Microsoft Azure Fundamentals Practice Test (AZ-900)

Azure Advisor analyzes your Azure environment and provides personalized recommendations across various categories to help you optimize your resources. It covers aspects such as cost savings, performance enhancement, security improvement, and ensuring high availability. Understanding the scope of Azure Advisor's recommendations is key in effectively managing and optimizing an Azure environment.

Azure Subscriptions are the right choice for the company as they form the container for billing, access control, and resource allocation. Each department can have its own subscription, with the costs separated per subscription. Management groups are not the answer as they are used to manage access, policies, and compliance across multiple subscriptions, rather than separating the billing and access control for different departments. A single subscription with multiple resource groups would not ideally segregate the billing by department. While Azure Active Directory performs identity and access management, it doesn't separate resources and billing at the departmental level.

Microsoft Entra Domain Services provides managed domain services like LDAP, Kerberos, NTLM authentication, and Group Policy without the need to deploy or manage domain controllers. It is designed to support legacy applications in Azure that cannot use modern authentication methods.

Microsoft Entra ID offers identity and access management but does not support LDAP or Kerberos authentication directly.

Azure Virtual Machines would require setting up and maintaining domain controllers, increasing administrative effort.

Azure Key Vault is used for secure storage of keys and secrets, not for providing directory services.

Tags are key-value pairs that enable you to categorize resources according to your organizational needs. They are primarily used to organize resources for cost tracking, management, and billing purposes. By tagging resources, you can group them logically and generate consolidated billing reports based on those tags. Tags do not modify resource configurations, improve performance, or enforce security policies.

Azure Data Box provides physical devices that customers can use to transfer large volumes of data to Azure offline. The devices are shipped to the customer, who loads the data onto them, and then returns them to Microsoft for uploading to Azure. This method is ideal when network bandwidth is insufficient for transferring data in a timely manner.

Azure Migrate is designed for assessing and migrating on-premises servers, databases, and applications to Azure. It helps with migration planning and resource sizing but does not provide a physical transfer option for large data volumes.

Azure ExpressRoute is a private, high-speed connection to Azure, allowing secure data transfer over a dedicated network link rather than the internet. While it supports large data transfers, it still relies on network connectivity and is not an offline physical transfer solution.

Azure Site Recovery is a disaster recovery service that replicates virtual machines, physical servers, and applications to Azure to ensure business continuity. It does not support physical data transfer or offline data migration.

The Azure Blob Storage Cool tier is intended for data that is not accessed frequently but still requires reasonably fast access. It provides lower storage costs than the Hot tier without the higher access latency of the Archive tier. The Archive tier may seem cost-effective, but it is designed for data that is rarely accessed and has a retrieval delay of several hours, which is detrimental for a streaming user experience. The Premium performance tier is optimized for high transaction rates and provides lower latency but at a higher cost, making it unnecessary for the less frequently accessed videos.

Azure Data Box is a service that offers physical devices provided by Microsoft to transfer large volumes of data to Azure securely. It is ideal for situations where transferring data over the network is impractical due to limited bandwidth or high latency. This helps in efficiently moving terabytes of data to Azure without relying on network transfers.

Infrastructure as Code (IaC) enables the automation of resource deployment and management by using code-based templates like ARM templates. This approach ensures that environments are consistent and repeatable, reducing the risk of human error associated with manual configurations. The other options involve manual processes or tools not designed for automated, code-based deployment.

Azure File Sync provides the capability to synchronize files between on-premises Windows Servers and Azure File Shares, allowing for continuous replication and bi-directional sync. This enables the on-premises servers to cache frequently accessed files while keeping data synchronized with Azure.

AzCopy is a command-line tool designed for one-time data transfer tasks, not continuous synchronization.

Azure Storage Explorer is a GUI tool for managing and transferring files but does not offer automatic synchronization.

Azure Data Box is a physical device used for offline data transfer to Azure, suitable for large datasets but not for continuous sync.

The described model is Software as a Service (SaaS). In SaaS, the cloud provider hosts the application and all supporting infrastructure, applies updates, and handles security and backups. Customers access the application over the internet, typically via a web browser. Platform as a Service (PaaS) instead provides a development platform where customers build and deploy their own applications. Infrastructure as a Service (IaaS) offers virtualized computing resources that the customer must configure and manage. Serverless computing focuses on running code in response to events and is not a standalone application-delivery model.

A hybrid cloud model is the optimal solution for the financial institution as it allows for sensitive data to be stored on-premises or in a private cloud to comply with data sovereignty laws, while also providing the ability to scale resources using a public cloud during high-demand periods. A public cloud model does not guarantee data residency within specific geographic borders, which could violate data sovereignty laws. A private cloud may ensure compliance with data residency requirements but does not offer the same level of scalability as the public cloud. Therefore, a hybrid approach is the most appropriate for balancing compliance with scalability.

Software as a Service (SaaS) delivers complete applications over the internet, managed by the cloud provider. This allows the organization to use the CRM application without dealing with hardware maintenance or managing infrastructure, aligning with their preferences. Infrastructure as a Service (IaaS) would require them to manage operating systems and software installations. Platform as a Service (PaaS) is intended for custom application development and still involves managing the environment. Containers also require management of the application and its dependencies, which does not meet the organization's desire to avoid infrastructure management.

Infrastructure as a Service (IaaS) offers the highest level of control over computing resources in the cloud. With IaaS, you are responsible for managing operating systems, applications, and middleware, giving you flexibility to configure your environment as needed. The cloud provider manages the underlying physical infrastructure, including virtualization, storage, and networking components. This contrasts with Platform as a Service (PaaS), where the provider also manages the operating system and runtime, and Software as a Service (SaaS), where the provider manages the entire stack, including the application.

Azure datacenters are physical facilities that host the server hardware, networking equipment, power, and cooling systems required to run Azure services. They are the actual buildings where the physical infrastructure resides.

Each datacenter is part of an Azure region, which is a geographical grouping of multiple datacenters.

Availability zones are unique physical locations within a region designed for high availability, but they are not the datacenters themselves.

Resource groups are logical containers for organizing Azure resources and do not represent physical facilities.

The consumption-based (pay-as-you-go) pricing model charges only for the resources actually used, with no upfront commitment or long-term contracts. This enables costs to scale in direct proportion to workload demand, giving businesses the desired spending flexibility. Other options, such as Reserved Instance pricing, require one- or three-year commitments, while fixed subscriptions or perpetual licenses lock costs regardless of actual usage, making them less suitable for highly variable workloads.

Built-in roles are provided by Azure to cover the most common needs for access permissions, such as Owner, Contributor, and Reader. These roles are designed by Azure and cannot be changed. In contrast, custom roles can be created by users to grant specific permissions not covered by built-in roles. Custom roles are flexible and can be tailored to an organization's specific needs, allowing precise control over access to Azure resources. This distinction is critical in creating a security environment that both protects resources and provides sufficient access for users to perform their jobs effectively.

Azure Arc enables organizations to extend Azure management and governance to servers and Kubernetes clusters running outside of Azure, providing a consistent management experience across on-premises, multi-cloud, and edge environments.

Azure Monitor focuses on monitoring resources.

Azure Lighthouse allows service providers to manage customer Azure resources.

Azure Resource Manager is the deployment and management service for Azure resources within Azure but does not extend to external environments.

Azure Monitor is designed to collect telemetry (metrics, logs, and traces) from virtually every Azure resource, store that data in its integrated platform, and provide analysis tools such as Metrics Explorer, Log Analytics, dashboards, and alerts. This makes it the most comprehensive choice for cross-resource monitoring. Application Insights and Log Analytics are important components of Azure Monitor but are narrower in scope-Application Insights focuses on individual applications, and Log Analytics is the query interface for log data. Azure Service Health supplies personalized outage and maintenance information but does not aggregate or analyze performance telemetry.

Azure Policy helps in enforcing organizational standards and assessing compliance at scale. With Azure Policy, the company can create policies that govern resource properties during deployment and for already existing resources. Policies can be used to restrict the types of virtual machines that can be deployed, ensuring compliance with the company's security standards. Role-Based Access Control (RBAC), while an important security measure, doesn't enforce compliance rules on resource properties. Azure Service Health is for tracking the health of Azure services, not policy compliance. Azure Advisor provides recommendations for high availability, performance, security, and cost, but it is not designed to enforce specific compliance requirements.

The correct answer is Multi-factor authentication (MFA), which requires users to provide two or more verification factors-something they know (like a password), something they have (such as a phone or hardware token), or something they are (biometrics). MFA adds a critical second layer of security to sign-ins and transactions. Single sign-on (SSO) improves the user experience by letting users access multiple applications with one set of credentials, but it does not by itself enforce multiple factors. Passwordless authentication removes the password and relies on a single strong credential like a biometric or FIDO2 key; unless MFA is also required, it remains one factor. Business-to-business (B2B) collaboration is designed for granting external partners guest access and does not specifically enforce multiple verification methods.