AZ-900 : Microsoft Azure Fundamentals Practice Tests 2025 3 Flashcards
The concept of sharing resources among multiple users or tenants, allowing for cost savings and increased efficiency, is known as _______.
Multi-Tenancy
Redundancy
Autonomy
Monolithic architecture
Multi-Tenancy
Explanation:
The concept of sharing resources among multiple users or tenants, allowing for cost savings and increased efficiency, is known as “multi-tenancy”.
Other options -
Redundancy: It refers to the duplication of critical system components to ensure continued operation in case of a failure. While redundancy is an important attribute of many cloud systems, it is not specifically related to the concept of sharing resources among multiple users.
Autonomy: It refers to the ability of a system or organization to operate independently, with minimal external control or interference. While autonomy can be an important attribute of cloud systems, it is not specifically related to the concept of multi-tenancy.
Monolithic architecture: It refers to a software architecture pattern in which all components of an application are tightly integrated and deployed as a single unit. While monolithic architecture can be used in cloud systems, it is not specifically related to the concept of multi-tenancy, which involves the sharing of resources among multiple users or tenants.
_____________ devices can easily move data to Azure when busy networks aren’t an option.
Azure File Sync
Azure Storage Explorer
Azure Migrate
Azure Data Box
Azure Data Box
Explanation:
Azure Data Box devices easily move data to Azure when busy networks aren’t an option. Move large amounts of data to Azure when you’re limited by time, network availability, or costs, using common copy tools such as Robocopy. All data is AES-encrypted, and the devices are wiped clean after upload, in accordance with NIST Special Publication 800-88 revision 1 standards.
It’s possible to deploy a new Azure VM from a Google Chromebook by using PowerAutomate.
No
Yes
No
Explanation:
Tricky question! PowerAutomate is not the same as PowerShell.
Moreover, PowerAutomate isn’t a part of Azure! It falls under the Microsoft umbrella of offerings, just like PowerApps.
Hence, this statement is definitely False. You can use the Azure portal to provision Virtual Machines, or even the CLI.
What is the maximum allowed number of tags per Azure resource?
50
15
10
30
50
Explanation:
Azure allows users to assign name-value pairs, called tags, to each resource, resource group, and subscription. The maximum number of tag name-value pairs that can be assigned to each of these entities is 50. If you need to apply more tags than the allowed number, you can use a JSON string to include multiple values for a single tag name. Each resource group or subscription can contain numerous resources, each with their own set of 50 tag name-value pairs.
The members of your organization have been complaining about having to enter their password too many times which is frustrating. Moreover, users also tend to forget their passwords which leads to reset overhead. Which of the following services in Azure can help with this?
Azure Active Directory SeamlessAuth
Azure Active Directory Passwordless
Azure ExpressRoute
Azure Arc
Azure Active Directory Passwordless
Explanation:
Features like multifactor authentication (MFA) are a great way to secure your organization, but users often get frustrated with the additional security layer on top of having to remember their passwords. Passwordless authentication methods are more convenient because the password is removed and replaced with something you have, plus something you are or something you know.
What is the maximum number of virtual network rules and IP network rules allowed per storage account in Azure?
500
200
150
300
500
Explanation:
The current maximum number of virtual networks per storage account is 200!
What is the primary objective of the “Secure” aspect of Defender for Cloud?
To focus on Azure Security Benchmark compliance.
To provide protection against physical attacks on datacenters.
To deploy Log Analytics agents on all virtual machines.
To ensure secure configurations of workloads and resources.
To ensure secure configurations of workloads and resources.
Explanation:
The “Secure” aspect of Defender for Cloud aims to ensure that workloads and resources are securely configured. It provides policies and guidelines to help achieve Azure Security Benchmark compliance and secure configurations.
How does the syntax of commands differ between Azure PowerShell and the Azure CLI?
Azure PowerShell uses PowerShell commands, while the Azure CLI uses Bash commands.
Azure PowerShell uses Python scripts, while the Azure CLI uses Ruby scripts.
There is no difference in command syntax between Azure PowerShell and the Azure CLI.
Azure PowerShell uses Bash scripts, while the Azure CLI uses JSON configuration files.
Azure PowerShell uses PowerShell commands, while the Azure CLI uses Bash commands.
Explanation:
The Azure CLI is functionally equivalent to Azure PowerShell, with the primary difference being the syntax of commands. While Azure PowerShell uses PowerShell commands, the Azure CLI uses Bash commands.
The Azure CLI provides the same benefits of handling discrete tasks or orchestrating complex operations through code. It’s also installable on Windows, Linux, and Mac platforms, as well as through Azure Cloud Shell.
Due to the similarities in capabilities and access between Azure PowerShell and the Bash-based Azure CLI, it mainly comes down to which language you’re most familiar with.
Which of the following are valid Azure purchasing options?
Github website
Microsoft Partner
Azure website
Microsoft representative
Microsoft Partner
Azure website
Microsoft representative
Explanation:
You can choose the purchasing option that works best for your organisation. Or, use any of the options simultaneously.
What is the primary purpose of applying resource locks in Azure?
To prevent accidental deletion or modification of critical resources.
To restrict access to Azure resources to a specific user.
To prevent any modifications to resources, including read access.
To ensure resources are automatically deleted after a specific time period.
To prevent accidental deletion or modification of critical resources.
Explanation:
As an administrator, you can lock an Azure subscription, resource group, or resource to protect them from accidental user deletions and modifications. The lock overrides any user permissions.
You can set locks that prevent either deletions or modifications. In the portal, these locks are called Delete and Read-only. In the command line, these locks are called CanNotDelete and ReadOnly.
CanNotDelete means authorized users can read and modify a resource, but they can’t delete it.
ReadOnly means authorized users can read a resource, but they can’t delete or update it. Applying this lock is similar to restricting all authorized users to the permissions that the Reader role provides.
Unlike role-based access control (RBAC), you use management locks to apply a restriction across all users and roles. To learn about setting permissions for users and roles, see Azure RBAC.
Therefore, resource locks in Azure are used to prevent accidental deletion or modification of important resources. They help maintain the integrity of critical resources by preventing unwanted changes.
______________ is a set of capabilities in Azure Active Directory (AAD) that enables organizations to secure and manage any outside user, including customers and partners.
Sentinel
External Identities
External Profiles
External User Management
External Identities
Explanation:
External Identities is a set of capabilities that enables organizations to secure and manage any external user, including customers and partners. Building on B2B collaboration, External Identities gives you more ways to interact and connect with users outside your organization.
The ability to provision and deprovision cloud resources quickly, with minimal management effort, is known as _______.
Resiliency
Scalability
Sustainability
Elasticity
Scalability
Explanation:
The correct answer is Scalability. It specifically refers to the ability to provision and deprovision cloud resources quickly and with minimal management effort.
Yes or No: Azure Site Recovery can only be used to replicate and recover virtual machines within Azure.
Yes
No
No
Explanation:
The answer is No. Azure Site Recovery can be used to replicate and recover virtual machines not only within Azure, but also from on-premises datacenters to Azure, and between different datacenters or regions.
Azure Site Recovery is a disaster recovery solution that provides continuous replication of virtual machines and physical servers to a secondary site, allowing for rapid recovery in case of a disaster. It supports a wide range of scenarios, including replication from VMware, Hyper-V, and physical servers to Azure, as well as replication between Azure regions or datacenters.
Which of the following is a good usage of tags?
Using tags for data classification
Making business groups aware of cloud resource consumption requires IT to understand the resources and workloads each team is using
Using Tags to quickly locate resources associated with specific workloads, environments, ownership groups, or other important information.
To help identify the assets required to support a single workload.
All of these
All of these
Explanation:
All of the above can help leverage the power of tags in one way or the other.
From the official Azure docs:
Organizing cloud-based resources is a crucial task for IT, unless you only have simple deployments. Use naming and tagging standards to organize your resources for the following reasons:
Resource management: Your IT teams need to quickly locate resources associated with specific workloads, environments, ownership groups, or other important information. Organizing resources is critical to assigning organizational roles and access permissions for resource management.
Cost management and optimization: Making business groups aware of cloud resource consumption requires IT to understand the resources and workloads each team is using.
Operations management: Visibility for the operations management team about business commitments and SLAs is an important aspect of ongoing operations. For operations to be managed well, tagging for mission criticality is required.
Security: Classification of data and security impact is a vital data point for the team, when breaches or other security issues arise. To operate securely, tagging for data classification is required.
Governance and regulatory compliance: Maintaining consistency across resources helps identify changes from agreed-upon policies. Prescriptive guidance for resource tagging demonstrates how one of the following patterns can help when deploying governance practices. Similar patterns are available to evaluate regulatory compliance using tags.
Automation: A proper organizational scheme allows you to take advantage of automation as part of resource creation, operational monitoring, and the creation of DevOps processes. It also makes resources easier for IT to manage.
Workload optimization: Tagging can help identify patterns and resolve broad issues. Tags can also help identify the assets required to support a single workload. Tagging all assets associated with each workload enables deeper analysis of your mission-critical workloads to make sound architectural decisions.
What is network latency?
The cost incurred by the data travelling over the network
The maximum amount of data that can travel over the network
The distance the data travel over the network
The time it takes for data to travel over the network
The time it takes for data to travel over the network
Explanation:
Network latency is the time it takes for data or a request to go from the source to the destination. Latency in networks is measured in milliseconds.
Which of the following services allows you to easily run popular open source frameworks including Apache Hadoop, Spark, and Kafka for open source analytics?
Azure Data Lake Analytics
Azure Cosmos DB
Azure Cognitive Services
Azure HDInsight
Azure HDInsight
Explanation:
We can easily run popular open source frameworks—including Apache Hadoop, Spark, and Kafka—using Azure HDInsight, a cost-effective, enterprise-grade service for open source analytics. Effortlessly process massive amounts of data and get all the benefits of the broad open source ecosystem with the global scale of Azure.
You are an IT manager and want to ensure that you are notified when the Azure spending reaches a certain threshold. Which feature of Azure Cost Management should you use?
Cost analysis
Department spending quota alerts
Budgets
Cost alerts
Budgets
Explanation:
Budgets is the correct answer. Budgets in Azure Cost Management allow you to set a spending limit for Azure based on a subscription, resource group, service type, or other criteria. You can also set a budget alert, which will notify you when the budget reaches the defined alert level.
How does the “compute” layer contribute to the defense-in-depth strategy?
It ensures that services are secure and free of vulnerabilities.
It focuses on securing virtual machines and access to them.
It prevents unauthorized physical access to hardware.
It secures access to physical data centers.
It focuses on securing virtual machines and access to them.
Explanation:
From the official docs: The focus in this layer is on making sure that your compute resources are secure and that you have the proper controls in place to minimize security issues.
At this layer, it’s important to:
Secure access to virtual machines.
Implement endpoint protection on devices and keep systems patched and current.
Therefore, the “compute” layer in the defense-in-depth model concentrates on securing access to virtual machines and ensuring they are properly protected. It involves implementing security controls and measures within the virtual machine environment. This is the best option out of the ones given.
A Network Security Group (NSG) has the ability to encrypt data at rest and in transit.
No
Yes
No
Explanation:
No, a Network Security Group (NSG) DOES NOT encrypt traffic.
In an Azure virtual network, which of the following is used to filter network traffic between subnets?
Azure Load Balancer
Azure Firewall
Network Security Group
Azure Application Gateway
Network Security Group
Explanation:
Network Security Group is the correct answer.
A Network Security Group (NSG) is a basic form of firewall that can be used to filter network traffic between subnets in an Azure virtual network. NSGs are used to define inbound and outbound traffic rules that control the flow of traffic to and from resources in a virtual network.
Other options -
Azure Firewall: It is a firewall service that can be used to filter network traffic, and is typically used to protect virtual networks from external threats and to enforce network security policies. However, Azure Firewall is not typically used to filter network traffic between subnets in an Azure virtual network. This is because Network Security Group (NSG) is the recommended method for filtering network traffic within a virtual network.
Azure Application Gateway: It provides application-level load balancing and routing, but is not used to filter network traffic between subnets in an Azure virtual network. It is focused on providing routing and load balancing for web traffic, rather than network traffic.
Azure Load Balancer: It can be used to distribute incoming traffic across multiple virtual machines or instances within a Virtual Network, but is not used to filter network traffic between subnets in an Azure virtual network. It provides a load balancing service, rather than a filtering service.
ExpressRoute connections go over the public Internet, and they offer more reliability, faster speeds, and lower latencies than typical Internet connections.
No
Yes
No
Explanation:
No, it is false that ExpressRoute connections go over the public Internet. However, they do offer more reliability, faster speeds, and lower latencies than typical Internet connections.
Which of the following Azure services offers a dedicated physical server to host your virtual machines?
Azure Bare Metal
Azure Virtual Dedicated Host
Azure Virtual Machines
Azure Dedicated Host
Azure Dedicated Host
Explanation:
Azure Dedicated Host is the correct answer.
Azure Dedicated Host is an Azure service that offers a dedicated physical server to host your virtual machines. With Azure Dedicated Host, you can control the underlying host infrastructure and manage host maintenance operations such as updates and reboots. You can also select the number of cores, amount of memory, and types of storage devices that best suit your workloads.
Other options -
Azure Virtual Machines: This is a cloud-based infrastructure as a service (IaaS) offering that provides virtual machines for running applications and services. However, Azure Virtual Machines do not offer dedicated physical servers.
Azure Virtual Dedicated Host: This is not a valid Azure service.
Azure Bare Metal: This is a term that generally refers to a physical server or machine without a hypervisor layer. While Azure provides access to virtual machines with a range of hardware specifications, Azure Bare Metal is not a specific service that provides dedicated physical servers.
Microsoft Azure services are operated by ____________ in China.
Alibaba
Xiaomi
21Vianet
Morgan Stanley
21Vianet
Explanation:
Microsoft Azure operated by 21Vianet is the first international public cloud service that has been commercialized in China in compliance with Chinese laws and regulations.
_________________ is a hosting service for Domain Name System domains that provides name resolution by using Microsoft Azure infrastructure.
Azure ExpressRoute
Azure DNS
Azure VPN Gateway
Azure Virtual Subnets
Azure DNS
Explanation:
Azure DNS is a hosting service for DNS domains that provides name resolution by using Microsoft Azure infrastructure. By hosting your domains in Azure, you can manage your DNS records by using the same credentials, APIs, tools, and billing as your other Azure services.
Azure Service Health allows us to define the critical resources that should never be impacted due to outages and downtimes.
Yes
No
No
Explanation:
Azure Service Health notifies you about Azure service incidents and planned maintenance so you can take action to mitigate downtime. Configure customisable cloud alerts and use your personalised dashboard to analyse health issues, monitor the impact to your cloud resources, get guidance and support, and share details and updates.
How can JSON strings be used to assign more than the maximum number of allowed tags to an Azure resource?
By creating additional resource groups
By creating additional tag names
By creating additional subscriptions
By including multiple values for a single tag name
By including multiple values for a single tag name
Explanation:
When you need to assign more than the maximum number of allowed tags to an Azure resource, you can use JSON strings to include multiple values for a single tag name. This approach allows you to apply more tag values than the limit allows while maintaining compliance with Azure’s tag limit. The JSON string should be added as the tag value, and it should contain a comma-separated list of values that you want to apply to the tag.
A(n) ______________ lets you run legacy applications in the cloud that can’t use modern authentication methods, or where you don’t want directory lookups to always go back to an on-premises AD DS environment
Azure Active Directory External Identities
Azure Single Sign On (SSO)
Azure Migrate deployment
Azure Active Directory Domain Services
Azure Active Directory Domain Services
Explanation:
Azure Active Directory Domain Services (Azure AD DS) provides managed domain services such as domain join, group policy, lightweight directory access protocol (LDAP), and Kerberos/NTLM authentication. You use these domain services without the need to deploy, manage, and patch domain controllers (DCs) in the cloud.
An Azure AD DS managed domain lets you run legacy applications in the cloud that can’t use modern authentication methods, or where you don’t want directory lookups to always go back to an on-premises AD DS environment. You can lift and shift those legacy applications from your on-premises environment into a managed domain, without needing to manage the AD DS environment in the cloud.
You can use Azure DNS to buy a domain name.
Yes
No
No
Explanation:
Azure DNS is a hosting service for DNS domains that provides name resolution by using Microsoft Azure infrastructure. By hosting your domains in Azure, you can manage your DNS records by using the same credentials, APIs, tools, and billing as your other Azure services.
You can’t use Azure DNS to buy a domain name. For an annual fee, you can buy a domain name by using App Service domains or a third-party domain name registrar. Your domains then can be hosted in Azure DNS for record management. For more information, see Delegate a domain to Azure DNS.
______________ is a command-line utility that you can use to copy blobs or files to or from a storage account.
AzMove
AzReplicate
AzMigrate
AzCopy
AzCopy
Explanation:
AzCopy is a command-line utility that you can use to copy blobs or files to or from a storage account.
Azure provides native support for IaC via the ________________ model.
Azure Arc
Azure Templates
Azure Tags
Azure Resource Manager
Azure Resource Manager
Explanation:
Azure provides native support for IaC via the Azure Resource Manager model. Teams can define declarative ARM templates that specify the infrastructure required to deploy solutions.
Upon applying a Tag to a Resource Group, all Resources inside it inherit that Tag.
Yes
No
No
Explanation:
Tags applied to the resource group or subscription aren’t inherited by the resources. To apply tags from a subscription or resource group to the resources, see Azure Policies - tags.
A startup has deployed a set of Virtual Machines which are critical for their day-to-day operations. They need to ensure their availability even if a single data center goes down.
One of their interns has suggested that deploying these VMs using a Scale Set would solve the problem. Do you agree?
Yes
No
No
Explanation:
This answer does not specify that the scale set will be configured across multiple data centers, so this solution does not meet the goal.
Azure virtual machine scale sets let you create and manage a group of load balanced VMs. The number of VM instances can automatically increase or decrease in response to demand or a defined schedule. Scale sets provide high availability to your applications, and allow you to centrally manage, configure, and update many VMs.
Virtual machines in a scale set can be deployed across multiple update domains and fault domains to maximize availability and resilience to outages due to data center outages, and planned or unplanned maintenance events.
How do resource locks affect Azure resources?
Resource locks prevent modifications but allow read access.
Resource locks restrict any access to the resources.
Resource locks enforce automatic scaling of resources.
Resource locks completely hide the resources from the Azure portal.
Resource locks prevent modifications but allow read access.
Explanation:
As an administrator, you can lock an Azure subscription, resource group, or resource to protect them from accidental user deletions and modifications. The lock overrides any user permissions.
You can set locks that prevent either deletions or modifications. In the portal, these locks are called Delete and Read-only. In the command line, these locks are called CanNotDelete and ReadOnly.
CanNotDelete means authorized users can read and modify a resource, but they can’t delete it.
ReadOnly means authorized users can read a resource, but they can’t delete or update it. Applying this lock is similar to restricting all authorized users to the permissions that the Reader role provides.
Based on these definitions, we can still READ but not modify/delete the resources. This allows you to view resource configurations without accidentally altering them.
Azure ____________ is an authorization system built on Azure Resource Manager that provides fine-grained access management to Azure resources.
Policies
Locks
Role Based Access Control (RBAC)
Resource Groups
Role Based Access Control (RBAC)
Explanation:
Access management for cloud resources is a critical function for any organization that is using the cloud. Azure role-based access control (Azure RBAC) helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to.
Azure RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management to Azure resources.
What can you do with Azure RBAC?
Here are some examples of what you can do with Azure RBAC:
Allow one user to manage virtual machines in a subscription and another user to manage virtual networks
Allow a DBA group to manage SQL databases in a subscription
Allow a user to manage all resources in a resource group, such as virtual machines, websites, and subnets
Allow an application to access all resources in a resource group
If your application experiences sudden high demand, what type of scaling would involve adding more virtual machines or containers?
Static scaling
Horizontal scaling
Downscaling
Vertical scaling
Horizontal scaling
Explanation:
With horizontal scaling, if you suddenly experienced a steep jump in demand, your deployed resources could be scaled out (either automatically or manually). For example, you could add additional virtual machines or containers, scaling out. In the same manner, if there was a significant drop in demand, deployed resources could be scaled in (either automatically or manually), scaling in.
You are the lead of a Data Science team at your organization, and your management wants to utilize cloud capabilities to modernize your work stream.
What should the company use to build, test, and deploy predictive analytics solutions?
Azure App Service
Azure Machine Learning Studio
Azure Logic Apps
Azure Batch
Azure Machine Learning Studio
Explanation:
Azure Machine Learning Studio is an enterprise-grade service for the end-to-end machine learning lifecycle.
It empowers data scientists and developers to build, deploy, and manage high-quality models faster and with confidence. It accelerates time to value with industry-leading machine learning operations (MLOps), open-source interoperability, and integrated tools. Innovate on a secure, trusted platform designed for responsible AI applications in machine learning.
After taking a lot of courses and understanding cloud fundamentals, you’ve realized that migrating your business resources to Azure makes the most sense. Based on your understanding, which of the following would you need to create first?
A resource lock
A resource group
A subscription
A virtual network
A subscription
Explanation:
A subscription needs to be created first and foremost.
The Azure account is what lets you access Azure services and Azure subscriptions. It is possible to create multiple subscriptions in our Azure account to create separation for billing or management purposes. In your subscription(s) you can manage resources in resource groups.
Azure Advisor provides a cloud score to assess how well-architected your workloads are AND can also provide ‘Step-by-Step’ guidance and quick actions for fast remediation.
No
Yes
Yes
Explanation:
Azure Advisor helps in quick and easy optimization of your Azure deployments. Azure Advisor analyses your configurations and usage telemetry and offers personalised, actionable recommendations to help you optimise your Azure resources for reliability, security, operational excellence, performance and cost.
Which of the following enables centralizing your organization’s file shares in Azure Files, while keeping the flexibility, performance, and compatibility of a Windows file server?
Azure File Manager
Azure File Sync
Azure File Explorer
Azure File Storage
Azure File Sync
Explanation:
Azure File Sync enables centralizing your organization’s file shares in Azure Files, while keeping the flexibility, performance, and compatibility of a Windows file server. While some users may opt to keep a full copy of their data locally, Azure File Sync additionally has the ability to transform Windows Server into a quick cache of your Azure file share. You can use any protocol that’s available on Windows Server to access your data locally, including SMB, NFS, and FTPS. You can have as many caches as you need across the world.
Your company makes use of several SQL databases. However, you want to increase their efficiency because of varying and unpredictable workloads. Which of the following can help you with this?
Elastic Pools
Region Pairs
Scale Sets
Resource Tags
Elastic Pools
Explanation:
Just like Azure VM Scale Sets are used with VMs, you can use Elastic Pools with Azure SQL Databases!
SQL Database elastic pools are a simple, cost-effective solution for managing and scaling multiple databases that have varying and unpredictable usage demands. The databases in an elastic pool are on a single Azure SQL Database server and share a set number of resources at a set price. Elastic pools in Azure SQL Database enable SaaS developers to optimize the price performance for a group of databases within a prescribed budget while delivering performance elasticity for each database.
Which of the following is the strongest way to protect sensitive customer data?
Don’t store sensitive data at all.
Encrypt the data at rest.
Encrypt the data in transit.
Encrypt the data both at rest and in transit.
Encrypt the data both at rest and in transit.
Explanation:
To help protect data in the cloud, you need to account for the possible states in which your data can occur, and what controls are available for that state. Best practices for Azure data security and encryption relate to the following data states:
_______________ copies your data synchronously across three Azure availability zones in the primary region. For applications requiring high availability.
Locally redundant storage (LRS)
Geo-zone-redundant storage (GZRS)
Planet-redundant storage (PRS)
Zone Redundant Storage (ZRS)
Zone Redundant Storage (ZRS)
Explanation:
Data in an Azure Storage account is always replicated three times in the primary region. Azure Storage offers two options for how your data is replicated in the primary region:
Locally redundant storage (LRS) copies your data synchronously three times within a single physical location in the primary region. LRS is the least expensive replication option, but isn’t recommended for applications requiring high availability or durability.
Zone-redundant storage (ZRS) copies your data synchronously across three Azure availability zones in the primary region. For applications requiring high availability, Microsoft recommends using ZRS in the primary region, and also replicating to a secondary region.
Geo-zone-redundant storage (GZRS) combines the high availability provided by redundancy across availability zones with protection from regional outages provided by geo-replication. Data in a GZRS storage account is copied across three Azure availability zones in the primary region and is also replicated to a secondary geographic region for protection from regional disasters.
Which of the following services meets all of the following criteria?
1) Monitoring of traffic patterns 24 hours a day, 7 days a week, looking for indicators of attacks.
2) Detailed reports in five-minute increments during an attack, and a complete summary after the attack ends.
3) Engagement of a dedicated team for help with attack investigation and analysis.
A network security group (NSG)
DDoS protection
Azure Information Protection
Azure Policies
DDoS protection
Explanation:
Distributed denial of service (DDoS) attacks are some of the largest availability and security concerns facing customers that are moving their applications to the cloud. A DDoS attack attempts to exhaust an application’s resources, making the application unavailable to legitimate users. DDoS attacks can be targeted at any endpoint that is publicly reachable through the internet.
Azure DDoS Protection enables you to protect your Azure resources from denial of service (DoS) attacks with always-on monitoring and automatic network attack mitigation. There is no upfront commitment, and your total cost scales with your cloud deployment.
Suppose the lead architect in your company has asked your team to implement an IaaS-based solution in Azure for a quick Proof-of-Concept (POC) to senior management. One of your colleagues goes ahead and creates an Azure Virtual Network and 3 Azure Virtual Machines.
Would you agree with this implementation?
Yes
No
Yes
Explanation:
Azure Virtual Machines and Azure Virtual Networks both fall under the IaaS category, and therefore this solution would meet the lead architect’s ask.
An Azure ________________ is a connection between two Azure Regions within the same geographic region for disaster recovery purposes.
Region Pair
Region
Availability Zone
Geography
Region Pair
Explanation:
Regional Pairs are 2 connected Azure Regions for Disaster Recovery within the same Geography.
Many organizations require both high availability provided by availability zones that are also supported with protection from large-scale phenomena and regional disasters. As discussed in the resiliency overview for regions and availability zones, Azure regions are designed to offer protection against local disasters with availability zones. But they can also provide protection from regional or large geography disasters with disaster recovery by making use of another region that uses cross-region replication.
To ensure customers are supported across the world, Azure maintains multiple geographies. These discrete demarcations define a disaster recovery and data residency boundary across one or multiple Azure regions.
Cross-region replication is one of several important pillars in the Azure business continuity and disaster recovery strategy. Cross-region replication builds on the synchronous replication of your applications and data that exists by using availability zones within your primary Azure region for high availability. Cross-region replication asynchronously replicates the same applications and data across other Azure regions for disaster recovery protection.
What is the key difference between vertical scaling and horizontal scaling?
Vertical scaling only applies to virtual machines, while horizontal scaling applies to containers.
Vertical scaling adjusts the number of resources, while horizontal scaling adjusts capabilities.
Vertical scaling is automatic, while horizontal scaling requires manual intervention.
Vertical scaling adds more processing power, while horizontal scaling increases storage capacity.
Vertical scaling adjusts the number of resources, while horizontal scaling adjusts capabilities.
Explanation:
Vertical scaling involves adjusting the number of resources, such as CPUs or RAM. Horizontal scaling, on the other hand, involves adding or subtracting resources to adjust capabilities, such as adding more virtual machines.
It’s possible to deploy an Azure VM from a MacOS based system by using which of the following options?
Azure CLI
Azure Cloudshell
Azure Powershell
Azure Portal
Azure CLI
Azure Cloudshell
Azure Powershell
Azure Portal
Explanation:
All of the above can be used to manage Azure resources on a MacOS based system!
Azure Portal - Available for all Operating Systems
Azure CLI - Available for MacOS, Windows and Linux
Azure Powershell - Available to install on MacOS, Windows, Linux, Docker, and Arm (Subset of Azure Cloudshell)
Azure Cloudshell - Azure Cloud Shell is an interactive, authenticated, browser-accessible shell for managing Azure resources. It provides the flexibility of choosing the shell experience that best suits the way you work, either Bash or PowerShell.
Which Azure service should you use to store certificates?
Azure Key Vault
Azure Security Center
Azure Information Protection
An Azure Storage account
Azure Key Vault
Explanation:
Azure Key Vault helps solve the following problems:
1) Secrets Management - Azure Key Vault can be used to securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets.
2) Key Management - Azure Key Vault can also be used as a Key Management solution. Azure Key Vault makes it easy to create and control the encryption keys used to encrypt your data.
3) Certificate Management - Azure Key Vault is also a service that lets you easily provision, manage, and deploy public and private Transport Layer Security/Secure Sockets Layer (TLS/SSL) certificates for use with Azure and your internal connected resources.
Azure Key Vault has two service tiers: Standard, which encrypts with a software key, and Premium, which includes hardware security module (HSM)-protected keys.
Azure strives to ensure a minimum distance of ______________ miles between datacenters in enabled regions, although it isn’t possible across all geographies.
200
300
500
400
300
Explanation:
Azure strives to ensure a minimum distance of 300 miles (483 kilometers) between datacenters in enabled regions, although it isn’t possible across all geographies. Datacenter separation reduces the likelihood that natural disaster, civil unrest, power outages, or physical network outages can affect multiple regions. Isolation is subject to the constraints within a geography, such as geography size, power or network infrastructure availability, and regulations.
What types of threats does Defender for Cloud help detect across Azure PaaS services?
Denial of service (DoS) attacks against network resources.
Physical security breaches within datacenters.
Threats related to physical hardware vulnerabilities.
Threats targeting Azure services like Azure App Service, Azure SQL, and Azure Storage Account.
Threats targeting Azure services like Azure App Service, Azure SQL, and Azure Storage Account.
Explanation:
Defender for Cloud helps detect threats targeting various Azure services, such as Azure App Service, Azure SQL, and Azure Storage Account - these are PaaS services anyway. It provides monitoring and protection for these services to enhance their security.
Which of the following can be included as artifacts in an Azure Blueprint? (Select all that apply)
Role assignments
Policy assignments
Azure Resource Manager templates
Resource groups
Role assignments
Policy assignments
Azure Resource Manager templates
Resource groups
Explanation:
All the options are correct. From the official docs: Azure Blueprints deploy a new environment based on all of the requirements, settings, and configurations of the associated artifacts. Artifacts can include things such as:
Role assignments
Policy assignments
Azure Resource Manager templates
Resource groups
Your Azure account contains several policies and you wish to group/organize them. Which of the following can help you achieve this?
Resource Groups
Azure Active Directory
Initiatives
Network Security Groups
Initiatives
Explanation:
An initiative definition is a collection of policy definitions that are tailored towards achieving a singular overarching goal. Initiative definitions simplify managing and assigning policy definitions. They simplify by grouping a set of policies as one single item. For example, you could create an initiative titled Enable Monitoring in Azure Security Center, with a goal to monitor all the available security recommendations in your Azure Security Center.
____________ copies your data synchronously three times within a single physical location in the primary region.
Zone-redundant storage (ZRS)
Geo-zone-redundant storage (GZRS)
Worldwide Redundant Storage (WRS)
Locally redundant storage (LRS)
Locally redundant storage (LRS)
Explanation:
Azure Storage always stores multiple copies of your data so that it’s protected from planned and unplanned events, including transient hardware failures, network or power outages, and massive natural disasters. Redundancy ensures that your storage account meets its availability and durability targets even in the face of failures.
_______________. You’re also responsible for their security.
information, network controls
devices, operating system
data, physical network
data, identities
data, identities
Explanation:
As you consider and evaluate public cloud services, it’s critical to understand the shared responsibility model and which security tasks are handled by the cloud provider and which tasks are handled by you. The workload responsibilities vary depending on whether the workload is hosted on Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), or in an on-premises datacenter.
You are looking to link resources together in your on-premises environment and within your Azure subscription but don’t want the connection to travel over the internet. Which of the following can you use?
Azure Site-to-Site VPN
Azure ExpressRoute
Azure Bastion
Azure Point-to-Site VPN
Azure Sentinel
Azure ExpressRoute
Explanation:
Azure virtual networks enable you to link resources together in your on-premises environment and within your Azure subscription. In effect, you can create a network that spans both your local and cloud environments. There are three mechanisms for you to achieve this connectivity:
Point-to-site virtual private networks: The typical approach to a virtual private network (VPN) connection is from a computer outside your organization, back into your corporate network. In this case, the client computer initiates an encrypted VPN connection to connect that computer to the Azure virtual network.
Site-to-site virtual private networks: A site-to-site VPN links your on-premises VPN device or gateway to the Azure VPN gateway in a virtual network. In effect, the devices in Azure can appear as being on the local network. The connection is encrypted and works over the internet.
Azure ExpressRoute: For environments where you need greater bandwidth and even higher levels of security, Azure ExpressRoute is the best approach. ExpressRoute provides a dedicated private connectivity to Azure that doesn’t travel over the internet.
Which tab of the Azure pricing calculator would you use to calculate your estimate?
Machines
Storage
Products
Estimate
Products
Explanation:
The Products tab allows us to choose certain services, and configure a solution. We then get an estimated cost for deploying our solution.
You need to seamlessly connect two Virtual Networks in Azure without a lot of hassle. Which of the following services would make sense to use?
Virtual Network Integration Service
Virtual Network Connector
Virtual Network Peering
Virtual Network Subnets
Virtual Network Peering
Explanation:
Virtual network peering enables you to seamlessly connect two or more Virtual Networks in Azure. The virtual networks appear as one for connectivity purposes. The traffic between virtual machines in peered virtual networks uses the Microsoft backbone infrastructure. Like traffic between virtual machines in the same network, traffic is routed through Microsoft’s private network only.
Azure supports the following types of peering:
Virtual network peering: Connecting virtual networks within the same Azure region.
Global virtual network peering: Connecting virtual networks across Azure regions.
Your streaming website experiences a burst of heavy traffic whenever you launch a new web-series, but relatively moderate traffic on other days. Which of the following would be a great benefit if you migrate your setup to Azure?
Elasticity
High Availability
Load Balancing
Low Latency
Elasticity
Explanation:
Elastic computing is the ability to quickly expand or decrease computer processing, memory, and storage resources to meet changing demands without worrying about capacity planning and engineering for peak usage. Typically controlled by system monitoring tools, elastic computing matches the amount of resources allocated to the amount of resources actually needed without disrupting operations.
With cloud elasticity, a company avoids paying for unused capacity or idle resources and doesn’t have to worry about investing in the purchase or maintenance of additional resources and equipment.
________________ is a cloud-based platform for creating and running automated workflows that integrate your apps, data, services, and systems.
Azure Logic Apps
Azure Events Hub
Azure App Service
Azure DevOps
Azure Logic Apps
Explanation:
Azure Logic Apps is a cloud service that helps you schedule, automate, and orchestrate tasks, business processes, and workflows when you need to integrate apps, data, systems, and services across enterprises or organizations.
A _______________ can enable branch offices to share sensitive information between locations.
VPN
Bastion
Bridge
DNS
VPN
Explanation:
VPNs use an encrypted tunnel within another network. They’re typically deployed to connect two or more trusted private networks to one another over an untrusted network (typically the public internet). Traffic is encrypted while traveling over the untrusted network to prevent eavesdropping or other attacks.
VPNs can enable branch offices to share sensitive information between locations. For example, let’s say that your offices on the East coast region of North America need to access your company’s private customer data, which is stored on servers that are physically located in a West coast region. A VPN can connect your East coast offices to your West coast servers allowing your company to securely access your private customer data.
Yes or No:
The Azure Q/A forums is a paid service.
No
Yes
No
Explanation:
The Q/A forums is a free service offered by Azure. There is no cost associated with it.
You can get answers to common questions, and even filter by product to limit the results!
Which of the following is a free tool to conveniently manage your Azure cloud storage resources from your desktop?
Azure Data Box
Azure AzCopy
Azure Migrate
Azure Storage Explorer
Azure FileSync
Azure Storage Explorer
Explanation:
Azure Storage Explorer is a free tool to conveniently manage your Azure cloud storage resources from your desktop.
In Azure, when you set a budget, what happens when the budget alert level is reached?
The budget is automatically increased by 10%
An invoice is sent to the account owner
A budget alert is triggered
The resource usage is suspended
A budget alert is triggered
Explanation:
A budget alert is triggered is the correct option!
Other options -
The budget is automatically increased by 10%: This is incorrect because reaching the budget alert level does not cause the budget to automatically increase. The purpose of the alert is to notify you when the spending reaches a certain threshold.
The resource usage is suspended: This is incorrect because a budget alert by itself does not suspend resource usage. It simply provides a notification that the alert threshold has been reached. However, you can configure advanced automation to suspend or modify resources based on budget conditions, but this is not the default behavior.
An invoice is sent to the account owner: This is incorrect because reaching the budget alert level does not trigger an invoice to be sent to the account owner. The budget alert is intended to inform you about the spending level, not to generate an invoice.
Which of the following alert types are available in the Cost Management service? (Select all that apply)
Department spending quota alerts
Credit alerts
Resource usage alerts
Budget alerts
Department spending quota alerts
Credit alerts
Budget alerts
Explanation:
Budget alerts: Correct. Budget alerts notify you when spending, based on usage or cost, reaches or exceeds the amount defined in the alert condition of the budget.
Credit alerts: Correct. Credit alerts notify you when your Azure credit monetary commitments are consumed. Monetary commitments are for organizations with Enterprise Agreements (EAs).
Department spending quota alerts: Correct. Department spending quota alerts notify you when department spending reaches a fixed threshold of the quota. Spending quotas are configured in the EA portal.
Other options -
Resource usage alerts: Incorrect. Resource usage alerts are not part of the Cost Management service. Cost Management focuses on costs, budgets, and spending alerts.
Which of the following Azure storage services would you use to store different types of files, such as video, audio, and text, in a highly cost-effective and scalable manner?
Azure PostgreSQL
Azure SQL Database
Azure Cosmos DB
Azure Blob Storage
Azure Blob Storage
Explanation:
A blob is a binary large object and a storage option for any type of data that you want to store in a binary format.
Azure Blob storage is Microsoft’s object storage solution for the cloud. Blob storage is optimized for storing massive amounts of unstructured data. Unstructured data is data that doesn’t adhere to a particular data model or definition, such as text or binary data.
Blob storage is designed for:
1) Serving images or documents directly to a browser.
2) Storing files for distributed access.
3) Streaming video and audio.
4) Writing to log files.
5) Storing data for backup and restore, disaster recovery, and archiving.
6) Storing data for analysis by an on-premises or Azure-hosted service.
Azure Service Health has the ability to configure cloud alerts to notify you about active and upcoming service issues
Yes
No
Yes
Explanation:
Azure Service Health notifies you about Azure service incidents and planned maintenance so you can take action to mitigate downtime. Configure customisable cloud alerts and use your personalised dashboard to analyse health issues, monitor the impact to your cloud resources, get guidance and support, and share details and updates.
________________ is the process of verifying a user’s credentials.
Federation
Authorization
Authentication
Ticketing
Authentication
Explanation:
Authentication is the process of establishing the identity of a person or service looking to access a resource. It involves the act of challenging a party for legitimate credentials and provides the basis for creating a security principal for identity and access control use. It establishes if they are who they say they are.
A Resource can only access other resources in the same resource group.
Yes
No
No
Explanation:
A resource can connect to resources in other resource groups. This scenario is common when the two resources are related but don’t share the same lifecycle. For example, you can have a web app that connects to a database in a different resource group.
Which of the following is the mission-critical cloud deployment available only to US Federal, State, Local and Tribal Governments and their partners?
Azure Nation
Azure Federal
Azure Government
ISO
Azure Government
Explanation:
Azure Government is the mission-critical cloud, delivering breakthrough innovation to US government customers and their partners. Only US federal, state, local and tribal governments and their partners have access to this dedicated instance, operated by screened US citizens. Azure Government offers the broadest level of certifications of any cloud provider to simplify even the most critical government compliance requirements.
_____________ notifies you about Azure service incidents and planned maintenance so you can take action to mitigate downtime.
Azure Health Bot
Azure Chaos Studio
Azure Service Health
Azure Percept
Azure Service Health
Explanation:
Azure Service Health notifies you about Azure service incidents and planned maintenance so you can take action to mitigate downtime. Configure customisable cloud alerts and use your personalised dashboard to analyse health issues, monitor the impact to your cloud resources, get guidance and support, and share details and updates.
A team in your organization wants to implement a solution involving basic Artificial Intelligence (AI), but they have basic API and programming knowledge and background with which to implement this solution.
As an experienced Azure Architect, which of the following would be your suggestion?
Azure DevOps
Azure Active Directory
Azure Cognitive Services
Azure Machine Learning Studio
Azure Cognitive Services
Explanation:
Cognitive Services brings AI within reach of every developer and data scientist. With leading models, a variety of use cases can be unlocked. All it takes is an API call to embed the ability to see, hear, speak, search, understand, and accelerate advanced decision-making into your apps. Enable developers and data scientists of all skill levels to easily add AI capabilities to their apps.
As the Lead Security Engineer of your organization, you’re worried that someone may mistakenly delete mission critical resources in Azure. What can you do to prevent this from accidentally happening?
Apply the DoNotTouch Lock on the resources
Use Azure ExpressRoute
Apply the CanNotDelete Lock on the resources
Use Azure Monitor to define policies
Use an Azure Virtual Subnet
Apply the CanNotDelete Lock on the resources
Explanation:
Applying a delete lock to the resource group will prevent the resources inside it from being deleted.
As an administrator, you can lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. The lock overrides any permissions the user might have.
You can set the lock level to CanNotDelete or ReadOnly. In the portal, the locks are called Delete and Read-only respectively:
1) CanNotDelete means authorized users can still read and modify a resource, but they can’t delete the resource.
2) ReadOnly means authorized users can read a resource, but they can’t delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.
Yes or No:
Having a hybrid cloud solution in place could be useful when regulations or policies do not permit moving specific data or workloads to the cloud.
Yes
No
Yes
Explanation:
When organizations move workloads and data to the cloud, their on-premises datacenters often continue to play an important role. The term hybrid cloud refers to a combination of public cloud and on-premises datacenters, to create an integrated IT environment that spans both. Some organizations use hybrid cloud as a path to migrate their entire datacenter to the cloud over time. Other organizations use cloud services to extend their existing on-premises infrastructure.
____________ is a bridge that extends the Azure platform to help you build applications and services with the flexibility to run across datacenters, at the edge, and in multicloud environments. It also simplifies governance and management by delivering a consistent multi-cloud and on-premises management platform.
Azure Sentinel
Azure Bridge
Azure Arc
Azure DNS
Azure Arc
Explanation:
Azure Arc is a bridge that extends the Azure platform to help you build applications and services with the flexibility to run across datacenters, at the edge, and in multicloud environments. Develop cloud-native applications with a consistent development, operations, and security model. Azure Arc runs on both new and existing hardware, virtualization and Kubernetes platforms, IoT devices, and integrated systems.
You can link virtual networks together by using ________________.
Virtual Network Seeding
Virtual Network Proxy
Virtual Network Peering
Virtual Network Hub
Virtual Network Peering
Explanation:
You can link virtual networks together by using virtual network peering. Peering enables resources in each virtual network to communicate with each other. These virtual networks can be in separate regions, which allows you to create a global interconnected network through Azure.
User-defined routes (UDR) are a significant update to Azure’s Virtual Networks that allows for greater control over network traffic flow. This method allows network administrators to control the routing tables between subnets within a VNet, as well as between VNets.
A recent unapproved size change to one of the Virtual Machines (VMs) in your company has led to a huge unexpected bill. Which of the following services can help you identify the user who made this unapproved change?
Azure Information Protection (AIP)
Azure Activity Log
Azure Service Health
Azure Event Hubs
Azure Xamarin
Azure Activity Log
Explanation:
The Azure Monitor activity log is a platform log in Azure that provides insight into subscription-level events. The activity log includes information like when a resource is modified or a virtual machine is started. You can view the activity log in the Azure portal or retrieve entries with PowerShell and the Azure CLI.
_______________ is a workflow-based risk assessment tool that helps you track, assign, and verify your organization’s regulatory compliance activities related to Microsoft Cloud services.
The Microsoft community Forums website
Compliance Manager from the Service Trust Portal
The TCO portal
The Azure Arc Portal
Compliance Manager from the Service Trust Portal
Explanation:
Compliance Manager in the Service Trust Portal is a workflow-based risk assessment tool that helps you track, assign, and verify your organization’s regulatory compliance activities related to Microsoft Cloud services, such as Microsoft 365, Dynamics 365, and Azure.
____________ is made up of one or more datacenters equipped with independent power, cooling, and networking. It is set up to be an isolation boundary. If one zone goes down, the other continues working.
Database racks
Scale Set
Region
Availability Zone
Availability Zone
Explanation:
Which of the following Azure resource types does NOT support tagging?
Azure Container Registry
Azure Cosmos DB
Azure App Service
Virtual Machines
Azure Container Registry
Explanation:
Azure provides the ability to apply metadata tags to resources to help organize and manage resources. These tags consist of name-value pairs that can be used to categorize resources based on common attributes. Azure supports tagging for most of its resource types, but some do not support tagging. Azure Container Registry is correct as Azure Container Registry does not support tagging. Container Registry is a private registry for storing and managing container images and does not currently support metadata tags.
Which of the following is an example of a security layer in the defense-in-depth model?
A dedicated intrusion detection system (IDS).
A single firewall at the network perimeter.
The physical locks on server room doors.
A strong password policy for user accounts.
A dedicated intrusion detection system (IDS).
Explanation:
From the official documentation: “At Microsoft Azure, our security approach focuses on defense in depth, with layers of protection built throughout all phases of design, development, and deployment of our platforms and technologies. We also focus on transparency, making sure customers are aware of how we’re constantly working to learn and improve our offerings to help mitigate the cyberthreats of today and prepare for the cyberthreats of tomorrow.”
Which Azure service should you use to correlate events from multiple resources into a centralized repository?
Azure Blueprint
Azure Event Hubs
Azure Cosmos DB
Azure Log Analytics
Azure Event Hubs
Explanation:
Event Hubs is a fully managed, real-time data ingestion service that’s simple, trusted and scalable. Stream millions of events per second from any source to build dynamic data pipelines and immediately respond to business challenges. Keep processing data during emergencies using the geo-disaster recovery and geo-replication features.
An Azure Firewall has the ability to encrypt data at rest as well as in transit.
Yes
No
No
Explanation:
A firewall is mainly used to filter traffic.
From the Official Azure Documentation:
Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It’s a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.
You can centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks. Azure Firewall uses a static public IP address for your virtual network resources allowing outside firewalls to identify traffic originating from your virtual network. The service is fully integrated with Azure Monitor for logging and analytics.
Which of the following tools is NOT available within the Azure Security Center for vulnerability management?
Azure Firewall Manager
Azure Defender
Azure Policy
Azure Advisor
Azure Firewall Manager
Explanation:
Azure Firewall Manager is not a tool for vulnerability management within the Azure Security Center. Instead, Azure Firewall Manager is a centralized security management service that provides a single pane of glass to manage multiple Azure Firewall instances and virtual networks across different regions and subscriptions. It allows you to configure and deploy Azure Firewall instances, create and apply security policies, and view security alerts and reports.
Yes or No: Cloud services provide greater control over the physical security of your data compared to on-premises infrastructure.
Yes
No
No
Explanation:
Cloud services and on-premises infrastructure have different security models, with unique strengths and weaknesses. While cloud services provide greater control over some aspects of data security, such as network security and access control, they also require a greater degree of trust in the cloud provider to maintain physical security of the data centers where the data is stored. In contrast, on-premises infrastructure provides greater control over physical security, as the organization has direct control over the physical security measures and can ensure that the data is physically secure.