50 Microsoft Certified: Azure Administrator Associate Practice Questions: Question Bank 2025
Build your exam confidence with our curated bank of 50 practice questions for the Microsoft Certified: Azure Administrator Associate certification. Each question includes detailed explanations to help you understand the concepts deeply.
Why Use Our 50 Question Bank?
Strategically designed questions to maximize your exam preparation
50 Questions
A comprehensive set of practice questions covering key exam topics
All Domains Covered
Questions distributed across all exam objectives and domains
Mixed Difficulty
Easy, medium, and hard questions to test all skill levels
Detailed Explanations
Learn from comprehensive explanations for each answer
Practice Questions
50 practice questions for Microsoft Certified: Azure Administrator Associate
You need to grant a user the ability to reset passwords for all users in a specific Azure AD group. You must follow least privilege. What role should you assign?
You have a storage account that contains a container named data. You need to provide a vendor read-only access to only that container for 12 hours without sharing account keys. What should you use?
You deploy an Azure VM that must resolve internal hostnames for resources in an Azure virtual network. Without deploying any custom DNS servers, what should you configure on the VM or VNet to enable name resolution?
You need to ensure that an Azure VM is automatically restarted if the guest operating system becomes unresponsive. What feature should you enable?
Your organization requires that all new resource groups must include tags named CostCenter and Owner. You need to prevent creation if either tag is missing. What should you implement?
A storage account must allow access only from selected virtual networks and deny all public internet traffic. Which configuration should you use?
You have an Azure VM Scale Set (VMSS) running a web application. During deployments, you need to update instances in a controlled way to maintain service availability. What update method should you use?
You connect two Azure virtual networks using VNet peering. Users report they cannot connect to a VM in the peered VNet using its private IP address. The peering shows Connected. What is the MOST likely cause?
You need to collect Windows event logs and performance counters from 50 Azure VMs and query them using Kusto Query Language (KQL). You also need to set alert rules based on the collected data. What should you configure?
You host an internal API on an Azure App Service and want it accessible only from a specific virtual network and on-premises network connected via ExpressRoute. You must prevent any public internet access to the API endpoint. Which solution should you implement?
You need to grant a helpdesk group the ability to reset passwords for users in a specific department only. You want to follow least privilege. What should you use?
A storage account contains a container named logs. You need to allow an on-premises app to write blobs to logs for the next 12 hours without using an Entra ID sign-in and without granting permissions to other containers. What should you use?
You are deploying a VM Scale Set (VMSS) and want instances to automatically receive OS security updates without manually patching each instance. What should you configure?
Two virtual networks in different regions must connect privately over Microsoft’s backbone network with predictable latency. You want the simplest approach without deploying VPN appliances. What should you use?
You want to capture operating system performance counters and Windows event logs from multiple Azure VMs into a Log Analytics workspace. Which agent/approach should you use?
Your organization wants to ensure that all newly created resource groups enforce a required tag named CostCenter. The tag should be required at creation time. What should you implement?
You are troubleshooting connectivity to a VM. The VM is in a subnet associated with an NSG. A rule allows inbound TCP 3389 from your public IP. You still cannot connect. Which Azure feature can you use to determine whether the NSG is blocking traffic to the VM’s NIC or subnet?
You need to ensure that blob data in a storage account is recoverable if it is overwritten or deleted by mistake. You want to minimize operational overhead and avoid restoring the entire storage account. What should you enable?
You deployed an internal Azure Load Balancer for a web tier in a subnet. Back-end VMs report healthy, but clients in a peered VNet cannot reach the service. You need a solution that maintains private access and avoids exposing the service to the internet. What is the most likely requirement?
You must enforce that only approved VM sizes can be deployed across multiple subscriptions. The control must be centrally managed and inherited by all subscriptions, including future subscriptions. What should you do?
You need to ensure all new and existing resources in a subscription have the tag Environment with an allowed value of Dev, Test, or Prod. If the tag is missing, it should be added automatically. What should you use?
You have an Azure Storage account with a blob container named logs. You need to allow a partner to upload new blobs to the container for the next 24 hours. The partner must not be able to read, list, or delete any blobs. What should you provide?
You need to collect Windows event logs and performance counters from multiple Azure VMs and query them using Kusto Query Language (KQL). Which solution should you configure?
Your organization has multiple subscriptions under one tenant. You need to ensure that a specific policy initiative (policy set) is consistently assigned to every subscription, including new ones created in the future. What should you use?
You deploy a new VM into a subnet that has a route table (UDR) associated. The VM cannot reach the internet. The subnet’s route table contains a route for 0.0.0.0/0 with next hop set to Virtual appliance, but no appliance exists. What is the most likely cause?
You have a VM scale set (VMSS) hosting a stateless web app. You need to update the OS image with minimal service disruption while ensuring that a portion of instances remains available during the upgrade. What should you configure?
You need to restrict access to a storage account so that it is reachable only from a specific Azure virtual network and a specific on-premises network connected via VPN. Public access from the internet must be blocked. Which configuration meets the requirement?
You need to ensure administrators can manage Azure VMs without exposing SSH/RDP ports to the internet. The solution must support just-in-time connectivity from the Azure portal and enforce time-limited access. What should you implement?
A mission-critical VM uses managed disks. You must ensure that if the VM is deleted, the OS disk and data disks are preserved automatically for later reattachment. What should you configure?
Your security team requires that all administrative actions in a subscription are recorded and that you can detect suspicious activities such as mass deletion attempts. You need a solution that provides alerting and retains logs for querying. What should you configure?
You manage an Azure subscription that contains several resource groups. A user named User1 must be able to view resources and create support requests, but must not be able to modify any resources. Which built-in role should you assign to User1 at the subscription scope?
You have an Azure Storage account that contains a blob container named cont1. You need to allow an external partner to upload blobs to cont1 for the next 12 hours. The partner must not be able to list the container contents or read blobs. What should you provide?
You deploy a new Linux VM in Azure. You need to ensure that the VM can be accessed using SSH without exposing SSH (port 22) to the internet. What should you use?
You need to ensure that all newly created resources in a subscription automatically inherit the tags CostCenter and Owner when the tags exist on the resource group. What should you use?
You have a virtual network VNet1 with a subnet named Subnet1. Subnet1 contains several VMs. You associate an NSG to Subnet1 that allows inbound TCP 443 from the internet. Users report they still cannot reach an application on TCP 443 hosted on VM1. What is the most likely cause?
You have an Azure Storage account with a file share used by on-premises servers. You plan to use Azure File Sync. You need to ensure that frequently accessed files remain on-premises for performance while infrequently accessed files are tiered to Azure. Which Azure File Sync feature should you enable?
You have a VM scale set (VMSS) that uses autoscale based on CPU. You need to be notified when the number of instances exceeds 20. Which solution should you configure?
You have two virtual networks, VNetA and VNetB, peered together. You need to allow VMs in VNetA to resolve private DNS names for a private endpoint that exists in VNetB using Azure Private DNS zones. What should you do?
You need to enforce that all Azure Key Vaults in a subscription reject public network access and only allow access via private endpoints. Resources must be blocked from deployment if they don't comply. What should you implement?
Your company requires that VM administrative access is performed using per-user Azure AD identities and that local admin accounts are not used. You have Windows Server VMs in Azure. What should you configure to meet the requirement?
You need to ensure that all newly created Azure Storage accounts in a subscription require secure transfer (HTTPS). What should you use?
You are troubleshooting a Windows VM that cannot resolve internal DNS names. The VM uses a custom DNS server IP configured on the virtual network. You update the VNet DNS server IPs to a new server. What must you do on the VM for the change to take effect immediately?
You need to quickly restore a deleted blob in an Azure Storage account. No backup solution is in place, and you want to minimize administrative overhead going forward. Which feature should you enable?
A team wants to deploy an Azure VM Scale Set (VMSS) where instances must be evenly distributed across multiple datacenters in the same region for higher availability. What should you configure?
You manage multiple subscriptions under a single tenant. You need to ensure that a security baseline policy is applied consistently to all current and future subscriptions. What is the best approach?
A storage account must allow access only from a specific set of public IP addresses. You also need to ensure access from Azure services you trust. What should you configure?
You deploy a VM that must allow inbound RDP only from a single administrative public IP address. The subnet already has an NSG. What should you do?
You need to capture guest-level performance counters and Windows event logs from several Azure VMs to a Log Analytics workspace for centralized querying. Which solution should you use?
A company deploys a private endpoint for an Azure Storage account in a VNet. Clients in that VNet still resolve the storage account name to the public endpoint and fail to connect because public network access is disabled. What should you configure?
You need to perform an in-place OS disk encryption rollout on existing Azure VMs using customer-managed keys stored in Azure Key Vault. The security team requires that key access be controlled by Azure AD and that key usage be logged. What should you implement?
Microsoft Certified: Azure Administrator Associate 50 Practice Questions FAQs
Microsoft Certified: Azure Administrator Associate is a professional certification from Microsoft Azure that validates expertise in Microsoft Certified: Azure Administrator Associate technologies and concepts. The official exam code is AZ-104.
Our 50 Microsoft Certified: Azure Administrator Associate practice questions include a curated selection of exam-style questions covering key concepts from all exam domains. Each question includes detailed explanations to help you learn.
50 questions is a great starting point for Microsoft Certified: Azure Administrator Associate preparation. For comprehensive coverage, we recommend also using our 100 and 200 question banks as you progress.
The 50 Microsoft Certified: Azure Administrator Associate questions are organized by exam domain and include a mix of easy, medium, and hard questions to test your knowledge at different levels.