Azure Monitor focuses on collecting telemetry, metrics, and logs from Azure resources to monitor performance and health. While it provides insights into resource utilization, it does not track cost or provide budgeting capabilities. Azure Policy enforces compliance and configuration standards across resources, such as requiring encryption, specific VM sizes, or tags, but it does not provide cost analysis or budgeting functionality. Resource Groups organize and manage related Azure resources for easier administration, access control, and lifecycle management, but they do not track usage or costs. Therefore, Azure Cost Management + Billing is the correct solution for analyzing billing, monitoring usage, and setting budgets across multiple subscriptions, ensuring financial control and operational efficiency in Azure environments.
Question 116:
You need to encrypt data at rest for Azure SQL Databases using customer-managed keys stored in Azure Key Vault. Which two services are required?
A) Azure Key Vault and Azure SQL CMK encryption
B) RBAC and Azure Monitor
C) Azure Backup and Azure Policy
D) Resource Locks and Conditional Access
Answer: A) Azure Key Vault and Azure SQL CMK encryption
Explanation:
Customer-managed keys stored in Key Vault allow control over database encryption. RBAC only manages access. Backup protects data but does not encrypt. Policy can enforce use but does not store keys.
To encrypt data at rest for Azure SQL Databases using customer-managed keys (CMKs), the two required services are Azure Key Vault and Azure SQL CMK encryption. Azure Key Vault serves as a secure storage solution for cryptographic keys, secrets, and certificates, allowing organizations to maintain full control over key lifecycle, access policies, and key rotation. By storing the customer-managed key in Key Vault, administrators can manage encryption independently of Azure’s built-in platform-managed keys, giving greater control over security and compliance requirements.
Azure SQL CMK encryption enables the SQL Database to use a customer-managed key from Key Vault to encrypt data at rest. When CMK encryption is configured, all database files, backups, and snapshots are protected using the specified key, ensuring that sensitive data remains secure and under organizational control. This approach allows businesses to meet regulatory and corporate security standards while maintaining flexibility in key management.
RBAC is used to manage permissions and access to resources but does not provide encryption capabilities. Azure Monitor tracks metrics and logs but does not secure data at rest. Azure Backup ensures recoverability of databases but does not control encryption. Azure Policy can enforce that CMK encryption is enabled but does not store or manage the keys themselves. Resource Locks prevent accidental deletion, and Conditional Access enforces authentication policies, neither of which provides encryption. Therefore, Azure Key Vault in combination with Azure SQL CMK encryption is the correct solution for implementing customer-managed encryption for SQL databases.
Question 117:
You need to track failed login attempts and potential risky sign-ins in Azure AD. Which service should you configure?
A) Azure AD Identity Protection
B) Azure Monitor Metrics
C) Azure Policy
D) Resource Locks
Answer: A) Azure AD Identity Protection
Explanation:
Identity Protection monitors risky sign-ins, failed login attempts, and unusual behavior, allowing administrators to respond to potential threats. Monitor tracks performance metrics. Policy enforces configuration. Resource Locks prevent deletion but do not track sign-ins.
To track failed login attempts and potential risky sign-ins in Azure Active Directory, the appropriate service to configure is Azure AD Identity Protection. This service provides advanced monitoring and security analytics for user sign-ins, detecting unusual or potentially risky activities such as multiple failed login attempts, sign-ins from unfamiliar locations or devices, and atypical behavior patterns that could indicate compromised accounts. Identity Protection assigns risk levels to both users and sign-ins, enabling administrators to take proactive actions, such as requiring multi-factor authentication, resetting passwords, or blocking access, based on configurable risk policies. This helps organizations reduce the likelihood of unauthorized access and ensures compliance with security and regulatory requirements.
Azure Monitor Metrics focuses on collecting performance and utilization data from Azure resources, providing insight into CPU usage, memory, network traffic, and other operational metrics. While it is valuable for monitoring resource performance, it does not provide authentication or security risk tracking for user sign-ins. Azure Policy is used to enforce organizational rules and compliance settings across resources, such as requiring encryption or tagging, but it does not monitor login activity. Resource Locks prevent accidental or malicious deletion of resources but do not offer auditing or detection capabilities for authentication events. Therefore, Azure AD Identity Protection is the correct solution for monitoring failed login attempts and risky sign-ins, enabling proactive security management and mitigation of potential threats.
Question 118:
You need to deploy a web application with automatic scaling and high availability across regions. Which combination of services is appropriate?
A) App Service with Traffic Manager and deployment slots
B) Azure VM with Resource Locks
C) Azure SQL Database with Transparent Data Encryption
D) Azure Storage with Soft Delete
Answer: A) App Service with Traffic Manager and deployment slots
Explanation:
App Service provides hosting, Traffic Manager distributes traffic across regions for high availability, and deployment slots support staged deployments. A VM with locks does not provide automatic scaling. SQL TDE secures data but does not provide application hosting or scaling. Storage Soft Delete protects data but not application traffic.
To deploy a web application with automatic scaling and high availability across regions, the appropriate combination of services is App Service with Traffic Manager and deployment slots. Azure App Service provides a fully managed platform for hosting web applications, APIs, and mobile backends, supporting automatic scaling based on metrics such as CPU utilization, memory usage, or HTTP request count. This ensures that the application can handle varying workloads without manual intervention. Deployment slots allow administrators to create separate environments for staging, testing, or pre-production, enabling seamless updates and reducing downtime when deploying new versions of the application.
Azure Traffic Manager is a DNS-based traffic load balancer that distributes user traffic across multiple regions, improving availability and responsiveness. By directing requests to the healthiest endpoint, Traffic Manager ensures that the application remains available even if a regional outage occurs. Together, App Service and Traffic Manager provide a resilient architecture with both automatic scaling and high availability across regions.
Azure Virtual Machines with Resource Locks provide compute resources and protect them from accidental deletion but do not inherently provide automatic scaling or multi-region high availability. Azure SQL Database with Transparent Data Encryption secures data at rest but does not host web applications or manage traffic distribution. Azure Storage with Soft Delete protects stored data from accidental deletion but does not handle application hosting or scaling. Therefore, using App Service with Traffic Manager and deployment slots is the correct solution for building a highly available, scalable, and resilient web application.
Question 119:
You need to restrict which Azure regions can be used for resource deployment across a subscription. Which service allows enforcement?
A) Azure Policy
B) Resource Locks
C) RBAC
D) Azure Monitor
Answer: A) Azure Policy
Explanation:
Azure Policy can restrict resource deployment to approved regions. Resource Locks prevent deletion or modification but do not control deployment locations. RBAC controls access, and Monitor tracks metrics.
To restrict which Azure regions can be used for resource deployment across a subscription, the appropriate service to use is Azure Policy. Azure Policy allows administrators to define and enforce rules that ensure resources are deployed only in approved regions, helping organizations maintain compliance with regulatory requirements, data residency policies, or corporate governance standards. When a deployment is attempted in a region that is not allowed by the policy, the request can be denied, preventing non-compliant resources from being created. This centralized enforcement ensures consistency across all subscriptions and resource groups within the scope of the policy. Additionally, Azure Policy provides auditing capabilities, allowing administrators to identify existing resources that are out of compliance and remediate them if necessary.
Resource Locks are designed to prevent accidental or unauthorized deletion or modification of resources, but they do not control where resources can be deployed. Role-Based Access Control (RBAC) manages who can perform actions on Azure resources, such as creating, modifying, or deleting resources, but it does not enforce geographic deployment restrictions. Azure Monitor collects telemetry, metrics, and logs from resources, providing insights into performance and availability, but it does not enforce policies or compliance rules. Therefore, Azure Policy is the correct solution for restricting resource deployment to specific regions, ensuring compliance and governance across the subscription while allowing controlled, auditable deployment practices.
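The allowed-locations rule described above, as an added example that is not part of the original page: a small Python evaluator over a policy definition written in Azure Policy's JSON layout, showing how the same rule produces a deny at deployment time and a compliance audit of existing resources. The policy definition, the assignment parameters and the resource inventory are constructed for illustration, and the evaluator is a simplification of Azure's policy engine, not the engine itself.

```python
# Added example, not part of the original page: a constructed, simplified evaluator
# for an Azure Policy definition restricting deployment to approved regions. It keeps
# the real definition layout (parameters / policyRule / field / notIn / effect) but is
# NOT Azure's engine; one rule yields both a deploy-time deny and a compliance audit.
import json
# Custom policy definition in Azure Policy JSON format (constructed). "global" is
# exempted because region-less resources such as Traffic Manager profiles use it.
ALLOWED_LOCATIONS_POLICY = json.loads("""
{
  "mode": "Indexed",
  "parameters": {"allowedLocations": {"type": "Array",
                 "metadata": {"displayName": "Allowed locations"}}},
  "policyRule": {
    "if": {"allOf": [
      {"field": "location", "notIn": "[parameters('allowedLocations')]"},
      {"field": "location", "notEquals": "global"}]},
    "then": {"effect": "deny"}}
}""")
def _resolve(value, params):
    # Turn a "[parameters('name')]" reference into the value set on the assignment.
    prefix, suffix = "[parameters('", "')]"
    if isinstance(value, str) and value.startswith(prefix) and value.endswith(suffix):
        return params[value[len(prefix):-len(suffix)]]
    return value
def _matches(cond, resource, params):
    # Evaluate one condition (allOf / anyOf / field operators) against a resource.
    if "allOf" in cond:
        return all(_matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_matches(c, resource, params) for c in cond["anyOf"])
    actual = resource.get(cond["field"])
    ops = {"equals": lambda a, v: a == v, "notEquals": lambda a, v: a != v,
           "in": lambda a, v: a in v, "notIn": lambda a, v: a not in v}
    for op, fn in ops.items():
        if op in cond:
            return fn(actual, _resolve(cond[op], params))
    raise ValueError(f"unsupported condition: {cond}")
def evaluate(policy, params, resource):
    # Effect applied to a deployment request: the rule's effect when it matches, else "allowed".
    rule = policy["policyRule"]
    return rule["then"]["effect"] if _matches(rule["if"], resource, params) else "allowed"
def non_compliant(policy, params, resources):
    # Compliance scan: names of existing resources the same rule flags.
    return [r["name"] for r in resources if evaluate(policy, params, r) != "allowed"]
ASSIGNMENT_PARAMS = {"allowedLocations": ["westeurope", "northeurope"]}  # constructed
SAMPLE_RESOURCES = [  # constructed inventory
    {"name": "vm-web-01", "type": "Microsoft.Compute/virtualMachines", "location": "westeurope"},
    {"name": "vm-db-01", "type": "Microsoft.Compute/virtualMachines", "location": "eastus"},
    {"name": "tm-profile", "type": "Microsoft.Network/trafficManagerProfiles", "location": "global"}]
```

Switching the effect from deny to audit leaves the match logic unchanged; only the action taken on a matching resource differs, which is why the same definition serves both enforcement and the compliance report.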
Question 120:
You need to ensure high availability for a multi-tier application deployed in Azure by distributing VMs across separate physical locations in a region. Which feature should you implement?
A) Availability Zones
B) Availability Sets
C) VM Scale Sets
D) Resource Groups
Answer: A) Availability Zones
Explanation:
Availability Zones provide physically separate datacenters within a region to host VMs for high availability. Availability Sets provide fault domain protection within one datacenter. VM Scale Sets handle scaling, and Resource Groups organize resources.
To ensure high availability for a multi-tier application deployed in Azure, distributing virtual machines across separate physical locations within a region, the appropriate feature to implement is Availability Zones. Availability Zones are physically separate datacenters within a single Azure region, each with independent power, cooling, and networking. By deploying VMs across multiple Availability Zones, applications can withstand datacenter-level failures, ensuring that if one zone experiences an outage, workloads in other zones continue to operate without interruption. This architecture provides higher resilience and meets stringent uptime requirements for mission-critical applications.
Availability Sets, in contrast, provide fault and update domain protection within a single datacenter. They help mitigate localized hardware failures or maintenance events but do not protect against a complete datacenter outage. VM Scale Sets allow automatic scaling of multiple identical virtual machines to handle changing workloads, improving performance and resource efficiency, but they do not inherently provide physical separation across datacenters. Resource Groups are logical containers for organizing and managing Azure resources, simplifying administration, access control, and lifecycle management, but they do not contribute directly to high availability or fault isolation.
By combining Availability Zones with proper network and load balancing configurations, administrators can build highly resilient multi-tier applications. Each tier of the application—such as web, application, and database—can be deployed across zones, ensuring redundancy and minimal downtime. Therefore, implementing Availability Zones is the correct solution for achieving high availability through physical separation within an Azure region while maintaining application performance and reliability.