Microsoft AZ-800 Administering Windows Server Hybrid Core Infrastructure Exam Dumps and Practice Test Questions Set 5 Q61-75

Visit here for our full Microsoft AZ-800 exam dumps and practice test questions.

Question 61

You are managing a hybrid Windows Server environment where several on-premises file servers replicate critical data to Azure. You want to optimize storage costs by keeping frequently accessed files on local servers, while rarely accessed files are tiered to Azure. Users should still have seamless access to all files. Which solution should you implement?

A) Azure File Sync with cloud tiering
B) DFS replication
C) SMB Multichannel
D) Workgroup file shares

Answer:  A) Azure File Sync with cloud tiering

Explanation:

Azure File Sync with cloud tiering is a hybrid storage solution designed to provide seamless access to files while optimizing local storage usage. Frequently accessed files remain cached on-premises, providing low-latency access, while infrequently accessed files are automatically tiered to Azure Files. Users access all files through standard SMB paths, making the hybrid storage setup transparent. Tiered files are represented by stubs on local servers, which retrieve the data on-demand from Azure when accessed. Cloud tiering supports policies based on last access, file size, or other criteria, enabling administrators to optimize storage costs without impacting user experience. Centralized management allows monitoring of storage utilization, performance metrics, and file access patterns. Integration with Azure Backup ensures that both on-premises and cloud copies are secure and recoverable. Security is maintained through Azure encryption in transit and at rest, supporting compliance with regulatory and organizational standards.

DFS replication ensures multiple copies of data exist across servers for redundancy and availability but does not optimize storage. All replicated copies are fully stored on local servers, increasing storage costs and providing no automatic tiering to the cloud. DFS replication also does not enable seamless access to cloud-stored files.

SMB Multichannel enhances network throughput and provides redundant paths between SMB clients and servers. While it improves performance for file transfers, it does not manage data placement or storage optimization. SMB Multichannel alone cannot tier files to Azure or reduce local storage costs.

Workgroup file shares are unmanaged local shares without hybrid cloud integration, tiering, or centralized control. They provide no storage optimization, replication, or backup management, leaving administrators responsible for manual intervention.

Azure File Sync with cloud tiering is the correct solution because it allows transparent access to files, optimizes local storage usage, reduces costs, and provides centralized management. It combines on-premises performance with cloud scalability, ensures compliance, and supports seamless hybrid file access for enterprise environments.

Question 62

You are designing a hybrid Windows Server infrastructure where privileged accounts must be protected. Administrative credentials should be used only when necessary, require multifactor authentication, and be auditable across both on-premises servers and Azure VMs. Which solution should you implement?

A) Azure AD Privileged Identity Management with dedicated admin accounts
B) Local administrator accounts on each server
C) RDP connections with saved credentials
D) Workgroup administrative accounts

Answer:  A) Azure AD Privileged Identity Management with dedicated admin accounts

Explanation:

Azure AD Privileged Identity Management (PIM) with dedicated administrative accounts provides secure, centralized management of privileged access across hybrid environments. PIM allows just-in-time activation of administrative roles, reducing the risk of standing privileges being exploited. Dedicated accounts separate day-to-day user operations from administrative functions, preventing exposure of sensitive credentials during routine tasks. Multifactor authentication is enforced during activation, adding an extra layer of security. All administrative actions are logged and auditable, supporting compliance reporting and forensic investigation. PIM also supports approval workflows, conditional access policies, and time-bound assignments, ensuring privileged access is granted only when necessary and under controlled conditions. Integration across on-premises servers and Azure-hosted VMs provides a unified, consistent governance framework, simplifying management and enforcing enterprise security policies. PIM ensures reduced attack surface, mitigates insider threats, and enables administrators to monitor and respond to suspicious activity in real time.

Local administrator accounts on each server are unmanaged and lack MFA enforcement, centralized auditing, or just-in-time access. These accounts increase the risk of credential compromise, privilege abuse, and noncompliance.

RDP connections with saved credentials provide a high-risk attack surface. Credentials can be harvested by malware, and there is no centralized logging, MFA enforcement, or just-in-time activation. This method does not comply with enterprise security or hybrid governance standards.

Workgroup administrative accounts operate independently on each server, offering no MFA, centralized control, or audit capabilities. They increase operational complexity, reduce visibility, and expose hybrid infrastructure to elevated risk.

Azure AD PIM with dedicated administrative accounts is the correct solution because it enforces secure, time-bound, MFA-protected, and centrally auditable privileged access. It reduces risk, ensures compliance, and provides a scalable and secure framework for managing elevated access across hybrid Windows Server environments.

Question 63

You are responsible for backup and recovery of hybrid Windows Server workloads. Backups must be encrypted, centrally monitored, support long-term retention, and allow restores to both on-premises servers and Azure-hosted VMs. Which solution should you implement?

A) Azure Backup with the MARS agent
B) Local volume shadow copies
C) Manual Robocopy scripts
D) FTP-based cloud backup without encryption

Answer:  A) Azure Backup with the MARS agent

Explanation:

Azure Backup using the MARS agent provides a secure, automated, and centrally managed solution for hybrid Windows Server backups. It encrypts backup data both in transit and at rest, ensuring confidentiality and integrity. Administrators can configure retention policies for long-term compliance, allowing backups to be retained for months or years as required by regulatory or business standards. Azure Backup enables restoration to both on-premises servers and Azure-hosted VMs, providing operational flexibility for disaster recovery and business continuity. Centralized monitoring and reporting through the Recovery Services vault allows administrators to track backup health, generate compliance reports, and receive alerts for failed or incomplete backups. Incremental backup reduces network and storage consumption while ensuring full recoverability. Role-based access control ensures only authorized personnel can manage backup and restore operations. Integration with hybrid infrastructure ensures that both on-premises and cloud workloads are protected, meeting enterprise operational and regulatory requirements.

Local volume shadow copies provide basic point-in-time recovery on individual servers but lack centralized management, cloud integration, encryption, and long-term retention. They do not meet hybrid or compliance requirements and are vulnerable to ransomware or physical failures.

Manual Robocopy scripts copy files but provide no encryption, retention policies, or monitoring. They are error-prone, require ongoing maintenance, and cannot reliably meet enterprise hybrid backup standards.

FTP-based cloud backup without encryption exposes sensitive data to interception and unauthorized access. It provides no centralized management, auditing, retention, or compliance features and is unsuitable for hybrid enterprise environments.

Azure Backup with the MARS agent is the correct solution because it offers a fully managed, encrypted, hybrid-aware backup solution with centralized monitoring, long-term retention, and flexible restore options. It ensures operational continuity, regulatory compliance, and robust protection across both on-premises and Azure-hosted Windows Server workloads, making it the optimal choice for hybrid enterprise backup and disaster recovery.

Question 64

You are managing a hybrid Windows Server environment where developers need isolated virtual machines for testing applications. These VMs should not affect production workloads, require snapshots, updates, and policy management, and must integrate with Azure for centralized governance. Which solution should you implement?

A) Azure Stack HCI clusters with Azure Arc integration
B) Standalone Hyper-V workgroup hosts
C) Direct access to physical servers
D) File server-based VM storage

Answer:  A) Azure Stack HCI clusters with Azure Arc integration

Explanation:

Azure Stack HCI clusters combined with Azure Arc provide a comprehensive hybrid solution for running isolated virtual machines that require full control and enterprise-grade governance. Azure Stack HCI delivers a hyperconverged infrastructure that consolidates compute and storage, enabling high availability, scalability, and resiliency for both test and production workloads. Developers can deploy VMs independently of production servers, allowing snapshots, updates, and policy testing without affecting live operations. Azure Arc extends Azure management, enabling centralized monitoring, policy enforcement, compliance reporting, and automated operational workflows across hybrid environments. This approach allows IT teams to maintain security, operational control, and compliance while providing developers the flexibility to manage testing environments. The high availability and failover capabilities of Azure Stack HCI ensure minimal downtime and reliable operation, while cloud integration allows for centralized monitoring, backup, and disaster recovery.

Standalone Hyper-V workgroup hosts allow VM deployment but lack centralized governance, Azure integration, and automated policy enforcement. Each host must be managed individually, increasing administrative burden and reducing consistency.

Direct access to physical servers exposes production workloads to risk. Developers making changes on physical hardware may inadvertently impact live systems, compromising stability and security. Physical infrastructure lacks centralized management, monitoring, and compliance tools.

File server-based VM storage provides storage for virtual machines but does not include compute, orchestration, high availability, or hybrid governance. It cannot deliver isolated, fully managed test environments with integration into Azure for centralized monitoring and policy enforcement.

Azure Stack HCI clusters with Azure Arc integration are the correct solution because they provide isolated, fully managed test environments with centralized hybrid governance, high availability, and scalable compute and storage. It separates development workloads from production, ensures policy enforcement, supports snapshots and updates, and integrates seamlessly with Azure management, providing a robust, enterprise-ready solution for hybrid Windows Server testing environments.

Question 65

You are managing a hybrid Windows Server environment and must ensure that all administrative activities are logged in real time, including command execution, file access, and security events, across both on-premises and Azure-hosted servers. Which solution should you implement?

A) Microsoft Defender for Identity with Azure Sentinel integration
B) Local Event Viewer auditing only
C) Manual log collection via PowerShell scripts
D) SMB share logging

Answer:  A) Microsoft Defender for Identity with Azure Sentinel integration

Explanation:

Microsoft Defender for Identity integrated with Azure Sentinel provides centralized, real-time monitoring and auditing of administrative activities in hybrid Windows Server environments. Defender for Identity analyzes user behavior and authentication patterns to detect suspicious activity such as unauthorized access, privilege escalation, and lateral movement. By integrating with Azure Sentinel, logs are collected centrally, correlated, and analyzed for anomalies. This enables administrators to detect threats immediately and respond proactively. Logged events include command execution, file access, security changes, and authentication events, providing a comprehensive audit trail. Centralized monitoring and alerting allow organizations to maintain regulatory compliance and support forensic investigations. Automated incident response, dashboards, and real-time alerts reduce administrative overhead while maintaining enterprise-grade security. Integration across on-premises and Azure-hosted servers ensures consistent visibility and control, allowing IT teams to manage and audit administrative activity in a single pane.

Local Event Viewer auditing captures events only on individual servers, without centralized correlation. Administrators must manually gather and analyze logs, which is inefficient, prone to oversight, and difficult to scale in hybrid environments.

Manual log collection via PowerShell scripts allows periodic event extraction but lacks real-time monitoring, centralized correlation, or automated alerting. This method requires ongoing maintenance, is error-prone, and does not scale well in enterprise hybrid deployments.

SMB share logging captures file access over network shares but does not record administrative actions such as command execution, privilege changes, or authentication events. It cannot provide centralized reporting or meet compliance requirements for hybrid environments.

Microsoft Defender for Identity with Azure Sentinel integration is the correct solution because it provides real-time, centralized auditing of administrative activity across hybrid Windows Server environments. It ensures visibility, enables compliance, detects threats proactively, and allows automated response, providing a scalable and secure solution for enterprise hybrid infrastructures.

Question 66

You are responsible for backup and recovery of hybrid Windows Server workloads. Backups must be encrypted, centrally managed, support long-term retention, and allow restores to both on-premises servers and Azure-hosted VMs. Which solution should you implement?

A) Azure Backup with the MARS agent
B) Local volume shadow copies
C) Manual Robocopy scripts
D) FTP-based cloud backup without encryption

Answer:  A) Azure Backup with the MARS agent

Explanation:

Azure Backup using the MARS agent provides a secure, automated, and centralized solution for hybrid Windows Server backup and recovery. Data is encrypted both in transit and at rest, ensuring confidentiality and integrity. Administrators can define long-term retention policies to meet compliance requirements, ensuring backups remain available for months or years as required by regulations or business standards. Azure Backup allows restoration to on-premises servers or Azure-hosted VMs, providing flexibility for disaster recovery and business continuity scenarios. Centralized monitoring through the Recovery Services vault enables administrators to track backup health, generate compliance reports, and receive alerts for failed or incomplete backups. Incremental backups optimize network usage and storage while maintaining full recoverability. Role-based access control ensures that only authorized personnel can manage backup and restore operations, reducing the risk of unauthorized access. Integration with hybrid infrastructure provides unified management of both on-premises and cloud workloads, ensuring operational efficiency and compliance.

Local volume shadow copies provide only point-in-time recovery for individual servers and do not support centralized management, encryption, long-term retention, or cloud restores. They are insufficient for enterprise hybrid backup and cannot meet compliance or disaster recovery requirements.

Manual Robocopy scripts copy files but provide no encryption, retention policies, monitoring, or centralized management. Scripts are error-prone, require manual maintenance, and cannot reliably meet enterprise hybrid backup standards.

FTP-based cloud backup without encryption exposes sensitive data to unauthorized access, lacks centralized monitoring, auditing, retention policies, and disaster recovery capabilities, making it unsuitable for hybrid enterprise infrastructure.

Azure Backup with the MARS agent is the correct solution because it provides a fully managed, encrypted, hybrid-aware backup solution with centralized monitoring, long-term retention, and flexible restore options. It ensures operational continuity, regulatory compliance, and secure recovery for both on-premises and Azure-hosted Windows Server workloads, making it the optimal enterprise solution for hybrid backup and disaster recovery.

Question 67

You are managing a hybrid Windows Server environment where file shares must be highly available, provide fast access for frequently used files, and automatically offload rarely accessed files to Azure. Users should have seamless access to all files. Which solution should you implement?

A) Azure File Sync with cloud tiering
B) DFS replication
C) SMB Multichannel
D) Workgroup file shares

Answer:  A) Azure File Sync with cloud tiering

Explanation:

Azure File Sync with cloud tiering is a hybrid storage solution that allows administrators to optimize local storage usage while maintaining seamless access for users. Frequently accessed files are cached locally on-premises, ensuring low-latency access, while infrequently accessed files are automatically tiered to Azure Files. Users access all files through the same SMB share paths, making the transition between local and cloud storage transparent. Cloud tiering represents cloud-stored files as stubs locally, retrieving the full data on-demand when accessed. Administrators can define tiering policies based on last access, file size, or file type to optimize storage utilization and reduce costs. Integration with Azure Backup ensures that both on-premises and cloud copies are secure, encrypted, and recoverable, supporting compliance and disaster recovery requirements. Centralized monitoring provides visibility into storage usage, performance metrics, and file access patterns, helping organizations maintain operational efficiency and regulatory compliance. This solution balances performance, cost, and manageability in hybrid Windows Server environments, making it ideal for enterprises with large datasets and distributed offices.

DFS replication provides redundancy by replicating full copies of files across multiple servers, ensuring availability in case of server failure. However, it does not reduce storage usage or provide cloud integration. Replicated copies consume significant local storage, and users cannot access tiered files from the cloud seamlessly.

SMB Multichannel improves network throughput and reliability by enabling multiple network paths for SMB traffic. While it enhances file transfer performance, it does not manage storage location, tiering, or hybrid integration. SMB Multichannel alone cannot optimize storage costs or provide seamless access to cloud-stored files.

Workgroup file shares are unmanaged local shares that do not integrate with the cloud or provide tiering. They require manual administration, offer no redundancy, and are not suitable for enterprise hybrid environments.

Azure File Sync with cloud tiering is the correct solution because it optimizes local storage, ensures seamless access, integrates with Azure for cloud scalability, provides centralized monitoring, and supports compliance and disaster recovery requirements. This solution delivers high performance and operational efficiency in hybrid Windows Server environments.

Question 68

You are designing a hybrid Windows Server infrastructure where privileged administrative access must be strictly controlled. Administrative accounts should be used only when necessary, require multifactor authentication, and be auditable across on-premises servers and Azure VMs. Which solution should you implement?

A) Azure AD Privileged Identity Management with dedicated admin accounts
B) Local administrator accounts on each server
C) RDP connections with saved credentials
D) Workgroup administrative accounts

Answer:  A) Azure AD Privileged Identity Management with dedicated admin accounts

Explanation:

Azure AD Privileged Identity Management (PIM) with dedicated administrative accounts provides a secure and auditable approach for managing elevated access in hybrid Windows Server environments. PIM enables just-in-time activation of privileged roles, reducing the risk of standing privileges being exploited. Dedicated administrative accounts separate day-to-day operations from administrative activities, preventing exposure of sensitive credentials during routine tasks. Multifactor authentication is enforced during activation, adding an extra layer of security. All administrative actions are logged, monitored, and auditable, supporting compliance reporting and forensic analysis. PIM also provides approval workflows, conditional access, and time-bound assignments, ensuring that privileged access is granted only when necessary and under controlled conditions. Integration across on-premises servers and Azure-hosted VMs provides centralized visibility, governance, and policy enforcement, simplifying management and reducing the likelihood of insider threats or credential compromise. Organizations can monitor activation patterns, detect suspicious activity, and respond proactively to unauthorized attempts.

Local administrator accounts on each server lack MFA enforcement, centralized auditing, and just-in-time access. These accounts increase the risk of credential theft, privilege abuse, and inconsistent security policies, making them unsuitable for enterprise hybrid environments.

RDP connections with saved credentials are insecure because stored credentials can be stolen or intercepted. RDP does not provide centralized auditing, MFA, or time-bound access control, leaving privileged accounts exposed. This approach does not comply with modern hybrid governance and enterprise security standards.

Workgroup administrative accounts are independently managed on each server, offering no MFA, auditing, or centralized management. They increase operational complexity and reduce visibility into privileged access, making it difficult to enforce enterprise security and compliance policies.

Azure AD PIM with dedicated administrative accounts is the correct solution because it enforces time-limited, MFA-protected, auditable access for privileged accounts. It ensures centralized governance, reduces risk of credential compromise, supports compliance, and provides consistent management across hybrid environments. This solution aligns with zero-trust principles and enterprise security best practices for Windows Server infrastructure.

Question 69

You are responsible for backup and recovery of hybrid Windows Server workloads. Backups must be encrypted, centrally monitored, support long-term retention, and allow restores to both on-premises servers and Azure-hosted VMs. Which solution should you implement?

A) Azure Backup with the MARS agent
B) Local volume shadow copies
C) Manual Robocopy scripts
D) FTP-based cloud backup without encryption

Answer:  A) Azure Backup with the MARS agent

Explanation:

Azure Backup using the Microsoft Azure Recovery Services (MARS) agent provides a secure, centralized, and hybrid-aware solution for backup and recovery of Windows Server workloads. The MARS agent encrypts data both in transit and at rest, ensuring that sensitive information is protected from unauthorized access. Administrators can define retention policies to maintain long-term backups in compliance with regulatory or business requirements. Azure Backup enables restoration to both on-premises servers and Azure-hosted VMs, providing flexibility for disaster recovery, business continuity, and operational resilience. Centralized monitoring through the Recovery Services vault provides insights into backup health, reporting, and alerting for failed or incomplete backups. Incremental backup reduces storage and network consumption while maintaining full recoverability. Role-based access control ensures that only authorized personnel can manage backup and restore operations, reducing security risk. Integration with hybrid infrastructure allows organizations to manage both cloud and on-premises workloads from a single platform, ensuring consistency, security, and compliance.

Local volume shadow copies provide only point-in-time recovery for individual servers, lack centralized monitoring, encryption, cloud integration, and long-term retention, and are vulnerable to ransomware and hardware failure. They cannot meet enterprise backup and compliance requirements in hybrid environments.

Manual Robocopy scripts copy files but provide no encryption, retention policies, or centralized management. They are prone to human error, require continuous maintenance, and cannot reliably ensure compliance or operational recovery for hybrid infrastructure.

FTP-based cloud backup without encryption exposes sensitive data to interception, lacks centralized control, retention policies, monitoring, and audit capabilities. It is unsuitable for enterprise hybrid backup and disaster recovery needs.

Azure Backup with the MARS agent is the correct solution because it delivers fully managed, encrypted, centralized, and hybrid-aware backup with long-term retention, compliance reporting, and flexible restore options. It ensures operational continuity, security, and regulatory compliance for both on-premises and Azure-hosted Windows Server workloads.

Question 70

You are managing a hybrid Windows Server environment where multiple on-premises file servers need to synchronize data with Azure for backup and redundancy. You want to minimize local storage usage while ensuring users can access all files without disruption. Which solution should you implement?

A) Azure File Sync with cloud tiering
B) Distributed File System (DFS) replication
C) SMB Multichannel
D) Workgroup file shares

Answer:  A) Azure File Sync with cloud tiering

Explanation:

Azure File Sync with cloud tiering is designed to optimize hybrid storage by keeping frequently accessed files cached locally while tiering infrequently accessed files to Azure Files. This approach reduces on-premises storage requirements while maintaining seamless access for users. The solution represents cloud-stored files as stubs on local servers, which are automatically retrieved from Azure when accessed, providing transparent access. Administrators can define policies to tier files based on last access, file size, or file type. Centralized management allows monitoring of storage usage, tiering efficiency, and user activity. Integration with Azure Backup ensures that both on-premises and cloud copies of data are encrypted, secure, and recoverable, supporting compliance and disaster recovery objectives. Cloud tiering supports high availability, performance optimization, and cost reduction by shifting cold data to the cloud while keeping hot data locally for rapid access. This hybrid solution scales to multiple sites and is ideal for organizations seeking to reduce on-premises storage without impacting end-user experience.

DFS replication ensures redundancy by maintaining copies of files across multiple servers but does not optimize local storage or provide cloud integration. Replicated files consume full local storage, increasing costs and management overhead. DFS replication also does not provide automatic tiering or seamless cloud access.

SMB Multichannel is a feature of the Server Message Block (SMB) protocol designed to enhance network performance and reliability when accessing file shares over a network. It achieves this by allowing multiple network connections to be established simultaneously between an SMB client and server. By using multiple network interfaces, SMB Multichannel can aggregate bandwidth, significantly improving data transfer throughput, especially for large file transfers or workloads that require high network performance. Additionally, the feature provides redundancy for SMB traffic: if one network interface or path fails, SMB can automatically continue communication over the remaining active channels, ensuring uninterrupted access to shared files. This capability makes SMB Multichannel particularly valuable in enterprise environments where high availability and consistent performance are critical for business operations, such as virtualization, database access, and large-scale file sharing.

Despite its advantages in throughput and reliability, SMB Multichannel does not provide storage management capabilities. It does not handle data placement, meaning it cannot determine where data is stored across physical disks or storage arrays. It also does not implement tiering, so it cannot automatically move frequently accessed data to faster storage media or archive less-used data to lower-cost storage. SMB Multichannel’s focus is strictly on optimizing network transport for file access rather than managing the storage itself. As a result, while it can make file transfers faster and more resilient, it does not reduce the amount of on-premises storage required or improve storage efficiency. Organizations looking for storage optimization, automated tiering, or data lifecycle management must rely on complementary solutions, such as Storage Spaces, Storage Spaces Direct, or cloud-integrated tools like Azure File Sync, to achieve these goals.

Furthermore, SMB Multichannel does not provide native integration with cloud storage for hybrid scenarios. While it enhances performance for local network transfers, it cannot automatically offload data to Azure or other cloud platforms to reduce on-premises storage pressure or provide cloud-based redundancy. Any hybrid storage integration must be handled by additional tools or services that support replication, caching, or synchronization between on-premises servers and cloud storage.

SMB Multichannel is a network-focused enhancement of the SMB protocol that improves throughput and provides redundant communication paths for file transfers. Its value lies in optimizing the performance and resilience of SMB traffic rather than managing storage, optimizing data placement, or integrating with cloud services. It complements storage solutions by making access to files faster and more reliable, but does not replace storage management or hybrid cloud capabilities.

Workgroup file shares are unmanaged local shares without cloud integration or automated tiering. They require manual management, do not optimize storage, and lack redundancy and monitoring capabilities.

Azure File Sync with cloud tiering is the correct solution because it optimizes storage usage, maintains seamless access for users, integrates with Azure for cloud scalability, supports centralized management, and ensures security and compliance. It balances performance, cost, and operational efficiency in hybrid Windows Server environments.

Question 71

You are designing a hybrid Windows Server environment where privileged administrative access must be strictly controlled. Accounts should only be activated when needed, require multifactor authentication, and be auditable across both on-premises servers and Azure-hosted VMs. Which solution should you implement?

A) Azure AD Privileged Identity Management with dedicated admin accounts
B) Local administrator accounts on each server
C) RDP connections with saved credentials
D) Workgroup administrative accounts

Answer:  A) Azure AD Privileged Identity Management with dedicated admin accounts

Explanation:

Azure AD Privileged Identity Management (PIM) with dedicated administrative accounts provides secure, auditable, and centralized management of elevated privileges in hybrid Windows Server environments. PIM allows just-in-time activation of privileged roles, limiting exposure of sensitive credentials and preventing standing privileges from being misused. Dedicated accounts separate daily operations from administrative functions, reducing the risk of accidental or malicious changes. Multifactor authentication is enforced at activation, providing an additional security layer. All administrative actions are logged and auditable, supporting compliance reporting and forensic investigation. Approval workflows, time-bound access, and conditional access policies ensure that privileged access is granted only under controlled circumstances. Integration with both on-premises servers and Azure-hosted VMs provides centralized governance, visibility, and monitoring of privileged operations. This solution reduces insider threats, improves compliance, and provides a robust mechanism to enforce enterprise security policies.

Local administrator accounts on each server are unmanaged, do not enforce MFA, and offer no auditing. These accounts increase the risk of credential compromise and privilege misuse while providing inconsistent security controls across the hybrid environment.

RDP connections with saved credentials are insecure because stored credentials can be intercepted or stolen. They provide no centralized auditing, MFA, or just-in-time access control, leaving administrative accounts exposed.

Workgroup administrative accounts operate independently on each server with no MFA, auditing, or centralized management. They increase operational complexity, reduce visibility, and make it difficult to enforce enterprise security and compliance standards.

Azure AD PIM with dedicated administrative accounts is the correct solution because it enforces time-bound, MFA-protected, and auditable access for privileged accounts. It ensures centralized governance, reduces security risks, supports compliance, and provides consistent management across hybrid environments. This approach aligns with zero-trust security principles and enterprise best practices for Windows Server administration.

Question 72

You are responsible for backup and recovery of hybrid Windows Server workloads. Backups must be encrypted, centrally managed, support long-term retention, and allow restores to both on-premises servers and Azure-hosted VMs. Which solution should you implement?

A) Azure Backup with the MARS agent
B) Local volume shadow copies
C) Manual Robocopy scripts
D) FTP-based cloud backup without encryption

Answer:  A) Azure Backup with the MARS agent

Explanation:

Azure Backup using the Microsoft Azure Recovery Services (MARS) agent provides a secure, centralized, and hybrid-aware backup and recovery solution for Windows Server workloads. The MARS agent encrypts data in transit and at rest, ensuring the confidentiality and integrity of critical files. Administrators can define retention policies to support long-term compliance, ensuring backups remain available for months or years in accordance with regulatory and business requirements. Azure Backup allows restoration to on-premises servers or Azure-hosted VMs, providing flexible disaster recovery options. Centralized monitoring through the Recovery Services vault enables administrators to track backup health, generate compliance reports, and receive alerts for failed or incomplete backups. Incremental backup reduces network and storage consumption while ensuring full recoverability. Role-based access control ensures that only authorized personnel can manage backup and restore operations, reducing the risk of unauthorized access. Integration with hybrid infrastructure ensures both cloud and on-premises workloads are protected while providing centralized management and compliance reporting.

Local volume shadow copies provide only point-in-time recovery for individual servers and lack centralized management, encryption, cloud integration, and long-term retention. They cannot meet enterprise hybrid backup requirements or support regulatory compliance.

Manual Robocopy scripts allow file copies but provide no encryption, retention policies, monitoring, or centralized management. Scripts are error-prone, require ongoing maintenance, and cannot reliably meet enterprise hybrid backup standards.

FTP-based cloud backup without encryption exposes sensitive data to interception and unauthorized access. It lacks centralized monitoring, auditing, retention policies, and disaster recovery capabilities, making it unsuitable for hybrid enterprise infrastructure.

Azure Backup with the MARS agent is the correct solution because it provides fully managed, encrypted, hybrid-aware backup with centralized monitoring, long-term retention, compliance reporting, and flexible restore options. It ensures operational continuity, regulatory compliance, and secure recovery for both on-premises and Azure-hosted Windows Server workloads, making it the optimal enterprise solution for hybrid backup and disaster recovery.

Question 73

You are managing a hybrid Windows Server environment where several branch offices require file synchronization with central Azure storage. The solution must keep frequently accessed files local while rarely accessed files are automatically tiered to Azure. Users should have seamless access to all files without disruption. Which solution should you implement?

A) Azure File Sync with cloud tiering
B) DFS replication
C) SMB Multichannel
D) Workgroup file shares

Answer:  A) Azure File Sync with cloud tiering

Explanation:

Azure File Sync with cloud tiering is specifically designed for hybrid environments requiring seamless file access while optimizing storage. Frequently accessed files are cached locally on branch servers, providing low-latency access. Infrequently accessed files are automatically tiered to Azure Files, freeing local storage while remaining accessible to users. Files in the cloud are represented as stubs on local servers, retrieved from Azure on-demand when accessed, providing transparent access. Administrators can implement tiering policies based on last access, file type, or file size, which optimizes storage efficiency and reduces costs. Integration with Azure Backup ensures that both on-premises and cloud-stored files are encrypted, secure, and recoverable, supporting disaster recovery and regulatory compliance. Centralized monitoring enables administrators to track storage usage, access patterns, and tiering efficiency, while also providing alerts for potential issues. This hybrid solution scales across multiple offices, provides consistent user experience, and supports enterprise governance and compliance requirements.

DFS replication ensures redundancy by maintaining full copies of files across multiple servers. While it improves availability, it does not optimize storage because each server keeps a complete copy. DFS replication also does not tier files to the cloud or provide seamless access to cloud-stored files, increasing storage costs and management overhead.

SMB Multichannel improves network performance by allowing multiple simultaneous network paths between SMB clients and servers. While it enhances file transfer speed, it does not manage storage location, tiering, or provide hybrid cloud integration. It cannot reduce local storage usage or optimize costs.

Workgroup file shares are unmanaged local shares with no cloud integration, tiering, or centralized management. They require manual oversight, provide no storage optimization, and are not suitable for enterprise hybrid deployments.

Azure File Sync with cloud tiering is the correct solution because it maintains local performance for frequently accessed files, offloads cold data to Azure, ensures seamless access, supports centralized monitoring, encryption, compliance, and disaster recovery. This hybrid approach balances cost, performance, and manageability for enterprise Windows Server environments.

Question 74

You are designing a hybrid Windows Server environment where privileged administrative access must be strictly controlled. Administrative accounts should be used only when necessary, require multifactor authentication, and be auditable across both on-premises servers and Azure-hosted virtual machines. Which solution should you implement?

A) Azure AD Privileged Identity Management with dedicated admin accounts
B) Local administrator accounts on each server
C) RDP connections with saved credentials
D) Workgroup administrative accounts

Answer:  A) Azure AD Privileged Identity Management with dedicated admin accounts

Explanation:

Azure AD Privileged Identity Management (PIM) with dedicated administrative accounts provides a secure, auditable, and centralized mechanism for controlling elevated access in hybrid environments. PIM allows just-in-time activation of administrative roles, preventing standing privileges from being misused and reducing the risk of credential compromise. Dedicated accounts separate daily operational access from administrative access, reducing the exposure of sensitive credentials during routine work. Multifactor authentication is enforced during activation, adding an extra layer of security. All administrative actions are logged, monitored, and auditable, supporting compliance reporting, forensic analysis, and operational oversight. Approval workflows, time-bound access, and conditional access policies ensure that administrative privileges are granted only when required and under controlled conditions. Integration across on-premises servers and Azure-hosted VMs provides centralized visibility, governance, and monitoring, simplifying administration and reducing operational risk. PIM also allows IT teams to detect anomalous activation patterns and respond proactively to suspicious activities, aligning with enterprise security and zero-trust principles.

Local administrator accounts on each server lack MFA, centralized auditing, and just-in-time access control. They are unmanaged, increase the attack surface, and cannot enforce consistent security policies across a hybrid environment.

RDP connections with saved credentials are insecure because credentials can be intercepted or stolen. RDP does not provide centralized auditing, MFA, or time-bound activation, leaving privileged accounts exposed to compromise.

Workgroup administrative accounts operate independently on each server without MFA, auditing, or centralized governance. This increases operational complexity, reduces visibility, and undermines enterprise security and compliance requirements.

Azure AD PIM with dedicated administrative accounts is the correct solution because it enforces secure, time-bound, MFA-protected, and auditable privileged access. It ensures centralized governance, reduces risk, supports compliance, and provides consistent management across hybrid environments, aligning with enterprise security best practices.

Question 75

You are responsible for backup and recovery of hybrid Windows Server workloads. Backups must be encrypted, centrally managed, support long-term retention, and allow restores to both on-premises servers and Azure-hosted virtual machines. Which solution should you implement?

A) Azure Backup with the MARS agent
B) Local volume shadow copies
C) Manual Robocopy scripts
D) FTP-based cloud backup without encryption

Answer:  A) Azure Backup with the MARS agent

Explanation:

Azure Backup using the Microsoft Azure Recovery Services (MARS) agent provides a secure, automated, and centralized solution for hybrid Windows Server backup and recovery. The MARS agent encrypts backup data both in transit and at rest, ensuring the confidentiality and integrity of critical workloads. Administrators can define long-term retention policies to comply with regulatory requirements, retaining backups for months or years as needed. Azure Backup supports restoration to both on-premises servers and Azure-hosted virtual machines, providing flexible options for disaster recovery and business continuity. Centralized monitoring through the Recovery Services vault allows administrators to track backup health, generate compliance reports, and receive alerts for failed or incomplete backups. Incremental backup functionality optimizes network bandwidth and storage usage while maintaining full recoverability. Role-based access control ensures that only authorized personnel can perform backup and restore operations, enhancing security and reducing the risk of unauthorized access. Integration with hybrid infrastructure provides unified management for both cloud and on-premises workloads, improving operational efficiency, governance, and compliance.

Local volume shadow copies provide only point-in-time recovery for individual servers. They lack centralized monitoring, encryption, cloud integration, long-term retention, and auditing, making them inadequate for enterprise hybrid backup requirements.

Manual Robocopy scripts allow basic file copying but provide no encryption, retention policies, monitoring, or centralized management. Scripts are prone to error, require ongoing maintenance, and cannot reliably meet compliance or operational recovery requirements in hybrid environments.

FTP-based cloud backup without encryption exposes data to interception and unauthorized access. It lacks centralized monitoring, auditing, retention management, and disaster recovery integration, making it unsuitable for enterprise hybrid workloads.

Azure Backup with the MARS agent is the correct solution because it provides fully managed, encrypted, centralized, hybrid-aware backup with long-term retention, compliance reporting, and flexible restore options. It ensures operational continuity, data protection, regulatory compliance, and secure recovery for both on-premises and Azure-hosted Windows Server workloads.