AZ 900 Practice Exam 3
Take your exam preparation to the next level with fully simulated online practice tests designed to replicate the real exam experience. These exams feature realistic questions, timed conditions, and detailed explanations to help you assess your knowledge, identify weak areas, and build confidence before test day.
1. A technology firm is deploying an Azure VNet for an application that requires integration with its on-premises datacenter. They want to limit the Azure subnet’s IP range to avoid IP conflicts with the on-premises network. What is the best approach to configure this subnet to prevent IP conflicts?
Answer: A. Use a smaller CIDR block in the Azure subnet to avoid overlap Explanation: Configuring the Azure subnet with a smaller, non-overlapping CIDR block (A) ensures that its IP range does not conflict with the on-premises network, allowing for seamless integration. This approach allows the company to create distinct IP ranges for both networks, preventing address conflicts. Assigning public IPs (B) is unnecessary for internal communication and would expose resources to the internet. Configuring dynamic IPs (C) does not address IP range conflicts, as it merely allocates addresses within the subnet’s assigned range. Network Security Groups (D) control traffic flow but do not resolve IP range conflicts between networks.
2. An organization is deploying a complex microservices-based application on Azure. They want to track specific performance metrics, such as request rates and error counts, for each service component. Which Azure Monitor feature would best support this level of monitoring?
Answer: A Explanation: The organization should use Application Insights (A) within Azure Monitor, as it provides detailed performance metrics, such as request rates and error counts, for each component in a microservices architecture. This allows for targeted monitoring and troubleshooting of individual services. Option (B), Azure Monitor Logs, aids in log collection but lacks the specificity required for monitoring microservices metrics. Option (C), Service Health, provides updates on Azure service outages but not detailed performance data. Option (D), Resource Health, monitors resource status but does not deliver application-specific metrics needed for microservices.
3. A research institution wants to run complex simulations that require high memory capacity. They need to periodically run these simulations but want to avoid long-term commitments to resources. Which Azure VM family should they select to meet high memory requirements and allow for flexible, on-demand use?
Answer: B. E-Series Explanation: E-Series (B) VMs are optimized for high-memory workloads, making them ideal for simulations and data-intensive applications that the research institution needs. This VM family provides a balance of CPU and high memory without requiring long-term commitments, suitable for on-demand simulation runs. D-Series (A) VMs offer general-purpose resources but lack the high memory capacity needed for complex simulations. F-Series (C) are compute-optimized but do not offer the memory resources necessary for these workloads. B-Series (D) are burstable VMs with limited resources, which are unsuitable for memory-intensive applications like simulations.
4. A healthcare company is deploying an Azure application that must adhere to stringent EU data residency regulations while also maintaining business continuity in the event of a regional outage. They need an Azure region pair within Europe to ensure redundancy and data residency compliance. Which pair should they consider for this setup?
Correct Answer: B Explanation: North Europe and West Europe (B) are Azure region pairs that both reside within the EU, ensuring compliance with European data residency regulations and enabling effective disaster recovery. This pair provides seamless failover within Europe, maintaining data compliance. North Europe and East US (A) would violate EU residency requirements due to the US location, and France Central and South Africa North (C) would move data outside Europe, creating compliance issues. East Asia and Southeast Asia (D) are Azure region pairs but are irrelevant to European data residency, making North Europe and West Europe the best option.
5. A healthcare company is concerned about the cost of running their on-premises applications in Azure. Before migrating, they want to know the estimated Azure costs and any potential savings for their setup. Which Azure Migrate tool should they use to evaluate these costs?
Answer: C. Cost Estimation within Server Assessment Explanation: Cost Estimation within Server Assessment (C) in Azure Migrate allows the healthcare company to evaluate the projected costs of running on-premises applications in Azure, providing an estimated monthly cost based on current configurations and Azure pricing models. This tool includes sizing recommendations and identifies potential savings, which aids in budgeting and decision-making. Database Migration (A) is for transferring databases, not cost estimation. Server Migration (B) handles migration processes, not cost assessments. Dependency Mapping (D) is used for mapping server relationships, not cost evaluation.
6. A retail business hosts its customer database on Azure SQL Database and needs predictable costs while ensuring high reliability to prevent downtime during holiday sales. Which Azure feature would best support these requirements?
Correct Answer: B Explanation: Option (B) is correct because an Azure SQL Database reserved instance offers predictable monthly costs and reliable performance commitments, which aligns well with the business’s needs for budget management and reliability during peak times. Reserved instances ensure cost predictability and are suitable for long-term, high-reliability use cases. Option (A) is incorrect as auto-scaling adds unpredictable cost variables based on usage surges. Option (C) is incorrect because while Azure Cosmos DB supports global distribution, it does not align with the requirements for SQL Database or cost predictability. Option (D) is incorrect as geo-redundant backups enhance data availability but do not control operational costs or the primary database's reliability.
7. A financial firm needs to enforce strict role-based access to its Azure resources to comply with industry regulations. Their goal is to minimize the number of individuals with privileged access to critical resources, while still ensuring the efficiency of operations. Which Azure tool is best suited to help manage these access permissions effectively?
Correct Answer: A Explanation: Option (A) is correct because Azure AD Privileged Identity Management (PIM) provides just-in-time access to privileged roles and allows for strict role-based access, ensuring that only users with temporary, necessary permissions can access sensitive resources. This minimizes the risks associated with permanent administrative rights and aligns with regulatory requirements for controlled access. Option (B) is incorrect as Identity Protection focuses on detecting suspicious sign-ins, not on controlling role-based access. Option (C) is incorrect as Azure Policy enforces configuration rules but does not manage specific user roles or privileged access. Option (D) is incorrect as Azure Firewall manages network-level security but does not control role-based access to Azure resources.
8. A cybersecurity team needs to review audit logs and access reports across an entire Azure subscription but should not have any rights to modify resources. Which Azure RBAC role would be the best assignment for the team to fulfill this need?
Answer: A Explanation: The Security Reader role at the subscription level (A) is the most appropriate role for the cybersecurity team, as it allows them to review security-related information, audit logs, and access reports without the ability to make any modifications. The Contributor role at the subscription level (B) grants modification permissions, which is beyond the requirements. The Owner role at the resource group level (C) provides full control, including access to manage permissions within the resource group, which exceeds the needs. The Virtual Machine Contributor role (D) is limited to managing virtual machines and does not allow viewing of audit logs and access reports across the subscription.
9. A data analytics company needs to keep track of data ingestion in its Azure SQL database, ensuring that the data growth rate does not surpass the allocated storage capacity. The operations team plans to set up an alert for this purpose. What type of Azure Monitor alert would best fit their needs?
Answer: B Explanation: The operations team should implement a Metric Alert (B) to monitor data storage usage in Azure SQL, which can be configured to trigger alerts if storage capacity approaches a defined threshold. Metric Alerts allow tracking of resource-specific metrics like storage, making them ideal for monitoring database growth. Option (A), a Log Analytics Alert, is suited for detailed log queries but not for direct storage monitoring. Option (C), Service Health Alerts, focus on regional or service-level outages rather than database-specific metrics. Option (D), Activity Log Alerts, track configuration changes rather than resource usage.
10. A healthcare organization is running a mission-critical application that must be available 24/7. They are required to ensure predictable costs and are considering different pricing models on Azure. Which model best meets their need for cost predictability and uninterrupted service?
Answer: B. Explanation: Reserved Instances (B) are the ideal choice for this healthcare organization, as they offer cost predictability by locking in rates for a specified period, making budgeting easier. Reserved Instances also provide guaranteed availability, which is essential for a mission-critical application. (A) Spot Instances are unsuitable as they are interruptible, risking downtime for essential services. (C) Free Tier would not meet the organization’s needs due to resource limitations. (D) Pay-As-You-Go provides flexibility but can lead to unpredictable costs if the application runs continuously, making it less ideal for budget-sensitive planning.
11. During a quarterly audit, Mark discovers that his team’s Azure resources consistently exceed budget allocations. He decides to use Azure Advisor to identify areas where they can cut costs. Which of the following recommendations from Azure Advisor would directly support this goal?
Answer: A Explanation: Azure Advisor's Cost tab helps identify potential savings by suggesting adjustments like resizing or shutting down underutilized virtual machines (A). This directly aligns with Mark’s goal to reduce costs. Options (B) and (C) focus on security and redundancy, which may indirectly affect costs but are not specific to budget optimizations. While (D) scaling can reduce costs under certain conditions, it’s not as immediate or targeted for cost savings as eliminating underutilized resources.
12. A company needs to migrate a large dataset from its data center to Azure Blob Storage. Due to network limitations, an online transfer is impractical, and they require a secure, offline transfer option. Which migration tool would best address this requirement?
Answer: C. Azure Data Box Explanation: Azure Data Box (C) is a physical device provided by Microsoft for secure, offline data transfer, allowing companies to move large datasets to Azure when network conditions are unsuitable for online transfers. The company can load data onto the Data Box, ship it to Microsoft, and have it uploaded to Azure Blob Storage, ensuring both security and reliability. Azure Site Recovery (A) is used for VM replication rather than bulk data transfer. Azure File Sync (B) enables file synchronization between on-premises servers and Azure Files but does not offer an offline option. Azure Storage Explorer (D) is a GUI-based tool for managing Azure Storage but requires a network connection for data transfer.
13. An analytics team is exploring large datasets stored in Azure Blob Storage to identify anomalies. They need a solution to quickly preview data files and retrieve only the necessary files without downloading the entire dataset. Which Azure tool would best suit this requirement?
Answer: C. Azure Storage Explorer Explanation: Azure Storage Explorer (C) is ideal for quick data exploration, as it allows users to preview files and selectively download specific data without needing to download the entire dataset. This feature is essential for efficiently analyzing large datasets stored in Azure Blob Storage. Azure Data Box (A) is designed for bulk offline data transfers and is unsuitable for selective data exploration. AzCopy (B) provides command-line data transfer capabilities but lacks preview and selective download features. Azure File Sync (D) synchronizes on-premises files with Azure Files, which does not address the team’s need for exploring datasets in Blob Storage.
14. A financial services company has a regulatory requirement to retain data for seven years. The data will be rarely accessed but must be immediately accessible when needed, with minimal delay. The company also wants to optimize costs based on the low-access frequency. Which Azure Storage option would best meet these requirements?
Answer: C. Azure Blob Storage (Cool Tier) Explanation: Azure Blob Storage Cool Tier (C) is ideal for data that is infrequently accessed but must be available for immediate access, balancing storage cost and access requirements. The Cool Tier offers lower storage costs than the Hot Tier, which is suited for more frequently accessed data, while maintaining accessibility. Archive Tier (B) would provide the lowest storage cost, but it requires several hours to retrieve data, making it unsuitable for situations where immediate access is necessary. Managed Disks (A) are designed for virtual machine storage, offering high-performance block-level storage, and would be an inefficient choice for low-access archive data. Azure File Storage (D) provides managed file shares and is optimized for file-based workloads, not for infrequently accessed, long-term archive storage.
15. An enterprise runs applications on Kubernetes clusters across multiple clouds and needs centralized policy management, monitoring, and access control for these clusters. How can Azure provide a unified solution to manage these diverse environments through a single portal?
Correct Answer: B Explanation: The correct answer is B. Azure Arc-enabled Kubernetes allows Azure’s management capabilities, including policy enforcement, monitoring, and role-based access control, to extend to Kubernetes clusters outside Azure. This enables organizations to centrally manage multiple clusters across hybrid and multi-cloud environments using Azure’s tools. Deploying AKS (A) is limited to Azure and does not address multi-cloud needs. Azure Resource Groups (C) are primarily organizational tools and do not provide cross-environment control. Azure Active Directory (D) can assist with access control but does not offer comprehensive policy and monitoring capabilities across Kubernetes clusters.
16. A manufacturing firm has several terabytes of historical machine data stored on old servers, which they want to archive in Azure. The data transfer needs to be completed in a secure and reliable manner with minimal impact on network bandwidth. They also want a solution that can handle the transfer in a single batch. Which Azure Data Box option is most appropriate?
Answer: A. Azure Data Box Heavy Explanation: Azure Data Box Heavy (A) is designed for large-scale offline data transfers and supports up to 1 petabyte of data, making it ideal for transferring several terabytes of historical machine data in a single batch. This solution provides secure AES-256 encryption and minimizes network impact by eliminating the need for an online connection during transfer. Azure Data Box Gateway (B) is intended for continuous, online data transfer and not suitable for one-time large migrations. Azure Data Box Disk (C) has a lower capacity and would require multiple disks for this data volume, making it less efficient. Azure Storage Explorer (D) is a tool for managing storage but does not support offline transfers and requires an internet connection.
17. A financial services organization needs to set up a secure virtual network in Azure that can connect with its on-premises datacenter for seamless communication between cloud and local resources. They want a secure connection over the internet to minimize costs. Which Azure networking service should they use?
Answer: B. Site-to-Site VPN with VPN Gateway Explanation: A Site-to-Site VPN with VPN Gateway (B) provides a secure connection over the internet, allowing the organization to connect its on-premises datacenter with the Azure virtual network in a cost-effective manner. It establishes an encrypted tunnel, ensuring secure communication between cloud and local resources. ExpressRoute (A) provides a dedicated private connection but is more costly, as it bypasses the internet. Application Gateway with private endpoints (C) is designed for web application routing and doesn’t provide a direct link between on-premises networks and Azure VNets. Point-to-Site VPN (D) is intended for individual device connections to Azure rather than connecting entire on-premises networks.
18. An e-commerce business is concerned about regulatory compliance and needs a solution that will monitor their Azure environment to ensure it meets various industry standards. Which Microsoft Defender for Cloud feature would help the business continuously assess and improve compliance across their resources?
Answer: A Explanation: The Regulatory Compliance Dashboard (A) in Microsoft Defender for Cloud allows the e-commerce business to continuously assess and track compliance with industry standards by monitoring resources and recommending remediation actions for compliance gaps. Identity Protection Alerts (B) are specific to identity risks, not regulatory compliance. Azure Policy Assignments (C) help enforce policies but do not provide a comprehensive view or continuous assessment of compliance. Application Gateway with Web Application Firewall (WAF) (D) protects web applications but does not monitor for regulatory compliance.
19. A financial institution has created several Azure resources to support its business-critical applications. To streamline operational management and control costs, the IT team needs to group resources based on specific business functions such as "Accounting," "Customer Support," and "Marketing." Which Azure feature should they leverage to organize and manage these resources effectively?
Correct Answer: A Explanation: Using Azure Tags on individual resources (A) allows the financial institution to organize resources according to business functions by adding metadata labels such as "Accounting," "Customer Support," and "Marketing." Tags make it easier to filter, report, and manage costs based on specific business units, especially when resources span across multiple resource groups or subscriptions. Option B (a single resource group) would not provide the functional organization required. Option C (separate storage accounts) is too narrow, as it does not support organizing other types of resources, and Option D (different virtual networks) is not suitable for function-based organization, making tagging the most practical solution.
20. A retail company is developing a new service for processing customer transactions. They require a scalable and cost-efficient compute solution that only charges for the execution time and scales automatically based on demand. Additionally, they prefer minimal infrastructure management. Which Azure compute service should they choose?
Answer: B. Azure Functions Explanation: Azure Functions (B) provides a serverless environment in which users pay only for execution time and capacity scales automatically based on demand, making it ideal for transaction processing workloads that may fluctuate. This service eliminates infrastructure management, aligning well with the company's requirements. Azure Virtual Machines (A) offer more control but involve higher management overhead and charge even when idle. Azure Kubernetes Service (C) is effective for managing containers but involves setup and management complexity beyond what’s needed for serverless functionality. Azure Batch (D) is intended for large parallel processing tasks and is not optimized for real-time transaction processing.
21. A software development firm is launching a collaborative application-building environment for developers. They require a model that provides pre-configured environments for rapid application testing, while allowing minimal intervention on infrastructure management and enabling easy integration of databases and APIs. Which Azure cloud service model should they choose to efficiently support this development environment?
Answer: C. Platform as a Service (PaaS) Explanation: Platform as a Service (PaaS) (C) is suitable for this firm as it offers a pre-configured environment for developers to quickly deploy and test applications with minimal infrastructure management. PaaS provides an integrated development and deployment environment with the ability to easily connect databases and APIs, enhancing the collaborative application-building process. SaaS (A) delivers complete applications, which is not flexible for custom development. IaaS (B) requires significant infrastructure management, conflicting with the firm’s requirement for minimal intervention. Serverless Computing (D) is designed for executing discrete code blocks in response to events, rather than supporting a full application development and deployment environment.
22. A global consultancy firm needs a secure email solution that their employees can access from any device and location. They want a service that does not require managing servers, software updates, or any underlying infrastructure, focusing solely on email and collaboration tools for internal communication. Which Azure cloud service model is most appropriate for this scenario?
Answer: C. Software as a Service (SaaS) Explanation: Software as a Service (SaaS) (C) is the most appropriate model for a fully managed email and collaboration solution that the consultancy firm can access globally without managing servers or updates. SaaS email platforms, such as Microsoft 365, are hosted by the provider and include automatic updates and security features, fitting the firm’s requirement for accessibility and zero infrastructure management. Infrastructure as a Service (IaaS) (A) and Virtual Machines (D) require server management, contradicting their needs. Platform as a Service (PaaS) (B) provides an environment for custom app development, unsuitable for pre-built email solutions.
23. A technology company is moving entirely to Azure and wants to eliminate passwords for all employees to enhance security and streamline sign-ins. They prefer an option that utilizes employees' mobile devices for authentication and does not require hardware changes. Which Azure authentication option would be the most suitable?
Answer: A Explanation: Passwordless Authentication with Microsoft Authenticator (A) is the best choice as it allows employees to authenticate using their mobile devices without needing passwords, aligning with the company’s goal to streamline sign-ins and enhance security without additional hardware. Windows Hello for Business (B) is an option but typically requires compatible hardware, making it less ideal for a company-wide rollout focused solely on mobile devices. Multi-Factor Authentication (MFA) (C) still requires passwords as part of the authentication process, contrary to the company’s objective of a passwordless environment. Password Hash Synchronization (D) syncs passwords but does not eliminate them.
24. An organization wants to secure its Azure resources by ensuring that only users with secure, managed devices can access specific applications. These devices must have certain configurations, such as being joined to the organization’s directory and compliant with device policies. Which Conditional Access setting in Microsoft Entra ID would best enforce this requirement?
Answer: A Explanation: Require Hybrid Azure AD-joined devices in the Conditional Access policy (A) is the most suitable choice as it restricts access to devices that are joined to the organization’s Active Directory and comply with its policies, ensuring that only managed devices can access specific applications. Azure AD B2B with limited permissions (B) is for external user access and does not enforce managed device requirements. Conditional Access with password reset requirements (C) is focused on password policies rather than device compliance. RBAC (D) manages permissions but does not enforce device-based restrictions.
25. An organization plans to move a large amount of data to Azure but is concerned about bandwidth limitations and the time required to complete the transfer. They need an offline data transfer solution to overcome these limitations. Which Azure service would be the most appropriate choice?
Answer: A. Azure Data Box Explanation: Azure Data Box (A) provides a physical, offline data transfer solution that allows organizations to move large datasets to Azure without impacting network bandwidth. The Data Box is shipped to the customer, who loads data onto it and then returns it to Microsoft for direct uploading to Azure, making it ideal for scenarios where network constraints or transfer times are a concern. AzCopy (B) is an online transfer tool, which would not alleviate bandwidth concerns. Azure Site Recovery (C) is designed for disaster recovery and continuous replication, not data transfer. Azure File Sync (D) is primarily used for synchronizing on-premises file servers with Azure Files, not for large offline data migration to Blob Storage.
26. A government organization needs a secure, private, high-throughput connection from their on-premises network to Azure for hosting critical applications. Due to compliance, they require that data does not traverse the internet and remains within a private link. They also need the flexibility to connect multiple branch offices. Which solution meets all these requirements?
Answer: C. ExpressRoute with Global Reach Explanation: ExpressRoute with Global Reach (C) provides a secure, private connection that ensures data remains within a private network, not traversing the public internet, making it ideal for critical applications with strict compliance requirements. Global Reach also allows for connectivity across multiple branch offices, offering the flexibility needed by the government organization. ExpressRoute with Local Circuit (A) provides private connectivity within a local area but lacks the multi-branch connectivity offered by Global Reach. Azure VPN Gateway with Point-to-Site (B) relies on the internet and does not offer the same level of throughput or compliance. Site-to-Site VPN with forced tunneling (D) directs traffic through on-premises but uses the public internet, compromising security and compliance for critical applications.
27. A company wants to transfer data from its local server to an Azure Blob Storage container, but the network connection is unreliable. They need a solution that can automatically restart the upload if the connection drops. Which AzCopy feature would be most useful in this case?
Answer: B. /resume Explanation: The /resume option in AzCopy (B) allows for partially completed transfers to restart from where they left off if the connection is interrupted, which is essential in unreliable network scenarios. This feature reduces the need to restart the upload from the beginning, saving both time and bandwidth. The /check-md5 (A) option is used to verify file integrity but does not manage connection issues. /set-content-type (C) is for specifying file content types during transfer, which doesn’t address connectivity problems. The /cap-mbps (D) option limits the transfer speed but does not facilitate reconnections or resumption of interrupted uploads.
28. A development team needs to quickly replicate a complex infrastructure setup, including databases, networking, and virtual machines, for testing purposes. They want to avoid setting up each component manually and need a scalable solution that ensures the testing environment is consistent with the production environment. Which IaC approach would best meet these requirements?
Correct Answer: A Explanation: The correct answer is A. ARM Templates enable the development team to define the complete infrastructure, including databases, networking, and virtual machines, in a single, declarative JSON file. This approach allows them to deploy consistent environments for testing that mirror production without manual setup, improving scalability and reducing errors. Manually configuring the environment in the Azure portal (B) is time-consuming and prone to inconsistencies. Azure Site Recovery (C) is designed for disaster recovery, not infrastructure replication, and Azure DevTest Labs (D) facilitates testing but is not an IaC tool, requiring manual setup for each resource.
29. A company’s security team has implemented MFA on all employee accounts in Azure AD. However, they want an additional layer of security by enforcing MFA only when users access resources from unknown devices or locations. Which Azure feature should they configure in conjunction with MFA to meet this requirement?
Answer: A Explanation: Conditional Access Policies (A) allow the security team to enforce MFA based on specific conditions, such as access from unknown devices or untrusted locations, providing an extra layer of security without requiring MFA for every access attempt. Identity Protection (B) helps detect and remediate risks but does not enforce access conditions as directly as Conditional Access Policies. Azure AD Connect (C) synchronizes identities but does not control access based on conditions. Role-Based Access Control (RBAC) (D) assigns permissions but does not enforce conditional MFA.
30. A small business wants to adopt a cost-effective and fully managed solution for accounting and payroll processing. The solution should offer automatic updates, regulatory compliance features, and require minimal involvement from the business’s IT team. Which cloud service model would best suit these business requirements?
Answer: C. Software as a Service (SaaS) Explanation: Software as a Service (SaaS) (C) is the optimal choice for this small business, as it provides a fully managed solution with automatic updates, compliance features, and minimal IT involvement, allowing them to focus on core business functions. SaaS offers ready-to-use applications, ideal for tasks like accounting and payroll that require security and regulatory compliance. Infrastructure as a Service (IaaS) (A) would require server management, adding complexity. Platform as a Service (PaaS) (B) focuses on development environments rather than packaged applications. Function as a Service (FaaS) (D) is not suited for complete applications and is better used for executing individual code snippets on-demand.
31. Emma is responsible for monitoring her organization’s critical resources in Azure. She wants to ensure that her team is immediately notified in case of any outages or service disruptions in their deployed Azure region. What is the most effective action Emma can take to automate notifications for any service health issues in her region?
Answer: B Explanation: Emma should configure Service Health alerts (B), which will automatically send notifications of any service outages or disruptions affecting her specified region, ensuring her team is notified in real time. Option (A) would be ineffective due to the manual effort involved. While Option (C), Resource Health, provides resource-specific health insights, it does not proactively notify about regional outages. Option (D) in Azure Monitor focuses on specific resource metrics rather than Azure service disruptions in Emma’s region.
32. An educational organization has numerous departments, each with its own Azure subscriptions. The IT team wants to simplify access management and monitor resources centrally for all departments. They need to assign specific policies and access permissions to each department but still require a single point of monitoring. How should they achieve this with Azure Management Groups?
Correct Answer: B Explanation: Creating separate management groups for each department (B) and monitoring resources at the root management group level allows the IT team to apply department-specific policies and permissions while maintaining a single, centralized point for monitoring resources across all departments. This structure provides flexibility for access control and policy management at each departmental level while enabling centralized oversight. Option A (single management group with individual permissions) complicates access control and policy customization. Option C (one subscription with resource groups) lacks isolation for departments, and Option D (AAD roles without organizing subscriptions) does not provide the necessary structure for centralized policy and monitoring, making B the most effective setup.
33. A financial services company is concerned about protecting its sensitive data in Azure. They want to apply the defense-in-depth model by securing resources at every layer, including identity, perimeter, and data. They are implementing Multi-Factor Authentication (MFA), firewalls, and data encryption. Which of these represents the correct alignment of defense-in-depth with the specified security measures?
Answer: A. MFA for the identity layer, firewalls for the network layer, and encryption for the data layer (A) aligns with the defense-in-depth model by implementing security measures at each appropriate layer: MFA secures user identity, firewalls protect the network perimeter, and encryption safeguards data. Firewalls at the application layer (B) and data layer (D) do not effectively secure the respective elements. Applying MFA at the perimeter or network layer (C and D) does not align with the defense-in-depth model, as identity measures target access authentication rather than network protection.
34. A project team uses Azure resources in a development environment, and they want to track their Azure spend closely to avoid exceeding the allocated budget. They also want to forecast costs based on current usage trends. Which Azure feature should they use to analyze current expenses and predict future costs?
Correct Answer: A Explanation: Azure Cost Analysis (A) provides detailed insights into current and past Azure expenses and includes cost forecasting capabilities based on usage trends, making it ideal for the project team’s need to track and predict costs. This helps the team stay within budget by understanding spending patterns and adjusting resource usage accordingly. The Azure Reservations Calculator (B) is used for estimating costs for reserved instances but doesn’t offer expense tracking or forecasting features. Azure Advisor Recommendations (C) focuses on cost optimization suggestions rather than forecasting or detailed spend tracking. Azure Cost Alerts (D) can notify when spending reaches a threshold but does not provide forecasting capabilities.
35. A pharmaceutical research organization has a large number of Azure resources across various subscriptions for different research projects. They want to implement a system that allows them to apply consistent configurations, manage compliance, and track changes across all these resources. Which Azure solution would be the best fit?
Correct Answer: A Explanation: Option (A) is correct because Azure Policy enables the pharmaceutical organization to apply and audit configurations across all resources, ensuring that they comply with set standards and configurations. It also helps in tracking compliance status and alerts them if resources deviate from policies, making it ideal for managing configurations across subscriptions. Option (B) is incorrect as Key Vault is intended for securing secrets and keys, not for enforcing compliance or managing configurations. Option (C) is incorrect as Azure DevOps focuses on automating code deployment and CI/CD processes rather than enforcing policy compliance. Option (D) is incorrect because while Azure Monitor provides health insights, it does not manage or enforce configuration standards across subscriptions.
36. A financial institution wants to implement a transaction processing function that only activates when new data is received and scales to meet high-volume demands at peak times. However, they want to avoid costs associated with idle infrastructure. Which Azure solution best meets these requirements?
Answer: B. Explanation: Azure Functions (B) is ideal because it operates on a serverless, event-driven model, activating only when new data is received and automatically scaling to handle high volume without incurring idle costs. This aligns with the financial institution’s goal of avoiding expenses during downtime while ensuring scalability for peak demands. (A) Azure Virtual Machines would incur ongoing costs even when idle, which is inefficient for event-driven needs. (C) Azure SQL Database supports data storage but does not provide serverless transaction processing. (D) Azure App Service is a managed platform for web apps but is less cost-effective than Functions for event-based transaction-processing tasks.
37. An e-commerce company experiences peak traffic during holiday seasons and has a requirement to scale resources on-demand without provisioning physical hardware. They need flexibility in resource management without extensive technical maintenance. Which benefit of cloud computing most effectively addresses this need?
Answer: A. Explanation: Elasticity (A) is the ideal cloud computing benefit here, as it allows the e-commerce company to scale resources up or down based on real-time demand without needing to over-provision or manage physical hardware. This is critical during peak seasons where traffic may suddenly increase, enabling resources to expand accordingly and then decrease once the peak is over. (B) Agility is a broader cloud benefit related to accelerating time to market and adapting quickly to business changes but doesn’t specifically address on-demand scaling. (C) Fault Tolerance ensures system resilience during component failures, which is essential for reliability but does not relate to scaling capacity. (D) High Availability is critical to ensure that services are continuously operational, yet it does not involve dynamically scaling resources to match fluctuating workloads.
38. A global e-commerce platform needs to implement Azure DNS to manage multiple domain names for different regional websites. The company wants to route users to the closest regional endpoint based on DNS resolution. Which additional service should they integrate with Azure DNS to achieve this geo-distributed routing?
Answer: A. Azure Traffic Manager Explanation: Azure Traffic Manager (A), when integrated with Azure DNS, enables geo-distributed routing by directing users to the nearest regional endpoint based on DNS resolution. Traffic Manager uses DNS-based routing to improve performance and reliability by directing traffic to the most appropriate location, ideal for a global e-commerce platform. Azure Application Gateway (B) provides web traffic management within a region but does not support geo-routing. Azure Load Balancer (C) balances traffic within a single region or VNet and does not provide global DNS-based routing. Network Security Groups (D) manage traffic flow rules but are unrelated to DNS or routing.
39. A company plans to use Azure Virtual Desktop to provide remote workers with access to company applications. They need a solution that will support applications requiring both GPU processing for graphic-intensive workloads and general CPU resources for regular tasks. Which Azure Virtual Desktop configuration is most appropriate?
Answer: B. GPU-enabled virtual machines in the host pool Explanation: GPU-enabled virtual machines in the host pool (B) are specifically designed to support graphic-intensive applications that require GPU processing alongside general-purpose CPU tasks. This configuration ensures that remote workers have the required GPU resources for demanding applications, which are commonly needed in fields such as design, engineering, and media. General-purpose VMs (A) are inadequate for graphic-intensive workloads, as they lack GPU support. Persistent desktops with high IOPS storage (C) improve storage performance but do not address the need for GPU processing. Basic session hosts with low-latency network options (D) may reduce latency but still do not provide the necessary GPU power for graphic-intensive applications.
40. A retail company is configuring its Azure environment to deploy a customer database on multiple virtual machines. They need to minimize the chance of downtime for database access, even during Azure’s planned maintenance activities. Which configuration should they implement to ensure this level of high availability?
Answer: B. Configure the VMs in an Availability Set Explanation: Configuring VMs in an Availability Set (B) is crucial for high availability, as it spreads VMs across multiple update and fault domains. This configuration minimizes the risk of downtime during Azure maintenance events by ensuring that updates affect only one domain at a time, allowing other VMs to stay operational. Availability Zones across regions (A) would provide redundancy but are generally more costly and suited for cross-region disaster recovery. Spot Pricing (C) is not ideal for applications needing high availability due to its interruptible nature. Using a single fault domain (D) keeps all VMs in the same domain, increasing the risk of simultaneous downtime.
41. A financial institution must keep transaction logs in Azure Storage with a requirement to maintain multiple backups for compliance. These logs need to be replicated across multiple geographic regions for disaster recovery, while also ensuring high availability in the primary region. Which Azure storage redundancy option should they choose?
Answer: D. Geo-Zone-Redundant Storage (GZRS) Explanation: Geo-Zone-Redundant Storage (GZRS) (D) is the most suitable option for this scenario, as it offers both intra-region zonal redundancy and cross-region replication, providing high availability in the primary region and backup in a secondary region for disaster recovery. This dual redundancy ensures that data remains accessible even if both a zone and an entire region experience an outage, meeting the compliance and disaster recovery requirements of the financial institution. Locally Redundant Storage (A) only protects data within a single data center, lacking geographic redundancy. Geo-Redundant Storage (B) replicates data to another region but does not include intra-region zone-level redundancy, which could reduce availability within the primary region. Zone-Redundant Storage (C) is confined to one region and lacks cross-region replication, failing to meet the disaster recovery requirement.
42. You are responsible for managing a large number of Azure resources and need to execute scripts that access the Azure CLI on an ad-hoc basis. Your goal is to minimize both setup time and potential security risks associated with managing credentials on local machines. Which method should you use to achieve this?
Correct Answer: B Explanation: The correct answer is B. Azure Cloud Shell provides a managed environment with the Azure CLI pre-configured and authenticated automatically, reducing setup time and mitigating risks associated with managing credentials locally. Local installations (A) require credential storage and configuration, posing greater security challenges. An Azure VM (C) would add unnecessary complexity and cost. Azure DevOps (D) with a service principal is suitable for automated pipelines but doesn’t provide the interactive flexibility needed for ad-hoc script execution in the CLI.
43. An organization is planning to move its on-premises Active Directory–dependent applications to Azure to reduce on-premises infrastructure costs. These applications require Group Policy settings and domain join functionality to operate correctly. Which service in Azure allows them to achieve these requirements without modifying their applications?
Answer: A. Microsoft Entra Domain Services (A) provides domain join and Group Policy capabilities within Azure, allowing the organization to move Active Directory–dependent applications to the cloud without modifications. Conditional Access (B) does not support domain join or Group Policy. Azure Key Vault (C) securely stores secrets and keys but does not offer Active Directory features. Privileged Identity Management (PIM) (D) is designed to manage privileged role access and does not offer Group Policy or domain join capabilities.
44. A marketing firm wants to run multiple ad campaigns and anticipates sudden spikes in website traffic whenever a new campaign launches. They are considering Azure’s consumption-based model to manage their infrastructure. How does the consumption-based model support this scenario effectively?
Answer: C. Explanation: The consumption-based model allows the firm to scale resources on demand and pay based on actual usage (C), making it an ideal choice to manage variable traffic from ad campaigns. This ensures that the firm only pays for additional resources during traffic spikes and not during lower usage periods. (A) Monthly fees would charge the same amount regardless of traffic, leading to inefficient spending. (B) While scaling resources in advance may address some needs, it requires predicting traffic, which may not always be accurate, unlike dynamic on-demand scaling. (D) Fixed resources would limit flexibility, potentially causing issues during unexpected spikes.
45. A research team in an academic institution uses Azure to store a large dataset that is only accessed during specific project phases a few times each year. They want to keep storage costs low but need access within a few minutes when required. Which Azure Blob Storage tier would best fit this usage pattern?
Answer: C. Cool Tier Explanation: The Cool Tier (C) is designed for data that is infrequently accessed but still requires low latency for retrieval, making it a suitable choice for data that will be accessed a few times each year. It provides lower storage costs than the Hot Tier but still ensures quick access, unlike the Archive Tier, which requires several hours for data retrieval, rendering it unsuitable for on-demand data access. The Hot Tier (A) is more expensive and intended for data accessed frequently. The Premium Tier (D) is optimized for high-performance needs, typically transactional workloads, and is unnecessarily costly for data with infrequent access requirements.
46. An e-commerce company has deployed its entire stack on Azure, leveraging different cloud service models, including IaaS, PaaS, and SaaS, to support various functions. Their cybersecurity team is reviewing responsibilities under the shared responsibility model. For their IaaS deployment, what specific responsibility does the e-commerce team have to ensure their platform remains secure?
Answer: B. Explanation: In an IaaS model, configuring network security groups for VMs (B) falls under the customer’s responsibility, as it is crucial for protecting the environment from unauthorized access and attacks. Azure manages the physical security of its data centers (A) and provides updates for its own software (C), but customers must handle configuration tasks, such as setting firewall rules and access permissions. Implementing identity management for Azure staff (D) is managed by Microsoft, so it is not the customer’s concern. The e-commerce team must focus on securing their specific IaaS resources, including configuring security measures around their virtual networks and machines.
47. An IT administrator notices that their organization’s Azure bill includes unexpected charges related to data transfer. After reviewing, they find that a large portion of the cost is due to data being transferred between different regions. What step should they take to reduce these costs while maintaining access to data across multiple Azure services?
Correct Answer: C Explanation: Consolidating resources within the same region (C) reduces inter-region data transfer fees, as data transfers within the same region are generally not subject to the same charges. By placing interconnected resources in the same region, the organization can reduce or avoid these additional costs while maintaining access and functionality. Enabling geo-redundant storage (A) enhances disaster recovery but can increase costs by replicating data across regions. Zone-redundant storage (B) helps with availability within a region but does not address inter-region data transfer fees. Increasing bandwidth (D) does not reduce transfer fees and may lead to higher expenses if bandwidth usage increases.
48. A financial institution in the United States is considering Azure for its digital transformation but must comply with stringent financial data residency and security standards mandated by U.S. government regulations. Which Azure region would provide this institution with a compliant, isolated environment dedicated to handling government-regulated workloads?
Correct Answer: C Explanation: US Gov Virginia (C) is part of the Azure Government cloud, designed specifically for U.S. government agencies and contractors, ensuring high compliance standards and data residency within the United States. This region provides a secure, isolated environment with enhanced regulatory compliance, making it well-suited for government-regulated workloads in the financial sector. North Europe (A) and East Asia (D) are standard public regions outside the U.S., failing to meet the U.S. government’s compliance requirements, and Canada Central (B), although in North America, does not provide the same level of isolation or U.S.-specific regulatory compliance as US Gov Virginia, which is optimized for sensitive data.
49. An enterprise needs to improve its data management capabilities by centralizing metadata from various Azure services to improve data discovery, lineage, and compliance. The team requires a tool that will serve as a comprehensive metadata store for the entire data estate. Which Microsoft Purview feature should they implement to fulfill this requirement?
Correct Answer: C Explanation: Data Map (C) within Microsoft Purview serves as the central metadata store, offering data discovery, lineage, and compliance management across Azure services. It organizes metadata for easy retrieval, enhancing data management capabilities and facilitating regulatory compliance. Data Policy (A) focuses on managing governance policies, not serving as a central metadata repository. Data Insights (B) is intended for usage analytics rather than metadata storage. Azure Sentinel (D) is a security monitoring service and does not fulfill metadata management or data lineage requirements.
50. A large-scale Azure deployment includes resources supporting various applications, teams, and geographical locations. To simplify cost analysis and budgeting for each application and location, which approach would best help the organization organize their resource costs?
Correct Answer: B Explanation: Applying tags to each resource to indicate the application and geographical location (B) is the most effective approach, as tags provide a flexible way to categorize and manage resources based on custom attributes like application name and location. This allows the organization to filter and analyze costs by tags in Azure Cost Management, making it easier to track spending for each application and region. Grouping resources by region within subscriptions (A) is limited in flexibility and doesn’t allow for multi-dimensional categorization. Azure Blueprints (C) primarily helps in defining and deploying environments but doesn’t categorize costs. Multi-region billing (D) is not an Azure feature, as Azure costs are typically tracked within the region where a resource is deployed, without the need for a separate billing feature.
51. A marketing agency frequently collaborates with third-party content creators who need temporary access to the agency’s Azure resources. The agency wants to ensure creators can use their own email accounts for access without compromising security. What is the best Azure identity feature for this scenario?
Answer: A. Azure AD B2B with One-Time Passcodes (OTP) (A) is the best solution for temporary access, as it allows third-party users to sign in with their own email accounts using a secure one-time passcode without needing permanent Azure accounts. Identity Protection (B) adds security layers but does not enable onboarding of external, temporary users. Pass-through Authentication (C) authenticates users against on-premises Active Directory but is not suitable for one-time passcodes or temporary external identities. Azure AD Connect (D) synchronizes identities but does not support temporary access for external users.
52. A retail company wants to establish a secure connection between its branch offices and Azure resources, using an Azure VPN Gateway configured with Site-to-Site VPN. However, they are concerned about the reliability and latency of their internet-based connection and are considering a private solution that bypasses the public internet. Which solution would better suit their needs?
Answer: B. Use ExpressRoute instead of VPN Gateway Explanation: ExpressRoute (B) provides a private, dedicated connection that bypasses the public internet, offering improved reliability, lower latency, and higher performance compared to a VPN over the internet. This makes it ideal for the retail company’s need for a reliable and consistent connection. Azure VPN Gateway (A) uses an internet-based connection, which may not meet their reliability and latency requirements. Virtual Network Peering (C) is used for private connectivity within Azure VNets and does not connect on-premises networks to Azure. Application Gateway (D) manages web traffic but does not establish private, dedicated network connections to on-premises networks.
53. A cloud architect needs to ensure a specific Azure Storage account has encryption enabled as per the company’s security standards. They intend to verify the encryption settings using Azure PowerShell to confirm compliance. Which command would provide this information?
Correct Answer: C Explanation: The correct answer is C. Get-AzStorageAccount with Select-Object is used to retrieve specific properties of a storage account, including encryption settings, in Azure PowerShell. This allows the architect to review the encryption status and ensure compliance with security policies. Get-AzStorageAccountKey (A) only retrieves access keys for the storage account, not encryption settings. Get-AzResource (B) lists resources but doesn’t directly display encryption details for storage accounts. Check-AzStorageAccountEncryption (D) is not an actual PowerShell cmdlet, making it incorrect for this requirement.
54. An online gaming company plans to host a high-demand multiplayer gaming platform on Azure. They need minimal latency and continuous availability for players within a region, even during an Availability Zone failure. What deployment approach should the company use to meet these requirements?
Correct Answer: B Explanation: Distributing the platform across three Availability Zones and utilizing a load balancer (B) enables the gaming company to achieve minimal latency and high availability, as the load balancer can direct traffic to healthy instances even if one or more zones fail. This setup ensures that the platform remains online within the same region, providing a seamless experience for players. Option A (single zone deployment) lacks the redundancy needed, and Option C (one scale set with fault domains in a single zone) does not offer zone-level failover. Option D (different regions) may increase latency and operational complexity, making B the most effective solution for high demand and availability.
55. An IT team is preparing for an Azure-wide deployment and needs to secure certain resources so that no changes can be made accidentally, either by deletion or modification, while the deployment proceeds. What type of lock should they apply to achieve this level of protection?
Correct Answer: B Explanation: A Read-Only Lock (B), also known as “ReadOnly,” is the correct choice because it restricts all actions except read-only operations, ensuring no modifications or deletions can be made. This is particularly useful during deployments to prevent accidental changes. A Modify Lock (A) is not an actual lock type in Azure, so it does not apply. A Delete Lock (C) only prevents deletions but allows other changes, which is insufficient for this requirement. Edit Lock (D) is also not a valid lock type in Azure, making it an incorrect option.
56. A mobile gaming company plans to use Azure AD B2C to allow users to sign in to their gaming app with various identity providers. They want the option to add custom branding and terms of service to the login process to enhance the user experience and ensure compliance. Which feature of Azure AD B2C should they configure to meet these requirements?
Answer: A. Custom Policies (A) in Azure AD B2C allow the gaming company to customize branding, terms of service, and user experience during login, helping them maintain compliance and enhance the brand experience. Azure AD Connect with identity synchronization (B) is not relevant, as it is designed for synchronizing on-premises identities. Multi-Factor Authentication (MFA) (C) provides added security but does not address branding or compliance customization. Password Hash Synchronization (D) ensures password consistency but is not applicable to consumer identity management.
57. A retail company wants to reduce its infrastructure costs and improve operational flexibility by using cloud services. However, it has specific security policies requiring certain financial data to remain on-premises. The company also wants to use cloud computing to handle high-traffic events, such as holiday sales. Which cloud model would best meet these requirements?
Answer: C. Explanation: Hybrid Cloud (C) is the best choice for the retail company, as it allows critical financial data to remain on-premises in compliance with security policies while leveraging cloud resources for scalable infrastructure to handle high-traffic periods. During peak times, such as holiday sales, the cloud can dynamically provide additional resources to meet increased demand, reducing the need to over-invest in on-premises infrastructure. (A) Private Cloud would require extensive on-premises infrastructure, making it costly and inflexible for handling fluctuating traffic. (B) Public Cloud alone would not meet the security requirement to keep financial data on-premises. (D) Multi-Cloud can involve using multiple public clouds, which would add complexity without necessarily addressing the on-premises security need.
58. An organization needs a virtual machine that can serve as a development environment for testing new applications. They want to ensure the environment is cost-effective, as it won’t run continuously, and they need a machine that can be upgraded as their testing requirements grow. Which Azure virtual machine pricing model would be the best choice for this scenario?
Answer: D. Dev/Test Subscription Explanation: The Dev/Test Subscription (D) provides a cost-effective solution specifically designed for development and testing purposes, offering significant savings over standard Pay-As-You-Go pricing for these workloads. This model is ideal for non-production environments that won’t run continuously. Pay-As-You-Go (A) would be flexible but more expensive than a Dev/Test subscription for ongoing testing needs. Reserved Instances (B) are better suited for long-term production workloads. Spot Instances (C) offer cost savings but could be deallocated at any time, which may disrupt the testing process.
59. After creating a Virtual Machine (VM) in the Azure portal, you realize that your VM is not in the expected region, and you need to verify the VM's properties and location settings before considering redeployment. Which action in the Azure portal would best provide detailed property information on the VM, including region, size, and current status?
Correct Answer: A Explanation: The correct answer is A. In the Azure portal, the Properties blade for a VM provides key details, such as the region, VM size, and status, making it the ideal place to verify configuration and deployment settings. Resource Health (B) focuses on the VM’s operational status, not location or size configurations. Metrics (C) provide performance data but do not include configuration details, and the Networking tab's Configuration section (D) is specific to network settings rather than the overall VM properties.
60. A healthcare company wants to connect its on-premises network to its Azure resources securely, allowing both environments to communicate over a private, dedicated connection instead of the internet. The company requires high throughput and consistent connectivity for transferring sensitive data. Which Azure solution should they use?
Answer: B. ExpressRoute Explanation: ExpressRoute (B) provides a private, dedicated connection between on-premises networks and Azure, bypassing the internet, which meets the healthcare company’s requirements for secure, high-throughput connectivity for sensitive data. ExpressRoute offers reliable and consistent connectivity suitable for workloads with high data transfer requirements. VPN Gateway (A) uses encrypted internet connections, which may not offer the same consistency and performance as ExpressRoute. Public IP for each resource (C) would expose resources to the internet, which is insecure for sensitive data. An Azure Virtual Network (D) is necessary for Azure internal networking but does not provide a direct link to on-premises networks.
61. A technology firm is deploying a high-performance application on Azure that requires intensive computation. To optimize processing power, they need to select the right VM size that provides a high CPU-to-memory ratio suitable for compute-bound tasks. Which VM series should they consider for this application?
Answer: C. F-Series Explanation: F-Series VMs (C) are optimized for compute-intensive tasks with a high CPU-to-memory ratio, making them suitable for applications requiring significant computational power, such as high-performance processing or simulation workloads. B-Series (A) are burstable VMs suited for low-intensity tasks, not high-performance applications. D-Series (B) are general-purpose VMs with a balanced CPU-to-memory ratio, which may not offer the CPU power needed for compute-bound tasks. E-Series (D) are memory-optimized VMs, which prioritize memory over CPU, making them a better fit for memory-intensive workloads rather than compute-focused applications.
62. A software company is configuring Microsoft Entra ID to manage identity and access for a diverse team of employees and contractors. Contractors should have limited permissions and access only to specific resources, while employees require broader access. The company wants to automate the management of access based on these roles and avoid manual role assignments. Which feature of Microsoft Entra ID would best meet these needs?
Answer: A. Dynamic Groups (A) in Microsoft Entra ID allow automatic assignment of users to groups based on attributes, such as job title or contractor status, enabling the company to automate access management for employees and contractors based on defined criteria. Identity Protection (B) focuses on identifying and responding to risks rather than access control. Multi-Factor Authentication (MFA) (C) increases security but does not manage access based on role or group attributes. Role-Based Access Control (RBAC) (D) provides specific access controls but requires manual assignment unless paired with Dynamic Groups.
63. A logistics company has an Azure-based tracking application that monitors shipments in real time. The development team wants to be notified whenever there are response time delays or errors in processing tracking requests. Which feature of Application Insights should they configure for automatic alerts in case of performance issues?
Answer: B Explanation: The team should set up Metric Alerts (B) in Application Insights, based on response time metrics, to automatically trigger notifications if response times exceed acceptable thresholds or if errors occur. Metric Alerts in Application Insights allow for proactive monitoring of application performance. Availability Tests (A) can simulate requests but do not offer real-time alerting for actual user interactions. Log Analytics (C) is effective for querying logs but is less direct than metric-based alerts. Performance Counters (D) monitor resource metrics like CPU and memory but do not directly track response times or application-specific errors.
64. An educational institution with shared lab computers wants to provide passwordless access to Azure AD resources for students and staff. They need a solution that works seamlessly across devices and does not require users to log in with passwords on each session. Which Azure passwordless option is best suited for this environment?
Answer: B Explanation: FIDO2 security keys (B) are ideal for shared lab environments because they allow students and staff to access Azure resources without passwords and without the need for repeated logins. Each user can authenticate with their personal security key across devices. Windows Hello for Business (A) is more suited to individual devices and may not be practical in a shared environment. Microsoft Authenticator passwordless sign-in (C) is designed for mobile devices and may not work as seamlessly on shared computers. Pass-through Authentication (D) does not provide a passwordless experience and requires passwords for each session.
65. A government agency has strict compliance requirements mandating that certain types of data be stored in separate environments, each with isolated billing and centralized policy controls. They also need the ability to enforce security policies across all environments. How should they set up their Azure subscriptions to meet these regulatory needs?
Answer: B Explanation: Establishing separate subscriptions for each data type and applying policies at the management group level (B) allows the agency to enforce centralized security policies across all subscriptions while keeping each data type’s environment isolated for compliance and billing. Management groups provide a centralized way to apply policies to multiple subscriptions, ensuring that all environments meet regulatory requirements. Option A (using resource groups and tags) does not provide true isolation at the subscription level, and Option C (single region with Availability Zones) does not separate data types at the subscription level. Option D (a single subscription with RBAC) lacks isolated billing and regulatory compliance at the data type level, making B the most appropriate configuration.