AZ-900 : Microsoft Azure Fundamentals Practice Tests 2025 6 Flashcards
To begin using Azure Storage, you first create an Azure ________________ to store your data objects.
DNS
Resource Group
Storage Account
Storage Section
Storage Account
Explanation:
Azure Storage is a service that you can use to store files, messages, tables, and other types of information. Clients such as websites, mobile apps, desktop applications, and many other types of custom solutions can read data from and write data to Azure Storage. Azure Storage is also used by infrastructure as a service virtual machines, and platform as a service cloud services.
To begin using Azure Storage, you first create an Azure Storage account to store your data objects. You can create an Azure Storage account by using the Azure portal, PowerShell, or the Azure CLI. Your storage account will contain all of your Azure Storage data objects, such as blobs, files, and disks.
Reference: https://docs.microsoft.com/en-ca/learn/modules/azure-storage-fundamentals/azure-storage-accounts
Which of the following is a way that Azure AD Identity Protection helps to protect against identity-based attacks?
By automatically blocking all sign-in attempts from high-risk IP addresses
By requiring all users to use multi-factor authentication
By monitoring users’ device health and security posture
By enforcing strong passwords for all users
By monitoring users’ device health and security posture
Explanation:
Azure AD Identity Protection uses various signals, including device health and security posture, to detect identity-based attacks and suspicious activities. By monitoring these factors, it can assess the risk level of a user’s sign-in attempt or activity and take appropriate action, such as requiring additional authentication or blocking access.
Note that Azure AD Identity Protection is not a replacement for strong passwords, multi-factor authentication, or other security measures. Instead, it is an additional layer of security that helps to protect against identity-based attacks.
By enforcing strong passwords for all users: This is incorrect because enforcing strong passwords is not a specific feature of Azure AD Identity Protection, but rather a general best practice for secure password management.
By automatically blocking all sign-in attempts from high-risk IP addresses: This is incorrect because Azure AD Identity Protection does not automatically block sign-in attempts based on IP address, but instead uses a risk-based approach to evaluate sign-in attempts and assess the level of risk.
By requiring all users to use multi-factor authentication: This is incorrect because although Azure AD Identity Protection supports multi-factor authentication, it is not the only method used to protect against identity-based attacks.
Your team is planning to build a set of REST-based web APIs by using your choice of language and framework. The produced apps should be consumable from any HTTP or HTTPS based client.
Which of the following would be a great fit for this use case?
Azure App Service
Azure Kubernetes Service
Azure Container Instances
Azure Virtual Desktops
Azure Functions
Azure App Service
Explanation:
App Service enables you to build and host web apps, background jobs, mobile back-ends, and RESTful APIs in the programming language of your choice without managing infrastructure. It offers automatic scaling and high availability. App Service supports Windows and Linux and enables automated deployments from GitHub, Azure DevOps, or any Git repo to support a continuous deployment model. This platform as a service (PaaS) environment allows you to focus on the website and API logic while Azure handles the infrastructure to run and scale your web applications.
Which of the following is NOT an Azure Subscription type?
Pay As You Go
Pay For a Year
Member offers
Free Trial
Pay For a Year
Explanation:
You probably know that an Azure subscription provides you with access to Azure resources such as virtual machines (VMs), storage, and databases. The types of resources you use affect your monthly bill.
Azure offers both free and paid subscription options to fit your needs and requirements. They are:
Free trial
A free trial subscription provides you with 12 months of popular free services, a credit to explore any Azure service for 30 days, and more than 25 services that are always free. Your Azure services are disabled when the trial ends or when your credit expires for paid products, unless you upgrade to a paid subscription.
Pay-as-you-go
A pay-as-you-go subscription lets you pay for what you use by attaching a credit or debit card to your account. Organizations can apply for volume discounts and prepaid invoicing.
Member offers
Your existing membership to certain Microsoft products and services might provide you with credits for your Azure account, and reduced rates on Azure services. For example, member offers are available to Visual Studio subscribers, Microsoft Partner Network members, Microsoft for Startups members, and Microsoft Imagine members.
Which of the following is NOT a compute service available in Azure?
Azure Functions
Azure CosmosDB
Azure App Service
Azure Kubernetes
Azure CosmosDB
Explanation:
CosmosDB is a database and not a compute option in Azure.
From the Official Azure Documentation:
Azure offers a number of ways to host your application code. The term compute refers to the hosting model for the computing resources that your application runs on. The following flowchart will help you to choose a compute service for your application.
If your application consists of multiple workloads, evaluate each workload separately. A complete solution may incorporate two or more compute services.
Which feature of Azure AD External Identities enables customers to sign up, sign in, and manage their own profiles using social accounts?
Azure Multi-Factor Authentication
Azure B2B Collaboration
Azure Active Directory B2C
Azure Active Directory Domain Services
Azure Active Directory B2C
Explanation:
Azure Active Directory B2C is designed to handle customer identities and enables them to sign up, sign in, and manage their profiles using social accounts or other identity providers, enhancing their experience with your applications.
What is the purpose of the Azure AD Identity Protection dashboard?
To provide an overview of all users’ activity logs.
To show a summary of the risk level of all users.
To enable administrators to manage and investigate risk events.
To allow administrators to manage users’ authentication methods.
To enable administrators to manage and investigate risk events.
Explanation:
The correct answer is - To enable administrators to manage and investigate risk events.
The purpose of the Azure AD Identity Protection dashboard is to provide administrators with a centralized view of all risky sign-ins, vulnerabilities, and compromised identities. It allows administrators to investigate and manage risk events by providing detailed information about the users, devices, and applications involved in the event. The dashboard also provides recommendations to improve the security posture of the organization, such as enabling multi-factor authentication for at-risk users.
To provide an overview of all users’ activity logs: This is incorrect because the Azure AD Identity Protection dashboard focuses on risk events, not activity logs.
To allow administrators to manage users’ authentication methods: This is incorrect because managing users’ authentication methods is a separate function that is not part of the Azure AD Identity Protection dashboard.
To show a summary of the risk level of all users: This is incorrect because while the dashboard provides a risk score for each user, its primary purpose is to enable administrators to investigate and manage risk events, not to provide a summary of the risk level of all users.
Which storage redundancy option offers the highest level of durability, with a remarkable 16 nines of durability?
Durable-redundant storage (DRS)
Geo-redundant storage (GRS)
Locally redundant storage (LRS)
Zone-redundant storage (ZRS)
Geo-redundant storage (GRS)
Explanation:
The storage redundancy option that provides the highest degree of durability, with 16 nines of durability, is “geo-redundant storage (GRS).” GRS copies your data synchronously within a single physical location in the primary region using locally redundant storage (LRS). It then copies your data asynchronously to a single physical location in the secondary region (the region pair) also using LRS. This combination of synchronous and asynchronous replication results in an extremely high level of durability, offering at least 16 nines (99.99999999999999%) of durability for Azure Storage data objects over a given year.
A __________________ contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources.
Route filter
Network security group (NSG)
Network gateway
Domain Name Service
Network security group (NSG)
Explanation:
You can use an Azure network security group to filter network traffic to and from Azure resources in an Azure virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol.
Network security group security rules are evaluated by priority using the 5-tuple information (source, source port, destination, destination port, and protocol) to allow or deny the traffic. A flow record is created for existing connections. Communication is allowed or denied based on the connection state of the flow record. The flow record allows a network security group to be stateful. If you specify an outbound security rule to any address over port 80, for example, it’s not necessary to specify an inbound security rule for the response to the outbound traffic. You only need to specify an inbound security rule if communication is initiated externally. The opposite is also true. If inbound traffic is allowed over a port, it’s not necessary to specify an outbound security rule to respond to traffic over the port.
_______________ is Microsoft’s cloud-based SIEM system. It uses intelligent security analytics and threat analysis.
Azure Sentinel
Azure Arc
Microsoft Defender for Cloud
Azure Key Vault
Azure Sentinel
Explanation:
Security management on a large scale can benefit from a dedicated security information and event management (SIEM) system. A SIEM system aggregates security data from many different sources (as long as those sources support an open-standard logging format). It also provides capabilities for threat detection and response.
Azure Sentinel is Microsoft’s cloud-based SIEM system. It uses intelligent security analytics and threat analysis.
Azure Sentinel enables you to:
Collect cloud data at scale: Collect data across all users, devices, applications, and infrastructure, both on-premises and from multiple clouds.
Detect previously undetected threats: Minimize false positives by using Microsoft’s comprehensive analytics and threat intelligence.
Investigate threats with artificial intelligence: Examine suspicious activities at scale, tapping into years of cybersecurity experience from Microsoft.
Respond to incidents rapidly: Use built-in orchestration and automation of common tasks.
What benefit does Infrastructure as Code (IaC) provide for disaster recovery scenarios?
It enables version control for application code.
It automates the creation of virtual machines.
It ensures consistent infrastructure configuration replication.
It accelerates the download speed of cloud resources.
It ensures consistent infrastructure configuration replication.
Explanation:
Infrastructure as Code (IaC) is a key DevOps practice that involves the management of infrastructure, such as networks, compute services, databases, storages, and connection topology, in a descriptive model. IaC allows teams to develop and release changes faster and with greater confidence. Benefits of IaC include:
Increased confidence in deployments
Ability to manage multiple environments
Improved understanding of the state of infrastructure
With IaC, you can create infrastructure configurations as code. This enables consistent replication of infrastructure settings, reducing the risk of configuration errors during disaster recovery scenarios.
In a scenario where you need to manage access, policies, and compliance for multiple subscriptions, which Azure service would you use?
Azure management groups
Azure resource groups
Azure Active Directory
Azure subscriptions
Azure management groups
Explanation:
Azure management groups is the correct answer.
In a scenario where you need to manage access, policies, and compliance for multiple subscriptions, you would use Azure management groups. Management groups provide a level of scope above subscriptions, allowing you to organize subscriptions into containers and apply governance conditions to the management groups. All subscriptions within a management group automatically inherit the conditions applied to the management group.
Other options -
Azure Active Directory: While Azure AD is used for identity and access management, it does not directly manage policies and compliance for multiple subscriptions.
Azure subscriptions: Subscriptions are a unit of management, billing, and scale in Azure, but they do not provide a higher level of scope for managing multiple subscriptions.
Azure resource groups: Resource groups are used to organize resources within a subscription, but they do not provide a higher level of scope for managing multiple subscriptions.
Which of the following would you use to deploy and manage containerised applications to provide an integrated continuous integration and continuous delivery (CI/CD) experience and enterprise-grade security and governance?
Azure Container Instances
Azure Kubernetes
Azure Functions
Azure Batch
Azure Kubernetes
Explanation:
You can deploy and manage containerised applications more easily with a fully managed Kubernetes service. Azure Kubernetes Service (AKS) offers serverless Kubernetes, an integrated continuous integration and continuous delivery (CI/CD) experience and enterprise-grade security and governance. You can also unite your development and operations teams on a single platform to rapidly build, deliver and scale applications with confidence.
The Cool storage tier stores data offline and offers the lowest storage costs, but also the highest costs to rehydrate and access data.
False
True
False
Explanation:
Azure Storage offers different access tiers for your blob storage, helping you store object data in the most cost-effective manner. The available access tiers include:
Hot access tier: Optimized for storing data that is accessed frequently (for example, images for your website).
Cool access tier: Optimized for data that is infrequently accessed and stored for at least 30 days (for example, invoices for your customers).
Archive access tier: Appropriate for data that is rarely accessed and stored for at least 180 days, with flexible latency requirements (for example, long-term backups).
The following considerations apply to the different access tiers:
Only the hot and cool access tiers can be set at the account level. The archive access tier isn’t available at the account level.
Hot, cool, and archive tiers can be set at the blob level, during upload or after upload.
Data in the cool access tier can tolerate slightly lower availability, but still requires high durability, retrieval latency, and throughput characteristics similar to hot data. For cool data, a slightly lower availability service-level agreement (SLA) and higher access costs compared to hot data are acceptable trade-offs for lower storage costs.
Archive storage stores data offline and offers the lowest storage costs, but also the highest costs to rehydrate and access data.
Azure Pay-As-You-Go pricing is an example of Capex.
No
Yes
No
Explanation:
One of the major changes that you will face when you move from on-premises cloud to the public cloud is the switch from capital expenditure (buying hardware) to operational expenditure (paying for service as you use it).
What are the basic building blocks of Azure?
Resource groups
Subscriptions
Management groups
Resources
Resources
Explanation:
Resources are the basic building blocks of Azure. Anything you create, provision, deploy, etc. is a resource. Virtual Machines (VMs), virtual networks, databases, cognitive services, etc. are all considered resources within Azure.
Other options -
Resource groups are logical containers for resources deployed within an Azure subscription. They do not represent the individual components created in Azure.
Subscriptions are a unit of management, billing, and scale in Azure. They are used to organize resource groups and facilitate billing but are not the basic building blocks themselves.
Management groups are a higher-level organizational structure used to manage access, policies, and compliance for multiple subscriptions. They are not the basic building blocks of Azure.
What is the minimum number of Virtual Machines and minimum number of Availability Zones respectively that must be used to guarantee an SLA of 99.99%?
2 Virtual Machines, 2 Availability Zones
1 Virtual Machine, 1 Availability Zone
1 Virtual Machine, 2 Availability Zones
2 Virtual Machines, 1 Availability Zone
2 Virtual Machines, 2 Availability Zones
Explanation:
Azure offers industry-best SLAs for VMs. However, to guarantee an SLA of 99.99%, you must have 2 or more instances deployed across 2 or more Availability Zones!
According to the official Azure documentation:
Reference: https://azure.microsoft.com/en-us/support/legal/sla/virtual-machines/v1_9/
An Azure Web App that queries an on-prem Oracle SQL Database is an example of a ____________________ cloud architecture.
multi-vendor
hybrid
private
public
hybrid
Explanation:
Since you are using both Azure and on-prem resources (a combination of both), this is an example of a hybrid cloud!
From the Official Azure Documentation:
Reference: https://azure.microsoft.com/en-in/overview/what-is-hybrid-cloud-computing/
Which of the following is an event-driven, compute-on-demand service, with capabilities to implement code triggered by events occurring in Azure or third-party services as well as on-premises systems?
Azure Kubernetes
Azure Serverless
Azure Machine Learning Studio
Azure Policies
Azure CosmosDB
Azure Functions
Azure Functions
Explanation:
Azure Functions is a serverless solution that allows you to write less code, maintain less infrastructure, and save on costs. Instead of worrying about deploying and maintaining servers, the cloud infrastructure provides all the up-to-date resources needed to keep your applications running.
You focus on the pieces of code that matter most to you, and Azure Functions handles the rest.
Your organization needs to move all its data back to on-premises due to new government regulations. Which Azure service should you use to export data from Azure for this migration?
AzCopy
Azure Data Box
Azure Site Recovery
Azure Data Factory
Azure Data Box
Explanation:
The correct option is Azure Data Box. Azure Data Box is designed for transferring large amounts of data to and from Azure. In this scenario, where the organization needs to move all its data back to on-premises due to government regulations, Data Box is the most suitable choice. It provides a secure and efficient way to transfer large volumes of data without relying on limited or slow network connections.
Wrong options:
Azure Data Factory - Azure Data Factory is a cloud-based data integration service that allows you to create, schedule, and manage data workflows. While it can be used to move and transform data, it’s not the best option for large-scale data export to on-premises, especially with limited network connectivity.
Azure Site Recovery - Azure Site Recovery is a disaster recovery service that helps protect and recover on-premises and Azure-based virtual machines. It is not designed for exporting large amounts of data from Azure to on-premises environments.
AzCopy - AzCopy is a command-line utility for copying data to and from Azure Storage. While it can be used for data transfers, it relies on network connectivity, which may not be suitable for transferring large amounts of data back to on-premises locations.
You have an on-premises infrastructure and would like to extend its capabilities by making use of Azure services. Which type of cloud deployment is this an example of?
A Public Cloud
A private cloud
A hybrid cloud
An Internal cloud
A hybrid cloud
Explanation:
A hybrid cloud is a combination of a private cloud and a public cloud.
A hybrid cloud is a computing environment that combines a public cloud and a private cloud by allowing data and applications to be shared between them.
Hybrid cloud
Provides the most flexibility.
Organizations determine where to run their applications.
Organizations control security, compliance, or legal requirements.
_____________ helps you estimate the cost savings of operating your solution on Azure over time compared to operating in your on-premises datacenter.
Azure TCO Calculator
Azure Advisor
Azure Blueprints
Azure Pricing Calculator
Azure TCO Calculator
Explanation:
The TCO Calculator helps you estimate the cost savings of operating your solution on Azure over time compared to operating in your on-premises datacenter.
The term total cost of ownership is used commonly in finance. It can be hard to see all the hidden costs related to operating a technology capability on-premises. Software licenses and hardware are additional costs.
With the TCO Calculator, you’ll enter the details of your on-premises workloads. Then you can review the suggested industry-average cost (which you can adjust) for related operational costs. These costs include electricity, network maintenance, and IT labor. You’re then presented with a side-by-side report. Using the report, you can compare those costs with the same workloads running on Azure.
A Senior Security Engineer in your company has enforced MFA for all users. How does MFA enhance security?
It requires a Password and a code through the Microsoft Authenticator App
It uses two passwords
It requires password complexity
It requires a Social Insurance Number and a Password
It requires a Password and a code through the Microsoft Authenticator App
Explanation:
Multi-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan.
If you only use a password to authenticate a user, it leaves an insecure vector for attack. If the password is weak or has been exposed elsewhere, is it really the user signing in with the username and password, or is it an attacker? When you require a second form of authentication, security is increased as this additional factor isn’t something that’s easy for an attacker to obtain or duplicate.
Azure AD Multi-Factor Authentication works by requiring two or more of the following authentication methods:
1) Something you know, typically a password.
2) Something you have, such as a trusted device that is not easily duplicated, like a phone or hardware key.
3) Something you are - biometrics like a fingerprint or face scan.
Users can register themselves for both self-service password reset and Azure AD Multi-Factor Authentication in one step to simplify the on-boarding experience. Administrators can define what forms of secondary authentication can be used. Azure AD Multi-Factor Authentication can also be required when users perform a self-service password reset to further secure that process.
You can enforce Azure AD Multi-Factor Authentication for all users via the Microsoft Authenticator app, phone call, or SMS code.
No
Yes
No
Explanation:
Azure AD Multi-Factor Authentication is a Microsoft service that provides multifactor authentication capabilities. Azure AD Multi-Factor Authentication enables users to choose an additional form of authentication during sign-in, such as a phone call or mobile app notification.
The Azure Active Directory free edition enables Azure AD Multi-Factor Authentication for administrators with the global admin level of access, via the Microsoft Authenticator app, phone call, or SMS code. You can also enforce Azure AD Multi-Factor Authentication for all users via the Microsoft Authenticator app only, by enabling security defaults in your Azure AD tenant.