Azure Fundamentals Practice Questions
60 free questions with correct answers and detailed explanations.
AZ-900 Practice Set-01
30 questions
Q1
A company needs to deploy an application that handles sudden 10x traffic spikes within minutes without pre-provisioning. Which cloud feature makes this possible?
A
Geo-redundancy
B
Dedicated hardware allocation
C
On-demand scalability
D
Static provisioning
Correct Answer
On-demand scalability
Explanation
On-demand scalability (horizontal scale-out) combined with elasticity allows cloud resources to expand rapidly for traffic spikes and contract afterward—unavailable with fixed on-premises infrastructure. Learn more: https://learn.microsoft.com/en-us/azure/well-architected/performance-efficiency/scale-partition
Q2
Which statement best describes the difference between vertical scaling (scale up) and horizontal scaling (scale out)?
A
Vertical scaling adds VM instances; horizontal increases VM size
B
Vertical scaling increases resource size; horizontal adds more instances
C
Both vertical and horizontal are the same concept
D
Horizontal scaling is only available for Azure SQL Database
Correct Answer
Vertical scaling increases resource size; horizontal adds more instances
Explanation
Vertical scaling increases the size of an existing resource (more CPU/RAM). Horizontal scaling adds more instances to distribute load. Scale-out is preferred for HA and elasticity. Learn more: https://learn.microsoft.com/en-us/azure/well-architected/performance-efficiency/scale-partition
Q3
An organization needs to ensure its Azure data never leaves the European Union boundary. Which Azure capability guarantees this?
A
Azure Availability Zones
B
Azure Resource Locks
C
Azure Geographies and Region selection
D
Azure CDN edge locations
Correct Answer
Azure Geographies and Region selection
Explanation
Azure Geographies (e.g., Europe) group regions within a compliance boundary. Selecting EU regions ensures data stays within that geography. Customers must choose the appropriate regions to guarantee residency. Learn more: https://learn.microsoft.com/en-us/azure/availability-zones/az-overview#geographies
Q4
With IaaS, which layer does the customer manage that they do NOT need to manage with PaaS?
A
Physical hardware
B
Network infrastructure
C
Operating system and middleware
D
Physical data center
Correct Answer
Operating system and middleware
Explanation
With IaaS the customer manages the OS, runtime, middleware, and application. With PaaS, the cloud provider takes over OS, runtime, and middleware—customers only manage application and data. Learn more: https://learn.microsoft.com/en-us/azure/security/fundamentals/shared-responsibility
Q5
Which document explains how Microsoft collects, processes, and uses personal data across Azure and other Microsoft products?
A
Azure Service Trust Portal audit reports
B
Azure Compliance Manager
C
Microsoft Privacy Statement
D
Azure Well-Architected Review
Correct Answer
Microsoft Privacy Statement
Explanation
The Microsoft Privacy Statement explains how Microsoft handles personal data collection, processing, and usage across all its products and services including Azure. Learn more: https://privacy.microsoft.com/en-us/privacystatement
Q6
A company is moving its physical DR site to Azure. What is the MAIN financial benefit of using Azure for DR?
A
Azure guarantees zero data loss
B
Azure eliminates the need for DR entirely
C
Pay only when DR resources are actively used—no idle site cost
D
Azure tests DR failover automatically at no cost
Correct Answer
Pay only when DR resources are actively used—no idle site cost
Explanation
The consumption-based model means Azure DR resources cost nothing when idle. You pay only during failover tests or actual disasters—unlike a physical DR site which costs 24/7 regardless of use. Learn more: https://learn.microsoft.com/en-us/azure/site-recovery/site-recovery-overview
Q7
Which Azure service stores Docker container images securely and makes them available for AKS and Azure Container Instances deployments?
A
Azure Blob Storage
B
Azure Container Instances
C
Azure Container Registry (ACR)
D
AKS built-in registry
Correct Answer
Azure Container Registry (ACR)
Explanation
Azure Container Registry (ACR) is a managed private Docker registry. It integrates natively with AKS and Container Instances and supports geo-replication for global deployments. Learn more: https://learn.microsoft.com/en-us/azure/container-registry/container-registry-intro
Q8
A company needs to protect Azure VMs from DDoS attacks with advanced always-on traffic monitoring, adaptive tuning, and SLA-backed financial guarantee. Which tier provides this?
Explanation
Azure DDoS Protection Network tier (Standard plan) provides advanced always-on monitoring, adaptive tuning, telemetry, and SLA-backed service credits if DDoS causes service degradation. DDoS Basic is free with limited protection. Learn more: https://learn.microsoft.com/en-us/azure/ddos-protection/ddos-protection-overview
Q9
A company needs secure RDP/SSH access to Azure VMs without public IPs or open RDP/SSH ports, accessible from a browser. Which service provides this?
A
Azure VPN Gateway point-to-site
B
Azure Firewall DNAT rules
C
Azure Bastion
D
Azure Private Endpoint
Correct Answer
Azure Bastion
Explanation
Azure Bastion provides secure RDP/SSH access to VMs directly from the Azure Portal over TLS—without requiring a public IP on the VM or open RDP/SSH ports. Protects against port scanning and brute-force. Learn more: https://learn.microsoft.com/en-us/azure/bastion/bastion-overview
Q10
A company needs to store petabytes of archival data for 10 years with the lowest possible cost. Which storage option is BEST?
A
Azure Disk Storage Premium SSD
B
Azure Files cool tier
C
Azure Blob Storage Hot tier
D
Azure Blob Storage Archive tier
Correct Answer
Azure Blob Storage Archive tier
Explanation
Azure Blob Storage Archive tier offers the lowest cost for rarely accessed data (fractions of a cent per GB/month). Immutability policies can enforce compliance retention. Retrieval takes hours. Learn more: https://learn.microsoft.com/en-us/azure/storage/blobs/access-tiers-overview
Q11
A company needs an encrypted IPsec/IKE VPN tunnel from on-premises to Azure over the public internet. Which service provides this?
A
Azure ExpressRoute
B
Azure Virtual WAN
C
Azure VPN Gateway
D
Azure Bastion
Correct Answer
Azure VPN Gateway
Explanation
Azure VPN Gateway creates encrypted IPsec/IKE site-to-site VPN tunnels between on-premises networks and Azure VNets over the public internet. ExpressRoute is private (non-internet). Learn more: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways
Q12
Which Azure service ensures WORM (Write Once Read Many) immutability for Blob Storage, preventing deletion even by subscription owners during litigation?
A
Azure Resource Lock (ReadOnly)
B
Azure Key Vault access policy
C
Azure Blob Immutable Storage with WORM policy
D
Azure Policy Deny effect
Correct Answer
Azure Blob Immutable Storage with WORM policy
Explanation
Azure Blob Storage Immutable Storage with time-based retention or legal hold WORM policies prevents blobs from being modified or deleted. Even subscription owners cannot delete data under legal hold. Learn more: https://learn.microsoft.com/en-us/azure/storage/blobs/immutable-storage-overview
Q13
An organization implements micro-segmentation so the web tier cannot directly communicate with the database tier. Which TWO Azure features achieve this?
A
VNet subnets (separate subnet per tier)
B
Azure ExpressRoute
C
Network Security Groups with inter-tier deny rules
D
Azure Private DNS zones
Correct Answers
VNet subnets (separate subnet per tier)
Network Security Groups with inter-tier deny rules
Explanation
Placing each tier in separate subnets within an Azure VNet and applying NSGs with inter-tier deny rules achieves micro-segmentation. Azure Firewall can enforce this centrally for complex scenarios. Learn more: https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
Q14
Three teams (Networking, Security, Dev) each need different Azure resource permissions. Which feature implements this least-privilege model?
A
Azure Policy
B
Azure AD Groups
C
Azure Role-Based Access Control (RBAC)
D
Azure Resource Locks
Correct Answer
Azure Role-Based Access Control (RBAC)
Explanation
Azure RBAC uses role assignments to grant permissions to users/groups/service principals at specific scopes. Built-in and custom roles enforce the principle of least privilege. Learn more: https://learn.microsoft.com/en-us/azure/role-based-access-control/overview
Q15
The finance team needs a monthly Azure spending report broken down by subscription, resource group, service type, and tag. Which service provides this?
A
Azure Advisor
B
Azure Monitor Workbooks
C
Azure Cost Management + Billing
D
Azure Service Health
Correct Answer
Azure Cost Management + Billing
Explanation
Azure Cost Management + Billing provides cost analysis with spending breakdowns by subscription, resource group, service, and tags. It also supports budget creation and alerts. Learn more: https://learn.microsoft.com/en-us/azure/cost-management-billing/costs/cost-analysis-common-uses
Q16
What is the correct Azure scope hierarchy from BROADEST to NARROWEST?
A
Subscription > Management Group > Resource Group > Resource
B
Management Group > Subscription > Resource Group > Resource
C
Resource Group > Subscription > Management Group > Resource
D
Tenant > Resource > Subscription > Resource Group
Correct Answer
Management Group > Subscription > Resource Group > Resource
Explanation
The Azure scope hierarchy is: Management Group > Subscription > Resource Group > Resource. Policies and RBAC assigned at a higher scope inherit down to all lower scopes. Learn more: https://learn.microsoft.com/en-us/azure/governance/management-groups/overview
Q17
Which TWO actions does an Azure Resource Lock of type ReadOnly prevent?
A
Reading the properties of a locked resource
B
Modifying the configuration of a locked resource
C
Deleting a locked resource
D
Viewing the resource in the Azure Portal
Correct Answers
Modifying the configuration of a locked resource
Deleting a locked resource
Explanation
A ReadOnly lock prevents modification and deletion of the locked resource—only read operations are allowed. Creating new child resources inside a locked resource group is also blocked. Learn more: https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources
Q18
An Azure Policy is configured with the Deny effect requiring HTTPS on all storage accounts. A developer attempts to create one with HTTP enabled. What happens?
A
The storage account is created and flagged as non-compliant
B
The deployment fails and the storage account is not created
C
Azure automatically modifies the setting to HTTPS-only
D
The developer receives a warning but the resource is still created
Correct Answer
The deployment fails and the storage account is not created
Explanation
When Azure Policy effect is Deny, any request that violates the policy is blocked at the ARM layer. The deployment fails and the non-compliant resource is never created. Learn more: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effects
Q19
A company has 15 Azure subscriptions and wants to query resource inventory and compliance data across ALL simultaneously. Which service enables this?
A
Azure Monitor Log Analytics
B
Azure Cost Management
C
Azure Resource Graph
D
Azure Policy compliance dashboard
Correct Answer
Azure Resource Graph
Explanation
Azure Resource Graph enables KQL-based queries across all subscriptions in a tenant simultaneously, providing near-real-time resource inventory and compliance data at scale. Learn more: https://learn.microsoft.com/en-us/azure/governance/resource-graph/overview
Q20
An Azure Policy with the Audit effect finds non-compliant SQL databases. What does the Audit effect DO to these databases?
A
Automatically encrypts non-compliant databases
B
Blocks creation of any new unencrypted databases
C
Flags non-compliant resources in the dashboard without blocking or remediating
D
Deletes all non-compliant databases
Correct Answer
Flags non-compliant resources in the dashboard without blocking or remediating
Explanation
The Audit effect flags non-compliant resources in the Policy compliance dashboard without blocking deployments or modifying resources. To enforce compliance, Deny or DeployIfNotExists effects are needed. Learn more: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effects
Q21
A company is migrating a 5-year-old on-premises application to Azure VMs with minimal code changes (lift-and-shift). Which cloud service model does this represent?
A
SaaS migration
B
PaaS modernization
C
IaaS lift-and-shift
D
Serverless re-architecture
Correct Answer
IaaS lift-and-shift
Explanation
A lift-and-shift to Azure VMs is an IaaS migration. The application moves to Azure VMs with minimal changes; the customer still manages the OS, patches, and middleware—similar to on-premises but on cloud infrastructure. Learn more: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/migrate/
Q22
Which architecture concept separates an application into independently deployable units that communicate via APIs, each scalable and updatable independently?
A
Monolithic architecture
B
N-tier architecture
C
Microservices architecture
D
Serverless architecture
Correct Answer
Microservices architecture
Explanation
Microservices architecture decomposes an application into small, independently deployable services—each handling a specific business capability, with its own data store, communicating via APIs. AKS and Service Fabric are common microservices platforms. Learn more: https://learn.microsoft.com/en-us/azure/architecture/microservices/
Q23
At which level of Azure's data center architecture is data residency guaranteed: region, geography, or data center?
A
At the individual data center (specific building) level
B
At the region level—data stays within the selected region by default
C
At the geography level—data may move between regions in the same geography
D
Azure does not guarantee data residency at any level
Correct Answer
At the region level—data stays within the selected region by default
Explanation
In Azure, data residency is guaranteed at the Region level. When you select an Azure region, your data stays within that region by default unless you explicitly configure geo-replication. Learn more: https://learn.microsoft.com/en-us/azure/availability-zones/az-overview
Q24
Which TWO scenarios would MOST benefit from using Azure Spot VMs?
A
Production SQL Server serving live customer transactions
B
Large-scale ML model training with checkpointing
C
Real-time payment processing application
D
Batch rendering workloads that can be interrupted and resumed
Correct Answers
Large-scale ML model training with checkpointing
Batch rendering workloads that can be interrupted and resumed
Explanation
Spot VMs are ideal for fault-tolerant, interruptible workloads. Large-scale ML training with checkpointing and batch rendering workloads that can be interrupted and resumed are ideal. Production databases and real-time apps cannot tolerate eviction. Learn more: https://learn.microsoft.com/en-us/azure/virtual-machines/spot-vms
Q25
A non-profit wants infrastructure deployed as code, stored in Git, and deployed automatically on every commit. Which TWO services enable this GitOps approach?
A
Azure Portal manual deployment
B
Azure Bicep (Infrastructure as Code)
C
Azure AD Conditional Access
D
GitHub Actions or Azure Pipelines (CI/CD)
Correct Answers
Azure Bicep (Infrastructure as Code)
GitHub Actions or Azure Pipelines (CI/CD)
Explanation
Azure Bicep (IaC for defining Azure resources) and GitHub Actions or Azure Pipelines (CI/CD automation) together implement GitOps for Azure infrastructure—enabling automated, versioned, repeatable deployments. Learn more: https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/deploy-github-actions
Q26
Which Azure compute feature provides automatic rolling upgrades for a fleet of VMs, updating a percentage at a time while the rest serve traffic?
A
Azure Availability Sets
B
Azure VMSS with rolling upgrade policy
C
Azure Load Balancer backend pool rotation
D
Azure App Service slots
Correct Answer
Azure VMSS with rolling upgrade policy
Explanation
Azure Virtual Machine Scale Sets (VMSS) with rolling upgrade policy automatically updates a configurable percentage of VMs at a time while the remaining instances continue serving traffic—enabling zero-downtime deployments. Learn more: https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-upgrade-policy
Q27
Which Azure storage redundancy option stores THREE copies within a SINGLE data center facility?
A
Zone-Redundant Storage (ZRS)
B
Geo-Redundant Storage (GRS)
C
Locally Redundant Storage (LRS)
D
Read-Access Geo-Redundant Storage (RA-GRS)
Correct Answer
Locally Redundant Storage (LRS)
Explanation
Locally Redundant Storage (LRS) replicates data three times within a single data center (storage scale unit) in one region. It is the lowest-cost redundancy option but does not protect against data center-level failures. Learn more: https://learn.microsoft.com/en-us/azure/storage/common/storage-redundancy
Q28
Which Azure service allows you to host DNS zones and manage DNS records using Azure's globally distributed, highly available infrastructure?
A
Azure Traffic Manager
B
Azure Front Door
C
Azure DNS
D
Azure Load Balancer
Correct Answer
Azure DNS
Explanation
Azure DNS allows hosting DNS zones and managing DNS records using Azure's global anycast network infrastructure—providing ultra-high availability and integration with other Azure services. Learn more: https://learn.microsoft.com/en-us/azure/dns/dns-overview
Q29
A company needs to automate deploying a new Azure environment (VNet, App Service, SQL Database) for every feature branch in their development workflow. Which approach is BEST?
A
Manual provisioning via Azure Portal
B
Azure Blueprints for every branch
C
Azure Bicep + CI/CD pipeline
D
Azure Policy DeployIfNotExists
Correct Answer
Azure Bicep + CI/CD pipeline
Explanation
Azure Bicep/ARM Templates (IaC) stored in version control and triggered by a CI/CD pipeline (Azure DevOps/GitHub Actions) enables automated, repeatable, consistent environment provisioning per branch. Learn more: https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/overview
Q30
Which TWO statements are TRUE about Azure free and preview services?
A
All Azure services are free forever with a free account
B
Certain Azure services remain always free regardless of account tier
C
Azure free account includes 12 months of popular free services
D
Free tier services have the same SLA as paid services
Correct Answers
Certain Azure services remain always free regardless of account tier
Azure free account includes 12 months of popular free services
Explanation
Certain Azure services remain always free (Azure Functions free tier, Cosmos DB free tier). Free Account includes 12 months of popular free services. Preview services typically have no SLA. Learn more: https://azure.microsoft.com/en-us/free/
AZ-900 Practice Set-02
30 questions
Q1
Which concept describes Microsoft's ability to offer lower Azure prices than individual organizations could achieve on their own, due to buying hardware at massive scale?
A
Elasticity
B
Geo-distribution
C
Economies of scale
D
Consumption-based billing
Correct Answer
Economies of scale
Explanation
Economies of scale: cloud providers purchase infrastructure in bulk, lowering per-unit costs, and pass savings to customers through competitive pricing—unavailable to individual organizations. Learn more: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/strategy/cloud-accounting
Q2
Which TWO items are ALWAYS Microsoft's responsibility regardless of whether the service is IaaS, PaaS, or SaaS?
A
Operating system patching
B
Physical data center security
C
Application code security
D
Physical network infrastructure
Correct Answers
Physical data center security
Physical network infrastructure
Explanation
Microsoft always owns physical data center security (facility access, perimeter, hardware) and the underlying physical network infrastructure. OS, data, and identity shift depending on model. Learn more: https://learn.microsoft.com/en-us/azure/security/fundamentals/shared-responsibility
Q3
A company uses Azure for disaster recovery of on-premises workloads. What is the PRIMARY financial benefit compared to maintaining a physical secondary site?
A
Azure automatically tests DR weekly at no cost
B
Azure eliminates the need for DR
C
Pay only when DR resources are actively used—no idle infrastructure cost
D
Azure guarantees zero data loss
Correct Answer
Pay only when DR resources are actively used—no idle infrastructure cost
Explanation
The consumption-based model means DR resources in Azure cost nothing when idle—you pay only during failover tests or actual disasters. A physical DR site incurs 24/7 costs for idle capacity. Learn more: https://learn.microsoft.com/en-us/azure/site-recovery/site-recovery-overview
Q4
A government agency needs infrastructure dedicated to a single organization with full control, but doesn't want to build its own data center. Which model fits?
A
Public cloud
B
Hybrid cloud
C
Private cloud
D
Community cloud
Correct Answer
Private cloud
Explanation
A private cloud provides infrastructure dedicated to one organization. It can be hosted on-premises or by a third-party provider, giving full control while avoiding data center construction costs. Learn more: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/considerations/fundamental-concepts
Q5
Which TWO represent Operational Expenditure (OpEx) in a cloud context?
A
Purchasing 100 physical servers
B
Monthly Azure VM subscription charges
C
Buying network switches for on-premises
D
Per-hour Azure compute charges this month
Correct Answers
Monthly Azure VM subscription charges
Per-hour Azure compute charges this month
Explanation
OpEx is recurring operational spending paid as services are consumed. Monthly Azure VM charges and per-API-call fees are OpEx. Purchasing servers or network switches is CapEx. Learn more: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/strategy/cloud-accounting
Q6
A company needs to host a Linux VM in Azure with full OS-level control for a custom application. Which Azure service should they use?
A
Azure App Service
B
Azure Container Instances
C
Azure Virtual Machines
D
Azure Functions
Correct Answer
Azure Virtual Machines
Explanation
Azure Virtual Machines (VMs) provide IaaS compute with full control over the OS, installed software, and configuration—ideal when custom OS-level configuration is required. Learn more: https://learn.microsoft.com/en-us/azure/virtual-machines/overview
Q7
A company deploys VMs in Azure and needs a 99.99% SLA. What is the minimum architecture required?
A
Single VM with Premium SSD
B
Two VMs in the same Availability Zone
C
Two VMs in an Availability Set
D
Two VMs each in a different Availability Zone
Correct Answer
Two VMs each in a different Availability Zone
Explanation
VMs deployed across two or more Availability Zones in the same region receive a 99.99% SLA. A single VM with Premium SSD provides only 99.9%. Availability Sets provide 99.95%. Learn more: https://learn.microsoft.com/en-us/azure/reliability/availability-zones-overview
Q8
A developer needs a globally distributed NoSQL database with single-digit millisecond latency and multi-region writes. Which Azure service fits?
A
Azure SQL Database Hyperscale
B
Azure Table Storage
C
Azure Database for PostgreSQL
D
Azure Cosmos DB
Correct Answer
Azure Cosmos DB
Explanation
Azure Cosmos DB is a fully managed, globally distributed NoSQL database supporting multi-region writes and single-digit millisecond read/write latency at any scale. Learn more: https://learn.microsoft.com/en-us/azure/cosmos-db/introduction
Q9
A short background job runs under 2 minutes whenever a file is uploaded to Blob Storage. The team wants to pay only per execution. Which service is MOST cost-effective?
A
Azure Virtual Machines
B
Azure Kubernetes Service
C
Azure Functions
D
Azure App Service Standard tier
Correct Answer
Azure Functions
Explanation
Azure Functions is serverless and event-driven—you pay only per execution (per million executions after the free tier). It integrates natively with Blob Storage triggers. Running a VM 24/7 for a 2-minute job is wasteful. Learn more: https://learn.microsoft.com/en-us/azure/azure-functions/functions-overview
Q10
Which Azure storage service stores unstructured data like images, videos, and backups accessible via HTTP/HTTPS?
A
Azure Files
B
Azure Queue Storage
C
Azure Disk Storage
D
Azure Blob Storage
Correct Answer
Azure Blob Storage
Explanation
Azure Blob Storage is optimized for massive amounts of unstructured data (objects) accessible via HTTPS endpoints. It supports Hot, Cool, Cold, and Archive tiers. Learn more: https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction
Q11
A company needs a private dedicated connection from on-premises to Azure that bypasses the public internet for consistent low latency. Which service provides this?
A
Azure VPN Gateway
B
Azure Virtual WAN
C
Azure ExpressRoute
D
Azure Application Gateway
Correct Answer
Azure ExpressRoute
Explanation
Azure ExpressRoute provides a private, dedicated network connection between on-premises and Azure bypassing the public internet—delivering consistent, low-latency, high-throughput connectivity. Learn more: https://learn.microsoft.com/en-us/azure/expressroute/expressroute-introduction
Q12
A company wants to define standard Azure environments (RBAC, Policy, ARM templates) and deploy them consistently to new subscriptions as a versioned package. Which service is designed for this?
A
ARM templates alone
B
Azure Policy initiative
C
Azure Blueprints
D
Azure DevOps release pipeline
Correct Answer
Azure Blueprints
Explanation
Azure Blueprints packages RBAC assignments, Policy assignments, and resource templates into a versioned blueprint definition that can be assigned to multiple subscriptions for repeatable governed environment setup. Learn more: https://learn.microsoft.com/en-us/azure/governance/blueprints/overview
Q13
Which THREE are valid reasons to use multiple Azure subscriptions?
A
Separate billing between different departments
B
Increase performance of individual Azure VMs
C
Isolate production from development environments
D
Work around subscription-level resource quotas and limits
E
Automatically enable Azure Policy on all resources
Correct Answers
Separate billing between different departments
Isolate production from development environments
Work around subscription-level resource quotas and limits
Explanation
Multiple subscriptions are used to: separate billing by business unit, isolate environments (prod vs dev/test), and work around subscription-level resource quotas. Each subscription has its own billing and access boundary. Learn more: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/organize-subscriptions
Q14
Which TWO characteristics describe Azure Spot Virtual Machines?
A
Spot VMs offer SLA-backed uptime guarantees
B
Spot VMs can be evicted with 30 seconds notice when capacity is needed
C
Spot VMs provide up to 90% discount vs pay-as-you-go
D
Spot VMs are ideal for mission-critical production databases
Correct Answers
Spot VMs can be evicted with 30 seconds notice when capacity is needed
Spot VMs provide up to 90% discount vs pay-as-you-go
Explanation
Azure Spot VMs use Azure's excess compute capacity at up to 90% discount. However, Azure can evict them with 30 seconds notice when capacity is needed—not suitable for business-critical workloads. Learn more: https://learn.microsoft.com/en-us/azure/virtual-machines/spot-vms
Q15
A cloud admin needs to restrict an Azure storage account to be accessible ONLY from specific VNets, not from the public internet. Which feature achieves this?
A
Azure NSG outbound rules
B
SAS token with IP restriction
C
Storage account firewall with VNet service endpoints or Private Endpoints
D
Azure Policy with deny for public access
Correct Answer
Storage account firewall with VNet service endpoints or Private Endpoints
Explanation
Azure Storage Account Firewall and Virtual Networks settings restrict storage account access to specific VNet subnets via Service Endpoints or Private Endpoints, preventing access from the public internet. Learn more: https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security
Q16
Which Azure pricing option allows companies to reuse existing on-premises Windows Server licenses (with Software Assurance) on Azure VMs without paying for the OS license again?
A
Azure Reserved Instances
B
Azure Spot Instances
C
Azure Hybrid Benefit
D
Azure Dev/Test pricing
Correct Answer
Azure Hybrid Benefit
Explanation
Azure Hybrid Benefit allows customers with active Software Assurance on Windows Server and SQL Server licenses to use them on Azure VMs, saving up to 40-55% compared to pay-as-you-go pricing. Learn more: https://learn.microsoft.com/en-us/azure/virtual-machines/windows/hybrid-use-benefit-licensing
Q17
Which Azure compliance feature maps Azure control implementations to specific regulatory frameworks like NIST 800-53 and ISO 27001?
A
Azure Policy initiative assignments
B
Azure Advisor compliance category
C
Microsoft Purview Compliance Manager
D
Microsoft Defender for Cloud regulatory compliance dashboard
Correct Answer
Microsoft Purview Compliance Manager
Explanation
Microsoft Purview Compliance Manager maps Azure built-in controls to regulatory frameworks (NIST 800-53, ISO 27001, GDPR, PCI DSS). It provides compliance scores and improvement actions for auditors. Learn more: https://learn.microsoft.com/en-us/purview/compliance-manager
Q18
A company wants all Azure VMs in Production resource groups to only use approved sizes (e.g., Standard_D2s_v3, Standard_D4s_v3). Which feature enforces this?
A
Azure Resource Locks
B
Azure RBAC custom role restrictions
C
Azure Advisor VM size recommendations
D
Azure Policy 'Allowed virtual machine size SKUs'
Correct Answer
Azure Policy 'Allowed virtual machine size SKUs'
Explanation
Azure Policy's built-in 'Allowed virtual machine size SKUs' definition with the Deny effect prevents creation of VMs not in the approved list—an effective cost governance control. Learn more: https://learn.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies
Q19
Which Azure service provides a personalized, filterable view of past Azure service incidents and planned maintenance events for post-incident reviews?
A
Azure Monitor Metrics
B
Azure Resource Graph
C
Azure Service Health (Health History)
D
Azure Activity Log
Correct Answer
Azure Service Health (Health History)
Explanation
Azure Service Health Health History allows viewing past service incidents, planned maintenance events, and health advisories—useful for post-incident reviews, SLA calculations, and identifying recurring issues. Learn more: https://learn.microsoft.com/en-us/azure/service-health/service-health-overview
Q20
Which Azure service lets you automatically shut down all non-production VMs every evening using a scheduled runbook?
A
Azure Policy scheduled job
B
Azure Logic Apps VM connector
C
Azure Automation runbooks with schedules
D
Azure DevOps pipeline schedules
Correct Answer
Azure Automation runbooks with schedules
Explanation
Azure Automation with scheduled Runbooks can automatically start/stop VMs on a schedule. For fleet-wide management, Azure Automation runbooks are the preferred approach. Learn more: https://learn.microsoft.com/en-us/azure/automation/automation-solution-vm-management
Q21
A company uses Azure for infrastructure and also needs to manage on-premises Kubernetes clusters from Azure using Azure Policy, Monitor, and RBAC. Which service extends Azure management to non-Azure resources?
Q22
What is the purpose of the Azure Cloud Adoption Framework (CAF)?
A
A set of pricing tools to estimate Azure costs
Microsoft's best-practice guidance for adopting and governing Azure at enterprise scale
C
A compliance certification program for Azure workloads
D
An automated tool that migrates workloads to Azure
Correct Answer
Microsoft's best-practice guidance for adopting and governing Azure at enterprise scale
Explanation
The Azure CAF is Microsoft's documented best-practice guidance for organizations to design and implement their cloud journey—covering strategy, planning, readiness, migration, governance, management, and innovation. Learn more: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/overview
Q23
Which Azure service enables building no-code automated workflows—such as sending an approval email when a SharePoint list item is added?
A
Azure Functions
B
Azure Service Bus
Azure Logic Apps
D
Azure Event Grid
Correct Answer
Azure Logic Apps
Explanation
Azure Logic Apps is a no-code/low-code workflow automation service with 400+ connectors integrating Microsoft 365, SharePoint, email, and other services—without writing code. Learn more: https://learn.microsoft.com/en-us/azure/logic-apps/logic-apps-overview
Q24
A solution must ingest 1 million IoT device events per second for real-time analytics. Which Azure service handles this high-throughput streaming?
A
Azure Service Bus
B
Azure Queue Storage
C
Azure Logic Apps
Azure Event Hubs
Correct Answer
Azure Event Hubs
Explanation
Azure Event Hubs is a big data streaming platform capable of receiving and processing millions of events per second—ideal for IoT telemetry and real-time analytics pipelines. Learn more: https://learn.microsoft.com/en-us/azure/event-hubs/event-hubs-about
Q25
Which TWO Azure compute services are serverless—where you do NOT manage the underlying infrastructure?
A
Azure Virtual Machines
Azure Functions
C
Azure Kubernetes Service
Azure Logic Apps
Correct Answers
Azure Functions
Azure Logic Apps
Explanation
Azure Functions and Azure Logic Apps are both serverless—you deploy code or workflows without managing servers, and pay only for execution. Azure VMs and AKS require infrastructure management. Learn more: https://learn.microsoft.com/en-us/azure/azure-functions/functions-overview
Q26
A company wants to deliver a web application globally with lowest latency by caching static content at edge nodes near users. Which service provides this?
A
Azure Traffic Manager
B
Azure Front Door
Azure CDN
D
Azure Application Gateway
Correct Answer
Azure CDN
Explanation
Azure Content Delivery Network (CDN) caches static content at globally distributed Points of Presence (edge nodes). Users are served from the nearest edge node, reducing latency. Learn more: https://learn.microsoft.com/en-us/azure/cdn/cdn-overview
Q27
Which Azure service provides managed identity (authentication/authorization) for Azure resources, apps, and users, including SSO and MFA?
A
Azure RBAC
B
Azure Key Vault
Microsoft Entra ID (Azure Active Directory)
D
AD Domain Services on VM
Correct Answer
Microsoft Entra ID (Azure Active Directory)
Explanation
Microsoft Entra ID (formerly Azure Active Directory) is Microsoft's cloud-based identity and access management service providing authentication, SSO, MFA, and conditional access. Learn more: https://learn.microsoft.com/en-us/entra/identity/
Q28
A company needs cloud-native SIEM and SOAR to detect and automatically respond to threats across Azure subscriptions using AI. Which service provides this?
A
Microsoft Defender for Cloud
B
Azure Monitor
Microsoft Sentinel
D
Azure Firewall Premium
Correct Answer
Microsoft Sentinel
Explanation
Microsoft Sentinel is a cloud-native SIEM and SOAR solution using AI to detect threats, correlate signals, and automate responses across Azure and hybrid environments. Learn more: https://learn.microsoft.com/en-us/azure/sentinel/overview
Q29
Which TWO items are ALWAYS Microsoft's responsibility regardless of whether the service is IaaS, PaaS, or SaaS?
A
Operating system patching
Physical data center security
C
Application code security
Physical network infrastructure
Correct Answers
Physical data center security
Physical network infrastructure
Explanation
Microsoft always owns physical data center security (facility access, perimeter, hardware) and the underlying physical network infrastructure. OS, data, and identity shift depending on model. Learn more: https://learn.microsoft.com/en-us/azure/security/fundamentals/shared-responsibility
Q30
A company uses Azure for disaster recovery of on-premises workloads. What is the PRIMARY financial benefit compared to maintaining a physical secondary site?
A
Azure automatically tests DR weekly at no cost
B
Azure eliminates the need for DR
Pay only when DR resources are actively used—no idle infrastructure cost
D
Azure guarantees zero data loss
Correct Answer
Pay only when DR resources are actively used—no idle infrastructure cost
Explanation
The consumption-based model means DR resources in Azure cost nothing when idle—you pay only during failover tests or actual disasters. A physical DR site incurs 24/7 costs for idle capacity. Learn more: https://learn.microsoft.com/en-us/azure/site-recovery/site-recovery-overview