Microsoft AZ-104 Microsoft Azure Administrator Exam Dumps and Practice Test Questions Set 7 Q121-140


Question 121: 

You need to configure Azure Storage to allow only traffic from specific virtual networks while denying all other access. Which feature should you use?

A) Service Endpoints
B) Private Endpoint
C) Network Security Group
D) Route Table

Answer: B) Private Endpoint

Explanation: 

Private Endpoint allows private connectivity from specific virtual networks to an Azure Storage account, assigning a private IP within the VNet. Service Endpoints extend network access but still use public IPs. NSGs filter traffic but do not provide private access. Route Tables manage routing, not access control.

To configure Azure Storage so that only traffic from specific virtual networks is allowed while denying all other access, the most appropriate feature is a Private Endpoint. A Private Endpoint provides a secure and private connection to an Azure Storage account by assigning a private IP address from within the selected virtual network. This ensures that the storage account is accessible only through the private IP and effectively isolates it from public internet access, enhancing security and compliance.

Service Endpoints, on the other hand, extend the network boundary of a virtual network to the Azure service, allowing traffic from selected subnets to reach the storage account over the public IP space. While Service Endpoints provide subnet-level access control, the traffic still flows over the public network, which does not offer the same level of isolation as Private Endpoints.

Network Security Groups (NSGs) are designed to filter inbound and outbound traffic at the subnet or network interface level. NSGs can enforce access rules but cannot assign private connectivity directly to an Azure Storage account.

Route Tables define the routing paths for network traffic, controlling how packets are directed through the virtual network. They manage traffic flow but do not restrict access to services based on private connectivity.

Therefore, for secure, private access restricted to specific virtual networks, a Private Endpoint is the correct choice.

Question 122: 

You are tasked with replicating an on-premises Hyper-V VM to Azure for disaster recovery purposes. Which Azure service should you use?

A) Azure Site Recovery
B) Azure Backup
C) Azure Monitor
D) Azure Automation

Answer: A) Azure Site Recovery

Explanation: 

Azure Site Recovery continuously replicates on-premises VMs to Azure, enabling failover to the cloud. Backup provides point-in-time recovery. Monitor collects telemetry and logs. Automation runs scripts but does not replicate workloads.

To replicate an on-premises Hyper-V virtual machine to Azure for disaster recovery, the appropriate service to use is Azure Site Recovery. Azure Site Recovery is designed to provide continuous replication of on-premises virtual machines to Azure, ensuring that your workloads are protected and can be quickly failed over to the cloud in the event of an outage or disaster. This service helps maintain business continuity by keeping a near real-time copy of your VM in Azure, minimizing downtime and data loss during unplanned interruptions.

Azure Backup, while important for data protection, provides point-in-time recovery of files, folders, or entire virtual machines, but it does not offer continuous replication or failover capabilities. It is primarily intended for restoring data after accidental deletion, corruption, or other localized failures rather than for full disaster recovery scenarios.

Azure Monitor collects telemetry data, metrics, and logs from applications and infrastructure. It helps monitor the health and performance of resources, detect anomalies, and generate alerts, but it does not replicate or recover virtual machines.

Azure Automation is a service that allows you to run scripts, automate operational tasks, and manage resources efficiently, but it does not handle the replication or failover of workloads.

Therefore, for continuous replication of on-premises Hyper-V VMs and enabling seamless failover to Azure during disasters, Azure Site Recovery is the correct solution.

Question 123: 

You need to enforce encryption at rest for all Azure managed disks in your subscription. Which Azure feature allows this enforcement?

A) Azure Policy
B) Resource Lock
C) RBAC
D) Azure Monitor

Answer: A) Azure Policy

Explanation: 

Azure Policy can require all managed disks to use encryption, either with platform-managed keys or customer-managed keys. Resource Locks prevent deletion, RBAC controls access, and Monitor tracks metrics but does not enforce encryption.

To enforce encryption at rest for all Azure managed disks within a subscription, the appropriate feature to use is Azure Policy. Azure Policy allows administrators to define and enforce rules across Azure resources to ensure compliance with organizational or regulatory requirements. By creating a policy that requires all managed disks to use encryption, you can ensure that new and existing disks adhere to this standard. The policy can enforce the use of either platform-managed keys, which are automatically managed by Azure, or customer-managed keys, which give organizations full control over encryption keys stored in Azure Key Vault. This ensures data at rest is always encrypted and secure, reducing the risk of unauthorized access or data breaches.

Resource Locks, while useful for preventing accidental deletion or modification of critical resources, do not enforce security configurations such as encryption. They only restrict operations like deletion or update.

Role-Based Access Control, or RBAC, controls who can perform actions on Azure resources by assigning roles and permissions. Although it helps secure access, it does not enforce configuration policies like encryption.

Azure Monitor collects metrics, logs, and diagnostic information from resources, enabling monitoring and alerting. It does not have the ability to enforce security standards or ensure encryption compliance.

Therefore, for enforcing encryption at rest across all managed disks in a subscription, Azure Policy is the correct choice.

Question 124: 

You want to ensure that only corporate-approved devices can access Azure resources. Which feature provides this capability?

A) Conditional Access with device compliance
B) Azure AD Privileged Identity Management
C) Azure Policy
D) Resource Locks

Answer: A) Conditional Access with device compliance

Explanation: 

Conditional Access can enforce that only compliant devices or devices meeting organizational requirements can sign in. PIM manages elevated privileges. Policy enforces resource configuration, and Resource Locks prevent deletion but do not control access.

To ensure that only corporate-approved devices can access Azure resources, the recommended feature is Conditional Access with device compliance. Conditional Access policies allow organizations to define specific access requirements for users and devices, ensuring that only devices meeting corporate security standards can authenticate and access resources. By integrating with Microsoft Intune or other device management solutions, Conditional Access can verify device compliance based on factors such as operating system version, encryption status, or the presence of security software. If a device does not meet these requirements, access to Azure applications and resources can be blocked or restricted, helping to maintain security and reduce the risk of unauthorized access.

Azure AD Privileged Identity Management, or PIM, is focused on managing and controlling elevated privileges for administrative accounts. It helps enforce just-in-time access, approval workflows, and monitoring of privileged actions but does not enforce device compliance for regular user access.

Azure Policy is designed to enforce rules on resource configurations, such as requiring encryption or tagging, but it does not control which devices can access Azure resources.

Resource Locks prevent accidental deletion or modification of critical resources, ensuring operational safety, but they do not govern authentication or access based on device compliance.

Therefore, Conditional Access with device compliance is the correct solution for restricting Azure resource access to corporate-approved devices while maintaining security and compliance standards.

Question 125: 

You need to recover an Azure SQL Database to a previous point in time due to accidental data deletion. Which feature should you use?

A) Point-in-time restore
B) Geo-restore
C) Active Geo-Replication
D) Transparent Data Encryption

Answer: A) Point-in-time restore

Explanation: 

Point-in-time restore allows recovery of a database to a specific time within the retention period. Geo-restore restores to a different region in case of disaster. Active Geo-Replication provides read-only replicas for failover. Transparent Data Encryption encrypts data at rest but does not restore it.

To recover an Azure SQL Database to a previous point in time due to accidental data deletion or corruption, the appropriate feature to use is point-in-time restore. This feature allows you to restore a database to a specific moment within the retention period, which is typically configured based on your service tier and backup settings. By selecting the desired timestamp, point-in-time restore creates a new database instance with the data state as it existed at that moment, enabling recovery from accidental deletions, updates, or other undesired changes without affecting the current database. This ensures minimal data loss and helps maintain business continuity.

Geo-restore, in contrast, is designed for disaster recovery scenarios where an entire Azure region is unavailable. It allows you to restore a database to a different region using geo-replicated backups, but it does not provide the granular ability to recover to a specific point in time within the primary database’s retention period.

Active Geo-Replication enables creating readable secondary replicas of the primary database in the same or different regions. While it supports failover and high availability, it primarily provides redundancy rather than targeted point-in-time recovery.

Transparent Data Encryption ensures that your database files are encrypted at rest to protect against unauthorized access. However, it does not offer any data restoration capabilities.

Therefore, to recover from accidental data loss to a specific moment, point-in-time restore is the correct solution.

Question 126: 

You need to limit external access to Azure Storage accounts while allowing internal application servers to communicate. Which configuration should you implement?

A) Private Endpoints with virtual network integration
B) Public IP filtering
C) Network Security Group on storage account
D) Route Table

Answer: A) Private Endpoints with virtual network integration

Explanation: 

Private Endpoints allow storage accounts to be accessed privately from within VNets, restricting internet access. Public IP filtering is less secure and limited. NSGs and route tables control traffic at the subnet or NIC level but cannot provide service-specific private access.

To limit external access to Azure Storage accounts while allowing internal application servers to communicate, the recommended configuration is to use private endpoints with virtual network integration. A private endpoint assigns a private IP address from a virtual network to the storage account, enabling secure, private connectivity from resources within the VNet. This ensures that all traffic between the storage account and internal application servers stays within the Microsoft backbone network, effectively isolating it from the public internet and reducing exposure to potential security threats. With this setup, external users cannot access the storage account over the internet, while authorized internal applications can continue to communicate seamlessly.

Public IP filtering allows restricting access based on IP address ranges, but it relies on the storage account still being accessible over the public internet. This approach is less secure, as it can be bypassed if IP addresses are spoofed or if the filtering rules are not carefully maintained.

Network Security Groups control inbound and outbound traffic at the subnet or network interface level. While they can filter traffic for virtual machines and subnets, they cannot enforce service-specific private access to an Azure Storage account.

Route Tables manage routing paths for network traffic, determining how packets move within and between networks. They do not provide access control or private connectivity for storage services.

Therefore, using private endpoints with virtual network integration is the most secure and effective solution to limit external access while allowing internal communication.

Question 127: 

You are designing a multi-tier application in Azure and need automatic failover for VMs across physical locations in a single region. Which feature should you use?

A) Availability Zones
B) Availability Sets
C) VM Scale Sets
D) Resource Groups

Answer: A) Availability Zones

Explanation: 

Availability Zones are physically separate datacenters within a region and ensure that VMs can withstand a datacenter failure. Availability Sets provide redundancy within a single datacenter. VM Scale Sets handle scaling. Resource Groups organize resources.

When designing a multi-tier application in Azure that requires automatic failover for virtual machines across physical locations within a single region, the appropriate feature to use is Availability Zones. Availability Zones are physically separate datacenters within an Azure region, each with independent power, networking, and cooling. By deploying VMs across multiple Availability Zones, you ensure that your application can continue operating even if one datacenter experiences a failure. This provides high availability and fault tolerance at the regional level, reducing the risk of downtime due to localized hardware or infrastructure issues.

Availability Sets, in contrast, provide redundancy within a single datacenter by distributing VMs across fault domains and update domains. This protects against hardware failures and planned maintenance within that datacenter but does not provide resilience against a complete datacenter outage.

VM Scale Sets are designed to automatically scale the number of VMs based on demand. They are ideal for handling workload fluctuations and ensuring application performance but do not inherently provide failover across separate physical locations.

Resource Groups are logical containers used to organize and manage Azure resources collectively. While they help with management, monitoring, and access control, they do not provide redundancy or failover capabilities.

Therefore, for high availability and automatic failover across different physical locations within a single region, deploying VMs in Availability Zones is the correct solution.

Question 128: 

You need to automate patching for all Windows VMs in your subscription. Which service should you use?

A) Azure Automation Update Management
B) Azure Policy
C) RBAC
D) Azure Monitor

Answer: A) Azure Automation Update Management

Explanation: 

Update Management allows scheduling of automatic patching for Windows and Linux VMs, providing compliance reports. Policy enforces configuration but does not install updates. RBAC controls access. Monitor tracks performance metrics.

To automate patching for all Windows virtual machines in an Azure subscription, the appropriate service to use is Azure Automation Update Management. This service enables administrators to schedule and manage updates for both Windows and Linux VMs across multiple subscriptions. Update Management provides the ability to define maintenance windows, approve updates, and monitor compliance, ensuring that all virtual machines remain up to date with the latest security patches and software fixes. By automating the patching process, organizations can reduce the risk of vulnerabilities and maintain operational stability without requiring manual intervention on each VM.

Azure Policy is a service designed to enforce compliance and resource configuration standards across an Azure environment. While it can ensure that VMs have Update Management enabled, it does not actually perform the installation of updates.

Role-Based Access Control, or RBAC, is used to manage permissions and access to Azure resources. It allows administrators to define who can perform certain actions but does not provide patching or update capabilities.

Azure Monitor collects telemetry data, metrics, and logs from virtual machines and other resources, enabling alerting and performance analysis. Although it helps in monitoring update status indirectly, it does not automate the installation of updates or patches.

Therefore, to automate and manage patching for all Windows VMs, Azure Automation Update Management is the correct solution.

Question 129: 

You need to grant a user the ability to assign RBAC roles to other users but not allow them to manage resources. Which role should you assign?

A) User Access Administrator
B) Owner
C) Contributor
D) Reader

Answer: A) User Access Administrator

Explanation: 

User Access Administrator can assign or remove roles for resources without managing the resources themselves. Owner has full control, Contributor can manage resources but not assign roles, and Reader has view-only permissions.

To grant a user the ability to assign Role-Based Access Control roles to other users without giving them permission to manage resources, the appropriate role to assign is User Access Administrator. This role allows a user to manage access to Azure resources by assigning, modifying, or removing RBAC roles for other users, groups, or service principals. Importantly, it does not grant the ability to create, modify, or delete the actual resources, so the user can control access while maintaining the security and integrity of the environment. This is useful in scenarios where separation of duties is required, allowing access management without granting operational control.

The Owner role provides full administrative control over resources, including the ability to manage access, create, modify, or delete resources. Assigning this role would give more permissions than required and could pose security risks if the user does not need full resource management capabilities.

The Contributor role allows a user to create, update, and delete resources, but it does not provide permissions to assign or remove roles for other users. This makes it unsuitable for managing access while restricting resource control.

The Reader role provides view-only access to resources. Users with this role can see configurations and monitor resources but cannot make changes or assign roles, making it insufficient for managing access.

Therefore, for controlling RBAC assignments without managing resources, User Access Administrator is the correct choice.

Question 130: 

You need to replicate an Azure SQL Database to a secondary region while allowing read-only access to the replica. Which feature should you implement?

A) Active Geo-Replication
B) Point-in-time restore
C) Geo-restore
D) Transparent Data Encryption

Answer: A) Active Geo-Replication

Explanation: 

Active Geo-Replication allows an Azure SQL Database to be replicated to a secondary region with the secondary database available for read-only queries. Point-in-time restore provides historical recovery. Geo-restore is for disaster recovery. TDE encrypts data at rest but does not replicate.

To replicate an Azure SQL Database to a secondary region while allowing read-only access to the replica, the appropriate feature to use is Active Geo-Replication. This feature enables the creation of up to four readable secondary databases in the same or different regions. The secondary databases are continuously synchronized with the primary database, ensuring that data is consistently up to date. Active Geo-Replication provides high availability and disaster recovery capabilities while allowing applications to run read-only workloads, such as reporting or analytics, on the secondary database without impacting the performance of the primary database. In the event of a regional outage, the secondary database can be promoted to become the new primary, minimizing downtime and ensuring business continuity.

Point-in-time restore is designed for recovering a database to a specific point in time within its retention period. While it allows recovery from accidental data loss or corruption, it does not provide continuous replication or read-only access to another region.

Geo-restore enables restoring a database to a different region using geo-replicated backups. This is primarily used for disaster recovery if the primary region fails, but it does not allow a continuously updated read-only replica to be queried.

Transparent Data Encryption ensures that database files are encrypted at rest to protect against unauthorized access. However, it does not offer replication or read-only access capabilities.

Therefore, for replicating an Azure SQL Database to a secondary region with read-only access, Active Geo-Replication is the correct solution.

Question 131: 

You need to monitor performance metrics and trigger alerts if an Azure VM exceeds 80 percent CPU usage. Which service should you configure?

A) Azure Monitor with metric alerts
B) Azure Policy
C) Resource Locks
D) RBAC

Answer: A) Azure Monitor with metric alerts

Explanation: 

Azure Monitor collects performance metrics and allows configuration of alerts based on thresholds such as CPU or memory usage. Policy enforces compliance. Resource Locks prevent deletion. RBAC controls permissions.

To monitor performance metrics of an Azure virtual machine and trigger alerts if CPU usage exceeds a specific threshold, the appropriate service to use is Azure Monitor with metric alerts. Azure Monitor collects telemetry data, including CPU, memory, disk, and network metrics, from Azure resources. By configuring metric alerts, you can set thresholds, such as 80 percent CPU usage, and define actions to take when the threshold is exceeded, such as sending email notifications, triggering Logic Apps, or executing automated remediation tasks. This enables proactive monitoring, ensuring that potential performance issues are detected and addressed before they impact applications or users.

Azure Policy is used to enforce compliance and configuration standards across resources, such as ensuring encryption is enabled or resources are tagged correctly. While it helps maintain governance, it does not provide real-time performance monitoring or alerting capabilities.

Resource Locks are designed to prevent accidental deletion or modification of critical resources. They ensure operational safety but do not collect performance metrics or trigger alerts.

Role-Based Access Control, or RBAC, manages permissions and determines who can perform actions on Azure resources. It controls access but does not provide monitoring, metrics collection, or alerting functionality.

Therefore, to monitor CPU usage and respond when thresholds are exceeded, configuring Azure Monitor with metric alerts is the correct solution.

Question 132: 

You need to ensure that all Azure Storage accounts in a subscription use HTTPS. Which service allows you to enforce this requirement?

A) Azure Policy
B) Resource Lock
C) RBAC
D) Azure Monitor

Answer: A) Azure Policy

Explanation: 

Azure Policy can enforce that all storage accounts require secure transfer (HTTPS). Resource Locks prevent deletion. RBAC controls access but does not enforce settings. Monitor tracks metrics but does not enforce compliance.

To ensure that all Azure Storage accounts in a subscription require HTTPS for secure communication, the appropriate service to use is Azure Policy. Azure Policy allows administrators to define and enforce rules across resources to maintain compliance with organizational standards or regulatory requirements. By creating a policy that requires secure transfer, all storage accounts can be configured to only accept HTTPS connections, preventing insecure HTTP access. This ensures that data in transit between clients and the storage accounts is encrypted, enhancing security and reducing the risk of data interception or unauthorized access. Policies can be assigned at the subscription, resource group, or individual resource level, providing flexibility in enforcement.

Resource Locks are designed to prevent accidental deletion or modification of critical resources. While they protect resources from unintended changes, they do not enforce security configurations or control communication protocols such as HTTPS.

Role-Based Access Control, or RBAC, manages who has permission to perform specific actions on Azure resources. It controls access levels for users, groups, and applications, but it does not enforce configuration settings like secure transfer.

Azure Monitor collects telemetry, metrics, and logs from resources to track performance, usage, and health. While it provides insights into compliance and operational issues, it does not enforce configuration policies.

Therefore, to enforce HTTPS for all Azure Storage accounts, Azure Policy is the correct solution.
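As an added illustration (not part of the original question set), this is a custom Azure Policy definition of the kind the explanation describes: it targets storage accounts whose secure-transfer property is missing or false and applies a parameterized effect, so the same definition can be assigned as Audit first and switched to Deny once compliance is confirmed. The display name and parameter name are ours; the resource type and the `supportsHttpsTrafficOnly` alias are Azure's.

```json
{
  "properties": {
    "displayName": "Storage accounts must require secure transfer (HTTPS)",
    "mode": "Indexed",
    "parameters": {
      "effect": {
        "type": "String",
        "allowedValues": [ "Audit", "Deny" ],
        "defaultValue": "Deny",
        "metadata": {
          "description": "Audit reports non-compliant accounts; Deny blocks their creation or update."
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
          {
            "anyOf": [
              { "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "exists": "false" },
              { "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "equals": "false" }
            ]
          }
        ]
      },
      "then": { "effect": "[parameters('effect')]" }
    }
  }
}
```

Deny only stops new or updated resources; accounts that were already non-compliant when the policy was assigned show up in the compliance report and must be remediated separately.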

Question 133: 

You are tasked with collecting centralized logs from multiple Azure subscriptions for auditing and reporting. Which service should you use?

A) Log Analytics Workspace
B) Azure Monitor Metrics
C) Azure Policy
D) Azure Automation

Answer: A) Log Analytics Workspace

Explanation: 

Log Analytics Workspace allows collection and querying of logs from multiple subscriptions and resources. Monitor Metrics tracks resource performance. Policy enforces compliance. Automation executes scripts but does not centralize logs.

To collect centralized logs from multiple Azure subscriptions for auditing and reporting purposes, the appropriate service to use is a Log Analytics Workspace. A Log Analytics Workspace provides a centralized repository where logs and telemetry from multiple Azure resources, subscriptions, and even on-premises systems can be collected, stored, and queried. By using a single workspace, organizations can perform advanced queries, generate reports, and create dashboards to monitor activities and ensure compliance across all resources. It supports collecting data from a wide variety of sources, including Azure Activity Logs, diagnostic logs, security events, and custom application logs, making it ideal for auditing and operational analysis.

Azure Monitor Metrics, in contrast, focuses on collecting numerical performance data, such as CPU usage, memory utilization, or disk I/O, and allows creating alerts based on thresholds. While it is useful for monitoring system health, it is not designed for centralized log collection and detailed auditing.

Azure Policy enforces compliance and configuration standards across resources, such as requiring encryption or tagging, but it does not collect or centralize log data.

Azure Automation allows for the creation and execution of scripts to automate administrative tasks, including maintenance or resource management, but it does not provide a centralized logging solution for auditing or reporting purposes.

Therefore, for aggregating and analyzing logs across multiple subscriptions, a Log Analytics Workspace is the correct solution.

Question 134: 

You need to implement a VM that automatically scales based on queue length in Azure Storage. Which solution should you use?

A) VM Scale Sets with autoscale rules
B) Azure Automation
C) Azure Policy
D) Resource Locks

Answer: A) VM Scale Sets with autoscale rules

Explanation: 

VM Scale Sets can scale out or in based on custom metrics, including queue length or application load. Automation can run scripts but does not automatically scale based on metrics. Policy enforces configuration. Resource Locks prevent deletion but do not scale resources.

To implement a virtual machine that automatically scales based on the queue length in Azure Storage, the appropriate solution is VM Scale Sets with autoscale rules. VM Scale Sets allow you to deploy and manage a set of identical VMs that can automatically increase or decrease in number based on defined metrics or schedules. By configuring autoscale rules, you can monitor custom metrics such as the length of a storage queue, CPU utilization, or other application-specific indicators. When the queue length exceeds a defined threshold, additional VMs can be provisioned to handle the increased workload. Conversely, when the workload decreases, the scale set can reduce the number of VMs to optimize costs. This ensures that your application maintains performance and responsiveness while efficiently using resources.

Azure Automation can execute scripts to perform maintenance, updates, or operational tasks on resources, but it does not provide automatic scaling based on real-time metrics like queue length.

Azure Policy enforces organizational standards and compliance rules, such as requiring encryption or tagging for resources, but it does not control the scaling behavior of VMs.

Resource Locks are designed to prevent accidental deletion or modification of critical resources. They ensure resource safety but do not provide any mechanism for scaling or adjusting capacity automatically.

Therefore, for automatic scaling of VMs based on storage queue metrics, VM Scale Sets with autoscale rules is the correct solution.

Question 135: 

You want to restrict which Azure regions can be used for VM deployment in a subscription. Which feature allows this enforcement?

A) Azure Policy
B) RBAC
C) Resource Locks
D) Azure Monitor

Answer: A) Azure Policy

Explanation: 

Azure Policy can restrict deployment to specific regions, ensuring compliance with corporate guidelines. RBAC controls access but not deployment locations. Resource Locks prevent deletion or modification. Monitor tracks metrics but does not enforce locations.

To restrict which Azure regions can be used for virtual machine deployment in a subscription, the appropriate feature to use is Azure Policy. Azure Policy allows administrators to define and enforce rules that govern resource configurations and deployment locations. By creating a policy that specifies allowed regions for VM deployment, organizations can ensure that all virtual machines are provisioned only in approved locations, helping meet regulatory, compliance, or internal corporate guidelines. Policies can be assigned at the subscription, resource group, or management group level, providing flexibility and centralized governance. When a deployment attempt violates the policy, it can either be blocked or audited, depending on how the policy is configured.

Role-Based Access Control, or RBAC, manages who can perform actions on Azure resources by assigning roles and permissions to users, groups, or service principals. While it controls access, it does not enforce where resources can be deployed.

Resource Locks are used to prevent accidental deletion or modification of critical resources. They ensure resource stability but do not restrict deployment locations or configurations.

Azure Monitor collects metrics, logs, and telemetry from Azure resources, enabling monitoring, alerting, and analysis. Although it helps track resource activity, it does not enforce deployment constraints or compliance rules.

Therefore, to ensure virtual machines are only deployed in specific regions, Azure Policy is the correct solution.
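As an added illustration (not part of the original question set), this custom Azure Policy definition restricts virtual machine deployments to an approved region list, as the explanation describes: the rule matches VM resources whose `location` is not in the parameter and denies the deployment. The display name and parameter name are ours, and the default region list is a placeholder to be replaced by the organization's approved regions; `strongType: location` makes the portal offer a region picker when the policy is assigned.

```json
{
  "properties": {
    "displayName": "Virtual machines may only be deployed to approved regions",
    "mode": "Indexed",
    "parameters": {
      "allowedLocations": {
        "type": "Array",
        "metadata": {
          "description": "Regions in which virtual machines may be created (placeholder default, replace on assignment).",
          "strongType": "location"
        },
        "defaultValue": [ "westeurope", "northeurope" ]
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
          { "field": "location", "notIn": "[parameters('allowedLocations')]" }
        ]
      },
      "then": { "effect": "deny" }
    }
  }
}
```

Changing the effect to `audit` turns the same rule into a report-only control, which is the audited behaviour the explanation mentions; assigning the definition at a management group applies it to every subscription beneath it.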

Question 136: 

You need to allow external business partners to access a subset of Azure resources without giving full subscription access. Which solution should you implement?

A) Azure AD Guest Users
B) Azure AD B2C
C) Privileged Identity Management
D) Conditional Access

Answer: A) Azure AD Guest Users

Explanation: 

Guest Users allow external partners limited access to selected resources. B2C is for customer-facing applications. PIM manages temporary elevated privileges. Conditional Access enforces sign-in conditions.

To allow external business partners to access a subset of Azure resources without granting full subscription access, the appropriate solution is Azure AD Guest Users. Azure AD Guest Users enable organizations to invite external users into their Azure Active Directory tenant, providing them with limited access to specific resources such as applications, SharePoint sites, or virtual machines. Guest users are managed similarly to internal users but can be assigned only the roles or permissions necessary for their tasks. This approach allows secure collaboration with partners while maintaining control over sensitive data and overall subscription access. Access can be further restricted using group memberships, role assignments, and conditional access policies, ensuring that external users can perform only the actions required for their collaboration.

Azure AD B2C is primarily designed for managing customer identities in consumer-facing applications. It enables authentication and registration for end-users outside the organization but is not intended for business partner collaboration within an enterprise environment.

Privileged Identity Management, or PIM, manages temporary elevated access for internal users with administrative roles. It provides just-in-time privilege activation but does not facilitate controlled access for external users.

Conditional Access enforces security requirements such as multi-factor authentication or location-based restrictions during sign-in. While it can enhance security for guest users, it does not provide access by itself.

Therefore, Azure AD Guest Users is the correct solution for granting controlled access to external partners.

Question 137: 

You need to restore a deleted Azure Key Vault and its secrets within a retention period. Which configuration supports this?

A) Soft Delete with Purge Protection
B) Resource Lock
C) Azure Policy
D) RBAC

Answer: A) Soft Delete with Purge Protection

Explanation: 

Soft Delete retains deleted Key Vaults and secrets for a retention period, and Purge Protection prevents permanent deletion until retention expires. Resource Locks prevent deletion proactively. Policy enforces settings. RBAC controls access.

To restore a deleted Azure Key Vault and its secrets within a retention period, the appropriate configuration is Soft Delete with Purge Protection. Soft Delete ensures that when a Key Vault or its secrets are deleted, they are not permanently removed immediately. Instead, they are retained in a recoverable state for a configurable retention period, allowing administrators to restore the Key Vault and all associated secrets if deletion was accidental or premature. Purge Protection complements Soft Delete by preventing the Key Vault or its secrets from being permanently deleted until the retention period expires. This provides an additional layer of protection against malicious or accidental permanent deletion, ensuring critical secrets and keys are recoverable.

Resource Locks are used to prevent accidental deletion or modification of resources by applying read-only or delete locks. While they help safeguard resources proactively, they do not allow recovery of resources once deletion has occurred.

Azure Policy is used to enforce organizational rules and compliance across resources, such as requiring encryption, tagging, or specific configurations. Policies do not provide recovery capabilities for deleted resources.

Role-Based Access Control, or RBAC, manages who has permission to perform actions on resources by assigning roles and privileges. RBAC ensures secure access but does not control recovery or retention of deleted Key Vaults.

Therefore, to enable restoration of deleted Key Vaults and secrets within a retention period, Soft Delete with Purge Protection is the correct solution.

Question 138:

You are designing a solution where on-premises users authenticate to Azure AD without passwords being stored in the cloud. Which service should you implement?

A) Pass-through Authentication
B) Password Hash Synchronization
C) Azure AD B2C
D) Conditional Access

Answer: A) Pass-through Authentication

Explanation: 

Pass-through Authentication allows authentication against on-premises Active Directory without storing passwords in Azure AD. Password Hash Synchronization stores hashes in Azure AD. B2C is for external customer identities. Conditional Access enforces policies but does not authenticate users.

To enable on-premises users to authenticate to Azure AD without storing passwords in the cloud, the appropriate solution is Pass-through Authentication. Pass-through Authentication allows users to sign in to Azure AD using their on-premises credentials, with authentication requests securely validated against the on-premises Active Directory. This ensures that passwords are never stored or replicated in the cloud, maintaining compliance with organizational security policies and reducing the risk of credential exposure. It provides a seamless sign-in experience for users while allowing organizations to maintain control over authentication processes.

Password Hash Synchronization, in contrast, synchronizes a hash of users' passwords from the on-premises Active Directory to Azure AD. While it allows users to authenticate with the same credentials in the cloud, it involves storing password hashes in Azure AD, which does not meet the requirement of avoiding cloud storage of passwords.

Azure AD B2C is designed for managing identities of external customers and providing authentication for consumer-facing applications. It is not intended for integrating on-premises corporate user authentication with Azure AD.

Conditional Access enforces policies such as multi-factor authentication, device compliance, or location-based restrictions. While it enhances security, it does not perform authentication or prevent passwords from being stored in the cloud.

Therefore, to allow on-premises authentication without storing passwords in Azure AD, Pass-through Authentication is the correct solution.

Question 139: 

You need to enforce that all Azure SQL Databases in your subscription have auditing enabled automatically. Which service should you use?

A) Azure Policy with remediation
B) RBAC
C) Resource Lock
D) Azure Monitor

Answer: A) Azure Policy with remediation

Explanation: 

Azure Policy can detect non-compliant SQL Databases and trigger automated remediation to enable auditing. RBAC controls permissions. Resource Locks prevent deletion but do not enforce auditing. Monitor tracks metrics but does not remediate compliance.

To enforce that all Azure SQL Databases in a subscription have auditing enabled automatically, the appropriate service to use is Azure Policy with remediation. Azure Policy allows administrators to define rules that ensure resources comply with organizational or regulatory requirements. By creating a policy that requires auditing to be enabled on all SQL Databases, any non-compliant databases can be automatically detected. With remediation tasks configured, Azure Policy can also apply the necessary settings to enable auditing without manual intervention, ensuring that all databases remain compliant consistently. This approach simplifies governance, improves security, and helps meet compliance requirements by maintaining visibility and control over critical database configurations.

Role-Based Access Control, or RBAC, manages who can perform actions on Azure resources by assigning roles and permissions. While RBAC can restrict who can modify SQL Databases, it does not enforce configuration settings like auditing across all resources.

Resource Locks are used to prevent accidental deletion or modification of critical resources by applying read-only or delete locks. They ensure resource stability but do not enforce auditing or other compliance settings.

Azure Monitor collects metrics, logs, and telemetry from resources to track performance, availability, and health. Although it can help observe whether auditing is enabled, it does not provide enforcement or automatic remediation.

Therefore, to ensure automatic enforcement of auditing on all SQL Databases, Azure Policy with remediation is the correct solution.

Question 140: 

You need to ensure that multiple VMs can communicate privately with an Azure Storage account over the Azure backbone network. Which solution should you implement?

A) Private Endpoint
B) Public IP
C) Network Security Group
D) Route Table

Answer: A) Private Endpoint

Explanation: 

Private Endpoints assign a private IP within the VNet for secure communication with services such as Storage. Public IP exposes the service to the internet. NSGs filter traffic at subnet or VM level. Route Tables control routing paths but do not secure service access.

To ensure that multiple virtual machines can communicate privately with an Azure Storage account over the Azure backbone network, the appropriate solution is a Private Endpoint. A Private Endpoint assigns a private IP address from within a virtual network to the storage account, enabling secure, private connectivity for all resources in that VNet. This ensures that traffic between the virtual machines and the storage account remains entirely within the Microsoft Azure backbone network, eliminating exposure to the public internet and reducing the risk of unauthorized access or interception. Private Endpoints also allow integration with multiple subnets and can be combined with DNS configurations to resolve the storage account’s private IP within the network, making it seamless for applications to access storage securely.

Using a public IP exposes the storage account to the internet, which can increase the attack surface and does not guarantee private communication between VMs and the storage account.

Network Security Groups, or NSGs, are used to filter inbound and outbound traffic at the subnet or VM level. While they provide network-level access control, they do not create a private connection to Azure services and cannot enforce private traffic to a storage account.

Route Tables manage how traffic is routed within a virtual network or to external networks. They control the path of packets but do not provide security or private access to Azure services.

Therefore, to enable private and secure communication between multiple VMs and a storage account, implementing a Private Endpoint is the correct solution.
