AZ-104 Mock Exam

40 questions — 150 minutes allowed

Simulate real exam conditions: no notes, no hints. Record your answers, then check explanations at the end.

Score guide: 32–40 = pass-ready | 26–31 = review weak domains | < 26 = more study needed


Instructions

  • Answer all 40 questions without peeking at explanations
  • Note your confidence level (certain / unsure / guessing) next to each answer
  • Expand explanations after finishing all questions

Domain 1 — Identities & Governance (~7 questions)

Q1

Your organization uses Microsoft Entra ID. A contractor needs access to a specific Azure virtual machine for 30 days. You must follow the principle of least privilege. Which approach is most appropriate?

  • A. Add the contractor to the Global Administrator Entra role
  • B. Create a user account and assign the Virtual Machine Contributor RBAC role scoped to the VM's resource group
  • C. Create a user account and assign the Owner RBAC role at the subscription scope
  • D. Share the subscription admin credentials
Answer + Explanation

Correct: B

Virtual Machine Contributor scoped to the resource group grants the minimum permissions needed to work with the VM. Owner at subscription scope is excessive. Global Administrator is an Entra role with no Azure resource access. Sharing credentials violates accountability and least privilege.


Q2

You assign a Deny policy that prevents creation of public IP addresses in a resource group. A Contributor tries to deploy a VM with a public IP. What happens?

  • A. The deployment succeeds because RBAC Contributor overrides Azure Policy
  • B. The deployment fails with RequestDisallowedByPolicy
  • C. The deployment succeeds but the public IP is automatically removed after creation
  • D. The policy only applies to existing resources, not new deployments
Answer + Explanation

Correct: B

Azure Policy with Deny effect blocks non-compliant resource creation at the ARM layer — before the resource is created. RBAC and Policy are independent; Policy takes precedence for what is allowed. Deny effect prevents creation, unlike Audit which just logs.


Q3

A user needs to be able to assign Azure RBAC roles to other users in a resource group, but must NOT be able to modify or delete resources. Which built-in role satisfies this?

  • A. Contributor
  • B. Owner
  • C. User Access Administrator
  • D. Role Based Access Control Administrator
Answer + Explanation

Correct: D — Role Based Access Control Administrator

RBAC Administrator can manage role assignments but has no data-plane permissions (cannot modify resources). Owner can manage role assignments AND has full resource access (too broad). User Access Administrator also allows role assignment management but is the older equivalent — both D and C are valid for role assignment, but RBAC Administrator is more scoped. If both appear, prefer D as the more recently introduced least-privilege option.

Note: Some exam versions may accept C. Know both.


Q4

You apply a ReadOnly lock to an Azure storage account. A user with the Owner role tries to list the storage account access keys. What is the result?

  • A. The keys are listed successfully — Owner overrides locks
  • B. The operation fails — ReadOnly locks prevent listKeys operations
  • C. The keys are listed but not displayed to the user
  • D. The lock must be removed by a Global Administrator first
Answer + Explanation

Correct: B

listKeys is classified as a write-equivalent operation (it modifies effective access). ReadOnly locks prevent all operations that aren't read-only, including listKeys. Locks override RBAC — even Owners are blocked. Only someone with management permissions over the lock (Owner or User Access Administrator) can remove the lock first.


Q5

You need to apply the same Azure Policy across all subscriptions in your organization, including subscriptions added in the future. What is the most scalable approach?

  • A. Assign the policy to each subscription individually
  • B. Use a script to assign the policy to new subscriptions when they're created
  • C. Assign the policy at the Management Group scope
  • D. Assign the policy at the tenant root subscription
Answer + Explanation

Correct: C

Management Groups provide a scope above subscriptions. Policies assigned at the management group level automatically apply to all current and future child subscriptions. This is the exam-standard answer for "apply consistently across all subscriptions."


Q6

You create a user-assigned managed identity and attach it to a VM. The VM is deleted and recreated. What happens to the managed identity?

  • A. The managed identity is deleted with the VM
  • B. The managed identity persists independently and can be attached to the new VM
  • C. The managed identity must be recreated but retains its role assignments
  • D. The managed identity is automatically transferred to the new VM
Answer + Explanation

Correct: B

User-assigned managed identities are standalone Azure resources — their lifecycle is independent of the VMs they're attached to. When the VM is deleted, the identity persists. You attach it to the new VM. System-assigned managed identities (the alternative) are tied to the VM's lifecycle and are deleted when the VM is deleted.


Q7

A Global Administrator assigns themselves the Contributor role on a subscription via Entra ID Privileged Identity Management. A colleague with only User Access Administrator on the subscription tries to remove this assignment. Will they succeed?

  • A. Yes — User Access Administrator can remove any role assignment in scope
  • B. No — only a Global Administrator can remove assignments made by another Global Administrator
  • C. No — PIM-activated assignments can only be removed by the PIM service
  • D. Yes — Contributor is a lower role than User Access Administrator, so UAA can remove it
Answer + Explanation

Correct: A

User Access Administrator (and Owner) can manage role assignments at their scope. The source of the assignment (PIM vs direct) doesn't restrict who can remove it — only RBAC scope matters. UAA at the subscription scope can remove any role assignment at or below that scope, regardless of who made it.


Domain 2 — Storage (~8 questions)

Q8

You have a GPv2 storage account with blobs in the Hot tier. You want to automatically move blobs to Cool tier after 30 days and Archive after 90 days. What should you configure?

  • A. Storage account replication policy
  • B. Lifecycle management policy
  • C. Soft delete retention policy
  • D. Access tier policy in Diagnostic Settings
Answer + Explanation

Correct: B

Lifecycle management policies define rules that automatically tier or delete blobs based on age (last modified or last accessed). You can configure: Cool at 30 days, Archive at 90 days, Delete at 365 days — all in one policy.


Q9

A user generates a Shared Access Signature (SAS) token with a 24-hour expiry directly from the storage account key. Two hours later, the security team realizes the SAS has been leaked. How should you revoke the SAS?

  • A. Delete the SAS token from the storage account portal
  • B. Rotate the storage account access key that was used to sign the SAS
  • C. Enable soft delete on the storage account
  • D. Change the storage account replication type to LRS
Answer + Explanation

Correct: B

An account-key-signed SAS cannot be individually revoked — it's just a cryptographic signature. To invalidate it, you must rotate the storage account key that was used to sign it. This invalidates ALL SAS tokens signed with that key. This is why SAS tokens linked to Stored Access Policies are preferred — you revoke by deleting the policy.


Q10

Your company stores compliance records in Azure Blob Storage. Regulations require that no one — not even storage administrators — can delete or modify records for 7 years. What feature should you configure?

  • A. Soft delete with 7-year retention
  • B. Resource lock (CanNotDelete) on the container
  • C. WORM (Write Once, Read Many) immutability policy with time-based retention
  • D. Storage account firewall to block all write operations
Answer + Explanation

Correct: C

WORM immutability policies (available as time-based retention policies or legal holds on containers) prevent modification or deletion of data for the retention period — immutable to everyone, including storage admins and subscription owners. Soft delete has a maximum retention of 365 days, not 7 years. Resource locks can be removed by Owners.


Q11

You have a storage account with GRS replication. The primary region fails. You want to read data from the secondary region immediately while failover is pending. What must be true?

  • A. The storage account must use RA-GRS (Read-Access Geo-Redundant Storage)
  • B. Any GRS storage account allows secondary read during primary failure
  • C. The storage account must have geo-failover pre-configured
  • D. You must contact Azure support to enable secondary access
Answer + Explanation

Correct: A

With standard GRS, the secondary region is only accessible after a failover completes. With RA-GRS, the secondary region has a read-only endpoint available at all times: <account>-secondary.blob.core.windows.net. If you need secondary reads without waiting for failover, RA-GRS is required.


Q12

A developer needs to access a specific blob in an Azure storage container without exposing the storage account key. The access should be valid for exactly 2 hours with read-only permissions. Which solution is most secure?

  • A. Account SAS with read permission, 2-hour expiry, signed with account key
  • B. User delegation SAS signed with Entra ID credentials, 2-hour expiry, read permission
  • C. Service SAS for the specific blob, 2-hour expiry, signed with account key
  • D. Share the container's anonymous access URL
Answer + Explanation

Correct: B

User delegation SAS is signed with Microsoft Entra ID credentials rather than storage account keys — it doesn't expose the account key and is the most secure SAS option. It also supports Entra-based auditing. Account key-signed SAS (options A and C) work but are less secure because they require access to the account key.


Q13

An Azure blob is moved to the Archive tier. A developer immediately tries to read the blob. What happens?

  • A. The read succeeds after a 1-second delay
  • B. The blob is automatically rehydrated within 1 minute and then readable
  • C. The read fails — Archive blobs are offline and must be rehydrated first (1–15 hours)
  • D. Reading an archived blob is not possible — it must be deleted and re-uploaded
Answer + Explanation

Correct: C

Archive blobs are stored offline — they cannot be read directly. Rehydration is required first, by changing the tier to Hot or Cool (1–15 hours for standard priority, up to 1 hour for high priority). Only after rehydration completes can the blob be read. Always factor this into DR or restore scenarios.


Q14

Which Azure Files protocol requires the client to use port 445 (outbound) to the storage account?

  • A. NFS 4.1
  • B. REST API
  • C. SMB 3.x
  • D. iSCSI
Answer + Explanation

Correct: C

SMB (Server Message Block) uses TCP port 445. Many ISPs and corporate firewalls block outbound port 445, which is the #1 reason Azure Files SMB mounting fails from on-premises or home networks. NFS uses port 2049. The storage REST API uses HTTPS (port 443).


Q15

A blob storage container has public anonymous access disabled. A developer generates a Service SAS with Read permission on the container. Another developer uses that SAS to try to upload (write) a new blob. What happens?

  • A. The upload succeeds because the SAS provides access to the container
  • B. The upload fails — the SAS only grants Read permission; Write is denied with 403
  • C. The upload fails because public access is disabled
  • D. The upload succeeds but the blob is marked as read-only
Answer + Explanation

Correct: B

SAS tokens are scoped to the permissions specified at creation time. A Read-only SAS only allows read operations — any write, delete, or list operation (if not included) returns 403 Forbidden. Public access being disabled doesn't affect SAS-authenticated operations.


Domain 3 — Compute (~10 questions)

Q16

You need to deploy 50 identical VMs that automatically scale based on CPU load. The VMs run a stateless web application. Which service is most appropriate?

  • A. 50 individual VMs with Azure Autoscale
  • B. Azure Virtual Machine Scale Set (VMSS)
  • C. Azure Container Instances (ACI) with 50 containers
  • D. Azure Kubernetes Service (AKS)
Answer + Explanation

Correct: B

VMSS is specifically designed for deploying and managing groups of identical VMs with autoscaling. It manages the lifecycle (create, update, delete) of instances automatically. Individual VMs with autoscale don't exist as a native Azure feature — you'd manage this yourself.


Q17

You deploy a VM in an Availability Set. A few months later, you want to move the VM to an Availability Zone for higher SLA. What must you do?

  • A. Change the availability configuration in the VM settings
  • B. Stop the VM and reassign it to an availability zone
  • C. You cannot change availability configuration after VM creation — recreate the VM
  • D. Detach the VM from the availability set, then assign it to a zone
Answer + Explanation

Correct: C

Availability set and zone membership are set at VM creation and cannot be changed afterward. You must delete the VM (keeping the disk), then recreate it with the new availability configuration. Availability sets and zones are also mutually exclusive.


Q18

An ARM template includes this expression:

"location": "[resourceGroup().location]"

What does this expression evaluate to?

  • A. The location of the Azure subscription
  • B. The location where the template is being deployed (the deployment command's --location)
  • C. The Azure region of the resource group where the template is being deployed
  • D. The default location configured in the user's Azure CLI profile
Answer + Explanation

Correct: C

resourceGroup().location returns the Azure region of the resource group into which the template is being deployed. This is the canonical way to ensure all resources in a template deploy to the same region as the resource group without hardcoding a region name.


Q19

You deploy an App Service web app on a Basic (B1) plan. The app traffic doubles and you need to scale out to 3 instances. What must you do?

  • A. Enable autoscale on the Basic plan
  • B. Scale the instance count manually from 1 to 3 on the Basic plan
  • C. Upgrade the App Service plan to Standard or above, then enable autoscale
  • D. Create two additional App Service plans and configure traffic splitting
Answer + Explanation

Correct: B

Basic plan supports manual scaling — you can set the instance count manually (1 to 3 instances for B1). What Basic does NOT support is autoscaling (automatic scale-out based on rules). For autoscale, you need Standard or above. The question says "scale out to 3 instances" — not autoscale — so Basic manual scaling works.

Careful: If the question says "automatically scale," the answer is C. Here it says "scale out to 3 instances," which Basic can do manually.


Q20

A VM that runs SQL Server needs the highest possible disk IOPS with low latency. You don't need zone redundancy. Which managed disk SKU should you choose?

  • A. Standard HDD
  • B. Standard SSD
  • C. Premium SSD v2
  • D. Ultra Disk
Answer + Explanation

Correct: D — Ultra Disk

Ultra Disk provides up to 160,000 IOPS and sub-millisecond latency — the highest performance tier. Ultra Disk is locked to a single zone (not zone-redundant), but the question states zone redundancy is not required. Premium SSD v2 is high-performance but Ultra exceeds it.

Note: If the question adds zone redundancy as a requirement, Premium SSD (zone-redundant) would be the answer.


Q21

You are deploying Azure Bastion and encounter a deployment validation error. The VNet has a subnet named AzureBastion with a /26 prefix. What is causing the error?

  • A. The subnet prefix is too small — Bastion requires a /25
  • B. The subnet must be named exactly AzureBastionSubnet — the name AzureBastion is invalid
  • C. Bastion requires an NSG on the dedicated subnet
  • D. The VNet must have at least 3 subnets for Bastion to deploy
Answer + Explanation

Correct: B

Azure Bastion requires the subnet to be named exactly AzureBastionSubnet — case-sensitive. AzureBastion (missing "Subnet") fails validation immediately. The /26 prefix meets the minimum size requirement.


Q22

A development team wants to run a containerized data pipeline job. The job runs for 2–3 hours nightly and then terminates. They want zero idle cost when the job isn't running. Which compute option best fits?

  • A. Azure Kubernetes Service with one node pool (1 node)
  • B. Azure App Service on a Basic plan
  • C. Azure Container Instances (ACI)
  • D. Azure VM with Docker installed
Answer + Explanation

Correct: C

ACI bills per second of actual execution. When the container stops, billing stops entirely — zero idle cost. AKS requires a node pool (VMs) that incur cost even when idle. App Service has an always-on minimum cost. A VM costs as long as it's running.


Q23

You deploy an ARM template with what-if and see a resource listed as ~ Modify. What does this indicate?

  • A. The resource will be deleted and recreated with a new configuration
  • B. The resource will be updated in place with new property values
  • C. The resource has conflicting configurations that must be resolved before deployment
  • D. The resource is outside the template scope and will not be affected
Answer + Explanation

Correct: B

what-if output symbols:

  • + Create — resource doesn't exist and will be created
  • ~ Modify — resource exists and will be updated in place
  • - Delete — resource exists but is not in the template (Complete mode)
  • = Nochange — no changes
  • × Unsupported — Azure can't determine the effect


Q24

You configure a VMSS autoscale rule: scale in by 2 instances when CPU < 20% for 10 minutes. The current instance count is 4 (minimum is 2). After 10 minutes of < 20% CPU, how many instances remain?

  • A. 2 — scale in by 2, hitting the minimum
  • B. 3 — scale in by 1 (can't go below minimum, so only removes 1)
  • C. 4 — scale-in rules only fire once per hour
  • D. 2 — scale in removes all instances below the average threshold
Answer + Explanation

Correct: A

The rule says scale in by 2. Current count is 4, minimum is 2. After scale-in: 4 - 2 = 2. This equals the minimum, so the action is valid and completes. If scale in by 2 would go below the minimum (e.g., current = 3, min = 2, scale-in by 2), Azure caps the result at the minimum.


Q25

Which statement about system-assigned vs user-assigned managed identities is correct?

  • A. System-assigned identities can be shared across multiple VMs
  • B. User-assigned identities are deleted when the associated VM is deleted
  • C. User-assigned identities have a lifecycle independent of the resource they're attached to
  • D. System-assigned identities can be assigned custom RBAC roles but user-assigned cannot
Answer + Explanation

Correct: C

User-assigned managed identities are standalone Azure resources — you create them independently and attach to one or more resources. They survive VM deletion. System-assigned identities are enabled directly on a resource and are deleted when that resource is deleted. Both types can be assigned RBAC roles.


Domain 4 — Networking (~9 questions)

Q26

Two VMs in the same VNet (different subnets) cannot communicate. Which is the most likely cause?

  • A. VMs in different subnets cannot communicate by default
  • B. A Network Security Group rule is blocking the traffic
  • C. The subnets are in different availability zones
  • D. VNet routing requires VPN Gateway for intra-VNet traffic
Answer + Explanation

Correct: B

By default, Azure routes traffic between subnets within the same VNet automatically. VMs in different subnets CAN communicate by default unless an NSG explicitly blocks it. Availability zones don't affect routing. VPN is for external connectivity.


Q27

You need to allow traffic on port 443 from a specific application server group to a database group, regardless of IP addresses, so that you don't have to update NSG rules when IPs change. What should you use?

  • A. Service Tags
  • B. Application Security Groups (ASGs)
  • C. Custom route tables
  • D. Private Link Service
Answer + Explanation

Correct: B

ASGs let you group VMs by logical role (e.g., AppServers, DBServers) and reference them in NSG rules. When a VM's IP changes or a new VM is added to the group, no NSG rule changes are needed — the logical group handles it. Service Tags represent Azure services, not your own VM groups.


Q28

You create a VNet-to-VNet connection between VNet-East (East US) and VNet-West (West US) using VPN Gateway. What type of VPN should you use?

  • A. Policy-based VPN
  • B. Route-based VPN
  • C. ExpressRoute circuit
  • D. Global VNet peering
Answer + Explanation

Correct: B

VNet-to-VNet connections require route-based VPN. Policy-based VPN is limited to a single tunnel and doesn't support VNet-to-VNet or P2S connections. ExpressRoute is for on-premises connectivity. Global VNet peering also works for cross-region VNet connectivity and is often simpler — but if the question specifies VPN Gateway, route-based is the answer.


Q29

You configure a Standard Load Balancer with a health probe on HTTP port 80. Backend VMs run a web app on port 80 but also have an NSG on their NIC blocking all inbound traffic (default deny only). Users cannot reach the application. What change fixes this?

  • A. Change the health probe from HTTP to TCP
  • B. Add an NSG rule allowing inbound from the AzureLoadBalancer service tag on port 80
  • C. Upgrade the LB SKU to Premium
  • D. Associate the NSG with the subnet instead of the NIC
Answer + Explanation

Correct: B

Standard Load Balancer traffic passes through the NIC NSG. The NIC NSG's default deny blocks both health probe traffic and user traffic. Adding an inbound rule allowing the AzureLoadBalancer service tag on port 80 permits both health probes and load-balanced traffic. Option D (moving NSG to subnet) would also work but is not the minimal change — and the question asks what change "fixes" it, implying the minimal correct fix.


Q30

Your organization has a hub VNet with a VPN Gateway and multiple spoke VNets. Spoke A needs to communicate with on-premises resources via the hub's VPN Gateway. You've configured peering from Hub to Spoke A. What additional settings must be configured?

  • A. Enable useRemoteGateways on the Hub-to-SpokeA peering
  • B. Enable allowGatewayTransit on the Hub-to-SpokeA peering AND useRemoteGateways on the SpokeA-to-Hub peering
  • C. Create a VPN Gateway in Spoke A as well
  • D. Enable global peering on both peering connections
Answer + Explanation

Correct: B

Gateway transit requires:

  • Hub side (Hub-to-SpokeA): allowGatewayTransit = true — "I share my gateway with this peer"
  • Spoke side (SpokeA-to-Hub): useRemoteGateways = true — "I want to use the hub's gateway"

Both must be set on their respective peering connections.


Q31

You create a Private Endpoint for an Azure SQL server in your VNet. A VM in the VNet tries to connect to contoso.database.windows.net and reaches the public IP. What is likely misconfigured?

  • A. The Private Endpoint is in the wrong subnet
  • B. DNS is not resolving to the private IP — the DNS zone for the private endpoint is not linked to the VNet
  • C. The NSG on the VM's subnet is blocking SQL traffic
  • D. Private Endpoints only work for Blob storage, not SQL
Answer + Explanation

Correct: B

Private endpoints work by adding a private IP to your VNet AND updating DNS so the FQDN resolves to that private IP. If the Private DNS zone (privatelink.database.windows.net) is not linked to the VNet, DNS still resolves to the public IP, and traffic bypasses the private endpoint entirely. The connection reaches the public endpoint — not the private one.


Q32

You have a subnet with a route table containing:

  • Route 1: 0.0.0.0/0 → next hop VirtualAppliance 10.0.0.4
  • Route 2: 10.1.0.0/16 → next hop VirtualNetwork

Traffic to 10.1.5.10 takes which path?

  • A. Through the VirtualAppliance at 10.0.0.4 (route 1 applies because 0.0.0.0/0 is the catch-all)
  • B. Directly within the VNet (route 2 applies because 10.1.0.0/16 is more specific)
  • C. Dropped — conflicting routes cause traffic to be black-holed
  • D. Split 50/50 between both routes (Azure load-balances equal routes)
Answer + Explanation

Correct: B

Azure routing uses longest prefix match. 10.1.0.0/16 is more specific than 0.0.0.0/0, so route 2 wins. Traffic to 10.1.5.10 goes directly within the VNet. Route 1 handles all other internet-bound traffic not matched by more specific routes.


Q33

You need to allow on-premises users to access an Azure Storage account privately — using its private IP — over an existing ExpressRoute circuit. Which feature enables this?

  • A. Service Endpoint for Storage
  • B. Private Endpoint for the Storage account
  • C. ExpressRoute Microsoft Peering
  • D. Storage account network firewall rule for ExpressRoute
Answer + Explanation

Correct: B

Private Endpoint assigns a private IP to the storage account within your VNet. On-premises networks connected via ExpressRoute (private peering) can reach this private IP. Service Endpoints don't provide a private IP — the storage account still uses its public IP, and service endpoints don't work over ExpressRoute private peering for on-premises clients.


Q34

An NSG has these inbound rules:

  • Priority 100: Allow TCP 80 from Internet
  • Priority 200: Deny All from Internet
  • Priority 65500: DenyAllInBound (default)

Traffic on TCP port 80 from the internet — what happens?

  • A. Allowed — rule 100 (Allow TCP 80) is evaluated first and matches
  • B. Denied — rule 200 (Deny All) also matches and overrides rule 100
  • C. Denied — the default deny rule at 65500 applies to all internet traffic
  • D. Allowed only if the VM also has an NSG on its NIC
Answer + Explanation

Correct: A

NSG rules are evaluated by priority — lowest number first. Rule 100 matches TCP port 80 from Internet → Allow. Evaluation stops at the first matching rule. Rule 200 (Deny All) is never reached for port 80 traffic because rule 100 already matched. Port 443 or any other port from Internet would hit rule 200 and be denied.


Domain 5 — Monitor & Maintain (~6 questions)

Q35

You want to receive an email notification when a VM in a production resource group is deleted by any user. Which alert type and scope should you configure?

  • A. Metric alert scoped to the VM
  • B. Activity log alert scoped to the resource group
  • C. Log query alert using AzureMetrics table
  • D. Resource health alert scoped to the subscription
Answer + Explanation

Correct: B

VM deletion is a management plane operation — it appears in the Activity Log. Activity log alerts trigger when specific operations occur within the defined scope. Scoping to the resource group catches any VM deletion within it. Metric alerts are for numeric thresholds; resource health is for platform-detected VM health states.


Q36

A Log Analytics query returns an empty result set immediately after you enable Diagnostic Settings on a new VM. What is the most likely explanation?

  • A. The VM must be restarted to begin sending logs
  • B. Data ingestion has a delay of 5–10 minutes after enabling Diagnostic Settings
  • C. The KQL query syntax is incorrect
  • D. Log Analytics workspaces only accept data from VMs in the same region
Answer + Explanation

Correct: B

Log Analytics ingestion is not real-time — there is typically a 5–10 minute delay between activity occurring and data appearing in the workspace. Newly configured diagnostic settings take time for the first data to flow through. Always wait before concluding data isn't flowing.


Q37

Your organization's RTO is 30 minutes and RPO is 1 hour for a critical VM. Which service should you use?

  • A. Azure Backup with hourly backup policy
  • B. Azure Site Recovery with continuous replication
  • C. Azure Backup with daily backup + geo-redundant vault
  • D. Availability Zones with Standard Load Balancer
Answer + Explanation

Correct: B

Azure Site Recovery replicates continuously (RPO ~15 minutes, well within the 1-hour RPO). Failover typically completes in minutes with pre-staged recovery plans (achieves the 30-minute RTO). Azure Backup with hourly policy would give RPO of up to 1 hour — borderline — but backup restore (RTO) takes longer than 30 minutes for a full VM. ASR is the correct answer for both RPO and RTO requirements in DR scenarios.


Q38

A KQL query in Log Analytics:

AzureActivity
| where TimeGenerated > ago(24h)
| summarize count() by OperationNameValue
| order by count_ desc
| top 5 by count_

What does this query return?

  • A. All Azure activity in the last 24 hours
  • B. The 5 most frequent Azure management operations in the last 24 hours
  • C. The 5 most recent Azure management operations
  • D. A summary of all operation types with counts, sorted alphabetically
Answer + Explanation

Correct: B

Step by step:

  1. AzureActivity — query the activity log table
  2. where TimeGenerated > ago(24h) — last 24 hours only
  3. summarize count() by OperationNameValue — count occurrences of each operation type
  4. order by count_ desc — sort by count, highest first
  5. top 5 by count_ — return only the top 5 rows

Result: the 5 operation types with the highest occurrence count in the last 24 hours.


Q39

You delete a backup item from a Recovery Services vault. 10 days later, you realize you need the data. Is recovery possible?

  • A. No — backup data is permanently deleted immediately when the item is removed
  • B. Yes — soft delete retains deleted backup data for 14 days by default
  • C. Yes — only if you had geo-redundant vault replication enabled
  • D. No — Recovery Services vaults do not support soft delete for VM backups
Answer + Explanation

Correct: B

Azure Backup's soft delete is enabled by default on Recovery Services vaults. When backup data is deleted, it enters a soft-delete state for 14 days. During this window, you can "undelete" the backup item to restore it to active protection. After 14 days, it's permanently purged. Since 10 days have passed and the default retention is 14 days, recovery is still possible.


Q40

Azure Advisor identifies that a VM is running at < 5% average CPU over the past 14 days. What type of recommendation does Advisor provide for this VM?

  • A. Security recommendation — disable unused VM extensions
  • B. Cost recommendation — right-size or shut down the underutilized VM
  • C. Operational Excellence recommendation — enable diagnostic settings
  • D. Performance recommendation — increase VM CPU allocation
Answer + Explanation

Correct: B

Azure Advisor's Cost category identifies underutilized resources. A VM running at < 5% CPU for 14 days is flagged as a candidate for right-sizing (smaller VM size) or shutdown. This falls squarely in the Cost recommendations category — not performance (which would recommend more resources).


Score Yourself

Domain                                Questions      Your Score
Domain 1 — Identities & Governance    Q1–Q7 (7)      /7
Domain 2 — Storage                    Q8–Q15 (8)     /8
Domain 3 — Compute                    Q16–Q25 (10)   /10
Domain 4 — Networking                 Q26–Q34 (9)    /9
Domain 5 — Monitor & Maintain         Q35–Q40 (6)    /6
Total                                 40             /40

Passing Score Analysis

Score              Action
32–40 (80–100%)    Ready to schedule — book within 2 weeks
26–31 (65–77%)     Review domains where you missed 2+ questions
< 26 (< 65%)       Return to domain chapters for weak areas, redo labs

Weak Area Guidance