Microsoft AZ-104 Microsoft Azure Administrator Exam Dumps and Practice Test Questions Set 2 Q21-40


Question 21: 

You are deploying an Azure Kubernetes Service (AKS) cluster. You need to ensure that only authorized developers can deploy containers to the cluster. Which Azure feature should you use?

A) Azure AD Role-Based Access Control (RBAC)
B) Azure Policy
C) Network Security Groups (NSG)
D) Azure Firewall

Answer: A) Azure AD Role-Based Access Control (RBAC)

Explanation:

Azure AD integration lets AKS authenticate users with directory identities, and RBAC then decides what those identities may do. Be precise about which RBAC layer grants the deployment right: the built-in Azure Kubernetes Service Cluster User Role only allows a user to fetch a kubeconfig (the listClusterUserCredential action). What that user can then create inside the cluster comes either from Kubernetes RBAC Role and RoleBinding objects bound to Azure AD users or groups, or, when Azure RBAC for Kubernetes authorization is enabled on the cluster, from data-plane roles such as Azure Kubernetes Service RBAC Writer assigned at cluster or namespace scope. NSGs and Azure Firewall control network traffic, not identity or permissions. Azure Policy can enforce configurations (for example, which container registries images may be pulled from) but does not manage user access.

When deploying an Azure Kubernetes Service (AKS) cluster, controlling who can deploy containers is critical for maintaining security and operational integrity, and Azure Active Directory (Azure AD) Role-Based Access Control (RBAC) is the feature that manages this access. Assign the Cluster User role to the developer group so its members can obtain credentials, then grant deployment rights in a namespace with a Kubernetes RoleBinding or an Azure Kubernetes Service RBAC Writer assignment, rather than handing out the Cluster Admin role or the cluster-admin kubeconfig. Two practical checks: disable local cluster accounts (az aks update --disable-local-accounts) so the static admin credential cannot bypass Azure AD and Conditional Access, and assign roles to groups rather than individual users so access is revoked when someone leaves the group. This keeps deployment to authorized personnel and reduces the risk of accidental or malicious changes to the cluster.

Network Security Groups (NSGs) and Azure Firewall, while important for protecting the cluster, focus solely on network-level security. NSGs control inbound and outbound traffic at the subnet or network interface level, while Azure Firewall provides centralized network traffic filtering. These features do not manage user permissions or define who can deploy workloads.

Azure Policy, on the other hand, is used to enforce specific configuration standards and compliance requirements within the cluster, such as restricting container images or enforcing resource limits. However, it does not grant or restrict individual user permissions. Therefore, to ensure that only authorized developers can deploy containers, Azure AD RBAC is the most suitable choice.

This approach provides granular access control, integrates seamlessly with AKS, and helps maintain both security and operational efficiency.

Question 22: 

You want to implement automatic OS patching for your Azure Windows VMs to reduce manual maintenance. Which Azure service provides this capability?

A) Azure Automation Update Management
B) Azure Policy
C) Azure Monitor
D) VM Scale Sets

Answer: A) Azure Automation Update Management

Explanation:

Update Management in Azure Automation lets you schedule patch deployments for Windows and Linux VMs, assess compliance, and report on missing updates. One caveat a practitioner should know: Microsoft retired Azure Automation Update Management on 31 August 2024 and replaced it with Azure Update Manager, which provides the same scheduling, assessment and reporting without needing an Automation account or a Log Analytics workspace. Among the four options listed, A is still the intended answer. Azure Policy can enforce configuration compliance but does not install patches. Azure Monitor tracks metrics and logs. VM Scale Sets scale instance counts and do not patch VMs in place.

To implement automatic operating system patching for Azure Windows virtual machines (VMs), Azure Automation Update Management (today, its successor Azure Update Manager) is the service designed for the job. It lets administrators define maintenance schedules, deploy updates automatically to both Windows and Linux VMs, and track which updates have been applied and which are pending, so compliance with organizational patching policies can be demonstrated rather than assumed. It also produces update status reports for auditing. For a lighter-weight alternative at the VM level, Automatic VM guest patching installs security and critical updates during off-peak hours without a separate service, but it does not provide fleet-wide scheduling or reporting.

Azure Policy, while useful for enforcing configuration compliance across Azure resources, does not perform update installation or patch management. It can ensure that certain settings or standards are in place but cannot keep operating systems up to date. Azure Monitor collects metrics and logs from your VMs and other resources; it provides insight into performance and health but has no ability to schedule or apply patches. VM Scale Sets scale identical instances in or out based on demand; their automatic OS image upgrade feature can roll instances onto a newer image version, but that is a re-image, not in-place patching of a running VM.

By leveraging Azure Automation Update Management, you can reduce manual intervention, ensure timely application of updates, maintain compliance, and improve the overall security and stability of your Azure Windows VMs.

Question 23: 

Your company requires secure private communication between Azure VMs across different virtual networks without using the public internet. Which solution should you implement?

A) Virtual Network Peering
B) VPN Gateway
C) ExpressRoute
D) Service Endpoint

Answer: A) Virtual Network Peering

Explanation:

VNet Peering lets VMs in different virtual networks communicate privately over the Microsoft backbone using their private IP addresses, with no gateway in the path. A VPN Gateway VNet-to-VNet connection builds IPsec/IKE tunnels between the gateways' public IP addresses and is limited by the gateway SKU's throughput; ExpressRoute connects on-premises sites to Azure; and Service Endpoints extend a subnet's identity to Azure PaaS services, not to other VNets.

To enable private communication between Azure virtual machines (VMs) across different virtual networks without using the public internet, Virtual Network (VNet) Peering is the most suitable solution. Peering connects two Azure virtual networks, in the same region or across regions (global peering) and even across subscriptions or tenants, so VMs in each network reach each other directly by private IP over Azure's backbone with low latency and high bandwidth. Peered VNets appear as one network for connectivity purposes, while each side keeps its own NSGs and route tables, so you can still restrict which subnets may talk across the link. Three caveats matter in practice: the address spaces must not overlap; peering is not transitive (if A peers with B and B peers with C, A still cannot reach C without a hub-and-spoke design using gateway transit or Azure Virtual WAN); and peering itself does not encrypt traffic, so if a compliance requirement calls for encryption in transit you must add it at the application layer (TLS) or with IPsec.

VPN Gateway, in contrast, enables encrypted VNet-to-VNet or site-to-site connections by building IPsec/IKE tunnels between gateway public IP addresses. It requires a gateway in each VNet, its throughput is bounded by the gateway SKU, and it adds tunnel overhead, so it is chosen for VNet-to-VNet traffic only when tunnel-level encryption is a hard requirement. ExpressRoute offers a private connection between on-premises infrastructure and Azure, bypassing the public internet, but it is intended for hybrid connectivity rather than connecting VNets within Azure. Service Endpoints extend private access from a virtual network to specific Azure services, such as Azure Storage or SQL Database, but they do not facilitate communication between virtual networks.

By using VNet Peering, organizations can achieve seamless, secure, and private communication between VMs in separate Azure virtual networks while leveraging Azure’s high-speed backbone network.

Question 24: 

You are tasked with implementing resource tagging enforcement so that all resources must include “CostCenter” and “Environment” tags. Which tool should you use?

A) Azure Policy
B) RBAC
C) Azure Resource Locks
D) Azure Monitor

Answer: A) Azure Policy

Explanation:

Azure Policy allows administrators to enforce mandatory tags during resource creation. RBAC controls access rights, Resource Locks prevent deletion/modification, and Azure Monitor is for logging and alerting, not enforcing resource metadata.

To enforce that all Azure resources include specific tags such as “CostCenter” and “Environment,” Azure Policy is the most appropriate tool. Azure Policy lets administrators define organizational standards as rules and assign them at management group, subscription or resource group scope. A definition with the Deny effect rejects any create or update request for a resource that lacks the required tag, while existing resources are reported as non-compliant rather than changed; a Modify effect with a remediation task can add or inherit missing tags instead of blocking. The built-in definition “Require a tag on resources” takes the tag name as a parameter and covers one tag per assignment, so two assignments are needed for CostCenter and Environment; because it runs in Indexed mode (only resource types that support tags and location), resource groups are not covered and need the separate built-in “Require a tag on resource groups”. Consistent tags are what make cost tracking, ownership lookups during an incident, and governance reporting possible across the Azure environment.

Role-Based Access Control (RBAC) manages permissions and determines who can perform actions on resources, but it does not enforce policies or ensure that resources include specific tags. RBAC focuses on access management rather than compliance or metadata enforcement. Azure Resource Locks protect against accidental deletion or modification by restricting certain operations, but they do not control metadata or enforce tagging standards. Azure Monitor collects metrics, logs, and alerts for resource health and performance; it provides visibility into the environment but cannot reject a resource creation or enforce tagging requirements.

By using Azure Policy to enforce mandatory tags, organizations can maintain governance, ensure proper cost allocation, and improve overall resource management without relying on manual processes. Before assigning a Deny policy broadly, run it with the Audit effect first and review the compliance results: a tag Deny also rejects resources that platform services create on your behalf, so plan exemptions for those scopes.
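The following is an added example, not code from the original page: a custom Azure Policy definition that denies any tag-capable resource missing the CostCenter or Environment tag, written in the same JSON shape that `az policy definition create --rules` accepts, together with a small offline evaluator for the subset of the policy-rule grammar the definition uses (allOf / anyOf / not and the field operators exists / equals / in). The evaluator mirrors the documented semantics of those operators so you can dry-run a definition against request bodies before assigning it with Deny; it is not the Azure Policy engine, and the sample resources at the bottom are constructed for this example.

```python
"""Added example (not from the original page): a tag-enforcement Azure Policy
definition plus an offline evaluator for the operators it uses.  The evaluator
mirrors the documented semantics of allOf/anyOf/not/exists/equals/in; it is not
the Azure Policy engine.  Sample resources below are constructed."""
import re

REQUIRE_TAGS = {
    "mode": "Indexed",  # only types that support tags and location; resource groups are skipped
    "displayName": "Require CostCenter and Environment tags",
    "policyRule": {
        "if": {
            "anyOf": [
                {"field": "tags['CostCenter']", "exists": "false"},
                {"field": "tags['Environment']", "exists": "false"},
            ]
        },
        "then": {"effect": "deny"},
    },
}

RESOURCE_GROUP_TYPE = "Microsoft.Resources/subscriptions/resourceGroups"
_TAG_FIELD = re.compile(r"tags\['([^']+)'\]")


def field_value(resource, field):
    """Resolve a policy field alias against the request body: the tags['Key']
    bracket syntax (tag names are case-insensitive in Azure) or a top-level
    property such as 'type', 'name' or 'location'."""
    m = _TAG_FIELD.fullmatch(field)
    if m:
        tags = {k.lower(): v for k, v in resource.get("tags", {}).items()}
        return tags.get(m.group(1).lower())
    return resource.get(field)


def condition_holds(cond, resource):
    """Evaluate one node of the 'if' tree.  Logical operators recurse; a leaf
    compares a single field with a single operator."""
    if "allOf" in cond:
        return all(condition_holds(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_holds(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not condition_holds(cond["not"], resource)
    value = field_value(resource, cond["field"])
    if "exists" in cond:
        # Azure writes the operand as the string "true" / "false"
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return value == cond["equals"]
    if "in" in cond:
        return value in cond["in"]
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(policy, resource):
    """Outcome for a create/update request: the rule's effect ('deny') when the
    'if' block matches, 'allowed' when it does not, and 'not evaluated' when the
    definition's mode does not cover the resource type at all."""
    if policy["mode"] == "Indexed" and resource["type"] == RESOURCE_GROUP_TYPE:
        return "not evaluated"
    rule = policy["policyRule"]
    return rule["then"]["effect"] if condition_holds(rule["if"], resource) else "allowed"


# Constructed sample request bodies (not real resources)
SAMPLES = {
    "vm-ok": {"type": "Microsoft.Compute/virtualMachines", "location": "eastus",
              "tags": {"CostCenter": "CC-1234", "Environment": "prod"}},
    "vm-missing-env": {"type": "Microsoft.Compute/virtualMachines", "location": "eastus",
                       "tags": {"costcenter": "CC-1234"}},
    "storage-no-tags": {"type": "Microsoft.Storage/storageAccounts", "location": "eastus"},
    "rg-no-tags": {"type": RESOURCE_GROUP_TYPE, "location": "eastus"},
}


def evaluate_all(policy=REQUIRE_TAGS, samples=SAMPLES):
    """Run every sample through the policy; use this to check a definition
    before assigning it with a deny effect."""
    return {name: evaluate(policy, res) for name, res in samples.items()}


if __name__ == "__main__":
    for name, outcome in evaluate_all().items():
        print(f"{name:18s} -> {outcome}")
```

The resource group sample shows the Indexed-mode gap: the same definition assigned in mode All, or the separate resource-group built-in, is needed to cover it. Note that `exists` only checks presence; if a tag must also carry an approved value, add an `in` or `notIn` condition on the same field.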

Question 25: 

You need to create a solution that allows on-premises servers to access Azure SQL Database securely over the internet. Which feature ensures secure connectivity?

A) Private Endpoint
B) Service Endpoint
C) Public IP
D) VPN Gateway

Answer: B) Service Endpoint

Explanation:

The answer key lists Service Endpoints, but the explanation needs correcting: a service endpoint is a property of a subnet inside an Azure virtual network. It routes that subnet's traffic to the service over the Azure backbone and lets the SQL server's virtual network rule admit the subnet by identity rather than by public IP. It has no effect on traffic that originates on-premises; Microsoft documents that service endpoints are not supported for on-premises sources. What secures an on-premises server's connection to Azure SQL Database over the internet is what the public endpoint already provides: every connection is TLS-encrypted (enforce a minimum TLS version on the server and set Encrypt=True in the client connection string), and server-level IP firewall rules admit only the on-premises network's NAT addresses. If the requirement is to avoid the public endpoint entirely, a VPN Gateway or ExpressRoute connection into a VNet that hosts a Private Endpoint for the SQL server is the design to use. A Public IP on its own gives reachability, not access control.

Service Endpoints are the right tool when the clients are Azure-hosted: enabling the Microsoft.Sql endpoint on a subnet keeps that subnet's traffic to Azure SQL Database on the Azure backbone while the service still answers on its public IP address, and a virtual network rule on the server then admits that subnet and nothing else, which shrinks the database's exposure without a private address or DNS change. Because the subnet, not the source IP, is what the rule trusts, this works even when the VNet's outbound addresses change.

Private Endpoints assign a private IP address from a virtual network to the Azure SQL Database, so the public endpoint can be disabled altogether. This does cover on-premises clients as well: once the on-premises network is connected to that VNet through a site-to-site VPN or ExpressRoute and on-premises DNS resolves the server name to the private address, servers connect over the private path. Public IP addresses alone allow connectivity but do not restrict which networks can reach the database. VPN Gateway provides the encrypted network path from on-premises into Azure; it secures the transport but is only a complete solution when paired with a private endpoint or a virtual network rule on the database side.

Choose according to the constraint: IP firewall rules plus TLS for simple internet access from fixed on-premises addresses, service endpoints for Azure-hosted subnets, and VPN or ExpressRoute to a private endpoint when data must never traverse the public endpoint.

Question 26: 

You are asked to implement role-based restrictions so that a user can start/stop virtual machines but cannot delete them. Which role should you assign?

A) Virtual Machine Contributor
B) Contributor
C) Owner
D) Reader

Answer: A) Virtual Machine Contributor

Explanation:

Among the four options, Virtual Machine Contributor is the narrowest role and the intended answer, but the claim that it cannot delete VMs is wrong: the built-in role's Actions include Microsoft.Compute/virtualMachines/*, and that wildcard covers Microsoft.Compute/virtualMachines/delete just as it covers start/action, powerOff/action, deallocate/action and restart/action. Contributor can delete any resource type, Owner adds the ability to assign roles, and Reader is read-only. A role that truly allows start and stop but not delete has to be a custom role whose Actions list only those operations plus read.

To let a user start and stop virtual machines (VMs) without granting delete, create a custom role whose Actions are limited to Microsoft.Compute/virtualMachines/read, Microsoft.Compute/virtualMachines/start/action, Microsoft.Compute/virtualMachines/powerOff/action, Microsoft.Compute/virtualMachines/deallocate/action and Microsoft.Compute/virtualMachines/restart/action (plus Microsoft.Resources/subscriptions/resourceGroups/read so the resource group is visible in the portal), and assign it at resource group scope to a group rather than to individuals. Virtual Machine Contributor remains the best built-in fit for day-to-day VM operations, because it grants nothing outside compute (no access to the VM's virtual network or storage account and no role assignment rights), but anyone holding it can delete the VM, so it does not meet this scenario's requirement on its own. Note also that powerOff only stops the guest while compute billing continues; deallocate releases the compute and stops the charge, so an operator role normally needs both.

The Contributor role provides broad permissions across all types of Azure resources within a subscription or resource group. It allows managing VMs but also deleting them and every other resource in scope, which exceeds the intended restrictions. The Owner role grants full administrative control, including the ability to assign roles to others, and is far too permissive for this scenario. The Reader role is read-only and allows users to view resource properties and statuses, but it does not permit operational actions such as starting or stopping virtual machines.

Two checks when building the custom role: first, NotActions only subtract from the Actions of the same role definition, so listing delete under NotActions does not stop a principal who also holds Contributor through another assignment; a hard block requires a deny assignment (which only Azure Blueprints, managed applications or deployment stacks can create) or a CanNotDelete resource lock. Second, verify the effective permissions after assignment rather than trusting role names, since built-in roles are revised over time. This enforces least privilege while keeping operators productive.

Question 27: 

You want to analyze Azure billing data across multiple subscriptions. Which feature provides cost visibility and reporting?

A) Azure Cost Management + Billing
B) Azure Monitor
C) Azure Policy
D) Resource Groups

Answer: A) Azure Cost Management + Billing

Explanation:

Azure Cost Management + Billing enables tracking of costs, creating budgets, and reporting across multiple subscriptions. Azure Monitor collects metrics but does not provide billing insights. Azure Policy enforces compliance. Resource Groups organize resources but do not provide cost analysis.

To analyze and gain visibility into Azure billing data across multiple subscriptions, Azure Cost Management + Billing is the most suitable feature. It provides comprehensive tools to track spending, monitor resource usage, and generate detailed reports across subscriptions, resource groups, or specific resources. With this service, organizations can create budgets, set alerts for overspending, and identify cost trends, enabling proactive financial management and optimization of cloud resources. Cost Management + Billing also supports exporting detailed usage data, allowing for integration with external reporting tools or financial systems for further analysis.

Azure Monitor, while valuable for observing performance metrics, collecting logs, and setting alerts on operational aspects of Azure resources, does not provide insights into billing or cost tracking. Azure Policy is used to enforce governance and compliance standards, such as requiring tags or specific configurations on resources, but it does not analyze spending or generate cost reports. Resource Groups are logical containers that organize resources within a subscription, making management and access control easier, but they do not offer billing or cost analysis capabilities.

By leveraging Azure Cost Management + Billing, organizations can achieve complete cost visibility, optimize resource usage, and maintain financial governance across multiple subscriptions. This ensures that spending is tracked efficiently and supports strategic decision-making regarding Azure resource allocation and budgeting.

Question 28: 

Your organization wants to enforce encryption using customer-managed keys (CMK) for Azure SQL Databases. Which service can store these keys securely?

A) Azure Key Vault
B) Azure Policy
C) RBAC
D) Azure Storage Account

Answer: A) Azure Key Vault

Explanation:

Azure Key Vault securely stores encryption keys, secrets, and certificates. Using CMK allows you to control key rotation and access. Azure Policy can enforce use of CMK but does not store keys. RBAC controls permissions. Storage Accounts are for data, not key storage.

To enforce encryption for Azure SQL Databases using customer-managed keys (CMK), Azure Key Vault is the recommended service for storing those keys. Key Vault provides a centralized, HSM-backed repository for encryption keys, secrets, and certificates, and Azure SQL's Transparent Data Encryption (TDE) uses the customer key held there as the TDE protector that wraps each database's data encryption key. Organizations gain control over the key's lifecycle, including creation, rotation, and access, and data stays encrypted with a key the organization controls rather than a Microsoft-managed one. Three prerequisites decide whether the setup works and stays safe: the vault must have soft-delete and purge protection enabled (Azure SQL requires both, because a purged key would make the database unrecoverable); the SQL server's managed identity needs get, wrapKey and unwrapKey permission on the key (or the Key Vault Crypto Service Encryption User role when the vault uses the RBAC permission model); and the vault's firewall or private endpoint must still allow access from trusted Microsoft services. Losing access to the key, whether by deleting it or revoking the permission, makes the database inaccessible, so back up the key and alert on Key Vault access failures. Where a FIPS 140-2 Level 3 boundary is required, Azure Key Vault Managed HSM serves the same role.

Azure Policy can complement this setup by enforcing the use of CMK across resources, so that databases comply with organizational encryption requirements, but it does not store or manage the keys themselves; its role is governance and compliance. Role-Based Access Control (RBAC) manages permissions for users and applications, including who may manage the vault and use the key, but it does not provide key storage or encryption. Azure Storage Accounts store data such as blobs, files, and queues and offer no protected key storage.

By combining Azure Key Vault with CMK, organizations ensure their Azure SQL Databases are encrypted with keys they control, with the audit trail (Key Vault diagnostic logs) to prove who used the key and when.

Question 29: 

You are designing a hybrid backup strategy for on-premises VMs and Azure VMs. Which Azure service allows you to manage both workloads centrally?

A) Azure Backup
B) Azure Site Recovery
C) Azure Monitor
D) Azure Automation

Answer: A) Azure Backup

Explanation:

Azure Backup protects on-premises machines and Azure VMs through one Recovery Services vault, giving a single place for policy, monitoring and alerts. Azure Site Recovery is for disaster recovery, Azure Monitor is for telemetry, and Automation is for operational scripts.

To implement a hybrid backup strategy that covers both on-premises and Azure workloads, Azure Backup is the most appropriate service because every workload reports into the same Recovery Services vault. Be precise about the on-premises agent: the Microsoft Azure Recovery Services (MARS) agent runs on Windows servers and backs up files, folders and system state; it does not capture a whole VM and has no Linux version. For VM-level protection of on-premises Hyper-V or VMware guests, deploy Microsoft Azure Backup Server (MABS) or System Center Data Protection Manager, which take application-consistent VM backups locally and send recovery points to the vault. For Azure VMs, backups are configured directly from the portal against the same vault, so schedules and retention are managed in one place. This centralization simplifies monitoring, reporting, and compliance. Two settings worth enabling on the vault from the start: soft delete, so a deleted backup item is retained for a grace period, and multi-user authorization with Resource Guard, so a single compromised administrator cannot disable protection and delete backups in one action.

Azure Site Recovery focuses primarily on disaster recovery rather than backup. It replicates workloads to a secondary location, enabling failover in case of outages, but it does not provide the same centralized backup management for ongoing recovery operations. Azure Monitor collects telemetry, metrics, and logs to provide insights into performance and operational health, but it does not handle backup or recovery tasks. Azure Automation is designed for automating operational processes and managing scripts, which can complement backup processes but does not provide a dedicated mechanism for storing and managing backup data.

By using Azure Backup, organizations can create a unified, reliable, and secure hybrid backup strategy that protects both on-premises and cloud-based VMs, reduces administrative complexity, and ensures that data recovery requirements are met consistently across all environments.

Question 30: 

You need to deploy an Azure VM that requires ultra-low latency storage for a database workload. Which disk type should you choose?

A) Ultra Disk
B) Standard SSD
C) Premium SSD
D) Standard HDD

Answer: A) Ultra Disk

Explanation:

Ultra Disks provide sub-millisecond latency with IOPS and throughput that are provisioned independently of capacity, ideal for performance-intensive databases. Premium SSDs are fast but not as performant as Ultra Disks. Standard SSD and HDD are suitable for general workloads, not high-performance requirements.

For deploying an Azure virtual machine that requires ultra-low latency storage, particularly for a performance-intensive database workload, Ultra Disks are the most suitable choice. Ultra Disks offer sub-millisecond latency, high throughput, and very high input/output operations per second (IOPS), and they allow IOPS and throughput to be set independently of disk size and adjusted without detaching the disk, which fits a database whose log and data volumes have different profiles. They come with constraints that matter at design time: an Ultra Disk can only be a data disk (the OS disk must be another type, typically Premium SSD), it is available only on specific VM sizes and in specific regions and availability zones, and it cannot be used by VMs in an availability set.

Premium SSDs are also high-performance storage options designed for low-latency and high-throughput workloads, but their IOPS and throughput are tied to the disk size tier and do not reach Ultra Disk levels; Premium SSD v2 sits between the two, with independently provisioned performance at lower cost but the same data-disk-only limitation. Standard SSDs provide a balance between performance and cost, offering improved speed over HDDs, but are intended for less demanding workloads rather than latency-sensitive databases. Standard HDDs are cost-effective and suitable for infrequent access or archival workloads but are not designed for high-performance scenarios due to higher latency and lower IOPS.

Choosing Ultra Disks ensures that database applications on Azure VMs benefit from the fastest, most consistent storage performance the platform offers, minimizing latency and supporting high transactional workloads; verify VM size, region and zone support before committing to the design.

Question 31: 

Your organization requires conditional access to enforce MFA only when users log in from untrusted locations. Which Azure feature accomplishes this?

A) Azure AD Conditional Access
B) Privileged Identity Management
C) Azure AD Identity Protection
D) RBAC

Answer: A) Azure AD Conditional Access

Explanation:

Conditional Access allows policies that enforce MFA based on risk, location, device compliance, or user roles. Identity Protection detects risky sign-ins but does not enforce policies by itself. PIM manages privileged access, and RBAC controls resource permissions.

To enforce multi-factor authentication (MFA) based on user location, Azure AD Conditional Access is the most appropriate feature. Conditional Access evaluates signals such as user or group, location, device compliance, the application being accessed, and sign-in risk before granting access. “Untrusted location” is expressed with named locations: define the corporate egress IP ranges (or countries) as named locations marked as trusted, then build a policy that targets all locations, excludes all trusted locations, and grants access only with MFA. Users on the corporate network sign in without a prompt; everyone else is challenged.

Privileged Identity Management (PIM) focuses on managing, monitoring, and controlling access to privileged roles within Azure AD and other Microsoft services. While PIM ensures that elevated permissions are granted securely and temporarily, it does not provide conditional enforcement of MFA for general sign-ins based on location. Azure AD Identity Protection detects risky sign-ins and user accounts using risk-based algorithms, but it does not directly enforce access policies without being combined with Conditional Access. Role-Based Access Control (RBAC) defines permissions for users and groups to access Azure resources, controlling what actions a user can perform, but it does not enforce authentication requirements or conditional policies.

By implementing Azure AD Conditional Access, organizations can create fine-grained controls, requiring MFA only when necessary. Three practices keep this from becoming an outage or a bypass: deploy the policy in report-only mode first and review the sign-in log to see who would have been affected; exclude a monitored break-glass account so a misconfigured policy cannot lock out every administrator; and remember that location is judged by the source IP the sign-in arrives from, so anything that places an attacker behind a trusted egress (a compromised VPN account or a device on the office network) inherits the trust, which is why risk-based conditions from Identity Protection are usually layered on top rather than replaced.

Question 32: 

You want to prevent accidental deletion of critical Azure resources like VMs and storage accounts. Which feature should you implement?

A) Resource Locks
B) RBAC
C) Azure Policy
D) Azure Monitor

Answer: A) Resource Locks

Explanation:

Resource Locks prevent accidental deletion or modification and can be applied as CanNotDelete or ReadOnly at subscription, resource group or resource scope, with child resources inheriting the lock. RBAC controls who can manage resources but does not stop an authorized user from deleting by mistake. Policy enforces rules but does not lock resources. Monitor alerts on events but does not block actions.

To prevent accidental deletion or modification of critical Azure resources such as virtual machines and storage accounts, Resource Locks are the most effective approach. There are two types: CanNotDelete allows authorized users to read and modify a resource but prevents deletion, while ReadOnly blocks all changes, effectively making the resource immutable at the control plane. A lock is evaluated regardless of the caller's role, so it protects even against a user whose RBAC permissions would otherwise allow the deletion. Two side effects are worth knowing: a ReadOnly lock on a storage account blocks the List Keys operation, so applications that authenticate with account keys lose access; and because locks are inherited, a lock on a resource group blocks deletion of every resource inside it, including ones that autoscale or deployments expect to remove.

Role-Based Access Control (RBAC) manages who can access and perform operations on Azure resources. It is essential for least privilege, but it does not prevent accidental deletion by a user who legitimately holds delete permission. Azure Policy enforces compliance and configuration standards, such as requiring tags, but it does not lock resources against deletion. Azure Monitor provides alerts and insight into resource health, but it cannot block actions.

Locks are a guard against mistakes, not against a determined adversary: anyone with Microsoft.Authorization/locks/delete (Owner and User Access Administrator have it, Contributor does not) can remove the lock and then delete the resource, and both steps appear in the Activity Log. Combine locks with tightly scoped role assignments, an alert on lock deletion, and data-level protections such as blob soft delete or backup soft delete for resources whose loss would be unrecoverable.

Question 33: 

You need to create an automated solution that scales out Azure VMs based on queue length in Azure Storage Queues. Which Azure service allows this?

A) Azure Automation with Runbooks
B) VM Scale Sets with Autoscale rules
C) Azure Logic Apps
D) Azure Monitor Alerts

Answer: B) VM Scale Sets with Autoscale rules

Explanation:

VM Scale Sets can autoscale on platform metrics such as CPU, on a storage queue's approximate message count, or on custom metrics sent to Azure Monitor. Automation runbooks are procedural scripts. Logic Apps orchestrate workflows. Monitor Alerts notify and can trigger action groups, but the native scaling logic lives in the autoscale setting.

To scale out Azure virtual machines (VMs) based on the number of messages in an Azure Storage queue, a VM Scale Set with autoscale rules is the most suitable option. VM Scale Sets deploy and manage a group of identical VMs, and autoscale rules adjust the instance count from metrics. For a storage queue, the rule references the queue's approximate message count, and the threshold is expressed per instance: with a threshold of 100 messages and two running instances, scale-out begins when the queue holds more than 200 messages. Pair the scale-out rule with a scale-in rule at a lower threshold and a cooldown period so the set does not flap, and set minimum and maximum instance counts so a runaway producer cannot drive up cost without bound. Application-specific signals can be published as custom metrics to Azure Monitor and used in the same rules.

Azure Automation with runbooks automates administrative tasks and workflows across Azure resources, but a runbook is procedural code that must be scheduled or triggered; it does not evaluate metrics continuously on its own. Azure Logic Apps orchestrate workflows and integrate services, which suits business process automation but does not natively manage VM scaling. Azure Monitor Alerts can notify administrators and trigger an action group (for example, a runbook), so scaling could be scripted on top of them, but that is a hand-built control loop without autoscale's cooldown and flapping protection.

By using VM Scale Sets with autoscale rules, organizations can implement a resilient, responsive, and cost-efficient infrastructure that automatically adjusts to changing workloads, ensuring applications remain performant without manual intervention.

Question 34: 

You need to track and retain audit logs of all Azure AD activities for compliance purposes. Which feature should you configure?

A) Azure AD Audit Logs
B) Azure Monitor Metrics
C) Azure Policy
D) Resource Locks

Answer: A) Azure AD Audit Logs

Explanation:

Audit Logs in Azure AD record directory changes made by users, administrators and applications: group membership changes, role assignments, application registrations, user creation and password resets. Sign-in events are kept separately in the Azure AD sign-in logs, so a full audit trail needs both. Azure Monitor tracks resource metrics, Policy enforces rules, and Resource Locks prevent modifications.

To track and retain audit logs of Azure Active Directory (Azure AD) activities for compliance purposes, Azure AD Audit Logs is the most appropriate feature. Audit Logs provide a detailed record of directory activity, including group and role modifications, application registrations, user and device changes, and the identity that performed each action. Retention is the part that needs configuring: the portal keeps audit and sign-in logs for only 7 days on the free tier and 30 days with Azure AD Premium P1 or P2, which is far short of most compliance requirements. To retain them longer, add a diagnostic setting on the tenant that streams the AuditLogs and SignInLogs categories to a Log Analytics workspace (queryable with KQL and usable by Microsoft Sentinel), to a storage account for low-cost long-term retention, or to an Event Hub for an external SIEM.

Azure Monitor Metrics collects numerical data about the performance and health of Azure resources, such as CPU usage, memory consumption, or network throughput. While useful for operational monitoring, it does not record who changed what in Azure AD. Azure Policy enforces compliance and governance by ensuring that resources follow organizational rules, such as requiring tags or restricting resource types, but it does not track or log user activities. Resource Locks prevent accidental modification or deletion of critical Azure resources but provide no auditing.

By configuring Azure AD Audit Logs together with sign-in logs and an export destination, organizations get a comprehensive, centralized record of directory activity that supports security monitoring, investigation of historical changes, and compliance reporting for as long as the retention policy requires.

Question 35: 

Your team wants to enforce multi-region disaster recovery for Azure SQL Database with minimal downtime. Which feature should you enable?

A) Active Geo-Replication
B) Backup Retention
C) Read-Scale Out
D) Azure Monitor

Answer: A) Active Geo-Replication

Explanation:

Active Geo-Replication allows an Azure SQL Database to replicate asynchronously to a secondary region, providing near real-time failover during disasters. Backup retention only stores point-in-time datA) Read-scale out improves read performance, not DR. Monitor tracks metrics but does not provide failover.

To enforce multi-region disaster recovery for Azure SQL Database with minimal downtime, enabling Active Geo-Replication is the most suitable option. Active Geo-Replication allows a primary Azure SQL Database to asynchronously replicate data to one or more secondary databases in different Azure regions. This setup ensures that in the event of a regional outage or disaster, the secondary database can be promoted to primary, providing near real-time failover and minimizing application downtime. The replication is continuous, keeping the secondary databases almost in sync with the primary, which supports high availability and business continuity across geographic locations.

Backup retention, while essential for point-in-time recovery, only stores database snapshots for a specified period. It is useful for restoring data after accidental deletion or corruption, but it does not provide automatic failover or support near real-time disaster recovery across regions. Read-scale out enhances performance by allowing read-only queries to be offloaded to readable replicas, improving read performance for workloads, but it does not address disaster recovery or failover scenarios. Azure Monitor provides monitoring, metrics, and alerts for database health and performance, offering visibility into operational issues, but it does not provide replication or failover capabilities.

By enabling Active Geo-Replication, organizations can achieve multi-region disaster recovery, maintain high availability, and ensure minimal downtime during regional failures, supporting critical applications and compliance requirements.
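The following Bicep template is an added example, not part of the original question set, showing how the geo-secondary described above is declared: a server in the secondary region and a database created with `createMode: 'Secondary'` pointing at the existing primary. The server, database and location names are placeholders, and the primary database is assumed to already exist and to be passed in by resource ID.

```bicep
// Added example: deploy a geo-secondary for an existing Azure SQL Database.
// Deploy this template into a resource group in the secondary region.
param secondaryLocation string = 'westus2'                 // placeholder region
param secondaryServerName string = 'sql-secondary-placeholder'
param databaseName string = 'appdb'                        // must match the primary DB name
param primaryDatabaseId string                             // resource ID of the existing primary database (assumed)
param adminLogin string
@secure()
param adminPassword string

// Logical server in the secondary region; the listener-style failover is
// handled later by promoting this replica (or by a failover group).
resource secondaryServer 'Microsoft.Sql/servers@2021-11-01' = {
  name: secondaryServerName
  location: secondaryLocation
  properties: {
    administratorLogin: adminLogin
    administratorLoginPassword: adminPassword
    minimalTlsVersion: '1.2'
  }
}

// The secondary is created from the primary and then kept in sync
// asynchronously. Keep the SKU at least as large as the primary so the
// replica can keep up with the write workload.
resource secondaryDb 'Microsoft.Sql/servers/databases@2021-11-01' = {
  parent: secondaryServer
  name: databaseName
  location: secondaryLocation
  sku: {
    name: 'S1'           // placeholder: match the primary's tier
    tier: 'Standard'
  }
  properties: {
    createMode: 'Secondary'
    sourceDatabaseId: primaryDatabaseId
    secondaryType: 'Geo'
  }
}
```

Because replication is asynchronous, a forced failover can lose the most recent transactions; a planned failover (`az sql db replica set-primary`, which waits for synchronization) avoids that, so test both paths before relying on the secondary for DR.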

Question 36: 

You need to ensure that all Azure VMs use managed disks instead of unmanaged disks. Which feature helps enforce this across a subscription?

A) Azure Policy
B) Resource Locks
C) RBAC
D) Azure Monitor

Answer: A) Azure Policy

Explanation:

Azure Policy can enforce the use of managed disks during VM creation. RBAC only controls permissions. Resource Locks prevent deletion/modification. Monitor tracks resource activity but does not enforce configuration.

To ensure that all Azure virtual machines (VMs) use managed disks instead of unmanaged disks, Azure Policy is the most effective feature to implement. Azure Policy allows administrators to define and enforce rules across a subscription or resource group to ensure compliance with organizational standards. By creating a policy that requires managed disks for all VM deployments, any attempt to create a VM with unmanaged disks will be blocked or flagged as non-compliant. This helps maintain consistency, simplifies management, and improves security and performance, as managed disks offer benefits such as better reliability, easier scaling, and automatic storage management.

Role-Based Access Control (RBAC) manages who can access and perform actions on Azure resources but does not enforce specific configuration requirements, such as mandating the use of managed disks. Resource Locks provide protection against accidental deletion or modification of resources by restricting operations, but they do not dictate how new resources are configured. Azure Monitor tracks metrics, logs, and operational activity across resources, providing visibility and alerting capabilities, but it does not enforce compliance with configuration standards or prevent non-compliant deployments.

By leveraging Azure Policy, organizations can proactively enforce the use of managed disks for all VMs, ensuring standardization, enhancing data durability, and reducing administrative overhead. Policies also provide compliance reporting, helping track adherence across the subscription and supporting governance initiatives effectively.
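As an added example, not taken from the page, the Bicep below defines and assigns a custom subscription-scoped policy that denies VM creation when the OS disk is an unmanaged VHD. The policy rule uses the `osDisk.uri` alias as in the built-in "Audit VMs that do not use managed disks" definition (an unmanaged disk is identified by a VHD URI; a managed disk carries a `managedDisk` reference instead); the definition and assignment names are placeholders.

```bicep
// Added example: subscription-level policy that blocks unmanaged OS disks.
targetScope = 'subscription'

resource denyUnmanagedDisks 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'deny-unmanaged-os-disks'   // placeholder name
  properties: {
    policyType: 'Custom'
    mode: 'All'
    displayName: 'Deny virtual machines that use unmanaged OS disks'
    description: 'VMs must use managed disks; deployments with a VHD-backed OS disk are rejected.'
    policyRule: {
      if: {
        allOf: [
          {
            field: 'type'
            equals: 'Microsoft.Compute/virtualMachines'
          }
          {
            // Present only when the OS disk is an unmanaged page blob (VHD URI).
            field: 'Microsoft.Compute/virtualMachines/osDisk.uri'
            exists: 'true'
          }
        ]
      }
      then: {
        effect: 'deny'
      }
    }
  }
}

// Assigning at subscription scope makes the rule apply to every resource group.
resource assignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'deny-unmanaged-os-disks'   // placeholder name
  properties: {
    displayName: 'Deny unmanaged OS disks (subscription)'
    policyDefinitionId: denyUnmanagedDisks.id
    enforcementMode: 'Default'
  }
}
```

Deploy it with `az deployment sub create --location <region> --template-file <file>.bicep`. Start with `effect: 'audit'` (or `enforcementMode: 'DoNotEnforce'`) to see which existing VMs are non-compliant before switching to `deny`, since a deny effect only blocks new or updated resources and does not change ones already deployed.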

Question 37: 

You need to automate routine Azure tasks such as stopping VMs during off-hours to save costs. Which tool should you use?

A) Azure Automation
B) Logic Apps
C) Azure Policy
D) Azure Advisor

Answer: A) Azure Automation

Explanation:

Azure Automation allows scheduling runbooks to automate tasks like starting/stopping VMs, patching, or backups. Logic Apps is for workflows, Policy enforces compliance, and Advisor recommends optimizations but cannot execute automation.

To automate routine Azure tasks such as stopping virtual machines (VMs) during off-hours to save costs, Azure Automation is the most suitable tool. Azure Automation provides a platform for creating, scheduling, and managing runbooks—scripts that can perform administrative and operational tasks automatically. For example, a runbook can be scheduled to stop VMs during nights or weekends and start them again during business hours, reducing unnecessary resource consumption and optimizing costs. Additionally, Azure Automation can handle tasks like patch management, configuration updates, and backup orchestration, providing a centralized and consistent approach to operational automation.

Logic Apps, while useful for automating workflows and integrating multiple services, is primarily focused on orchestrating business processes rather than performing system-level administrative operations on Azure resources. Azure Policy enforces compliance and governance rules, such as requiring tags or specific configurations, but it does not execute automated actions to manage resources. Azure Advisor provides recommendations for optimizing performance, cost, and security, offering guidance on potential improvements, but it does not directly automate operational tasks or schedule actions on resources.

By leveraging Azure Automation, organizations can streamline operational processes, enforce consistency in routine tasks, and reduce manual intervention. Automating tasks like stopping and starting VMs ensures cost efficiency, improves resource management, and allows IT teams to focus on higher-value activities while maintaining reliable and predictable system operations.

Question 38: 

Your organization requires Azure AD B2B collaboration with external partners while ensuring they do not have full access to internal resources. Which feature should you implement?

A) Azure AD Guest Users
B) Azure AD B2C
C) RBAC Contributor Role
D) Privileged Identity Management

Answer: A) Azure AD Guest Users

Explanation:

Guest Users allow external partners to access selected resources in Azure AD, ensuring limited privileges. B2C is for customer-facing identity management. RBAC controls access but does not differentiate external vs internal identities. PIM is for temporary privileged roles.

To enable Azure AD B2B collaboration with external partners while ensuring they do not have full access to internal resources, Azure AD Guest Users is the most suitable feature. Guest Users allow organizations to invite external users, such as partners or contractors, to access specific applications or resources within the tenant while maintaining limited privileges. By assigning appropriate roles and access policies, external users can collaborate securely without gaining the same level of access as internal employees. This approach ensures that sensitive corporate data and critical systems remain protected while enabling necessary collaboration.

Azure AD B2C is designed for customer-facing identity management, allowing organizations to provide secure authentication for external customers, but it is not intended for internal resource sharing or B2B collaboration. Role-Based Access Control (RBAC) assigns permissions to users based on roles, controlling what actions they can perform on Azure resources. While RBAC is critical for access management, it does not differentiate between internal employees and external partners, and without guest user configuration, external users might not be properly isolated. Privileged Identity Management (PIM) provides temporary access to privileged roles and is used for managing elevated permissions, but it does not facilitate external collaboration for standard resource access.

By leveraging Azure AD Guest Users, organizations can maintain secure boundaries, enforce least privilege access, and support seamless collaboration with external partners, ensuring both productivity and protection of internal resources.

Question 39: 

You need to protect an Azure Key Vault against accidental deletion while allowing normal access to secrets. Which feature should you configure?

A) Soft Delete + Purge Protection
B) Azure Policy
C) RBAC
D) Azure Monitor Alerts

Answer: A) Soft Delete + Purge Protection

Explanation:

Soft Delete ensures deleted Key Vaults or secrets can be recovered, and Purge Protection prevents permanent deletion until a retention period expires. Policy enforces rules but does not protect deletion. RBAC controls access. Monitor alerts only notify.

To protect an Azure Key Vault against accidental deletion while still allowing normal access to secrets, configuring Soft Delete and Purge Protection is the most effective approach. Soft Delete ensures that if a Key Vault or any secrets within it are deleted, they are retained for a configurable retention period, allowing recovery without permanent loss. Purge Protection adds an additional layer of security by preventing the permanent deletion of the Key Vault or its contents until the retention period has expired. Together, these features safeguard critical keys, secrets, and certificates against accidental or malicious deletion while maintaining operational access for authorized users.

Azure Policy is designed to enforce governance rules, such as requiring certain configurations or tags on resources, but it does not prevent deletion of Key Vaults or their secrets. Role-Based Access Control (RBAC) manages permissions, controlling who can read, write, or modify secrets, but it does not inherently protect against accidental deletion if a user has sufficient privileges. Azure Monitor Alerts provides notifications based on events, metrics, or changes in resources, offering visibility into potential issues, but it cannot block or recover deleted Key Vaults or secrets.

By enabling Soft Delete and Purge Protection, organizations can maintain a secure, resilient Key Vault environment, ensuring that secrets remain safe from accidental deletion while authorized users continue to perform normal operations without interruption. This combination provides both operational flexibility and strong protection for sensitive information.
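The Bicep below is an added example (not from the page) of a vault with both protections enabled; the vault name and location are placeholders. Access to secrets is unaffected because data-plane permissions are still granted separately, here through Azure RBAC.

```bicep
// Added example: Key Vault with soft delete and purge protection.
param location string = resourceGroup().location
param vaultName string = 'kv-example-placeholder'   // placeholder, must be globally unique

resource vault 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: vaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: {
      family: 'A'
      name: 'standard'
    }
    // Authorized users keep normal read/write access via Azure RBAC role assignments
    // (e.g. Key Vault Secrets User); deletion protection does not change that.
    enableRbacAuthorization: true

    // Soft delete: deleted vaults, secrets, keys and certificates are kept for the
    // retention period (7-90 days) and can be recovered. It cannot be disabled again.
    enableSoftDelete: true
    softDeleteRetentionInDays: 90

    // Purge protection: nothing in soft-deleted state can be purged until the
    // retention period has elapsed, even by an administrator. This setting is
    // irreversible once enabled, so treat it as a one-way switch.
    enablePurgeProtection: true
  }
}
```

A recovered vault keeps its original name and resource ID, so the name stays reserved for the whole retention period; if a deleted vault blocks a redeployment, recover it with `az keyvault recover --name <vault>` rather than trying to purge it.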

Question 40: 

You need to restrict Azure Storage Account access to only traffic originating from specific VNets. Which feature should you use?

A) Firewall and Virtual Network Rules
B) NSG
C) Azure Policy
D) Private Endpoint

Answer: A) Firewall and Virtual Network Rules

Explanation:

Storage Accounts can have firewall rules restricting access to specific VNets or IP ranges. NSG filters traffic at the VM or subnet level, not directly to storage accounts. Policy can enforce configuration but does not filter traffic. Private Endpoint allows private access but is not a rule-based restriction.

To restrict access to an Azure Storage Account so that only traffic originating from specific virtual networks (VNets) is allowed, configuring Firewall and Virtual Network Rules is the most appropriate solution. Azure Storage Accounts provide built-in firewall capabilities that allow administrators to define rules based on IP address ranges or VNets. By specifying the trusted VNets, only resources within those networks can access the storage account, ensuring that traffic from untrusted networks or the public internet is blocked. This approach enhances security by enforcing network-level access control while allowing authorized applications and services to interact with the storage account seamlessly.

Network Security Groups (NSGs) are used to filter traffic at the subnet or virtual machine level, controlling inbound and outbound traffic for those resources. While NSGs are effective for protecting individual VMs or subnets, they do not directly enforce access restrictions at the storage account level. Azure Policy can enforce organizational standards, such as requiring specific tags or configurations on storage accounts, but it cannot filter traffic or restrict network access. Private Endpoints provide a private IP connection to the storage account within a VNet, allowing secure access without traversing the public internet, but they do not function as rule-based restrictions and do not inherently block traffic from unauthorized VNets.

Using Firewall and Virtual Network Rules ensures that storage accounts are protected from unauthorized access, enforcing secure connectivity from only trusted VNets while maintaining operational flexibility for applications and services that need access.
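As an added example that is not part of the original page, the Bicep template below builds the configuration just described: a subnet with the `Microsoft.Storage` service endpoint and a storage account whose firewall denies everything except that subnet. VNet, subnet and account names and the address ranges are placeholders.

```bicep
// Added example: storage account reachable only from one trusted subnet.
param location string = resourceGroup().location
param storageAccountName string = 'stexampleplaceholder'  // placeholder, globally unique, lowercase
param vnetName string = 'vnet-app'                         // placeholder
param subnetName string = 'snet-app'                       // placeholder

// The trusted subnet needs the Microsoft.Storage service endpoint; without it,
// traffic leaves with a public source address and the VNet rule never matches.
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: vnetName
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [
        '10.10.0.0/16'
      ]
    }
    subnets: [
      {
        name: subnetName
        properties: {
          addressPrefix: '10.10.1.0/24'
          serviceEndpoints: [
            {
              service: 'Microsoft.Storage'
            }
          ]
        }
      }
    ]
  }
}

resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: location
  sku: {
    name: 'Standard_LRS'
  }
  kind: 'StorageV2'
  properties: {
    minimumTlsVersion: 'TLS1_2'
    allowBlobPublicAccess: false
    networkAcls: {
      // Deny by default; only the rules below are allowed through.
      defaultAction: 'Deny'
      // Let trusted first-party services (e.g. Backup, Monitor) bypass the firewall.
      bypass: 'AzureServices'
      virtualNetworkRules: [
        {
          // Referencing vnet.id creates an implicit dependency on the VNet.
          id: '${vnet.id}/subnets/${subnetName}'
          action: 'Allow'
        }
      ]
      ipRules: []
    }
  }
}
```

Two checks worth running after deployment: `az storage account show --name <account> --query networkAcls` should report `defaultAction: Deny` with the subnet listed, and a request from outside the VNet should fail with HTTP 403 (`AuthorizationFailure`). Note that the firewall also applies to the portal and to your own admin workstation, so add an IP rule for management hosts if they need to browse the account.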
