AZ-900 : Microsoft Azure Fundamentals Practice Tests 2025 3

Question 1

The concept of sharing resources among multiple users or tenants, allowing for cost savings and increased efficiency, is known as _______.

Multi-Tenancy

Redundancy

Autonomy

Monolithic architecture

Answer 1

Multi-Tenancy

Explanation:
The concept of sharing resources among multiple users or tenants, allowing for cost savings and increased efficiency, is known as “multi-tenancy”.

Other options -

Redundancy: It refers to the duplication of critical system components to ensure continued operation in case of a failure. While redundancy is an important attribute of many cloud systems, it is not specifically related to the concept of sharing resources among multiple users.

Autonomy: It refers to the ability of a system or organization to operate independently, with minimal external control or interference. While autonomy can be an important attribute of cloud systems, it is not specifically related to the concept of multi-tenancy.

Monolithic architecture: It architecture refers to a software architecture pattern in which all components of an application are tightly integrated and deployed as a single unit. While monolithic architecture can be used in cloud systems, it is not specifically related to the concept of multi-tenancy, which involves the sharing of resources among multiple users or tenants.

Question 2

_____________ devices can easily move data to Azure when busy networks aren’t an option.

Azure File Sync
Azure Storage Explorer
Azure Migrate
Azure Data Box

Answer 2

Azure Data Box

Explanation:
Azure Data Box devices easily move data to Azure when busy networks aren’t an option. Move large amounts of data to Azure when you’re limited by time, network availability, or costs, using common copy tools such as Robocopy. All data is AES-encrypted, and the devices are wiped clean after upload, in accordance with NIST Special Publication 800-88 revision 1 standards.

Question 3

It’s possible to deploy a new Azure VM from a Google Chromebook by using PowerAutomate.

No
Yes

Answer 3

No

Explanation:
Tricky question! PowerAutomate is not the same as PowerShell.

PowerAutomate moreover isn’t a part of Azure! It falls under the Microsoft umbrella of offerings, just like PowerApps.

Hence, this statement is definitely False. You can use the Azure portal to provision Virtual Machines, or even the CLI.

Question 4

What is the maximum allowed number of tags per Azure resource?

50
15
10
30

Answer 4

50

Explanation:
Azure allows users to assign name-value pairs, called tags, to each resource, resource group, and subscription. The maximum number of tag name-value pairs that can be assigned to each of these entities is 50. If you need to apply more tags than the allowed number, you can use a JSON string to include multiple values for a single tag name. Each resource group or subscription can contain numerous resources, each with their own set of 50 tag name-value pairs.

Question 5

The members of your organization have been complaining about having to enter their password too many times which is frustrating. Moreover, users also tend to forget their passwords which leads to reset overhead. Which of the following services in Azure can help with this?

Azure Active Directory SeamlessAuth
Azure Active Directory Passwordless
Azure ExpressRoute
Azure Arc

Answer 5

Azure Active Directory Passwordless

Explanation:
Features like multifactor authentication (MFA) are a great way to secure your organization, but users often get frustrated with the additional security layer on top of having to remember their passwords. Passwordless authentication methods are more convenient because the password is removed and replaced with something you have, plus something you are or something you know.

Question 6

What is the maximum number of virtual network rules and IP network rules allowed per storage account in Azure?

500

200

150

300

Answer 6

500

Explanation;
The current maximum number of virtual networks per storage account are 200!

Question 7

What is the primary objective of the “Secure” aspect of Defender for Cloud?

To focus on Azure Security Benchmark compliance.

To provide protection against physical attacks on datacenters.

To deploy Log Analytics agents on all virtual machines.

To ensure secure configurations of workloads and resources.

Answer 7

To ensure secure configurations of workloads and resources.

Explanation:
The “Secure” aspect of Defender for Cloud aims to ensure that workloads and resources are securely configured. It provides policies and guidelines to help achieve Azure Security Benchmark compliance and secure configurations.

Question 8

How does the syntax of commands differ between Azure PowerShell and the Azure CLI?

Azure PowerShell uses PowerShell commands, while the Azure CLI uses Bash commands.

Azure PowerShell uses Python scripts, while the Azure CLI uses Ruby scripts.

There is no difference in command syntax between Azure PowerShell and the Azure CLI.

Azure PowerShell uses Bash scripts, while the Azure CLI uses JSON configuration files.

Answer 8

Azure PowerShell uses PowerShell commands, while the Azure CLI uses Bash commands.

Explanation:
The Azure CLI is functionally equivalent to Azure PowerShell, with the primary difference being the syntax of commands. While Azure PowerShell uses PowerShell commands, the Azure CLI uses Bash commands.

The Azure CLI provides the same benefits of handling discrete tasks or orchestrating complex operations through code. It’s also installable on Windows, Linux, and Mac platforms, as well as through Azure Cloud Shell.

Due to the similarities in capabilities and access between Azure PowerShell and the Bash based Azure CLI, it mainly comes down to which language you’re most familiar with.

Question 9

Which of the following are valid Azure purchasing options?

Github website

Microsoft Partner

Azure website

Microsoft representative

Answer 9

Microsoft Partner

Azure website

Microsoft representative

Explanation:
You can choose the purchasing option that works best for your organisation. Or, use any of the options simultaneously.

Question 10

What is the primary purpose of applying resource locks in Azure?

To prevent accidental deletion or modification of critical resources.

To restrict access to Azure resources to a specific user.

To prevent any modifications to resources, including read access.

To ensure resources are automatically deleted after a specific time period.

Answer 10

To prevent accidental deletion or modification of critical resources.

Explanation:
As an administrator, you can lock an Azure subscription, resource group, or resource to protect them from accidental user deletions and modifications. The lock overrides any user permissions.

You can set locks that prevent either deletions or modifications. In the portal, these locks are called Delete and Read-only. In the command line, these locks are called CanNotDelete and ReadOnly.

CanNotDelete means authorized users can read and modify a resource, but they can’t delete it.

ReadOnly means authorized users can read a resource, but they can’t delete or update it. Applying this lock is similar to restricting all authorized users to the permissions that the Reader role provides.

Unlike role-based access control (RBAC), you use management locks to apply a restriction across all users and roles. To learn about setting permissions for users and roles, see Azure RBAC.

Therefore, Resource locks in Azure are used to prevent accidental deletion or modification of important resources. They help maintain the integrity of critical resources by preventing unwanted changes.

Question 11

______________ is a set of capabilities in Azure Active Directory (AAD) that enables organizations to secure and manage any outside user, including customers and partners.

Sentinel

External Identities

External Profiles

External User Management

Answer 11

External Identities

Explanation:
External Identities is a set of capabilities that enables organizations to secure and manage any external user, including customers and partners. Building on B2B collaboration, External Identities gives you more ways to interact and connect with users outside your organization.

Question 12

The ability to provision and deprovision cloud resources quickly, with minimal management effort, is known as _______.

Resiliency

Scalability

Sustainability

Elasticity

Answer 12

Scalability

Explanation:
The correct answer is Scalability. It specifically refers to the ability to provision and deprovision cloud resources quickly and with minimal management effort.

Question 13

Yes or No: Azure Site Recovery can only be used to replicate and recover virtual machines within Azure.

Yes

No

Answer 13

No

Explanation:
The answer is No. Azure Site Recovery can be used to replicate and recover virtual machines not only within Azure, but also from on-premises datacenters to Azure, and between different datacenters or regions.

Azure Site Recovery is a disaster recovery solution that provides continuous replication of virtual machines and physical servers to a secondary site, allowing for rapid recovery in case of a disaster. It supports a wide range of scenarios, including replication from VMware, Hyper-V, and physical servers to Azure, as well as replication between Azure regions or datacenters.

Question 14

Which of the following is a good usage of tags?

Using tags for data classification

Making business groups aware of cloud resource consumption requires IT to understand the resources and workloads each team is using

Using Tags to quickly locate resources associated with specific workloads, environments, ownership groups, or other important information.

To help identify the assets required to support a single workload.

All of these

Answer 14

All of these

Overall explanation
All of the above can help leverage the power of tags in one way or the other.

From the official Azure docs:

Organizing cloud-based resources is a crucial task for IT, unless you only have simple deployments. Use naming and tagging standards to organize your resources for the following reasons:

Resource management: Your IT teams need to quickly locate resources associated with specific workloads, environments, ownership groups, or other important information. Organizing resources is critical to assigning organizational roles and access permissions for resource management.

Cost management and optimization: Making business groups aware of cloud resource consumption requires IT to understand the resources and workloads each team is using.

Operations management: Visibility for the operations management team about business commitments and SLAs is an important aspect of ongoing operations. For operations to be managed well, tagging for mission criticality is required.

Security: Classification of data and security impact is a vital data point for the team, when breaches or other security issues arise. To operate securely, tagging for data classification is required.

Governance and regulatory compliance: Maintaining consistency across resources helps identify changes from agreed-upon policies. Prescriptive guidance for resource tagging demonstrates how one of the following patterns can help when deploying governance practices. Similar patterns are available to evaluate regulatory compliance using tags.

Automation: A proper organizational scheme allows you to take advantage of automation as part of resource creation, operational monitoring, and the creation of DevOps processes. It also makes resources easier for IT to manage.

Workload optimization: Tagging can help identify patterns and resolve broad issues. Tag can also help identify the assets required to support a single workload. Tagging all assets associated with each workload enables deeper analysis of your mission-critical workloads to make sound architectural decisions.

Question 15

What is network latency?

The cost incurred by the data travelling over the network

The maximum amount of data that can travel over the network

The distance the data travel over the network

The time it takes for data to travel over the network

Answer 15

The time it takes for data to travel over the network

Explanation:
Network latency is the time it takes for data or a request to go from the source to the destination. Latency in networks is measured in milliseconds.

Question 16

Which of the following services allows you to easily run popular open source frameworks including Apache Hadoop, Spark, and Kafka for open source analytics?

Azure Data Lake Analytics

Azure Cosmos DB

Azure Cognitive Services

Azure HDInsight

Answer 16

Azure HDInsight

Explanation:
We can easily run popular open source frameworks—including Apache Hadoop, Spark, and Kafka—using Azure HDInsight, a cost-effective, enterprise-grade service for open source analytics. Effortlessly process massive amounts of data and get all the benefits of the broad open source ecosystem with the global scale of Azure.

Question 17

You are an IT manager and want to ensure that you are notified when the Azure spending reaches a certain threshold. Which feature of Azure Cost Management should you use?

Cost analysis

Department spending quota alerts

Budgets

Cost alerts

Answer 17

Budgets

Explanation:
Budgets is the correct answer. Budgets in Azure Cost Management allow you to set a spending limit for Azure based on a subscription, resource group, service type, or other criteria. You can also set a budget alert, which will notify you when the budget reaches the defined alert level.

Question 18

How does the “compute” layer contribute to the defense-in-depth strategy?

It ensures that services are secure and free of vulnerabilities.

It focuses on securing virtual machines and access to them.

It prevents unauthorized physical access to hardware.

It secures access to physical data centers.

Answer 18

It focuses on securing virtual machines and access to them.

Explanation:
From the official docs: The focus in this layer is on making sure that your compute resources are secure and that you have the proper controls in place to minimize security issues.

At this layer, it’s important to:

Secure access to virtual machines.

Implement endpoint protection on devices and keep systems patched and current.

Therefore, the “compute” layer in the defense-in-depth model concentrates on securing access to virtual machines and ensuring they are properly protected. It involves implementing security controls and measures within the virtual machine environment. This is the best option out of the ones given.

Question 19

A Network Security Group (NSG) has the ability to encrypt data at rest and in transit.

No

Yes

Answer 19

No

Explanation:
No, a Network Security Group (NSG) DOES NOT encrypt traffic.

Question 20

In an Azure virtual network, which of the following is used to filter network traffic between subnets?

Azure Load Balancer

Azure Firewall

Network Security Group

Azure Application Gateway

Answer 20

Network Security Group

Explanation:
Network Security Group is the correct answer.

A Network Security Group (NSG) is a basic form of firewall that can be used to filter network traffic between subnets in an Azure virtual network. NSGs are used to define inbound and outbound traffic rules that control the flow of traffic to and from resources in a virtual network.

Other options -

Azure Firewall: It is a firewall service that can be used to filter network traffic, and is typically used to protect virtual networks from external threats and to enforce network security policies. However, Azure Firewall is not typically used to filter network traffic between subnets in an Azure virtual network. This is because Network Security Group (NSG) is the recommended method for filtering network traffic within a virtual network.

Azure Application Gateway: It provides application-level load balancing and routing, but is not used to filter network traffic between subnets in an Azure virtual network. It is focused on providing routing and load balancing for web traffic, rather than network traffic.

Azure Load Balancer: It can be used to distribute incoming traffic across multiple virtual machines or instances within a Virtual Network, but is not used to filter network traffic between subnets in an Azure virtual network. It provides a load balancing service, rather than a filtering service.

Question 21

ExpressRoute connections go over the public Internet, and they offer more reliability, faster speeds, and lower latencies than typical Internet connections.

No

Yes

Answer 21

No

Explanation:
No, it is false that ExpressRoute connections go over the public Internet. However, they do offer more reliability, faster speeds, and lower latencies than typical Internet connections.

Question 22

Which of the following Azure services offers a dedicated physical server to host your virtual machines?

Azure Bare Metal

Azure Virtual Dedicated Host

Azure Virtual Machines

Azure Dedicated Host

Answer 22

Azure Dedicated Host

Explanation:
Azure Dedicated Host is the correct answer.

Azure Dedicated Host is an Azure service that offers a dedicated physical server to host your virtual machines. With Azure Dedicated Host, you can control the underlying host infrastructure and manage host maintenance operations such as updates and reboots. You can also select the number of cores, amount of memory, and types of storage devices that best suit your workloads.

Other options -

Azure Virtual Machines: This is a cloud-based infrastructure as a service (IaaS) offering that provides virtual machines for running applications and services. However, Azure Virtual Machines do not offer dedicated physical servers.

Azure Virtual Dedicated Host: This is not a valid Azure service.

Azure Bare Metal: This is a term that generally refers to a physical server or machine without a hypervisor layer. While Azure provides access to virtual machines with a range of hardware specifications, Azure Bare Metal is not a specific service that provides dedicated physical servers.

Question 23

Microsoft Azure services operated by ____________ in China.

Alibaba
Xiaomi
21Vianet
Morgan Stanley

Answer 23

21Vianet

Explanation:
Microsoft Azure operated by 21Vianet is the first international public cloud service that has been commercialized in China in compliance with Chinese laws and regulations.

Question 24

_________________ is a hosting service for Domain Name System domains that provides name resolution by using Microsoft Azure infrastructure.

Azure ExpressRoute

Azure DNS

Azure VPN Gateway

Azure Virtual Subnets

Answer 24

Azure DNS

Explanation:
Azure DNS is a hosting service for DNS domains that provides name resolution by using Microsoft Azure infrastructure. By hosting your domains in Azure, you can manage your DNS records by using the same credentials, APIs, tools, and billing as your other Azure services.

Question 25

Azure Service Health allows us to define the critical resources that should never be impacted due to outages and downtimes. Yes No

Answer 25

No Explanation: Azure Service Health notifies you about Azure service incidents and planned maintenance so you can take action to mitigate downtime. Configure customisable cloud alerts and use your personalised dashboard to analyse health issues, monitor the impact to your cloud resources, get guidance and support, and share details and updates.

Question 26

How can JSON strings be used to assign more than the maximum number of allowed tags to an Azure resource? By creating additional resource groups By creating additional tag names By creating additional subscriptions By including multiple values for a single tag name

Answer 26

By including multiple values for a single tag name Explanation: When you need to assign more than the maximum number of allowed tags to an Azure resource, you can use JSON strings to include multiple values for a single tag name. This approach allows you to apply more tag values than the limit allows while maintaining compliance with Azure's tag limit. The JSON string should be added as the tag value, and it should contain a comma-separated list of values that you want to apply to the tag.

Question 27

A(n) ______________ lets you run legacy applications in the cloud that can't use modern authentication methods, or where you don't want directory lookups to always go back to an on-premises AD DS environment Azure Active Directory External Identities Azure Single Sign On (SSO) Azure Migrate deployment Azure Active Directory Domain Services

Answer 27

Azure Active Directory Domain Services Explanation: Azure Active Directory Domain Services (Azure AD DS) provides managed domain services such as domain join, group policy, lightweight directory access protocol (LDAP), and Kerberos/NTLM authentication. You use these domain services without the need to deploy, manage, and patch domain controllers (DCs) in the cloud. An Azure AD DS managed domain lets you run legacy applications in the cloud that can't use modern authentication methods, or where you don't want directory lookups to always go back to an on-premises AD DS environment. You can lift and shift those legacy applications from your on-premises environment into a managed domain, without needing to manage the AD DS environment in the cloud.

Question 28

You can use Azure DNS to buy a domain name. Yes No

Answer 28

No Explanation: Azure DNS is a hosting service for DNS domains that provides name resolution by using Microsoft Azure infrastructure. By hosting your domains in Azure, you can manage your DNS records by using the same credentials, APIs, tools, and billing as your other Azure services. You can't use Azure DNS to buy a domain name. For an annual fee, you can buy a domain name by using App Service domains or a third-party domain name registrar. Your domains then can be hosted in Azure DNS for record management. For more information, see Delegate a domain to Azure DNS.

Question 29

______________ is a command-line utility that you can use to copy blobs or files to or from a storage account. AzMove AzReplicate AzMigrate AzCopy

Answer 29

AzCopy Explanation: AzCopy is a command-line utility that you can use to copy blobs or files to or from a storage account.

Question 30

Azure provides native support for IaC via the ________________ model. Azure Arc Azure Templates Azure Tags Azure Resource Manager

Answer 30

Azure Resource Manager Explanation: Azure provides native support for IaC via the Azure Resource Manager model. Teams can define declarative ARM templates that specify the infrastructure required to deploy solutions.

Question 31

Upon applying a Tag to a Resource Group, all Resources inside it inherit that Tag. Yes No

Answer 31

No Explanation: Tags applied to the resource group or subscription aren't inherited by the resources. To apply tags from a subscription or resource group to the resources, see Azure Policies - tags.

Question 32

A startup has deployed a set of Virtual Machines which are critical for their day-to-day operations. They need to ensure their availability even if a single data center goes down. One of their interns has suggested that deploying these VMs using a Scale Set would solve the problem. Do you agree? Yes No

Answer 32

No Explanation: This answer does not specify that the scale set will be configured across multiple data centers so this solution does not meet the goal. Azure virtual machine scale sets let you create and manage a group of load balanced VMs. The number of VM instances can automatically increase or decrease in response to demand or a defined schedule. Scale sets provide high availability to your applications, and allow you to centrally manage, configure, and update many VMs. Virtual machines in a scale set can be deployed across multiple update domains and fault domains to maximize availability and resilience to outages due to data center outages, and planned or unplanned maintenance events.

Question 33

How do resource locks affect Azure resources? Resource locks prevent modifications but allow read access. Resource locks restrict any access to the resources. Resource locks enforce automatic scaling of resources. Resource locks completely hide the resources from the Azure portal.

Answer 33

Resource locks prevent modifications but allow read access. Explanation: As an administrator, you can lock an Azure subscription, resource group, or resource to protect them from accidental user deletions and modifications. The lock overrides any user permissions. You can set locks that prevent either deletions or modifications. In the portal, these locks are called Delete and Read-only. In the command line, these locks are called CanNotDelete and ReadOnly. CanNotDelete means authorized users can read and modify a resource, but they can't delete it. ReadOnly means authorized users can read a resource, but they can't delete or update it. Applying this lock is similar to restricting all authorized users to the permissions that the Reader role provides. Based on these definitions, we can still READ but not modify/delete the resources. This allows you to view resource configurations without accidentally altering them.

Question 34

Azure ____________ is an authorization system built on Azure Resource Manager that provides fine-grained access management to Azure resources. Policies Locks Role Based Access Control (RBAC) Resource Groups

Answer 34

Role Based Access Control (RBAC) Explanation: Access management for cloud resources is a critical function for any organization that is using the cloud. Azure role-based access control (Azure RBAC) helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to. Azure RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management to Azure resources. What can you do with Azure RBAC? Here are some examples of what you can do with Azure RBAC: Allow one user to manage virtual machines in a subscription and another user to manage virtual networks Allow a DBA group to manage SQL databases in a subscription Allow a user to manage all resources in a resource group, such as virtual machines, websites, and subnets Allow an application to access all resources in a resource group

Question 35

If your application experiences sudden high demand, what type of scaling would involve adding more virtual machines or containers? Static scaling Horizontal scaling Downscaling Vertical scaling

Answer 35

Horizontal scaling Explanation: With horizontal scaling, if you suddenly experienced a steep jump in demand, your deployed resources could be scaled out (either automatically or manually). For example, you could add additional virtual machines or containers, scaling out. In the same manner, if there was a significant drop in demand, deployed resources could be scaled in (either automatically or manually), scaling in.

Question 36

You are the lead of a Data Science team at your organization, and your management wants to utilize cloud capabilities to modernize your work stream. What should the company use to build, test, and deploy predictive analytics solutions? Azure App Service Azure Machine Learning Studio Azure Logic Apps Azure Batch

Answer 36

Azure Machine Learning Studio Explanation: Azure Machine Learning Studio is an enterprise-grade service for the end-to-end machine learning lifecycle. It empower data scientists and developers to build, deploy, and manage high-quality models faster and with confidence. It accelerates time to value with industry-leading machine learning operations (MLOps), open-source interoperability, and integrated tools. Innovate on a secure, trusted platform designed for responsible AI applications in machine learning.

Question 37

After taking a lot of courses and understanding cloud fundamentals, you've realized that migrating your business resources to Azure makes the most sense. Based on your understanding, which of the following would you need to create first? A resource lock A resource group A subscription A virtual network

Answer 37

A subscription Explanation: A subscription needs to be created first and foremost. The Azure account is what lets you access Azure services and Azure subscriptions. It is possible to create multiple subscriptions in our Azure account to create separation for billing or management purposes. In your subscription(s) you can manage resources in resources groups.

Question 38

Azure Advisor provides a cloud score to assess how well-architected your workloads are AND can also provide 'Step-by-Step' guidance and quick actions for fast remediation. No Yes

Answer 38

Yes Explanation: Azure Advisor helps in quick and easy optimization of your Azure deployments. Azure Advisor analyses your configurations and usage telemetry and offers personalised, actionable recommendations to help you optimise your Azure resources for reliability, security, operational excellence, performance and cost.

Question 39

Which of the following enables centralizing your organization's file shares in Azure Files, while keeping the flexibility, performance, and compatibility of a Windows file server? Azure File Manager Azure File Sync Azure File Explorer Azure File Storage

Answer 39

Azure File Sync Explanation: Azure File Sync enables centralizing your organization's file shares in Azure Files, while keeping the flexibility, performance, and compatibility of a Windows file server. While some users may opt to keep a full copy of their data locally, Azure File Sync additionally has the ability to transform Windows Server into a quick cache of your Azure file share. You can use any protocol that's available on Windows Server to access your data locally, including SMB, NFS, and FTPS. You can have as many caches as you need across the world.

Question 40

Your company makes use of several SQL databases. However, you want to increase their efficiency because of varying and unpredictable workloads. Which of the following can help you with this? Elastic Pools Region Pairs Scale Sets Resource Tags

Answer 40

Elastic Pools Explanation: Just like Azure VM Scale Sets are used with VMs, you can use Elastic Pools with Azure SQL Databases! SQL Database elastic pools are a simple, cost-effective solution for managing and scaling multiple databases that have varying and unpredictable usage demands. The databases in an elastic pool are on a single Azure SQL Database server and share a set number of resources at a set price. Elastic pools in Azure SQL Database enable SaaS developers to optimize the price performance for a group of databases within a prescribed budget while delivering performance elasticity for each database.

Question 41

Which of the following is the strongest way to protect sensitive customer data? Don't store sensitive data at all. Encrypt the data at rest. Encrypt the data in transit. Encrypt the data both at rest and in transit.

Answer 41

Encrypt the data both at rest and in transit. Explanation: To help protect data in the cloud, you need to account for the possible states in which your data can occur, and what controls are available for that state. Best practices for Azure data security and encryption relate to the following data states:

Question 42

_______________ copies your data synchronously across three Azure availability zones in the primary region. For applications requiring high availability. Locally redundant storage (LRS) Geo-zone-redundant storage (GZRS) Planet-redundant storage (PRS) Zone Redundant Storage (ZRS)

Answer 42

Zone Redundant Storage (ZRS) Explanation: Data in an Azure Storage account is always replicated three times in the primary region. Azure Storage offers two options for how your data is replicated in the primary region: Locally redundant storage (LRS) copies your data synchronously three times within a single physical location in the primary region. LRS is the least expensive replication option, but isn't recommended for applications requiring high availability or durability. Zone-redundant storage (ZRS) copies your data synchronously across three Azure availability zones in the primary region. For applications requiring high availability, Microsoft recommends using ZRS in the primary region, and also replicating to a secondary region. Geo-zone-redundant storage (GZRS) combines the high availability provided by redundancy across availability zones with protection from regional outages provided by geo-replication. Data in a GZRS storage account is copied across three Azure availability zones in the primary region and is also replicated to a secondary geographic region for protection from regional disasters.

Question 43

Which of the following services meets both criteria? 1) Monitoring of traffic patterns 24 hours a day, 7 days a week, looking for indicators of attacks. 2) Detailed reports in five-minute increments during an attack, and a complete summary after the attack ends. 3) Engagement of a dedicated team for help with attack investigation and analysis. A network security group (NSG) DDoS protection Azure Information Protection Azure Policies

Answer 43

DDoS protection Explanation: Distributed denial of service (DDoS) attacks are some of the largest availability and security concerns facing customers that are moving their applications to the cloud. A DDoS attack attempts to exhaust an application's resources, making the application unavailable to legitimate users. DDoS attacks can be targeted at any endpoint that is publicly reachable through the internet. Azure DDoS Protection enables you to protect your Azure resources from denial of service (DoS) attacks with always-on monitoring and automatic network attack mitigation. There is no upfront commitment, and your total cost scales with your cloud deployment.

Question 44

Suppose the lead architect in your company has asked your team to implement a IaaS based solution in Azure for a quick Proof-of-Concept (POC) to senior management. One of your colleagues goes ahead and creates an Azure Virtual Network and 3 Azure Virtual machines. Would you agree with this implementation? Yes No

Answer 44

Yes Explanation: Azure Virtual Machines and Azure Virtual Networks both fall under the IaaS category, and therefore this solution would meet the lead architect's ask.

Question 45

An Azure ________________ is a connection between two Azure Regions within the same geographic region for disaster recovery purposes. Region Pair Region Availability Zone Geography

Answer 45

Region Pair Explanation: Regional Pairs are 2 connected Azure Regions for Disaster Recovery within the same Geography. Many organizations require both high availability provided by availability zones that are also supported with protection from large-scale phenomena and regional disasters. As discussed in the resiliency overview for regions and availability zones, Azure regions are designed to offer protection against local disasters with availability zones. But they can also provide protection from regional or large geography disasters with disaster recovery by making use of another region that uses cross-region replication. To ensure customers are supported across the world, Azure maintains multiple geographies. These discrete demarcations define a disaster recovery and data residency boundary across one or multiple Azure regions. Cross-region replication is one of several important pillars in the Azure business continuity and disaster recovery strategy. Cross-region replication builds on the synchronous replication of your applications and data that exists by using availability zones within your primary Azure region for high availability. Cross-region replication asynchronously replicates the same applications and data across other Azure regions for disaster recovery protection.

Question 46

What is the key difference between vertical scaling and horizontal scaling? Vertical scaling only applies to virtual machines, while horizontal scaling applies to containers. Vertical scaling adjusts the number of resources, while horizontal scaling adjusts capabilities. Vertical scaling is automatic, while horizontal scaling requires manual intervention. Vertical scaling adds more processing power, while horizontal scaling increases storage capacity.

Answer 46

Vertical scaling adjusts the number of resources, while horizontal scaling adjusts capabilities. Explanation: Vertical scaling involves adjusting the number of resources, such as CPUs or RAM. Horizontal scaling, on the other hand, involves adding or subtracting resources to adjust capabilities, such as adding more virtual machines.

Question 47

It's possible to deploy an Azure VM from a MacOS based system by using which of the following options? Azure CLI Azure Cloudshell Azure Powershell Azure Portal

Answer 47

Azure CLI Azure Cloudshell Azure Powershell Azure Portal Explanation: All of the above can be used to manage Azure resources on a MacOS based system! Azure Portal - Available for all Operating Systems Azure CLI - Available for MacOS, Windows and Linux Azure Powershell - Available to install on MacOS, Windows, Linux, Docker, and Arm (Subset of Azure Cloudshell) Azure Cloudshell - Azure Cloud Shell is an interactive, authenticated, browser-accessible shell for managing Azure resources. It provides the flexibility of choosing the shell experience that best suits the way you work, either Bash or PowerShell.

Question 48

Which Azure service should you use to store certificates? Azure Key Vault Azure Security Center Azure Information Protection An Azure Storage account

Answer 48

Azure Key Vault Explanation: Azure Key Vault helps solve the following problems: 1) Secrets Management - Azure Key Vault can be used to Securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets 2) Key Management - Azure Key Vault can also be used as a Key Management solution. Azure Key Vault makes it easy to create and control the encryption keys used to encrypt your data. 3) Certificate Management - Azure Key Vault is also a service that lets you easily provision, manage, and deploy public and private Transport Layer Security/Secure Sockets Layer (TLS/SSL) certificates for use with Azure and your internal connected resources. Azure Key Vault has two service tiers: Standard, which encrypts with a software key, and a Premium tier, which includes hardware security module(HSM)-protected keys

Question 49

Azure strives to ensure a minimum distance of ______________ miles between datacenters in enabled regions, although it isn't possible across all geographies. Your answer is incorrect 200 300 500 400

Answer 49

300 Explanation: Azure strives to ensure a minimum distance of 300 miles (483 kilometers) between datacenters in enabled regions, although it isn't possible across all geographies. Datacenter separation reduces the likelihood that natural disaster, civil unrest, power outages, or physical network outages can affect multiple regions. Isolation is subject to the constraints within a geography, such as geography size, power or network infrastructure availability, and regulations.

Question 50

What types of threats does Defender for Cloud help detect across Azure PaaS services? Denial of service (DoS) attacks against network resources. Physical security breaches within datacenters. Threats related to physical hardware vulnerabilities. Threats targeting Azure services like Azure App Service, Azure SQL, and Azure Storage Account.

Answer 50

Threats targeting Azure services like Azure App Service, Azure SQL, and Azure Storage Account. Explanation: Defender for Cloud helps detect threats targeting various Azure services, such as Azure App Service, Azure SQL, and Azure Storage Account - these are PaaS services anyway. It provides monitoring and protection for these services to enhance their security.

Question 51

Which of the following can be included as artifacts in an Azure Blueprint? (Select all that apply) Role assignments Policy assignments Azure Resource Manager templates Resource groups

Answer 51

Role assignments Policy assignments Azure Resource Manager templates Resource groups Explanation: All the options are correct. From the official docs: Azure Blueprints deploy a new environment based on all of the requirements, settings, and configurations of the associated artifacts. Artifacts can include things such as: Role assignments Policy assignments Azure Resource Manager templates Resource groups

Question 52

Your Azure account contains several policies and you wish to group/organize them. Which of the following can help you achieve this? Resource Groups Azure Active Directory Initiatives Network Security Groups

Answer 52

Initiatives Explanations: An initiative definition is a collection of policy definitions that are tailored towards achieving a singular overarching goal. Initiative definitions simplify managing and assigning policy definitions. They simplify by grouping a set of policies as one single item. For example, you could create an initiative titled Enable Monitoring in Azure Security Center, with a goal to monitor all the available security recommendations in your Azure Security Center.

Question 53

____________ copies your data synchronously three times within a single physical location in the primary region. Zone-redundant storage (ZRS) Geo-zone-redundant storage (GZRS) Worldwide Redundant Storage (WRS) Locally redundant storage (LRS)

Answer 53

Locally redundant storage (LRS) Explanation: Azure Storage always stores multiple copies of your data so that it's protected from planned and unplanned events, including transient hardware failures, network or power outages, and massive natural disasters. Redundancy ensures that your storage account meets its availability and durability targets even in the face of failures.

Question 54

_______________. You're also responsible for their security. information , network controls devices, operating system data, physical network data , identities

Answer 54

data , identities Explanation: As you consider and evaluate public cloud services, it’s critical to understand the shared responsibility model and which security tasks are handled by the cloud provider and which tasks are handled by you. The workload responsibilities vary depending on whether the workload is hosted on Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), or in an on-premises datacenter.

Question 55

You are looking to link resources together in your on-premises environment and within your Azure subscription but don't want the connection to travel over the internet. Which of the following can you use? Azure Site-to-Site VPN Azure ExpressRoute Azure Bastion Azure Point-to-Site VPN Azure Sentinel

Answer 55

Azure ExpressRoute Explanation: Azure virtual networks enable you to link resources together in your on-premises environment and within your Azure subscription. In effect, you can create a network that spans both your local and cloud environments. There are three mechanisms for you to achieve this connectivity: Point-to-site virtual private networks The typical approach to a virtual private network (VPN) connection is from a computer outside your organization, back into your corporate network. In this case, the client computer initiates an encrypted VPN connection to connect that computer to the Azure virtual network. Site-to-site virtual private networks A site-to-site VPN links your on-premises VPN device or gateway to the Azure VPN gateway in a virtual network. In effect, the devices in Azure can appear as being on the local network. The connection is encrypted and works over the internet. Azure ExpressRoute For environments where you need greater bandwidth and even higher levels of security, Azure ExpressRoute is the best approach. ExpressRoute provides a dedicated private connectivity to Azure that doesn't travel over the internet.

Question 56

Which tab of the Azure pricing calculator would you use to calculate your estimate? Machines Storage Products Estimate

Answer 56

Products Explanation: The Products tab allows us to choose certain services, and configure a solution. We then get an estimated cost for deploying our solution.

Question 57

You require to seamlessly connect two Virtual Networks in Azure without a lot of hassle. Which of the following services would make sense to use? Virtual Network Integration Service Virtual Network Connector Virtual Network Peering Virtual Network Subnets

Answer 57

Virtual Network Peering Explanation: Virtual network peering enables you to seamlessly connect two or more Virtual Networks in Azure. The virtual networks appear as one for connectivity purposes. The traffic between virtual machines in peered virtual networks uses the Microsoft backbone infrastructure. Like traffic between virtual machines in the same network, traffic is routed through Microsoft's private network only. Azure supports the following types of peering: Virtual network peering: Connecting virtual networks within the same Azure region. Global virtual network peering: Connecting virtual networks across Azure regions.

Question 58

Your streaming website experiences a burst of heavy traffic whenever you launch a new web-series, but relatively moderate traffic on other days. Which of the following would be a great benefit if you migrate your setup to Azure? Elasticity High Availibility Load Balancing Low Latency

Answer 58

Elasticity Explanation: Elastic computing is the ability to quickly expand or decrease computer processing, memory, and storage resources to meet changing demands without worrying about capacity planning and engineering for peak usage. Typically controlled by system monitoring tools, elastic computing matches the amount of resources allocated to the amount of resources actually needed without disrupting operations. With cloud elasticity, a company avoids paying for unused capacity or idle resources and doesn’t have to worry about investing in the purchase or maintenance of additional resources and equipment.

Question 59

________________ is a cloud-based platform for creating and running automated workflows that integrate your apps, data, services, and systems. Azure Logic Apps Azure Events Hub Azure App Service Azure DevOps

Answer 59

Azure Logic Apps Explanation: Azure Logic Apps is a cloud service that helps you schedule, automate, and orchestrate tasks, business processes, and workflows when you need to integrate apps, data, systems, and services across enterprises or organizations.

Question 60

A _______________ can enable branch offices to share sensitive information between locations. VPN Bastion Bridge DNS

Answer 60

VPN Explanation: VPNs use an encrypted tunnel within another network. They're typically deployed to connect two or more trusted private networks to one another over an untrusted network (typically the public internet). Traffic is encrypted while traveling over the untrusted network to prevent eavesdropping or other attacks. VPNs can enable branch offices to share sensitive information between locations. For example, let's say that your offices on the East coast region of North America need to access your company's private customer data, which is stored on servers that are physically located in a West coast region. A VPN can connect your East coast offices to your West coast servers allowing your company to securely access your private customer data.

Question 61

Yes or No: The Azure Q/A forums is a paid service. No Yes

Answer 61

No Explanation: The Q/A forums is a free service offered by Azure. There is no cost associated with it. You can get answers to common questions, and even filter by product to limit the results!

Question 62

Which of the following is a free tool to conveniently manage your Azure cloud storage resources from your desktop? Azure Data Box Azure AzCopy Azure Migrate Azure Storage Explorer Azure FileSync

Answer 62

Azure Storage Explorer Explanation: Azure Storage Explorer is a free tool to conveniently manage your Azure cloud storage resources from your desktop.

Question 63

In Azure, when you set a budget, what happens when the budget alert level is reached? The budget is automatically increased by 10% An invoice is sent to the account owner A budget alert is triggered The resource usage is suspended

Answer 63

A budget alert is triggered Explanation: A budget alert is triggered is the correct option! Other options - The budget is automatically increased.by 10%: This is incorrect because reaching the budget alert level does not cause the budget to automatically increase. The purpose of the alert is to notify you when the spending reaches a certain threshold. The resource usage is suspended: This is incorrect because a budget alert by itself does not suspend resource usage. It simply provides a notification that the alert threshold has been reached. However, you can configure advanced automation to suspend or modify resources based on budget conditions, but this is not the default behavior. An invoice is sent to the account owner: This is incorrect because reaching the budget alert level does not trigger an invoice to be sent to the account owner. The budget alert is intended to inform you about the spending level, not to generate an invoice.

Question 64

Which of the following alert types are available in the Cost Management service? (Select all that apply) Department spending quota alerts Credit alerts Resource usage alerts Budget alerts

Answer 64

Department spending quota alerts Credit alerts Budget alerts Explanation: Budget alerts: Correct. Budget alerts notify you when spending, based on usage or cost, reaches or exceeds the amount defined in the alert condition of the budget. Credit alerts: Correct. Credit alerts notify you when your Azure credit monetary commitments are consumed. Monetary commitments are for organizations with Enterprise Agreements (EAs). Department spending quota alerts: Correct. Department spending quota alerts notify you when department spending reaches a fixed threshold of the quota. Spending quotas are configured in the EA portal. Other options - Resource usage alerts: Incorrect. Resource usage alerts are not part of the Cost Management service. Cost Management focuses on costs, budgets, and spending alerts.

Question 65

Which of the following Azure Storage would you use to store different types of files such as videos, audios, text in a highly cost effective and scalable manner? Azure PostgreSQL Azure SQL Database Azure Cosmos DB Azure Blob Storage

Answer 65

Azure Blob Storage Explanation: A blob is a binary, large object and a storage option for any type of data that you want to store in a binary format. Learn about blob types. Azure Blob storage is Microsoft's object storage solution for the cloud. Blob storage is optimized for storing massive amounts of unstructured data. Unstructured data is data that doesn't adhere to a particular data model or definition, such as text or binary data. Blob storage is designed for: 1) Serving images or documents directly to a browser. 2) Storing files for distributed access. 3) Streaming video and audio. 4) Writing to log files. 5) Storing data for backup and restore, disaster recovery, and archiving. 6) Storing data for analysis by an on-premises or Azure-hosted service.

Question 66

Azure Service Health has the ability to configure cloud alerts to notify you about active and upcoming service issues Yes No

Answer 66

Yes Explanation: Azure Service Health notifies you about Azure service incidents and planned maintenance so you can take action to mitigate downtime. Configure customisable cloud alerts and use your personalised dashboard to analyse health issues, monitor the impact to your cloud resources, get guidance and support, and share details and updates.

Question 67

________________ is the process of verifying a user's credentials. Federation Authorization Authentication Ticketing

Answer 67

Authentication Explanation: Authentication is the process of establishing the identity of a person or service looking to access a resource. It involves the act of challenging a party for legitimate credentials and provides the basis for creating a security principal for identity and access control use. It establishes if they are who they say they are.

Question 68

A Resource can only access other resources in the same resource group. Yes No

Answer 68

No Explanation: A resource can connect to resources in other resource groups. This scenario is common when the two resources are related but don't share the same lifecycle. For example, you can have a web app that connects to a database in a different resource group.

Question 69

Which of the following is the mission-critical cloud deployment available only to US Federal, State, Local and Tribal Governments and their partners? Azure Nation Azure Federal Azure Government ISO

Answer 69

Azure Government Explanation: Azure Government is the mission-critical cloud, delivering breakthrough innovation to US government customers and their partners. Only US federal, state, local and tribal governments and their partners have access to this dedicated instance, operated by screened US citizens. Azure Government offers the broadest level of certifications of any cloud provider to simplify even the most critical government compliance requirements.

Question 70

_____________ notifies you about Azure service incidents and planned maintenance so you can take action to mitigate downtime. Azure Health Bot Azure Chaos Studio Azure Service Health Azure Percept

Answer 70

Azure Service Health Explanation: Azure Service Health notifies you about Azure service incidents and planned maintenance so you can take action to mitigate downtime. Configure customisable cloud alerts and use your personalised dashboard to analyse health issues, monitor the impact to your cloud resources, get guidance and support, and share details and updates.

Question 71

A team in your organization wants to implement a solution involving basic Artificial Intelligence (AI), but they have basic API and programming knowledge / background to implement this solution. As an experienced Azure Architect, which of the following would be your suggestion? Azure DevOps Azure Active Directory Azure Cognitive Services Azure Machine Learning Studio

Answer 71

Azure Cognitive Services Explanation: Cognitive Services brings AI within reach of every developer and data scientist. With leading models, a variety of use cases can be unlocked. All it takes is an API call to embed the ability to see, hear, speak, search, understand, and accelerate advanced decision-making into your apps. Enable developers and data scientists of all skill levels to easily add AI capabilities to their apps.

Question 72

As the Lead Security Engineer of your organization, you're worried that someone may mistakenly delete mission critical resources in Azure. What can you do to prevent this from accidentally happening? Apply the DoNotTouch Lock on the resources Use Azure ExpressRoute Apply the CanNotDelete Lock on the resources Use Azure Monitor to define policies Use an Azure Virtual Subnet

Answer 72

Apply the CanNotDelete Lock on the resources Explanation: Applying a delete lock to the resource group will prevent the resources inside it from being deleted. As an administrator, you can lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. The lock overrides any permissions the user might have. You can set the lock level to CanNotDelete or ReadOnly. In the portal, the locks are called Delete and Read-only respectively: 1) CanNotDelete means authorized users can still read and modify a resource, but they can't delete the resource. 2) ReadOnly means authorized users can read a resource, but they can't delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.

Question 73

Yes or No: Having a hybrid cloud solution in place could be useful when regulations or policies do not permit moving specific data or workloads to the cloud. Yes No

Answer 73

Yes Explanation: When organizations move workloads and data to the cloud, their on-premises datacenters often continue to play an important role. The term hybrid cloud refers to a combination of public cloud and on-premises datacenters, to create an integrated IT environment that spans both. Some organizations use hybrid cloud as a path to migrate their entire datacenter to the cloud over time. Other organizations use cloud services to extend their existing on-premises infrastructure.

Question 74

____________ is a bridge that extends the Azure platform to help you build applications and services with the flexibility to run across datacenters, at the edge, and in multicloud environments. It also simplifies governance and management by delivering a consistent multi-cloud and on-premises management platform. Azure Sentinel Azure Bridge Azure Arc Azure DNS

Answer 74

Azure Arc Explanation: Azure Arc is a bridge that extends the Azure platform to help you build applications and services with the flexibility to run across datacenters, at the edge, and in multicloud environments. Develop cloud-native applications with a consistent development, operations, and security model. Azure Arc runs on both new and existing hardware, virtualization and Kubernetes platforms, IoT devices, and integrated systems.

Question 75

You can link virtual networks together by using ________________. Virtual Network Seeding Virtual Network Proxy Virtual Network Peering Virtual Network Hub

Answer 75

Virtual Network Peering Explanation: You can link virtual networks together by using virtual network peering. Peering enables resources in each virtual network to communicate with each other. These virtual networks can be in separate regions, which allows you to create a global interconnected network through Azure. User-defined routes (UDR) are a significant update to Azure’s Virtual Networks that allows for greater control over network traffic flow. This method allows network administrators to control the routing tables between subnets within a VNet, as well as between VNets.

Question 76

A recent unapproved size change to one of the Virtual Machines (VMs) in your company has led to a huge unexpected bill. Which of the following services can help you identify the user who made this unapproved change? Azure Information Protection (AIP) Azure Activity Log Azure Service Health Azure Event Hubs Azure Xamarin

Answer 76

Azure Activity Log Explanation: The Azure Monitor activity log is a platform log in Azure that provides insight into subscription-level events. The activity log includes information like when a resource is modified or a virtual machine is started. You can view the activity log in the Azure portal or retrieve entries with PowerShell and the Azure CLI. This article provides information on how to view the activity log and send it to different destinations.

Question 77

_______________ is a workflow-based risk assessment tool that helps you track, assign, and verify your organization's regulatory compliance activities related to Microsoft Cloud services. The Microsoft community Forums website Compliance Manager from the Service Trust Portal The TCO portal The Azure Arc Portal

Answer 77

Compliance Manager from the Service Trust Portal Explanation: Compliance Manager in the Service Trust Portal is a workflow-based risk assessment tool that helps you track, assign, and verify your organization's regulatory compliance activities related to Microsoft Cloud services, such as Microsoft 365, Dynamics 365, and Azure.

Question 78

____________ is made up of one or more datacenters equipped with independent power, cooling, and networking. It is set up to be an isolation boundary. If one zone goes down, the other continues working. Database racks Scale Set Region Availability Zone

Answer 78

Availability Zone Explanation:

Question 79

Which of the following Azure resource types does NOT support tagging? Azure Container Registry Azure Cosmos DB Azure App Service Virtual Machines

Answer 79

Azure Container Registry Explanation: Azure provides the ability to apply metadata tags to resources to help organize and manage resources. These tags consist of name-value pairs that can be used to categorize resources based on common attributes. Azure supports tagging for most of its resource types, but some do not support tagging. Azure Container Registry is correct as Azure Container Registry does not support tagging. Container Registry is a private registry for storing and managing container images and does not currently support metadata tags.

Question 80

Which of the following is an example of a security layer in the defense-in-depth model? A dedicated intrusion detection system (IDS). A single firewall at the network perimeter. The physical locks on server room doors. A strong password policy for user accounts.

Answer 80

A dedicated intrusion detection system (IDS). Explanation: From the official documentation: "At Microsoft Azure, our security approach focuses on defense in depth, with layers of protection built throughout all phases of design, development, and deployment of our platforms and technologies. We also focus on transparency, making sure customers are aware of how we’re constantly working to learn and improve our offerings to help mitigate the cyberthreats of today and prepare for the cyberthreats of tomorrow."

Question 81

Which Azure service should you use to correlate events from multiple resources into a centralized repository? Azure Blueprint Azure Event Hubs Azure Cosmos DB Azure Log Analytics

Answer 81

Azure Event Hubs Explanation: Event Hubs is a fully managed, real-time data ingestion service that’s simple, trusted and scalable. Stream millions of events per second from any source to build dynamic data pipelines and immediately respond to business challenges. Keep processing data during emergencies using the geo-disaster recovery and geo-replication features.

Question 82

An Azure Firewall has the ability to encrypt data at rest as well as in transit. Yes No

Answer 82

No Explanation: A Firewall is used to mainly filter the traffic. From the Official Azure Documentation: Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. You can centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks. Azure Firewall uses a static public IP address for your virtual network resources allowing outside firewalls to identify traffic originating from your virtual network. The service is fully integrated with Azure Monitor for logging and analytics. To learn about Azure Firewall features, see Azure Firewall features.

Question 83

Which of the following tools is NOT available within the Azure Security Center for vulnerability management? Azure Firewall Manager Azure Defender Azure Policy Azure Advisor

Answer 83

Azure Firewall Manager Explanation: Azure Firewall Manager is not a tool for vulnerability management within the Azure Security Center. Instead, Azure Firewall Manager is a centralized security management service that provides a single pane of glass to manage multiple Azure Firewall instances and virtual networks across different regions and subscriptions. It allows you to configure and deploy Azure Firewall instances, create and apply security policies, and view security alerts and reports.

Question 84

Yes or No: Cloud services provide greater control over the physical security of your data compared to on-premises infrastructure. Yes No

Answer 84

No Explanation: Cloud services and on-premises infrastructure have different security models, with unique strengths and weaknesses. While cloud services provide greater control over some aspects of data security, such as network security and access control, they also require a greater degree of trust in the cloud provider to maintain physical security of the data centers where the data is stored. In contrast, on-premises infrastructure provides greater control over physical security, as the organization has direct control over the physical security measures and can ensure that the data is physically secure.