This article compiles real AZ-900 (Microsoft Azure Fundamentals) exam questions from May 2026 dumps, fully deduplicated and verified. Every question includes the correct answer and a detailed explanation written to help you understand why the answer is correct — not just memorize it.
The AZ-900 exam covers four domains: Cloud Concepts; Core Azure Services; Security, Compliance & Identity; and Azure Pricing & Support. All question types are included: multiple choice, true/false evaluation, Yes/No tables, and matching questions with original screenshots.
Cloud Concepts
What are two characteristics of the public cloud? Each correct answer presents a complete solution.
A. Dedicated hardware
B. Unsecured connections
C. Limited storage
D. Metered pricing
E. Self-service management
✓ Correct Answer: D and E
Public cloud services are characterized by metered pricing (pay-as-you-go) and self-service management (you provision resources without involving the provider). Public cloud does NOT use dedicated hardware (shared infrastructure), connections are secured (HTTPS/TLS), and storage is virtually unlimited.
Evaluate the underlined text: An organization that hosts its infrastructure in a private cloud can decommission its data center.
A. No change is needed.
B. In a hybrid cloud
C. In the public cloud
D. On a Hyper-V host
✓ Correct Answer: C — In the public cloud
A private cloud is hosted in your own data center — you still own the physical infrastructure, so you cannot decommission it. Only migrating to the public cloud (e.g., Azure) allows you to fully decommission on-premises hardware, because the provider owns and manages all physical infrastructure. A hybrid cloud still requires some on-premises infrastructure.
For each statement, select Yes if true, otherwise No.

✓ Answers: Yes, No, Yes
| Statement | Answer |
|---|---|
| Azure provides flexibility between capital expenditure (CapEx) and operational expenditure (OpEx). | Yes |
| If you create two Azure virtual machines that use the B2S size, each virtual machine will always generate the same monthly costs. | No |
| When an Azure virtual machine is stopped, you continue to pay storage costs associated with the virtual machine. | Yes |
Explanation: Azure is primarily OpEx (pay-as-you-go), but reserved instances provide a CapEx-like model — both models are supported (Yes). Two B2S VMs do NOT always have identical costs because costs vary by region, OS license (Windows vs Linux), and reserved vs on-demand pricing (No). When a VM is stopped/deallocated, compute charges stop, but storage charges for managed disks continue (Yes).
Evaluate the underlined text: When planning to migrate a public website to Azure, you must plan to pay monthly usage costs.
A. No change is needed
B. Deploy a VPN
C. Pay to transfer all the website data to Azure
D. Reduce the number of connections to the website
✓ Correct Answer: A — No change is needed
When migrating a website to Azure, you DO need to plan for monthly usage costs (compute, bandwidth, storage). The statement "pay monthly usage costs" is correct — so no change is needed. Note: Azure inbound data transfer (ingress to Azure) is free, but egress (outbound from Azure) is charged. The overall statement about planning for monthly costs is accurate.
Core Azure Services
To what should an application connect to retrieve security tokens?
A. An Azure Storage account
B. Azure Active Directory (Azure AD)
C. A certificate store
D. An Azure key vault
✓ Correct Answer: B — Azure Active Directory (Azure AD)
Azure Active Directory acts as the OAuth 2.0 / OpenID Connect authorization server. Applications connect to Azure AD's token endpoints to retrieve access tokens, ID tokens, and refresh tokens. These tokens authenticate the app against Azure resources and APIs. Storage accounts store data, certificate stores store X.509 certificates, and Key Vault stores secrets/keys — none issue authentication tokens.
Your company plans to deploy an AI solution in Azure. What should the company use to build, test, and deploy predictive analytics solutions?
A. Azure Logic Apps
B. Azure Machine Learning Studio
C. Azure Batch
D. Azure Cosmos DB
✓ Correct Answer: B — Azure Machine Learning Studio
Azure Machine Learning Studio provides a visual drag-and-drop interface to build, train, and deploy ML models and predictive analytics solutions. It is purpose-built for this use case. Azure Logic Apps automates workflows, Azure Batch handles large-scale parallel computing, and Azure Cosmos DB is a NoSQL database — none are designed for ML model development.
You plan to map a network drive from several Windows 10 computers to Azure Storage. What should you create?
A. An Azure SQL database
B. A virtual machine data disk
C. A Files service in a storage account
D. A Blobs service in a storage account
✓ Correct Answer: C — A Files service in a storage account
Azure Files provides managed cloud file shares using the SMB protocol, natively supported by Windows 10. You can map an Azure file share as a network drive via standard Windows tools. Azure Blob Storage requires API access (cannot be mapped as a drive). VM data disks are only accessible to their attached VM. Azure SQL is a relational database, not a file share.
Several support engineers plan to manage Azure using the computers shown. Which Azure management tools can be used from each computer?

✓ Correct Answer: All computers — The Azure CLI, the Azure portal, and Azure PowerShell
All three Azure management tools are cross-platform: Azure CLI installs on Windows, Ubuntu, and macOS. The Azure portal is browser-based and works on any OS. Azure PowerShell (Az module) runs on Windows, Linux, and macOS via PowerShell Core. All three computers can use all three management tools.
An Azure administrator plans to run a PowerShell script. Solution: Run from a Linux computer with the Azure CLI installed. Does this meet the goal?
A. Yes
B. No
✓ Correct Answer: B — No
The Azure CLI and PowerShell are separate tools. Azure CLI uses az commands; PowerShell scripts use cmdlets from the Az module. Installing the Azure CLI does NOT enable running PowerShell scripts. To run PowerShell on Linux, you must install PowerShell Core (pwsh) and the Az PowerShell module separately.
An Azure administrator plans to run a PowerShell script. Solution: Run from a macOS computer with PowerShell Core 6.0 installed. Does this meet the goal?
A. Yes
B. No
✓ Correct Answer: A — Yes
PowerShell Core 6.0 (and later PowerShell 7+) is cross-platform and runs natively on Windows, macOS, and Linux. A macOS machine with PowerShell Core and the Az module installed can execute PowerShell scripts that create Azure resources. This is a fully supported Microsoft configuration.
An Azure administrator plans to run a PowerShell script. Solution: Run from a Chrome OS computer using Azure Cloud Shell. Does this meet the goal?
A. Yes
B. No
✓ Correct Answer: A — Yes (some older dumps mark this as No — that appears to be an error)
Azure Cloud Shell is browser-based and accessible from any modern browser, including Chrome OS. It provides both a Bash and a PowerShell environment with all Azure modules pre-installed. Running a PowerShell script via Azure Cloud Shell from Chrome OS fully meets the goal — no local PowerShell installation is required.
Which Azure service should you use to correlate events from multiple resources into a centralized repository?
A. Azure Event Hubs
B. Azure Analysis Services
C. Azure Monitor
D. Azure Log Analytics
✓ Correct Answer: D — Azure Log Analytics
Azure Log Analytics (part of Azure Monitor) collects, stores, and queries log and metric data from multiple Azure and on-premises resources in a centralized workspace. Use KQL (Kusto Query Language) to correlate events across resources. Event Hubs streams real-time data; Analysis Services is for BI modeling; Azure Monitor is the broader platform — Log Analytics is the specific query/correlation tool.
Your company has several business units each requiring 20 different Azure resources. You need to automate the creation of those resources. What should you recommend?
A. Azure Resource Manager templates
B. Virtual machine scale sets
C. Azure API Management service
D. Management groups
✓ Correct Answer: A — Azure Resource Manager templates
ARM templates define infrastructure as code in JSON. Each business unit can run the same template to consistently deploy all 20 resources with correct configuration. VM scale sets only auto-scale VMs; API Management manages APIs; management groups organize subscriptions — none automate multi-resource deployments.
Evaluate the underlined text: Azure policies provide a common platform for deploying objects to a cloud infrastructure and for implementing consistency across the Azure environment.
A. No change is needed
B. Resource groups provide
C. Azure Resource Manager provides
D. Management groups provide
✓ Correct Answer: C — Azure Resource Manager provides
Azure Resource Manager (ARM) is the management layer for Azure — it provides the common platform for deploying, updating, and managing all resources. All Azure interactions go through ARM. Azure Policy enforces compliance rules; resource groups organize resources; management groups organize subscriptions — none of these are the "common deployment platform."
You need an Azure database that can: (1) add data concurrently from multiple regions, and (2) store JSON documents. Which service should you deploy?
✓ Correct Answer: Azure Cosmos DB
Azure Cosmos DB is a globally distributed NoSQL database with native multi-region write support and JSON document storage via its SQL API and MongoDB API. It is the only Azure database satisfying both requirements simultaneously. Azure SQL Database is relational and doesn't support multi-region concurrent writes out of the box.
You need to deploy a critical application with 99.99% guaranteed availability. What is the minimum number of virtual machines and availability zones required?

✓ Correct Answer: Minimum 3 virtual machines across 3 availability zones
Azure VM SLA tiers: 1 VM = 99.9% | 2+ VMs in Availability Set = 99.95% | 3+ VMs across 3 Availability Zones = 99.99%. Availability Zones are separate data centers within a region with independent power, cooling, and networking. Distributing across 3 zones means a single-zone failure still leaves 2 zones fully operational.
You need to view a list of planned maintenance events that can affect the availability of an Azure subscription. Which blade should you use from the Azure portal?

✓ Correct Answer: Service Health
Azure Service Health provides personalized Azure service information including: active outages, planned maintenance events, and health advisories. It shows maintenance events specific to your subscriptions and services. Access via: Azure Portal search "Service Health" or All services → Monitoring → Service Health. You can also configure alerts to be notified before maintenance begins.
Networking & Infrastructure
You need to limit the types of connections from web servers to database servers in Azure. What should you include in the recommendation?
A. Network security groups (NSGs)
B. Azure Service Bus
C. A local network gateway
D. A route filter
✓ Correct Answer: A — Network security groups (NSGs)
Network Security Groups (NSGs) filter network traffic at Layer 4 using rules based on source/destination IP, port, and protocol. Attach an NSG to the database subnet to allow only specific ports (e.g., TCP 1433 for SQL Server) from the web subnet. Service Bus is for messaging; local network gateways enable VPN; route filters control ExpressRoute BGP routing — none filter inter-subnet traffic.
You have 10 virtual networks and 100 virtual machines. You need to limit inbound traffic to ALL virtual networks. What should you create?
A. One network security group (NSG)
B. 10 virtual network gateways
C. 10 Azure ExpressRoute circuits
D. One Azure firewall
✓ Correct Answer: D — One Azure firewall
Azure Firewall can be deployed in a hub VNet and peered to all spoke VNets (hub-and-spoke topology). A single Azure Firewall instance controls traffic across all 10 virtual networks via User-Defined Routes. A single NSG cannot span multiple VNets. VNet gateways are for VPN/ExpressRoute, and ExpressRoute is for private connectivity to on-premises — neither filters internet inbound traffic across multiple VNets.
You need to ensure VM1 is accessible from the Internet over HTTP. Solution: Modify a DDoS protection plan. Does this meet the goal?
A. Yes
B. No
✓ Correct Answer: B — No
Azure DDoS Protection defends against volumetric/protocol attacks — it does not enable internet access. To make VM1 accessible over HTTP: (1) assign a Public IP to the VM's NIC, (2) add an NSG rule allowing inbound TCP port 80. DDoS protection is a defensive layer, not an access-enabling service.
You need to ensure VM1 is accessible from the Internet over HTTP. Solution: Modify an Azure Traffic Manager profile. Does this meet the goal?
A. Yes
B. No
✓ Correct Answer: B — No
Azure Traffic Manager is a DNS-based load balancer that routes users to the best-performing endpoint — it does not enable internet access at the VM level. Traffic Manager requires endpoints to already be publicly reachable. It cannot configure public IPs or NSG rules. The correct solution is a public IP + NSG rule on port 80.
You need to ensure VM1 is accessible from the Internet over HTTP. Solution: Modify an Azure Firewall. Does this meet the goal?
A. Yes
B. No
✓ Correct Answer: A — Yes
Azure Firewall supports DNAT rules (Destination NAT) that translate inbound internet traffic from the firewall's public IP to a VM's private IP. Adding a DNAT rule mapping public_IP:80 → VM_private_IP:80 correctly routes HTTP traffic to VM1. This is a supported pattern for exposing VMs through Azure Firewall.
You plan to migrate on-premises servers to Azure and need to ensure some servers are available if a single Azure data center goes offline. What should you include?
A. Fault tolerance
B. Elasticity
C. Scalability
D. Low latency
✓ Correct Answer: A — Fault tolerance
Fault tolerance is the ability of a system to continue operating when one or more components fail. Deploying across multiple Azure Availability Zones or regions ensures a data center failure doesn't take all servers offline. Elasticity and scalability address capacity/load; low latency addresses response time — none ensure availability during hardware failures.
Storage & Resource Management
You create resource group RG1 and need to prevent deletion of its resources. Which setting should you use?

✓ Correct Answer: Locks
Azure Resource Locks prevent accidental deletion or modification. A Delete lock (CanNotDelete) prevents deletion while allowing reads and modifications. Applied at the resource group level, locks are inherited by all resources within the group. In the Azure portal: Resource Group → Settings → Locks → Add lock.
Evaluate: You have VMs in an Azure subscription. You create a new subscription. The virtual machines cannot be moved to the new subscription.
A. No change is needed
B. The virtual machines can be moved to the new subscription
C. Can be moved only if in the same resource group
D. Can be moved only if they run Windows Server 2016
✓ Correct Answer: B — The virtual machines can be moved to the new subscription
The underlined statement is INCORRECT. Azure resources including VMs can be moved between subscriptions using the portal, PowerShell (Move-AzResource), or CLI. Requirements: both subscriptions must be in the same Azure AD tenant. No resource group or OS version restrictions apply. VMs must be deallocated during the move.
Evaluate: Resource groups provide organizations with the ability to manage the compliance of Azure resources across multiple subscriptions.
A. No change is needed
B. Management groups
C. Azure policies
D. Azure App Service plans
✓ Correct Answer: C — Azure policies
Azure Policy enforces compliance rules across resources and subscriptions — it can audit, deny, or auto-remediate non-compliant resources. Resource Groups are single-subscription containers that don't manage compliance across subscriptions. Management Groups organize subscriptions for access governance but don't directly audit resource compliance.
For each statement about resource groups, select Yes if true, otherwise No.
✓ Answers: No, No, Yes
| Statement | Answer |
|---|---|
| All Azure resources in a single resource group must share the same Azure region. | No |
| If you assign a tag to a resource group, all resources in that group are automatically assigned the same tag. | No |
| If you set permissions to a resource group, all Azure resources in that group inherit the permissions. | Yes |
Explanation: Resources in a resource group can be in different Azure regions — the RG location stores metadata only (No). Tags on a resource group do NOT automatically propagate to resources inside; use Azure Policy to enforce tag inheritance (No). RBAC permissions (roles) assigned at the resource group level are inherited by all child resources via Azure's permission model (Yes).
Security, Privacy & Compliance
You need to ensure that when Azure AD users sign in from anonymous IP addresses, they are automatically prompted to change their password. Which service should you use?
A. Azure AD Connect Health
B. Azure AD Privileged Identity Management
C. Azure Advanced Threat Protection (ATP)
D. Azure AD Identity Protection
✓ Correct Answer: D — Azure AD Identity Protection
Azure AD Identity Protection uses machine learning to detect risky sign-ins including logins from anonymous IP addresses (Tor nodes, VPNs). You configure sign-in risk policies to automatically trigger MFA challenges or forced password resets. Azure AD Connect Health monitors AD sync health; PIM manages privileged role access; ATP monitors on-premises AD threats.
Your Active Directory forest has 5,000 user accounts. You are migrating all resources to Azure and decommissioning the on-premises data center. You need to minimize the impact on users. What should you recommend?
A. Implement Azure Multi-Factor Authentication (MFA)
B. Sync all Active Directory user accounts to Azure Active Directory (Azure AD)
C. Instruct all users to change their password
D. Create a guest user account in Azure AD for each user
✓ Correct Answer: B — Sync all Active Directory user accounts to Azure AD
Azure AD Connect synchronizes on-premises AD users to Azure AD, allowing users to sign in with their existing credentials. This minimizes disruption — no new accounts, no password changes, same familiar usernames. MFA adds security but doesn't reduce migration impact; password changes and guest accounts would disrupt users unnecessarily.
For each statement about Azure Multi-Factor Authentication (MFA), select Yes if true, otherwise No.

✓ Answers: No, No, Yes
| Statement | Answer |
|---|---|
| To implement Azure MFA, you must deploy Azure AD Connect. | No |
| Two valid methods for Azure MFA are picture identification and a passport number. | No |
| Azure MFA can be required for administrative and non-administrative user accounts. | Yes |
Explanation: Azure AD MFA works with cloud-only Azure AD accounts — AD Connect is NOT required (No). Valid MFA methods: Authenticator app, SMS, phone call, OATH token, Windows Hello — NOT physical ID or passport (No). MFA can be enforced for any user via Conditional Access policies, not just admins (Yes).
Match each term to its correct definition.

✓ Correct Matches:
| Term | Definition |
|---|---|
| Azure Government | A dedicated public cloud for federal and state agencies in the United States. |
| GDPR | A European policy that regulates data privacy and data protection. |
| ISO | An organization that defines international standards across all industries. |
| NIST | An organization that defines standards used by the United States government. |
Explanation: Azure Government is Microsoft's isolated cloud for US federal/state/local government. GDPR is the EU's data privacy regulation. ISO (International Organization for Standardization) publishes global standards including ISO 27001 for information security. NIST (National Institute of Standards and Technology) publishes US government cybersecurity frameworks like NIST CSF and SP 800-53.
Which two types of customers are eligible to use Azure Government?
A. A Canadian government contractor
B. A European government contractor
C. A United States government entity
D. A United States government contractor
E. A European government entity
✓ Correct Answer: C and D
Azure Government is exclusively for US government customers: (C) US federal, state, local, and tribal government entities, and (D) US government contractors building solutions for eligible government entities. Non-US government organizations (Canadian, European) are not eligible — they have separate sovereign cloud options.
Evaluate: When implementing a SaaS solution, you are responsible for configuring high availability.
A. No change is needed.
B. Defining scalability rules
C. Installing the SaaS solution
D. Configuring the SaaS solution
✓ Correct Answer: D — Configuring the SaaS solution
In the SaaS model, the cloud provider manages ALL infrastructure including high availability, scalability, and OS maintenance. The customer is only responsible for configuring and using the application (settings, data, access controls). High availability is the provider's responsibility in SaaS — making it the most hands-off cloud model for customers.
Match each Azure AI service to its correct description.

✓ Correct Matches:
| Service | Description |
|---|---|
| Azure Machine Learning | Uses past trainings to provide predictions that have high probability. |
| Azure IoT Hub | Processes data from millions of sensors. |
| Azure AI bot | Provides a digital online assistant that provides speech support. |
| Azure Functions | Provides serverless computing functionalities. |
Explanation: Azure Machine Learning trains models on historical data to predict outcomes. Azure IoT Hub connects, monitors, and manages IoT devices and ingests sensor data at scale. Azure AI Bot Service builds conversational bots with voice and language capabilities. Azure Functions is serverless event-driven compute — no infrastructure management required, pay per execution.
Azure Pricing & Support
What is required to use Azure Cost Management?
A. A Dev/Test subscription
B. Software Assurance
C. An Enterprise Agreement (EA)
D. A pay-as-you-go subscription
✓ Correct Answer: C — An Enterprise Agreement (EA)
Azure Cost Management + Billing provides its full feature set (budgets, cost allocation, chargebacks, detailed recommendations) to Enterprise Agreement customers. While basic cost visibility exists on other subscription types, the comprehensive Cost Management experience is EA-focused. Dev/Test subscriptions and Software Assurance alone do not unlock Cost Management capabilities.
Evaluate: Your Azure trial account expired last week. You are now unable to create additional Azure Active Directory (Azure AD) user accounts.
A. No change is needed
B. Start an existing Azure virtual machine
C. Access your data stored in Azure
D. Access the Azure portal
✓ Correct Answer: C — Access your data stored in Azure
The underlined statement is incorrect. Azure AD is a free service — creating Azure AD users does not require an active paid subscription. What you actually cannot do after trial expiry is access data stored in Azure (VMs, storage accounts, databases). Azure suspends paid services and eventually deletes data. The portal and basic Azure AD remain accessible.
Your company requires access to support engineers by phone or email. Solution: Recommend a Basic support plan. Does this meet the goal?
A. Yes
B. No
✓ Correct Answer: B — No
The Basic plan does NOT include access to support engineers by phone or email. Basic only covers: self-help documentation, Azure Advisor, and Service Health alerts. Support engineer access requires: Developer (email only, business hours) | Standard (email + phone, 24/7) | Professional Direct | Premier.
Your company requires access to support engineers by phone or email. Solution: Recommend a Standard support plan. Does this meet the goal?
A. Yes
B. No
✓ Correct Answer: A — Yes
The Standard plan includes 24/7 access to technical support engineers via both phone and email. It also provides 1-hour response time for Severity A (critical) issues and Azure Advisor integration. Standard is the minimum tier satisfying both phone and email support engineer access requirements.
Your company has a Basic support plan and needs to request an architectural review from Microsoft. The solution must minimize costs. Which support plan should you recommend?
A. Premier
B. Developer
C. Professional Direct
D. Standard
✓ Correct Answer: A — Premier
An architectural review from Microsoft (Well-Architected Review or proactive advisory engagement) requires the Premier support plan. Although "minimize costs" might suggest a lower tier, the architectural review requirement specifically mandates Premier-level support. Developer, Standard, and Professional Direct do not include formal architectural review services.
For each statement about Azure preview services, select Yes if true, otherwise No.
✓ Answers: Yes, No, Yes
| Statement | Answer |
|---|---|
| Most Azure services are introduced in private preview before public preview, then general availability (GA). | Yes |
| Azure services in public preview can be managed only by using the Azure CLI. | No |
| The cost of an Azure service in private preview decreases when the service becomes generally available. | Yes |
Explanation: Azure services follow the lifecycle: private preview → public preview → GA (Yes). Public preview services can be managed through all tools: portal, CLI, PowerShell, ARM templates — not CLI only (No). Preview services are often free or discounted; GA pricing is higher — so the cost relative to preview is lower in preview, meaning it increases at GA, confirming that preview cost was lower (Yes).
More Practice Questions — Continued
Questions 41–100 below continue coverage of all AZ-900 exam domains: Cloud Concepts, Core Azure Services, Networking, Storage & Resource Management, Security & Compliance, and Azure Pricing & Support.
Which cloud service model gives you the most control over the operating system, middleware, and runtime?
A. Software as a Service (SaaS)
B. Platform as a Service (PaaS)
C. Infrastructure as a Service (IaaS)
D. Function as a Service (FaaS)
✓ Correct Answer: C
IaaS gives you full control over the OS, middleware, and runtime while the cloud provider manages physical hardware, networking, and virtualization. PaaS abstracts the OS and runtime away from you. SaaS provides complete, ready-to-use applications where you manage nothing below the application layer.
What term describes the ability of a cloud service to automatically increase resources when demand rises and decrease them when demand falls?
A. High availability
B. Elasticity
C. Fault tolerance
D. Geo-redundancy
✓ Correct Answer: B
Elasticity is the ability to automatically scale resources up or down in response to real-time demand changes. High availability means staying online despite failures. Fault tolerance means continuing to operate despite component failures. Geo-redundancy means data or services are replicated across geographic regions.
Your company is moving from on-premises servers to Azure. Which financial term describes the shift from buying physical hardware upfront to paying monthly for cloud services?
A. Moving from OpEx to CapEx
B. Moving from CapEx to OpEx
C. Increasing total cost of ownership
D. Reducing capital expenditure by leasing hardware
✓ Correct Answer: B
On-premises hardware is a Capital Expenditure (CapEx) — a large upfront purchase that depreciates over time. Cloud services are Operational Expenditure (OpEx) — ongoing monthly payments with no upfront cost. Moving to cloud shifts the model from CapEx to OpEx, improving cash flow and eliminating the risk of over-provisioning hardware.
A company needs its cloud environment to remain operational even when individual hardware components fail. Which cloud concept does this describe?
A. Scalability
B. Agility
C. Fault tolerance
D. Disaster recovery
✓ Correct Answer: C
Fault tolerance is the ability of a system to continue operating correctly when one or more of its components fail. Azure achieves this through redundant hardware, automatic failover, and distributed architecture. Scalability is about handling load changes. Agility refers to speed of deployment. Disaster recovery is about recovering after a major failure event.
Which cloud deployment model is best for an organization that wants full control over sensitive data on-premises while also using public cloud services for other workloads?
A. Public cloud
B. Private cloud
C. Hybrid cloud
D. Community cloud
✓ Correct Answer: C
A hybrid cloud combines on-premises (or private cloud) resources with public cloud resources, allowing data and applications to be shared between them. Organizations use hybrid cloud when they need to keep sensitive data on-premises for compliance or security while using the public cloud for scale, burst capacity, or non-sensitive workloads.
What does "pay-as-you-go" mean in the context of Azure pricing?
A. You pay a flat monthly subscription regardless of usage
B. You pay only for the resources you actually consume
C. You pay upfront for the resources you plan to use for the year
D. You pay a fixed price per virtual machine regardless of size
✓ Correct Answer: B
Pay-as-you-go means you are billed only for the resources you actually consume — compute time, storage, network transfer, etc. If you stop using a resource, billing stops. This contrasts with purchasing physical hardware where you pay the full acquisition cost regardless of how heavily you use it.
In the shared responsibility model for a PaaS solution, which of the following is the customer's responsibility?
A. Physical datacenter security
B. Network infrastructure and hypervisor
C. Application data and access management
D. Host operating system patching
✓ Correct Answer: C
In PaaS, Microsoft manages the physical infrastructure, network, host OS, and runtime. The customer remains responsible for their application code, data stored in the service, and access management (who can use the application and its data). The higher the service model (IaaS to PaaS to SaaS), the more Microsoft manages and the less the customer manages.
Which of the following is an example of Platform as a Service (PaaS)?
A. Azure Virtual Machines
B. Azure App Service
C. Microsoft 365
D. Azure Virtual Network
✓ Correct Answer: B
Azure App Service is PaaS — you deploy application code and Azure manages the underlying OS, runtime, patching, and infrastructure. Azure VMs are IaaS (you manage the OS and everything above it). Microsoft 365 is SaaS (a fully managed application). Azure Virtual Network is infrastructure-level networking.
What is the primary benefit of geo-distribution in cloud computing?
A. Lower cost by using cheaper hardware
B. Delivering content closer to users worldwide to reduce latency
C. Consolidating all resources in one location for easier management
D. Eliminating the need for physical servers
✓ Correct Answer: B
Geo-distribution means deploying services and content to multiple geographic locations. This reduces latency because users connect to a nearby datacenter or edge node rather than one far away. It also improves availability — if one region has an outage, users can be routed to another region automatically.
What is the difference between vertical scaling and horizontal scaling?
A. Vertical scaling adds more instances; horizontal scaling adds more power to existing instances
B. Vertical scaling increases the power of an existing resource; horizontal scaling adds more instances
C. Vertical scaling is for databases; horizontal scaling is for VMs only
D. Both terms describe the same concept in Azure
✓ Correct Answer: B
Vertical scaling (scaling up/down) means increasing or decreasing the CPU, RAM, or disk of an existing resource. Horizontal scaling (scaling out/in) means adding or removing instances of a resource. Horizontal scaling is preferred for cloud workloads because it provides better fault tolerance — if one instance fails, others continue serving traffic.
What is the primary purpose of Azure Resource Manager (ARM)?
A. To manage on-premises servers from the cloud
B. To provide a consistent deployment and management layer for all Azure resources
C. To monitor application performance and availability
D. To provide authentication for Azure users
✓ Correct Answer: B
Azure Resource Manager is the deployment and management service for Azure. Every action you take in Azure — through the portal, CLI, PowerShell, or REST APIs — goes through ARM. It provides consistent access control, tagging, deployment templates (Bicep/ARM JSON), and resource grouping. ARM enables infrastructure-as-code and repeatable deployments.
Which Azure service provides a fully managed relational database with built-in high availability, automated backups, and intelligent performance optimization?
A. Azure Cosmos DB
B. Azure SQL Database
C. Azure Table Storage
D. Azure Cache for Redis
✓ Correct Answer: B
Azure SQL Database is a fully managed PaaS relational database. It handles backups, patching, high availability, and performance tuning automatically. Azure Cosmos DB is a globally distributed NoSQL database. Azure Table Storage is a simple NoSQL key-value store. Azure Cache for Redis is an in-memory caching service used to accelerate application performance.
Your organization needs to store large amounts of unstructured data such as images, videos, and backup files. Which Azure storage service is most appropriate?
A. Azure Queue Storage
B. Azure File Storage
C. Azure Blob Storage
D. Azure Table Storage
✓ Correct Answer: C
Azure Blob Storage (Binary Large Object) is designed for storing massive amounts of unstructured data — images, videos, documents, backups, log files, and data for analysis. Queue Storage handles message queuing. File Storage provides SMB/NFS-compatible file shares for lift-and-shift scenarios. Table Storage is a NoSQL key-value store for structured data.
What is Azure Cosmos DB?
A. A managed SQL Server instance in the cloud
B. A globally distributed, multi-model NoSQL database service
C. A block storage service for virtual machine disks
D. An in-memory caching service
✓ Correct Answer: B
Azure Cosmos DB is a fully managed, globally distributed NoSQL database supporting multiple APIs (SQL/Core, MongoDB, Cassandra, Gremlin, Table). It offers single-digit millisecond response times, automatic and instant scaling, and a 99.999% availability SLA. It differs from Azure SQL Database, which uses the traditional relational model with tables, rows, and SQL queries.
Which Azure service allows you to run containerized applications without managing virtual machines or Kubernetes clusters?
A. Azure Virtual Machines
B. Azure Kubernetes Service (AKS)
C. Azure Container Instances (ACI)
D. Azure App Service
✓ Correct Answer: C
Azure Container Instances (ACI) lets you run Docker containers on-demand without provisioning or managing VMs or orchestration infrastructure. It is the fastest and simplest way to run a single container or small container group in Azure. AKS provides full Kubernetes orchestration for complex multi-container applications needing auto-scaling, service discovery, and rolling updates.
What is Azure Virtual Desktop?
A. A GUI for managing Azure virtual machines
B. A cloud-based desktop and application virtualization service
C. A service for hosting websites and web applications
D. A remote monitoring tool for Windows servers
✓ Correct Answer: B
Azure Virtual Desktop provides desktop and application virtualization running in the cloud. Users access a full Windows 11 desktop experience from any device — browser, thin client, tablet — without a physical PC. Organizations use it for secure remote work, BYOD scenarios, and to run legacy applications. Microsoft manages the infrastructure; you manage the session hosts and applications.
Which Azure service is a serverless compute service that runs code in response to events such as HTTP requests, timers, and queue messages?
A. Azure App Service
B. Azure Logic Apps
C. Azure Functions
D. Azure Batch
✓ Correct Answer: C
Azure Functions is a serverless event-driven compute service. You write code that runs in response to triggers (HTTP, timer, queue message, blob upload, etc.) without provisioning or managing servers. You pay only for the time your code runs. Azure App Service hosts web apps on managed infrastructure. Logic Apps automates workflows using a visual designer. Azure Batch processes large-scale parallel compute jobs.
What is the purpose of Azure Availability Sets?
A. To deploy resources across multiple Azure regions
B. To protect VMs from planned and unplanned maintenance events within a datacenter
C. To create a private network within Azure
D. To automatically scale virtual machines based on demand
✓ Correct Answer: B
Availability Sets group VMs into different fault domains (separate physical racks with independent power and networking) and update domains (groups rebooted at different times during maintenance). This ensures at least some VMs remain available during a hardware failure or planned maintenance window. Availability Zones protect against entire datacenter failures; Availability Sets protect within a single datacenter.
Which Azure storage redundancy option protects data by replicating it to a secondary region far from the primary region?
A. Locally Redundant Storage (LRS)
B. Zone-Redundant Storage (ZRS)
C. Geo-Redundant Storage (GRS)
D. Premium Locally Redundant Storage
✓ Correct Answer: C
GRS replicates data synchronously three times within the primary region and asynchronously to a secondary region. This protects against a complete regional disaster. LRS replicates within a single datacenter (3 copies). ZRS replicates across availability zones within the same region. Read-Access GRS (RA-GRS) adds read access to the secondary region even when the primary is available.
What is Azure Kubernetes Service (AKS)?
A. A serverless container runtime for running individual containers
B. A managed Kubernetes orchestration service for containerized applications
C. A service for hosting traditional web applications without containers
D. A managed database service for containerized applications
✓ Correct Answer: B
AKS is a managed Kubernetes service that simplifies deploying and managing containerized applications. Microsoft handles the Kubernetes control plane (provisioning, upgrading, scaling). You manage the agent nodes running your workloads. AKS is used for complex, multi-container applications needing features like auto-scaling, rolling updates, service mesh, and health monitoring. ACI is the simpler option for single containers.
Which Azure compute service is best for running traditional lift-and-shift workloads where you need full control over the operating system configuration?
A. Azure Functions
B. Azure App Service
C. Azure Virtual Machines
D. Azure Container Instances
✓ Correct Answer: C
Azure Virtual Machines provide IaaS: you get a VM with full OS control (Windows or Linux) and can install any software and configure services exactly as you would on-premises. This makes VMs ideal for lift-and-shift migrations of applications that need specific OS settings. Azure Functions and App Service abstract the OS, while Container Instances run containers rather than full VMs.
What is the Azure Blob Storage "Cool" access tier designed for?
A. Frequently accessed data requiring the fastest retrieval
B. Infrequently accessed data stored for at least 30 days
C. Data archived for years with rare access needs
D. Real-time streaming data
✓ Correct Answer: B
Azure Blob Storage offers three access tiers: Hot (for frequently accessed data, highest storage cost, lowest access cost), Cool (for infrequently accessed data stored for at least 30 days, lower storage cost, higher access cost), and Archive (for rarely accessed data stored for at least 180 days, lowest storage cost, highest retrieval cost and time). Choosing the right tier reduces storage costs significantly.
Which Azure service provides a fully managed message broker for decoupling application components and enabling reliable asynchronous communication?
A. Azure Event Grid
B. Azure Service Bus
C. Azure Queue Storage
D. Azure Notification Hubs
✓ Correct Answer: B
Azure Service Bus is an enterprise-grade message broker supporting message queues and publish-subscribe topics. It provides features like dead-letter queues, message sessions, duplicate detection, and transactions — important for critical business applications. Azure Queue Storage is a simpler, cheaper option for basic queuing without these enterprise features. Event Grid is an event routing service for reactive, event-driven architectures.
What is the purpose of a Network Security Group (NSG) in Azure?
A. To encrypt network traffic between virtual machines
B. To filter inbound and outbound network traffic using allow and deny rules
C. To create a VPN connection between Azure and on-premises networks
D. To balance load across multiple virtual machines
✓ Correct Answer: B
NSGs contain security rules that allow or deny inbound and outbound network traffic based on source IP, destination IP, port, and protocol. They are applied to subnets or individual network interfaces and function as a basic stateful firewall. NSGs are free to use and are the primary tool for network access control within Azure Virtual Networks.
What is Azure VPN Gateway used for?
A. Filtering network traffic within a virtual network
B. Creating encrypted connections between Azure VNets and on-premises networks over the public internet
C. Providing dedicated private fiber connections to Azure datacenters
D. Distributing internet traffic across multiple virtual machines
✓ Correct Answer: B
Azure VPN Gateway creates encrypted IPsec/IKE tunnels over the public internet between on-premises networks and Azure virtual networks (Site-to-Site VPN), between two Azure regions (VNet-to-VNet), or from individual client devices (Point-to-Site VPN). For guaranteed bandwidth and private connectivity without using the internet, Azure ExpressRoute is the appropriate alternative.
What is Azure ExpressRoute?
A. A cloud-to-cloud connection between Azure and competing cloud providers
B. A dedicated private connection from on-premises to Azure that bypasses the public internet
C. A VPN service that encrypts site-to-site connections over the internet
D. A CDN for accelerating global content delivery
✓ Correct Answer: B
ExpressRoute provides dedicated, private connectivity from your data center to Azure through a connectivity provider. Traffic does NOT travel over the public internet — it uses a private circuit providing more reliability, faster speeds, lower latency, and higher security. It supports speeds from 50 Mbps to 100 Gbps. It is more expensive than VPN Gateway but required for strict bandwidth, latency, or compliance requirements.
What is the purpose of Azure Traffic Manager?
A. To monitor network traffic for security threats inside Azure
B. To distribute DNS-based traffic across global Azure endpoints based on routing methods
C. To create private virtual network segments within Azure
D. To provide DDoS protection for internet-facing applications
✓ Correct Answer: B
Azure Traffic Manager is a DNS-based global load balancer. It routes user DNS queries to the most appropriate endpoint based on a routing method: performance (lowest latency), priority (primary/failover), weighted (percentage distribution), or geographic. Traffic Manager itself does not handle actual traffic — it only directs DNS resolution. Endpoints can be in any Azure region or even on-premises.
What is VNet peering in Azure?
A. Connecting an Azure VNet to an on-premises network via VPN
B. Connecting two Azure Virtual Networks so resources communicate using private IP addresses via the Microsoft backbone
C. Creating an encrypted tunnel between two VMs in the same subnet
D. Linking Azure subscriptions to share billing
✓ Correct Answer: B
VNet peering connects two Azure Virtual Networks, enabling resources in both to communicate as if on the same network using private IP addresses. Traffic between peered VNets travels over Microsoft's private backbone — not the public internet. Global VNet Peering connects VNets across different Azure regions. Peering is low-latency and high-bandwidth but does not support transitive routing by default.
A company needs centralized control of outbound internet traffic from Azure VMs, with FQDN filtering and threat intelligence. Which service should they use?
A. Network Security Group
B. Azure Load Balancer
C. Azure Firewall
D. Azure DDoS Protection
✓ Correct Answer: C
Azure Firewall is a managed, stateful cloud-native network security service with high availability and unrestricted cloud scalability. It supports FQDN-based application rules (allow/block traffic by domain name), network rules (IP/port), DNAT rules for inbound traffic, and threat intelligence-based filtering. NSGs provide basic rule-based filtering without deep inspection or centralized management across multiple VNets.
Which Azure service provides application-layer (Layer 7) load balancing with SSL termination and URL-based routing?
A. Azure Load Balancer
B. Azure Traffic Manager
C. Azure Application Gateway
D. Azure Front Door
✓ Correct Answer: C
Azure Application Gateway is a web traffic (Layer 7) load balancer. It inspects HTTP/HTTPS traffic and routes requests based on URL paths, hostnames, or other HTTP attributes. Features include SSL/TLS termination, session affinity, WebSocket support, and an optional Web Application Firewall (WAF). Azure Load Balancer works at Layer 4 (TCP/UDP) without inspecting application content.
What does Azure DNS provide?
A. DDoS protection for domain names
B. Hosting for DNS domains and resolving domain names to Azure resources
C. Encrypted tunnels between Azure and on-premises networks
D. Automatic registration of all Azure VM hostnames
✓ Correct Answer: B
Azure DNS allows you to host your DNS zones (domain names) in Azure and manage DNS records using Azure tools, APIs, and RBAC. It uses Microsoft's global network for fast DNS query resolution. Azure DNS does NOT provide domain name registration — you still purchase the domain from a registrar. The benefit is managing DNS alongside your other Azure resources with the same credentials and tools.
What is the purpose of Resource Groups in Azure?
A. To manage billing across multiple subscriptions
B. To logically group related Azure resources that share the same lifecycle
C. To create network isolation between resources
D. To set spending limits on Azure services
✓ Correct Answer: B
A Resource Group is a container that holds related Azure resources — such as a web app, its database, storage account, and networking — that share the same lifecycle. When you delete a resource group, all resources inside are deleted together. Resource groups also serve as the scope for applying RBAC permissions and Azure Policy, making them essential for organized resource management.
What is Azure Policy?
A. A service for creating user accounts and managing identities
B. A service that evaluates Azure resources against defined rules to enforce organizational standards
C. A pricing model for Azure services
D. A monitoring tool for Azure resource performance
✓ Correct Answer: B
Azure Policy creates, assigns, and manages policy definitions that enforce rules on your Azure resources. Examples: require all resources to have a specific tag, restrict which VM sizes can be deployed in a region, or enforce that storage accounts only use HTTPS. Policy continuously evaluates resources and reports compliance status — it can also automatically remediate non-compliant resources.
What is the purpose of resource tags in Azure?
A. To create network segments for resources
B. To assign metadata name-value pairs to resources for organization, cost tracking, and automation
C. To set performance limits on resource consumption
D. To replicate resources to another region automatically
✓ Correct Answer: B
Tags are name-value pairs (e.g., "Environment: Production", "Department: Finance") attached to Azure resources, subscriptions, or resource groups. They are used to organize resources logically, track and allocate costs by project or team, automate resource management policies, and filter resources in reports. Up to 50 tags can be applied per resource. Tags are not automatically inherited from resource groups.
Which Azure service allows you to define and deploy a repeatable set of Azure resources that enforces your organization's standards, including policies, role assignments, and ARM templates?
A. Azure Policy
B. Azure Resource Manager Templates alone
C. Azure Blueprints
D. Management Groups
✓ Correct Answer: C
Azure Blueprints enables cloud architects to define a reusable, version-controlled package of governance artifacts: resource groups, ARM templates, role assignments, and policy assignments. A Blueprint maintains an ongoing relationship with deployed resources for compliance tracking. Unlike standalone ARM templates, Blueprints ensure governance artifacts are deployed together and remain auditable over time.
What is the correct hierarchy of Azure management scopes from broadest to most specific?
A. Subscription > Management Group > Resource Group > Resource
B. Management Group > Subscription > Resource Group > Resource
C. Resource Group > Subscription > Management Group > Resource
D. Tenant > Subscription > Management Group > Resource Group
✓ Correct Answer: B
The Azure governance hierarchy is: Management Groups (can contain multiple subscriptions and other management groups) > Subscriptions (contain resource groups) > Resource Groups (contain individual resources). The Azure AD Tenant is the root above all management groups. Policies and RBAC roles applied at a higher scope are inherited by all child scopes below — this is the key principle of Azure governance.
What type of data is Azure Table Storage best suited for?
A. Large binary files such as images and videos
B. Structured, non-relational data that does not require complex joins or foreign keys
C. Relational data with complex multi-table relationships
D. Message queuing for decoupling application components
✓ Correct Answer: B
Azure Table Storage is a NoSQL key-value store designed for large volumes of structured, non-relational data — such as web application user data, device telemetry, address books, or metadata. It is significantly cheaper than Cosmos DB for simple use cases. It does not support joins, foreign keys, or complex queries. Cosmos DB's Table API is the drop-in upgrade when you need global distribution and stronger SLAs.
What feature allows you to apply consistent governance, policies, and access controls to multiple Azure subscriptions simultaneously?
A. Resource Groups
B. Management Groups
C. Azure Policy alone
D. Azure Blueprints alone
✓ Correct Answer: B
Management Groups are containers above subscriptions in the Azure hierarchy. You can organize subscriptions into management groups and apply Azure Policy and RBAC at the management group level — all child subscriptions and resource groups inherit these settings automatically. This is essential for large enterprises managing dozens or hundreds of subscriptions that need uniform governance and compliance enforcement.
What is Azure Key Vault primarily used for?
A. Managing user identities and access permissions
B. Securely storing and accessing secrets, encryption keys, and certificates
C. Monitoring and detecting security threats across Azure resources
D. Providing DDoS protection for web applications
✓ Correct Answer: B
Azure Key Vault is a cloud service for securely storing and controlling access to secrets (passwords, API keys, connection strings), cryptographic keys, and certificates. Applications retrieve secrets from Key Vault at runtime instead of hardcoding them in source code or configuration. Key Vault supports hardware security module (HSM) backed storage, detailed audit logs, and fine-grained access control via Azure AD.
What is Azure Active Directory (Azure AD / Microsoft Entra ID)?
A. A server OS for managing domain controllers in the cloud
B. A cloud-based identity and access management service for Azure and Microsoft 365
C. A network firewall service for Azure virtual networks
D. A database service for storing user profile records
✓ Correct Answer: B
Azure Active Directory (now called Microsoft Entra ID) is Microsoft's cloud-based identity platform. It provides authentication (verifying who a user is) and authorization (what resources they can access) for Azure, Microsoft 365, and thousands of third-party SaaS applications. Unlike Windows Server AD, Azure AD uses modern protocols (OAuth 2.0, OpenID Connect, SAML) and is optimized for internet-scale cloud access.
What is the purpose of Multi-Factor Authentication (MFA) in Azure?
A. To encrypt data at rest in Azure storage accounts
B. To require users to provide two or more verification factors beyond just a password
C. To filter malicious inbound network traffic
D. To automatically replicate data to multiple regions
✓ Correct Answer: B
MFA adds a security layer beyond passwords by requiring at least two of: something you know (password), something you have (authenticator app, phone, hardware token), or something you are (biometrics). Even if a password is stolen or leaked, an attacker cannot access the account without the second factor. MFA in Azure is enforced through Azure AD and is a core Zero Trust security control.
What is the Zero Trust security model?
A. Trusting all traffic that originates from inside your corporate network perimeter
B. A model that assumes breaches can happen anywhere and verifies every request regardless of origin
C. Blocking all external traffic to Azure by default until explicitly allowed
D. Using minimal encryption for internal network traffic to improve performance
✓ Correct Answer: B
Zero Trust assumes no user, device, or network should be trusted by default — even inside the corporate perimeter. Every access request is verified explicitly using identity, device health, location, and risk signals before granting least-privilege access. The three principles are: verify explicitly, use least privilege, and assume breach. Azure AD Conditional Access and Microsoft Defender implement Zero Trust controls.
What does Azure DDoS Protection Standard provide beyond the free Basic protection tier?
A. Encrypted HTTPS connections to Azure
B. Adaptive tuning, attack analytics, real-time metrics, and access to DDoS rapid response team support
C. Protection against password brute-force and phishing attacks
D. Automatic firewall rules that block malicious IP addresses permanently
✓ Correct Answer: B
DDoS Protection Basic is automatically enabled for all Azure resources at no cost. Standard adds: adaptive tuning calibrated to your specific traffic baseline, real-time attack metrics and diagnostics in Azure Monitor, post-attack reports and analysis, and access to Microsoft's DDoS Rapid Response team during an active attack. Standard is appropriate for internet-facing applications that require SLA-backed protection.
In Azure RBAC, what does the "Contributor" role allow compared to "Owner"?
A. Contributor has read-only access; Owner can create resources
B. Contributor can manage all resources but cannot grant access to others; Owner can do both
C. Contributor and Owner have identical permissions
D. Contributor can only manage compute resources; Owner manages all resource types
✓ Correct Answer: B
The Owner role has full access to all resources and the ability to assign Azure RBAC roles to other users. The Contributor role has the same ability to create and manage all resources but cannot assign roles or grant access to others. The Reader role provides read-only access to view resources. User Access Administrator can manage access without managing resources themselves.
What is Conditional Access in Azure AD?
A. A backup and recovery policy for Azure resources
B. A policy engine that automates access decisions based on user, device, location, and risk signals
C. A method for granting temporary administrative access to virtual machines
D. A service for encrypting data in transit between Azure services
✓ Correct Answer: B
Conditional Access enforces intelligent access policies based on conditions and signals. Example policy: "If a user signs in from outside the corporate network, require MFA." Another: "If the device is not compliant with security policies, block access." It is the core control plane for Zero Trust in Azure AD — applying the right access controls in the right conditions without compromising user experience.
What is the Microsoft Trust Center?
A. A support portal for Azure billing disputes and refund requests
B. A website providing detailed information about Microsoft's security, privacy, and compliance practices
C. A dashboard for monitoring the health of Azure services in real time
D. A certification testing portal for Microsoft professional exams
✓ Correct Answer: B
The Microsoft Trust Center (trust.microsoft.com) provides documentation about Microsoft's security practices, privacy commitments, and compliance certifications across its cloud services. It lists compliance offerings (GDPR, ISO 27001, SOC 2, HIPAA, FedRAMP, and hundreds more) and provides audit reports, data residency information, and privacy policies — essential for organizations evaluating Azure for regulated industries.
What is Microsoft Defender for Cloud?
A. A firewall appliance for blocking inbound network traffic
B. A unified security posture management and threat protection service for Azure and hybrid workloads
C. A backup service for protecting Azure virtual machine data
D. A network bandwidth monitoring tool
✓ Correct Answer: B
Microsoft Defender for Cloud (formerly Azure Security Center with Azure Defender) provides two key capabilities: Cloud Security Posture Management (CSPM), which continuously assesses resource configurations and provides a security score with recommendations, and Cloud Workload Protection (CWP), which detects and responds to threats across VMs, containers, databases, App Service, key vaults, and more.
What is the Azure Pricing Calculator used for?
A. To view your current Azure invoice and billing history
B. To estimate the monthly cost of Azure services before you deploy them
C. To compare Azure pricing with AWS and Google Cloud pricing
D. To request discounts and special pricing from Microsoft
✓ Correct Answer: B
The Azure Pricing Calculator (azure.microsoft.com/pricing/calculator) lets you select Azure services, configure their options, and see an estimated monthly cost before provisioning anything. It is a planning and budgeting tool. It differs from Azure Cost Management (which shows actual spending on deployed resources) and the TCO Calculator (which compares on-premises costs vs Azure).
What does the Azure Total Cost of Ownership (TCO) Calculator help you estimate?
A. The monthly Azure bill for newly provisioned services
B. The cost savings of migrating on-premises workloads to Azure
C. The relative cost of different Azure VM sizes
D. Your Azure subscription discount based on committed spending
✓ Correct Answer: B
The TCO Calculator helps organizations quantify the financial benefit of moving to Azure. You input your current on-premises infrastructure (server count, storage, network bandwidth, electricity costs, labor) and the calculator compares that against equivalent Azure services, showing estimated savings over 3-5 years. It is primarily a pre-sales planning tool to build the business case for cloud migration.
What is an Azure Reservation and what benefit does it provide?
A. A temporary hold placed on Azure resources before purchasing them
B. A 1- or 3-year commitment to use specific Azure resources in exchange for discounts up to 72%
C. A reserved public IP address for a virtual machine
D. A scheduled maintenance window negotiated with Microsoft
✓ Correct Answer: B
Azure Reservations (Reserved Instances) let you pre-commit to using a specific resource type and size for 1 or 3 years in exchange for significant discounts compared to pay-as-you-go pricing. Discounts vary by service: up to 72% for VMs, up to 65% for Azure SQL Database, etc. They are ideal for predictable, steady-state workloads. You can exchange or cancel reservations subject to applicable fees.
What does a Service Level Agreement (SLA) in Azure define?
A. The maximum number of users allowed per Azure subscription
B. Microsoft's uptime and connectivity commitment for each service, including service credits for missed targets
C. The security requirements customers must meet to use Azure regulated services
D. The list of features available in each Azure pricing tier
✓ Correct Answer: B
An SLA is Microsoft's formal commitment to the uptime percentage for each Azure service (e.g., single VM with premium SSD: 99.9%, VMs across availability zones: 99.99%). If Microsoft misses the SLA, customers receive service credits as compensation. For composite architectures, the effective SLA is calculated by multiplying individual service SLAs — adding redundancy improves the composite SLA.
How can you improve the effective SLA of an Azure application?
A. By using a larger VM size
B. By deploying redundant resources across multiple Availability Zones or regions
C. By choosing a premium support plan
D. By using Azure Reserved Instances instead of pay-as-you-go pricing
✓ Correct Answer: B
Redundancy improves SLA because the failure of one component does not take the application offline. A single VM has a 99.9% SLA. Two VMs in different Availability Zones have a 99.99% SLA. Deploying across two regions with automatic failover can approach 99.999%. VM size, support plan, and billing model do not affect the service SLA — only architecture and redundancy do.
What is Azure Cost Management + Billing?
A. A tool for estimating costs before deploying Azure resources
B. A service for analyzing, monitoring, and optimizing actual Azure spending
C. A feature for setting the billing cycle and payment method for a subscription
D. A calculator that compares on-premises costs with Azure costs
✓ Correct Answer: B
Azure Cost Management + Billing provides detailed analysis of current and historical Azure spending, budget creation with alert thresholds, spending forecasts, and cost optimization recommendations. You can view costs by resource, resource group, subscription, or tag. It integrates with Azure Advisor to surface underutilized resources. Unlike the Pricing Calculator (pre-deployment estimates), Cost Management analyzes real spending.
What is Azure Advisor?
A. A chatbot that answers questions about Azure services and configurations
B. A personalized cloud consultant that analyzes your Azure resources and recommends improvements
C. A service for connecting you with a human Microsoft support engineer
D. A compliance audit tool that checks resources against regulatory frameworks
✓ Correct Answer: B
Azure Advisor analyzes your deployed Azure resources and provides prioritized recommendations across five categories: Cost (right-size or shut down unused resources), Security (enable MFA, apply missing patches), Reliability (add redundancy, enable backups), Performance (add caching, improve throughput), and Operational Excellence (use automation, enable diagnostics). It is free, always-on, and actionable.
What is Azure Service Health?
A. A tool that monitors CPU and memory usage of your virtual machines
B. A personalized dashboard showing Azure service issues, planned maintenance, and health advisories for your resources
C. A support ticket portal for reporting incidents to Microsoft
D. A compliance dashboard showing whether your resources meet security standards
✓ Correct Answer: B
Azure Service Health has three components: Azure Status (global outages affecting all customers), Service Health (incidents and maintenance affecting YOUR specific subscriptions and regions), and Resource Health (health of YOUR individual resources). It sends proactive notifications before planned maintenance, during active incidents, and after events — enabling you to act before issues affect users.
Which Azure support plan provides 24/7 technical support for all severity issues and is appropriate for production workloads?
A. Basic
B. Developer
C. Standard
D. Free
✓ Correct Answer: C
The Standard support plan provides 24/7 access to full Azure technical support for all severity levels (Sev A critical: under 1-hour response) and unlimited tickets. Developer provides support during business hours only, for non-production scenarios. Basic includes self-help documentation, community forums, and access to Azure Advisor, with no human technical support. Professional Direct adds proactive services and an account manager.
What is the purpose of Azure management groups in the context of billing and governance?
A. To combine the billing of multiple Azure subscriptions into one invoice
B. To apply governance policies and access controls consistently across multiple subscriptions
C. To create separate billing accounts for different departments
D. To monitor spending limits across all resources in an organization
✓ Correct Answer: B
Management Groups are governance containers above subscriptions. Azure Policy and RBAC role assignments made at the management group level are inherited by all child subscriptions and resource groups. This enables consistent governance (e.g., require all VMs to use approved OS images) across many subscriptions without configuring each one separately. For billing consolidation, Enterprise Agreements or Microsoft Customer Agreements handle invoice-level grouping.
Which tool allows you to manage Azure resources using a pre-authenticated browser-based command-line interface without installing anything locally?
A. Azure CLI installed on your laptop
B. Azure PowerShell installed on your laptop
C. Azure Cloud Shell in the portal
D. Windows Terminal with Azure extensions
✓ Correct Answer: C
Azure Cloud Shell is a browser-based interactive shell accessible from the Azure portal (or shell.azure.com). It comes pre-installed with Azure CLI, Azure PowerShell, Terraform, kubectl, git, and other tools, and authenticates automatically using your Azure credentials. Files persist across sessions via an Azure Files share. It is available in Bash and PowerShell modes — no local installation required.
What is the difference between Azure Hybrid Benefit and Azure Reserved Instances?
A. Both are the same discount program with different names
B. Hybrid Benefit reduces cost by applying existing Windows Server and SQL Server licenses; the Reserved Instances discount comes from multi-year commitments
C. Hybrid Benefit requires a 3-year commitment; Reserved Instances are month-to-month
D. Reserved Instances are only for virtual machines; Hybrid Benefit covers all Azure services
✓ Correct Answer: B
Azure Hybrid Benefit lets customers with existing on-premises Windows Server or SQL Server licenses with Software Assurance apply those licenses to Azure VMs, reducing costs by up to 40-55%. Azure Reservations (Reserved Instances) reduce costs by committing to 1 or 3 years of consistent usage. These two discounts can be combined for maximum savings on predictable workloads running on Windows or SQL Server.
Which of the following actions can you perform in the Azure portal that you CANNOT do with the Azure Pricing Calculator?
A. Estimate the monthly cost of an Azure SQL Database
B. View and download your actual Azure invoice for last month
C. Compare the cost of different VM sizes before deployment
D. Select a specific Azure region to estimate location-based pricing
✓ Correct Answer: B
The Azure Pricing Calculator is a pre-deployment estimation tool — it shows you what a configuration WOULD cost. The Azure portal (under Cost Management + Billing) shows your actual invoices, payment history, and real spending data. Both tools allow cost estimation and comparison. Only the portal and Cost Management + Billing provide actual billing records and invoices.