1. You must restrict access to a storage account so only specific corporate public IP ranges can reach it. Which configuration achieves this with the least administrative overhead?
- A. Configure the storage account firewall to allow only the corporate public IP ranges and deny all other traffic by default. ✓ Correct
- B. Deploy network security groups (NSGs) on all subnets and rely on them to restrict public access to the storage account endpoints.
- C. Restrict access by creating an Azure Policy that denies storage account creation outside the corporate IP ranges at subscription scope.
- D. Enable service endpoints for the storage account and then whitelist the corporate public IP ranges on the subnet level to restrict access.
Explanation
The storage account firewall allowlists public IP ranges directly and denies everything else once the default action is Deny. NSGs filter traffic on your subnets and do not control who can reach a PaaS service's public endpoint; Azure Policy governs resource deployment, not runtime traffic. Service endpoints control traffic from VNet subnets, not public IP allowlisting.
2. An external partner needs temporary access to a blob in your storage account but you must keep the account firewall enabled for corporate IPs only. What is the recommended approach?
- A. Temporarily add the partner's public IP address(es) to the storage firewall trusted IP list for the duration of access and remove them after the transfer. ✓ Correct
- B. Create a service-level SAS with short expiry and leave the firewall restricted; SAS alone will allow access even if the partner IP is not trusted.
- C. Disable the storage account firewall during the transfer and re-enable it after, since the SAS keeps access limited to the blob only.
- D. Share the storage account access key with the partner and rotate the key after they finish downloading the blob to restore security.
Explanation
A SAS does not bypass storage firewall network rules. To allow an external partner, either allowlist their public IP(s) on the storage firewall for the access window or use a Private Endpoint path; sharing keys or disabling the firewall is riskier.
3. You want traffic from an Azure VM subnet to reach your storage account over the Azure backbone and allow the storage firewall to trust that subnet, while authorization remains identity-based. What network feature should you enable and why?
- A. Enable virtual network service endpoints for Azure Storage on the VM subnet to route traffic over the Microsoft backbone and allow the storage account firewall to accept that VNet's traffic. ✓ Correct
- B. Configure a VPN gateway between the VM's VNet and the storage account resource to secure access over a private tunnel.
- C. Deploy an Azure Application Gateway in front of the storage account and route VM requests through it to provide secured connectivity.
- D. Enable Azure Private Link for the storage account and map a private IP into the VM subnet for direct SMB access.
Explanation
Service endpoints route traffic over the Microsoft backbone and let the storage firewall allow that VNet/subnet. Identity-based authorization is still enforced via Azure AD RBAC or SAS/keys; endpoints do not provide identity.
4. After enabling service endpoints from several subnets, you notice some storage requests still fail with firewall errors. Which troubleshooting step is most likely to resolve the issue?
- A. Verify that the storage account's firewall includes the specific virtual network and subnet combinations that were enabled for service endpoints. ✓ Correct
- B. Check that the VM operating systems have updated DNS entries to resolve the storage account to a private IP inside the subnet.
- C. Ensure that network security groups (NSGs) on the subnet explicitly allow outbound port 445 to the storage account's public IP addresses.
- D. Recreate the storage account in the same VNet so that service endpoints are automatically trusted without configuration.
Explanation
Enabling service endpoints requires adding the VNet/subnet to the storage account firewall exceptions; DNS or NSG rules are usually not the cause, and recreating the account is unnecessary.
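The three explanations above (questions 1, 2 and 4) all come down to the order in which a storage account evaluates a request: network rules first, credentials second. The following Python model, added here as an illustration and not part of the practice set or of any Azure SDK, makes that order explicit. `NetworkRuleSet`, `Request` and `evaluate` are hypothetical names; the IP ranges are constructed documentation addresses. Private endpoints, resource-instance rules and the trusted-services exception are deliberately left out of the model.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Azure rejects RFC 1918 ranges in IP rules: only public IPv4 addresses or ranges are accepted.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class NetworkRuleSet:
    """Simplified model of a storage account firewall (hypothetical, not the Azure SDK)."""
    default_action: str = "Deny"                        # "Allow" or "Deny"
    ip_rules: List[ipaddress.IPv4Network] = field(default_factory=list)
    vnet_rules: Set[str] = field(default_factory=set)   # "vnet/subnet" ids allowed via service endpoint

    def add_ip_rule(self, cidr: str) -> None:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version != 4 or any(net.subnet_of(r) for r in RFC1918):
            raise ValueError(f"{cidr}: IP rules must be public IPv4 addresses or ranges")
        self.ip_rules.append(net)

    def add_vnet_rule(self, vnet: str, subnet: str) -> None:
        # The step from question 4: enabling the Microsoft.Storage endpoint on the subnet
        # is not enough; the subnet must also be listed on the storage account.
        self.vnet_rules.add(f"{vnet}/{subnet}")


@dataclass
class Request:
    source_ip: Optional[str] = None        # public source address for internet-originated traffic
    source_subnet: Optional[str] = None    # "vnet/subnet" when the request arrives via a service endpoint
    has_valid_credential: bool = False     # SAS, account key or Entra ID token that is otherwise valid


def evaluate(rules: NetworkRuleSet, req: Request) -> str:
    """Return the outcome of a request: network rules first, then authorization."""
    if rules.default_action == "Allow":
        network_ok = True
    elif req.source_subnet is not None:
        network_ok = req.source_subnet in rules.vnet_rules
    elif req.source_ip is not None:
        addr = ipaddress.ip_address(req.source_ip)
        network_ok = any(addr in net for net in rules.ip_rules)
    else:
        network_ok = False
    if not network_ok:
        # Blocked before credentials are even looked at: a valid SAS does not bypass this (question 2).
        return "403 AuthorizationFailure (blocked by network rule)"
    if not req.has_valid_credential:
        # Network rules only open the path; authorization is still identity, SAS or key based (question 3).
        return "403 AuthorizationFailure (no valid credential)"
    return "200 OK"


if __name__ == "__main__":
    fw = NetworkRuleSet()
    fw.add_ip_rule("203.0.113.0/24")                                       # constructed corporate range
    partner = Request(source_ip="192.0.2.50", has_valid_credential=True)   # constructed partner IP
    print(evaluate(fw, partner))      # 403: a short-lived SAS alone is not enough
    fw.add_ip_rule("192.0.2.50")      # question 2: allowlist the partner for the transfer window
    print(evaluate(fw, partner))      # 200 OK
    fw.ip_rules.pop()                 # remove the temporary rule once the transfer is done
```

The `add_ip_rule` check mirrors a common source of confusion in question 1: you cannot put an on-premises private range or an IPv6 prefix in the storage firewall, which is why the corporate *public* egress ranges are what gets allowlisted.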
5. Which statement correctly compares account-level SAS tokens and service-level SAS tokens for Azure Storage?
- A. Account-level SAS tokens can grant permissions across multiple services (Blob, Queue, Table, File) while service-level SAS tokens are scoped to a single service or resource like a specific blob. ✓ Correct
- B. Service-level SAS tokens can rotate account keys automatically while account-level SAS tokens are immutable and cannot be revoked before expiry.
- C. Account-level SAS tokens are always safer because they are issued by Azure AD, while service-level SAS tokens require storing an account access key locally.
- D. Service-level SAS tokens permit management operations like creating containers at account scope, whereas account-level SAS tokens only allow data plane access.
Explanation
Account SAS tokens can span services and provide broader permissions using account keys; service SAS tokens are scoped to a single resource or service. The other statements are inaccurate about rotation, AD issuance, and scope.
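The scope difference in question 5 is visible in the token itself: an account SAS carries `ss` (signed services) and `srt` (signed resource types), while a service SAS carries `sr` (signed resource) and, optionally, `si` (a stored access policy that allows revocation without rotating keys). The parser below, added as an example and not part of the practice set or the Azure SDK, classifies a token from those query parameters and lists what a reviewer would check; `classify_sas` and `review_findings` are hypothetical names and the tokens are constructed with placeholder signatures.

```python
from datetime import datetime, timezone
from typing import Dict, List, Optional
from urllib.parse import parse_qs

# Single-letter codes used by the SAS query parameters.
SERVICES = {"b": "blob", "q": "queue", "t": "table", "f": "file"}
RESOURCE_TYPES = {"s": "service", "c": "container", "o": "object"}


def classify_sas(token: str) -> Dict:
    """Return the kind and scope of a SAS token, judged from its query parameters only."""
    params = {k: v[0] for k, v in parse_qs(token.lstrip("?")).items()}
    info = {
        "permissions": params.get("sp", ""),
        "expiry": params.get("se"),
        "ip_range": params.get("sip"),      # absent: usable from any address the firewall lets through
        "stored_policy": params.get("si"),  # service SAS only; revocable by deleting the policy
    }
    if "ss" in params and "srt" in params:
        # Account SAS: breadth is set by signed services and signed resource types.
        info["kind"] = "account"
        info["services"] = [SERVICES.get(c, c) for c in params["ss"]]
        info["resource_types"] = [RESOURCE_TYPES.get(c, c) for c in params["srt"]]
    elif "sr" in params:
        # Service SAS: pinned to one resource (b = blob, c = container, d = directory, ...).
        info["kind"] = "service"
        info["resource"] = params["sr"]
    else:
        info["kind"] = "unknown"
    return info


def review_findings(info: Dict, now: Optional[datetime] = None) -> List[str]:
    """Triage notes a reviewer would raise about a token; a checklist, not a verdict."""
    now = now or datetime.now(timezone.utc)
    findings = []
    if info["kind"] == "account" and "service" in info.get("resource_types", []):
        findings.append("account SAS with service-level resource type (can create or delete containers)")
    if set("wdc") & set(info["permissions"]):
        findings.append("grants write, delete or create")
    if info["expiry"]:
        exp = datetime.fromisoformat(info["expiry"].replace("Z", "+00:00"))
        if (exp - now).days > 7:
            findings.append("expiry more than 7 days out")
    if not info["ip_range"]:
        findings.append("no sip restriction on the token")
    if info["kind"] == "service" and not info["stored_policy"]:
        findings.append("no stored access policy: revocation requires rotating the account key")
    return findings


# Constructed tokens; "sig=PLACEHOLDER" stands in for the HMAC signature.
ACCOUNT_SAS = "?sv=2022-11-02&ss=bfqt&srt=sco&sp=rwdlacup&se=2030-01-01T00:00:00Z&spr=https&sig=PLACEHOLDER"
SERVICE_SAS = "?sv=2022-11-02&sr=b&sp=r&se=2024-01-02T00:00:00Z&sip=203.0.113.0-203.0.113.255&si=partner-read&sig=PLACEHOLDER"

if __name__ == "__main__":
    for tok in (ACCOUNT_SAS, SERVICE_SAS):
        info = classify_sas(tok)
        print(info["kind"], review_findings(info))
```

Note that `sip` narrows where the token may be presented from, but it is a property of the token; it does not replace, and cannot override, the storage account firewall discussed in question 2.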