Microsoft AZ-104 Microsoft Azure Administrator Exam Dumps and Practice Test Questions Set 5 Q81-100
Question 81:
You need to implement Azure AD single sign-on for an on-premises application that cannot directly integrate with Azure AD. Which solution allows secure authentication without storing passwords in the cloud?
A) Pass-through Authentication
B) Password Hash Synchronization
C) Azure AD B2C
D) Conditional Access
Answer: A) Pass-through Authentication
Explanation:
Pass-through Authentication allows users to sign in to Azure AD using their on-premises passwords. Authentication requests are securely validated against on-premises Active Directory. Password Hash Synchronization replicates password hashes to Azure AD, which stores them in the cloud. B2C is for external customer identities, and Conditional Access controls sign-in conditions but does not provide authentication itself.
To implement Azure AD single sign-on (SSO) for an on-premises application that cannot directly integrate with Azure AD, the appropriate solution is Pass-through Authentication (PTA). PTA allows users to authenticate against Azure AD using their on-premises Active Directory credentials without storing passwords in the cloud. When a user signs in, authentication requests are securely sent to an on-premises agent that validates the credentials against Active Directory. This approach provides seamless SSO while maintaining security, as passwords never leave the on-premises environment. It is particularly useful for legacy applications or scenarios where storing password hashes in the cloud is not acceptable due to compliance or security requirements.
Password Hash Synchronization, by contrast, replicates users’ password hashes from on-premises Active Directory to Azure AD. While this method enables authentication in the cloud, it involves storing password information in Azure AD, which may not meet certain security or regulatory standards. Azure AD B2C is a service for managing customer and external identities, offering SSO for consumer-facing applications, but it is not designed for internal on-premises application integration. Conditional Access provides policies to control when and how users can sign in based on conditions such as location, device compliance, or risk, but it does not handle authentication by itself. Therefore, Pass-through Authentication is the correct solution for providing secure SSO to on-premises applications without storing passwords in the cloud, combining convenience, security, and compliance.
Question 82:
You need to implement a backup solution for Azure SQL Managed Instances with point-in-time recovery. Which feature provides this functionality?
A) Automated backups with retention
B) Azure Site Recovery
C) Azure Storage snapshot
D) Log Analytics Workspace
Answer: A) Automated backups with retention
Explanation:
Azure SQL Managed Instances provide automated backups that enable point-in-time restore within a configured retention period. Azure Site Recovery replicates VMs but not managed databases. Storage snapshots store specific points of blob data. Log Analytics Workspace collects logs but does not provide backup.
To implement a backup solution for Azure SQL Managed Instances with point-in-time recovery, the appropriate feature to use is automated backups with retention. Azure SQL Managed Instances automatically create full, differential, and transaction log backups of databases, allowing administrators to restore a database to any point in time within the configured retention period. This provides protection against accidental data deletion, corruption, or operational errors. Automated backups simplify database maintenance because they do not require manual intervention, and they ensure that backups are securely stored and managed by Azure. The retention period can be configured to meet business and compliance requirements, providing flexibility for short-term or long-term recovery scenarios.
Azure Site Recovery is primarily used for replicating virtual machines and orchestrating disaster recovery between regions, but it does not support point-in-time restores for managed databases. Azure Storage snapshots capture specific points of blob storage data at a moment in time, which can be used for data recovery, but they are not designed for full database point-in-time recovery of SQL Managed Instances. Log Analytics Workspace collects telemetry, logs, and metrics to provide monitoring and insights into database performance and operations, but it does not provide backup or restoration capabilities. Therefore, automated backups with retention is the correct solution for Azure SQL Managed Instances, enabling reliable point-in-time recovery and ensuring data protection without manual backup management.
Question 83:
You need to prevent specific users from deleting virtual machines in a subscription while allowing full access to others. Which solution should you implement?
A) Resource Locks with CanNotDelete
B) RBAC assignment with Reader role
C) Azure Policy enforcement
D) Azure Monitor alerts
Answer: A) Resource Locks with CanNotDelete
Explanation:
Resource Locks with CanNotDelete prevent the deletion of resources while still allowing normal operations. RBAC assignment could restrict access entirely, but assigning Reader role removes modification capabilities. Policy enforces configuration but does not block deletion directly. Monitor alerts only notify about actions.
To prevent specific users from deleting virtual machines in a subscription while allowing full access to others, the appropriate solution is to implement Resource Locks with the CanNotDelete option. A CanNotDelete lock ensures that protected resources, such as virtual machines, cannot be accidentally or intentionally deleted. Users can still perform all other operations, including starting, stopping, and modifying the VM, but any attempt to delete the resource is blocked. This approach provides a safeguard for critical resources while maintaining operational flexibility for authorized personnel, reducing the risk of accidental data loss or service disruption. Resource Locks can be applied at the resource, resource group, or subscription level, giving administrators granular control over which resources are protected.
Assigning RBAC roles, such as the Reader role, could prevent users from deleting resources, but it also restricts their ability to modify or manage the VM, which may be overly restrictive and limit necessary operations. Azure Policy is used to enforce compliance and organizational standards, such as requiring certain configurations, but it does not directly block deletion actions on individual resources. Azure Monitor can track operations and generate alerts when deletion attempts occur, but it cannot prevent the action from taking place. Therefore, applying Resource Locks with CanNotDelete is the most effective solution for protecting virtual machines from deletion while allowing users to perform all other required tasks.
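The following is an added example, not part of the original question set, showing how the CanNotDelete lock described above is applied and verified with Azure PowerShell. The resource group, VM and lock names are assumed; the cmdlets and the Microsoft.Compute/virtualMachines resource type are the standard ones.

```powershell
# Added example (not from the page): protect a VM from deletion with a CanNotDelete lock.
# Assumed names: resource group "rg-prod", VM "vm-app01", lock "lock-vm-app01-nodelete".
$rg       = 'rg-prod'
$vm       = 'vm-app01'
$lockName = 'lock-vm-app01-nodelete'

# Create the lock at the resource scope. Start/stop/resize keep working; delete is refused.
New-AzResourceLock -LockName $lockName `
    -LockLevel CanNotDelete `
    -LockNotes 'Production VM - remove lock only via change ticket' `
    -ResourceName $vm `
    -ResourceType 'Microsoft.Compute/virtualMachines' `
    -ResourceGroupName $rg `
    -Force

# Verify: list every lock that applies to the VM, including locks inherited from the
# resource group or subscription scope.
Get-AzResourceLock -ResourceName $vm `
    -ResourceType 'Microsoft.Compute/virtualMachines' `
    -ResourceGroupName $rg |
    Select-Object Name, ResourceGroupName, @{n='Level';e={$_.Properties.level}}, @{n='Notes';e={$_.Properties.notes}}

# Check: a delete attempt is now rejected by the lock instead of removing the VM.
try {
    Remove-AzVM -ResourceGroupName $rg -Name $vm -Force -ErrorAction Stop
} catch {
    Write-Host "Delete blocked as expected: $($_.Exception.Message)"
}

# Only principals holding Microsoft.Authorization/locks/delete (Owner, User Access Administrator)
# can lift the lock; a Contributor cannot, which is what makes a lock different from an RBAC change.
# Remove-AzResourceLock -LockName $lockName -ResourceName $vm `
#     -ResourceType 'Microsoft.Compute/virtualMachines' -ResourceGroupName $rg -Force
```

Applying the lock at the resource group scope instead (omit the resource name and type) protects every resource in the group with a single lock, at the cost of also blocking deletion of resources that were meant to be temporary.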
Question 84:
You are tasked with monitoring failed sign-in attempts in Azure AD to identify potential security threats. Which service should you use?
A) Azure AD Sign-in Logs
B) Azure Monitor Metrics
C) Azure Policy
D) RBAC audit
Answer: A) Azure AD Sign-in Logs
Explanation:
Azure AD Sign-in Logs record authentication attempts, including failures, conditional access evaluations, and device compliance. Azure Monitor Metrics tracks performance, Policy enforces rules, and RBAC audit tracks role assignments rather than sign-ins.
To monitor failed sign-in attempts in Azure AD and identify potential security threats, the appropriate service to use is Azure AD Sign-in Logs. Sign-in Logs provide detailed records of authentication activity for all users in the directory, including successful and failed login attempts. These logs capture information such as user identity, application accessed, location, device, and conditional access evaluations. By analyzing failed sign-ins, administrators can detect unusual or suspicious activity that may indicate potential security threats, such as brute-force attacks, compromised accounts, or unauthorized access attempts. Azure AD Sign-in Logs can be integrated with security information and event management (SIEM) systems for advanced monitoring, alerting, and automated response, enhancing the organization’s overall security posture.
Azure Monitor Metrics focuses on tracking numerical performance data, such as CPU usage, memory, and network throughput, but it does not provide detailed authentication or sign-in information. Azure Policy is a governance tool used to enforce organizational compliance rules, such as requiring encryption or specific configurations on resources, and does not track user authentication activity. RBAC audit logs record role assignments and changes in permissions, providing insights into who has access to which resources, but they do not capture sign-in attempts. Therefore, Azure AD Sign-in Logs is the correct service for monitoring failed authentication attempts and supporting proactive security monitoring and incident response for Azure AD environments.
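As an added example (not from the page), the script below pulls the last 24 hours of sign-in records through Microsoft Graph and summarises the failures in the two shapes an administrator looks for first: one account with many failures, and one source address touching many accounts. It assumes the Microsoft.Graph.Reports module and an identity granted AuditLog.Read.All; the output file name is arbitrary.

```powershell
# Added example (not from the page): triage failed sign-ins from Azure AD Sign-in Logs.
# Assumes Microsoft.Graph.Reports is installed and the caller has AuditLog.Read.All.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome

# Server-side filter on time window; the status object is filtered client-side below.
$since  = (Get-Date).ToUniversalTime().AddHours(-24).ToString('yyyy-MM-ddTHH:mm:ssZ')
$events = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since"

# errorCode 0 is a successful sign-in; common failures include 50126 (bad password)
# and 50053 (account locked out).
$failed = $events | Where-Object { $_.Status.ErrorCode -ne 0 }

# Accounts with the most failures: one account hammered repeatedly suggests brute force.
$failed | Group-Object UserPrincipalName |
    Sort-Object Count -Descending |
    Select-Object -First 10 -Property Count, Name

# Source IPs that fail against many distinct accounts: the password-spray pattern.
$failed | Group-Object IpAddress | ForEach-Object {
    [pscustomobject]@{
        IpAddress = $_.Name
        Failures  = $_.Count
        Accounts  = ($_.Group.UserPrincipalName | Sort-Object -Unique).Count
    }
} | Where-Object { $_.Accounts -ge 5 } | Sort-Object Accounts -Descending

# Export the raw failures for the SIEM or the incident ticket.
$failed | Select-Object CreatedDateTime, UserPrincipalName, IpAddress, AppDisplayName,
        @{n='ErrorCode';e={$_.Status.ErrorCode}},
        @{n='Reason';e={$_.Status.FailureReason}} |
    Export-Csv -Path .\failed-signins-24h.csv -NoTypeInformation
```

For continuous monitoring rather than an ad hoc pull, route the SigninLogs table to a Log Analytics workspace via diagnostic settings and build the same two groupings as scheduled alert rules there.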
Question 85:
You want to automatically deploy identical virtual machines across multiple regions with consistent configuration. Which feature should you use?
A) Azure Resource Manager templates
B) Azure Policy
C) VM Scale Sets
D) Azure Automation
Answer: A) Azure Resource Manager templates
Explanation:
ARM templates allow declarative deployment of identical resources with pre-defined configurations across regions. VM Scale Sets provide identical VMs but are region-specific. Policy enforces configuration compliance but does not deploy resources. Automation executes scripts but is procedural.
To automatically deploy identical virtual machines across multiple regions with consistent configuration, the appropriate feature to use is Azure Resource Manager (ARM) templates. ARM templates provide a declarative way to define and deploy infrastructure and configuration in Azure. Using JSON-based templates, administrators can specify the exact VM size, networking, storage, extensions, and other settings required for each deployment. These templates can be deployed repeatedly across different regions, ensuring that all virtual machines are created with the same configuration, which simplifies management, reduces errors, and enforces consistency. Additionally, ARM templates support parameterization, allowing the reuse of templates with different values for resource names, locations, or sizes while maintaining standard configurations.
VM Scale Sets allow deployment of multiple identical virtual machines, but they are limited to a single region and are primarily intended for scaling compute resources automatically rather than multi-region deployments. Azure Policy is used to enforce compliance and organizational standards, such as requiring specific configurations or tagging, but it does not deploy resources. Azure Automation provides a procedural approach to executing scripts and tasks, such as starting or stopping VMs, but it is not inherently declarative and does not guarantee consistent resource deployment across regions. Therefore, ARM templates are the optimal solution for automatically provisioning identical virtual machines in multiple regions while maintaining consistency, repeatability, and compliance.
Question 86:
Your organization needs end-to-end monitoring of a web application hosted in Azure including performance, errors, and user behavior. Which service provides these capabilities?
A) Application Insights
B) Azure Monitor Metrics
C) Azure Policy
D) Azure Backup
Answer: A) Application Insights
Explanation:
Application Insights collects application telemetry, performance data, exceptions, and user interactions. Azure Monitor Metrics tracks resource performance, Policy enforces configuration, and Backup protects data but does not monitor applications.
To achieve end-to-end monitoring of a web application hosted in Azure, including performance metrics, error tracking, and user behavior insights, the appropriate service is Application Insights. Application Insights is an application performance management (APM) service that collects detailed telemetry from applications, enabling developers and administrators to monitor application health in real time. It captures performance data such as response times, dependency calls, and request rates, as well as exceptions and failures, helping teams quickly identify and diagnose issues. Additionally, Application Insights tracks user interactions, including page views, session durations, and custom events, providing valuable insights into how users engage with the application. This combination of monitoring, diagnostics, and usage analytics allows organizations to improve application reliability, optimize performance, and enhance the user experience.
Azure Monitor Metrics, by comparison, focuses on numeric resource-level metrics such as CPU utilization, memory consumption, or network throughput. While it provides visibility into resource performance, it does not capture detailed application-level telemetry or user behavior. Azure Policy is a governance tool designed to enforce organizational rules and compliance across Azure resources, and it does not provide application monitoring. Azure Backup ensures data protection by creating backups of workloads, but it does not collect performance data or track user interactions. Therefore, Application Insights is the correct solution for comprehensive, end-to-end monitoring of web applications, combining performance tracking, error diagnostics, and behavioral analytics in a single service.
Question 87:
You need to encrypt sensitive data in transit between Azure services. Which feature ensures this?
A) TLS/SSL encryption
B) Storage Service Encryption
C) Transparent Data Encryption
D) Resource Locks
Answer: A) TLS/SSL encryption
Explanation:
TLS/SSL provides encryption in transit, protecting data sent between Azure services. Storage Service Encryption and Transparent Data Encryption secure data at rest. Resource Locks prevent deletion but do not encrypt data.
To encrypt sensitive data in transit between Azure services, the appropriate feature to use is TLS/SSL encryption. Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL) provide secure communication channels by encrypting data as it travels across networks. This ensures that information such as credentials, personal data, or application messages cannot be intercepted, read, or tampered with by unauthorized parties during transmission. TLS/SSL is widely used in Azure services, including Azure App Service, Azure SQL Database, and Azure Storage, to protect communications between clients, services, and APIs. By enforcing TLS/SSL, organizations can meet compliance requirements, safeguard sensitive information, and reduce the risk of man-in-the-middle attacks.
Storage Service Encryption, in contrast, secures data at rest within Azure Storage accounts. It automatically encrypts blobs, files, queues, and tables when stored, but it does not protect data while it is being transmitted between services. Transparent Data Encryption (TDE) is designed for Azure SQL Databases and Managed Instances, encrypting the database files and backups at rest to protect against unauthorized access. Resource Locks prevent accidental or intentional deletion of critical resources but have no role in encrypting data in transit. Therefore, TLS/SSL encryption is the correct solution for ensuring that sensitive data moving between Azure services is securely encrypted during transit, protecting the data from eavesdropping and tampering.
Question 88:
You need to ensure that an Azure virtual network can only communicate with a specific Azure SQL Database securely over private connectivity. Which configuration should you implement?
A) Private Endpoint
B) Service Endpoint
C) Network Security Group
D) Route Table
Answer: A) Private Endpoint
Explanation:
Private Endpoints assign a private IP to Azure SQL Database within a virtual network, allowing secure, private connectivity. Service Endpoints extend network access but still use public IPs. NSGs filter traffic but do not create private connections. Route Tables manage routing, not security.
To ensure that an Azure virtual network can communicate securely with a specific Azure SQL Database over private connectivity, the appropriate configuration is a Private Endpoint. A Private Endpoint assigns a private IP address from the virtual network to the Azure SQL Database, allowing traffic to flow securely within the network without traversing the public internet. This approach ensures that all communication remains private, encrypted, and isolated from external networks, reducing the risk of exposure to threats. Private Endpoints also integrate with Azure DNS, enabling seamless name resolution for the database within the virtual network, and can be combined with network policies and firewalls for additional security.
Service Endpoints, while providing extended network access to Azure services, still route traffic over public IP addresses. They allow you to restrict access by subnet but do not provide a private IP address within the virtual network, which limits their ability to fully isolate traffic from the public internet. Network Security Groups (NSGs) control inbound and outbound traffic by filtering based on IP addresses, ports, and protocols, but they do not establish private connectivity. Route Tables define how traffic is routed within and between networks but do not enforce secure, private access. Therefore, implementing a Private Endpoint is the correct solution for providing secure, private connectivity from a virtual network to an Azure SQL Database, ensuring traffic remains isolated and protected from external networks.
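The steps described above, as an added example that is not part of the original page: create a Private Endpoint for a SQL logical server, wire up the private DNS zone so the server name resolves to the private IP inside the VNet, and then disable public access to the server. Resource names, the region and the subnet are assumed; the cmdlets, the sqlServer group id and the privatelink.database.windows.net zone name are the standard ones.

```powershell
# Added example (not from the page): private connectivity from a VNet to one Azure SQL server.
# Assumed names: RG rg-data, VNet vnet-app with subnet snet-data, SQL server sql-app01, region westeurope.
$rg  = 'rg-data'
$loc = 'westeurope'

$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-app'
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-data'
$sql    = Get-AzSqlServer -ResourceGroupName $rg -ServerName 'sql-app01'

# 1. Connection to the SQL server's private link resource. GroupId 'sqlServer' is the
#    sub-resource name for Azure SQL logical servers.
$conn = New-AzPrivateLinkServiceConnection -Name 'plsc-sql-app01' `
    -PrivateLinkServiceId $sql.ResourceId -GroupId 'sqlServer'

# 2. The Private Endpoint itself: a NIC with a private IP taken from snet-data.
$pe = New-AzPrivateEndpoint -ResourceGroupName $rg -Name 'pe-sql-app01' -Location $loc `
    -Subnet $subnet -PrivateLinkServiceConnection $conn

# 3. Private DNS so sql-app01.database.windows.net resolves to the private IP from inside the VNet.
$zone = New-AzPrivateDnsZone -ResourceGroupName $rg -Name 'privatelink.database.windows.net'
New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $zone.Name `
    -Name 'link-vnet-app' -VirtualNetworkId $vnet.Id
$zoneConfig = New-AzPrivateDnsZoneConfig -Name 'privatelink-database-windows-net' `
    -PrivateDnsZoneId $zone.ResourceId
New-AzPrivateDnsZoneGroup -ResourceGroupName $rg -PrivateEndpointName $pe.Name `
    -Name 'default' -PrivateDnsZoneConfig $zoneConfig

# 4. With the private path in place, close the public one. Service Endpoints cannot do this
#    because they still rely on the server's public address.
Set-AzSqlServer -ResourceGroupName $rg -ServerName $sql.ServerName -PublicNetworkAccess 'Disabled'

# Check from a VM inside the VNet: the name must resolve to the endpoint's private address.
# Resolve-DnsName sql-app01.database.windows.net
```

If the name still resolves to a public IP from inside the VNet, the DNS zone group or the VNet link is missing; clients would then fall back to the public path, which step 4 now rejects.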
Question 89:
You need to identify and remediate non-compliant Azure resources automatically across a subscription. Which service allows this?
A) Azure Policy with remediation tasks
B) Azure Monitor Alerts
C) Resource Locks
D) RBAC
Answer: A) Azure Policy with remediation tasks
Explanation:
Azure Policy can detect non-compliant resources and trigger remediation tasks, such as deploying missing tags or enabling encryption. Monitor alerts notify but do not remediate. Resource Locks prevent actions but do not enforce compliance. RBAC controls access.
To identify and remediate non-compliant Azure resources automatically across a subscription, the appropriate service to use is Azure Policy with remediation tasks. Azure Policy allows administrators to define compliance rules for resources, such as requiring encryption, enforcing specific tagging, or mandating particular configuration settings. When resources do not meet the defined policies, they are flagged as non-compliant. With remediation tasks enabled, Azure Policy can automatically correct non-compliant resources by deploying the required configuration or applying missing settings, reducing manual effort and ensuring continuous compliance across the environment. This approach provides both visibility into policy compliance and automated enforcement, helping organizations maintain security, operational standards, and regulatory requirements efficiently.
Azure Monitor Alerts can notify administrators when specific conditions occur, such as high CPU usage or non-compliant configurations detected through metrics, but it does not take automated corrective action to remediate the resource. Resource Locks protect critical resources by preventing deletion or modification, but they do not enforce compliance or configure resources automatically. Role-Based Access Control (RBAC) defines who can access or manage Azure resources, providing access control but not policy enforcement or remediation capabilities. Therefore, Azure Policy with remediation tasks is the correct solution for automatically identifying and correcting non-compliant resources, ensuring consistent compliance and operational efficiency across an Azure subscription.
Question 90:
You are designing a solution where on-premises workloads must connect to Azure virtual networks over a dedicated line with higher bandwidth and lower latency than public internet. Which service should you use?
A) ExpressRoute
B) VPN Gateway
C) Private Endpoint
D) Network Security Group
Answer: A) ExpressRoute
Explanation:
ExpressRoute provides private connectivity between on-premises networks and Azure over a dedicated circuit. VPN Gateway uses encrypted tunnels over the public internet. Private Endpoint connects individual services privately. NSG filters traffic but does not provide connectivity.
To connect on-premises workloads to Azure virtual networks over a dedicated line with higher bandwidth and lower latency than the public internet, the appropriate service to use is ExpressRoute. ExpressRoute establishes a private, dedicated connection between an organization’s on-premises network and Azure data centers. This dedicated circuit bypasses the public internet, providing more reliable, predictable network performance and enhanced security for data in transit. ExpressRoute supports higher throughput, lower latency, and consistent connectivity, making it ideal for scenarios that require large-scale data transfer, real-time applications, or hybrid cloud workloads with strict performance requirements. Additionally, ExpressRoute can be integrated with multiple Azure regions, offering flexibility for disaster recovery, multi-region deployments, and global connectivity strategies.
VPN Gateway, by contrast, provides secure site-to-site or point-to-site connections using encrypted tunnels over the public internet. While VPN Gateway ensures encryption and secure connectivity, it is subject to internet variability, higher latency, and lower throughput compared to ExpressRoute. Private Endpoints allow private connectivity to individual Azure services, such as Azure SQL Database or Storage, but they do not provide full network connectivity between on-premises environments and Azure VNets. Network Security Groups (NSGs) control and filter traffic to and from resources within a virtual network based on IP addresses, ports, and protocols, but they do not establish connectivity. Therefore, ExpressRoute is the correct solution for private, high-performance, and reliable connectivity between on-premises workloads and Azure virtual networks.
Question 91:
You need to ensure that all Azure virtual machines automatically install operating system updates without user intervention. Which service should you configure?
A) Azure Automation Update Management
B) Azure Policy
C) Azure Monitor
D) VM Scale Sets
Answer: A) Azure Automation Update Management
Explanation:
Update Management allows automatic patching of Windows and Linux VMs, including scheduling and compliance reporting. Policy enforces configurations but does not install updates. Monitor tracks metrics. VM Scale Sets provide scaling, not patching.
To ensure that all Azure virtual machines automatically install operating system updates without user intervention, the appropriate service to configure is Azure Automation Update Management. Update Management enables administrators to manage operating system updates for both Windows and Linux virtual machines, whether they are running in Azure, on-premises, or in other cloud environments. It allows scheduling of update deployments, selecting specific update classifications, and targeting specific groups of VMs. Additionally, it provides compliance reporting, showing which updates have been applied and which remain pending, helping organizations maintain security and operational standards. By automating patching, Update Management reduces the risk of vulnerabilities due to missing updates, ensures consistent system configurations, and minimizes administrative overhead.
Azure Policy is primarily used to enforce compliance rules and configuration standards across Azure resources, such as requiring encryption, specific VM sizes, or tagging conventions, but it does not perform operating system updates. Azure Monitor collects metrics, logs, and alerts from resources, providing visibility into performance and health, but it does not execute updates. VM Scale Sets allow automatic scaling of identical virtual machines based on demand but do not inherently manage operating system patching. Therefore, Azure Automation Update Management is the correct solution for automatically applying operating system updates to virtual machines, ensuring both compliance and security while reducing manual intervention.
Question 92:
You need to track resource usage and generate cost reports across multiple subscriptions for budgeting purposes. Which service should you use?
A) Azure Cost Management + Billing
B) Azure Monitor
C) Azure Policy
D) Resource Groups
Answer: A) Azure Cost Management + Billing
Explanation:
Cost Management + Billing allows tracking usage, costs, and budgets across multiple subscriptions. Monitor tracks performance, Policy enforces rules, and Resource Groups organize resources but do not provide cost reporting.
To track resource usage and generate cost reports across multiple Azure subscriptions for budgeting and financial management, the appropriate service to use is Azure Cost Management + Billing. This service provides a comprehensive view of resource consumption, spending patterns, and cost trends across subscriptions, management groups, and even hybrid cloud environments. Administrators and finance teams can create budgets, set alerts for overspending, analyze cost drivers, and generate detailed reports to understand where resources are being consumed and how costs are allocated. By using Cost Management + Billing, organizations can optimize cloud spending, identify underutilized resources, and implement cost-saving strategies while maintaining visibility into multi-subscription usage.
Azure Monitor focuses on collecting telemetry, metrics, and logs from resources to provide operational insights and performance monitoring. While it helps track resource health and performance, it does not provide detailed cost reporting or budgeting capabilities. Azure Policy enforces compliance rules and configuration standards across resources, such as ensuring encryption or required tags, but it does not track costs or generate financial reports. Resource Groups allow administrators to logically organize and manage related resources, making it easier to control access or manage deployments, but they do not provide usage or cost reporting functionality. Therefore, Azure Cost Management + Billing is the correct solution for tracking resource usage, monitoring spending, and generating cost reports across multiple subscriptions, enabling effective budgeting and financial oversight in Azure environments.
Question 93:
You need to ensure that Azure VMs in a subscription are deployed only in approved regions. Which service should you configure?
A) Azure Policy
B) RBAC
C) Resource Locks
D) Azure Monitor
Answer: A) Azure Policy
Explanation:
Azure Policy can restrict resource deployment to specific regions, ensuring compliance. RBAC controls permissions but not locations. Resource Locks prevent deletion but not deployment in unauthorized regions. Monitor only tracks metrics.
To ensure that Azure virtual machines in a subscription are deployed only in approved regions, the appropriate service to configure is Azure Policy. Azure Policy allows administrators to define and enforce rules that control how resources are deployed and configured within an Azure environment. By creating a policy that restricts the allowed locations for virtual machines, organizations can ensure compliance with regulatory, operational, or organizational requirements. Any attempt to deploy a VM in a non-approved region will be blocked, or if configured in audit mode, flagged as non-compliant for review. This provides both enforcement and visibility into resource deployment practices, helping prevent misconfigurations and ensuring governance across multiple subscriptions.
Role-Based Access Control (RBAC) is designed to manage who can perform actions on Azure resources, such as creating, modifying, or deleting VMs, but it does not control where resources can be deployed. Resource Locks prevent accidental deletion or modification of critical resources, ensuring that important assets are protected, but they do not restrict deployment to specific regions. Azure Monitor provides monitoring, logging, and alerting capabilities for resource performance and health but does not enforce deployment restrictions or governance rules. Therefore, Azure Policy is the correct solution for restricting Azure VM deployments to approved regions, enabling consistent compliance, governance, and operational control across the organization.
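As an added example (not from the page), this defines and assigns a custom Azure Policy that restricts virtual machine deployments to a list of approved regions, with a switchable Audit/Deny effect so the assignment can start in audit mode before it blocks anything. The subscription id is a placeholder and the region list is assumed; the policy language, aliases and cmdlets are the standard ones, and a built-in "Allowed locations" policy covering all resource types also exists.

```powershell
# Added example (not from the page): deny VM creation outside approved regions.
# Placeholder: <SUBSCRIPTION-ID>. Assumed approved regions: westeurope, northeurope.

# The rule matches VMs whose location is not in the parameter list and applies the chosen effect.
$policyRule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
      { "field": "location", "notIn": "[parameters('allowedLocations')]" }
    ]
  },
  "then": { "effect": "[parameters('effect')]" }
}
'@

$policyParams = @'
{
  "allowedLocations": {
    "type": "Array",
    "metadata": { "displayName": "Allowed locations", "strongType": "location" }
  },
  "effect": {
    "type": "String",
    "allowedValues": [ "Audit", "Deny" ],
    "defaultValue": "Deny"
  }
}
'@

$def = New-AzPolicyDefinition -Name 'vm-allowed-locations' `
    -DisplayName 'VMs only in approved regions' `
    -Mode All -Policy $policyRule -Parameter $policyParams

# Assign at subscription scope. Audit first to see what would have been blocked, then re-assign with Deny.
$scope = '/subscriptions/<SUBSCRIPTION-ID>'
New-AzPolicyAssignment -Name 'vm-allowed-locations' -Scope $scope -PolicyDefinition $def `
    -PolicyParameterObject @{
        allowedLocations = @('westeurope', 'northeurope')
        effect           = 'Audit'
    }

# Check: trigger a compliance scan, then list the VMs that currently sit outside the approved regions.
Start-AzPolicyComplianceScan
Get-AzPolicyState -PolicyAssignmentName 'vm-allowed-locations' `
    -Filter "ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, ResourceLocation
```

Switching the assignment's effect parameter to Deny turns the same rule into a hard block at deployment time, which is the enforcement behaviour the explanation above describes; existing VMs in other regions are reported as non-compliant but are not moved or deleted.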
Question 94:
You need to create a highly available Azure Load Balancer configuration that supports automatic failover and distributes traffic to multiple VMs in different availability zones. Which solution should you implement?
A) Standard Load Balancer with zone redundancy
B) Application Gateway
C) VM Scale Set with autoscale
D) Network Security Group
Answer: A) Standard Load Balancer with zone redundancy
Explanation:
Standard Load Balancer can distribute traffic across VMs in multiple availability zones and supports zone-redundant high availability. Application Gateway is for HTTP/HTTPS traffic. VM Scale Sets provide scaling but not direct load balancing. NSGs filter traffic.
To create a highly available Azure Load Balancer configuration that supports automatic failover and distributes traffic to multiple virtual machines across different availability zones, the appropriate solution is a Standard Load Balancer with zone redundancy. The Standard Load Balancer allows you to distribute both inbound and outbound network traffic evenly across multiple backend virtual machines, providing high availability and resiliency. When configured with zone redundancy, the load balancer can span multiple availability zones within a region, ensuring that even if one zone experiences an outage, traffic is automatically routed to VMs in the remaining zones. This configuration guarantees minimal downtime, seamless failover, and optimized performance for mission-critical applications.
Application Gateway, while offering layer 7 load balancing for HTTP and HTTPS traffic, is designed for web applications and provides features such as SSL termination, cookie-based session affinity, and application-level routing. It does not directly provide zone-redundant, layer 4 load balancing for general network traffic. VM Scale Sets allow automatic scaling of virtual machines based on demand and can integrate with load balancers, but the scale set itself does not provide direct traffic distribution or zone-redundant failover without an accompanying load balancer. Network Security Groups (NSGs) control inbound and outbound traffic by filtering based on IP addresses, ports, and protocols, but they do not distribute traffic or provide high availability. Therefore, implementing a Standard Load Balancer with zone redundancy is the correct solution for achieving highly available, fault-tolerant traffic distribution across multiple VMs in different availability zones.
Question 95:
You need to audit all changes made to Azure resource configurations to comply with regulatory requirements. Which service should you use?
A) Azure Activity Logs
B) Azure Monitor Metrics
C) Azure Policy
D) RBAC
Answer: A) Azure Activity Logs
Explanation:
Activity Logs track all write operations performed on resources, including who made changes and when. Monitor Metrics tracks performance, Policy enforces configuration, and RBAC manages permissions but does not audit changes.
To audit all changes made to Azure resource configurations and comply with regulatory requirements, the appropriate service to use is Azure Activity Logs. Activity Logs provide a comprehensive record of all write operations performed on Azure resources, including resource creation, modification, and deletion. They capture critical details such as who initiated the change, when the action occurred, and which resource was affected. This detailed auditing capability allows organizations to maintain visibility over administrative activities, meet compliance standards, and investigate any unauthorized or unexpected modifications. Activity Logs can also be integrated with Azure Monitor, Log Analytics, or third-party security information and event management (SIEM) systems to enhance reporting, alerting, and analysis.
Azure Monitor Metrics focuses on collecting numeric performance and usage data, such as CPU utilization, memory consumption, and network throughput. While valuable for monitoring resource health and performance trends, it does not provide detailed information about configuration changes or the users performing them. Azure Policy is used to enforce organizational standards and compliance rules across resources, such as requiring encryption or specific tagging, but it does not log individual configuration changes. Role-Based Access Control (RBAC) manages who can perform actions on resources and assigns permissions, but it does not provide a history of changes or an audit trail. Therefore, Azure Activity Logs is the correct solution for auditing changes to Azure resources, enabling regulatory compliance and operational transparency.
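The following Az PowerShell snippet is an added example, not part of the original page, showing how an administrator would pull the audit trail the explanation describes: write, delete and action operations from the Activity Log for one resource group, with the caller, the resource and the client IP. The resource group name and the seven-day window are assumptions.

```powershell
# Added example (not from the original page): list configuration changes recorded
# in the Activity Log for the last 7 days. Resource group name is an assumption.
$rg    = 'rg-prod'
$since = (Get-Date).AddDays(-7)

$events = Get-AzActivityLog -ResourceGroupName $rg -StartTime $since -DetailedOutput

# Keep only operations that change state (…/write, …/delete, …/action), not reads,
# and only the row recording the outcome (Succeeded/Failed), not the 'Started' row.
$changes = $events |
    Where-Object {
        $_.OperationName.Value -match '/(write|delete|action)$' -and
        $_.Status.Value -ne 'Started'
    } |
    Select-Object EventTimestamp,
        @{ n = 'Caller';    e = { $_.Caller } },
        @{ n = 'Operation'; e = { $_.OperationName.Value } },
        @{ n = 'Resource';  e = { $_.ResourceId } },
        @{ n = 'Status';    e = { $_.Status.Value } },
        @{ n = 'CallerIp';  e = { $_.HttpRequest.ClientIpAddress } }

# Most recent change first: who did what, to which resource, from where.
$changes | Sort-Object EventTimestamp -Descending | Format-Table -AutoSize

# Per-principal summary: identities with the most changes this week stand out,
# which is the quickest way to spot an unexpected or unauthorized actor.
$changes | Group-Object Caller | Sort-Object Count -Descending |
    Select-Object Count, Name
```

Note that the Activity Log itself is retained by the platform for 90 days; for the multi-year retention that regulations usually demand, the log has to be exported through a diagnostic setting to a Log Analytics workspace, a storage account or a SIEM, as the explanation mentions.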
Question 96:
You need to implement geo-redundant storage for Azure Blob Storage to ensure resilience in case of regional failures. Which replication type should you choose?
A) Geo-Redundant Storage
B) Locally Redundant Storage
C) Read-Access Geo-Redundant Storage
D) Zone-Redundant Storage
Answer: A) Geo-Redundant Storage
Explanation:
Geo-Redundant Storage replicates data to a secondary region for disaster recovery. Read-Access GRS also allows reads from the secondary region, but that read access is optional and is not required here. Locally Redundant Storage replicates within a single datacenter. Zone-Redundant Storage replicates across zones within the same region.
To implement geo-redundant storage for Azure Blob Storage and ensure resilience in case of regional failures, the appropriate replication type is Geo-Redundant Storage (GRS). GRS automatically replicates data to a secondary Azure region, geographically distant from the primary region. This replication provides a high level of durability and protection against regional outages or disasters, ensuring that data can be recovered even if the primary region becomes unavailable. GRS maintains six copies of data: three in the primary region and three in the secondary region, allowing organizations to meet stringent business continuity and disaster recovery requirements.
Read-Access Geo-Redundant Storage (RA-GRS) extends GRS by allowing read operations from the secondary region, which can be beneficial for scenarios where data availability for read operations is required even during a primary region outage, but read access from the secondary is optional depending on the use case. Locally Redundant Storage (LRS) replicates data three times within a single datacenter in the same region, providing protection against hardware failures but not against regional outages. Zone-Redundant Storage (ZRS) replicates data across multiple availability zones within the same region, offering resilience against datacenter-level failures but not geographic disasters. Therefore, for full regional disaster recovery and geo-redundancy, Geo-Redundant Storage is the correct choice, providing robust protection and ensuring business continuity across regions.
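As an added example (not from the original page), here is how the GRS choice above looks in Az PowerShell: create the account with the Standard_GRS SKU, confirm that plain GRS exposes no secondary endpoint (that is the RA-GRS difference), and read the geo-replication statistics that tell you how much data an unplanned failover would lose. The resource group, account name and region are assumptions.

```powershell
# Added example (not from the original page): geo-redundant Blob storage account
# and a replication-lag check. Names and region are assumptions.
$rg   = 'rg-data'
$name = 'stgeoexample01'   # must be globally unique: 3-24 lowercase letters/digits

$sa = New-AzStorageAccount -ResourceGroupName $rg -Name $name -Location 'eastus' `
    -SkuName Standard_GRS -Kind StorageV2 -AccessTier Hot `
    -AllowBlobPublicAccess $false -MinimumTlsVersion TLS1_2

# Azure picks the secondary (the paired region); you cannot choose it.
$sa.SecondaryLocation

# With plain GRS the secondary is a failover target only, so there is no
# secondary endpoint. RA-GRS (Standard_RAGRS) would populate this property.
$sa.SecondaryEndpoints

# Replication is asynchronous: data written after LastSyncTime has not reached the
# secondary yet and would be lost in an unplanned regional failover.
$stats = (Get-AzStorageAccount -ResourceGroupName $rg -Name $name `
    -IncludeGeoReplicationStats).GeoReplicationStats
'{0}: last sync {1:u}' -f $stats.Status, $stats.LastSyncTime

# An existing LRS account is upgraded with a SKU change; Azure copies the data:
# Set-AzStorageAccount -ResourceGroupName $rg -Name $name -SkuName Standard_GRS
```

The LastSyncTime check is the operational detail behind "six copies": the three secondary copies exist, but they trail the primary, so recovery point objectives must be stated with that lag in mind.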
Question 97:
You need to track and alert on CPU and memory usage for all Azure virtual machines in a subscription. Which service should you use?
A) Azure Monitor with metrics and alerts
B) Azure Policy
C) Resource Locks
D) RBAC
Answer: A) Azure Monitor with metrics and alerts
Explanation:
Azure Monitor collects performance metrics and allows configuration of alerts based on thresholds. Policy enforces configurations. Resource Locks prevent deletion. RBAC controls permissions.
To track and alert on CPU and memory usage for all Azure virtual machines in a subscription, the appropriate service to use is Azure Monitor with metrics and alerts. Azure Monitor collects a wide range of performance and diagnostic data from Azure resources, including virtual machines. It tracks metrics such as CPU utilization, memory consumption, disk I/O, and network activity. Administrators can create alerts based on predefined thresholds or dynamic conditions, ensuring proactive monitoring of resource performance. These alerts can trigger notifications through email, SMS, or integration with IT service management tools, enabling rapid response to performance issues or potential resource bottlenecks. Additionally, Azure Monitor allows aggregation of metrics across multiple VMs, providing a centralized view of resource utilization and operational health.
Azure Policy is used to enforce compliance and configuration standards across resources, such as requiring encryption, specific VM sizes, or tagging conventions, but it does not collect performance metrics or generate alerts based on resource usage. Resource Locks prevent accidental or intentional deletion or modification of critical resources but do not monitor performance. Role-Based Access Control (RBAC) manages who can perform actions on resources and what level of access they have, but it does not provide monitoring or alerting capabilities. Therefore, Azure Monitor with metrics and alerts is the correct solution for tracking CPU and memory usage and proactively managing the performance of Azure virtual machines across a subscription.
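The Az PowerShell fragment below is an added example, not code from the original page. It creates the subscription-wide metric alerts the explanation describes: one rule for CPU and one for memory, scoped to every VM in a region so that new VMs are covered without editing the rule. The resource group, region and action group are assumptions (the action group is assumed to exist already); the memory rule assumes the VM reports the Available Memory Bytes platform metric.

```powershell
# Added example (not from the original page): subscription-wide metric alerts for
# VM CPU and memory. Resource group, region and action group are assumptions.
$rg     = 'rg-monitoring'
$region = 'eastus'
$subId  = (Get-AzContext).Subscription.Id

# Where alerts are delivered (e-mail, SMS, webhook, ITSM connector...). Assumed to exist.
$ag = Get-AzActionGroup -ResourceGroupName $rg -Name 'ag-ops'

# Settings shared by both rules. A multi-resource scope (subscription + resource type
# + region) means any VM created later in that region is automatically covered.
$common = @{
    ResourceGroupName    = $rg
    TargetResourceScope  = "/subscriptions/$subId"
    TargetResourceType   = 'Microsoft.Compute/virtualMachines'
    TargetResourceRegion = $region
    WindowSize           = New-TimeSpan -Minutes 5   # evaluate the last 5 minutes
    Frequency            = New-TimeSpan -Minutes 1   # re-evaluate every minute
    ActionGroupId        = $ag.Id
    Severity             = 2
}

# CPU: static threshold on the platform metric 'Percentage CPU'.
$cpu = New-AzMetricAlertRuleV2Criteria -MetricName 'Percentage CPU' `
    -MetricNamespace 'Microsoft.Compute/virtualMachines' `
    -TimeAggregation Average -Operator GreaterThan -Threshold 80
Add-AzMetricAlertRuleV2 @common -Name 'vm-cpu-high' -Condition $cpu `
    -Description 'Average CPU above 80% for 5 minutes'

# Memory: separate rule, because multiple criteria in one rule are ANDed together.
# Assumes the VM exposes the 'Available Memory Bytes' platform metric; older sizes
# may need a guest metric collected by the Azure Monitor Agent instead.
$mem = New-AzMetricAlertRuleV2Criteria -MetricName 'Available Memory Bytes' `
    -MetricNamespace 'Microsoft.Compute/virtualMachines' `
    -TimeAggregation Average -Operator LessThan -Threshold 512MB
Add-AzMetricAlertRuleV2 @common -Name 'vm-memory-low' -Condition $mem `
    -Description 'Less than 512 MiB of memory available for 5 minutes'
```

Keeping CPU and memory as two rules matters: a single rule with two criteria only fires when both are breached at once, which is rarely the condition an operator wants to be paged on.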
Question 98:
You are designing a solution to allow external partners to access specific resources in Azure AD without giving them full access to internal resources. Which feature should you implement?
A) Azure AD Guest Users
B) Azure AD B2C
C) Conditional Access
D) Privileged Identity Management
Answer: A) Azure AD Guest Users
Explanation:
Guest Users allow external partners to access selected resources with limited permissions. B2C is for customer identities. Conditional Access controls login conditions. PIM manages temporary elevated access.
To allow external partners to access specific resources in Azure AD without granting full access to internal resources, the appropriate feature to implement is Azure AD Guest Users. Guest Users enable organizations to invite external users, such as partners, contractors, or vendors, into their Azure AD tenant with limited permissions. These users can access only the resources and applications explicitly shared with them, ensuring that sensitive internal data and services remain protected. Guest accounts integrate seamlessly with Azure AD access controls, allowing administrators to apply role-based access control (RBAC), group memberships, and conditional policies to manage what these users can see and do. This approach provides secure collaboration while maintaining organizational security and compliance standards.
Azure AD B2C is designed for managing customer identities and providing authentication for consumer-facing applications. While it offers secure access, it is not intended for managing external business partners or internal resource access. Conditional Access allows administrators to define rules that control access based on conditions such as location, device compliance, or risk, but it does not create or manage external user accounts. Privileged Identity Management (PIM) manages temporary elevated access for internal users, enabling just-in-time administrative privileges, but it is not used for external partner access. Therefore, Azure AD Guest Users is the correct solution for granting controlled access to external partners, enabling secure collaboration without exposing internal resources unnecessarily.
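As an added example (not from the original page), the following PowerShell invites a partner as a guest with the Microsoft Graph PowerShell SDK and then grants that guest a role on a single resource group through Az PowerShell, which is the "selected resources, limited permissions" pattern described above. The partner address, display name, redirect URL and resource group are assumptions.

```powershell
# Added example (not from the original page): invite a guest and scope their access
# to one resource group. Partner address, names and resource group are assumptions.
Connect-MgGraph -Scopes 'User.Invite.All'

$invite = New-MgInvitation -InvitedUserEmailAddress 'analyst@partner.example' `
    -InvitedUserDisplayName 'Partner Analyst' `
    -InviteRedirectUrl 'https://myapps.microsoft.com' `
    -SendInvitationMessage:$true

# The guest object (UserType = Guest) exists in the tenant as soon as the invitation
# is created, before the partner accepts, so it can be authorized right away.
$guestId = $invite.InvitedUser.Id

# Least privilege: assign Reader at the resource group the partner needs, not at the
# subscription. If the assignment fails with "principal not found", the new object
# has not replicated yet; wait a few seconds and retry.
$rg = Get-AzResourceGroup -Name 'rg-partner-data'
New-AzRoleAssignment -ObjectId $guestId -RoleDefinitionName 'Reader' -Scope $rg.ResourceId

# Review: everything this guest can reach in the current subscription.
Get-AzRoleAssignment -ObjectId $guestId | Select-Object RoleDefinitionName, Scope

# Periodic review of all guests in the tenant, the usual compliance check.
Get-MgUser -Filter "userType eq 'Guest'" -Property DisplayName, Mail, CreatedDateTime |
    Select-Object DisplayName, Mail, CreatedDateTime
```

The role assignment, not the invitation, is what limits exposure: a guest with no assignments can sign in but sees nothing, and every resource they can reach should be traceable to an explicit, scoped assignment like the one above.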
Question 99:
You need to restore a deleted Azure Key Vault and its contents within the retention period. Which feature allows this?
A) Soft Delete with Purge Protection
B) Azure Policy
C) Resource Lock
D) RBAC
Answer: A) Soft Delete with Purge Protection
Explanation:
Soft Delete retains deleted Key Vaults and secrets for a configurable period, and Purge Protection ensures they cannot be permanently deleted until the retention period expires. Policy enforces configuration. Resource Lock prevents deletion but does not restore deleted objects. RBAC controls access.
To restore a deleted Azure Key Vault and its contents within the retention period, the appropriate feature to use is Soft Delete with Purge Protection. Soft Delete ensures that when a Key Vault or any of its objects, such as secrets, keys, or certificates, is deleted, it is retained in a recoverable state for a configurable retention period, typically 90 days by default. During this period, administrators can recover the deleted Key Vault or its contents, preventing accidental or malicious permanent loss of critical secrets and cryptographic keys. Purge Protection adds an additional layer of security by preventing permanent deletion of the Key Vault or its objects until the retention period expires. This ensures that sensitive data cannot be irreversibly removed by mistake or unauthorized actions, providing a secure recovery window for critical resources.
Azure Policy can enforce that Soft Delete and Purge Protection are enabled on Key Vaults, helping organizations comply with security and compliance requirements, but it does not itself restore deleted resources. Resource Locks can prevent accidental deletion of Key Vaults while they exist, but they cannot recover a Key Vault that has already been deleted. Role-Based Access Control (RBAC) manages who can access or modify Key Vaults and their contents, ensuring appropriate permissions, but it does not provide restoration capabilities. Therefore, enabling Soft Delete with Purge Protection is the correct solution to securely retain and restore deleted Azure Key Vaults and their contents within the retention period, ensuring data protection and regulatory compliance.
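This Az PowerShell walkthrough is an added example, not code from the original page. It creates a vault with purge protection and a 90-day retention window, then shows both recovery paths the explanation refers to: a single deleted secret and a deleted vault. The resource group, vault name, region and secret name are assumptions.

```powershell
# Added example (not from the original page): soft delete + purge protection on a
# Key Vault, then recovery of a secret and of the vault. Names are assumptions.
$rg    = 'rg-security'
$vault = 'kv-example-prod'
$loc   = 'eastus'

# Soft delete is always on for new vaults. Purge protection is opt-in and, once
# enabled, can never be turned off; the 7-90 day retention is fixed at creation.
New-AzKeyVault -ResourceGroupName $rg -Name $vault -Location $loc `
    -SoftDeleteRetentionInDays 90 -EnablePurgeProtection

# Existing vault that only has soft delete? Add purge protection in place:
# Update-AzKeyVault -ResourceGroupName $rg -VaultName $vault -EnablePurgeProtection

# --- Recover one secret that was deleted by mistake ---
Remove-AzKeyVaultSecret -VaultName $vault -Name 'db-password' -Force
Get-AzKeyVaultSecret -VaultName $vault -InRemovedState |
    Select-Object Name, DeletedDate, ScheduledPurgeDate
Undo-AzKeyVaultSecretRemoval -VaultName $vault -Name 'db-password'

# --- Recover the whole vault ---
Remove-AzKeyVault -ResourceGroupName $rg -VaultName $vault -Force
Get-AzKeyVault -InRemovedState | Select-Object VaultName, DeletionDate, ScheduledPurgeDate
Undo-AzKeyVaultRemoval -ResourceGroupName $rg -VaultName $vault -Location $loc

# With purge protection on, a purge is refused until ScheduledPurgeDate has passed,
# even for an owner. Without it, this command would destroy the vault immediately:
# Remove-AzKeyVault -VaultName $vault -Location $loc -InRemovedState -Force
```

The difference between the two settings is the last comment: soft delete gives you the recovery window, purge protection is what stops a compromised or careless administrator from cutting that window short.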
Question 100:
You need to restrict outbound internet traffic from Azure VMs to only specific destinations while maintaining internal network connectivity. Which solution should you implement?
A) Azure Firewall with network rules
B) Network Security Group
C) Route Table
D) Private Endpoint
Answer: A) Azure Firewall with network rules
Explanation:
Azure Firewall can restrict outbound traffic to allowed IP addresses or FQDNs while maintaining internal connectivity. NSG can filter per subnet or VM but is less flexible for complex outbound rules. Route Tables manage routing, and Private Endpoints control access to specific services.
To restrict outbound internet traffic from Azure virtual machines to only specific destinations while maintaining internal network connectivity, the appropriate solution is Azure Firewall with network rules. Azure Firewall is a fully managed, cloud-native network security service that enables centralized control over inbound and outbound traffic. By creating network rules, administrators can define which IP addresses, ranges, or fully qualified domain names (FQDNs) are allowed for outbound traffic from VMs. This ensures that VMs can access only authorized external destinations while continuing to communicate freely within the internal virtual network. Azure Firewall also provides threat intelligence, logging, and monitoring capabilities, allowing organizations to enforce security policies consistently across multiple subnets or VNets.
Network Security Groups (NSGs) can filter inbound and outbound traffic at the subnet or NIC level based on IP addresses, ports, and protocols. While NSGs provide basic filtering capabilities, they are less flexible for complex outbound rules, such as allowing traffic to specific FQDNs or applying centralized policies across multiple VNets. Route Tables control how traffic is routed between subnets, VNets, or external destinations but do not enforce security restrictions or limit outbound access. Private Endpoints provide private, secure access to specific Azure services by assigning a private IP, but they do not manage general outbound internet traffic. Therefore, implementing Azure Firewall with network rules is the correct approach for restricting outbound connectivity to approved destinations while preserving internal network communication.
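As an added example (not from the original page), the Az PowerShell below implements the outbound restriction described above: network rules on an existing Azure Firewall allow only two destinations from a workload subnet, and a user-defined route sends the subnet's default route through the firewall so that everything else is dropped by the firewall's implicit deny. The firewall, resource group, virtual network, subnet and the destination addresses (RFC 5737 documentation ranges, constructed for the example) are assumptions.

```powershell
# Added example (not from the original page): allow-list outbound traffic with
# Azure Firewall network rules and force the subnet's default route through it.
# Firewall, network names and destination addresses are assumptions.
$rg = 'rg-network'
$fw = Get-AzFirewall -ResourceGroupName $rg -Name 'fw-hub'   # assumed to exist

# Network rules are layer 3/4: source, destination IP (or FQDN), port, protocol.
# Destinations below are constructed documentation addresses, not real services.
$api = New-AzFirewallNetworkRule -Name 'allow-partner-api' -SourceAddress '10.1.2.0/24' `
    -DestinationAddress '203.0.113.25' -DestinationPort 443 -Protocol TCP
$ntp = New-AzFirewallNetworkRule -Name 'allow-ntp' -SourceAddress '10.1.2.0/24' `
    -DestinationAddress '198.51.100.10' -DestinationPort 123 -Protocol UDP

$coll = New-AzFirewallNetworkRuleCollection -Name 'workload-egress' -Priority 200 `
    -Rule $api, $ntp -ActionType Allow
$fw.NetworkRuleCollections.Add($coll)
Set-AzFirewall -AzureFirewall $fw | Out-Null

# Anything not matched by an Allow rule is dropped (implicit deny). The VMs only
# reach the firewall if their subnet's default route points at its private IP.
$fwIp  = $fw.IpConfigurations[0].PrivateIPAddress
$route = New-AzRouteConfig -Name 'default-via-firewall' -AddressPrefix '0.0.0.0/0' `
    -NextHopType VirtualAppliance -NextHopIpAddress $fwIp
$rt = New-AzRouteTable -ResourceGroupName $rg -Name 'rt-workload' -Location 'eastus' `
    -Route $route

# Internal connectivity is preserved: the system routes for the VNet's own address
# space are more specific than 0.0.0.0/0, so VNet-internal traffic never leaves.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-spoke'
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-workload'
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-workload' `
    -AddressPrefix $subnet.AddressPrefix -RouteTable $rt | Set-AzVirtualNetwork | Out-Null
```

Two practical notes: FQDN-based network rules only work when the firewall's DNS proxy is enabled, and for HTTP/HTTPS destinations an application rule (which matches on the requested host name) is the usual way to allow-list by FQDN. Firewall logs sent to Log Analytics then show every denied outbound attempt, which is the detection side of this control.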