AZ-900 : Microsoft Azure Fundamentals Practice Tests 2025 4 Flashcards

Question

______________ is a security framework that uses the principles of explicit verification, least privileged access, and assuming breach to keep users and data secure while allowing for common scenarios like access to applications from outside the network perimeter. Less Trust Least Trust Zero Trust No Trust

Answer 1

Zero Trust Explanation: Zero Trust is a security framework that does not rely on the implicit trust afforded to interactions behind a secure network perimeter. Instead, it uses the principles of explicit verification, least privileged access, and assuming breach to keep users and data secure while allowing for common scenarios like access to applications from outside the network perimeter. App developers can improve app security, minimize the impact of breaches, and ensure that their applications meet their customers' security requirements by adopting Zero Trust principles.

Answer 2

Azure Management Groups Explanation: If your organization has many Azure subscriptions, you may need a way to efficiently manage access, policies, and compliance for those subscriptions. Management groups provide a governance scope above subscriptions. You organize subscriptions into management groups the governance conditions you apply cascade by inheritance to all associated subscriptions. Management groups give you enterprise-grade management at scale no matter what type of subscriptions you might have. However, all subscriptions within a single management group must trust the same Azure Active Directory (Azure AD) tenant. For example, you can apply policies to a management group that limits the regions available for virtual machine (VM) creation. This policy would be applied to all nested management groups, subscriptions, and resources, and allow VM creation only in authorized regions.

Answer 3

No Explanation: Public clouds are the most common type of cloud computing deployment. The cloud resources (like servers and storage) are owned and operated by a third-party cloud service provider and delivered over the internet. With a public cloud, all hardware, software, and other supporting infrastructure are owned and managed by the cloud provider. Microsoft Azure is an example of a public cloud. In a public cloud, you share the same hardware, storage, and network devices with other organisations or cloud “tenants,” and you access services and manage your account using a web browser. Public cloud deployments are frequently used to provide web-based email, online office applications, storage, and testing and development environments. Reference: https://azure.microsoft.com/en-ca/resources/cloud-computing-dictionary/what-are-private-public-hybrid-clouds/#deployment-options

Answer 4

alert rule Explanation: Alerts help you detect and address issues before users notice them by proactively notifying you when Azure Monitor data indicates that there may be a problem with your infrastructure or application. You can alert on any metric or log data source in the Azure Monitor data platform. An alert rule monitors your telemetry and captures a signal that indicates that something is happening on a specified target. The alert rule captures the signal and checks to see if the signal meets the criteria of the condition. If the conditions are met, an alert is triggered, which initiates the associated action group and updates the state of the alert.

Answer 5

Defense in Depth Explanation: Defense in depth is a strategy that employs a series of mechanisms to slow the advance of an attack that's aimed at acquiring unauthorized access to information. Each layer provides protection so that if one layer is breached, a subsequent layer is already in place to prevent further exposure. Microsoft applies a layered approach to security, both in its physical datacenters and across Azure services. The objective of defense in depth is to protect information and prevent it from being stolen by individuals who aren't authorized to access it

Answer 6

To allow external partners and customers to access resources in your Azure environment. Explanation: External identities in Azure AD enable organizations to extend their identity management beyond their own employees. This allows external partners, vendors, and customers to access specific resources within the organization's Azure environment without requiring them to have internal accounts.

Answer 7

Azure ExpressRoute Explanation: ExpressRoute lets you extend your on-premises networks into the Microsoft cloud over a private connection with the help of a connectivity provider. With ExpressRoute, you can establish connections to Microsoft cloud services, such as Microsoft Azure and Microsoft 365. Connectivity can be from an any-to-any (IP VPN) network, a point-to-point Ethernet network, or a virtual cross-connection through a connectivity provider at a colocation facility. ExpressRoute connections don't go over the public Internet. This allows ExpressRoute connections to offer more reliability, faster speeds, consistent latencies, and higher security than typical connections over the Internet. For information on how to connect your network to Microsoft using ExpressRoute, see ExpressRoute connectivity models.

Answer 8

To enforce access control rules on inbound and outbound traffic to the private endpoint. Explanation: A Network Security Group (NSG) associated with a private endpoint is used to enforce access control rules on the inbound and outbound traffic to the private endpoint. This helps in controlling and restricting the network traffic flow to and from the private endpoint, enhancing security and compliance.

Answer 9

Investigate the alert and take appropriate action to remediate the threat if necessary. Explanation: Microsoft Defender for Cloud can detect and alert you to potential threats to your cloud resources, but it is up to you to investigate the alert and take appropriate action to remediate the threat. Ignoring the alert or waiting for a follow-up email from Microsoft Support can leave your organization vulnerable to attack. Deleting the cloud resource may not necessarily eliminate the threat, and could cause other issues such as data loss.

Answer 10

Azure Cosmos DB Azure Table Storage Explanation: Azure Table storage is a service that stores non-relational structured data (also known as structured NoSQL data) in the cloud, providing a key/attribute store with a schemaless design. Because Table storage is schemaless, it's easy to adapt your data as the needs of your application evolve. Azure Cosmos DB is a fully managed NoSQL database for modern app development. Single-digit millisecond response times, and automatic and instant scalability, guarantee speed at any scale.

Answer 11

Private cloud Explanation: The correct answer is Private Cloud. Private clouds are cloud deployments that are dedicated to a single organization and are hosted either on-premises or in a third-party data center. Private clouds offer greater control over data security and compliance, as the organization has direct control over the infrastructure and can implement security measures tailored to their specific requirements. Private clouds can also be used to address regulatory compliance requirements that may restrict the use of public clouds for certain types of data. In contrast, public clouds and community clouds are shared by multiple organizations, which can raise concerns about data security and compliance. Hybrid clouds, which combine elements of public and private clouds, can also be used to address data security and compliance requirements, but they can be more complex to manage.

Answer 12

Operational (OpEx) Explanation: One of the major changes that you will face when you move from on-premises cloud to the public cloud is the switch from capital expenditure (buying hardware) to operating expenditure (paying for service as you use it). However, this switch also requires more careful management of your costs.

Answer 13

SAML Explanation: SAML (Security Assertion Markup Language) is the protocol used for federated authentication in Azure AD. Federated authentication is a mechanism that allows users to use their existing credentials from a trusted identity provider (IdP) to authenticate with another application or service. In the context of Azure AD, federated authentication allows users to use their existing corporate credentials to authenticate with cloud-based applications and services. Azure AD supports several federated authentication protocols, including Security Assertion Markup Language (SAML), OAuth 2.0, and OpenID Connect. SAML is widely used for federated authentication in enterprise environments, while OAuth 2.0 and OpenID Connect are commonly used in web and mobile applications.

Answer 14

Azure Monitor Explanation: Azure Monitor helps you maximize the availability and performance of your applications and services. It delivers a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments. This information helps you understand how your applications are performing and proactively identify issues that affect them and the resources they depend on. Azure Service Health notifies you about Azure service incidents and planned maintenance so you can take action to mitigate downtime. Azure Comprehend is not an existing service. Azure Advisor helps to quickly and easily optimize your Azure deployments. Azure Advisor analyzes your configurations and usage telemetry and offers personalized, actionable recommendations to help you optimize your Azure resources for reliability, security, operational excellence, performance, and cost.

Answer 15

Azure Functions Explanation: Azure Functions is a serverless solution that allows you to write less code, maintain less infrastructure, and save on costs. Instead of worrying about deploying and maintaining servers, the cloud infrastructure provides all the up-to-date resources needed to keep your applications running. You focus on the pieces of code that matter most to you, and Azure Functions handles the rest. Azure Functions provides "compute on-demand" in two significant ways. First, Azure Functions allows you to implement your system's logic into readily available blocks of code. These code blocks are called "functions". Different functions can run anytime you need to respond to critical events. Second, as requests increase, Azure Functions meets the demand with as many resources and function instances as necessary - but only while needed. As requests fall, any extra resources and application instances drop off automatically.

Answer 16

Load balancing the incoming traffic Explanation: Load balancing is done to increase the overall availability of the application not to optimise costs.

Answer 17

Declarative Explanation: Declarative Infrastructure as Code involves writing a definition that defines how you want your environment to look. In this definition, you specify a desired outcome rather than how you want it to be accomplished. The tooling figures out how to make the outcome happen by inspecting your current state, comparing it to your target state, and then applying the differences.

Answer 18

No Explanation: No, PowerApps is not a part of Azure!

Answer 19

Azure Data Box Explanation: Azure Data Box Gateway is a storage solution that enables you to seamlessly send data to Azure. This article provides you an overview of the Azure Data Box Gateway solution, benefits, key capabilities, and the scenarios where you can deploy this device. Data Box Gateway is a virtual device based on a virtual machine provisioned in your virtualized environment or hypervisor. The virtual device resides in your premises and you write data to it using the NFS and SMB protocols. The device then transfers your data to Azure block blob, page blob, or Azure Files. Use cases - Data Box Gateway can be leveraged for transferring data to the cloud such as cloud archival, disaster recovery, or if there is a need to process your data at cloud scale. Here are the various scenarios where Data Box Gateway can be used for data transfer. Cloud archival - Copy hundreds of TBs of data to Azure storage using Data Box Gateway in a secure and efficient manner. The data can be ingested one time or an ongoing basis for archival scenarios. Continuous data ingestion - Continuously ingest data into the device to copy to the cloud, regardless of the data size. As the data is written to the gateway device, the device uploads the data to Azure Storage. Initial bulk transfer followed by incremental transfer - Use Data Box for the bulk transfer in an offline mode (initial seed) and Data Box Gateway for incremental transfers (ongoing feed) over the network.

Answer 20

Azure Resource Manager templates Explanation: Azure Resource Manager Templates is correct since templates are idempotent (Same), which means you can deploy the same template many times and get the same resource types in the same state.

Answer 21

Azure App Service Explanation: App Service enables you to build and host web apps, background jobs, mobile back-ends, and RESTful APIs in the programming language of your choice without managing infrastructure. It offers automatic scaling and high availability. App Service supports Windows and Linux. It enables automated deployments from GitHub, Azure DevOps, or any Git repo to support a continuous deployment model. Types of app services With App Service, you can host most common app service styles like: Web apps API apps WebJobs Mobile apps

Answer 22

Bicep Explanation: Bicep is a domain-specific language (DSL) that uses declarative syntax to deploy Azure resources. In Bicep files, you define the infrastructure you intend to deploy and its properties. Compared to ARM templates, Bicep files are easier to read and write for a non-developer audience because they use a concise syntax.

Answer 23

Conditional Access Explanation: The modern security perimeter now extends beyond an organization's network to include user and device identity. Organizations can use identity-driven signals as part of their access control decisions. Conditional Access brings signals together, to make decisions, and enforce organizational policies. Azure AD Conditional Access is at the heart of the new identity-driven control plane. Conditional Access policies at their simplest are if-then statements, if a user wants to access a resource, then they must complete an action. Example: A payroll manager wants to access the payroll application and is required to do multi-factor authentication to access it. Administrators are faced with two primary goals: Empower users to be productive wherever and whenever Protect the organization's assets

Answer 24

Platform as a Service (PaaS) Explanation: Azure CosmosDB is an example of Platform as a Service! Azure Cosmos DB is a fully managed NoSQL database for modern app development. Single-digit millisecond response times, and automatic and instant scalability, guarantee speed at any scale. Business continuity is assured with SLA-backed availability and enterprise-grade security. App development is faster and more productive thanks to turnkey multi region data distribution anywhere in the world, open source APIs and SDKs for popular languages. As a fully managed service, Azure Cosmos DB takes database administration off your hands with automatic management, updates and patching. It also handles capacity management with cost-effective serverless and automatic scaling options that respond to application needs to match capacity with demand.

Answer 25

Azure Initiative Explanation: An Azure initiative is a collection of Azure policy definitions that are grouped together towards a specific goal or purpose in mind. Azure initiatives simplify management of your policies by grouping a set of policies together as one single item. For example, you could use the PCI-DSS built-in initiative which has all the policy definitions that are centered around meeting PCI-DSS compliance. Similar to Azure Policy, initiatives have definitions ( a bunch of policies ) , assignments and parameters. Once you determine the definitions that you want, you would assign the initiative to a scope so that it can be applied.

Answer 26

Microsoft Defender for Cloud Explanation: From the official documentation: Microsoft Defender for Cloud is a unified cloud-native application protection platform that helps strengthen your security posture, enables protection against modern threats, and helps reduce risk throughout the cloud application lifecycle across multicloud and hybrid environments.

Answer 27

All of these Explanation: The answer is All of the these. Azure Arc enables you to manage resources both on-premises and across multiple clouds using a single control plane. This includes managing Windows Server and Linux servers, Kubernetes clusters, and virtual machines. By extending Azure services to hybrid environments, Azure Arc provides consistent management, security, and compliance across all resources.

Answer 28

Rehydrate it Explanation:

Answer 29

Service Trust Portal Explanation: The Microsoft Service Trust Portal provides a variety of content, tools, and other resources about Microsoft security, privacy, and compliance practices. The Service Trust Portal contains details about Microsoft's implementation of controls and processes that protect our cloud services and the customer data therein. To access some of the resources on the Service Trust Portal, you must log in as an authenticated user with your Microsoft cloud services account (Azure Active Directory organization account) and review and accept the Microsoft Non-Disclosure Agreement for Compliance Materials.

Answer 30

HIPAA/HITECH Explanation: The correct answer is HIPAA/HITECH. HIPAA stands for the Health Insurance Portability and Accountability Act, which is a US law that regulates the handling of sensitive medical information. HITECH stands for the Health Information Technology for Economic and Clinical Health Act, which expands on HIPAA's privacy and security rules. Azure has undergone third-party audits and achieved compliance with the HIPAA/HITECH standards, making it suitable for use in the healthcare industry.

Answer 31

Yes Explanation: When you define your management group hierarchy, first create the root management group. Then move all existing subscriptions in the directory into the root management group. New subscriptions always go into the root management group initially. Later, you can move them to another management group. What happens when you move a subscription to an existing management group? The subscription inherits the policies and role assignments from the management group hierarchy above it. Establish many subscriptions for your Azure workloads. Then create other subscriptions to contain Azure services that other subscriptions share. Do you expect your Azure environment to grow? Then create management groups for production and nonproduction now, and apply appropriate policies and access controls at the management group level. As you add new subscriptions to each management group, those subscriptions inherit the appropriate controls.

Answer 32

All of the above. Explanation: Private endpoints can be used to access various Azure services, including Azure Storage accounts, Azure Key Vault, Azure App Service, and Azure SQL Database. By using private endpoints, you can connect to these services from within your virtual network, ensuring that the traffic remains within the Azure backbone network and doesn't traverse the public internet.

Answer 33

ARM Templates Explanation: With the move to the cloud, many teams have adopted agile development methods. These teams iterate quickly. They need to repeatedly deploy their solutions to the cloud, and know their infrastructure is in a reliable state. As infrastructure has become part of the iterative process, the division between operations and development has disappeared. Teams need to manage infrastructure and application code through a unified process. To meet these challenges, you can automate deployments and use the practice of infrastructure as code. In code, you define the infrastructure that needs to be deployed. The infrastructure code becomes part of your project. Just like application code, you store the infrastructure code in a source repository and version it. Any one on your team can run the code and deploy similar environments. To implement infrastructure as code for your Azure solutions, use Azure Resource Manager templates (ARM templates). The template is a JavaScript Object Notation (JSON) file that defines the infrastructure and configuration for your project. The template uses declarative syntax, which lets you state what you intend to deploy without having to write the sequence of programming commands to create it. In the template, you specify the resources to deploy and the properties for those resources.

Answer 34

Elasticity Explanation: Elasticity in this case is the ability to provide additional compute resource when needed (spikes) and reduce the compute resource when not needed to reduce costs. Load Balancing and High Availability are also great advantages the streaming platform would enjoy, but Elasticity is the option that best describes the workload in the question.

Answer 35

Infrastructure Explanation: In the IaaS cloud service model, customers are responsible for managing applications, data, runtime, middleware, and operating systems, while the cloud provider manages the underlying infrastructure. Customers have more control and flexibility over their infrastructure compared to the other cloud service models, but also have more responsibility for managing their applications and workloads.

Answer 36

Premium P1 edition Explanation: The correct answer is - Premium P1 edition is the minimum required edition to enable self-service password reset for users in Azure AD.

Answer 37

Azure Pricing Calculator Explanation: You can use the Azure Pricing Calculator to calculate your estimated hourly or monthly costs for using Azure. Azure TCO on the other hand is primarily used to estimate the cost savings you can realize by migrating your workloads to Azure.

Answer 38

It is free of cost Explanation: Bandwidth refers to data moving in and out of Azure data centres, as well as data moving between Azure data centres; other transfers are explicitly covered by the Content Delivery Network, ExpressRoute pricing or Peering

Answer 39

False Explanation: Azure DNS is a hosting service for DNS domains that provides name resolution by using Microsoft Azure infrastructure. By hosting your domains in Azure, you can manage your DNS records by using the same credentials, APIs, tools, and billing as your other Azure services. Azure DNS can manage DNS records for your Azure services and provide DNS for your external resources as well. Azure DNS is integrated in the Azure portal and uses the same credentials, support contract, and billing as your other Azure services. DNS billing is based on the number of DNS zones hosted in Azure and on the number of DNS queries received. To learn more about pricing, see Azure DNS pricing.

Answer 40

No, it is a PaaS offering. Explanation: Azure Cosmos DB is an example of a Platform as a Service (PaaS) offering.

Answer 41

No Explanation: Even though Subscriptions can be moved to another management group, they cannot be merged into 1 single subscription.

Answer 42

Granting external vendors access to a shared project workspace. Explanation:" Business-to-Business (B2B) collaboration in Azure AD is used to collaborate with users external to your organization, such as vendors or partners. It allows you to securely share resources like documents and applications while maintaining control over access.

Answer 43

To provide a direct and secure connection to Azure services. Explanation: A public endpoint in Azure allows resources to be accessed over the public internet. It's used to expose services to clients or users who are not within the same network as the resource. Public endpoints are commonly used for services that need to be accessed from anywhere, such as web applications.

Answer 44

\Azure Migrate Explanation: Azure Migrate provides all the Azure migration tools and guidance you need to plan and implement your move to the cloud—and track your progress using a central dashboard that provides intelligent insights. Multiple scenarios Use a comprehensive approach to migrating your application and datacenter estate. Get support for key migration workloads like Windows, SQL and Linux Server, databases, data, web apps, and virtual desktops. Migrate to destinations including Azure Virtual Machines, Azure VMware Solution, Azure App Service, and Azure SQL Database. Migrations are holistic across VMware, Hyper-V, physical server, and cloud-to-cloud migration.

Answer 45

Azure Data Lake Storage Gen2 Explanation: Azure Data Lake Storage Gen2 is a set of capabilities dedicated to big data analytics, built on Azure Blob Storage. Data Lake Storage Gen2 converges the capabilities of Azure Data Lake Storage Gen1 with Azure Blob Storage. For example, Data Lake Storage Gen2 provides file system semantics, file-level security, and scale. Because these capabilities are built on Blob storage, you'll also get low-cost, tiered storage, with high availability/disaster recovery capabilities.

Answer 46

Management Groups Explanation: If you have only a few subscriptions, it's fairly easy to manage them independently. But what if you have many subscriptions? Then you can create a management group hierarchy to help manage your subscriptions and resources. For your subscriptions, Azure management groups help you efficiently manage: Access Policies Compliance Each management group contains one or more subscriptions. Azure arranges management groups in a single hierarchy. You define this hierarchy in your Azure Active Directory (Azure AD) tenant to align with your organization's structure and needs. The top level is called the root management group. You can define up to six levels of management groups in your hierarchy. Only one management group contains a subscription. Azure provides four levels of management scope: Management groups Subscriptions Resource groups Resources If you apply any access or policy at one level in the hierarchy, it propagates down to the lower levels. A resource owner or subscription owner can't alter an inherited policy. This limitation helps improve governance. This inheritance model lets you arrange the subscriptions in your hierarchy, so each subscription follows appropriate policies and security controls.

Answer 47

Azure Data Box Explanation: Azure Blob storage is Microsoft's object storage solution for the cloud. Blob storage is optimized for storing massive amounts of unstructured data. Unstructured data is data that doesn't adhere to a particular data model or definition, such as text or binary data. Blob storage is designed for: Serving images or documents directly to a browser. Storing files for distributed access. Streaming video and audio. Writing to log files. Storing data for backup and restore, disaster recovery, and archiving. Storing data for analysis by an on-premises or Azure-hosted service. A number of solutions exist for migrating existing data to Blob storage: *Azure Data Box* service is available to transfer on-premises data to Blob storage when large datasets or network constraints make uploading data over the wire unrealistic. Depending on your data size, you can request Azure Data Box Disk, Azure Data Box, or Azure Data Box Heavy devices from Microsoft. You can then copy your data to those devices and ship them back to Microsoft to be uploaded into Blob storage. AzCopy is an easy-to-use command-line tool for Windows and Linux that copies data to and from Blob storage, across containers, or across storage accounts. For more information about AzCopy, see Transfer data with the AzCopy v10. and more..

Answer 48

Archive Tier Explanation: Data stored in the cloud grows at an exponential pace. To manage costs for your expanding storage needs, it can be helpful to organize your data based on how frequently it will be accessed and how long it will be retained. Azure storage offers different access tiers so that you can store your blob data in the most cost-effective manner based on how it's being used. Azure Storage access tiers include: Hot tier - An online tier optimized for storing data that is accessed or modified frequently. The Hot tier has the highest storage costs, but the lowest access costs. Cool tier - An online tier optimized for storing data that is infrequently accessed or modified. Data in the Cool tier should be stored for a minimum of 30 days. The Cool tier has lower storage costs and higher access costs compared to the Hot tier. Archive tier - An offline tier optimized for storing data that is rarely accessed, and that has flexible latency requirements, on the order of hours. Data in the Archive tier should be stored for a minimum of 180 days.

Answer 49

RBAC allows you to assign permissions to specific roles rather than individual users. Explanation: Role-Based Access Control (RBAC) is an approach to access control that allows you to manage user access based on the roles they perform within an organization. With RBAC, you can define a set of roles, each with a specific set of permissions, and then assign users to those roles. One of the key benefits of RBAC over traditional access control methods is that it allows you to assign permissions to specific roles rather than individual users. This means that when a user's role changes, their permissions can be automatically adjusted without the need for manual updates. This can help to streamline the process of managing access control and reduce the risk of errors or oversights. RBAC provides centralized management of user identities and access: This is incorrect because RBAC does not provide centralized management of user identities and access. Instead, RBAC is a way to manage access control for specific resources within an organization. RBAC supports a wider range of authentication protocols than traditional methods: This is incorrect because RBAC does not necessarily support a wider range of authentication protocols than traditional methods. RBAC is a method of access control, whereas authentication protocols are used to verify the identity of users. RBAC provides stronger encryption for sensitive data: This is incorrect because RBAC does not provide stronger encryption for sensitive data. Encryption is a method of protecting data from unauthorized access, whereas RBAC is a way to manage access control for specific resources within an organization. Therefore, the correct answer is 'RBAC allows you to assign permissions to specific roles rather than individual users', as RBAC allows you to assign permissions to specific roles rather than individual users, making it easier to manage access control and reduce the risk of errors or oversights.

Answer 50

Azure Queue Storage Explanation: Azure Queue Storage is a service for storing large numbers of messages. You access messages from anywhere in the world via authenticated calls using HTTP or HTTPS. A queue message can be up to 64 KB in size. A queue may contain millions of messages, up to the total capacity limit of a storage account. Queues are commonly used to create a backlog of work to process asynchronously.

Answer 51

Imperative Explanation: Imperative Infrastructure as Code involves writing scripts in languages like Bash or PowerShell. You explicitly state commands that are executed to produce a desired outcome. When you use imperative deployments, it's up to you to manage the sequence of dependencies, error control, and resource updates.

Answer 52

Yes Explanation: Azure Virtual Network (VNet) is the fundamental building block for your private network in Azure. VNet enables many types of Azure resources, such as Azure Virtual Machines (VM), to securely communicate with each other, the internet, and on-premises networks. VNet is similar to a traditional network that you'd operate in your own data center, but brings with it additional benefits of Azure's infrastructure such as scale, availability, and isolation. All resources in a VNet can communicate outbound to the internet, by default. You can communicate inbound to a resource by assigning a public IP address or a public Load Balancer. You can also use public IP or public Load Balancer to manage your outbound connections. To learn more about outbound connections in Azure, see Outbound connections, Public IP addresses, and Load Balancer. Reference: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview

Answer 53

Infrastructure as a Service (laaS) Explanation: Infrastructure as a service (IaaS) is a type of cloud computing service that offers essential compute, storage, and networking resources on demand, on a pay-as-you-go basis. IaaS is one of the four types of cloud services, along with software as a service (SaaS), platform as a service (PaaS), and serverless. Migrating your organization's infrastructure to an IaaS solution helps you reduce maintenance of on-premises data centers, save money on hardware costs, and gain real-time business insights. IaaS solutions give you the flexibility to scale your IT resources up and down with demand. They also help you quickly provision new applications and increase the reliability of your underlying infrastructure. IaaS lets you bypass the cost and complexity of buying and managing physical servers and datacenter infrastructure. Each resource is offered as a separate service component, and you only pay for a particular resource for as long as you need it. A cloud computing service provider like Azure manages the infrastructure, while you purchase, install, configure, and manage your own software—including operating systems, middleware, and applications. Incorrect Answers: A: Software as a service (SaaS) allows users to connect to and use cloud-based apps over the Internet. Common examples are email, calendaring, and office tools. In this scenario, you need to run your own apps, but the OS, Middleware and Runtime are managed by the cloud provider. B: Platform as a service (PaaS) is a complete development and deployment environment in the cloud. PaaS includes infrastructure servers, storage, and networking but also middleware, development tools, business intelligence (BI) services, database management systems, and more. PaaS is designed to support the complete web application lifecycle: building, testing, deploying, managing, and updating. Here as well, the OS, Middleware and Runtime are managed by the cloud provider. C: Anything As a Service : Irrelevant to the question completely.

Answer 54

Azure Site Recovery Explanation: Azure Site Recovery (ASR) is a service offered by Azure that enables replication of virtual machines from on-premises environments to Azure or between Azure regions with little or no downtime. This allows for the migration of virtual machines to Azure without any disruption to business operations. After replication to Azure, the virtual machines can be launched and used as if they were in the on-premises environment. Other Options : Azure Reserved Virtual Machines: This is a purchasing option for Azure virtual machines where compute capacity can be reserved for one or three years at a lower cost than pay-as-you-go pricing. This option is not related to virtual machine migration. Azure Spot Virtual Machines: This is a purchasing option for Azure virtual machines that allows the use of unused capacity in Azure data centers at a significant discount compared to pay-as-you-go pricing. This option is not related to virtual machine migration. Azure Virtual Machine Scale Sets: This is a service that allows the creation and management of a group of identical virtual machines in Azure, designed to horizontally scale applications to meet increased demand. Although this service can be used in combination with virtual machine migration, it does not provide a solution for migrating virtual machines without downtime.

Answer 55

Deny Explanation: The default action for an NSG rule if no other action is specified is DENY.

Answer 56

Protection Explanation: Microsoft's approach to privacy is built on six principles: Control: Microsoft provides customers with the ability to control their personal data and how it is used. Transparency: Microsoft is transparent about the collection, use, and sharing of personal data. Security: Microsoft takes strong measures to protect personal data from unauthorized access, disclosure, alteration, and destruction. Strong legal protections: Microsoft complies with applicable laws and regulations, including data protection and privacy laws. No content-based targeting: Microsoft does not use personal data to target advertising to customers based on the content of their communications or files. Benefits to the customer: Microsoft uses personal data to provide customers with valuable products and services that improve their productivity and overall experience. Protection is NOT one of the principles.

Answer 57

Platform as a Service (PaaS) Explanation: Azure App Service is a platform-as-a-service (PaaS) offering that lets you create web and mobile apps for any platform or device and connect to data anywhere, in the cloud or on-premises. App Service includes the web and mobile capabilities that were previously delivered separately as Azure Websites and Azure Mobile Services.

Answer 58

Azure Cost Management Explanation: By using the Microsoft cloud, you can significantly improve the technical performance of your business workloads. It can also reduce your costs and the overhead required to manage organizational assets. However, the business opportunity creates a risk because of the potential for waste and inefficiencies that are introduced into your cloud deployments. Cost Management + Billing is a suite of tools provided by Microsoft that help you analyze, manage, and optimize the costs of your workloads. Using the suite helps ensure that your organization is taking advantage of the benefits provided by the cloud.

Answer 59

False Explanation: As an administrator, you can lock an Azure subscription, resource group, or resource to protect them from accidental user deletions and modifications. The lock overrides any user permissions. You can set locks that prevent either deletions or modifications. In the portal, these locks are called Delete and Read-only. In the command line, these locks are called CanNotDelete and ReadOnly. In the left navigation panel, the subscription lock feature's name is Resource locks, while the resource group lock feature's name is Locks.

Answer 60

Azure Cost Management + Billing Explanation: With Azure products and services, you only pay for what you use. As you create and use Azure resources, you’re charged for the resources. Because of the deployment ease for new resources, the costs of your workloads can jump significantly without proper analysis and monitoring. You use Cost Management + Billing features to: Conduct billing administrative tasks such as paying your bill Manage billing access to costs Download cost and usage data that was used to generate your monthly invoice Proactively apply data analysis to your costs Set spending thresholds Identify opportunities for workload changes that can optimize your spending

Answer 61

Yes Explanation: VPN Gateway sends encrypted traffic between an Azure virtual network and an on-premises location over the public Internet. You can also use VPN Gateway to send encrypted traffic between Azure virtual networks over the Microsoft network. A VPN gateway is a specific type of virtual network gateway. Each virtual network can have only one VPN gateway. However, you can create multiple connections to the same VPN gateway. When you create multiple connections to the same VPN gateway, all VPN tunnels share the available gateway bandwidth.

AZ-900 : Microsoft Azure Fundamentals Practice Tests 2025 4 Flashcards

(86 cards)