Microsoft AZ-104 Microsoft Azure Administrator Exam Dumps and Practice Test Questions Set 12 Q166-180

Question 166

You want to schedule automatic shutdown for non-production VMs to save costs. Which feature should you use?

A) Azure VM Auto-Shutdown
B) Azure Automation Runbooks
C) Azure Policy
D) Azure Monitor Alerts

Answer: A) Azure VM Auto-Shutdown

Explanation:

In Azure, managing virtual machine (VM) operational costs is a critical consideration, especially in development, testing, or non-production environments where resources may not need to run continuously. One effective strategy for reducing expenses is to automate the shutdown of VMs during off-hours. Azure provides several tools that could potentially address this need, but not all of them are designed specifically for scheduling VM shutdowns. Understanding the capabilities and limitations of each option is essential for implementing a cost-effective and reliable solution.

Azure VM Auto-Shutdown is a built-in feature designed specifically to allow users to schedule the automatic shutdown of virtual machines at specified times. This feature is particularly useful in development or test environments where VMs do not need to run 24/7. By configuring Auto-Shutdown, administrators can define a daily shutdown time for each VM, and optionally, specify notification emails to alert stakeholders before the shutdown occurs. The key advantage of this approach is its simplicity and native integration with the VM management interface. Auto-Shutdown eliminates the need for custom scripts or additional infrastructure, providing a straightforward method for reducing operational costs. It ensures that resources are powered off automatically during non-business hours, helping organizations save on compute charges without manual intervention.

Azure Automation Runbooks offer an alternative approach to automating VM shutdowns. Runbooks are scripts executed in the Azure Automation service that can perform a wide range of administrative tasks, including starting or stopping VMs. While runbooks provide flexibility and can implement complex logic, they require additional setup and management. Administrators must write, test, and maintain scripts to perform the shutdown operation, and ensure that schedules are correctly configured within the Automation account. This adds operational overhead compared to using the built-in Auto-Shutdown feature. While runbooks are powerful and extendable, they are not the most efficient or simple solution when the goal is purely to schedule VM shutdowns for cost optimization.

Azure Policy is another tool that might seem relevant but serves a different purpose. Policies are designed to enforce organizational standards and compliance rules across resources, such as requiring tags, restricting allowed VM sizes, or enforcing security configurations. While Azure Policy can ensure that VMs comply with certain rules, it does not have the capability to schedule power state changes, such as shutting down or starting VMs. Policy focuses on governance and compliance rather than operational automation, making it unsuitable for automated shutdown scheduling.

Azure Monitor Alerts is a service used to monitor metrics and logs from Azure resources and trigger notifications or automated actions when specific conditions are met. While alerts are useful for monitoring performance, availability, or operational thresholds, they are not intended for routine scheduling of VM shutdowns. Alerts can notify administrators of issues, but they do not natively control VM power states in a predictable, recurring schedule.

While Azure Automation Runbooks, Azure Policy, and Azure Monitor Alerts each provide valuable management and operational capabilities, they do not offer a simple, native solution for scheduling routine VM shutdowns. Azure VM Auto-Shutdown is the feature specifically designed for this purpose. It allows administrators to easily configure daily shutdown schedules, optionally notify stakeholders, and reduce compute costs without additional scripting or management overhead. For scenarios focused on cost optimization and predictable VM lifecycle management, Auto-Shutdown is the most efficient and effective solution.
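As an added example (not part of the original question set), the following Azure PowerShell script configures the Auto-Shutdown schedule for one VM, including the optional notification e-mail the explanation mentions. Auto-Shutdown is stored as a Microsoft.DevTestLab/schedules resource in the VM's resource group; the resource group, VM name, time zone, shutdown time and recipient address below are placeholder assumptions.

```powershell
# Added example: enable Auto-Shutdown on a single VM with Azure PowerShell (Az module).
# All names, the time zone and the recipient are assumed placeholders.
$rg       = "rg-dev"                      # assumed resource group
$vmName   = "vm-dev-01"                   # assumed VM name
$shutdown = "1900"                        # daily shutdown time, HHmm, in $timeZone
$timeZone = "W. Europe Standard Time"
$notifyTo = "ops@example.com"             # placeholder recipient

$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName

# Auto-Shutdown lives in a schedule resource named "shutdown-computevm-<vmName>"
# in the same resource group as the VM.
$subId      = (Get-AzContext).Subscription.Id
$scheduleId = "/subscriptions/$subId/resourceGroups/$rg" +
              "/providers/Microsoft.DevTestLab/schedules/shutdown-computevm-$vmName"

$properties = @{
    status           = "Enabled"
    taskType         = "ComputeVmShutdownTask"
    dailyRecurrence  = @{ time = $shutdown }
    timeZoneId       = $timeZone
    targetResourceId = $vm.Id
    notificationSettings = @{
        status         = "Enabled"
        timeInMinutes  = 30               # warn stakeholders 30 minutes before shutdown
        emailRecipient = $notifyTo
    }
}

New-AzResource -ResourceId $scheduleId -Location $vm.Location `
    -Properties $properties -ApiVersion "2018-09-15" -Force

# Check: list every shutdown schedule in the group, so a non-production VM that
# has no schedule (and therefore keeps billing overnight) is easy to spot.
Get-AzResource -ResourceGroupName $rg -ResourceType "Microsoft.DevTestLab/schedules" -ExpandProperties |
    Select-Object Name,
        @{ n = "Status"; e = { $_.Properties.status } },
        @{ n = "Time";   e = { $_.Properties.dailyRecurrence.time } }
```

Auto-Shutdown only stops and deallocates the VM; it does not start it again, so a matching start mechanism (or a manual start) is still needed for the next working day.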

Question 167

You need to provide secure RDP access to multiple VMs in a VNet without exposing public IP addresses. Which service should you use?

A) Azure Bastion
B) VPN Gateway
C) Network Security Group
D) Azure Firewall

Answer: A) Azure Bastion

Explanation:

In Azure, providing secure access to virtual machines (VMs) is a critical aspect of cloud operations, particularly when balancing convenience, security, and management simplicity. Traditionally, accessing a VM requires a public IP address and a client-based RDP (for Windows) or SSH (for Linux) connection. However, exposing VMs directly to the internet poses significant security risks, including potential brute-force attacks and unauthorized access. Azure provides multiple networking and security tools, but not all of them are designed to securely manage RDP/SSH access. Understanding the capabilities of each tool is essential to ensure both security and accessibility.

Azure Bastion is a fully managed PaaS service that provides secure and seamless RDP and SSH connectivity to Azure virtual machines directly through the Azure portal. When a VM is deployed within a virtual network (VNet) with Azure Bastion configured, users can connect to the VM using their browser without requiring a public IP address on the VM. Bastion leverages TLS encryption to secure the session end-to-end, preventing exposure of sensitive credentials and protecting against network-level attacks. By removing the need for a public IP, Azure Bastion significantly reduces the attack surface of the virtual machines, ensuring that only authenticated users can establish a connection. Additionally, Bastion is fully managed by Microsoft, meaning that infrastructure maintenance, patching, and scaling are handled automatically, which reduces operational overhead and improves reliability.

VPN Gateway, on the other hand, is designed to provide secure network-level connectivity between on-premises networks and Azure VNets, or between VNets themselves. VPN Gateway uses protocols such as IPsec and IKE to establish encrypted tunnels over the public internet. While VPN Gateway ensures secure network traffic and can allow access to VMs indirectly by connecting a client machine to the Azure network, it does not provide direct RDP or SSH connectivity through a browser. Users must first establish a VPN connection and then use an RDP or SSH client to connect to the VM, making it less seamless compared to Azure Bastion for ad hoc or administrative access.

Network Security Groups (NSGs) are another critical component in Azure networking, providing traffic filtering at the subnet or network interface level. NSGs allow administrators to define inbound and outbound rules to control which IP addresses and ports can access resources. While NSGs are essential for restricting unauthorized traffic and securing the network, they do not provide any mechanism for managing RDP or SSH sessions themselves. NSGs complement services like Azure Bastion by enforcing network-level access policies but cannot replace the functionality of a secure connection service.

Azure Firewall is a managed, cloud-based network security service that monitors and controls traffic at the application and network levels. It provides centralized logging, filtering, and policy enforcement for inbound and outbound traffic across VNets. Although Azure Firewall improves overall network security, it does not provide direct VM access or manage RDP/SSH connections. Its role is to inspect and filter traffic rather than provide connectivity.

While VPN Gateway, NSGs, and Azure Firewall each play important roles in securing Azure environments and controlling access, they do not provide the seamless, secure RDP/SSH connectivity that administrators often require. Azure Bastion is the ideal solution because it allows direct browser-based access to VMs without exposing public IP addresses, leverages TLS encryption for secure sessions, and is fully managed, eliminating operational overhead. For secure internal access to virtual machines in Azure, Bastion combines security, simplicity, and centralized management, making it the correct choice for this scenario.
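As an added example (not part of the original question set), the following Azure PowerShell script deploys Azure Bastion into an existing VNet and then lists any VM NICs that still carry a public IP, which is what the Bastion design is meant to remove. The resource group, VNet name and the AzureBastionSubnet address range are placeholder assumptions.

```powershell
# Added example: deploy Azure Bastion so VMs are reachable over RDP/SSH from the portal
# without their own public IPs. Names and address ranges are assumed placeholders.
$rg       = "rg-prod"
$location = "westeurope"
$vnetName = "vnet-prod"

$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName

# Bastion requires a dedicated subnet literally named AzureBastionSubnet (/26 or larger).
Add-AzVirtualNetworkSubnetConfig -Name "AzureBastionSubnet" -AddressPrefix "10.10.255.0/26" `
    -VirtualNetwork $vnet | Set-AzVirtualNetwork | Out-Null

# The only public IP in this design belongs to Bastion itself, never to a VM.
$pip = New-AzPublicIpAddress -ResourceGroupName $rg -Name "pip-bastion" -Location $location `
    -Sku Standard -AllocationMethod Static

New-AzBastion -ResourceGroupName $rg -Name "bas-prod" `
    -PublicIpAddressRgName $rg -PublicIpAddressName $pip.Name `
    -VirtualNetworkRgName $rg -VirtualNetworkName $vnetName -Sku "Basic"

# Hardening check: NICs in the group that still have a public IP attached. Once Bastion
# is in place these can be detached so RDP/SSH is no longer exposed to the internet.
Get-AzNetworkInterface -ResourceGroupName $rg |
    Where-Object { $_.IpConfigurations.PublicIpAddress } |
    Select-Object Name,
        @{ n = "AttachedVM"; e = { if ($_.VirtualMachine) { $_.VirtualMachine.Id.Split("/")[-1] } else { "(unattached)" } } }
```

If an NSG is applied to AzureBastionSubnet, it must allow the inbound HTTPS (443) traffic from the Internet and GatewayManager tags and outbound 3389/22 to the VNet; otherwise Bastion sessions will not establish.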

Question 168

You need to provide users in your organization temporary access to Azure resources without assigning permanent permissions. Which feature should you use?

A) Role-Based Access Control (RBAC)
B) Azure AD Privileged Identity Management (PIM)
C) Azure Policy
D) Management Groups

Answer: B) Azure AD Privileged Identity Management (PIM)

Explanation:

In Azure, managing administrative access securely is a critical aspect of governance and risk management. Organizations often need to provide users with elevated privileges for specific tasks, such as managing resources, performing updates, or troubleshooting issues. However, granting permanent administrative rights to users can introduce significant security risks, including accidental misconfigurations, malicious activity, or prolonged exposure of sensitive resources. Therefore, it is essential to implement a mechanism that provides just-in-time, temporary access to users who require elevated privileges, while minimizing the risk associated with standing administrative roles.

Role-Based Access Control (RBAC) is the primary mechanism in Azure for assigning permissions to users, groups, or service principals. RBAC enables administrators to define who can perform specific actions on Azure resources, such as reading data, creating virtual machines, or managing network configurations. Permissions are assigned through predefined roles, such as Contributor, Owner, or Virtual Machine Contributor, or via custom roles tailored to specific needs. While RBAC is highly effective for granting the necessary privileges to perform tasks, these assignments are typically permanent. Once a user is assigned a role, they retain those permissions until they are manually removed. This permanent access model increases the attack surface and potential for misuse, as users may retain elevated privileges longer than necessary. It also complicates audit and compliance efforts because all privileged users must be continuously monitored.

Azure AD Privileged Identity Management (PIM) addresses the limitations of traditional RBAC by introducing a just-in-time access model. PIM allows administrators to designate certain roles as “eligible” rather than permanently assigned. Users assigned eligible roles can activate their privileges only when needed and for a limited time period. This time-bound activation reduces the risk of prolonged exposure of administrative rights. Additionally, PIM provides approval workflows, requiring managerial or automated approvals before roles are activated, which further enhances governance. It also supports multi-factor authentication (MFA) during role activation, ensuring that only authorized users can elevate privileges. All activation and usage activities are logged, creating an auditable trail of who accessed which resources and when, helping organizations maintain regulatory compliance and strengthen security posture.

Azure Policy serves a different function by enforcing compliance and governance rules on resource configurations. Policies can restrict allowed VM sizes, enforce tagging, or prevent deployment of unapproved resources. While policies are critical for ensuring resources meet organizational standards, they do not provide mechanisms for managing user permissions or granting temporary administrative access.

Management Groups are another organizational construct in Azure, used to organize subscriptions hierarchically and scope policies or RBAC assignments across multiple subscriptions. Management Groups help structure governance and apply rules consistently, but they do not provide temporary role activation or just-in-time access capabilities. They are primarily for administrative organization and policy enforcement rather than user-level access control.

While RBAC, Azure Policy, and Management Groups provide important governance, compliance, and access management functionality, they do not address the need for time-limited administrative access. Azure AD Privileged Identity Management (PIM) is the correct solution for scenarios requiring temporary, secure elevation of privileges. PIM ensures that users can perform administrative tasks only when necessary, enforces approval workflows and MFA, logs all activities for auditing, and minimizes security risks by reducing the exposure of elevated privileges. For organizations seeking to implement just-in-time access and strengthen their security posture, Azure AD PIM provides a comprehensive and secure approach to managing privileged roles.

Question 169

You need to implement network security for VMs in a VNet to allow only HTTP and HTTPS traffic from the internet. Which service should you use?

A) Network Security Group (NSG)
B) Azure Firewall
C) Application Gateway
D) Azure DDoS Protection

Answer: A) Network Security Group (NSG)

Explanation:

In Azure, securing virtual machines (VMs) and controlling network traffic is a fundamental aspect of protecting workloads from unauthorized access and potential cyber threats. Among the various Azure networking and security services available, selecting the correct tool depends on the level of control, granularity, and simplicity required for managing access. One of the most effective and widely used tools for controlling inbound and outbound traffic to VMs is the Network Security Group (NSG). Understanding why NSGs are appropriate in this scenario requires examining their capabilities in comparison to other Azure security services.

Network Security Groups are designed to provide granular traffic filtering at the subnet or individual network interface card (NIC) level. They allow administrators to define inbound and outbound security rules that control network traffic based on source and destination IP addresses, ports, and protocols. For example, if the requirement is to allow only web traffic (ports 80 and 443) to a VM, an NSG can be configured with specific rules to permit those ports while denying all other inbound connections. This ensures that only authorized traffic reaches the VM while minimizing exposure to unnecessary or potentially harmful network traffic. NSGs are highly flexible, lightweight, and directly integrated into Azure VNets, making them an ideal solution for controlling access to individual resources or subnets efficiently.

In contrast, Azure Firewall provides more advanced, centralized network security. It can enforce both network-level and application-level rules across multiple VNets, including filtering by fully qualified domain names (FQDNs), protocols, and ports. While Azure Firewall is powerful for complex enterprise environments requiring centralized management and logging of traffic, it is generally more complex to configure for simple scenarios. If the requirement is merely to allow or deny specific ports like 80 and 443 to a VM, implementing Azure Firewall introduces unnecessary overhead compared to an NSG, which achieves the same outcome more directly and efficiently.

Azure Application Gateway is a Layer 7 (application layer) load balancer and web application firewall designed to manage HTTP and HTTPS traffic. It provides URL-based routing, SSL termination, session affinity, and protection against common web vulnerabilities. While Application Gateway is highly effective for controlling and securing web application traffic, it does not provide general-purpose network filtering for VMs. It cannot enforce rules on arbitrary ports or non-HTTP/HTTPS traffic, making it unsuitable for scenarios where the goal is to control basic VM network access at the transport layer.

Azure DDoS Protection serves a specialized purpose by defending against volumetric and protocol-based distributed denial-of-service attacks. It automatically mitigates large-scale attacks that could overwhelm network resources and disrupt services. While DDoS Protection enhances overall network security, it does not provide the ability to define port-level access rules or granular traffic controls for individual VMs. It focuses on attack mitigation rather than day-to-day access management.

While Azure Firewall, Application Gateway, and DDoS Protection each provide valuable security and traffic management features, they do not directly satisfy the requirement for simple, port-level access control for virtual machines. Network Security Groups are the most appropriate solution because they allow administrators to create precise inbound and outbound rules, control traffic at the subnet or NIC level, and enforce access to specific ports like 80 and 443 efficiently. NSGs combine simplicity, flexibility, and integration with Azure VNets, making them the ideal tool for managing VM network access while maintaining security and operational efficiency.
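As an added example (not part of the original question set), the following Azure PowerShell script builds the NSG the explanation describes: inbound HTTP and HTTPS from the internet are allowed, management ports are explicitly denied, and everything else falls through to the built-in DenyAllInBound rule. It then associates the NSG with a subnet and reads back the effective rules on a NIC. Resource group, VNet, subnet and NIC names are placeholder assumptions.

```powershell
# Added example: NSG allowing only HTTP/HTTPS from the internet to a web subnet.
# Names are assumed placeholders; the VM behind "nic-web-01" must be running for
# the effective-rules check at the end to work.
$rg       = "rg-web"
$location = "westeurope"
$vnetName = "vnet-web"
$subnet   = "snet-web"

# Rules are evaluated lowest priority number first and the first match wins; the
# built-in DenyAllInBound rule (priority 65500) catches whatever is not allowed here.
$allowWeb = New-AzNetworkSecurityRuleConfig -Name "Allow-Web-In" `
    -Description "HTTP/HTTPS from the internet only" `
    -Direction Inbound -Access Allow -Protocol Tcp -Priority 100 `
    -SourceAddressPrefix Internet -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 80,443

# Explicit deny for management ports, so a later allow rule added by mistake with a
# higher priority number cannot silently reopen RDP/SSH from the internet.
$denyMgmt = New-AzNetworkSecurityRuleConfig -Name "Deny-Mgmt-In" `
    -Direction Inbound -Access Deny -Protocol * -Priority 110 `
    -SourceAddressPrefix Internet -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 22,3389

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name "nsg-web" -SecurityRules $allowWeb, $denyMgmt

# Associate the NSG with the subnet so every NIC in it inherits the rules.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$existingPrefix = ($vnet.Subnets | Where-Object Name -eq $subnet).AddressPrefix
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet `
    -AddressPrefix $existingPrefix -NetworkSecurityGroup $nsg | Set-AzVirtualNetwork | Out-Null

# Verification: effective rules combine subnet-level and NIC-level NSGs, so this
# is what actually applies to the VM rather than what one NSG says on its own.
Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName "nic-web-01" -ResourceGroupName $rg |
    Select-Object -ExpandProperty EffectiveSecurityRules |
    Where-Object Direction -eq "Inbound" |
    Select-Object Name, Priority, Access, Protocol, DestinationPortRange
```

The explicit deny at priority 110 is a defence against rule drift: without it, a later "Allow-All-In" rule at priority 200 would still sit above DenyAllInBound and reopen the ports.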

Question 170

You need to replicate Azure VMs to another region to protect against regional outages. Which feature should you use?

A) Azure Backup
B) Azure Site Recovery
C) Azure Availability Set
D) Azure Load Balancer

Answer: B) Azure Site Recovery

Explanation:

In Azure, ensuring business continuity and disaster recovery (DR) is a critical aspect of cloud architecture, particularly for mission-critical workloads that must remain available even in the event of regional outages or catastrophic failures. Azure provides multiple services for managing virtual machine (VM) data and availability, but each service addresses different aspects of reliability, backup, and redundancy. Understanding the distinctions between these services is essential for implementing a robust disaster recovery strategy.

Azure Backup is a managed service designed to protect data at rest by creating periodic snapshots or backups of virtual machines, databases, and other Azure resources. It allows administrators to define backup policies, including schedules, retention periods, and recovery points, and it supports file-level and full VM recovery depending on the configuration. While Azure Backup is highly effective for protecting against accidental data deletion, corruption, or localized system failures, it does not provide cross-region replication. In other words, if an entire Azure region experiences an outage, the backups stored in that region may also become temporarily inaccessible. Azure Backup is focused on data protection rather than full disaster recovery orchestration or ensuring continuous availability across regions.

Azure Site Recovery (ASR), in contrast, is designed specifically for disaster recovery scenarios. It enables replication of virtual machines, physical servers, and even on-premises workloads to a secondary Azure region or data center. ASR continuously replicates VM disks and configuration, maintaining near real-time copies of the workload in the target region. In the event of a regional outage or catastrophic failure, administrators can orchestrate a failover to the replicated environment, ensuring that business-critical workloads remain operational. Site Recovery also supports failback procedures, enabling workloads to return to the primary region once it becomes available. Unlike Azure Backup, ASR provides both replication and orchestration, making it a comprehensive solution for ensuring business continuity at a regional level.

Azure Availability Sets provide a different type of resilience within a single Azure region. They distribute virtual machines across multiple fault domains and update domains, which protects against hardware failures or maintenance events affecting a single rack or subset of infrastructure within a data center. Availability Sets improve uptime for workloads running within a single region but do not replicate workloads to another region. As a result, they cannot provide protection against a full regional outage or catastrophic disaster. While essential for high availability within a single data center, Availability Sets do not substitute for cross-region disaster recovery solutions.

Azure Load Balancer is another infrastructure service that ensures high availability for applications by distributing incoming traffic across multiple healthy VMs in a backend pool. Load Balancer monitors VM health and ensures that traffic is only directed to available instances, improving application resilience during localized VM failures. However, it does not replicate virtual machines, store backups, or provide disaster recovery orchestration. It functions at the traffic distribution level rather than at the data protection or cross-region replication level.

While Azure Backup, Availability Sets, and Load Balancer provide critical protections for data integrity, fault tolerance, and traffic management, they do not provide regional replication or automated failover capabilities. Azure Site Recovery is a service specifically designed for disaster recovery scenarios. It replicates VMs across regions, orchestrates failovers during regional outages, and ensures workloads remain operational in the event of catastrophic failures. For organizations that require cross-region redundancy and business continuity, Site Recovery is the appropriate choice, providing both replication and operational orchestration to maintain availability and minimize downtime.

Question 171

You want to enforce that VMs in a subscription use only approved operating system images. Which mechanism should you use?

A) VM Extensions
B) Custom Script Extension
C) Azure Policy – Image Whitelisting
D) Azure Monitor

Answer: C) Azure Policy – Image Whitelisting

Explanation:

In Azure, ensuring that virtual machines (VMs) are deployed using approved and secure operating system images is a key aspect of maintaining security, compliance, and operational consistency. Organizations often have policies that mandate the use of specific images—whether to meet internal security standards, comply with regulatory requirements, or ensure uniformity in configurations. Selecting the appropriate tool to enforce these image policies is critical because different Azure services provide different levels of control over VMs and their deployment.

VM Extensions are powerful tools designed to extend and customize the functionality of Azure virtual machines after they have been deployed. Extensions allow administrators to install software, configure settings, or run automation scripts directly on the VM. For instance, the Custom Script Extension can run PowerShell or shell scripts to perform post-deployment configuration tasks such as installing applications, applying security updates, or configuring system settings. While VM Extensions are highly effective for managing VM behavior and maintaining configuration consistency, they do not influence which OS images can be deployed in the first place. Extensions operate at the VM level after provisioning, so they cannot prevent the creation of virtual machines from unapproved or insecure images.

Similarly, the Custom Script Extension, while widely used for automating post-deployment tasks, cannot enforce image compliance. Its primary purpose is to execute scripts on a running VM to perform configuration or maintenance activities. Although this allows organizations to standardize configurations or apply security patches after deployment, it does not provide any mechanism to restrict which images users can select when creating new VMs. As a result, using the Custom Script Extension alone does not satisfy the requirement for image governance.

Azure Monitor, on the other hand, is focused on monitoring and observability. It collects telemetry, logs, and performance metrics from virtual machines and other Azure resources. Administrators can use Azure Monitor to gain insights into resource utilization, performance trends, and operational health. While Azure Monitor is an essential tool for maintaining operational visibility, it does not have the capability to enforce policies or restrict which VM images can be deployed. Monitoring alone cannot prevent non-compliant image usage or enforce organizational standards during provisioning.

Azure Policy, specifically with the Image Whitelisting feature, directly addresses the requirement for controlling which images can be used. Azure Policy is a governance tool that allows administrators to define and enforce rules across Azure resources. With Image Whitelisting, an organization can create a policy that specifies which images are approved for use when deploying VMs. If a user attempts to create a VM using an unapproved image, the deployment is automatically denied, ensuring that only compliant images are used. This capability helps maintain security, regulatory compliance, and operational consistency by preventing the introduction of unauthorized or insecure images into the environment. Azure Policy also provides auditing and compliance reporting, allowing administrators to track adherence to image standards across subscriptions.

While VM Extensions and the Custom Script Extension are valuable for post-deployment customization and configuration, and Azure Monitor provides visibility into performance and operations, none of these tools enforce image selection rules. Azure Policy with Image Whitelisting is the appropriate solution for ensuring that only approved operating system images are used during VM deployment. It enforces compliance at the point of provisioning, prevents unauthorized deployments, and supports audit and reporting requirements, making it the correct choice for governance and security of virtual machine images in Azure.
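As an added example (not part of the original question set), the following Azure PowerShell script creates a custom Azure Policy definition that denies VM creation unless the image comes from an approved marketplace publisher/offer or an approved gallery image ID, assigns it at subscription scope, and queries the non-compliant resources. The publisher/offer pairs and the gallery image ID are illustrative placeholders; the policy aliases used (Microsoft.Compute/imagePublisher, imageOffer, imageId) are the standard Azure Policy aliases for a VM's image reference.

```powershell
# Added example: Azure Policy image allow list (what the page calls Image Whitelisting).
# Approved publishers/offers and the gallery image ID are assumed placeholders.
$rule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
      {
        "not": {
          "anyOf": [
            {
              "allOf": [
                { "field": "Microsoft.Compute/imagePublisher", "equals": "Canonical" },
                { "field": "Microsoft.Compute/imageOffer", "equals": "0001-com-ubuntu-server-jammy" }
              ]
            },
            {
              "allOf": [
                { "field": "Microsoft.Compute/imagePublisher", "equals": "MicrosoftWindowsServer" },
                { "field": "Microsoft.Compute/imageOffer", "equals": "WindowsServer" }
              ]
            },
            { "field": "Microsoft.Compute/imageId", "in": "[parameters('approvedImageIds')]" }
          ]
        }
      }
    ]
  },
  "then": { "effect": "[parameters('effect')]" }
}
'@

$params = @'
{
  "approvedImageIds": {
    "type": "Array",
    "metadata": { "displayName": "Approved gallery image resource IDs" },
    "defaultValue": []
  },
  "effect": {
    "type": "String",
    "allowedValues": [ "Audit", "Deny" ],
    "defaultValue": "Deny"
  }
}
'@

$definition = New-AzPolicyDefinition -Name "vm-approved-images" `
    -DisplayName "VMs may only be created from approved OS images" `
    -Mode Indexed -Policy $rule -Parameter $params

# Placeholder gallery image ID: replace <sub-id> and the gallery path with real values.
$approved = @("/subscriptions/<sub-id>/resourceGroups/rg-images/providers/Microsoft.Compute/galleries/gal-corp/images/hardened-ubuntu")

$scope = "/subscriptions/$((Get-AzContext).Subscription.Id)"
New-AzPolicyAssignment -Name "vm-approved-images" -Scope $scope -PolicyDefinition $definition `
    -PolicyParameterObject @{ effect = "Deny"; approvedImageIds = $approved }

# Compliance check: VMs that already existed before the assignment are not deleted,
# but they are reported as NonCompliant so they can be rebuilt from an approved image.
Get-AzPolicyState -PolicyAssignmentName "vm-approved-images" -Filter "ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, ComplianceState
```

Rolling the assignment out with the effect set to Audit first shows which existing workloads would be blocked, before switching to Deny.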

Question 172

You need to ensure that only users from your organization can access an Azure App Service, blocking all external users. What should you use?

A) Azure AD Authentication
B) Network Security Group
C) Application Gateway
D) Azure Front Door

Answer: A) Azure AD Authentication

Explanation:

Azure AD Authentication integrates the App Service with Azure Active Directory, allowing only authenticated users from the organization to access the app. It enforces identity-based access control.

Network Security Groups filter traffic at the network level but cannot authenticate users to a web application.

Application Gateway manages HTTP/HTTPS traffic routing and can provide WAF capabilities, but it does not authenticate users against Azure AD by itself.

Azure Front Door provides global routing and acceleration but does not authenticate users for internal access control.

Azure AD Authentication is correct because it enforces user identity verification for access.

Question 173

You need to deploy a solution that automatically scales Azure App Service instances based on incoming request load. Which feature should you use?

A) Manual Scaling
B) Auto Scale Rules
C) Availability Set
D) Azure Monitor Alerts

Answer: B) Auto Scale Rules

Explanation:

Manual Scaling requires administrators to adjust instance counts manually, which does not respond dynamically to workload changes.

Auto Scale Rules allow the App Service to automatically add or remove instances based on metrics like CPU usage, HTTP queue length, or memory. This ensures the application can handle increased traffic without manual intervention.

An Availability Set distributes VMs across fault domains to ensure uptime but does not scale instances automatically.

Azure Monitor Alerts notify administrators when thresholds are reached but do not adjust the number of instances.

Auto Scale Rules are correct because they provide automated, dynamic scaling based on load.

Question 174

You need to ensure that Azure Storage account data is protected from accidental deletion. Which feature should you enable?

A) Storage Account Firewall
B) Soft Delete
C) Private Endpoint
D) Azure Policy

Answer: B) Soft Delete

Explanation:

Storage Account Firewall controls network access but does not protect against accidental deletion of blobs or containers.

Soft Delete preserves deleted blobs for a configurable retention period, allowing recovery if deletion was accidental. This ensures that data is recoverable even after accidental removal.

Private Endpoint provides private network access but does not protect data from deletion.

Azure Policy enforces compliance rules but does not automatically recover deleted blobs.

Soft Delete is correct because it protects against accidental deletion and allows restoration.
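As an added example (not part of the original question set), the following Azure PowerShell script enables blob and container soft delete with a 14-day retention, verifies the configured policy, recovers a soft-deleted blob, and adds a delete lock on the account itself, because soft delete does not protect against deletion of the whole storage account. The resource group, account, container and blob names are placeholder assumptions.

```powershell
# Added example: enable and verify soft delete, then recover a deleted blob.
# Names are assumed placeholders.
$rg = "rg-data"
$sa = "stdata001"

# Keep deleted blobs (and their snapshots) and deleted containers for 14 days.
Enable-AzStorageBlobDeleteRetentionPolicy      -ResourceGroupName $rg -StorageAccountName $sa -RetentionDays 14
Enable-AzStorageContainerDeleteRetentionPolicy -ResourceGroupName $rg -StorageAccountName $sa -RetentionDays 14

# Verify what is actually in effect rather than trusting the previous commands.
$props = Get-AzStorageBlobServiceProperty -ResourceGroupName $rg -StorageAccountName $sa
$props.DeleteRetentionPolicy            # Enabled / Days for blobs
$props.ContainerDeleteRetentionPolicy   # Enabled / Days for containers

# Recovery: list soft-deleted blobs in a container and undelete one of them.
$ctx     = (Get-AzStorageAccount -ResourceGroupName $rg -Name $sa).Context
$deleted = Get-AzStorageBlob -Container "reports" -Context $ctx -IncludeDeleted |
    Where-Object { $_.IsDeleted }
$deleted | Select-Object Name, IsDeleted, RemainingDaysBeforePermanentDelete

foreach ($b in ($deleted | Where-Object Name -eq "q3-summary.csv")) {
    $b.BlobBaseClient.Undelete() | Out-Null   # restores the blob and its snapshots
}

# Soft delete covers blobs and containers only; a CanNotDelete lock guards the
# account itself against an accidental delete of the whole resource.
New-AzResourceLock -LockName "no-delete" -LockLevel CanNotDelete -ResourceGroupName $rg `
    -ResourceName $sa -ResourceType "Microsoft.Storage/storageAccounts" -Force
```

Retention counts from the moment of deletion; once it expires the blob is permanently removed, so the retention period should be longer than the time it realistically takes to notice an accidental deletion.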

Question 175

You need to provide centralized monitoring for all Azure resources in a subscription, including logs, metrics, and alerts. Which service should you configure?

A) Azure Monitor
B) Log Analytics Workspace
C) Azure Security Center
D) Azure Advisor

Answer: A) Azure Monitor

Explanation:

In Azure, maintaining visibility into the performance, availability, and overall health of resources is critical for ensuring reliable operations and meeting organizational service-level objectives. Cloud environments are dynamic, with virtual machines, storage accounts, databases, and networking components continuously operating and scaling. To manage this complexity, organizations need a centralized monitoring solution that not only collects telemetry from all resources but also enables analysis, visualization, alerting, and automated response. Azure Monitor is the platform designed to meet these requirements, offering a comprehensive suite of monitoring and observability capabilities.

Azure Monitor acts as the central hub for collecting and analyzing metrics, logs, and telemetry from across all Azure resources. Metrics provide quantitative measurements such as CPU utilization, memory usage, disk I/O, and network throughput. Logs capture detailed operational information, including resource configuration changes, audit events, application activity, and diagnostic traces. By aggregating this data, Azure Monitor provides a holistic, centralized view of resource health and performance. Administrators and DevOps teams can use dashboards to visualize trends, identify bottlenecks, and detect anomalies. These dashboards can be customized to focus on specific resources, workloads, or business-critical applications, giving teams real-time insight into the environment’s operational state.

In addition to collection and visualization, Azure Monitor integrates seamlessly with alerts and automated actions. Alerts allow administrators to define thresholds or conditions for specific metrics or log events. For example, an alert can trigger when CPU usage on a virtual machine exceeds 80% for more than five minutes or when a particular error event is logged in an application. When alerts are triggered, Azure Monitor can notify stakeholders via email, SMS, or other communication channels, or even execute automated remediation tasks using Logic Apps, Azure Functions,
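As an added example (not part of the original question set), the following Azure PowerShell script creates the metric alert rule that the explanation uses as its illustration: it fires when a VM's average CPU exceeds 80% over a five-minute window, is evaluated every minute, and notifies an existing action group. The resource group, VM name and action group name are placeholder assumptions, and the action group is assumed to already exist.

```powershell
# Added example: Azure Monitor metric alert for "CPU above 80% for 5 minutes".
# Names are assumed placeholders; the action group "ag-ops" is assumed to exist.
$rg     = "rg-prod"
$vmName = "vm-app-01"
$vm     = Get-AzVM -ResourceGroupName $rg -Name $vmName

# Action group defines who is notified (e-mail, SMS, webhook, Logic App, Function ...).
$ag = Get-AzActionGroup -ResourceGroupName $rg -Name "ag-ops"

# Condition: average of the "Percentage CPU" metric greater than 80.
$condition = New-AzMetricAlertRuleV2Criteria -MetricName "Percentage CPU" `
    -MetricNamespace "Microsoft.Compute/virtualMachines" `
    -TimeAggregation Average -Operator GreaterThan -Threshold 80

# WindowSize is the aggregation window (5 minutes); Frequency is how often it is evaluated.
Add-AzMetricAlertRuleV2 -Name "$vmName-cpu-high" -ResourceGroupName $rg `
    -WindowSize 00:05:00 -Frequency 00:01:00 `
    -TargetResourceId $vm.Id -Condition $condition `
    -ActionGroupId $ag.Id -Severity 2 `
    -Description "Average CPU above 80% for 5 minutes on $vmName"

# Review: all metric alert rules in the group and whether they are enabled.
Get-AzMetricAlertRuleV2 -ResourceGroupName $rg | Select-Object Name, Severity, Enabled
```

For log-based conditions (a specific error event rather than a metric), the equivalent is a scheduled query rule against the Log Analytics workspace the VM sends its logs to; the action group can be reused unchanged.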

Question 176

You need to provide an Azure VM with secure access to a storage account without exposing the storage account publicly. Which feature should you use?

A) Shared Access Signature
B) Private Endpoint
C) Network Security Group
D) Azure Policy

Answer: B) Private Endpoint

Explanation:

In Azure, securing access to storage accounts is a critical requirement for organizations that handle sensitive or regulated data. While there are several tools and features that can help control access to storage resources, they serve different purposes, and not all of them guarantee that traffic remains private and isolated from the public internet. For scenarios where a virtual machine (VM) needs to access a storage account securely, without exposing the storage account to public endpoints, it is essential to choose a solution that provides dedicated, private connectivity. Azure Private Endpoint is the service designed to meet this requirement, and understanding why it is the correct choice requires a comparison with other available Azure options.

Shared Access Signatures (SAS) are one mechanism for granting delegated access to storage resources. With a SAS, administrators can provide temporary, scoped permissions to blobs, files, tables, or queues without sharing the primary storage account key. SAS tokens can restrict access by operations (read, write, list), time windows, and even IP address ranges. While SAS is highly useful for enabling fine-grained access to storage resources, it does not prevent the storage account from being exposed to the public internet. A SAS token still allows access over the public endpoint, meaning the data can travel across public networks if not further secured. Consequently, SAS alone does not fulfill the requirement for ensuring that all traffic between the VM and the storage account stays on a private network.

Azure Private Endpoint, on the other hand, addresses this requirement directly. A Private Endpoint is a network interface placed in a subnet of a virtual network (VNet); it receives a private IP address from that subnet and maps to the storage account. Traffic from the VM to that private IP travels over a direct, secure connection that stays within the Azure backbone network. By using Private Endpoints, the storage account is effectively isolated from the public internet, which greatly reduces exposure to potential threats such as data exfiltration, brute-force attacks, or interception during transit. Furthermore, Private Endpoints integrate with DNS so that requests to the storage account's hostname resolve to the private IP, ensuring seamless connectivity without requiring public access. This approach provides a robust security model while maintaining full functionality for accessing blobs, files, and other storage services.

Network Security Groups (NSGs) are another security tool that can control traffic at the subnet or network interface card (NIC) level. NSGs allow administrators to create rules that permit or deny traffic based on source and destination IPs, ports, and protocols. While NSGs can complement Private Endpoints by filtering traffic within the VNet, they do not provide a dedicated private path to a storage account. NSGs cannot replace private connectivity or ensure that traffic is completely isolated from the public internet, making them insufficient on their own for secure storage access.

Azure Policy enforces governance and compliance across resources, ensuring that configurations meet organizational standards. Policies can restrict certain resource types, enforce naming conventions, or require tagging. While valuable for compliance, Azure Policy does not provide secure connectivity between a VM and a storage account. It cannot guarantee that storage access will occur over a private network, nor can it prevent public exposure of endpoints.

While SAS provides controlled access, NSGs filter traffic, and Azure Policy enforces compliance, none of these options alone ensure private, isolated connectivity for a storage account. Azure Private Endpoint is the correct solution because it maps the storage account to a private IP within a VNet, keeping all traffic on the Azure backbone network and eliminating public exposure. It provides a secure, reliable, and fully integrated method for enabling private access to storage accounts from virtual machines.
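The private connectivity described in this explanation, as an added Azure PowerShell example (not code from the original page): it creates a Private Endpoint for the storage account's blob service, links the privatelink DNS zone to the VNet so the public hostname resolves to the private IP, and then sets the storage account's network default action to Deny so the public endpoint no longer accepts traffic. Resource group, VNet, subnet and storage account names are assumptions.

```powershell
# Added example (not from the original page): private access from a VNet to a storage
# account's blob service via Private Endpoint + private DNS, then closing the public path.
# All resource names below are assumptions.
$rg         = 'rg-storage'
$location   = 'eastus'
$vnetName   = 'vnet-app'
$subnetName = 'snet-pe'
$saName     = 'stprivatedemo001'   # assumed storage account name (must be globally unique)

$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$subnet = $vnet.Subnets | Where-Object Name -eq $subnetName
$sa     = Get-AzStorageAccount -ResourceGroupName $rg -Name $saName

# 1. Private endpoint targeting the blob sub-resource (GroupId) of the storage account.
$connection = New-AzPrivateLinkServiceConnection -Name "plsc-$saName-blob" `
    -PrivateLinkServiceId $sa.Id -GroupId 'blob'
$pe = New-AzPrivateEndpoint -ResourceGroupName $rg -Name "pe-$saName-blob" `
    -Location $location -Subnet $subnet -PrivateLinkServiceConnection $connection

# 2. Private DNS zone for blob privatelink, linked to the VNet, plus a zone group on the
#    endpoint so Azure maintains the A record. Without this step the VM still resolves
#    the public IP and its traffic never uses the private path.
$zoneName = 'privatelink.blob.core.windows.net'
$zone = New-AzPrivateDnsZone -ResourceGroupName $rg -Name $zoneName
New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $zoneName `
    -Name "link-$vnetName" -VirtualNetworkId $vnet.Id | Out-Null
$zoneConfig = New-AzPrivateDnsZoneConfig -Name 'blob' -PrivateDnsZoneId $zone.ResourceId
New-AzPrivateDnsZoneGroup -ResourceGroupName $rg -PrivateEndpointName $pe.Name `
    -Name 'default' -PrivateDnsZoneConfig $zoneConfig | Out-Null

# 3. Deny traffic arriving at the public endpoint; private endpoint traffic is unaffected
#    because it does not pass through the storage firewall's public rules.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $saName -DefaultAction Deny

# Check, run from the VM: the hostname should resolve to an address inside $subnetName.
# Resolve-DnsName "$saName.blob.core.windows.net"
```

The DNS step is the one most often skipped and the one that matters for security: a private endpoint that exists but is not resolved to by the VM gives no isolation, since the client keeps talking to the public IP. Checking the resolved address from inside the VNet is the practical test that the private path is actually in use.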

Question 177

You need to prevent accidental deletion of an Azure subscription. Which feature should you use?

A) Resource Lock – CanNotDelete
B) Soft Delete
C) Azure Policy
D) Azure Backup

Answer: A) Resource Lock – CanNotDelete

Explanation:

In Azure, protecting critical resources and subscriptions from accidental or unauthorized deletion is a key aspect of cloud governance and operational security. Organizations often have resources that are essential to business continuity, and deleting them inadvertently can result in significant downtime, data loss, or compliance violations. Azure provides several mechanisms to safeguard resources and data, but each serves a distinct purpose, and selecting the appropriate method depends on the level of protection required. Among these mechanisms, the Resource Lock – CanNotDelete feature is specifically designed to prevent accidental deletion of critical resources, including entire subscriptions, while still allowing controlled, intentional removal when necessary.

A Resource Lock is a governance feature in Azure that can be applied at multiple scopes: individual resources, resource groups, or even subscriptions. There are two primary lock types: CanNotDelete and ReadOnly. The CanNotDelete lock is particularly useful for preventing accidental deletion. When applied, this lock ensures that resources or subscriptions cannot be deleted through the Azure portal, CLI, or APIs unless the lock is explicitly removed first. This means that even users with the necessary permissions to delete resources cannot do so inadvertently. By implementing CanNotDelete locks on critical subscriptions, administrators can safeguard the entire subscription environment, ensuring that key workloads, infrastructure, and associated resources remain intact until deliberate action is taken to remove the lock and delete the resources.

Soft Delete, while another protective feature, functions at the data level rather than the resource or subscription level. It is commonly applied to storage accounts, blobs, or databases, allowing administrators to recover accidentally deleted data within a retention period. Soft Delete is highly valuable for data protection, ensuring that deleted files or databases can be restored without relying on backups. However, Soft Delete does not prevent the deletion of an entire resource, resource group, or subscription. If a subscription were deleted, Soft Delete would not stop the removal of the resources or the subscription itself.

Azure Policy is another tool often considered for governance. Policies enforce configuration compliance by restricting which resources can be created, which locations they can reside in, or ensuring required tags and naming conventions. While Azure Policy is highly effective for ensuring organizational compliance and standardization, it does not prevent the deletion of a subscription or even individual resources directly. Policies focus on controlling the configuration and deployment behavior of resources rather than providing safeguards against deletion.

Azure Backup is designed to protect data by capturing point-in-time snapshots or recovery points of resources such as virtual machines, databases, or file shares. Backup ensures that, in the event of data corruption or accidental deletion, administrators can restore the resource to a previous state. However, Azure Backup does not prevent the deletion of resources themselves. A VM or subscription could still be deleted even if its data is backed up, and restoring the resource would require additional configuration.

While Soft Delete, Azure Policy, and Azure Backup provide valuable capabilities for protecting data, enforcing governance, and enabling recovery, none of these mechanisms prevent accidental or unauthorized deletion of entire subscriptions or critical resources. Resource Lock – CanNotDelete is the correct and most appropriate solution for safeguarding critical resources at the subscription, resource group, or resource level. It ensures that accidental deletion cannot occur, while still allowing intentional removal when the lock is deliberately removed, providing a balance of protection and operational flexibility. Implementing CanNotDelete locks is a best practice for organizations seeking to protect their most critical Azure resources and maintain operational continuity.
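The subscription-scope lock described above, as an added Azure PowerShell example (not code from the original page): it applies a CanNotDelete lock to the current subscription, lists the locks in effect, shows that a delete under the locked scope is refused, and leaves the deliberate two-step removal as a commented command. The resource group name used in the failing delete is a placeholder.

```powershell
# Added example (not from the original page): CanNotDelete lock at subscription scope.
# The subscription id comes from the signed-in context; 'rg-placeholder' is a placeholder.
$subId = (Get-AzContext).Subscription.Id
$scope = "/subscriptions/$subId"

# Lock the whole subscription. CanNotDelete still allows resources to be modified;
# a ReadOnly lock would also block changes.
New-AzResourceLock -LockName 'lock-nodelete-sub' -LockLevel CanNotDelete `
    -Scope $scope -LockNotes 'Prevents accidental deletion; remove the lock deliberately first.' -Force

# Check: locks in effect at subscription scope (inherited by every resource group and resource).
Get-AzResourceLock -Scope $scope | Select-Object Name, Properties

# Any delete under the locked scope is now refused by Azure Resource Manager (error code
# ScopeLocked) regardless of the caller's RBAC permissions.
try {
    Remove-AzResourceGroup -Name 'rg-placeholder' -Force -ErrorAction Stop
} catch {
    Write-Warning "Delete refused: $($_.Exception.Message)"
}

# Intentional removal is a two-step, auditable action: remove the lock, then delete.
# Remove-AzResourceLock -LockName 'lock-nodelete-sub' -Scope $scope -Force
```

Because lock removal is a separate write operation (Microsoft.Authorization/locks/delete), it appears in the Activity Log as its own event, which gives a clear audit trail of who unlocked what before a deletion took place.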

Question 178

You need to ensure that all Azure resources in a subscription include a specific tag for billing purposes. Which service should you use?

A) Azure Policy
B) Resource Locks
C) Azure Monitor
D) Management Groups

Answer: A) Azure Policy

Explanation:

Azure Policy can enforce tagging rules at creation time, ensuring every resource includes required tags. It can audit existing resources and automatically remediate non-compliant ones, ensuring consistent metadata for billing or organizational purposes.

Resource Locks prevent deletion or modification of resources but do not enforce tagging rules.

Azure Monitor collects metrics and logs but does not enforce resource tags.

Management Groups organize subscriptions for governance, but they do not enforce tags by themselves; they only allow scoping of policies.

Azure Policy is correct because it provides automatic enforcement of tags across all resources in the subscription.
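The tag enforcement described above, as an added Azure PowerShell example (not code from the original page): it defines a custom policy whose rule denies any request that creates a taggable resource without the required tag, assigns it at subscription scope with the tag name as a parameter, and queries the compliance state of resources that already lack the tag. The tag name CostCenter is an assumption.

```powershell
# Added example (not from the original page): deny creation of resources missing a
# required billing tag, assigned at subscription scope. The tag name is an assumption.
$subId   = (Get-AzContext).Subscription.Id
$scope   = "/subscriptions/$subId"
$tagName = 'CostCenter'   # assumed required tag

# Policy rule: if the tag field does not exist on the incoming resource, deny the request.
$rule = @'
{
  "if": {
    "field": "[concat('tags[', parameters('tagName'), ']')]",
    "exists": "false"
  },
  "then": { "effect": "deny" }
}
'@

$params = @'
{
  "tagName": {
    "type": "String",
    "metadata": { "displayName": "Tag name", "description": "Tag that every resource must carry" }
  }
}
'@

# Mode Indexed evaluates only resource types that support tags and location, so
# resources that cannot carry tags are not wrongly denied.
$definition = New-AzPolicyDefinition -Name 'require-billing-tag' `
    -DisplayName "Require tag '$tagName' on resources" `
    -Policy $rule -Parameter $params -Mode Indexed

New-AzPolicyAssignment -Name 'require-billing-tag' -Scope $scope `
    -PolicyDefinition $definition -PolicyParameterObject @{ tagName = $tagName }

# Check: existing resources that do not carry the tag. Compliance data is refreshed
# periodically, so a fresh assignment may take a while to report.
Get-AzPolicyState -Filter "ComplianceState eq 'NonCompliant' and PolicyDefinitionName eq 'require-billing-tag'" |
    Select-Object ResourceId, ComplianceState
```

A deny effect only stops new non-compliant deployments; resources created before the assignment are reported as non-compliant rather than changed. Remediating those automatically, as the explanation mentions, needs a policy with the modify effect and an assignment that has a managed identity permitted to write tags.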

Question 179

You need to provide just-in-time access to VMs for administrators to reduce attack exposure. Which service should you configure?

A) Azure Bastion
B) Azure AD Privileged Identity Management
C) Just-In-Time VM Access in Azure Security Center
D) Network Security Group

Answer: C) Just-In-Time VM Access in Azure Security Center

Explanation:

Azure Bastion allows secure RDP/SSH access through the portal but does not provide time-limited access controls.

Azure AD Privileged Identity Management manages Azure role assignments, not VM-level access.

Just-In-Time VM Access in Security Center restricts inbound traffic to VMs, granting temporary access for a defined time window. This reduces exposure to attacks while allowing necessary administrative access.

Network Security Groups can control inbound/outbound traffic but cannot enforce time-limited or request-based access.

Just-In-Time VM Access is correct because it provides temporary, controlled access to VMs.
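The request-based, time-limited access described above, as an added Azure PowerShell example (not code from the original page): it enables a Just-In-Time policy (Security Center, now Microsoft Defender for Cloud) on one VM so RDP stays closed until an access request opens it for at most three hours from one administrator address, then submits a two-hour request. Resource names and the administrator address are placeholders.

```powershell
# Added example (not from the original page): JIT policy for RDP on one VM plus an access
# request. Resource names and the admin source address (TEST-NET-3) are placeholders.
$rg       = 'rg-app'
$location = 'eastus'
$vmName   = 'vm-jump01'
$adminIp  = '203.0.113.10'

$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName

# 1. JIT policy: port 3389 may be opened on request, for at most 3 hours (ISO 8601 PT3H),
#    and only from the administrator's /32. Until a request is approved the NSG denies it.
$jitVm = @{
    id    = $vm.Id
    ports = @(
        @{
            number                     = 3389
            protocol                   = '*'
            allowedSourceAddressPrefix = @("$adminIp/32")
            maxRequestAccessDuration   = 'PT3H'
        }
    )
}
Set-AzJitNetworkAccessPolicy -Kind 'Basic' -Location $location -Name 'default' `
    -ResourceGroupName $rg -VirtualMachine @($jitVm)

# 2. Access request: a temporary NSG allow rule is added and removed again at endTimeUtc.
$policyId = "/subscriptions/$((Get-AzContext).Subscription.Id)/resourceGroups/$rg" +
            "/providers/Microsoft.Security/locations/$location/jitNetworkAccessPolicies/default"
$request = @{
    id    = $vm.Id
    ports = @(
        @{
            number                     = 3389
            endTimeUtc                 = (Get-Date).ToUniversalTime().AddHours(2).ToString('o')
            allowedSourceAddressPrefix = @("$adminIp/32")
        }
    )
}
Start-AzJitNetworkAccessPolicy -ResourceId $policyId -VirtualMachine @($request)

# Check: the policy, its ports and the currently granted request windows.
Get-AzJitNetworkAccessPolicy -ResourceGroupName $rg -Location $location -Name 'default' |
    Select-Object -ExpandProperty VirtualMachines
```

Two settings do the security work here: maxRequestAccessDuration caps how long any approved window can last, and allowedSourceAddressPrefix restricted to a /32 means that even during the window the port is reachable from one address rather than from the internet. Each request is also recorded in the Activity Log, so access to the VM becomes an auditable event rather than a standing rule.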

Question 180

You need to monitor and diagnose application performance issues across multiple Azure App Services. Which service should you use?

A) Azure Monitor
B) Azure Application Insights
C) Azure Log Analytics
D) Azure Advisor

Answer: B) Azure Application Insights

Explanation:

Azure Monitor collects metrics and logs for resources but is not specialized for deep application-level performance diagnostics.

Azure Application Insights provides telemetry for applications, including request rates, response times, dependency tracking, and exceptions. It allows detailed analysis to identify performance bottlenecks.

Azure Log Analytics can query logs but requires data ingestion; it is not focused specifically on application performance.

Azure Advisor provides optimization recommendations but does not actively monitor application runtime performance.

Application Insights is correct because it provides detailed, end-to-end monitoring of application health and performance.
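Connecting several App Services to one Application Insights resource, as an added Azure PowerShell example (not code from the original page): it creates a workspace-based Application Insights component, points each app at it through the connection-string app setting, and runs a Kusto query over the shared workspace to compare failed requests per app. Resource group, workspace, component and App Service names are assumptions.

```powershell
# Added example (not from the original page): one Application Insights component shared by
# several App Services, then a request-failure query across them. Names are assumptions.
$rg        = 'rg-web'
$location  = 'eastus'
$workspace = 'law-web'
$aiName    = 'appi-web'
$apps      = @('app-web-frontend', 'app-web-api', 'app-web-worker')   # assumed App Service names

$law = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $workspace

# Workspace-based component; Kind web suits App Service workloads.
$ai = New-AzApplicationInsights -ResourceGroupName $rg -Name $aiName -Location $location `
    -Kind web -WorkspaceResourceId $law.ResourceId

foreach ($app in $apps) {
    # Set-AzWebApp -AppSettings replaces the whole collection, so merge with what is there.
    $current = @{}
    (Get-AzWebApp -ResourceGroupName $rg -Name $app).SiteConfig.AppSettings |
        ForEach-Object { $current[$_.Name] = $_.Value }
    $current['APPLICATIONINSIGHTS_CONNECTION_STRING'] = $ai.ConnectionString
    # Codeless agent on Windows App Service (use ~3 for Linux).
    $current['ApplicationInsightsAgent_EXTENSION_VERSION'] = '~2'
    Set-AzWebApp -ResourceGroupName $rg -Name $app -AppSettings $current | Out-Null
}

# Check: failed vs total requests per app over the last hour. Telemetry from every app lands
# in the AppRequests table of the workspace, split by AppRoleName.
$kql = @'
AppRequests
| where TimeGenerated > ago(1h)
| summarize failed = countif(Success == false), total = count() by AppRoleName
| order by failed desc
'@
(Invoke-AzOperationalInsightsQuery -WorkspaceId $law.CustomerId -Query $kql).Results
```

Sharing one component across the apps is what makes cross-service diagnosis possible: dependency calls from the frontend to the API are correlated by operation id, so a slow or failing request can be followed end to end rather than investigated one service at a time.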