Microsoft AZ-104 Microsoft Azure Administrator Exam Dumps and Practice Test Questions Set 8 Q141-160


Question 141: 

You need to replicate Azure VMs to another region for disaster recovery while keeping minimal downtime in case of failure. Which service should you use?

A) Azure Site Recovery
B) Azure Backup
C) Log Analytics Workspace
D) Azure Monitor

Answer: A) Azure Site Recovery

Explanation: 

Azure Site Recovery provides continuous replication of VMs to a secondary region and allows failover with minimal downtime. Backup is point-in-time recovery, not replication. Log Analytics collects logs and Monitor tracks metrics but neither replicates workloads.

To replicate Azure virtual machines to another region for disaster recovery while minimizing downtime, the appropriate service to use is Azure Site Recovery. Azure Site Recovery continuously replicates VMs from a primary region to a secondary region, ensuring that a near real-time copy of the workload is maintained. In the event of an outage or disaster, you can perform a failover to the secondary region, allowing applications to continue running with minimal disruption. This service supports both planned and unplanned failovers, enabling organizations to maintain business continuity and meet recovery time objectives. Site Recovery also provides orchestration features, such as automated failover testing and recovery plans, which help ensure that applications are brought back online in the correct order and configuration after a disaster.

Azure Backup, while essential for data protection, provides point-in-time recovery rather than continuous replication. It allows restoring data or virtual machines to a previous state, but it does not maintain a live copy in another region for immediate failover. Log Analytics Workspace is a centralized platform for collecting, analyzing, and querying logs from various Azure resources. It is used for monitoring, auditing, and reporting but does not replicate or fail over workloads. Azure Monitor collects metrics, performance data, and telemetry for monitoring and alerting purposes. It helps track resource health and performance but does not provide disaster recovery or replication capabilities. Therefore, for continuous VM replication and minimal downtime failover, Azure Site Recovery is the correct solution.

Question 142: 

You need to enforce that all storage accounts use secure transfer (HTTPS) connections. Which Azure service allows this?

A) Azure Policy
B) Resource Locks
C) RBAC
D) Azure Monitor

Answer: A) Azure Policy

Explanation: 

Azure Policy can enforce secure transfer settings on all storage accounts. Resource Locks prevent deletion. RBAC controls access but does not enforce security settings. Monitor tracks activity but cannot enforce compliance.

To enforce that all Azure Storage accounts use secure transfer (HTTPS) connections, the appropriate service to use is Azure Policy. Azure Policy allows administrators to define rules and automatically evaluate compliance across all resources in a subscription. By creating a policy that requires secure transfer, organizations can ensure that storage accounts only accept HTTPS connections, protecting data in transit from being exposed over insecure channels. When a storage account is created or updated, Azure Policy can automatically audit or block non-compliant configurations, ensuring that all accounts meet security and regulatory requirements. This provides a centralized and consistent approach to enforcing secure transfer settings across multiple resources and subscriptions.

Resource Locks are used to prevent accidental deletion or modification of critical resources by applying delete or read-only locks. While they safeguard resources, they do not enforce configuration settings such as secure transfer. Role-Based Access Control, or RBAC, manages permissions for users, groups, and applications by assigning roles that determine what actions they can perform on Azure resources. RBAC controls access but does not enforce specific security configurations like HTTPS-only connections. Azure Monitor collects metrics, logs, and telemetry from Azure resources to track performance, detect anomalies, and generate alerts. Although it provides visibility into activity, it does not enforce compliance or configuration rules. Therefore, to ensure that all storage accounts require secure transfer, Azure Policy is the correct solution.

Question 143: 

You want to allow external partners to access specific resources in your Azure AD tenant without giving full access to internal resources. Which solution should you implement?

A) Azure AD Guest Users
B) Azure AD B2C
C) Conditional Access
D) Privileged Identity Management

Answer: A) Azure AD Guest Users

Explanation: 

Guest Users allow external partners limited access to selected resources. B2C is for customer-facing applications. Conditional Access enforces login policies but does not create accounts. PIM manages temporary elevated access.

To allow external partners to access specific resources in your Azure AD tenant without granting full access to internal resources, the appropriate solution is Azure AD Guest Users. Guest Users enable organizations to invite external users, such as business partners or contractors, into their Azure AD tenant while giving them restricted access to only the resources required for collaboration. This ensures that external users can work on shared applications, SharePoint sites, or other designated resources without having access to sensitive internal systems or full subscription permissions. Guest users can be managed similarly to internal users, with role assignments and group memberships controlling the scope of their access. Additionally, you can apply conditional access policies and multi-factor authentication to guest accounts, further enhancing security while maintaining controlled collaboration.

Azure AD B2C is designed for managing customer identities in consumer-facing applications. It allows external users to sign in and access services but is not intended for business partner collaboration within an organization’s internal resources. Conditional Access enforces policies such as requiring multi-factor authentication, device compliance, or location-based restrictions during sign-in. While it strengthens security for access, it does not create or manage accounts for external users. Privileged Identity Management, or PIM, manages temporary elevated access for internal users with administrative roles. It is useful for just-in-time access but does not facilitate controlled access for external partners. Therefore, to grant limited, secure access to external partners, Azure AD Guest Users is the correct solution.

Question 144: 

You need to ensure all new Azure VMs in a subscription automatically install the latest security updates. Which service should you use?

A) Azure Automation Update Management
B) Azure Policy
C) Azure Monitor
D) RBAC

Answer: A) Azure Automation Update Management

Explanation: 

Update Management allows scheduling of automatic OS patching for Windows and Linux VMs. Policy enforces configuration but does not install updates. Monitor tracks performance metrics. RBAC controls access.

To ensure that all new Azure virtual machines in a subscription automatically install the latest security updates, the appropriate service to use is Azure Automation Update Management. Update Management enables administrators to schedule and automate operating system patching for both Windows and Linux VMs. It allows defining maintenance windows, approving updates, and automatically deploying required patches, ensuring that all VMs remain up to date with the latest security fixes. Additionally, Update Management provides compliance reporting, so administrators can track which VMs are patched and identify any that are non-compliant. This automation reduces administrative overhead, improves security posture, and ensures consistency across multiple VMs in different subscriptions or resource groups.

Azure Policy is primarily used to enforce organizational or regulatory standards by auditing or restricting resource configurations. While it can ensure that VMs are enrolled in Update Management, it does not perform the actual installation of updates. Azure Monitor collects telemetry, metrics, and logs from Azure resources to track performance, detect anomalies, and trigger alerts. While useful for monitoring, it does not provide automated patching or update deployment. Role-Based Access Control, or RBAC, manages permissions and determines who can perform actions on resources. RBAC secures access but does not handle patch management or enforce update compliance. Therefore, to automatically install the latest security updates on all new Azure VMs, Azure Automation Update Management is the correct solution.

Question 145: 

You are designing a solution to encrypt data at rest in Azure SQL Database using customer-managed keys stored in Azure Key Vault. Which two services are required?

A) Azure Key Vault and customer-managed key encryption in SQL Database
B) Azure Backup and RBAC
C) Resource Locks and Azure Policy
D) Azure Monitor and RBAC

Answer: A) Azure Key Vault and customer-managed key encryption in SQL Database

Explanation: 

Azure Key Vault stores the customer-managed keys and SQL Database allows encryption using these keys. Backup protects data but does not encrypt it. Policy enforces usage but does not store keys. RBAC and Monitor do not encrypt data.

To encrypt data at rest in Azure SQL Database using customer-managed keys, the two required services are Azure Key Vault and customer-managed key encryption in SQL Database. Azure Key Vault provides a secure and centralized repository for storing cryptographic keys, secrets, and certificates. By storing customer-managed keys in Key Vault, organizations maintain full control over key lifecycle, access policies, and auditing. This ensures that only authorized users or services can access the keys used to encrypt sensitive data.

Customer-managed key encryption in SQL Database, also known as Transparent Data Encryption (TDE) with Bring Your Own Key (BYOK), allows the database to use the keys stored in Azure Key Vault to encrypt data at rest. This enables organizations to meet compliance requirements, implement strict security controls, and manage key rotation or revocation independently of the platform-managed encryption keys provided by Azure.

Azure Backup is designed to protect and restore data but does not provide encryption using customer-managed keys. Resource Locks prevent accidental deletion or modification of resources, and Azure Policy enforces configurations, but neither stores or manages encryption keys. Azure Monitor collects metrics and telemetry for monitoring purposes, while RBAC manages permissions, but neither encrypts data. Therefore, to achieve encryption at rest with customer-managed keys in Azure SQL Database, Azure Key Vault and customer-managed key encryption in SQL Database are the correct solution.

Question 146: 

You need to restore a deleted Key Vault and its secrets within the retention period. Which feature allows this?

A) Soft Delete with Purge Protection
B) Resource Lock
C) Azure Policy
D) RBAC

Answer: A) Soft Delete with Purge Protection

Explanation: 

Soft Delete retains deleted Key Vaults and secrets for a retention period, and Purge Protection ensures they cannot be permanently deleted until the retention expires. Resource Lock prevents deletion proactively. Policy enforces settings. RBAC controls access.

To restore a deleted Azure Key Vault and its secrets within a retention period, the appropriate feature to use is Soft Delete with Purge Protection. Soft Delete ensures that when a Key Vault or its secrets are deleted, they are not immediately removed permanently. Instead, they are retained in a recoverable state for a configurable retention period, allowing administrators to restore the Key Vault and all associated secrets if the deletion was accidental or premature. This provides a safety net for critical cryptographic keys and secrets, ensuring business continuity and data protection.

Purge Protection enhances Soft Delete by preventing the permanent deletion of a Key Vault or its secrets until the retention period expires. This means that even users with high-level permissions cannot bypass the retention period and permanently remove the Key Vault, offering an additional layer of protection against malicious or accidental data loss.

Resource Locks can be applied to prevent accidental deletion or modification of resources by enforcing read-only or delete restrictions. However, Resource Locks act proactively and do not allow recovery once a Key Vault is deleted. Azure Policy enforces compliance and configuration rules across Azure resources, such as requiring encryption or tagging. While useful for governance, it does not enable restoration of deleted resources. Role-Based Access Control, or RBAC, manages who can perform actions on resources but does not provide the ability to recover deleted Key Vaults or secrets. Therefore, Soft Delete with Purge Protection is the correct solution to enable recovery of deleted Key Vaults and their secrets within the retention period.

Question 147: 

You need to monitor failed login attempts and risky sign-ins in Azure AD. Which service provides this capability?

A) Azure AD Identity Protection
B) Azure Monitor Metrics
C) Azure Policy
D) Resource Locks

Answer: A) Azure AD Identity Protection

Explanation: 

Identity Protection tracks risky sign-ins, failed login attempts, and unusual behavior, allowing administrators to respond to potential security threats. Monitor tracks metrics. Policy enforces compliance. Resource Locks prevent deletion but do not monitor sign-ins.

To monitor failed login attempts and risky sign-ins in Azure Active Directory, the appropriate service to use is Azure AD Identity Protection. Identity Protection provides advanced security monitoring and risk detection for user accounts in Azure AD. It analyzes sign-in activities and user behaviors to identify potentially compromised accounts, suspicious sign-ins, and unusual login patterns. By tracking failed login attempts, impossible travel scenarios, and sign-ins from unfamiliar locations or devices, administrators can proactively respond to potential threats and take corrective actions, such as requiring multi-factor authentication or resetting passwords. Identity Protection also provides risk scores for users and sign-ins, enabling prioritization of high-risk incidents and supporting security investigations.

Azure Monitor Metrics collects numerical data about resource performance, availability, and usage. While it is valuable for tracking infrastructure health and operational metrics, it does not detect or analyze risky sign-ins or failed login attempts. Azure Policy enforces organizational and regulatory compliance rules, such as requiring encryption, tagging, or configuration standards. It does not provide monitoring or security intelligence for user authentication events. Resource Locks are designed to prevent accidental deletion or modification of critical Azure resources. They help protect resources but do not offer any capabilities for monitoring sign-ins or identifying risky behaviors. Therefore, for monitoring failed login attempts, risky sign-ins, and other identity-related threats, Azure AD Identity Protection is the correct solution.

Question 148: 

You are tasked with deploying an application that automatically scales across multiple virtual machines based on CPU usage. Which service should you use?

A) VM Scale Sets with autoscale rules
B) Azure Automation
C) Resource Locks
D) Azure Policy

Answer: A) VM Scale Sets with autoscale rules

Explanation: 

VM Scale Sets provide automatic scaling of VMs based on metrics such as CPU or memory usage. Automation can run scripts but does not provide dynamic scaling. Resource Locks prevent deletion. Policy enforces configuration.

To deploy an application that automatically scales across multiple virtual machines based on CPU usage, the appropriate service to use is VM Scale Sets with autoscale rules. VM Scale Sets allow you to deploy and manage a group of identical virtual machines that can automatically increase or decrease in number depending on defined metrics or schedules. By configuring autoscale rules, you can monitor metrics such as CPU utilization, memory usage, or custom application metrics, and scale out additional VMs when demand increases. When demand decreases, the scale set can reduce the number of VMs to optimize costs, ensuring efficient resource utilization while maintaining application performance. This provides high availability, fault tolerance, and flexibility for applications with fluctuating workloads.

Azure Automation is designed to execute scripts and automate administrative tasks, such as updates, configuration management, or operational workflows. While it improves operational efficiency, it does not provide dynamic scaling of virtual machines based on resource metrics. Resource Locks help prevent accidental deletion or modification of critical resources by applying delete or read-only locks. They protect resources but do not manage scaling or adjust capacity. Azure Policy enforces organizational standards and compliance rules across resources, such as requiring encryption or tagging. Although it ensures governance, it does not handle automatic scaling or respond to changes in workload demand. Therefore, for dynamic scaling of VMs based on CPU usage, VM Scale Sets with autoscale rules is the correct solution.

Question 149: 

You need to audit all changes made to Azure resources for regulatory compliance. Which service should you use?

A) Azure Activity Logs
B) Azure Monitor Metrics
C) Azure Policy
D) RBAC

Answer: A) Azure Activity Logs

Explanation: 

Activity Logs track all write operations performed on Azure resources, including who performed them and when. Monitor tracks performance metrics. Policy enforces compliance but does not log changes. RBAC controls access but does not provide auditing.

To audit all changes made to Azure resources for regulatory compliance, the appropriate service to use is Azure Activity Logs. Activity Logs provide a detailed record of all write operations performed on Azure resources, including who initiated the action, when it occurred, and the status of the operation. This makes it possible to track configuration changes, deployments, deletions, and other modifications across your subscription, supporting auditing, compliance, and forensic investigations. Administrators can query, filter, and analyze Activity Logs to identify suspicious activities, generate reports, and maintain a comprehensive history of resource changes, which is essential for meeting regulatory and internal governance requirements.

Azure Monitor Metrics collects numerical performance data, such as CPU usage, memory consumption, disk I/O, and network traffic. While it provides insights into resource performance and health, it does not capture the details of configuration changes or who performed them. Azure Policy is used to enforce organizational or regulatory standards by auditing or restricting resource configurations, such as requiring encryption or enforcing tagging. Although it helps maintain compliance, it does not log changes or provide historical auditing of actions. Role-Based Access Control, or RBAC, manages permissions and access to resources by assigning roles to users, groups, or service principals. RBAC controls who can perform actions but does not provide auditing or historical tracking of resource changes. Therefore, for auditing all changes to Azure resources, Azure Activity Logs is the correct solution.

Question 150: 

You need to allow only corporate-approved devices to access Azure resources. Which service allows this control?

A) Conditional Access with device compliance
B) Azure AD Privileged Identity Management
C) Azure Policy
D) Resource Locks

Answer: A) Conditional Access with device compliance

Explanation: 

Conditional Access policies can enforce that only compliant devices meeting organizational requirements can sign in. PIM manages temporary privileged access. Policy enforces configuration. Resource Locks prevent deletion but do not control access.

To ensure that only corporate-approved devices can access Azure resources, the appropriate service to use is Conditional Access with device compliance. Conditional Access allows administrators to define access policies that evaluate conditions such as device compliance, location, user risk, and sign-in behavior before granting access to Azure resources. By integrating with Microsoft Intune or another device management solution, Conditional Access can verify whether a device meets organizational requirements, such as having the latest security updates, encryption enabled, or approved configurations. If a device is not compliant, access can be blocked or restricted, ensuring that only secure, authorized devices can interact with sensitive resources. This helps protect corporate data, reduce the risk of security breaches, and maintain compliance with organizational policies.

Azure AD Privileged Identity Management, or PIM, is designed to manage temporary elevated privileges for administrative accounts. It allows just-in-time access to high-privilege roles and provides monitoring of privileged activities, but it does not enforce device compliance or restrict access based on device state. Azure Policy is used to enforce resource configuration standards, such as requiring encryption, tags, or specific network settings. While it ensures governance, it does not control which devices can access resources. Resource Locks are applied to prevent accidental deletion or modification of critical resources. They protect resources but do not provide access control based on device compliance. Therefore, Conditional Access with device compliance is the correct solution for allowing only corporate-approved devices to access Azure resources.

Question 151: 

You are designing a multi-tier application in Azure that requires automatic failover across physical locations within a single region. Which feature should you implement?

A) Availability Zones
B) Availability Sets
C) VM Scale Sets
D) Resource Groups

Answer: A) Availability Zones

Explanation: 

Availability Zones provide physically separate datacenters within a region for high availability. Availability Sets provide redundancy within a single datacenter. VM Scale Sets provide scaling but not location-based failover. Resource Groups organize resources but do not provide availability.

To design a multi-tier application in Azure that requires automatic failover across physical locations within a single region, the appropriate feature to implement is Availability Zones. Availability Zones are physically separate datacenters within an Azure region, each with independent power, networking, and cooling. By deploying virtual machines and other resources across multiple Availability Zones, applications gain high availability and resilience against datacenter-level failures. In the event of an outage in one zone, resources in other zones can continue operating, ensuring minimal downtime and uninterrupted service. This makes Availability Zones suitable for mission-critical applications that require high uptime and fault tolerance.

Availability Sets, in contrast, provide redundancy within a single datacenter by distributing VMs across fault domains and update domains. They protect against hardware failures and planned maintenance within the datacenter but do not provide protection if the entire datacenter becomes unavailable. VM Scale Sets enable automatic scaling of virtual machines based on metrics such as CPU usage or queue length. While they improve performance and manage workload demand, they do not inherently provide failover across separate physical locations. Resource Groups are logical containers for organizing and managing Azure resources. They help with resource management, monitoring, and access control, but they do not provide high availability or failover capabilities. Therefore, for automatic failover across physical locations within a region, Availability Zones is the correct solution.

Question 152: 

You need to ensure that all Azure SQL Databases in a subscription have auditing enabled automatically. Which service should you use?

A) Azure Policy with remediation
B) RBAC
C) Resource Lock
D) Azure Monitor

Answer: A) Azure Policy with remediation

Explanation: 

Azure Policy can detect non-compliant databases and trigger automated remediation to enable auditing. RBAC controls access. Resource Locks prevent deletion but do not enforce auditing. Monitor tracks metrics but does not enforce compliance.

To ensure that all Azure SQL Databases in a subscription have auditing enabled automatically, the appropriate service to use is Azure Policy with remediation. Azure Policy allows administrators to define and enforce rules across Azure resources to maintain compliance with organizational or regulatory requirements. By creating a policy that requires auditing on all SQL Databases, Azure can automatically detect any databases that are non-compliant. With remediation tasks configured, the policy can apply the required settings to enable auditing without manual intervention. This ensures that all databases adhere to auditing standards, helping organizations meet compliance and security requirements consistently while reducing administrative overhead.

Role-Based Access Control, or RBAC, is used to manage permissions for users, groups, and applications. While RBAC determines who can perform actions on resources, it does not enforce configuration settings or enable auditing automatically. Resource Locks protect critical resources from accidental deletion or modification by applying delete or read-only locks. They ensure resource stability but do not enforce auditing or compliance rules. Azure Monitor collects metrics, logs, and telemetry from resources to track performance, detect anomalies, and generate alerts. While it provides visibility into database activity, it does not enforce auditing or automatically remediate non-compliant resources. Therefore, to automatically ensure auditing is enabled on all Azure SQL Databases, Azure Policy with remediation is the correct solution.

Question 153: 

You want to replicate an on-premises Hyper-V VM to Azure for disaster recovery with minimal downtime. Which service should you use?

A) Azure Site Recovery
B) Azure Backup
C) Azure Monitor
D) Azure Automation

Answer: A) Azure Site Recovery

Explanation: 

Site Recovery replicates VMs to Azure for disaster recovery and failover. Backup provides point-in-time recovery, not continuous replication. Monitor collects telemetry. Automation runs scripts but does not replicate workloads.

To replicate an on-premises Hyper-V virtual machine to Azure for disaster recovery with minimal downtime, the appropriate service to use is Azure Site Recovery. Azure Site Recovery continuously replicates on-premises VMs to Azure, maintaining a near real-time copy of the workload in a secondary location. In the event of an outage or disaster, administrators can initiate a failover to the replicated VM in Azure, allowing applications to continue running with minimal disruption. Site Recovery supports both planned and unplanned failovers and includes orchestration features such as automated failover testing and recovery plans, which help ensure that multi-tier applications are restored in the correct order and configuration. This solution provides business continuity and meets recovery time objectives without requiring manual intervention for replication.

Azure Backup, while essential for data protection, provides point-in-time recovery rather than continuous replication. It allows restoring VMs or files to a previous state but does not maintain a live, continuously synchronized copy for immediate failover.

Azure Monitor collects telemetry, metrics, and logs from Azure resources, enabling performance monitoring and alerting. It does not replicate workloads or provide disaster recovery capabilities. Azure Automation is used to run scripts and automate operational tasks, such as maintenance or configuration management. While it improves efficiency, it does not replicate VMs or provide failover functionality. Therefore, to replicate on-premises Hyper-V VMs to Azure with minimal downtime, Azure Site Recovery is the correct solution.

Question 154: 

You need to track CPU and memory usage for all Azure VMs and trigger alerts when thresholds are exceeded. Which service should you configure?

A) Azure Monitor with metrics and alerts
B) Azure Policy
C) Resource Locks
D) RBAC

Answer: A) Azure Monitor with metrics and alerts

Explanation: 

Azure Monitor collects performance metrics and allows configuration of alerts when thresholds are exceeded. Policy enforces configurations. Resource Locks prevent deletion. RBAC controls access but does not monitor performance.

To track CPU and memory usage for all Azure virtual machines and trigger alerts when thresholds are exceeded, the appropriate service to configure is Azure Monitor with metrics and alerts. Azure Monitor collects performance metrics, logs, and telemetry data from Azure resources, including virtual machines. By using metrics, administrators can monitor key performance indicators such as CPU utilization, memory usage, disk I/O, and network activity. Alerts can be configured based on specific thresholds or conditions, so that when a VM exceeds a defined CPU or memory usage level, notifications can be sent to administrators or automated actions can be triggered to remediate the issue. This enables proactive management of resources, ensures optimal performance, and helps prevent service disruptions.

Azure Policy is used to enforce organizational or regulatory compliance rules, such as requiring encryption, tagging, or configuration standards across resources. While it ensures governance, it does not collect performance metrics or trigger alerts.

Resource Locks are applied to prevent accidental deletion or modification of critical resources. They help maintain resource stability but do not monitor performance or generate alerts. Role-Based Access Control, or RBAC, manages permissions by assigning roles to users, groups, or service principals. RBAC determines who can access and modify resources but does not provide monitoring or alerting capabilities. Therefore, to monitor CPU and memory usage and respond to threshold breaches, Azure Monitor with metrics and alerts is the correct solution.

Question 155: 

You need to encrypt data in transit between Azure services. Which feature provides this capability?

A) TLS/SSL encryption
B) Transparent Data Encryption
C) Azure Policy
D) Resource Locks

Answer: A) TLS/SSL encryption

Explanation: 

TLS/SSL ensures encryption of data in transit between Azure services. Transparent Data Encryption protects data at rest. Policy enforces configuration. Resource Locks prevent deletion but do not encrypt data.

To encrypt data in transit between Azure services, the appropriate feature to use is TLS/SSL encryption. Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), provide secure communication channels by encrypting data transmitted between clients, servers, and services. This ensures that sensitive information such as authentication credentials, personal data, and application traffic is protected from interception, tampering, or eavesdropping while traversing the network. Azure services such as Azure Storage, Azure SQL Database, and Azure App Service natively support TLS/SSL for secure connections, and certificates can be used to establish trust between endpoints. Using TLS/SSL is essential for maintaining data confidentiality and integrity, meeting compliance requirements, and securing communications across public and private networks.

Transparent Data Encryption, or TDE, protects data at rest by encrypting database files and backups, ensuring that stored data cannot be accessed without proper decryption keys. While it secures stored data, it does not encrypt data while it is being transmitted between services.

Azure Policy is used to enforce organizational or regulatory compliance rules, such as requiring encryption or specific configurations on resources. Although it can mandate the use of TLS/SSL, it does not itself encrypt data.

Resource Locks prevent accidental deletion or modification of critical resources by applying read-only or delete restrictions. They ensure resource stability but do not provide encryption for data in transit.

Therefore, to secure data moving between Azure services, TLS/SSL encryption is the correct solution.

Question 156: 

You want to automatically remediate storage accounts that are not configured with secure transfer. Which service allows this?

A) Azure Policy with remediation tasks
B) Azure Automation
C) RBAC
D) Azure Monitor

Answer: A) Azure Policy with remediation tasks

Explanation: 

Azure Policy can detect non-compliant resources and automatically remediate them, such as enabling secure transfer on storage accounts. Automation runs scripts but does not enforce compliance automatically. RBAC controls access. Monitor provides alerts but cannot remediate.

To automatically remediate storage accounts that are not configured with secure transfer, the appropriate service to use is Azure Policy with remediation tasks. Azure Policy allows administrators to define rules and enforce organizational standards across Azure resources. By creating a policy that requires secure transfer for storage accounts, Azure can continuously evaluate compliance and detect any resources that do not meet the policy requirements. With remediation tasks configured, non-compliant storage accounts can be automatically updated to enable secure transfer, ensuring that all data in transit is encrypted and reducing the risk of unauthorized access. This approach provides a consistent, automated way to maintain security best practices and meet compliance requirements without relying on manual intervention.

Azure Automation is designed to run scripts or workflows to automate administrative tasks, such as configuration updates or maintenance operations. While Automation can remediate resources, it does not automatically enforce compliance policies across all resources without additional configuration.

Role-Based Access Control, or RBAC, manages permissions and determines who can perform actions on Azure resources. RBAC controls access but does not automatically detect or remediate non-compliant settings.

Azure Monitor collects metrics, logs, and telemetry from Azure resources, providing visibility and alerting capabilities. Although Monitor can notify administrators of non-compliance, it does not enforce or remediate configuration issues.

Therefore, for automatic detection and remediation of storage accounts lacking secure transfer, Azure Policy with remediation tasks is the correct solution.
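To make the detect-then-remediate cycle concrete, here is an added offline model of how a Modify policy for secure transfer is evaluated and applied. This is example code written for this page, not Azure's policy engine or a Microsoft sample: the policy definition follows the Azure Policy JSON shape (an `if` block over field aliases and a `then` block with Modify operations), the evaluator implements only the operators that definition uses, and the storage account records, subscription id and resource names are constructed placeholders.

```python
"""Offline model of an Azure Policy "Modify" remediation for secure transfer.

Added example (not Azure's own engine): the policy below follows the Azure
Policy definition shape (if/then, field aliases, Modify operations) and the
evaluator implements only the operators it uses.  The resources are
constructed sample records, not real storage accounts.
"""
import copy

HTTPS_ONLY = "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly"

# Constructed policy: a storage account whose supportsHttpsTrafficOnly alias is
# anything other than true (including absent) is non-compliant and gets fixed.
SECURE_TRANSFER_POLICY = {
    "if": {
        "allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"field": HTTPS_ONLY, "notEquals": "true"},
        ]
    },
    "then": {
        "effect": "Modify",
        "details": {
            # roleDefinitionIds omitted: the managed identity a real remediation
            # task runs under is outside this offline model.
            "operations": [
                {"operation": "addOrReplace", "field": HTTPS_ONLY, "value": True}
            ]
        },
    },
}

# Constructed resource records, flattened to the alias form the evaluator reads.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
SAMPLE_RESOURCES = [
    {"id": f"{SUB}/providers/Microsoft.Storage/storageAccounts/stlegacy01",
     "type": "Microsoft.Storage/storageAccounts", HTTPS_ONLY: False},
    {"id": f"{SUB}/providers/Microsoft.Storage/storageAccounts/stsecure02",
     "type": "Microsoft.Storage/storageAccounts", HTTPS_ONLY: True},
    {"id": f"{SUB}/providers/Microsoft.Storage/storageAccounts/stnoflag03",
     "type": "Microsoft.Storage/storageAccounts"},          # property missing
    {"id": f"{SUB}/providers/Microsoft.Compute/virtualMachines/vm-app01",
     "type": "Microsoft.Compute/virtualMachines"},          # not in scope
]


def _norm(value):
    """Azure Policy compares field values as case-insensitive strings; an
    absent field compares as empty, so 'notEquals true' also catches it."""
    return "" if value is None else str(value).lower()


def _matches(condition, resource):
    """Evaluate an if-block condition: allOf/anyOf/not plus field operators."""
    if "allOf" in condition:
        return all(_matches(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(_matches(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not _matches(condition["not"], resource)
    actual = resource.get(condition["field"])
    if "equals" in condition:
        return _norm(actual) == _norm(condition["equals"])
    if "notEquals" in condition:
        return _norm(actual) != _norm(condition["notEquals"])
    if "exists" in condition:
        return (actual is not None) == (_norm(condition["exists"]) == "true")
    raise ValueError(f"unsupported condition: {condition}")


def non_compliant(resources, policy):
    """Compliance scan: IDs of resources whose state matches the 'if' block."""
    return [r["id"] for r in resources if _matches(policy["if"], r)]


def remediate(resources, policy):
    """Remediation task: apply the Modify operations to every non-compliant
    resource.  Returns (remediated_ids, updated_resources); input is untouched."""
    if policy["then"]["effect"] != "Modify":
        raise ValueError("only the Modify effect is modelled here")
    updated = copy.deepcopy(resources)
    remediated = []
    for res in updated:
        if not _matches(policy["if"], res):
            continue
        for op in policy["then"]["details"]["operations"]:
            if op["operation"] == "addOrReplace":
                res[op["field"]] = op["value"]
            elif op["operation"] == "add":
                res.setdefault(op["field"], op["value"])
            elif op["operation"] == "remove":
                res.pop(op["field"], None)
        remediated.append(res["id"])
    return remediated, updated


if __name__ == "__main__":
    print("non-compliant before:", non_compliant(SAMPLE_RESOURCES, SECURE_TRANSFER_POLICY))
    fixed, after = remediate(SAMPLE_RESOURCES, SECURE_TRANSFER_POLICY)
    print("remediated:", fixed)
    print("non-compliant after:", non_compliant(after, SECURE_TRANSFER_POLICY))
```

The point worth noticing is the third record: a storage account with the property missing entirely is still caught, because `notEquals "true"` is evaluated against an empty value. A policy written as `equals "false"` would have missed it, which is why compliance rules are usually phrased negatively. The virtual machine is never touched because the `type` condition scopes the rule.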

Question 157: 

You need to allow on-premises users to authenticate to Azure AD without storing passwords in the cloud. Which solution should you implement?

A) Pass-through Authentication
B) Password Hash Synchronization
C) Azure AD B2C
D) Conditional Access

Answer: A) Pass-through Authentication

Explanation: 

Pass-through Authentication validates passwords against on-premises Active Directory without storing them in Azure AD. Password Hash Synchronization stores password hashes in Azure AD. B2C is for customer-facing applications. Conditional Access enforces sign-in conditions but does not authenticate users.

To allow on-premises users to authenticate to Azure Active Directory without storing passwords in the cloud, the appropriate solution is Pass-through Authentication. Pass-through Authentication enables users to sign in to Azure AD using their existing on-premises credentials. When a user attempts to authenticate, the credentials are securely validated against the on-premises Active Directory, without replicating or storing the password in Azure AD. This approach ensures that sensitive password data remains within the corporate network, helping organizations meet security and compliance requirements while providing a seamless sign-in experience for users. Pass-through Authentication integrates with existing on-premises identity infrastructure and supports single sign-on for cloud applications, maintaining centralized authentication control.

Password Hash Synchronization, in contrast, involves storing a hashed version of user passwords in Azure AD. While it enables users to authenticate using the same credentials in the cloud, it does involve cloud storage of password hashes, which may not meet security or regulatory requirements for organizations that want to keep passwords exclusively on-premises.

Azure AD B2C is designed for customer-facing applications, allowing external users to sign in and access consumer services. It is not intended for authenticating corporate on-premises users.

Conditional Access enforces policies such as multi-factor authentication, device compliance, and location-based restrictions. While it strengthens security during sign-in, it does not perform authentication or prevent passwords from being stored in Azure AD.

Therefore, Pass-through Authentication is the correct solution for authenticating on-premises users without storing passwords in the cloud.

Question 158: 

You need to deploy a virtual machine using a custom image stored in a shared image gallery across multiple regions. Which service should you use?

A) Shared Image Gallery
B) Azure Marketplace
C) Azure Policy
D) VM Scale Sets

Answer: A) Shared Image Gallery

Explanation:

Shared Image Gallery allows replication of custom VM images across multiple regions. Marketplace provides standard images. Policy enforces usage but does not host images. VM Scale Sets deploy multiple VMs but require an image from the gallery or Marketplace.

To deploy a virtual machine using a custom image stored in a shared image gallery across multiple regions, the appropriate service to use is Shared Image Gallery. Shared Image Gallery enables organizations to create, manage, and share custom VM images efficiently. One of its key benefits is the ability to replicate images across multiple Azure regions, allowing consistent and fast deployment of virtual machines in different locations while maintaining version control. This ensures that all deployed VMs are based on the same configuration, improving operational consistency and simplifying updates or patching. Administrators can also define image versions and manage image distribution, making it easier to scale deployments across regions without manually copying images or creating separate storage accounts.

Azure Marketplace provides a catalog of standard images, applications, and solutions that can be deployed directly to Azure. While useful for common workloads, Marketplace does not host customer-specific custom images or provide replication across regions for those images.

Azure Policy is used to enforce organizational rules and compliance across resources, such as requiring encryption, tagging, or specific configurations. Policy ensures governance but does not host or manage VM images.

VM Scale Sets allow deployment of multiple identical VMs and enable autoscaling based on metrics. While Scale Sets can deploy VMs from images, they require the image to come from a source such as Shared Image Gallery or Marketplace.

Therefore, to deploy VMs using a custom image replicated across multiple regions, Shared Image Gallery is the correct solution.

Question 159: 

You need to restrict outbound internet access from Azure VMs to only specific destinations while maintaining internal network connectivity. Which solution should you implement?

A) Azure Firewall with network rules
B) Network Security Group
C) Route Table
D) Private Endpoint

Answer: A) Azure Firewall with network rules

Explanation: 

Azure Firewall allows centralized control of outbound traffic, including restriction to specific IP addresses or FQDNs. NSGs filter traffic at subnet or NIC level but are less flexible for complex outbound rules. Route Tables manage routing paths. Private Endpoints control access to services but not general outbound traffic.

To restrict outbound internet access from Azure virtual machines to only specific destinations while maintaining internal network connectivity, the appropriate solution is Azure Firewall with network rules. Azure Firewall is a fully managed, cloud-based network security service that provides centralized control over both inbound and outbound traffic. By configuring network rules, administrators can specify allowed or denied IP addresses, ports, and fully qualified domain names (FQDNs) for outbound traffic from VMs. This ensures that virtual machines can communicate internally within the virtual network while restricting internet access to only approved destinations. Azure Firewall also provides logging, monitoring, and threat intelligence-based filtering, allowing organizations to maintain security and compliance standards.

Network Security Groups, or NSGs, filter inbound and outbound traffic at the subnet or network interface level. While NSGs are effective for basic traffic filtering, they are less flexible for complex outbound restrictions based on FQDNs or centralized management across multiple subnets.

Route Tables control the routing of network traffic within a virtual network or to external networks. They determine the path of packets but do not provide traffic filtering or restriction capabilities.

Private Endpoints allow secure, private access to Azure services by assigning a private IP within a VNet. They control access to specific services but do not manage general outbound internet traffic from virtual machines.

Therefore, to enforce granular outbound restrictions while maintaining internal connectivity, Azure Firewall with network rules is the correct solution.
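The scenario in this question (internal traffic stays open, internet traffic reaches only approved destinations, everything else is dropped) comes down to how rule collections are ordered and what happens when nothing matches. The following added example models that evaluation offline. It is illustrative code written for this page, not the Azure Firewall engine or any Microsoft tooling: it assumes rule collections are evaluated in priority order with the lowest number first, that the first matching rule decides, and that unmatched traffic is denied; application (FQDN) rules, threat intelligence and DNAT are not modelled. The address space, subnets, rule names and the vendor endpoint (taken from the 203.0.113.0/24 documentation range) are all constructed.

```python
"""Offline model of Azure Firewall network-rule evaluation for outbound VM traffic.

Added example with constructed rule collections.  It models the behaviour the
question relies on: rule collections are evaluated in priority order (lower
number first), the first matching rule decides, and traffic matching no rule
is denied.  It is not the Azure Firewall engine; application (FQDN) rules,
threat intelligence and DNAT are out of scope.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NetworkRule:
    name: str
    protocols: tuple       # e.g. ("TCP",), ("UDP",), ("Any",)
    sources: tuple         # CIDR strings
    destinations: tuple    # CIDR strings, or "*" for any
    ports: tuple           # ints, or "*" for any


@dataclass(frozen=True)
class RuleCollection:
    name: str
    priority: int          # lower is evaluated first
    action: str            # "Allow" or "Deny"
    rules: tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    protocol: str


VNET = "10.0.0.0/16"                   # constructed address space
VM_SUBNET = "10.0.1.0/24"
APPROVED_SAAS_IP = "203.0.113.10/32"   # documentation range, stands in for a vendor endpoint

# Constructed rule collections for the scenario: keep internal traffic open,
# block a quarantined subnet, allow one approved internet destination on 443,
# and let the implicit deny catch everything else.
COLLECTIONS = (
    RuleCollection("deny-quarantine", 90, "Deny", (
        NetworkRule("to-quarantine", ("Any",), (VNET,), ("10.0.9.0/24",), ("*",)),
    )),
    RuleCollection("allow-internal", 100, "Allow", (
        NetworkRule("vnet-any", ("Any",), (VNET,), (VNET,), ("*",)),
    )),
    RuleCollection("allow-approved-internet", 200, "Allow", (
        NetworkRule("saas-https", ("TCP",), (VM_SUBNET,), (APPROVED_SAAS_IP,), (443,)),
    )),
)


def _addr_in(addr, patterns):
    ip = ipaddress.ip_address(addr)
    return any(p == "*" or ip in ipaddress.ip_network(p, strict=False) for p in patterns)


def _rule_matches(rule, flow):
    return (("Any" in rule.protocols or flow.protocol in rule.protocols)
            and _addr_in(flow.src, rule.sources)
            and _addr_in(flow.dst, rule.destinations)
            and ("*" in rule.ports or flow.port in rule.ports))


def evaluate(flow, collections=COLLECTIONS):
    """Return (action, 'collection/rule') for the first matching rule in
    priority order, or ('Deny', 'implicit') when nothing matches."""
    for coll in sorted(collections, key=lambda c: c.priority):
        for rule in coll.rules:
            if _rule_matches(rule, flow):
                return coll.action, f"{coll.name}/{rule.name}"
    return "Deny", "implicit"


# Constructed flows from a VM at 10.0.1.4.
SAMPLE_FLOWS = (
    Flow("10.0.1.4", "10.0.2.8", 1433, "TCP"),       # internal SQL: allowed
    Flow("10.0.1.4", "203.0.113.10", 443, "TCP"),    # approved SaaS: allowed
    Flow("10.0.1.4", "203.0.113.10", 80, "TCP"),     # approved host, wrong port: denied
    Flow("10.0.1.4", "198.51.100.7", 443, "TCP"),    # arbitrary internet: denied
    Flow("10.0.1.4", "10.0.9.4", 22, "TCP"),         # quarantined subnet: denied by rule
)


def report(flows=SAMPLE_FLOWS, collections=COLLECTIONS):
    """Map each flow to its verdict; useful for checking a rule set before rollout."""
    return {f: evaluate(f, collections) for f in flows}


if __name__ == "__main__":
    for flow, (action, why) in report().items():
        print(f"{flow.src} -> {flow.dst}:{flow.port}/{flow.protocol}: {action} ({why})")
```

Two things the model makes visible: the quarantine deny at priority 90 wins over the broad internal allow at 100 only because of its lower number, so reordering priorities silently changes the outcome; and no explicit "deny all" collection is needed, because the last line of `evaluate` is what a default-deny firewall does with unmatched traffic.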

Question 160: 

You need to track all administrative actions performed in a subscription for auditing purposes. Which service should you use?

A) Azure Activity Logs
B) Azure Monitor Metrics
C) Azure Policy
D) RBAC

Answer: A) Azure Activity Logs

Explanation: 

Activity Logs provide audit information on management operations, including who performed changes and when. Monitor tracks metrics. Policy enforces compliance. RBAC controls access but does not log actions.

To track all administrative actions performed in an Azure subscription for auditing purposes, the appropriate service to use is Azure Activity Logs. Activity Logs provide a detailed record of all management operations on Azure resources, including create, update, delete, and other write actions. They capture information about who performed each action, when it occurred, and the status of the operation, making them essential for auditing, compliance, and forensic analysis. Administrators can filter logs by resource type, operation type, or user identity to quickly identify changes, track trends, and investigate suspicious activity. Activity Logs also integrate with other services such as Azure Monitor, Log Analytics, and Event Hubs, enabling centralized monitoring, alerting, and long-term retention of audit data.

Azure Monitor Metrics collects performance and operational metrics from Azure resources, such as CPU usage, memory consumption, and network activity. While Monitor provides insights into resource performance and availability, it does not track administrative actions or provide auditing details.

Azure Policy is used to enforce organizational or regulatory compliance by auditing or restricting resource configurations, such as enforcing encryption, tagging, or allowed locations. Policy ensures governance but does not log who made changes or when.

Role-Based Access Control, or RBAC, manages permissions for users, groups, and service principals, controlling who can perform actions on resources. RBAC defines access but does not provide auditing or historical logs of administrative activities.

Therefore, to track and audit all administrative actions in a subscription, Azure Activity Logs is the correct solution.
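The explanation above lists the fields an auditor cares about (who, what, when, and the outcome). The added example below shows what working with an exported Activity Log looks like once those events are in hand. It is example code written for this page, not an Azure API or a Microsoft sample: the records are constructed to use the Activity Log event fields the code reads (`category`, `operationName`, `caller`, `eventTimestamp`, `status`, `resourceId`) and contain only completed events, whereas a real log also emits a "Started" event per operation; the subscription id, user names, service principal id and resource names are placeholders.

```python
"""Audit review over a constructed Azure Activity Log export.

Added example: the records below are constructed to use the Activity Log event
fields this code reads (category, operationName, caller, eventTimestamp,
status, resourceId); they are not real exported events.  The functions are the
post-processing an auditor runs on an export, not an Azure API.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime

# Constructed export: completed events only (a real log also has a "Started"
# event per operation).  Subscription id, identities and names are placeholders.
ACTIVITY_LOG_EXPORT = """[
  {"category": {"value": "Administrative"}, "caller": "alice@contoso.example",
   "eventTimestamp": "2024-05-01T10:00:00Z", "status": {"value": "Succeeded"},
   "operationName": {"value": "Microsoft.Compute/virtualMachines/write"},
   "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/Microsoft.Compute/virtualMachines/vm-app01"},
  {"category": {"value": "Administrative"}, "caller": "bob@contoso.example",
   "eventTimestamp": "2024-05-01T11:30:00Z", "status": {"value": "Succeeded"},
   "operationName": {"value": "Microsoft.Network/networkSecurityGroups/securityRules/delete"},
   "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/Microsoft.Network/networkSecurityGroups/nsg-web/securityRules/allow-rdp"},
  {"category": {"value": "Administrative"}, "caller": "00000000-0000-0000-0000-00000000abcd",
   "eventTimestamp": "2024-05-01T13:15:00Z", "status": {"value": "Succeeded"},
   "operationName": {"value": "Microsoft.Storage/storageAccounts/listKeys/action"},
   "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/Microsoft.Storage/storageAccounts/stdata01"},
  {"category": {"value": "Administrative"}, "caller": "alice@contoso.example",
   "eventTimestamp": "2024-05-01T13:20:00Z", "status": {"value": "Succeeded"},
   "operationName": {"value": "Microsoft.Compute/virtualMachines/read"},
   "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/Microsoft.Compute/virtualMachines/vm-app01"},
  {"category": {"value": "Policy"}, "caller": "policy-evaluation",
   "eventTimestamp": "2024-05-01T14:00:00Z", "status": {"value": "Succeeded"},
   "operationName": {"value": "Microsoft.Authorization/policies/audit/action"},
   "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/Microsoft.Storage/storageAccounts/stdata01"},
  {"category": {"value": "Administrative"}, "caller": "bob@contoso.example",
   "eventTimestamp": "2024-05-01T15:45:00Z", "status": {"value": "Failed"},
   "operationName": {"value": "Microsoft.Resources/subscriptions/resourceGroups/delete"},
   "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"}
]"""


def load_records(export_text=ACTIVITY_LOG_EXPORT):
    return json.loads(export_text)


def _verb(operation_name):
    """Last segment of the operation name: read, write, delete or action."""
    return operation_name.rsplit("/", 1)[-1].lower()


def _parse_ts(iso_text):
    """Activity Log timestamps are UTC ISO-8601 with a trailing Z."""
    return datetime.fromisoformat(iso_text.replace("Z", "+00:00"))


def changes(records, since=None):
    """Administrative events that changed state (write/delete/action), oldest
    first.  'since' is an ISO-8601 string in the log's own format; older
    events are dropped.  Reads and other categories are excluded."""
    cutoff = _parse_ts(since) if since else None
    out = []
    for rec in records:
        if rec["category"]["value"] != "Administrative":
            continue
        op = rec["operationName"]["value"]
        if _verb(op) not in ("write", "delete", "action"):
            continue
        when = _parse_ts(rec["eventTimestamp"])
        if cutoff is not None and when < cutoff:
            continue
        out.append({"time": when, "caller": rec["caller"], "operation": op,
                    "status": rec["status"]["value"], "resource": rec["resourceId"]})
    return sorted(out, key=lambda e: e["time"])


def by_caller(events):
    """Per identity, how many writes, deletes and actions it performed."""
    result = defaultdict(Counter)
    for e in events:
        result[e["caller"]][_verb(e["operation"])] += 1
    return {caller: dict(c) for caller, c in result.items()}


def successful_deletions(events):
    """Deletes that completed; failed attempts are reviewed separately."""
    return [e for e in events
            if _verb(e["operation"]) == "delete" and e["status"] == "Succeeded"]


if __name__ == "__main__":
    events = changes(load_records())
    for e in events:
        print(e["time"].isoformat(), e["caller"], e["operation"], e["status"])
    print("by caller:", by_caller(events))
    print("deletions:", [e["resource"] for e in successful_deletions(events)])
```

Note that `listKeys/action` shows up as a change even though it modifies nothing: action operations (key listing, VM start/stop, role assignment) are exactly the ones an audit should keep, and the `read` event is dropped because read operations are not recorded in the Activity Log at the same level of detail and would swamp the review anyway.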
