AZ-104 Cheat Sheet
Identity and Governance
Entra Users and Groups
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- A user's member-or-guest type is fixed by origin, not by a setting
A member user is native to your tenant (created in the cloud or synced from on-premises Active Directory by Entra Connect); a guest user is invited from another directory through B2B collaboration and signs in with their own home credentials. The type is decided by how the account entered the directory and is not something you toggle on the user. You widen or narrow a user's actual access by assigning roles, not by changing the type.
- Invite external collaborators as B2B guests so you never manage their password
When an outside partner needs access, invite them as a B2B guest rather than creating a member account. The guest authenticates against their own home tenant or identity provider, so you issue no credential and reset no password, and you scope them with roles and group membership. A guest's UPN takes the form alice_contoso.com#EXT#@yourtenant.onmicrosoft.com, and by default guests have restricted directory permissions.
Trap Creating a member account for an external partner: it forces you to manage a credential and grants the broad default member permissions a partner shouldn't have.
- Guest users get restricted directory permissions by default
By default a guest can manage their own profile and read only limited directory data; they cannot enumerate the full list of users or groups the way a member can. Members, by contrast, can read most directory information and by default register applications, create groups, and invite other guests. You can tighten these defaults for all members or all guests in the directory's user settings.
- Security groups gate access; Microsoft 365 groups enable collaboration
Pick a security group to manage access to resources, roles, and applications: its members can be users, devices, service principals, and even other groups (nesting). Pick a Microsoft 365 group when the need is a shared workspace (mailbox, calendar, SharePoint), but note its members can be users only. The decisive test is the requirement: resource or role access points to a security group, a team workspace points to a Microsoft 365 group.
Trap Choosing a Microsoft 365 group to control access to a resource: that group type is for collaboration, and only a security group can be used for group-based licensing.
- Only a security group can hold non-user members
A security group's membership can include users, devices, service principals, and nested groups, which is why it is the vehicle for assigning resource access and roles. A Microsoft 365 group accepts users only: no devices or service principals. When a scenario needs a group of devices (for example to target Intune policy through dynamic device membership), the group must be a security group.
Trap Trying to add devices to a Microsoft 365 group: that type takes users only, so a device group must be a security group.
- Assigned vs dynamic membership decides who maintains the member list
Assigned membership means an administrator or group owner adds each member by hand; dynamic membership uses an attribute rule to add and remove members automatically as their attributes change. Choose Assigned for a fixed, hand-picked roster and dynamic when membership should track an attribute such as department. Dynamic keeps the roster accurate without manual upkeep but trades away the ability to pin or exclude an individual outside the rule.
- A group owner can edit members only when membership is Assigned
Group ownership lets you manage a group's properties and its membership, but the membership part applies only to Assigned groups. A dynamic group's members are governed entirely by its rule, so even the owner cannot add or remove a member directly: you change membership by changing user attributes or the rule itself. Editing a dynamic membership rule additionally requires the Groups Administrator, Intune Administrator, or User Administrator role.
Trap Assuming a group owner can add a member to any group: for a dynamic group the rule controls membership and the owner cannot override it.
- A dynamic group targets users OR devices, never both
When you create a dynamic membership group you choose Dynamic User or Dynamic Device, and a single group cannot do both. A device rule may reference only device attributes: you cannot build a device group from the device owners' attributes. If a requirement mixes users and devices, you need two separate dynamic groups.
Trap Building one dynamic group whose rule mixes user and device attributes: Entra ID requires the membership target to be users only or devices only.
- Dynamic membership requires Microsoft Entra ID P1
Attribute-rule (dynamic) group membership is a premium feature: it requires Microsoft Entra ID P1 for every user in scope of the rule. Assigned membership works on the free tier. In a scenario set in a trial or free tenant, automatic department-based membership is unavailable, so the answer falls back to an Assigned group plus manual upkeep, or acquiring P1.
Trap Proposing dynamic membership in a free/trial tenant: dynamic groups need Entra ID P1 and aren't available on the free tier.
3 questions test this
- Your company has a Microsoft Entra ID Free subscription. You need to create a group that automatically adds users based on their department…
- You have a Microsoft Entra tenant. You plan to create dynamic membership groups. You have 2,000 users who will be members of various…
- You have a Microsoft Entra tenant with 500 users. You plan to create dynamic membership groups. Your tenant has a Microsoft Entra ID Free…
- Set a user's Usage location before assigning any license
A license cannot be assigned to a user until that user has a Usage location set, because Microsoft licenses are subject to regional availability. If a direct license assignment fails for a freshly created user, the missing Usage location attribute is the usual cause. Set it on the user profile, then assign the license.
- Use group-based licensing to keep licenses in step with membership
Group-based licensing attaches one or more product licenses to a security group; Entra ID then licenses every member automatically and removes the license when a member leaves the group. Pair it with a dynamic group and licensing tracks org structure with zero scripting. It works on security groups only, and you must hold at least one license for every unique member of a licensed group.
- Group-based licensing requires Entra ID P1 for each benefiting user
Group-based licensing itself is a premium capability: you need Microsoft Entra ID P1 (or a qualifying Microsoft 365 / Office 365 plan such as Business Premium or Office 365 E3) for every user who benefits from it. This is separate from the product licenses being assigned: the P1 entitlement pays for the automation, while the product licenses cover the services the members consume.
- License assignment moved out of the Azure portal on September 1, 2024
Since September 1, 2024 the Microsoft Entra admin center and the Azure portal no longer expose license assignment in their UI; assignment for both users and groups is done in the Microsoft 365 admin center. The change is UI-only: Microsoft Graph and PowerShell still assign licenses programmatically. If a question says the license-assignment option is missing from the Azure portal, that is expected, not a bug.
Trap Looking for the license-assignment blade in the Entra/Azure portal: it was removed in September 2024; assign licenses in the Microsoft 365 admin center or via Graph/PowerShell.
- SSPR needs at least one registered method; the policy requires one or two to reset
Self-service password reset lets users reset or unlock their own password with no help-desk call, but each user must first register authentication methods: choices include Microsoft Authenticator, OATH tokens, SMS, voice call, email OTP, and security questions. The administrator policy sets how many registered methods a reset requires, a value of one or two. A user who has registered fewer than the required number cannot use SSPR and must contact an administrator.
7 questions test this
- You have a Microsoft Entra tenant. You configure self-service password reset (SSPR) with the following settings: Number of methods required…
- Your company has a Microsoft Entra tenant with self-service password reset (SSPR) enabled. The SSPR policy is configured to require two…
- You are configuring self-service password reset (SSPR) for your Microsoft Entra tenant. The security team requires users to verify their…
- You have a Microsoft Entra tenant. You configure self-service password reset (SSPR) with the following settings: Self service password…
- You have a Microsoft Entra tenant with SSPR enabled. A user named User1 is enabled for SSPR and has registered mobile phone and alternate…
- You have a Microsoft Entra tenant with SSPR enabled. Users have registered for SSPR using mobile phone and email as authentication methods.…
- You are configuring SSPR authentication methods for your Microsoft Entra tenant. You set the 'Number of methods required to reset' to 2. A…
- Administrator accounts are forced onto a stronger two-method SSPR policy
Even if the tenant SSPR policy requires only one method for ordinary users, accounts holding an Azure administrator role are subject to a stronger two-gate password reset policy and cannot use the relaxed single-method setting. This is automatic and not configurable down: Microsoft enforces it because admin accounts are higher-value targets.
Trap Assuming a one-method SSPR policy applies to administrators: admin-role accounts are always held to the stronger two-method reset policy.
5 questions test this
- You have a Microsoft Entra tenant with self-service password reset (SSPR) enabled for all users. A user named Admin1 has the Global…
- You have a Microsoft Entra tenant with self-service password reset (SSPR) enabled. A user named User1 has the Global Administrator role…
- You have a Microsoft Entra tenant that contains a user named Admin1 who has the Global Administrator role assigned. Admin1 needs to reset…
- You have a Microsoft Entra tenant with self-service password reset (SSPR) enabled for a group of users. The SSPR policy requires two…
- You have a Microsoft Entra tenant with self-service password reset (SSPR) enabled for all users. The SSPR policy requires two…
- SSPR is free, but password writeback to on-premises AD requires P1
Self-service password reset is available on Microsoft Entra ID Free for cloud-managed users. SSPR password writeback, which pushes a cloud-initiated reset back down to on-premises Active Directory for a federated, pass-through-auth, or password-hash-synced user, requires Microsoft Entra ID P1. Without writeback, a hybrid user whose password is mastered on-premises is told to contact their administrator instead of resetting.
Trap Expecting plain SSPR to reset a synced on-premises user's password: that needs SSPR password writeback, which requires Entra ID P1.
4 questions test this
- Your company has a hybrid identity deployment with Microsoft Entra ID synchronized to on-premises Active Directory. You plan to configure…
- You have a Microsoft Entra tenant with a hybrid identity environment using Microsoft Entra Connect. You enable self-service password reset…
- You have a hybrid environment with Microsoft Entra Connect configured for password hash synchronization. You need to enable self-service…
- Your organization has a hybrid environment with an on-premises Active Directory Domain Services (AD DS) synchronized to Microsoft Entra ID…
- Reset, change, and writeback are three different password operations
A password reset recovers a forgotten password (the SSPR scenario, where the user proves identity with registered methods); a password change updates a password the user already knows and is signed in with; password writeback is the hybrid mechanism that carries either operation back to on-premises AD. It is not a separate end-user action. Conflating reset with writeback is the usual source of confusion in hybrid scenarios.
- Personal Microsoft accounts used as guests cannot use Entra SSPR
A guest who signs in with a personal Microsoft account (Outlook.com, Hotmail) cannot use your tenant's Entra SSPR; they recover through their own Microsoft account instead. B2B guests from a partner Microsoft Entra tenant or self-service sign-up users, by contrast, can reset using the email they registered, subject to the partner tenant's own SSPR policy. So SSPR support for a guest depends on what kind of account backs them.
Trap Expecting your tenant's SSPR policy to reset a personal-Microsoft-account guest's password: those accounts recover through their own Microsoft account, not your tenant.
- Bulk user creation uses a fixed CSV template with four required fields
Bulk user creation in the Microsoft Entra admin center downloads a CSV template whose only required values are Name, User principal name, Initial password, and Block sign in (Yes/No). Extra columns you add are ignored and not processed, and a bulk operation can fail if it doesn't complete within about an hour, so split very large imports into smaller batches.
4 questions test this
- You plan to use bulk user creation in the Microsoft Entra admin center to create 50 new user accounts. You download the CSV template and…
- Your organization is performing a bulk user creation operation in the Microsoft Entra admin center. The operation involves creating 2,000…
- You have a Microsoft Entra tenant. The HR department provides you with a spreadsheet that lists 200 new employees who must each receive a…
- You have a Microsoft Entra tenant. You are creating multiple users by using a CSV file and the bulk create feature in the Azure portal. You…
- Use -in for multiple values and minimize -match/-contains for fast dynamic groups
When a dynamic membership rule tests one property against several values, the single -in operator (for example user.department -in ["Sales","Marketing"]) is more efficient than chaining many -or/-eq expressions. Microsoft advises minimizing the -match and -contains operators as much as possible for better dynamic group processing times; prefer -eq or -startsWith where you can.
5 questions test this
- You have a Microsoft Entra tenant that contains multiple dynamic membership groups. You discover that dynamic group processing is taking…
- You are creating a dynamic membership rule for a Microsoft Entra security group. The group must include all users whose department value is…
- You are creating a dynamic membership rule in Microsoft Entra ID to include users from multiple departments. The rule must include users…
- You have a Microsoft Entra tenant. You need to create a dynamic membership rule for a user group that includes users from multiple cities.…
- You have a Microsoft Entra tenant with Microsoft Entra ID P1 licenses. You need to create a dynamic user group that includes all users…
- Manage Entra users with New-MgUser, Get-MgUser, and Update-MgUser
In the Microsoft Graph PowerShell SDK, New-MgUser creates a user (its PasswordProfile parameter takes a hash table such as @{Password='...'}), Update-MgUser edits an existing user's properties, and Get-MgUser piped to Update-MgUser bulk-updates a filtered set. Connect-MgGraph must request the User.ReadWrite.All scope to create or modify users.
Trap Passing PasswordProfile as a string, or requesting only User.Read.All (read-only) when you need to write.
8 questions test this
- You are preparing to use Microsoft Graph PowerShell to create and manage users in Microsoft Entra ID. You need to connect to Microsoft…
- You have a Microsoft Entra tenant with multiple user accounts. You need to use PowerShell to change the usage location for all users in the…
- You have a Microsoft Entra tenant. You need to use PowerShell to create a new user account named User1 with a specified password. The user…
- You manage user accounts in Microsoft Entra ID using the Microsoft Graph PowerShell SDK. You need to update the department property for an…
- You need to create a new cloud user account in Microsoft Entra ID using the Microsoft Graph PowerShell SDK. You plan to run the New-MgUser…
- You need to use PowerShell to update the Department property for multiple users in Microsoft Entra ID. You plan to use the Microsoft Graph…
- You have a Microsoft Entra tenant that contains 200 users. You need to update the Department property for all users whose current…
- You need to create a PowerShell script that creates and manages user accounts in Microsoft Entra ID using the Microsoft Graph PowerShell…
- External collaboration settings decide who may invite guests
Guest invitations are governed in External collaboration settings: you can restrict them so only users assigned to specific admin roles can invite, and the built-in Guest Inviter role grants invite rights (even when that restriction is on) without other user-management privileges. Collaboration restrictions can allow or block invitations to specific named domains (for example only fabrikam.com).
Trap Assigning User Administrator just to let someone invite guests when the least-privilege Guest Inviter role suffices.
4 questions test this
- You have a Microsoft Entra tenant. You need to configure external collaboration settings to allow only users with the User Administrator or…
- You have a Microsoft Entra tenant that collaborates with several partner companies by inviting their users as guests. Recently, regular…
- You have a Microsoft Entra tenant. Your company collaborates only with a partner organization whose users belong to the fabrikam.com…
- You have a Microsoft Entra tenant named contoso.com. You need to allow a user named User1 to invite external guest users to the tenant.…
- Pilot SSPR with the Selected scope and force registration at sign-in
Self-service password reset can be enabled for None, Selected, or All users; choose Selected and pick one security group to pilot it before a wider rollout. Turning on 'Require users to register when signing in' prompts users to supply authentication contact info at next sign-in, and the re-confirmation interval accepts 0 to 730 days (0 means users are never asked to re-confirm).
Trap Leaving SSPR set to All when only a pilot group is intended.
5 questions test this
- You have a Microsoft Entra tenant. You plan to implement self-service password reset (SSPR). You need to enable SSPR for a specific group…
- You have a Microsoft Entra tenant that has Microsoft Entra ID P1 licenses. You have enabled self-service password reset (SSPR) for all…
- You plan to enable combined registration for Microsoft Entra multifactor authentication and self-service password reset (SSPR) in your…
- You are configuring self-service password reset (SSPR) in Microsoft Entra ID. You want to enable SSPR for a pilot group of users before…
- You are configuring SSPR registration settings in Microsoft Entra ID. You want users to periodically reconfirm their authentication…
Azure RBAC
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Subscriptions and Governance
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Storage
Storage Access
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Storage Accounts
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Standard general-purpose v2 is the default account kind, and it hosts all four services
A Standard general-purpose v2 (StorageV2) account supports Blob, Azure Files, Queue, and Table storage together, and it is Microsoft's recommended kind for almost all new work. The premium kinds are single-purpose: premium block blobs (block/append blobs), premium file shares (Azure Files), and premium page blobs. Reach for a premium kind only when one service needs SSD-backed low latency or high transaction rates; otherwise StorageV2 keeps everything in one account.
The Standard performance tier runs on hard-disk drives and is the cost-effective choice for general blob, file, queue, and table workloads. The Premium tier runs on solid-state drives for low, consistent latency and high throughput, and it costs more. Pick Premium when a workload is latency-sensitive or has a high transaction rate against small objects; pick Standard for everything else.
- Account kind and performance tier are fixed at creation. You can't change them in place
You choose the account kind and performance tier when you create a storage account, and you cannot convert an account to a different type afterward. To move from Standard to Premium (or change kind), you create a new account and copy the data across with a tool like AzCopy. The single exception is the one-way in-place upgrade of a legacy general-purpose v1 or BlobStorage account to general-purpose v2.
Trap Assuming you can switch a Standard account to Premium in the portal. There is no in-place tier change; you must create a new account and copy the data.
- Storage account names are 3–24 lowercase alphanumeric characters and globally unique
A storage account name must be between 3 and 24 characters, contain only lowercase letters and numbers (no hyphens, underscores, or uppercase), and be unique across all of Azure because it forms the subdomain of every endpoint, such as account.blob.core.windows.net. A name that is taken anywhere in Azure, or that uses an illegal character, is rejected at creation.
- Redundancy answers two questions: spread within the primary region, and whether to add a second region
Within the primary region you choose LRS (three copies in one datacenter) or ZRS (synchronous copies across three availability zones). Layering a distant secondary region on top gives the geo options: GRS (LRS in primary + async copy to the paired region) or GZRS (ZRS in primary + async copy). The redundancy setting is account-wide, so every service in the account shares one durability profile.
- LRS keeps three copies in one datacenter. It survives hardware failure, not a datacenter loss
Locally redundant storage replicates data three times within a single physical datacenter in the primary region and gives at least eleven 9s (99.999999999%) of durability over a year. It is the lowest-cost option and protects against drive, server, and rack failures, but if that datacenter is destroyed, every replica is lost. Choose it only when data is easily reconstructed or residency rules forbid leaving the region and a zone outage is acceptable.
Trap Treating LRS as protection against a datacenter or zone outage. All three LRS copies sit in one datacenter, so losing it loses everything.
- ZRS spreads three synchronous copies across three availability zones
Zone-redundant storage writes data synchronously across three availability zones in the primary region (each a separate datacenter with independent power, cooling, and networking) and gives at least twelve 9s (99.9999999999%) durability. Reads and writes keep working through a full zone outage. It is the right within-region choice when you must survive losing a whole datacenter but data must stay in the region.
- GRS and GZRS add a distant secondary region; they differ only in how the primary spreads copies
Both geo options copy data asynchronously to a paired secondary region hundreds of miles away and give at least sixteen 9s (99.99999999999999%) durability. The only difference is the primary region: GRS uses LRS there, GZRS uses ZRS there (so GZRS also survives a primary-region zone outage). In the secondary region both always use LRS. Use a geo option to survive a region-wide disaster.
Trap Thinking GRS and GZRS differ in the secondary region. Both use LRS in the secondary; the difference (LRS vs ZRS) is entirely in the primary region.
3 questions test this
- A logistics company runs a critical application in an Azure region that supports availability zones. The storage solution must remain…
- You are designing storage for a global retail platform hosted in an Azure region that supports availability zones. The solution must keep…
- A mission-critical application stores data in an Azure Storage account. The solution must keep the data available if a single availability…
- The paired secondary region is fixed by your primary and can't be chosen
When you create a geo-redundant account you pick the primary region; Azure determines the paired secondary region automatically, and it cannot be changed. The pairing is a hundreds-of-miles-away region in the same geography, so you can't, for example, point a West Europe account's secondary at a US region. If a scenario needs a specific secondary, geo-redundancy can't deliver it.
- Geo-replication is asynchronous, so a primary disaster can lose recent writes (non-zero RPO)
Writes commit in the primary region first and replicate to the secondary asynchronously, so the secondary trails the primary. The gap between the last primary write and the last write that reached the secondary is the recovery point objective (RPO), and it is non-zero: a disaster that destroys the primary before it catches up loses that window of data. This is the inherent trade for cross-region protection.
- A GRS/GZRS secondary isn't readable or writable until you initiate account failover
With plain GRS or GZRS the secondary copy exists for durability but is inaccessible during normal operation; you cannot read or write it. If the primary region is lost, you trigger a customer-managed account failover, after which the secondary becomes the new primary and serves reads and writes. To read the secondary before any failover, you instead need the read-access variant.
Trap Expecting to read a plain GRS account's secondary copy during a primary outage. GRS gives no secondary read access; that requires RA-GRS, or an account failover first.
- RA-GRS and RA-GZRS add read-only access to the secondary via the -secondary endpoint
The read-access variants RA-GRS and RA-GZRS let an application read the secondary copy at any time (including before a failover) through a read-only endpoint formed by appending -secondary to the account name (e.g. myaccount-secondary.blob.core.windows.net), using the same access keys. Choose RA- when the app must keep serving reads during a primary-region outage without waiting for failover.
4 questions test this
- You are designing storage for a global retail platform hosted in an Azure region that supports availability zones. The solution must keep…
- You are designing an Azure Storage account in a region that supports availability zones. A reporting application in another region must be…
- Your company runs a business-critical web application that stores customer data in an Azure Storage account in the East US region.…
- Your organization runs reporting workloads that read large volumes of data from an Azure Storage account in the West Europe region. If the…
- Azure Files can't use RA-GRS or RA-GZRS
Azure Files supports LRS, ZRS, and the geo options GRS and GZRS, but it does not support read access to the secondary region: there is no RA-GRS or RA-GZRS for file shares. If a requirement asks to read a file share's secondary copy before failover, it cannot be satisfied; plan failover-based recovery instead. (RA- read access applies to Blob, Queue, and Table.)
Trap Choosing RA-GRS for an Azure Files share to get secondary read access. Azure Files doesn't support the RA- variants, only LRS/ZRS/GRS/GZRS.
- The archive blob tier needs LRS, GRS, or RA-GRS, never a ZRS-based option
The archive access tier for block blobs is supported only on LRS, GRS, and RA-GRS accounts. It is not supported on ZRS, GZRS, or RA-GZRS. So if a scenario both requires zone redundancy and uses the archive tier, those constraints conflict and you can't have both on the same account.
Trap Putting archive-tier blobs in a GZRS or ZRS account. The archive tier isn't supported on any zone-redundant option; use LRS, GRS, or RA-GRS.
3 questions test this
- You have an Azure Storage account configured with zone-redundant storage (ZRS). You plan to use lifecycle management policies to move…
- You have an Azure Storage account configured with zone-redundant storage (ZRS). You plan to create a lifecycle management policy to…
- You have an Azure Storage account with the following configuration: Account type: General-purpose v2. Redundancy: Zone-redundant storage…
- Object replication asynchronously copies block blobs from a source account to a destination account
Object replication is a blob feature, separate from account redundancy: it asynchronously copies block blobs from a source storage account to a destination account you can read and use directly, to cut read latency in a distant region, distribute compute, or stage results. It is one-directional, and the source and destination can be in the same or different regions, subscriptions, or even Microsoft Entra tenants.
- Object replication requires versioning on both accounts and change feed on the source
Before object replication works, blob versioning must be enabled on both the source and destination accounts, and change feed must be enabled on the source (Azure reads the change feed to discover new writes to replicate). Both accounts must be general-purpose v2 or premium block blob. Miss any of these prerequisites and the policy won't replicate.
Trap Enabling object replication without turning on blob versioning on both accounts and change feed on the source. Those are hard prerequisites, not optional.
- Object replication handles block blobs only, not append or page blobs
Object replication supports block blobs exclusively; append blobs and page blobs are not replicated, and accounts with a hierarchical namespace (Data Lake Storage) aren't supported. If a workload needs to replicate page or append blobs, object replication is the wrong tool. By default a rule copies only new block blobs written after the rule is created, though you can opt to also copy existing blobs.
Trap Expecting object replication to copy page or append blobs. It copies block blobs only; the others are unsupported.
- The object replication destination container is read-only while the policy is active
Object replication is one-directional: once a policy is active, the destination container rejects writes with HTTP 409 (Conflict). Reads and deletes are allowed, but to write to the destination you must first remove the rule or the whole policy. You create the policy on the destination account (Azure assigns a policy ID), then apply that same policy ID on the source so both ends match.
- Encryption at rest is always on (256-bit AES) and cannot be disabled
Every storage account encrypts all data at rest automatically with 256-bit AES service-side encryption, which is FIPS 140-2 compliant and covers blobs, files, queues, and tables (including metadata, every access tier, and both primary and secondary regions). There is no option and no cost to turn it off: the only thing you configure is who controls the key.
Trap Treating storage encryption at rest as an optional setting you enable. It is always on and can't be disabled; only key management is configurable.
- Microsoft-managed keys are the default; customer-managed keys give you control
By default a storage account encrypts with a Microsoft-managed key (Microsoft stores and rotates it, zero config). Switch to a customer-managed key (CMK) when you must control rotation, auditing, or revocation. You can switch between Microsoft-managed and customer-managed keys at any time, and applying a CMK to an existing account takes effect immediately without re-encrypting your data.
- A customer-managed key lives in Key Vault or Managed HSM, reached via a managed identity
A customer-managed key must be stored in Azure Key Vault or Azure Key Vault Managed HSM, and that vault must have both soft delete and purge protection enabled. The storage account accesses the key through a managed identity (system-assigned or user-assigned) that holds get, wrapKey, and unwrapKey permissions on the key. The CMK wraps the account's root encryption key rather than encrypting data directly, so disabling the key in the vault revokes access (operations then fail 403) without re-encrypting anything.
Trap Configuring a CMK on a key vault without soft delete and purge protection enabled. Both are required, or the configuration is rejected.
- Infrastructure encryption double-encrypts, but only if enabled at account creation
Infrastructure encryption adds a second layer: data is encrypted twice, once at the service level and once at the infrastructure level, with two different 256-bit AES keys and algorithms, so a single compromised key or algorithm still leaves data protected. The infrastructure layer always uses a separate Microsoft-managed key even if the service layer uses your CMK. The catch: it can only be enabled when the account is created, you can't add it to an existing account.
Trap Planning to enable infrastructure (double) encryption on an existing account. It's a create-time-only option; you'd have to make a new account and copy the data.
- AzCopy is the CLI for scripted, high-throughput transfers; Storage Explorer is the GUI for ad hoc work
AzCopy is a cross-platform command-line utility (Windows, Linux, macOS) for copying data to, from, or between storage accounts, the right tool for scripted, repeatable, or bulk transfers. Azure Storage Explorer is a free desktop GUI for point-and-click browsing and management, ideal for occasional interactive work; it uses AzCopy under the hood for its bulk transfers. Choose AzCopy when a scenario says 'script', 'automate', or 'large/efficient'; choose Storage Explorer for an occasional manual upload.
Trap Reaching for Storage Explorer's GUI to move terabytes in a repeatable script. That's AzCopy's job; Storage Explorer is for interactive, ad hoc use.
7 questions test this
- Your operations team must transfer several hundred gigabytes of blobs between two containers in different storage accounts. The team wants…
- You support a marketing analyst who works on a Windows workstation and has no scripting or command-line experience. The analyst…
- A build server runs an existing PowerShell automation workflow each night. You need to add a step that transfers a large set of generated…
- A newly hired administrator needs to organize blobs in an Azure storage account by visually navigating a tree-style view and dragging and…
- You need to interactively inspect and manage blobs, file shares, queues, and tables, and create stored access policies, across several…
- A consultant on a short-term engagement is given a shared access signature (SAS) URI to a single container. The consultant needs to…
- You support a help-desk team that occasionally needs to view individual queue messages and table entities in an Azure storage account and…
- azcopy copy moves data; azcopy sync makes the destination match the source
AzCopy's two core commands: azcopy copy copies source data to a destination (local-to-Azure, Azure-to-local, or account-to-account server-to-server), and azcopy sync performs one-directional synchronization so the destination ends up matching the source, transferring only what changed on re-runs. Use sync when you must keep a destination continuously aligned with a source rather than copying everything each time.
- AzCopy authenticates with Microsoft Entra ID (azcopy login) or a SAS token on the URL
AzCopy supports two authorization methods: Microsoft Entra ID (run azcopy login once and reuse the credential across commands) or a shared access signature (SAS) token appended to each source or destination URL. Owning the storage account does not by itself grant data access, so you must provide one of these. Entra ID suits interactive or managed-identity use; a SAS token suits handing scoped, time-limited access to a script without sign-in.
- A key expiration policy is a rotation reminder, and you must rotate each key once before setting it
A key expiration policy sets an interval and surfaces a reminder in the portal when the access keys haven't been rotated in time. It does not rotate keys automatically. You cannot create the policy until each access key has been rotated at least once; if keyCreationTime is null the Set rotation reminder option is greyed out. The built-in Azure Policy 'Storage account keys should not be expired' then reports which accounts are out of compliance.
7 questions test this
- You have an Azure Storage account named storage1. You plan to configure a key expiration policy to ensure that storage account access keys…
- You have an Azure subscription that contains a storage account named storage1. You plan to manually rotate the access keys for storage1…
- You have an Azure storage account named storage1. You need to configure a key expiration policy that sets a reminder to rotate the access…
- You have an Azure storage account named storage1. You plan to manually rotate access keys on a regular schedule. You need to configure a…
- You have an Azure Storage account named storage1. You need to configure a policy that will display a reminder in the Azure portal when the…
- You have an Azure subscription that contains multiple storage accounts. You need to use Azure Policy to monitor whether storage account…
- Your organization's governance team requires that the access keys on all Azure storage accounts be rotated at least every 90 days, and they…
Files and Blob Storage
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Compute Resources
ARM Templates and Bicep
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Virtual Machines
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- An availability set needs 2+ VMs to earn the 99.95% SLA
An availability set is a single-datacenter grouping that spreads VMs across fault and update domains, but the 99.95% Azure SLA applies only when you place two or more VMs in the set: a set with one VM gives no redundancy and no set-level SLA. The set itself is free; you pay only for the VM instances. Because the spreading is inside one datacenter, it protects against hardware, power, and switch failures but not a datacenter-wide outage.
Trap Expecting the 99.95% availability-set SLA from a single VM in the set. The SLA requires two or more VMs across the fault domains.
- Availability zones cross datacenters for the 99.99% SLA
Availability zones are physically separate zones within a region, each with independent power, cooling, and networking, and every zone-enabled region has three of them. Spreading a workload's VMs across two or more zones earns the 99.99% SLA and survives the loss of a whole datacenter, the resilience an availability set cannot provide. The cost is slightly higher VM-to-VM latency than an availability set, whose VMs are physically closer.
8 questions test this
- You have an Azure subscription that contains a virtual network named VNet1 in the West US 2 region. The region supports three availability…
- You have an Azure subscription that contains a region that supports Availability Zones. You plan to deploy a highly available application…
- You have an Azure subscription that contains a resource group named RG1. You plan to deploy eight virtual machines that will host a highly…
- You have an Azure subscription that contains a web application running on multiple virtual machines. The virtual machines are deployed in…
- You plan to deploy several virtual machines that will host a business-critical web application in the East US Azure region. The application…
- You have an Azure subscription. You plan to deploy a highly available application that requires low latency between virtual machines. The…
- Your company has a business-critical application that requires the highest possible virtual machine availability within a single Azure…
- Your company is deploying a critical web application in Azure. You need to achieve the highest possible SLA for virtual machine…
Azure grants a 99.9% single-instance VM SLA, but only when the OS and all data disks are Premium SSD or Ultra Disk; a VM using Standard storage gets no single-instance SLA. This is the floor option with no redundancy grouping, appropriate only when an outage of that one VM is tolerable. For anything that must stay up, spread VMs across an availability set or zones.
Trap Claiming a single VM with Standard HDD/SSD disks carries the 99.9% SLA. The single-instance SLA requires Premium SSD or Ultra Disk on every disk.
- An availability set has up to 3 fault domains and 20 update domains, fixed at creation
Azure assigns each VM in an availability set a fault domain (a group sharing a power source and network switch, up to 3) and an update domain (a group rebooted together during planned maintenance, up to 20). Only one update domain reboots at a time, with 30 minutes to recover before the next. Both counts are set when the availability set is created and cannot be changed afterward, so size them up front.
3 questions test this
- You have an Azure subscription that contains an availability set named AVSet1. AVSet1 is configured with 2 fault domains and 10 update…
- You are configuring an availability set for a new deployment. You need to configure the maximum number of fault domains and update domains…
- You have an Azure subscription. You plan to create an availability set named AS1 to host virtual machines for a critical database…
- Fault domains isolate hardware failure; update domains isolate maintenance reboots
The two domain types answer different failure modes. A fault domain is a physical boundary: VMs in different fault domains don't share a power source or network switch, so a hardware fault hits only one. An update domain is a maintenance boundary: Azure reboots update domains one at a time during host updates, so a planned reboot never takes the whole set down at once. An availability set distributes VMs across both simultaneously.
3 questions test this
- You are designing the compute layer for a line-of-business application. The application includes a single database server that maintains…
- You are creating an availability set for a new application deployment. You need to configure the availability set to protect against both…
- You have an Azure availability set configured with 5 update domains. You deploy 12 virtual machines to this availability set. Azure…
- Availability sets can't autoscale. Use a scale set when capacity must follow demand
Availability sets provide redundancy but have no automatic scaling: the instance count is whatever you deployed. When a workload must add instances under load and remove them when idle, you need a Virtual Machine Scale Set, which autoscales horizontally on a metric (such as average CPU) or a schedule. Reach for the availability set only when the instance count is fixed and you just need redundancy.
Trap Choosing an availability set for a workload that must scale out and in with demand. Availability sets never autoscale; a Virtual Machine Scale Set does.
- Flexible orchestration is the recommended VMSS mode and is fixed at creation
A Virtual Machine Scale Set's orchestration mode is chosen at creation and can never be changed. Flexible orchestration is Microsoft's recommended mode: it manages standard IaaS VMs with the normal VM APIs, scales to 1,000 instances, can mix VM sizes, operating systems, and Spot with on-demand instances, and spreads instances across fault domains and availability zones. Uniform orchestration instead deploys identical instances from one profile for very large, homogeneous fleets.
Trap Planning to switch a scale set from Uniform to Flexible later. Orchestration mode is immutable after the scale set is created.
- VMSS autoscale is horizontal; changing a VM's size is a separate resize
Autoscale on a Virtual Machine Scale Set is horizontal: it adds instances (scale out) when a metric crosses a threshold and removes them (scale in) when load drops, or follows a schedule. Increasing an individual VM's vCPU/memory is vertical scaling and is a resize operation, not autoscale. A question describing 'more power per instance' points to a resize; 'more instances under load' points to scale-set autoscale.
Trap Treating a VM resize (bigger SKU) as autoscale. Autoscale changes the instance count horizontally, while a resize changes one VM's size vertically.
- Managed disks come in five types; Ultra and Premium SSD v2 can't be the OS disk
The five managed disk types in ascending performance are Standard HDD, Standard SSD, Premium SSD, Premium SSD v2, and Ultra Disk, with IOPS ceilings of about 2,000–3,000, 6,000, 20,000, 80,000, and 400,000 respectively. The OS disk must be Premium SSD, Standard SSD, or Standard HDD: Ultra Disk and Premium SSD v2 are data-disk-only. A high-IOPS database VM therefore pairs a Premium SSD OS disk with an Ultra or Premium SSD v2 data disk.
Trap Selecting Ultra Disk or Premium SSD v2 as the OS disk. Both can only be attached as data disks; the OS disk falls back to Premium SSD, Standard SSD, or Standard HDD.
- Ultra Disk doesn't support availability sets. Only single VM or availability zones
Ultra Disk supports single-VM and availability-zone deployments but not availability sets. A scenario that needs both the highest disk IOPS (Ultra Disk) and platform redundancy must use an availability zone, not an availability set. This pairs with Ultra's other limits: it can't be an OS disk and doesn't support disk caching.
Trap Attaching an Ultra Disk to a VM in an availability set. Ultra Disk is unsupported there; use a single VM or an availability zone instead.
- The temp disk is non-persistent. Never store durable data on it
Every VM has a temp disk (drive D: on Windows, /dev/sdb on Linux) for scratch data such as a page or swap file. It is local to the host, not a managed disk, and its contents are wiped on deallocation or when Azure migrates the VM to another host. Anything that must survive belongs on the OS disk or a data disk, both of which are persistent managed disks.
Trap Placing application data or a database file on the temp disk. It is wiped on deallocation/host migration, so durable data must go on a managed OS or data disk.
- Server-side encryption is always on but doesn't cover the temp disk
Server-side encryption (SSE), also called encryption-at-rest, is always enabled on managed disks and can't be turned off; it encrypts the OS and data disks with platform-managed keys, or customer-managed keys when you attach a Disk Encryption Set (DES). Its boundary is the testable point: SSE does not encrypt the temp disk or disk caches. To cover those, layer on encryption at host.
Trap Assuming default SSE encrypts the temp disk and caches. It covers only the persisted OS and data disks; the temp disk needs encryption at host.
- Encryption at host covers temp disk and caches without using VM CPU
Encryption at host extends SSE so the temp disk, disk caches, and data flowing between the VM and storage are all encrypted, and it runs on the Azure host rather than inside the guest, so it consumes no VM CPU. It is Microsoft's recommended encryption option for new VMs and is what Microsoft Defender for Cloud's 'encrypt temp disks, caches, and data flows' recommendation detects. Choose it when the temp disk must be encrypted without a guest agent.
- Azure Disk Encryption uses BitLocker/DM-Crypt in the guest and needs a Key Vault
Azure Disk Encryption (ADE) encrypts the OS and data disks from inside the guest OS (BitLocker on Windows, DM-Crypt on Linux) and integrates with Azure Key Vault to store the disk-encryption keys, so an ADE deployment requires a Key Vault. Because it runs in the guest, ADE uses the VM's CPU and doesn't work for custom Linux images. A stem naming BitLocker or DM-Crypt is describing ADE specifically.
Trap Configuring ADE without an Azure Key Vault. ADE stores its keys in Key Vault, so the deployment fails without one.
- Prefer encryption at host over ADE. ADE retires September 15, 2028
Azure Disk Encryption is scheduled for retirement on September 15, 2028, after which ADE-encrypted disks will fail to unlock on reboot. Microsoft directs new VMs to encryption at host, which covers more (temp disk and caches) without using VM CPU. For a new long-lived VM, encryption at host is the forward-looking answer; ADE remains only for the specific BitLocker/DM-Crypt-in-guest requirement.
- Moving a VM by resource group or subscription never changes its region
Moving a VM to another resource group or subscription only re-parents it: the physical region is unchanged and the VM keeps running. To relocate a VM to a different region you must replicate it with Azure Resource Mover or Azure Site Recovery; the move-resource-group operation can't change a resource's region. A question asking how to move a VM 'to another region' is testing that distinction.
Trap Using a move-to-resource-group or move-to-subscription operation to relocate a VM to a new region. Those never change the region; use Azure Resource Mover or Site Recovery.
3 questions test this
- Your organization uses two Azure subscriptions named Sub1 and Sub2 that are associated with the same Microsoft Entra tenant. A virtual…
- You have an Azure subscription that contains a virtual machine named VM1 located in the East US region. Because of new data residency…
- You have an Azure subscription that contains two resource groups named RG1 and RG2 in the same subscription and the same region. A virtual…
- A cross-subscription move requires the same Entra tenant and locks both resource groups
Moving a VM across subscriptions requires both subscriptions to belong to the same Microsoft Entra ID (formerly Azure Active Directory) tenant, and the VM must move together with its dependent resources (disks, NIC, and virtual network). During the move both the source and target resource groups are locked for up to four hours, so you can't create, delete, or resize resources in them while it runs.
Trap Expecting a cross-subscription move to work across two different Entra tenants. Both subscriptions must share one tenant first (transfer billing ownership otherwise).
3 questions test this
- Your organization uses two Azure subscriptions named Sub1 and Sub2 that are associated with the same Microsoft Entra tenant. A virtual…
- You have an Azure subscription that contains a virtual machine named VM4 in a resource group named RG-Old. VM4 uses managed disks, a…
- Your organization has two Azure subscriptions named Sub1 and Sub2. Sub1 is associated with a Microsoft Entra tenant named Tenant1, and Sub2…
- A move changes the resource ID and orphans role assignments
Because a resource ID embeds the subscription and resource group, moving a VM changes its ID: any scripts, dashboards, or templates referencing the old ID must be updated. Azure role assignments are not carried across the move and become orphaned, so you must recreate them on the moved resource. Plan to re-point references and re-grant RBAC after a move.
- Resizing across VM families may force a deallocation
A VM's size (SKU) fixes its vCPU, memory, and feature support, and sizes are grouped into families by purpose (general purpose, compute optimized, memory optimized, storage optimized, GPU). You can resize a running VM if its current host cluster supports the target size; if it doesn't (often when moving to a different family) the VM must be stopped (deallocated) first and restarts on a new cluster. Not every size is offered in every region.
Trap Assuming any resize is hot. Moving to a size the current host cluster doesn't support requires deallocating the VM first.
- The scale set and availability set resources are free; you pay for instances
Neither a Virtual Machine Scale Set nor an availability set carries a charge for the grouping construct itself: billing is purely for the VM instances they contain (plus their disks and networking). This means the redundancy or autoscaling capability is free to adopt; cost scales only with the number and size of running instances.
- The Custom Script Extension times out after 90 minutes
A Custom Script Extension run is allowed up to 90 minutes; a script that runs longer fails the extension with a timeout. For long jobs, split the work into scripts that each finish inside 90 minutes. This 90-minute limit is an exception to the shorter timeout most other VM extensions use.
Trap Assuming the Custom Script Extension shares the shorter timeout of most VM extensions and letting a long job run past 90 minutes; it caps at 90 minutes and then fails with a timeout.
5 questions test this
- You have an Azure subscription that contains a Linux virtual machine named VM1. You deploy the Custom Script Extension to VM1 to run a…
- You have an Azure virtual machine named VM1 that runs Ubuntu 22.04. You deploy the Custom Script Extension to VM1 to run a Bash script for…
- You deploy an Azure virtual machine running Windows Server. You need to use the Custom Script Extension to run a PowerShell script that…
- You have an Azure virtual machine named VM1 that runs Windows Server. You plan to use the Custom Script Extension to run a PowerShell…
- You deploy a Windows virtual machine in Azure and use the Custom Script Extension to run a post-deployment configuration script. The script…
- VM extensions need a healthy Azure VM Agent and access to 168.63.129.16
The Azure VM Agent must be installed and reporting Ready for any extension to install or run; if it is missing or unhealthy, extensions fail. The agent signals readiness over the Azure platform IP 168.63.129.16 (WireServer, ports 80/tcp and 32526/tcp), so a guest firewall or NSG that blocks it breaks extensions. An extension already in a failed provisioning state will also block any new extension until it is fixed.
Trap Blaming a failed extension on the script while a guest firewall or NSG blocks 168.63.129.16 or the VM Agent is unhealthy; the agent must report Ready and reach the WireServer IP first.
4 questions test this
- You have an Azure subscription that contains a Windows Server virtual machine named VM1. You need to install and run the Custom Script…
- You plan to deploy VM extensions to multiple Azure virtual machines. You discover that extensions are failing to install on several VMs.…
- You have an Azure virtual machine named VM1. VM1 has a VM extension named Extension1 that is in a Failed provisioning state. You attempt to…
- You are deploying an Azure virtual machine by using an ARM template. The template includes the Custom Script Extension to configure the VM…
- Azure Disk Encryption needs a same-region Key Vault enabled for disk encryption and a supported VM size
Azure Disk Encryption requires a Key Vault in the same region and subscription as the VM, with the vault's 'Enabled for disk encryption' access policy turned on. ADE is not supported on Basic or A-series VMs (or VMs with under 2 GB RAM), and you set VolumeType=All to encrypt both OS and data disks. You cannot apply ADE to a VM whose disks use server-side encryption with customer-managed keys (SSE + CMK).
Trap ADE (in-guest BitLocker/DM-Crypt) and SSE with customer-managed keys are mutually exclusive. Pick one.
5 questions test this
- You have an Azure subscription that contains a Windows virtual machine named VM1 with a Premium SSD managed disk. You need to enable Azure…
- You have an Azure subscription that contains a virtual machine named VM1 running Windows Server 2019. VM1 has a Premium SSD managed disk…
- You have an Azure subscription that contains a Windows virtual machine named VM1. You need to enable Azure Disk Encryption on VM1. You plan…
- You have an Azure subscription that contains an Azure virtual machine named VM1 running Windows Server 2022. You plan to enable Azure Disk…
- You have an Azure subscription that contains a Windows virtual machine named VM1. You need to enable Azure Disk Encryption on VM1 using the…
- You can only place a VM in an availability set at creation. Change it by recreating the VM
A VM's availability set is fixed at creation; you cannot add or move an existing VM into (or between) availability sets. To do it, delete the VM while keeping its managed disks, then recreate the VM from those disks specifying the target availability set, which preserves the data.
Trap Expecting to move an already-running VM into an availability set in place; the set is fixed at creation, so you must delete and recreate the VM from its disks.
4 questions test this
- You have an Azure subscription that contains a virtual machine named VM1. VM1 was deployed without specifying an availability set. You need…
- You have an Azure subscription that contains a virtual machine named VM1. VM1 is in an availability set named AS1. You need to move VM1 to…
- You have an existing Azure virtual machine named VM1 that is running in a resource group named RG1. VM1 is not associated with any…
- You have an Azure subscription that contains a virtual machine named VM1. VM1 was deployed without using an availability set. You need to…
- Default availability set: 3 fault domains, 5 update domains; use the Aligned SKU for managed disks
A new availability set defaults to 3 fault domains and 5 update domains (update domains can be raised up to 20). For VMs with managed disks, set the availability set sku.name to Aligned so storage fault domains align with compute. The maximum managed-disk fault domains varies by region (some regions support only 2) so configure no more fault domains than the region allows.
Trap Leaving an availability set on the default Classic SKU for managed-disk VMs; managed disks require the Aligned SKU so storage fault domains align with compute.
3 questions test this
- You are creating an Azure Resource Manager template to deploy an availability set for virtual machines that will use managed disks. You…
- You have an Azure subscription that contains an availability set named AS1. AS1 was created with the default settings for fault domains and…
- You are creating an availability set for virtual machines that will use managed disks in the West US 2 region. The region supports 2…
Containers
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
App Service
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Virtual Networking
Virtual Networks
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- A VNet lives in one region and one subscription but spans every zone in that region
An Azure virtual network is scoped to a single region and a single subscription, yet it automatically spans all availability zones in that region, so you never split or size a VNet by zone. Resources in different subnets of the same VNet route to each other by default with no configuration. To connect VNets that are in different regions or subscriptions, you use peering, not a single larger VNet.
- Azure reserves 5 addresses in every subnet, so a /24 yields 251 usable hosts
Every subnet loses five addresses to Azure: the network address (.0), the default gateway (.1), two for Azure-mapped DNS (.2 and .3), and the broadcast address (last). A /24 therefore gives 251 usable host IPs, not 256, and the smallest usable subnet is a /29 (8 minus 5 = 3 usable). This is why a /29 handed to you in a stem holds 3 VMs, not 6.
Trap Assuming a /29 gives 6 usable IPs by counting only the .0 and broadcast: Azure reserves three more (gateway and two DNS), leaving just 3.
- Subnet delegation hands a subnet to a PaaS service to inject its instances
Subnet delegation designates a subnet for a specific Azure PaaS service (such as Azure SQL Managed Instance or App Service integration) so that service can deploy its own instances into the subnet and manage relevant subnet settings. A delegated subnet is dedicated to that service. Use it when a managed service requires VNet injection rather than just a service or private endpoint.
7 questions test this
- You have an Azure subscription that contains a virtual network named VNet1 with a subnet named Subnet1. You plan to delegate Subnet1 to an…
- You have an Azure virtual network named VNet1 that contains a subnet named Subnet1. You need to configure Subnet1 to allow Azure App…
- You have an Azure virtual network named VNet1 that contains a subnet named Subnet1. You plan to delegate Subnet1 to Azure NetApp Files.…
- You have an Azure subscription that contains a virtual network named VNet1. You plan to deploy Azure Database for PostgreSQL Flexible…
- You have an Azure subscription that contains an Azure virtual network named VNet1. You need to deploy an App Service Environment that will…
- You have an Azure virtual network named VNet1 that contains a subnet named Subnet1. Subnet1 is delegated to Microsoft.Web/serverFarms for…
- You plan to deploy Azure NetApp Files in your Azure subscription. You need to create a subnet that will host the Azure NetApp Files…
- Peering keeps traffic on the Microsoft backbone with no gateway or encryption
VNet peering connects two virtual networks so resources reach each other by private IP, with traffic staying entirely on the Microsoft backbone: no public internet, no VPN gateway, and no encryption are involved. Regional peering connects VNets in the same region; global peering connects VNets across regions. Both can cross subscriptions and Microsoft Entra tenants and carry a nominal ingress/egress data charge.
Trap Assuming peering needs a VPN gateway or that traffic traverses the public internet: peered traffic is private on the Azure backbone with no gateway required.
- VNet peering is non-transitive, so spokes can't reach each other through a hub
If A peers with hub H and H peers with B, A still cannot reach B: peering never routes transitively through an intermediate VNet. To make a hub-and-spoke route spoke-to-spoke or spoke-to-on-premises, you put a network virtual appliance or firewall in the hub and steer traffic to it with user-defined routes (service chaining), or use Azure Virtual Network Manager / Virtual WAN. This non-transitivity is the single most-tested peering property.
Trap Assuming a spoke peered to a hub automatically reaches the hub's other peers: transit requires an NVA/gateway in the hub plus UDRs, not peering alone.
- Peered VNets must have non-overlapping address spaces
You cannot peer two VNets whose CIDR ranges overlap: for example two 10.0.0.0/16 networks. Plan address spaces up front, or re-IP / resize one VNet's range before creating the peering. Overlapping spaces make the routes ambiguous, so Azure blocks the peering.
Trap Trying to peer two VNets that both use 10.0.0.0/16: overlapping ranges are rejected; one side must be re-addressed first.
- Share a hub gateway with 'Allow gateway transit' on the hub and 'Use remote gateways' on the spoke
Because a VNet can have at most one gateway, gateway transit lets spokes use the hub's VPN or ExpressRoute gateway instead of deploying one each. It is a per-peering setting on both ends: enable Allow gateway transit on the hub side and Use remote gateways on the spoke side. A spoke that uses a remote gateway must not have its own gateway, and transit works on both regional and global peering.
Trap Setting Use remote gateways on a spoke that already has its own gateway: a VNet can have only one gateway, so the configuration is invalid.
- New public IPs are Standard SKU: Basic was retired in September 2025
The Basic public IP SKU was retired on September 30, 2025, so every new design uses the Standard SKU. Standard differs in three ways: allocation is always static, it is secure by default, and it is zone-redundant by default in zone-enabled regions. A public IP is a separate resource you attach for inbound internet connectivity; outbound already works through an Azure-assigned ephemeral address without one.
- Standard public IPs are always static, so the address never changes on stop/start
A Standard SKU public IP uses static allocation: the address is fixed at creation and stays until you delete the resource. This matters whenever something external depends on a stable address: firewall allow-lists, DNS A records, IP-based security models, or TLS certificates bound to the IP. (Basic's dynamic IPv4 could change when a VM was stopped and started, the classic 'why did my IP change?' cause.)
- A Standard public IP is closed inbound until an NSG rule allows it
Standard SKU public IPs are secure by default: attaching one to a VM does not open inbound traffic. the resource stays closed until a network security group rule explicitly permits it. If a VM with a Standard public IP is unreachable, a missing NSG allow rule is the first thing to check. (Basic public IPs were open by default, which is the behavior people wrongly expect from Standard.)
Trap Expecting a Standard public IP to be reachable as soon as it's attached: it's secure by default, so inbound is blocked until an NSG rule allows it.
- Azure builds a system route table for every subnet that you can't delete
Each subnet automatically gets system routes: a Virtual network route for intra-VNet traffic, a 0.0.0.0/0 route to the Internet, and None routes that drop the RFC 1918 private ranges. You cannot create or delete system routes, but you can override specific ones with user-defined routes. Azure also adds optional system routes (Virtual network peering, Virtual network gateway) as you enable those features.
- A UDR's next hop is one of five types, and peering/service-endpoint are not options
User-defined routes live in a route table you create and associate to a subnet (each subnet has zero or one table). A UDR's next hop is exactly one of: Virtual appliance, Virtual network gateway, Virtual network, Internet, or None. You cannot specify Virtual network peering or a service endpoint as a UDR next hop: Azure creates those route types only when you configure the feature itself.
Trap Trying to set 'Virtual network peering' or a service endpoint as a UDR next hop: only Azure creates those routes; they aren't selectable next-hop types in a UDR.
- Force all outbound traffic through a firewall with a UDR for 0.0.0.0/0 (forced tunneling)
Forced tunneling overrides Azure's default internet route by adding a UDR for 0.0.0.0/0 whose next hop is a firewall appliance or the VPN/ExpressRoute gateway, then associating the route table to the subnet. All outbound traffic is then sent to that next hop for inspection or on-premises egress instead of going directly to the internet. This is the canonical use of a UDR.
3 questions test this
- You have an Azure virtual network that contains a subnet named Subnet1 and a network virtual appliance (NVA) named NVA1 that performs…
- You have an Azure virtual network named VNet1 that contains two subnets named Subnet1 and Subnet-NVA. You deploy a network virtual…
- You have a virtual network that contains a subnet named Subnet1. You deploy a network virtual appliance (NVA) that performs traffic…
- A subnet can have at most one route table
You associate a single route table to a subnet, never two. Consolidate all custom routes into one table; longest-prefix-match and the UDR-over-system priority resolve precedence within it. A route table can be associated to many subnets, but each subnet points to only one table.
Trap Trying to attach two route tables to one subnet to combine rule sets: a subnet supports only one; merge the routes into a single table.
- Longest prefix match wins first; only on an exact prefix tie does source priority decide
Azure selects a route by longest-prefix-match: 10.0.0.0/24 beats 10.0.0.0/16 for 10.0.0.5 because it is more specific, regardless of where each route came from. Source priority (user-defined route, then BGP route, then system route) is the tiebreaker only when two routes share the same prefix. That tie rule is exactly why a UDR for 0.0.0.0/0 overrides the default internet route.
Trap Assuming a UDR always beats a system route: a more-specific system prefix still wins by longest-prefix-match; UDR priority applies only on an exact prefix tie.
5 questions test this
- You have an Azure virtual network that is connected to your on-premises network through an ExpressRoute circuit. The ExpressRoute gateway…
- You have an Azure virtual network connected to an on-premises network through a VPN gateway. The VPN gateway propagates routes via BGP. You…
- You have an Azure virtual network that contains the following route configurations for a subnet: A system route with address prefix…
- You have an Azure virtual network with a subnet that has a route table associated with it. The route table contains the following…
- You have an Azure virtual network connected to an on-premises network through ExpressRoute. The on-premises network advertises the route…
- VNet, peering, and service-endpoint routes are preferred and can't be overridden by a UDR
Routes for the VNet itself, for VNet peerings, and for virtual-network service endpoints are preferred system routes that a UDR cannot override, even with a more-specific prefix. In particular a service-endpoint route always wins for that service's addresses. This is the exception to the normal 'UDR overrides system route' rule.
Trap Writing a UDR to redirect service-endpoint or peering traffic: those preferred system routes can't be overridden, so the UDR is ignored for them.
- Read effective routes on a NIC to see which route actually wins
The routes you author aren't necessarily the routes that run: Azure merges your UDRs with system and BGP routes and applies the selection rules, and the result is the effective routes on a network interface. View them per NIC (Portal Effective routes, or az network nic show-effective-route-table) to confirm the final next hop for a destination. A present 'Virtual network peering' route here is also your proof that a peering exists and is synced.
- Every VNet resource gets outbound internet access by default, no public IP needed
All resources in a VNet can reach the internet outbound by default, through an Azure-assigned ephemeral IP, even with no public IP attached. A public IP (or public load balancer) is required only for inbound reachability. This is why outbound connectivity 'just works' but a VM is not reachable from the internet until you give it a public endpoint.
- A VM acting as an NVA needs IP forwarding enabled to forward traffic
Azure delivers a packet to a NIC only when the destination matches that NIC's own IP, so a VM used as a network virtual appliance silently drops forwarded traffic unless IP forwarding is enabled on its NIC. A Linux/Windows NVA must also enable forwarding inside the guest OS, not just on the Azure NIC.
Trap A correct UDR pointing at the NVA's private IP still black-holes traffic if NIC (or OS) IP forwarding is off.
4 questions test this
- You have an Azure virtual network named VNet1 that contains three subnets named Subnet1, Subnet2, and Subnet3. Subnet1 contains a virtual…
- You have an Azure subscription that contains a virtual network named VNet1. VNet1 has three subnets: Subnet-Web, Subnet-App, and…
- You have an Azure virtual network that contains three subnets named Subnet1, Subnet2, and NVA-Subnet. A virtual machine named VM-NVA is…
- You have an Azure virtual network that contains three subnets: Subnet1, Subnet2, and Subnet3. You deploy a virtual machine named NVA1 to…
Network Security
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
DNS and Load Balancing
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Monitor and Maintain
Azure Monitor
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Metrics are numeric time series; logs are queryable table rows
Azure Monitor stores telemetry as two types. Metrics are numeric values sampled at regular intervals into a time-series database, so they are lightweight and near-real-time and you read them in Metrics Explorer. Logs are richer records held in a Log Analytics workspace and queried with Kusto Query Language (KQL). A number trending over time (CPU %, request count) is a metric; event-level detail (who deleted what, every failed request) is a log.
Trap Reaching for Log Analytics/KQL to chart a simple numeric trend: it works but needs data routed to a workspace first; Metrics Explorer already has platform metrics for free.
- Platform metrics and the activity log are automatic; resource logs are not
Platform metrics (built-in numeric counters) and the activity log (subscription control-plane events) are collected automatically with no configuration. Resource logs, the detailed per-operation logs a service emits, are off by default and produce nothing to query until you create a diagnostic setting. This gap is why a resource shows metrics instantly but its detailed logs are missing from your workspace.
Trap Assuming resource logs appear automatically because metrics did: only metrics and the activity log are automatic; resource logs need a diagnostic setting first.
- A diagnostic setting is what collects resource logs and routes any source to a destination
A diagnostic setting does two jobs: it starts collecting resource logs, and it routes platform metrics, the activity log, or resource logs to a durable destination. Even auto-collected sources need a diagnostic setting to send them somewhere they outlive their default window. You opt platform metrics into a destination with the AllMetrics category, and pick log categories individually or via a category group (audit or allLogs).
- A resource can have at most five diagnostic settings
Each Azure resource supports a maximum of five diagnostic settings. A single setting can send to several destinations at once but only one of each type, so two Log Analytics workspaces (or two storage accounts) require two separate settings, and you cannot exceed five total per resource.
Trap Trying to add a second workspace to one diagnostic setting: a setting allows only one destination of each type, so a second workspace needs a second setting (up to five).
- Pick the diagnostic-setting destination by the verb: query, archive, or stream
The four destinations map to distinct jobs. A Log Analytics workspace is for querying and correlating with KQL, building workbooks, and firing log alerts. An Azure Storage account is the cheapest archive, kept indefinitely, for audit and compliance. Azure Event Hubs is the only destination that streams telemetry live to an external system such as a non-Microsoft SIEM. A partner solution hands off to an integrated third-party platform.
Trap Choosing a Storage account or Log Analytics workspace to feed a real-time external SIEM: only Event Hubs streams out; the others store data for later retrieval.
- Stream to a SIEM with Event Hubs, archive cheaply with a Storage account
When security needs Azure logs streamed into a third-party SIEM in real time, route the diagnostic setting to Azure Event Hubs: the SIEM reads from the hub. When the requirement is keeping audit logs cheaply for years, route to an Azure Storage account, which can be kept indefinitely and supports an immutability policy for tamper-proof records. Storage and Log Analytics hold data; only Event Hubs pushes a live stream.
- Metrics Explorer offers exactly five aggregation types
When reading a metric you choose one of five aggregations: Sum (total of all values in the interval, a.k.a. Total), Count (number of samples, ignoring their values), Average (the values' mean, normally Sum/Count), Min (smallest value), and Max (largest value). Picking the wrong aggregation misreads the data: Count on a request-duration metric tells you how many samples there were, not how long requests took.
- Average is recalculated from Sum and Count, so Min/Max expose spikes it hides
Sum, Count, Min, and Max are pre-aggregated and stored, but Average is never stored: it is recomputed as Sum ÷ Count for the chosen grain. A short spike can vanish from Average and Sum at coarse granularity while still showing in Min and Max, so to catch transient anomalies inspect Max rather than trusting Average alone.
Trap Using Average to detect a brief spike: averaging smooths it out across the interval; Max is the aggregation that still surfaces the peak.
- Metric granularity bottoms out at 1 minute; widen it to cut alert noise
The minimum time granularity (time grain) for charting metrics is 1 minute; coarser grains are computed from the stored 1-minute values. Widening the grain trades detail for noise reduction, which is usually what you want before wiring a metric to an alert so a momentary CPU blip doesn't page you but a sustained one does.
- Split a metric by a dimension to find which instance caused a spike
Dimensions are name-value pairs attached to a metric (for example a per-instance breakdown). In Metrics Explorer you split a chart by a dimension to see each value as its own line, or filter to show only some. Splitting is how you turn an aggregated line that shows a spike into the specific instance responsible for it.
- One Log Analytics workspace lets a single log search alert span subscriptions and regions
Logs from many resources can land in one Log Analytics workspace regardless of their subscription or region, and KQL queries that workspace across all of them. That is why a single log search alert can monitor resources spread across subscriptions and regions at once, whereas a metric alert is generally scoped to resources of one type in one region.
- An alert rule = target + signal/condition + action group
An alert rule binds three things: the target resource to watch, the signal and condition (a metric threshold, a KQL log query, or an activity-log event filter), and an action group to invoke when it fires. Keeping the action group separate from the rule means one action group serves many rules, so you maintain recipients in one place.
- Three alert types map to three signals: metric, log search, activity log
Metric alerts evaluate a metric against a static or dynamic threshold at regular intervals: fast and numeric. Log search alerts run a KQL query against workspace logs at a set frequency, for event detail and cross-resource conditions. Activity log alerts fire on a new control-plane event matching a filter. Resource Health and Service Health alerts are themselves activity log alerts.
Trap Treating Resource Health or Service Health as their own alert category: both are implemented as activity log alerts.
- An action group bundles reusable notifications and actions
An action group is a named, reusable set of notifications (email, SMS, push, voice) and actions (webhook, secure webhook, Azure Function, Logic App, ITSM, automation runbook, Event Hub). Many alert rules reference the same action group, so the on-call list or remediation runbook is defined once and changed in one place rather than per rule.
3 questions test this
- You have an Azure subscription. You need to configure alerts to notify your operations team when Azure performs planned maintenance that…
- You are configuring an action group in Azure Monitor to notify your operations team when alerts are triggered. You need to configure…
- You are an Azure administrator for your company. You need to configure alerts to notify your team when Azure service issues or planned…
- An alert carries a system condition (fired/resolved) and a user response (New/Acknowledged/Closed)
Each fired alert has two independent states. The monitor condition is system-set: fired while the condition holds, then resolved when it clears (a stateful metric alert resolves after the condition is unmet for three consecutive checks). The user response, New, Acknowledged, or Closed, is set by you and never changes on its own. Alert instances are retained for 30 days.
Trap Assuming closing an alert (a user response) clears the underlying problem: the monitor condition only becomes resolved when the actual condition clears, independent of your response.
- Suppress maintenance-window noise with an alert processing rule, not by disabling alerts
An alert processing rule modifies alerts as they fire, by filter and on a schedule, without touching any alert rule. Its two jobs are suppressing notifications (silence a resource group during planned maintenance: rules keep evaluating, only the noise is muted, and suppression lifts automatically) and adding an action group to many alerts at once. Use it instead of disabling or deleting the alert rules.
Trap Disabling each alert rule (or deleting the action group) to go quiet during maintenance: that loses the rule/breaks it for other rules; an alert processing rule suppresses temporarily and reverts on its own.
3 questions test this
- You have an Azure subscription that contains several resource groups. You need to suppress all alert notifications for resources in a…
- You have an Azure subscription that contains several resource groups. Multiple alert rules exist across different resource groups, and each…
- You have an Azure subscription with several resource groups containing critical virtual machines. You need to configure notifications so…
- Creating an alert rule needs Monitoring Contributor; Monitoring Reader can only view
To create alert rules you need Monitoring Contributor (read on the target resource, write on the resource group holding the rule). Monitoring Reader can view alerts and read resources but cannot create rules. These are the two built-in roles supported at all Resource Manager scopes for alerting.
- Insights are curated, ready-made monitoring views for a resource type
Azure Monitor Insights are Microsoft-curated monitoring experiences (preconfigured dashboards, workbooks, and sometimes alerts) built on the same metrics and Log Analytics data you could assemble yourself. The ones an administrator reaches for are VM Insights (VM and scale-set performance, processes, and a dependency map), Storage Insights (account performance, capacity, availability), Network Insights (health and metrics across network resources), and Container Insights (AKS workloads). Use an Insight when you want the page already built.
- Network Watcher diagnoses IaaS network paths, not PaaS, and is regional
Azure Network Watcher is a regional service for monitoring and diagnosing the network of IaaS resources (VMs, VNets, gateways, load balancers); it is not designed for PaaS monitoring or web analytics. It is auto-enabled per region when you create a VNet, and there is exactly one Network Watcher instance per region per subscription.
Trap Choosing Network Watcher to monitor a PaaS service's own health: it targets IaaS network paths; for PaaS use that service's metrics, resource logs, and Insights.
- IP flow verify names the NSG rule allowing or denying a packet
IP flow verify checks whether a packet to or from a VM is allowed or denied based on the effective network security group rules, and it tells you which security rule made the decision. Reach for it when traffic is blocked and you need to identify the exact NSG rule responsible, rather than reading rules by hand.
Trap Using Next hop to find a blocking firewall rule: Next hop diagnoses routing (where traffic goes), while IP flow verify is the tool that names the allow/deny security rule.
- Next hop diagnoses routing; Connection Troubleshoot tests connectivity once
Next hop returns the next hop type and IP for traffic from a VM to a destination, so it diagnoses routing problems such as a misconfigured user-defined route. Connection Troubleshoot tests whether a source can actually reach a destination right now, reporting latency and hops. Next hop answers 'where does this route send the traffic?'; Connection Troubleshoot answers 'can it connect at this moment?'.
- Connection Monitor watches connectivity continuously; Connection Troubleshoot is a one-time test
Connection Monitor provides ongoing end-to-end connectivity monitoring between endpoints, with metrics and alerts over time. Connection Troubleshoot performs the same kind of check but only at a single point in time. When a scenario needs continuous monitoring with alerting, choose Connection Monitor; for a one-off diagnosis, Connection Troubleshoot.
Trap Using Connection Troubleshoot for ongoing connectivity SLA monitoring: it tests once at that moment; Connection Monitor is the continuous, alert-capable tool.
- Migrate NSG flow logs to VNet flow logs before the 2027 retirement
Network Watcher flow logs record IP traffic for traffic analysis. NSG flow logs are being retired: no new ones can be created after June 30, 2025, and they are fully retired on September 30, 2027. Virtual network (VNet) flow logs are the successor and address NSG flow log limitations, so new logging should use VNet flow logs.
Trap Creating new NSG flow logs for traffic logging: they are end-of-life (no new ones after June 30, 2025; retired September 30, 2027); use virtual network flow logs instead.
- VM Insights needs a Log Analytics workspace, the Azure Monitor Agent, and a DCR
Before VM Insights can collect performance data it needs a Log Analytics workspace (data lands in the InsightsMetrics table), the Azure Monitor Agent on the VM, and a data collection rule (DCR) that tells the agent what to collect. The default VM Insights DCR gathers guest performance only: it does not collect Windows event logs or Syslog, so add a separate DCR for those. A VM Insights DCR must already exist before you assign an Azure Policy initiative to onboard VMs at scale.
Trap VM Insights does not collect event logs/Syslog out of the box; you create an additional DCR rather than editing the VM Insights one.
9 questions test this
- You have an Azure subscription that contains multiple virtual machines. You plan to enable VM Insights for all the virtual machines. You…
- You have an Azure subscription that contains multiple virtual machines. You enable VM Insights on all virtual machines. You need to…
- You have an Azure subscription that contains 50 virtual machines. You plan to enable VM Insights on all virtual machines by using Azure…
- You have an Azure virtual machine named VM1 that has VM Insights enabled. A data collection rule (DCR) named MSVMI-workspace1 is associated…
- You have an Azure subscription that contains a virtual machine named VM1. You plan to enable VM Insights on VM1 to monitor performance. You…
- You have an Azure subscription that contains a virtual machine named VM1. You enable VM Insights on VM1 using the Azure portal. VM Insights…
- You have an Azure subscription that contains a virtual machine named VM1. You enable VM Insights for VM1 and need to store the collected…
- You have an Azure subscription that contains a virtual machine named VM1. You enable VM Insights for VM1 from the Azure portal and accept…
- You have an Azure subscription that contains 10 virtual machines. You plan to enable VM insights for all the virtual machines. You need to…
- The VM Insights Map feature requires the Dependency Agent; performance does not
VM Insights has two features: Performance (Azure Monitor Agent only) and Map. The Map view of processes and application dependencies needs the Dependency Agent (the 'processes and dependencies' option) installed in addition to the Azure Monitor Agent. The portal's default data collection rule enables guest performance but leaves processes-and-dependencies (Map) disabled, so by default only the Azure Monitor Agent is installed and the Map view shows no data.
Trap Empty Map view with working Performance data means the Dependency Agent is missing, not a workspace or DCR problem.
5 questions test this
- You have an Azure subscription that contains multiple virtual machines. You plan to enable VM Insights to monitor the virtual machines. You…
- You have an Azure virtual machine named VM1 with VM Insights enabled. Users report that the Performance tab displays data, but no data…
- You plan to enable VM Insights on an Azure virtual machine using the Azure portal. The default data collection rule is created during…
- You have an Azure subscription that contains a virtual machine named VM1. You enable VM insights for VM1 and configure a data collection…
- You have an Azure subscription that contains a virtual machine named VM1 running Windows Server. You plan to enable VM Insights to monitor…
- KQL essentials: summarize with bin() for time buckets, project to pick columns, render to chart
In Log Analytics KQL, summarize aggregates rows and bin(TimeGenerated, 1h) buckets results into time intervals (e.g. hourly average per Computer). project selects, renames, or drops specific columns. render (e.g. render timechart) must be the last operator and turns query results into a visualization.
Trap bin() groups the time axis inside summarize: it is not the operator that draws the chart (that is render).
5 questions test this
- You are running a KQL query in Log Analytics and need to visualize the results as a time-based line chart. The query calculates the count…
- You have an Azure subscription that contains a Log Analytics workspace. You need to write a KQL query that returns the average CPU…
- You are writing a KQL query to analyze security events in a Log Analytics workspace. You need to return only the TimeGenerated, Computer,…
- You have an Azure subscription that contains several virtual machines. You configure the virtual machines to send performance metrics and…
- You have an Azure subscription that contains a Log Analytics workspace. You write the following KQL query: AzureActivity | where…
- Azure Workbooks combine logs, metrics, Resource Graph, text, and parameters into one interactive report
Azure Workbooks are the tool when you must blend Azure Monitor Logs, metrics, and Azure Resource Graph data in a single interactive report with embedded text, then let users filter via parameters (time range, resource selectors) and export to PDF. Azure Resource Graph is a supported data source for querying resource inventory and metadata (location, tags) across subscriptions to scope a report.
Trap Parameters (not editing the KQL) are what let consumers filter a workbook interactively.
8 questions test this
- Your organization needs to create custom reports for monitoring Azure resources. You need to recommend a solution based on the following…
- You plan to create a custom visualization solution in Azure to display monitoring data from multiple Azure services. The solution must…
- You are creating an Azure Workbook that needs to query multiple data sources to provide a comprehensive view of your Azure environment.…
- You are designing an Azure Workbook to create a visualization that combines Azure resource inventory data with performance metrics. You…
- You have an Azure subscription that contains several virtual machines. You need to create an Azure Workbook that combines data from Azure…
- You are creating an Azure Workbook to monitor virtual machine performance across multiple subscriptions. You need to include data that…
- You have an Azure Workbook that queries data from multiple Azure resources. You need to allow users to filter the displayed data by…
- You have an Azure subscription that contains several resources. You need to create a visualization solution that allows analysts to…
- Action group notifications are rate limited: email 100/hour, SMS and voice 1 per 5 minutes
Azure Monitor rate-limits action group notifications per recipient: email is capped at no more than 100 emails per hour to each email address (per region), and SMS and voice calls at no more than one notification every five minutes per phone number. Once the limit is hit, further notifications are dropped until the window expires, which is the usual reason an admin stops receiving alerts even though alerts are firing.
Trap Missing notifications with alerts clearly firing usually means rate limiting, not a wrong email/phone or an unsubscribe.
5 questions test this
- You have an Azure subscription that contains multiple resources. You create an action group named AG1 that includes email notifications to…
- You have an Azure subscription with multiple resources. You configure an action group to send SMS notifications to an administrator's phone…
- You have an Azure subscription that contains multiple virtual machines. You create an action group named AG1 that sends SMS notifications…
- You have an Azure subscription that contains an action group configured with email notifications. Users report that they are not receiving…
- Your company uses Azure Monitor to send alert notifications. You configure an action group that sends email notifications to a security…
- Service Health alerts need a Global action group; inactive events stay in Health History for 90 days
Azure Service Health reports subscription-wide event types including Service issues, Planned maintenance, Health advisories, Security advisories, and Billing updates. To be notified of planned maintenance you create a Service Health (activity log) alert plus an action group, and the action group region must be set to Global for Service Health alerts to work. Inactive Service Health events are retained in Health History for up to 90 days after they become inactive.
Trap An action group used for a Service Health alert must be in the Global region, not a specific Azure region.
6 questions test this
- You have an Azure subscription. You need to configure alerts to notify your operations team when Azure performs planned maintenance that…
- You have an Azure subscription that contains multiple resources. You need to view historical health events for your resources in Azure…
- You have an Azure subscription that contains multiple resources across several regions. Your organization requires proactive notification…
- Your organization needs to track health events that have affected your Azure resources over the past 60 days for compliance reporting…
- You need to configure Service Health alerts for your Azure subscription. You want the alerts to trigger notifications via email and SMS.…
- You are an Azure administrator for your company. You need to configure alerts to notify your team when Azure service issues or planned…
- Resource Health reports a single resource's availability and whether an issue was platform- or user-initiated
Resource Health shows the health of an individual resource (such as one VM) and its reason type tells you whether unavailability was platform-initiated (Azure maintenance/host issue) or user-initiated (e.g. a manual stop or deallocate). A Resource Health status of Unknown means Azure has had no data about the resource for over 10 minutes, which commonly happens when a VM is deallocated.
Trap Service Health is for subscription-wide Azure incidents; Resource Health is the one that drills into a specific resource instance.
5 questions test this
- You have an Azure subscription that contains several virtual machines across multiple regions. You need to identify which Azure Service…
- You have an Azure subscription that contains several virtual machines. You notice that one of your virtual machines becomes unavailable.…
- You have an Azure subscription that contains multiple virtual machines and storage accounts. A user reports that one of the virtual…
- You have an Azure subscription that contains a virtual machine named VM1. You access Resource Health for VM1 and notice the status shows…
- You have an Azure subscription that contains a virtual machine named VM1. You deallocated VM1 to stop costs associated with the VM. A few…
Backup and Recovery
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.