Practice Questions

Question 1

(Select 2)

You have an Azure subscription that contains a policy-based virtual network gateway named GW1 and a virtual network named VNet1. You need to ensure that you can configure a point-to-site connection from an on-premises computer to VNet1. Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

Question 2

You recently created a new Azure subscription that contains a user named Admin1. Admin1 attempts to deploy an Azure Marketplace resource by using an Azure Resource Manager template. Admin1 deploys the template by using Azure PowerShell and receives the following error message: User failed validation to purchase resources. Error message: Legal terms have not been accepted for this item on this subscription. To accept legal terms, please go to the Azure portal (http://go.microsoft.com/fwlink/?LinkId=534873) and configure programmatic deployment for the Marketplace item or create it there for the first time.` You need to ensure that Admin1 can deploy the Marketplace resource successfully. What should you do?

Question 3

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups. Another administrator plans to create several network security groups (NSGs) in the subscription. You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks. Solution: From the Resource providers blade, you unregister the Microsoft.ClassicNetwork provider. Does this meet the goal?

Question 4

You have an Azure subscription named Subscription1 that contains two Azure virtual networks named VNet1 and VNet2. VNet1 contains a VPN gateway named VPNGW1 that uses static routing. There is a site-to-site VPN connection between your on-premises network and VNet1. On a computer named Client1 that runs Windows 10, you configure a point-to-site VPN connection to VNet1. You configure virtual network peering between VNet1 and VNet2. You verify that you can connect to VNet2 from the on-premises network. Client1 is unable to connect to VNet2. You need to ensure that you can connect Client1 to VNet2. What should you do?

Question 5

Your company has a main office in London that contains 100 client computers. Three years ago, you migrated to Azure Active Directory (Azure AD). The company's security policy states that all personal devices and corporate-owned devices must be registered or joined to Azure AD. A remote user named User1 is unable to join a personal device to Azure AD from a home network. You verify that User1 was able to join devices to Azure AD in the past. You need to ensure that User1 can join the device to Azure AD. What should you do?

Want to practice all questions on the go?

Download Cloud Pass for free — includes practice tests, progress tracking & more.

Question 6

You have an Azure web app named App1. App1 has the deployment slots shown in the following table:

diagram

In webapp1-test, you test several changes to App1. You back up App1. You swap webapp1-test for webapp1-prod and discover that App1 is experiencing performance issues. You need to revert to the previous version of App1 as quickly as possible. What should you do?

Question 7

You have an Azure subscription named Subscription1 that is used by several departments at your company. Subscription1 contains the resources in the following table: Name Type storage1 Storage account RG1 Resource group container1 Blob container share1 File share Another administrator deploys a virtual machine named VM1 and an Azure Storage account named storage2 by using a single Azure Resource Manager template. You need to view the template used for the deployment. From which blade can you view the template that was used for the deployment?

Question 8

You download an Azure Resource Manager template based on an existing virtual machine. The template will be used to deploy 100 virtual machines. You need to modify the template to reference an administrative password. You must prevent the password from being stored in plain text. What should you create to store the password?

Question Analysis

Core concept: This question tests secure secret handling in Azure Resource Manager (ARM) templates when deploying compute resources at scale. ARM templates are declarative JSON files, and embedding credentials directly (even as parameters) risks exposure via source control, template exports, deployment history, or logs. Why the answer is correct: Azure Key Vault is Azure’s purpose-built service for storing and controlling access to secrets (passwords, keys, certificates). In an ARM template, you can reference a Key Vault secret using a parameter with a Key Vault reference (or use a linked template/secure parameter pattern). This prevents the password from being stored in plain text in the template file. An access policy (or Azure RBAC permissions, depending on vault configuration) grants the deployment identity (user, service principal, or managed identity) permission to read the secret at deployment time. Key features and best practices: - Secret storage: Key Vault stores secrets encrypted at rest and supports versioning and rotation. - Access control: Use least privilege via Key Vault access policies or RBAC (e.g., “Get” permission for secrets). For ARM deployments, ensure the deploying principal can read the secret. - Secure parameters: ARM supports the “secureString” parameter type, but that only prevents echoing in outputs; it does not solve the problem of where the value is stored if you hardcode it or commit parameter files. Key Vault is the recommended secure external store. - Well-Architected Framework alignment: This supports the Security pillar (protect secrets, least privilege, centralized secret management) and Operational Excellence (repeatable deployments without manual password handling). Common misconceptions: - “secureString is enough”: It helps mask values during deployment, but if you store the value in a parameter file or template, it can still be exposed. Key Vault avoids storing the secret in the template. - “Storage account with policies”: Storage is not a secret management system; access policies don’t provide secret-specific controls, auditing, or rotation. Exam tips: For ARM/Bicep deployments needing passwords, connection strings, or keys, the go-to answer is almost always Azure Key Vault. Remember: use Key Vault references and grant the deployment identity permission to read secrets. This is especially important when scaling deployments (e.g., 100 VMs) to keep credentials centralized and manageable.

Question 9

HOTSPOT - You have an Azure subscription that contains the resource groups shown in the following table.

diagram

RG1 contains the resources shown in the following table.

VM1 is running and connects to NIC1 and Disk1. NIC1 connects to VNET1. RG2 contains a public IP address named IP2 that is in the East US location. IP2 is not assigned to a virtual machine. For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:

Part 1:

storage1 is a Storage account located in West US.

Part 2:

VNet1 is a Virtual network located in West US.

Part 3:

NIC1 is a Network interface located in West US.

Part 4:

Disk1 is a Disk located in West US.

Part 5:

VM1 is a Virtual machine located in West US.

Part 6:

You can move storage1 to RG2.

Part 7:

You can move NIC1 to RG2.

Part 8:

If you move IP2 to RG1, the location of IP2 will change.

Question 10

HOTSPOT - You have Azure subscriptions named Subscription1 and Subscription2. Subscription1 has following resource groups:

diagram

RG1 includes a web app named App1 in the West Europe location. Subscription2 contains the following resource groups: Name Region Lock type RG3 East Europe Delete RG4 Central US none For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:

Part 1:

App1 can be moved to RG2

Part 2:

App1 can be moved to RG3

Part 3:

App1 can be moved to RG4

Practice Test #4

Triple AI-Verified Answers & Explanations

Practice Questions

Other Practice Tests

Practice Test #1

Practice Test #2

Practice Test #3

Practice Test #5

Practice Test #6

Practice Test #7

Practice Test #8

Practice Test #9

Start Practicing Now