Microsoft Certified: Azure Solutions Architect Expert Practice Exam 2025: Latest Questions

A company uses Azure Storage accounts and wants to prevent data exfiltration by ensuring that storage data can be accessed only from specific virtual networks and approved Azure services. What should you implement?

You have multiple Azure subscriptions and want consistent enforcement that resources must have specific tags (for example, CostCenter and DataClassification). You also want noncompliant resources to be blocked at creation time. What should you use?

An application is deployed across two Azure regions in active-active mode. You need to direct users to the closest healthy region and automatically fail over during regional outages. Which service should you use?

You have an Azure virtual network with multiple subnets. You must ensure that only approved private IP address ranges can connect to a subnet that hosts internal APIs. You also need to deny all other inbound traffic by default. What should you use?

A company is migrating a multi-terabyte on-premises file share to Azure. The file share must support SMB access, preserve NTFS ACLs, and integrate with on-premises Active Directory for authentication. What is the recommended target service?

You need to centralize platform and application logs from multiple Azure subscriptions into a single workspace for query, alerting, and dashboards. You also want to minimize administrative overhead when onboarding new subscriptions. What should you design?

Your organization requires that all Azure resources use customer-managed keys (CMKs) where supported, with centralized key control and auditing. You want the keys protected by hardware security modules and managed with minimal operational overhead. Which service should you choose?

An enterprise has a hub-and-spoke network architecture. The company wants to enforce and centrally manage outbound internet access, TLS inspection, and application-level FQDN filtering for all spokes. What is the best approach?

You run a mission-critical workload on Azure SQL Database. The business requires recovery from a regional outage with an RPO of near zero and automated failover to a secondary region. Which design meets the requirement?

A company wants to allow an Azure PaaS service that supports Private Link (for example, Azure SQL Database) to be accessed privately from multiple VNets across subscriptions. Name resolution must ensure clients always resolve the service to the private endpoint IP. What should you design?

Your company uses Microsoft Entra ID. You need to ensure that only compliant devices can access Microsoft 365 and a set of Azure-hosted web apps. The solution must block access from unmanaged devices while allowing access from compliant devices with minimal user disruption. What should you implement?

You are designing a monitoring strategy for 200 Azure virtual machines and multiple PaaS services. The security team requires a single place to query logs across all resources using KQL and to set up alert rules based on those queries. Which Azure service should you use?

You need to restrict outbound internet access from a subnet that hosts line-of-business virtual machines. Only traffic to a fixed list of external FQDNs should be allowed. You also need centralized logging of allowed and denied outbound connections. Which solution should you recommend?

You are migrating a legacy application that stores unstructured content (images and PDFs). The application requires: SMB access from Windows servers, the ability to mount the share concurrently from multiple VMs, and snapshots for quick recovery from accidental deletions. Which Azure storage option best meets these requirements?

You need to design a highly available application gateway layer for an internal web app. Requirements: TLS termination, WAF protection, and zone resilience within a region. Which solution best meets the requirements?

A company runs a mission-critical SQL Server workload on Azure virtual machines. The business requires the ability to fail over to a secondary region with minimal data loss and minimal manual intervention. Which architecture should you recommend?

You are designing data storage for an IoT solution that ingests millions of time-series events per minute. The solution must support near-real-time analytics and ad-hoc queries over large datasets while separating compute from storage. Which approach best meets these requirements?

You manage multiple Azure subscriptions. You must ensure that resource groups containing production workloads cannot be deleted, but resource groups in non-production can be deleted. The control must be centrally managed and enforceable. What should you use?

Your organization requires that all secrets, keys, and certificates used by applications are centrally managed. The solution must support automatic rotation where possible and must allow applications to retrieve secrets without storing credentials in code. Which design should you recommend?

You are designing a multi-region active-active web application using Azure SQL Database. The application must continue operating during a regional outage, and the database must support read-write operations in both regions with conflict detection and resolution. Which database capability should you use?

A company uses Azure Monitor and wants to ensure that all newly created subscriptions automatically send platform logs (Activity Log) and diagnostic logs from supported resources to a central Log Analytics workspace in a management subscription. The solution must be scalable and require minimal per-subscription configuration. What should you recommend?

You need to design storage for a high-ingest analytics workload that writes millions of small files per hour and then runs Azure Databricks jobs for batch processing. The data must remain in a hierarchical namespace to support ACLs and efficient directory operations. Which storage option should you choose?

A mission-critical web application runs in two Azure regions (active-active) behind Azure Front Door. The application stores user sessions in Azure Cache for Redis and writes transactional data to a single Azure SQL Database in the primary region. During a regional outage, the app stays online but users experience errors when the database is unreachable. You must design a solution that provides automatic failover for the database with minimal data loss. What should you recommend?

You are designing network connectivity for a hub-and-spoke architecture. Multiple spokes contain VNets with overlapping address spaces due to mergers. All spokes must connect to a shared set of services in the hub (firewalls, DNS, and shared PaaS private endpoints). You must minimize IP renumbering while enabling full connectivity. What should you recommend?

A company wants to restrict access to Azure Storage accounts so that only resources within approved VNets can reach them. They also need to prevent data exfiltration from these storage accounts to other tenants. Which design should you recommend?