Microsoft AZ-104 Microsoft Azure Administrator Exam Dumps and Practice Test Questions Set 13 Q181-195


Question 181

You are managing several Azure virtual machines that frequently require manual restarts after updates. You need to enable an automated method that restarts the VMs on a scheduled basis without logging into each machine. What should you use?

A) Azure Automation Runbook
B) Azure Monitor Alerts
C) Azure Policy
D) Azure Traffic Manager

Answer: A) Azure Automation Runbook

Explanation

Azure Automation Runbook provides a powerful method to automate recurring administrative tasks such as restarting virtual machines, applying updates, or performing maintenance activities. It can be scheduled, triggered by events, or run manually. It integrates deeply with Azure resources and allows you to write scripts in PowerShell or Python that execute actions at scale. This makes it ideal when consistent and repeatable administrative tasks are required.

Azure Monitor Alerts are used for detecting conditions such as performance thresholds, resource unavailability, or other operational anomalies. These alerts can trigger actions such as notifications or invoking an automated task, but they are not built for directly scheduling recurring restarts. Their purpose is event-driven rather than schedule-driven.

Azure Policy is intended for governance, compliance, and enforcing resource configurations across an environment. It ensures resources stay compliant with organizational standards such as allowed VM sizes, required tagging, or network restrictions. It cannot perform direct operational tasks like restarting virtual machines. Its focus is enforcement rather than task automation.

Azure Traffic Manager is a DNS-based load-balancing service that distributes traffic across global endpoints. It improves responsiveness and availability by directing users to the best-performing endpoint. It has nothing to do with virtual machine administrative automation and cannot restart VMs or schedule maintenance operations.

Considering these capabilities, the only listed service that directly enables scheduled automation such as restarting VMs at regular intervals is an Azure Automation runbook. Runbooks were designed for repetitive operational processes with minimal human intervention: they support schedules and webhook triggers, authenticate to Azure with the Automation account's managed identity (the older Run As accounts have been retired), keep credentials and variables as encrypted assets rather than in script text, and can run on Hybrid Runbook Workers for on-premises tasks. The identity the runbook runs as still needs an RBAC role that permits the operation, so grant it the narrowest role that includes Microsoft.Compute/virtualMachines/restart/action on the VMs in scope rather than a broad Contributor assignment. Therefore, Azure Automation Runbook is the correct choice for automating scheduled VM restarts.
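As an added worked example (not code from the original page), the runbook below restarts every running VM that carries a chosen tag, authenticating as the Automation account's system-assigned managed identity, followed by the commands that publish it and bind it to a weekly schedule. The resource group, Automation account, runbook name and the maintenance=weekly tag are placeholder assumptions.

```powershell
# Added example, not from the page. Placeholders: rg-ops, aa-ops, Restart-TaggedVms,
# and the tag maintenance=weekly.

# ---- Runbook body: Restart-TaggedVms.ps1 (PowerShell 7 runtime) -----------
param(
    [string]$TagName  = 'maintenance',
    [string]$TagValue = 'weekly'
)

# Authenticate as the Automation account's system-assigned managed identity.
# No stored credential or certificate is involved; the identity needs a role
# that includes Microsoft.Compute/virtualMachines/restart/action on the targets.
Disable-AzContextAutosave -Scope Process | Out-Null
Connect-AzAccount -Identity | Out-Null

# Get-AzVM -Status populates PowerState so already-stopped VMs are skipped.
$targets = Get-AzVM -Status | Where-Object {
    $_.Tags[$TagName] -eq $TagValue -and $_.PowerState -eq 'VM running'
}

foreach ($vm in $targets) {
    Write-Output "Restarting $($vm.Name) in $($vm.ResourceGroupName)"
    # -NoWait returns immediately; remove it to restart the VMs one at a time.
    Restart-AzVM -ResourceGroupName $vm.ResourceGroupName -Name $vm.Name -NoWait
}
Write-Output "Requested restart of $($targets.Count) VM(s)"

# ---- One-time setup, run once from an admin workstation ---------------------
# $rg = 'rg-ops'; $aa = 'aa-ops'
# Import-AzAutomationRunbook -ResourceGroupName $rg -AutomationAccountName $aa `
#     -Path .\Restart-TaggedVms.ps1 -Name Restart-TaggedVms -Type PowerShell -Published
# New-AzAutomationSchedule -ResourceGroupName $rg -AutomationAccountName $aa `
#     -Name Weekly-Sun-0300 -StartTime (Get-Date '03:00').AddDays(1) `
#     -WeekInterval 1 -DaysOfWeek Sunday -TimeZone 'UTC'
# Register-AzAutomationScheduledRunbook -ResourceGroupName $rg -AutomationAccountName $aa `
#     -RunbookName Restart-TaggedVms -ScheduleName Weekly-Sun-0300
```

Filtering on a tag rather than hard-coding VM names keeps the runbook's blast radius visible in the resource inventory: only VMs someone deliberately tagged get restarted, and the job output records exactly which ones.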

Question 182

You need to store large amounts of semi-structured data such as JSON documents and require horizontal scalability with a fully managed NoSQL solution. Which Azure service should you choose?

A) Azure SQL Database
B) Azure Cosmos DB
C) Azure Database for PostgreSQL
D) Azure Files

Answer: B) Azure Cosmos DB

Explanation

Azure Cosmos DB is a fully managed NoSQL database service that supports multiple APIs such as SQL, MongoDB, Cassandra, Table, and Gremlin, making it ideal for semi-structured data including JSON documents. It provides global distribution, elastic scalability of throughput and storage, low-latency access, and various consistency models. It is specifically engineered for large-scale NoSQL workloads, making it the ideal solution for storing JSON-based data.

Azure SQL Database is a relational database service designed for structured data stored in tables with a predefined schema. It does have built-in JSON functions (JSON_VALUE, OPENJSON, FOR JSON), so JSON can be kept in NVARCHAR columns and queried, but the documents remain rows in a relational engine that scales up rather than out across partitions. Its strengths lie in relational data modeling and transactional consistency, not in elastic, horizontally scaled document workloads.

Azure Database for PostgreSQL is another relational database service based on the PostgreSQL engine. Although PostgreSQL supports JSON fields, it is still fundamentally relational and does not offer the automatic partitioning, global distribution, or elastic scalability required for large-scale document workloads. It focuses on relational consistency rather than high-velocity NoSQL document operations.

Azure Files provides fully managed SMB and NFS file shares. It is designed for lift-and-shift workloads, shared application files, and storage that needs to be accessed like a traditional file system. It is not suitable for querying JSON or managing NoSQL data structures, and it cannot provide low-latency document-based operations.

Between these services, Azure Cosmos DB stands out as the only purpose-built NoSQL solution capable of handling large volumes of semi-structured JSON data with horizontal scalability, multi-region replication, and high performance. It aligns perfectly with NoSQL document workloads, making it the correct choice.

Question 183

You need to provide secure remote access to virtual machines without exposing any public IP addresses. Which Azure feature should you implement?

A) Azure Firewall
B) Azure Bastion
C) Azure Load Balancer
D) Azure Application Gateway

Answer: B) Azure Bastion

Explanation

Azure Bastion offers browser-based RDP and SSH access to virtual machines from the Azure portal over TLS on port 443, without requiring a public IP address on the VMs. The Bastion host is deployed into a dedicated AzureBastionSubnet in the virtual network and carries the only public IP; the VMs are reached over their private addresses, so their network security groups can drop inbound 3389 and 22 from the internet entirely. This reduces the attack surface by eliminating direct exposure while still enabling administrative access, and the Standard SKU additionally supports tunnelling a native RDP or SSH client through Bastion.

Azure Firewall is a cloud-native security service that filters network traffic based on rules. It protects workloads and enforces outbound and inbound policies but does not provide remote login capabilities. It cannot offer RDP or SSH access to VMs and therefore cannot serve as a replacement for secure remote access requirements.

Azure Load Balancer distributes network traffic among virtual machines or instances. It supports inbound and outbound NAT rules but requires public IPs when used for public-facing access. It does not provide interactive console access like RDP or SSH, nor does it protect VMs by removing the need for public IP addresses.

Azure Application Gateway is a layer 7 web traffic load balancer used for routing and protecting HTTP/HTTPS applications. It supports features such as SSL termination, Web Application Firewall, and URL routing. However, it is strictly for web traffic and cannot be used for remote access to virtual machines using RDP or SSH.

Because Azure Bastion eliminates public IP exposure while enabling secure browser-based RDP/SSH access, it is the only solution specifically designed for secure VM access without opening ports to the internet. Thus, Azure Bastion is the correct choice.

Question 184

You must allow a virtual machine to access a storage account privately over the Azure backbone network without exposing the storage account to the internet. What should you configure?

A) Service Endpoint
B) Public Endpoint
C) CDN Profile
D) Azure DNS Zone

Answer: A) Service Endpoint

Explanation

Service Endpoints extend the identity of a virtual network subnet to supported Azure platform services such as Azure Storage, Azure SQL Database and Cosmos DB. When the Microsoft.Storage endpoint is enabled on a subnet, traffic from that subnet to Azure Storage is routed over the Microsoft backbone instead of the public internet, and it arrives at the service tagged with the source virtual network and subnet. The storage account keeps its public IP address and DNS name; what changes is that the account's network rules can now recognize the subnet. The endpoint by itself restricts nothing. You must also add the subnet to the storage account's firewall as a virtual network rule and set the default action to Deny, at which point the account rejects every request that does not come from an allowed subnet, IP range or trusted Azure service. The subnet and the storage account must be in the same region or its paired region. This gives a higher level of isolation without NAT configurations or additional gateways, and with lower latency than a path through the internet.

On the other hand, a Public Endpoint works very differently. A public endpoint exposes a resource—such as a storage account—to the internet by assigning it a publicly routable IP address. While public endpoints are useful for scenarios that require global, internet-based access, they completely contradict the requirement of keeping a storage account private. With a public endpoint enabled, anyone on the internet could potentially reach the endpoint unless further restrictions like firewalls or SAS tokens are applied. This undermines the goal of restricting access strictly to internal Azure resources or a specific virtual network. Therefore, using a public endpoint is unsuitable when the requirement is to ensure that the service is not exposed to the public internet under any circumstances.

A CDN Profile (Content Delivery Network) also fails to meet the connectivity and security requirements of the scenario. CDNs are used for accelerating the delivery of publicly accessible web content by caching it at global edge locations. They improve performance for end users accessing large files, static assets, or streaming content. However, CDNs always operate over the public internet and are designed for public consumption. They do not establish secure, private network connections between virtual networks and storage accounts. They also do not limit exposure; in fact, they increase public accessibility. Therefore, a CDN Profile is completely unrelated to creating a private, restricted route for a VM to connect to Azure Storage.

Similarly, an Azure DNS Zone plays no role in securing private connectivity. Azure DNS provides hosting for domain names and allows administrators to create and manage DNS records. However, DNS functions only as a naming and resolution service. It cannot enforce private routing, restrict network access, or influence how traffic is transported between resources. Even with DNS properly configured, the VM would still require a secure network path—something DNS alone cannot provide.

Considering all these factors, the option that satisfies the requirement of letting a virtual machine inside a virtual network reach an Azure Storage account without exposing the account to the public internet is a Service Endpoint on the VM's subnet, combined with the storage account's network rules (a virtual network rule for that subnet and a default action of Deny). A private endpoint, which gives the account a private IP inside the virtual network, would also meet the requirement but is not among the choices. Service Endpoints offer backbone connectivity, subnet-scoped access control and simple integration with Azure services, making them the correct choice for this scenario.
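As an added worked example (not code from the original page), the following commands enable the storage service endpoint on a subnet and then lock the storage account down so that only that subnet is admitted. The resource group, virtual network, subnet and storage account names are placeholder assumptions; the final query shows what a correctly locked account looks like.

```powershell
# Added example, not from the page. Placeholders: rg-app, vnet-app, snet-app, stapp001.
$rg = 'rg-app'; $vnetName = 'vnet-app'; $subnetName = 'snet-app'; $sa = 'stapp001'

# 1. Turn on the Microsoft.Storage service endpoint on the VM's subnet.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
    -AddressPrefix $subnet.AddressPrefix -ServiceEndpoint 'Microsoft.Storage' | Out-Null
$vnet   = $vnet | Set-AzVirtualNetwork
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName

# 2. The endpoint alone changes nothing on the storage side: allow the subnet...
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $sa `
    -VirtualNetworkResourceId $subnet.Id | Out-Null

# 3. ...and flip the default action to Deny. Without this step the account is
#    still reachable from the whole internet. Bypass keeps Azure platform
#    services (e.g. Backup, Monitor) working without opening public access.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $sa `
    -DefaultAction Deny -Bypass AzureServices | Out-Null

# 4. Verify: DefaultAction must read Deny and only the intended subnet is listed.
$rules = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $sa
$rules | Select-Object DefaultAction, Bypass,
    @{ n = 'AllowedSubnets'; e = { $_.VirtualNetworkRules.VirtualNetworkResourceId } },
    @{ n = 'AllowedIpRanges'; e = { $_.IpRules.IPAddressOrRange } }
```

Run the verification step after any change to the account: a storage account with the endpoint configured on the subnet but DefaultAction still set to Allow is the most common way this control ends up silently ineffective.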

Question 185

You need to ensure that a virtual machine automatically starts when the underlying host undergoes maintenance. What should you enable?

A) Automatic VM Guest Patching
B) VM Auto-Start
C) Availability Zones
D) Azure Backup

Answer: B) VM Auto-Start

Explanation

VM Auto-Start allows virtual machines to automatically power on after maintenance events or host restarts. This ensures that workloads become available again without manual intervention following platform-initiated shutdowns.

Automatic VM Guest Patching handles operating system updates inside the virtual machine. It ensures OS patches are applied automatically but has no role in restarting the VM after host maintenance. It deals with patch lifecycle, not power state recovery.

Availability Zones are physically separate locations within a single Azure region, each with independent power, cooling and networking. Spreading resources across zones protects against datacenter-level failures, but zones do not control VM startup behavior after maintenance. They address redundancy rather than startup automation.

Azure Backup creates restore points of your workloads, enabling recovery from accidental deletion, corruption, or ransomware. It does not control the runtime behavior of VMs or their startup after maintenance events. Its purpose is long-term data recovery, not power state management.

Since the requirement is specifically to ensure the VM automatically starts after host maintenance, VM Auto-Start is the only feature that fulfills this requirement.

Question 186

You are asked to deploy a solution that provides distributed denial-of-service protection automatically for all public IPs in your subscription at no additional cost. Which service accomplishes this?

A) Azure DDoS Protection Standard
B) Azure DDoS Protection Basic
C) Azure Front Door
D) Azure Security Center

Answer: B) Azure DDoS Protection Basic

Explanation

Azure DDoS Protection Basic (now referred to as DDoS infrastructure protection) is automatically enabled for all Azure public IP addresses at no additional cost. It provides always-on monitoring and mitigation of common volumetric network-layer attacks at the scale of the Azure platform. It is included by default, requires no configuration, and exposes no telemetry or tuning to the customer.

Azure DDoS Protection Standard (now sold as DDoS Network Protection, with a per-IP variant called DDoS IP Protection) offers adaptive tuning to your traffic profile, attack telemetry and alerts in Azure Monitor, mitigation reports, rapid-response support and cost protection for scale-out incurred during an attack. However, it is a paid SKU that must be explicitly enabled on a virtual network or public IP, so it does not satisfy the requirement of no additional cost.

Azure Front Door is a global application delivery and acceleration platform that provides layer 7 load balancing, WAF integration, and edge caching. While it can mitigate certain attack vectors, it is not the built-in free DDoS protection for public IPs and operates at the application layer rather than the network layer.

Azure Security Center (now Microsoft Defender for Cloud) provides security posture management across Azure workloads. It offers recommendations, threat detection and compliance insights, and it may recommend enabling DDoS protection, but it does not itself provide network-layer DDoS mitigation.

Therefore, Azure DDoS Protection Basic is the correct answer because it is free, automatic, and protects all public IPs by default.

Question 187

You need to assign Azure AD roles to a temporary contractor for only two weeks, after which access should automatically expire. Which feature should you use?

A) Azure AD Privileged Identity Management
B) Azure Monitor
C) Azure Policy
D) Azure Advisor

Answer: A) Azure AD Privileged Identity Management

Explanation

Azure AD Privileged Identity Management (PIM) provides time-bound role assignments with automatic expiration. It allows just-in-time elevation, approval workflows, access reviews and auditing, and it requires an Azure AD Premium P2 (Microsoft Entra ID P2) license. For a contractor, the assignment can be made eligible (the user activates the role for a few hours at a time, optionally behind approval and MFA) or active with an explicit end date; in either case PIM removes the assignment when the end date passes and records the removal in the audit log, so nobody has to remember to revoke it.

Azure Monitor collects logs and metrics to help monitor performance and detect issues. It has no capability to assign or manage Azure AD roles. It is solely for observability, not access control or identity governance.

Azure Policy enforces compliance and resource configuration rules. It is used for governance, resource standards, and security validation. It cannot manage user roles, assign permissions, or enforce time-bound access. It operates at the resource governance level rather than identity governance.

Azure Advisor provides recommendations for best practices across cost, performance, reliability, and operational excellence. It does not deal with identity management or role expiration scheduling. It simply analyzes existing resources and provides suggestions.

Given the requirement for temporary role assignment with automatic expiration, Azure AD Privileged Identity Management is the only feature designed specifically for this purpose.
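As an added worked example (not code from the original page), the script below creates a PIM assignment that expires after exactly 14 days using the Microsoft Graph PowerShell SDK, then reads back the assignment to confirm the end date was recorded. The contractor's UPN, the role name, the justification text and the tenant-wide scope are placeholder assumptions; the caller needs the Privileged Role Administrator role.

```powershell
# Added example, not from the page. Placeholders: the contractor UPN, the role name,
# and the justification text. Requires the Microsoft.Graph modules and Entra ID P2.
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory' | Out-Null

$contractor = Get-MgUser -UserId 'contractor@contoso.example'
$role = Get-MgRoleManagementDirectoryRoleDefinition -All |
        Where-Object DisplayName -eq 'Helpdesk Administrator'

$request = @{
    Action           = 'adminAssign'   # active assignment; use 'adminAssign' on the
                                       # ...EligibilityScheduleRequest cmdlet for eligible
    Justification    = 'Contractor onboarding, change ticket placeholder'
    RoleDefinitionId = $role.Id
    DirectoryScopeId = '/'             # tenant-wide; prefer an administrative unit if possible
    PrincipalId      = $contractor.Id
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{
            Type     = 'AfterDuration'
            Duration = 'P14D'          # ISO 8601 duration: 14 days, then PIM removes it
        }
    }
}

$result = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $request
$result | Select-Object Id, Status, Action

# Verify that the live assignment really carries an end date; a permanent
# assignment would show an empty EndsAt here.
Get-MgRoleManagementDirectoryRoleAssignmentSchedule -Filter "principalId eq '$($contractor.Id)'" |
    Select-Object RoleDefinitionId, AssignmentType,
        @{ n = 'EndsAt'; e = { $_.ScheduleInfo.Expiration.EndDateTime } }
```

A plain New-AzRoleAssignment or a direct role assignment in the Azure AD portal has no expiration field; that difference, not the role itself, is why PIM is the answer here.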

Question 188

You need to ensure that an Azure virtual machine receives a predictable private IP address that never changes, even if the VM is stopped or redeployed. What should you configure?

A) Dynamic Private IP
B) Static Private IP
C) Public IP (Basic SKU)
D) Azure DNS Private Zone

Answer: B) Static Private IP

Explanation

A static private IP ensures that an Azure virtual machine always retains the same private IP address, regardless of whether the VM is stopped, deallocated or redeployed. The allocation method is a property of the network interface's IP configuration, not of the VM itself, and it matters for workloads that depend on fixed addresses: domain controllers, database servers, or anything referenced by IP in firewall rules and application configuration. Azure allows administrators to select a specific address within the subnet's range (outside the first four and last addresses, which Azure reserves), giving full control and predictability over internal addressing.

A dynamic private IP assigns an address automatically from the subnet range. Although this can remain the same during VM reboots, it is not guaranteed across deallocations or redeployments. When the VM is stopped and deallocated, the address may be returned to the pool and later reassigned to another resource. This unpredictability makes dynamic private addressing unsuitable for services requiring stability.

A public IP (Basic SKU) assigns a public-facing address for internet communication. It does not affect the internal private IP configuration of a virtual machine. Public addresses serve external access needs and are not used for internal network consistency or private communication within Azure virtual networks. This makes a public address entirely irrelevant to the requirement of retaining a private IP.

Azure DNS Private Zone enables name resolution within a virtual network without exposing DNS records to the internet. It is useful for internal DNS resolution, but it does not control or assign private IP addresses. Instead, it maps DNS names to existing addresses that already must be configured separately. Thus, while helpful for private resolution, it cannot guarantee predictable addressing.

Given these details, the only configuration that guarantees the virtual machine always retains a stable internal address is the use of a static private IP. This satisfies the need for reliability, predictable addressing, and consistent communication across internal components. Therefore, the correct answer is Static Private IP.

Question 189

You need to centrally store administrative scripts and securely control who can execute them across multiple Azure virtual machines. Which service should you use?

A) Azure Automation Account
B) Azure Blob Storage
C) Azure Repos
D) Azure Monitor Logs

Answer: A) Azure Automation Account

Explanation

Azure Automation Account is a robust, centralized platform designed to streamline administrative and operational tasks across Azure and hybrid environments. It provides a comprehensive solution that combines secure script storage, controlled execution, scheduling, credential management, and detailed logging, all within a single service. One of its core capabilities is the ability to host PowerShell and Python runbooks—scripts that can automate a wide range of administrative operations. These runbooks can interact not only with Azure resources but also with on-premises systems and other cloud environments, making Azure Automation a versatile tool for managing enterprise-scale infrastructures.

A key advantage of an Azure Automation account is its integration with Role-Based Access Control (RBAC). Administrators can assign roles that determine who may create, modify or execute runbooks. The built-in Automation Operator role, for example, lets a user start, stop and resume jobs without being able to create or edit runbooks or the credential assets they use, while Automation Contributor is required to author them. This ensures that only trusted users can perform potentially sensitive operations such as restarting virtual machines, deploying resources or changing network settings, and it reduces the risk of accidental or malicious changes while keeping processes structured and auditable. Azure Automation logs every runbook job, including its output and streams, so administrators can track actions, review results and troubleshoot failures. Scheduling capabilities further enhance its utility by running scripts automatically at predefined times or in response to triggers, eliminating manual intervention and ensuring consistent execution of repetitive tasks.

In contrast, Azure Blob Storage is simply a service for storing files and objects in the cloud. While it is possible to store scripts in Blob Storage, it provides no mechanisms for executing them, enforcing access permissions specific to execution, or orchestrating complex workflows. Administrators would need to manually retrieve, execute, and manage scripts, which introduces operational overhead and increases the potential for errors. Blob Storage lacks scheduling, credential management, and audit logging, making it unsuitable as a platform for centralized automation or administrative operations.

Azure Repos serves as a version control and source code management system. It is highly effective for tracking code changes, maintaining histories, and supporting collaborative development. However, it does not offer the ability to execute scripts, manage credentials, or schedule automated tasks within Azure. While Repos complements automation by providing a repository for scripts, it cannot replace the execution, orchestration, and governance features provided by Azure Automation Account. Scripts stored in Repos must still be manually executed or integrated into another automation platform to achieve operational efficiency.

Similarly, Azure Monitor Logs is focused on collecting and analyzing telemetry and diagnostic data from Azure resources. It provides insights into system performance, alerts, and trends but does not function as a platform for storing or running administrative scripts. Azure Monitor is valuable for monitoring and analytics, yet it cannot automate administrative tasks, schedule operations, or provide secure, controlled execution of scripts across the environment.

Considering all these factors, Azure Automation Account is clearly the optimal solution for centralized administrative automation. It combines secure script storage, RBAC-based execution, scheduling, orchestration, credential management, and logging into a single service. By leveraging Azure Automation, organizations can implement standardized, auditable processes, reduce operational overhead, and ensure that administrative tasks are executed securely, consistently, and efficiently across both cloud and hybrid environments.

Question 190

Your web application running on Azure Virtual Machines must remain accessible even if one VM or host fails. What should you configure?

A) Availability Set
B) Virtual Network Peering
C) Azure Backup
D) Azure Key Vault

Answer: A) Availability Set

Explanation

An availability set distributes virtual machines across multiple fault domains (separate racks with their own power and network switch, up to 3 per set) and update domains (groups that are rebooted together during planned maintenance, up to 20 per set), so that a hardware failure or platform update does not take down every instance at once. Two or more VMs in an availability set carry a 99.95% connectivity SLA, because at least one VM remains operational during a host failure or planned maintenance. This directly addresses the requirement for continuous application availability, provided the VMs sit behind a load balancer so that traffic is steered away from the failed instance.

Virtual Network Peering connects two virtual networks and allows resources to communicate privately. While useful for multi-network architectures, it does not provide any form of redundancy or fault isolation for virtual machines. It cannot protect against host or VM failures in any significant way.

Azure Backup provides data recovery and restore points for virtual machines. It does not maintain uptime or application availability. Although critical for disaster recovery, it does not impact the real-time availability of an application when a VM host goes down.

Azure Key Vault protects secrets, certificates, and encryption keys. Its function relates to security, not availability. Key Vault does not distribute VMs or maintain redundancy. It plays no part in keeping a web application online during VM or host failures.

Therefore, only availability sets offer the necessary resiliency by distributing VMs across independent hardware groups. This ensures consistent uptime during failures or maintenance, making it the correct choice.

Question 191

You need to identify unused and underutilized Azure virtual machines to reduce costs. Which tool should you use?

A) Azure Advisor
B) Azure Monitor Metrics
C) Azure Resource Graph
D) Azure Blueprints

Answer: A) Azure Advisor

Explanation

Azure Advisor is a powerful, built-in recommendation engine designed to help organizations optimize their Azure environment across several dimensions, including cost, security, performance, and operational excellence. When it comes to cost optimization specifically, Azure Advisor plays a crucial role by thoroughly analyzing resource utilization patterns and identifying opportunities to eliminate unnecessary spending. It evaluates virtual machines, disks, public IP addresses, and other resources to determine whether they are underutilized, idle, or oversized. Based on this analysis, it provides actionable guidance such as resizing VMs to more appropriate tiers, shutting down or deallocating VMs that show very low activity, and removing unused resources like unattached disks or unused IP addresses. These insights directly support cost-reduction initiatives and enable organizations to run workloads more efficiently without compromising performance needs.

In contrast, Azure Monitor Metrics serves a different purpose. It focuses on collecting and visualizing real-time performance data related to Azure resources. Metrics such as CPU utilization, memory consumption, disk I/O, and network activity can be charted to assist administrators in troubleshooting performance issues or understanding workload behavior. However, Azure Monitor does not automatically interpret this data to generate cost-saving recommendations. Administrators must manually analyze the graphs and determine whether a resource is oversized or underused. While the tool is extremely valuable for diagnostics and monitoring, it lacks the intelligence and automation required to make specific cost optimization suggestions. Therefore, it cannot independently support initiatives aimed at reducing cloud spending.

Azure Resource Graph provides a fast and efficient way to query large-scale Azure environments. It enables administrators to explore resource properties and configurations across an entire tenant or subscription using queries similar to Kusto Query Language (KQL). This tool is particularly helpful in environments with thousands of resources where visibility and inventory management are essential. However, Resource Graph does not analyze usage patterns or provide recommendations. Its purpose is to retrieve metadata, not interpret it. While it can tell you which VMs exist or which disks are attached, it cannot determine whether those resources are underutilized or whether shutting them down would reduce costs. Resource Graph is therefore not suitable for automatic cost-optimization workflows.

Azure Blueprints, meanwhile, focuses on governance, standardization, and compliance. It allows organizations to define templates and policies that ensure resources are deployed in a consistent and compliant manner. Blueprints are helpful for enforcing organizational standards such as naming conventions, network configurations, or security policies across multiple environments. However, they are not designed to analyze usage or identify waste. Blueprints do not provide any insight into how efficiently resources are running or whether costs can be reduced. Their purpose is governance, not operational or cost analytics.

When comparing these services, Azure Advisor clearly stands out as the only tool explicitly designed to identify wasted cloud spending and recommend actionable steps to reduce it. By evaluating resource utilization and offering tailored recommendations, Azure Advisor empowers organizations to optimize cloud costs without requiring deep manual analysis or complex tooling. For scenarios focused on reducing expenses by identifying underutilized virtual machines, Azure Advisor is unquestionably the correct and most effective solution.

Question 192

You want to enable a virtual machine to access a storage account using a managed identity instead of account keys. What must you configure?

A) Assign RBAC role to the VM’s managed identity
B) Create a shared access signature
C) Enable firewall rules for the storage account
D) Add the storage account to a private endpoint

Answer: A) Assign RBAC role to the VM’s managed identity

Explanation

Assigning an Azure Role-Based Access Control (RBAC) role to a virtual machine's managed identity is the secure, keyless way for the VM to reach Azure Storage. Managed identities are service principals in Azure Active Directory (Azure AD) whose credentials are owned and rotated by the platform; a VM can have a system-assigned identity, which is created and deleted with the VM, or one or more user-assigned identities that outlive it. Code on the VM obtains an access token for https://storage.azure.com/ from the Instance Metadata Service (IMDS) endpoint at 169.254.169.254 and presents it as a Bearer token to the storage REST API, so no secret is ever written to disk or configuration. Authorization is then decided by the data-plane roles assigned to that identity, such as Storage Blob Data Reader or Storage Blob Data Contributor, scoped to the whole account or to a single container under the least-privilege principle. Control-plane roles such as Contributor or Owner do not grant data access through this token path, although they do allow listing the account keys, which is why it is good practice to pair this setup with disabling shared key access on the account. Every request is logged in the storage resource logs with the identity's object ID. This eliminates the need to store or manage account keys or other credentials, enhancing both security and compliance.

Using a Shared Access Signature (SAS) is another method for granting temporary, token-based access to storage accounts. SAS tokens allow you to define permissions, resource types, and expiry times, offering fine-grained access control. However, SAS requires careful management of secrets and expiration policies. If a token is compromised or accidentally left active beyond its intended period, it can lead to unauthorized access. Furthermore, using SAS alongside managed identities undermines one of the key advantages of managed identities: the ability to avoid secret management entirely. While SAS is useful for scenarios such as granting external users temporary access, it introduces operational overhead and potential security risks that managed identities eliminate.

Firewall rules on a storage account control which network endpoints can access the resource, filtering by IP addresses, virtual networks, or subnets. While firewalls enhance security by limiting network exposure, they do not handle authentication. Even if a VM is allowed through firewall rules, it still requires proper identity-based authorization to perform any actions on the storage account. Without an RBAC assignment to its managed identity, the VM cannot access storage data securely, regardless of firewall configuration.

Similarly, creating a private endpoint allows the storage account to be accessible over a private IP within a virtual network, effectively securing traffic from exposure to the public internet. While private endpoints are excellent for network-level isolation, they do not replace authentication. The VM still needs to prove its identity to access the storage account. A private endpoint alone cannot provide the token-based access or enforce permissions associated with RBAC.

Considering these points, assigning an RBAC role to a VM’s managed identity is the most secure, streamlined, and compliant approach for keyless access to Azure Storage. It leverages Azure AD authentication, ensures the principle of least privilege, avoids the risks associated with key or token management, and provides full auditing capabilities. By combining managed identities with RBAC, organizations can enforce strict access control while simplifying credential management, making it the recommended best practice for secure, identity-based access to Azure resources.
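As an added worked example (not code from the original page), Part A below runs from an administrator's workstation to enable a VM's system-assigned identity, grant it read-only access to one container and turn off shared-key access; Part B runs inside the VM and reads a blob using a token from IMDS, with no key anywhere. The resource group, VM, storage account, container and blob names are placeholder assumptions.

```powershell
# Added example, not from the page. Placeholders: rg-app, vm-app, stapp001,
# the container "logs" and the blob "app.log".

# ---- Part A: admin workstation - identity, least-privilege role, no shared key ----
$rg = 'rg-app'; $vmName = 'vm-app'; $saName = 'stapp001'
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
Update-AzVM -ResourceGroupName $rg -VM $vm -IdentityType SystemAssigned | Out-Null
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName          # re-read to get PrincipalId

$sa = Get-AzStorageAccount -ResourceGroupName $rg -Name $saName
# Scope the role to a single container: read-only, nothing else on the account.
$scope = "$($sa.Id)/blobServices/default/containers/logs"
New-AzRoleAssignment -ObjectId $vm.Identity.PrincipalId `
    -RoleDefinitionName 'Storage Blob Data Reader' -Scope $scope | Out-Null

# Close the back door: with shared key disabled, account keys and key-signed SAS
# tokens stop working, so Azure AD identities are the only way in.
Set-AzStorageAccount -ResourceGroupName $rg -Name $saName -AllowSharedKeyAccess $false | Out-Null

# ---- Part B: inside the VM - token from IMDS, then a plain REST call ----------
$imds = 'http://169.254.169.254/metadata/identity/oauth2/token' +
        '?api-version=2018-02-01&resource=https://storage.azure.com/'
# IMDS requires the Metadata: true header, which blocks forwarded or redirected
# requests (for example from an SSRF bug in a web app) that cannot set headers.
$token = (Invoke-RestMethod -Uri $imds -Method GET -Headers @{ Metadata = 'true' }).access_token

$blobUri = "https://$saName.blob.core.windows.net/logs/app.log"
$headers = @{
    Authorization  = "Bearer $token"
    'x-ms-version' = '2020-10-02'     # Bearer auth on Blob REST needs a versioned request
}
$resp = Invoke-WebRequest -Uri $blobUri -Method GET -Headers $headers
$resp.StatusCode   # 200 once the role assignment has propagated (can take a few minutes)
```

Any process on the VM that can reach 169.254.169.254 can obtain this token, so the identity's role should be as narrow as the workload allows, and local privilege separation on the VM remains part of the security boundary.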

Question 193

You need to ensure that application data stored in Azure Storage is encrypted using your own customer-managed key. What should you use?

A) Azure Key Vault with CMK
B) Azure Disk Encryption
C) Azure Files Premium
D) Azure Monitor

Answer: A) Azure Key Vault with CMK

Explanation

Azure Key Vault with customer-managed keys (CMK) gives an organization control over the key that protects its data in Azure Storage. By default, Azure Storage encrypts all data at rest with Microsoft-managed keys, so encryption is always on but the key lifecycle is invisible to the customer. Organizations with strict compliance or regulatory requirements often need to own that lifecycle themselves. Customer-managed keys address this need: the organization creates or imports a key in Azure Key Vault (or a managed HSM), and the storage account uses that key to wrap and unwrap the data-encryption keys it generates internally. Ownership of the key brings ownership of rotation, revocation, lifecycle management, and auditing. Because Storage must be able to unwrap its data-encryption keys with the Key Vault key, disabling or deleting that key (or removing the storage account’s permission to use it) makes the data unreadable until access is restored, and every wrap and unwrap operation is recorded in the Key Vault logs. Authorization to the data itself is unchanged; CMK adds a cryptographic control that the organization, not Microsoft, holds.

In contrast, Azure Disk Encryption (ADE) is designed to protect the operating system and data disks of virtual machines. It uses BitLocker for Windows VMs and DM-Crypt for Linux VMs to encrypt the data stored on the disks. While this encryption protects data stored on virtual machine disks, it does not extend to Azure Storage accounts, which host blobs, tables, queues, and files. Therefore, ADE does not meet the requirement for customer-controlled encryption of service-level storage. It is focused entirely on VM-level encryption and cannot be used to manage or control keys for storage accounts at a service level.

Azure Files Premium is another feature that is sometimes misunderstood in the context of encryption. Azure Files Premium is a high-performance tier of Azure Files, designed to deliver low latency, higher throughput, and better IOPS for file share workloads. While it enhances performance, it does not influence how data is encrypted or who manages the encryption keys. Using Azure Files Premium does not provide any mechanism for customer-managed encryption keys; the encryption of data at rest in this tier still relies on Microsoft-managed keys unless CMK is explicitly configured via Key Vault. Therefore, while it is a useful service for performance optimization, it is not relevant for organizations seeking control over encryption keys.

Azure Monitor, meanwhile, is a service for collecting, analyzing, and visualizing metrics and logs from Azure resources. It helps administrators monitor resource performance, detect anomalies, and gain insights into operational health. However, it does not provide any functionality related to encryption or key management. It neither creates, manages, nor enforces the use of encryption keys. As a result, Azure Monitor is not applicable in scenarios requiring customer-controlled encryption.

Given these considerations, Azure Key Vault with customer-managed keys is the correct solution for organizations that need to maintain full control over the encryption of their storage account data. By leveraging Key Vault, administrators can centrally manage keys, control who has access, perform rotations at defined intervals, revoke keys if necessary, and audit all key-related operations. This provides a higher level of security and ensures compliance with policies or regulations that mandate customer-held encryption keys. It combines strong encryption with full administrative control, making it the recommended and best practice approach for customer-controlled storage encryption in Azure.
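The configuration described above, as an added example that is not part of the original page: create a Key Vault with the protections Storage requires, create a wrapping key, give the storage account a managed identity with permission to use that key, switch the account to the customer-managed key, and verify. The resource group, vault, account, key, and region names are assumptions, as is a current Az.Storage module in which omitting -KeyVersion enables automatic tracking of the latest key version.

```powershell
# Added example (not from the original page): move a storage account from
# Microsoft-managed keys to a customer-managed key held in Key Vault.
# Assumed names: rg-data, kv-data-cmk, stdata01, key sa-cmk, region westeurope.
$rg       = 'rg-data'
$kvName   = 'kv-data-cmk'
$saName   = 'stdata01'
$keyName  = 'sa-cmk'
$location = 'westeurope'

# 1. A vault used for CMK must keep soft delete and purge protection on;
#    Storage refuses a vault without them, because losing the key means
#    losing the data. RBAC authorization replaces legacy access policies.
$kv = New-AzKeyVault -Name $kvName -ResourceGroupName $rg -Location $location `
        -EnablePurgeProtection -EnableRbacAuthorization

# 2. Create the wrapping key. Use -Destination HSM on a premium vault when
#    compliance requires hardware-protected keys. (The caller needs the
#    Key Vault Crypto Officer role on the vault for this step.)
$key = Add-AzKeyVaultKey -VaultName $kvName -Name $keyName -Destination Software

# 3. Give the storage account an identity and allow it only get/wrap/unwrap
#    on keys in this vault; it never needs to read secrets or manage keys.
$sa = Set-AzStorageAccount -ResourceGroupName $rg -Name $saName -AssignIdentity
New-AzRoleAssignment -ObjectId $sa.Identity.PrincipalId `
    -RoleDefinitionName 'Key Vault Crypto Service Encryption User' `
    -Scope $kv.ResourceId | Out-Null

# 4. Point the account at the key. Leaving -KeyVersion out (assumption: current
#    Az.Storage) makes Storage follow the latest version, so a rotation in
#    Key Vault does not require re-running this command.
Set-AzStorageAccount -ResourceGroupName $rg -Name $saName `
    -KeyvaultEncryption -KeyName $keyName -KeyVaultUri $kv.VaultUri | Out-Null

# 5. Verify: KeySource must now be Microsoft.Keyvault, not Microsoft.Storage,
#    and the versioned key identifier shows which key version is in use.
$enc = (Get-AzStorageAccount -ResourceGroupName $rg -Name $saName).Encryption
$enc.KeySource
$enc.KeyVaultProperties | Select-Object KeyName, KeyVaultUri, CurrentVersionedKeyIdentifier
```

If the vault still uses the access-policy model instead of RBAC, replace step 3’s role assignment with Set-AzKeyVaultAccessPolicy -VaultName $kvName -ObjectId $sa.Identity.PrincipalId -PermissionsToKeys get,wrapkey,unwrapkey. Test the revocation path once in a non-production account: disable the key with Update-AzKeyVaultKey -Enable $false and confirm blob reads fail, then re-enable it. A key you cannot demonstrably revoke is not a control.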

Question 194

Your organization requires that only approved VM images can be deployed. How can you enforce this?

A) Azure Policy with allowed VM images
B) Azure Backup vault
C) Azure Virtual Network service endpoints
D) Azure Traffic Manager

Answer: A) Azure Policy with allowed VM images

Explanation

Azure Policy is a governance tool that allows administrators to enforce rules and ensure compliance across Azure resources. One of its key capabilities is to control which virtual machine images can be deployed within a management group, subscription, or resource group. A policy definition that matches the VM resource type and compares the image publisher, offer, and SKU (or, for Azure Compute Gallery images, the image resource ID) against an approved list lets organizations block unauthorized or non-compliant images. This matters where security, regulatory compliance, or organizational standards dictate which operating systems, patch levels, or software baselines are acceptable; without such a control, users could deploy images that carry known vulnerabilities, outdated software, or configurations that violate corporate policy. Azure Policy evaluates every create or update request against the assigned definitions. When the policy uses the Deny effect, a deployment that references an unapproved image is rejected by Azure Resource Manager before the VM is created; with the Audit effect the deployment proceeds and the resource is flagged as non-compliant instead. Existing VMs built from unapproved images are reported as non-compliant but are not modified or removed, so a Deny policy is a gate for new work, not a cleanup tool. This gives administrators a consistent, automated mechanism for enforcing organizational standards at provisioning time.

In comparison, an Azure Backup vault is a service that stores backup data for virtual machines, databases, and other resources. Its primary purpose is to provide disaster recovery and data protection. While Azure Backup ensures that critical data is recoverable in the event of accidental deletion, corruption, or ransomware attacks, it does not influence which VM images can be deployed. A backup vault is not involved in compliance enforcement during resource provisioning, and it cannot prevent users from deploying non-compliant or unauthorized virtual machine images.

Similarly, Azure Virtual Network (VNet) service endpoints are designed to secure network traffic between virtual networks and Azure services. They allow resources in a VNet to privately access services such as storage accounts or SQL databases without exposing traffic to the public internet. While service endpoints enhance security at the network level and ensure that service traffic stays within the Azure backbone, they do not provide governance over virtual machine deployments. They cannot enforce which operating system images or application configurations are used on newly created VMs.

Azure Traffic Manager is another service that is unrelated to VM image compliance. Traffic Manager is used to route user traffic across multiple endpoints for purposes such as global load balancing, performance optimization, or geographic routing. While it is critical for ensuring application availability and responsiveness, it has no mechanism for controlling virtual machine image selection or preventing non-compliant deployments. It operates at the traffic-routing layer rather than the resource-provisioning layer.

Considering all of these options, Azure Policy is the only solution that can enforce VM image compliance automatically. By defining an “allowed images” policy, administrators gain a proactive way to prevent unapproved deployments and maintain a secure, standardized, and compliant Azure environment. Azure Policy not only blocks non-compliant VM deployments but also provides auditing and reporting capabilities, allowing administrators to monitor policy compliance across subscriptions and resource groups. This centralized governance capability ensures that organizational standards are consistently applied, reduces the risk of security vulnerabilities, and helps organizations meet regulatory or corporate requirements. For scenarios where controlling which VM images can be deployed is essential, Azure Policy with allowed images is clearly the most effective and appropriate tool.
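The enforcement described above, as an added example that is not part of the original page: a custom policy definition that denies any VM whose image is neither a specific approved marketplace image nor an image from the organization’s own Azure Compute Gallery, assigned to one resource group. The gallery, resource group, and the particular Ubuntu publisher/offer/SKU are assumptions for illustration; the policy aliases used are the standard Microsoft.Compute image aliases.

```powershell
# Added example (not from the original page): deny VM deployments that use an
# image outside the approved set. Assumed names: gallery gal_corp in rg-images,
# target scope rg-prod; the Ubuntu 22.04 image below is an example approved image.
$sub       = (Get-AzContext).Subscription.Id
$galleryId = "/subscriptions/$sub/resourceGroups/rg-images/providers/Microsoft.Compute/galleries/gal_corp"

# Policy rule as a PowerShell object so the gallery path can be substituted in;
# it is serialized to the JSON that Azure Policy expects.
$rule = @{
    'if' = @{
        allOf = @(
            @{ field = 'type'; equals = 'Microsoft.Compute/virtualMachines' },
            @{ 'not' = @{
                anyOf = @(
                    # Approved marketplace image: publisher + offer + sku must all match.
                    @{ allOf = @(
                        @{ field = 'Microsoft.Compute/imagePublisher'; equals = 'Canonical' },
                        @{ field = 'Microsoft.Compute/imageOffer';     equals = '0001-com-ubuntu-server-jammy' },
                        @{ field = 'Microsoft.Compute/imageSku';       equals = '22_04-lts-gen2' }
                    ) },
                    # Any image (and any version) from the corporate gallery.
                    @{ field = 'Microsoft.Compute/imageId'; like = "$galleryId/images/*" }
                )
            } }
        )
    }
    'then' = @{ effect = 'deny' }
}
$ruleJson = $rule | ConvertTo-Json -Depth 20

# Definition lives at subscription scope; the assignment narrows it to rg-prod.
$def = New-AzPolicyDefinition -Name 'deny-unapproved-vm-images' `
         -DisplayName 'Only approved VM images may be deployed' `
         -Mode All -Policy $ruleJson

New-AzPolicyAssignment -Name 'deny-unapproved-vm-images' `
    -DisplayName 'Only approved VM images may be deployed' `
    -Scope (Get-AzResourceGroup -Name 'rg-prod').ResourceId `
    -PolicyDefinition $def | Out-Null

# Deny only gates new and updated VMs. Existing VMs built from other images are
# reported as non-compliant; this query lists them once evaluation has run.
Get-AzPolicyState -ResourceGroupName 'rg-prod' `
    -Filter "PolicyDefinitionName eq 'deny-unapproved-vm-images' and ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, ComplianceState
```

Test the assignment with a deliberately unapproved deployment (for example New-AzVM with a different -Image) and confirm the request fails with a RequestDisallowedByPolicy error before any resource is created. Compliance state for existing resources appears only after the next evaluation cycle, which can take some time after the assignment is created.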

Question 195

A development team needs temporary access to a production VM for emergency troubleshooting. Access must expire automatically after one hour. What should you use?

A) Just-in-Time VM Access
B) Azure VPN Gateway
C) Network Security Group
D) Azure Firewall

Answer: A) Just-in-Time VM Access

Explanation

Just-in-Time (JIT) VM Access is a feature of Microsoft Defender for Cloud, available with a Defender for Servers plan, that provides controlled, time-limited access to virtual machines. Its purpose is to reduce exposure by keeping inbound management ports, such as RDP and SSH, closed by default; these ports are favourite targets for scanning and brute-force attacks precisely because they are used for administrative access. JIT opens them only when needed and only for the requested duration. When an administrator needs to reach a VM, they submit a request naming the port, the source IP address they will connect from, and the time they need, which cannot exceed the maximum the JIT policy allows for that port. The request is granted if the requester holds the RBAC permissions JIT requires on the VM and the policy; there is no separate manual approval queue. JIT then writes a temporary allow rule into the Network Security Group (NSG) or Azure Firewall for that window and removes it again when the time expires, returning the VM to its closed state. Every request is recorded against the policy, so access is temporary, controlled, and auditable, and a VM is never left open because someone forgot to close a port.

In contrast, an Azure VPN Gateway is designed to create secure encrypted tunnels between on-premises networks and Azure virtual networks or between Azure VNets themselves. While it enables private, secure connectivity, it does not provide automatic, time-bound access to specific VM management ports. Once a VPN connection is established, it typically remains active until manually disconnected. The VPN Gateway does not manage or restrict administrative port access on a timed basis. Therefore, it cannot fulfill the requirement of granting short-term, expiring access to VM ports.

A Network Security Group (NSG) filters inbound and outbound traffic to and from Azure resources using a set of security rules. NSGs are effective for defining which IP addresses or subnets can reach a VM and which ports are open. However, an NSG rule has no lifetime: it stays in force until an administrator, or a script the administrator has to write and run, removes it. If a rule opening RDP or SSH is forgotten, the VM remains exposed indefinitely. This manual approach increases operational risk and does not offer the automatic expiration required for secure, short-term access.

Similarly, an Azure Firewall provides centralized, stateful packet inspection and network filtering across virtual networks. It is useful for enforcing policies, monitoring traffic, and managing network segmentation. However, like NSGs, Azure Firewall does not include built-in timers or mechanisms for temporary, on-demand access. It cannot automatically open administrative ports for a short period and then close them again without human intervention. Any changes to firewall rules must be made manually or programmatically, which still leaves room for error and potential exposure.

Given these comparisons, Just-in-Time VM Access stands out as the only solution specifically designed to provide temporary, controlled, and automatically expiring administrative access. It significantly reduces the risk of malicious scanning, brute-force attacks, and unauthorized access by ensuring that management ports are never left open longer than necessary. Administrators gain convenience through automated rule handling, while security teams gain assurance through reduced attack surfaces and detailed access logs. For organizations seeking a secure and efficient way to manage VM access, JIT is clearly the most appropriate and effective choice.
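The workflow described above, as an added example that is not part of the original page: enable a JIT policy on the VM that caps every SSH and RDP request at one hour, then submit a one-hour access request from a single source address, and finally read back the request log. The resource group, VM, region, and the 203.0.113.0/24 documentation range are assumptions; the object shape passed to the Az.Security cmdlets follows their documented format.

```powershell
# Added example (not from the original page): one-hour JIT access to a production VM.
# Assumed names: rg-prod, vm-prod01, region westeurope, requester on 203.0.113.10.
$sub      = (Get-AzContext).Subscription.Id
$rg       = 'rg-prod'
$vmName   = 'vm-prod01'
$location = 'westeurope'
$vmId     = "/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.Compute/virtualMachines/$vmName"
$policyId = "/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.Security/locations/$location/jitNetworkAccessPolicies/default"

# 1. Policy: which ports may be opened, from which prefixes, and for how long
#    at most. PT1H (ISO 8601) caps every request at one hour, so a requester
#    cannot ask for a longer window than the policy permits.
$jitPolicy = @{
    id    = $vmId
    ports = @(
        @{ number = 22;   protocol = 'TCP'; allowedSourceAddressPrefix = @('203.0.113.0/24'); maxRequestAccessDuration = 'PT1H' },
        @{ number = 3389; protocol = 'TCP'; allowedSourceAddressPrefix = @('203.0.113.0/24'); maxRequestAccessDuration = 'PT1H' }
    )
}
Set-AzJitNetworkAccessPolicy -Kind 'Basic' -Location $location -Name 'default' `
    -ResourceGroupName $rg -VirtualMachine @($jitPolicy) | Out-Null

# 2. Request: open SSH only, only for this caller's address, expiring in one
#    hour. Defender inserts the temporary allow rule into the NSG (or Azure
#    Firewall) and removes it at endTimeUtc; nothing for the admin to clean up.
$endTime = (Get-Date).ToUniversalTime().AddHours(1).ToString('o')
$request = @{
    id    = $vmId
    ports = @(
        @{ number = 22; endTimeUtc = $endTime; allowedSourceAddressPrefix = @('203.0.113.10') }
    )
}
Start-AzJitNetworkAccessPolicy -ResourceId $policyId -VirtualMachine @($request)

# 3. Audit: every request, with who asked and when, is kept on the policy object.
(Get-AzJitNetworkAccessPolicy -ResourceGroupName $rg -Location $location -Name 'default').Requests |
    Select-Object Requestor, StartTimeUtc
```

The requesting user needs read access to the VM plus the Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action permission (included in the built-in Security Admin role, or grant it in a custom role) rather than any approval from a second person. A request whose endTimeUtc exceeds the port’s maxRequestAccessDuration is rejected, which is the property that makes the one-hour limit enforceable rather than advisory. For the VM to be protected between requests, the NSG must still contain a deny rule for the management ports; JIT only adds the temporary allow above it.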