1. You need to collect Azure Activity Logs for auditing across multiple subscriptions owned by the same tenant; at what hierarchical scope should you enable diagnostic settings to capture all subscription-level changes with a single configuration?
- A. Enable diagnostic settings at the tenant level so Activity Logs for all subscriptions under the tenant are captured centrally into chosen destinations.
- B. Enable diagnostic settings individually on each subscription because tenant-level diagnostic settings do not exist for Activity Logs across subscriptions. ✓ Correct
- C. Enable diagnostic settings per resource group because subscription-level events are not available at the tenant scope and must be mapped to resource groups.
- D. Enable diagnostic settings only on individual resources because subscription and tenant levels do not emit Activity Logs for auditing purposes.
Explanation
Tenant-level Activity Log collection is not done via diagnostic settings; enable diagnostic settings on each subscription, or use a tenant-level solution. The correct answer notes that tenant-level diagnostic settings for Activity Logs do not exist, so you must enable them on each subscription.
2. Your compliance team requires immutable storage of resource diagnostic logs for seven years and a SIEM needs near-real-time ingestion; which combination of routing destinations should you choose to satisfy both requirements?
- A. Route diagnostic logs to Azure Storage configured with retention and immutability policies for long-term archival, and to Event Hub for near-real-time ingestion by the SIEM. ✓ Correct
- B. Route diagnostic logs only to a Log Analytics workspace and rely on its built-in retention settings for both archival and SIEM integration.
- C. Route diagnostic logs exclusively to a partner solution since partner solutions always provide both immutability and real-time SIEM ingestion out of the box.
- D. Route diagnostic logs to Event Hub for archival and to Storage for SIEM ingestion because Event Hub stores data indefinitely and Storage provides real-time streaming.
Explanation
Storage with immutability handles long-term archival and Event Hub provides streaming to SIEMs; Log Analytics alone is not suitable for an immutable seven-year archive, and option D has the two destinations reversed.
3. You must write a KQL query to find failed sign-in attempts in a Log Analytics workspace and return the top 10 IP addresses by count; which KQL pattern achieves this result efficiently?
- A. Use SigninLogs | where ResultType != 0 | summarize count() by IPAddress | top 10 by count_ to return the top failing IP addresses efficiently. ✓ Correct
- B. Use SigninLogs | where ResultType == 0 | summarize count() by IPAddress | top 10 by count_ because ResultType 0 indicates failure in Azure AD sign-ins.
- C. Use Heartbeat | where TimeGenerated > ago(1d) | summarize count() by Computer | top 10 by count_ since Heartbeat contains sign-in attempt details.
- D. Use SigninLogs | where ResultType != 0 | project IPAddress | distinct IPAddress | take 10 to list unique failing IP addresses without counts.
Explanation
Filtering SigninLogs for a non-zero ResultType finds failures, summarize by IPAddress returns the count per address, and top 10 sorts by that count; option D lacks counts, B wrongly treats ResultType 0 as failure, and C uses Heartbeat, which contains no sign-in data.
4. You are replacing legacy agents with the Azure Monitor Agent and must collect different Windows event channels and performance counters per workload; how should you manage which data is collected on each VM?
- A. Create multiple Data Collection Rules (DCRs) targeting VMs by tags or resource IDs, and assign the appropriate DCR to each VM to control channels and counters per workload. ✓ Correct
- B. Install multiple instances of the Azure Monitor Agent on each VM and configure each instance to collect a specific set of counters and event channels per workload.
- C. Use a single global Data Collection Rule for all VMs and filter unwanted events inside Log Analytics queries rather than tailoring collection per VM.
- D. Rely on VM extensions other than AMA to collect Windows event channels because AMA does not support per-VM configuration.
Explanation
DCRs let you define per-VM collection and assign it by tags or resource scope; multiple AMA instances on one VM aren't supported, and filtering in queries wastes ingestion bandwidth.
5. After enabling VM Insights, you observe incomplete application dependency maps for some VMs; which action most likely resolves missing dependency information?
- A. Install or enable the Dependency agent (or ensure the Azure Monitor Agent collects process and network telemetry) on the affected VMs so VM Insights can map application dependencies accurately. ✓ Correct
- B. Increase the Log Analytics workspace retention period so historical dependencies appear in the map for those VMs.
- C. Disable Network Security Group (NSG) flow logs because they conflict with VM Insights dependency mapping and prevent collection of network telemetry.
- D. Reduce the sampling rate in Application Insights to limit noise so VM Insights can identify dependencies more clearly.
Explanation
Dependency mapping requires the Dependency agent or AMA collection of process and network telemetry; changing retention, NSG flow logs, or App Insights sampling does not supply the missing dependency data.