AZ-104 Microsoft Azure Administrator: 100 Interview

Questions & Answers

Module 1: Manage Azure Identities and Governance (15-20%)

1. What is Microsoft Entra ID (Azure Active Directory) and what are its core
functions for an Azure Administrator?

Answer: Microsoft Entra ID (formerly Azure Active Directory) is Microsoft's cloud-based

identity and access management service. For an Azure Administrator, its core functions
include:

User and Group Management: Creating, managing, and synchronizing user accounts
and groups, including external users (B2B collaboration).

Authentication: Providing single sign-on (SSO) for cloud and on-premises applications,
and enabling Multi-Factor Authentication (MFA).

Authorization: Integrating with Azure RBAC to grant access to Azure resources.

Device Management: Managing device identities for access control and compliance.

Application Management: Integrating applications for secure access and identity

provisioning.

2. Explain the difference between users and groups in Microsoft Entra ID and how
you manage them.

Answer:

Users: Individual identities that can sign in to Microsoft Entra ID. They can be cloud-
only, synchronized from on-premises AD (hybrid), or guest users. Management involves
creation, password resets, license assignments, and property modifications.

Groups: Collections of users (and other groups) used to manage access to resources
more efficiently. Instead of assigning permissions to individual users, you assign them
to groups, simplifying administration. Groups can be security groups (for access) or
Microsoft 365 groups. Management involves creation, adding/removing members, and
assigning ownership.
3. How do you implement Multi-Factor Authentication (MFA) in Microsoft Entra ID?

Answer: MFA can be implemented in Microsoft Entra ID through:

Security Defaults: A baseline level of security for all tenants, enabling MFA for
administrative roles and high-risk sign-ins.

Conditional Access Policies: The recommended and most flexible method. These
policies define "if-then" statements (e.g., if a user is from a specific location AND tries
to access a sensitive application, THEN require MFA).

Per-user MFA: An older method, where MFA is enabled for individual users, but less
flexible than Conditional Access.

4. What is Azure Role-Based Access Control (RBAC) and why is it crucial for
security?

Answer: Azure RBAC is an authorization system that provides fine-grained access

management to Azure resources. It's crucial because it allows you to:

Enforce Least Privilege: Grant users only the necessary permissions to perform their
job functions, minimizing potential damage from unauthorized access or malicious
activity.

Segregate Duties: Separate administrative responsibilities, preventing a single user

from having excessive control.

Improve Auditability: Track who has access to what, simplifying security audits and
compliance.

Simplify Management: Manage permissions at scale by assigning roles to groups or

management groups.

5. Describe the different scopes at which you can assign an Azure RBAC role.

Answer: Azure RBAC roles can be assigned at four levels of scope, from broadest to
most specific:

Management Group: A logical container for subscriptions, allowing governance and

access control across multiple subscriptions.

Subscription: A billing unit and a logical container for resource groups. Roles here
apply to all resource groups and resources within the subscription.

Resource Group: A logical container for Azure resources that share the same lifecycle.
Roles here apply to all resources within that resource group.
Resource: The smallest scope, allowing access control to a specific resource (e.g., a
single Virtual Machine, a storage account).

6. How would you troubleshoot an access issue for a user trying to access an Azure
resource?

Answer: To troubleshoot access issues:

1. Check RBAC Assignments: Verify the user's explicit role assignments at all relevant
scopes (resource, resource group, subscription, management group) and inherited
permissions.

2. Review Deny Assignments: See if any Deny assignments are preventing access.

3. Check Microsoft Entra ID Group Membership: Confirm the user is a member of any
groups that are assigned roles.

4. Verify Conditional Access Policies: See if any Conditional Access policies are
blocking access or requiring MFA that the user isn't fulfilling.

5. Examine Resource Locks: Check if a resource lock (Read-Only or Delete) is

preventing modification or deletion.

6. Review Network Security Group (NSG) rules: For connectivity issues, NSGs might
be blocking traffic.

7. Azure Activity Log: Check the activity log for failed operations and their associated
error messages.

7. What is Azure Policy and how do you use it for governance?

Answer: Azure Policy is a service that helps you create, assign, and manage policies to
enforce standards and assess compliance across your Azure environment. You use it for
governance by:

Enforcing Standards: Ensuring resource configurations adhere to organizational

requirements (e.g., only allowing specific VM sizes, requiring tags).

Cost Management: Preventing the deployment of expensive resources.

Security and Compliance: Ensuring resources meet security baselines and regulatory
compliance (e.g., requiring encryption for storage accounts).

Resource Consistency: Maintaining naming conventions and tagging strategies.

8. Explain the difference between Azure Policy and Azure RBAC.

Answer:

Azure RBAC (Role-Based Access Control): Focuses on *who* can do *what* on Azure
resources. It's about authorization for management plane operations (create, update,
delete resources).

Azure Policy: Focuses on what rules and conditions resources must adhere to. It's
about enforcing standards and assessing compliance of resource configurations.

9. How do you manage Azure subscriptions and what are management groups used
for?

Answer:

Subscription Management: Involves monitoring costs (budgets, cost alerts), managing

resource quotas, and applying policies across the subscription. Organizations often use
multiple subscriptions for different departments, environments (dev, test, prod), or
billing purposes.

Management Groups: Are logical containers that help you organize subscriptions into
hierarchies. They are used to apply governance policies and RBAC assignments at a
higher level, inheriting down to the subscriptions within them. This simplifies large-
scale policy and access management.

10. What are resource groups and what is their purpose in Azure?

Answer: A resource group is a logical container that holds related Azure resources for an
Azure solution. Its purpose is to:

Lifecycle Management: Group resources that share the same lifecycle, allowing for
easier deployment, management, and deletion as a single unit.

Delegated Administration: Simplify RBAC by applying permissions at the resource

group level rather than individual resources.

Cost Management: Track costs for a specific application or project by grouping its
resources.

Organization: Provide a structured way to organize your Azure resources.

Module 2: Implement and Manage Storage (10-15%)

11. What are the different types of Azure Storage accounts and when would you use
each?

Answer: The primary types are:

General-purpose v2 (recommended): Supports all Azure Storage services (Blobs,

Files, Queues, Tables) and offers the latest features and pricing tiers. Ideal for most
scenarios.

Block Blob Storage: Optimized for block blobs with high transaction rates or requiring
premium performance (e.g., SSDs).

File Storage: Optimized for Azure Files, providing shared file storage that can be
accessed via SMB or NFS.

Blob Storage: Legacy storage account type specifically for block and append blobs.
Less features than General-purpose v2.

General-purpose v1 (legacy): Older type, generally not recommended for new

deployments.

You'd choose based on your data type, access patterns, and performance
requirements.

12. Explain the different redundancy options for Azure Storage and their use cases.

Answer: Azure Storage offers various redundancy options to ensure data durability and
availability:

Locally Redundant Storage (LRS): Replicates data three times within a single data
center in the primary region. Lowest cost, but vulnerable to data center outages. Good
for non-critical data or local development.

Zone-Redundant Storage (ZRS): Replicates data synchronously across three Azure

availability zones in the primary region. Provides higher availability than LRS, protecting
against data center failures. Good for scenarios requiring high availability within a
region.

Geo-Redundant Storage (GRS): Replicates data three times in the primary region (LRS)
AND asynchronously replicates to a secondary, paired region. Provides excellent
disaster recovery. Ideal for critical data that needs protection against regional disasters.
Read-Access Geo-Redundant Storage (RA-GRS): Same as GRS, but provides read
access to the data in the secondary region. Useful for applications that need read
availability during a primary region outage.

Geo-Zone-Redundant Storage (GZRS): Combines ZRS in the primary region with

asynchronous replication to a secondary region. Provides both high availability within a
region and disaster recovery across regions.

Read-Access Geo-Zone-Redundant Storage (RA-GZRS): Same as GZRS, but provides

read access to the data in the secondary region.

13. How do you secure access to an Azure Storage account?

Answer: Several methods are available:

Access Keys: Two 512-bit keys (key1, key2) that grant full administrative access to the
storage account. Should be rotated regularly and used cautiously.

Shared Access Signatures (SAS): Granular, time-limited, and permission-specific

access to storage resources (blob, container, queue, table, file). Can be user delegation
SAS, service SAS, or account SAS.

Azure AD Integration (for Blob and Azure Files): Recommended for identity-based
access. You can use Azure RBAC roles to grant permissions to users/groups based on
their Microsoft Entra ID identities.

Azure Storage Firewalls and Virtual Networks: Restrict access to the storage account
to specific virtual networks and/or IP ranges, including allowing trusted Azure services.

Encryption: Data at rest is encrypted by default using Microsoft-managed keys, but

customer-managed keys (Azure Key Vault) can also be used. Data in transit is secured
using HTTPS.

14. What are the different Azure Blob storage tiers and when would you use them?

Answer:

Hot Tier: Optimized for frequently accessed data. Higher storage cost, lower access
cost. Ideal for active data (e.g., frequently accessed images, videos).

Cool Tier: Optimized for infrequently accessed data. Lower storage cost, higher access
cost. Data should be stored for at least 30 days. Good for short-term backups, older
logs.
Archive Tier: Optimized for rarely accessed data with flexible latency requirements.
Lowest storage cost, highest access cost, and higher retrieval latency (hours). Data
should be stored for at least 180 days. Perfect for long-term archives, compliance data.

15. How do you implement a blob lifecycle management policy?

Answer: A blob lifecycle management policy is configured within the storage account
settings. You define rules that automate the transition of blobs between access tiers
(e.g., from Hot to Cool after 30 days, then to Archive after 90 days) or to delete blobs
after a certain period. This helps optimize storage costs based on data access patterns.

16. Explain Azure Files and its use cases.

Answer: Azure Files provides fully managed file shares in the cloud that are accessible
via the industry-standard Server Message Block (SMB) protocol or Network File System
(NFS). Use cases include:

Lift-and-Shift Applications: Migrating on-premises applications that rely on file shares

without rewriting code.

Shared Application Settings: Centralizing configuration files for multiple VMs.

Developer Tools: Providing a shared location for development tools and scripts.

Diagnostic Logs: Storing diagnostic logs and metrics from cloud applications.

Disaster Recovery: As a target for file share replication for DR.

17. What is AzCopy and when would you use it?

Answer: AzCopy is a command-line utility designed for high-performance data transfer

to and from Azure Blob, File, and Table storage, as well as Azure Data Lake Storage.
You'd use it for:

Large-scale data migrations: Moving significant amounts of data between on-premises

and Azure, or between different Azure storage accounts.

Scripted transfers: Automating data transfer operations as part of deployment or

backup scripts.

Resumable transfers: AzCopy can resume transfers if interrupted.

18. How does object replication work for Azure Blob storage?
Answer: Object replication asynchronously copies block blobs between a source
storage account and a destination storage account. This is useful for:

Disaster Recovery: Replicating critical data to a different region for failover.

Compliance: Meeting data residency or compliance requirements by replicating data to

specific regions.

Data Distribution: Serving data from a region closer to users for improved
performance.

It's an automated, policy-based replication feature.

19. What are stored access policies in Azure Storage and why are they useful?

Answer: A stored access policy provides an additional level of control over Shared
Access Signatures (SAS). It allows you to:

Manage Multiple SAS: Define a single policy that can be used by multiple SAS tokens,
simplifying revocation.

Centralized Revocation: Revoke access for all associated SAS tokens by simply
deleting or modifying the stored access policy, rather than revoking each SAS
individually.

Extend SAS Expiration: Modify the expiration time of all associated SAS tokens without
regenerating them.

They provide better manageability and security for SAS tokens.

20. You have an on-premises application that generates large log files daily. How
would you store these efficiently and cost-effectively in Azure?

Answer:

1. Azure Blob Storage: This is the most suitable service for large amounts of
unstructured data like log files.

2. Access Tier: Initially, you might store them in the **Hot** or **Cool** tier depending
on immediate access needs.

3. Lifecycle Management: Implement a **blob lifecycle management policy** to

automatically transition older logs to the **Cool** tier after a few weeks, and then to the
**Archive** tier after a few months. This significantly reduces storage costs over time.
4. Redundancy: Choose **GRS** or **RA-GRS** for critical logs, or **LRS** for less
critical logs depending on recovery requirements.

5. Data Ingestion: Use **AzCopy** for bulk uploads or integrate with Azure Data
Factory or custom scripts for automated ingestion.

Module 3: Deploy and Manage Azure Compute Resources (25-30%)

21. What is an Azure Virtual Machine (VM) and what are its key components?

Answer: An Azure VM is a software emulation of a physical computer that runs an

operating system (Windows or Linux) and applications. Key components include:

Virtual Machine (VM) Instance: The compute resource itself.

Operating System Disk: A virtual hard disk (VHD) where the OS is installed.

Data Disks: Additional VHDs for storing application data.

Network Interface (NIC): Enables communication with other Azure resources and the
internet.

Virtual Network (VNet) and Subnet: Provides the logical network isolation for the VM.

Public IP Address (optional): For direct internet access.

Network Security Group (NSG): Firewall rules for inbound and outbound traffic.

Availability Options (Availability Sets, Availability Zones): For high availability.

22. Explain the different Azure VM availability options (Availability Sets vs.
Availability Zones).

Answer:

Availability Sets: Provide redundancy for VMs *within a single Azure data center*. They
distribute VMs across different fault domains (physical racks, power, network) and
update domains (logical groups for patching) to protect against localized hardware
failures and planned maintenance. Offers 99.95% SLA for two or more VMs.

Availability Zones: Offer redundancy *across physically separate data centers (zones)
within a single Azure region*. Each zone has independent power, cooling, and
networking. This protects against data center-wide failures. Offers 99.99% SLA for VMs
distributed across zones.
23. What are Azure Virtual Machine Scale Sets (VMSS) and why are they used?

Answer: VMSS allow you to create and manage a group of identical, load-balanced VMs.
They are used for:

High Availability: Automatically distributing instances across fault and update

domains.

Scalability: Automatically increasing or decreasing the number of VM instances based

on demand (auto scale).

Simplified Management: Managing a fleet of VMs as a single unit, including

configuration, patching, and upgrades.

Stateless Workloads: Ideal for applications that don't require session affinity or
maintain state on the individual VM instances.

24. How do you deploy and manage a custom VM image in Azure?

**Answer:

1. Prepare the Source VM: Create a generalized (sys prepped for Windows,
deprovisioned for Linux) VM.

2. Capture the Image: Use Azure Portal, Azure CLI, or PowerShell to capture the VM
into an Azure Compute Gallery (formerly Shared Image Gallery).

3. Create a VM from Image: Use the captured image from the Azure Compute Gallery
to deploy new VMs.

Management: Azure Compute Gallery allows you to manage versions, share images
across subscriptions and tenants, and replicate images to different regions.

25. What is Azure Disk Encryption and how does it work?

Answer: Azure Disk Encryption helps protect and safeguard your data by encrypting the
OS and data disks used by Azure Virtual Machines. It uses industry-standard BitLocker
for Windows and DM-Crypt for Linux. The encryption keys are securely stored in Azure
Key Vault. It integrates with Azure Key Vault to manage and control disk encryption keys
and secrets.

26. Explain the purpose of Azure Resource Manager (ARM) templates.

Answer: ARM templates are JSON files that define the infrastructure and configuration
for your Azure solution. Their purpose is:

Infrastructure as Code (IaC): Treat your infrastructure definition as code, enabling

version control, consistency, and repeatability.

Declarative Deployment: You declare the desired state of your resources, and Azure
Resource Manager ensures that state is achieved.

Consistency: Deploy identical environments repeatedly, reducing manual errors and

configuration drift.

Automation: Automate complex deployments and resource provisioning.

Dependency Management: ARM templates understand resource dependencies and

deploy them in the correct order.

27. How do you deploy an ARM template and what are common methods for doing
so?

Answer: ARM templates can be deployed using:

Azure Portal: Via the "Deploy a custom template" option.

Azure CLI: `az deployment group create` command.

Azure PowerShell: `New-AzResourceGroupDeployment` cmdlet.

Azure DevOps Pipelines: Integrate ARM template deployments into CI/CD pipelines for
automated releases.

REST API: Programmatic deployment.

28. What are Azure Container Instances (ACI) and when would you use them over
VMs or AKS?

Answer: Azure Container Instances (ACI) provide a fast and easy way to run containers
in Azure without managing underlying VMs or orchestrators. You'd use ACI when:

Simple Container Deployment: You need to run a single container or a small group of
containers without the overhead of a full Kubernetes cluster.

Burst Workloads: For short-lived, event-driven tasks that need to scale up and down
quickly.

Development and Testing: Rapidly test and iterate on containerized applications.

Serverless Container: When you want a serverless approach for running containers,
paying only for the compute used.

29. What is Azure Kubernetes Service (AKS) and what are its benefits?

Answer: Azure Kubernetes Service (AKS) is a managed Kubernetes service that

simplifies deploying, managing, and scaling containerized applications using
Kubernetes. Benefits include:

Simplified Operations: Azure manages the Kubernetes control plane, reducing

operational overhead.

Scalability: Easily scale your applications and underlying infrastructure.

Integration: Seamless integration with other Azure services (e.g., Azure Monitor, Azure
Container Registry, Azure Networking).

Developer Productivity: Provides a familiar Kubernetes environment for developers.

Cost Optimization: Pay only for the agent nodes (VMs) in your cluster.

30. You need to host a simple web application in Azure that requires minimal
management overhead and can scale automatically. What compute service would
you recommend and why?

Answer: I would recommend Azure App Service or Azure Container Apps.

Azure App Service: This is a Platform-as-a-Service (PaaS) offering, ideal for web apps.
It handles infrastructure, patching, and scaling, requiring minimal management. It
supports various languages and frameworks.

Azure Container Apps: This is a good choice if the web application is already
containerized or if you prefer a container-first approach with serverless characteristics.
It also offers automatic scaling and simplified deployment of microservices and
containerized apps.

Module 4: Configure and Manage Virtual Networking (30-35%)

31. What is an Azure Virtual Network (VNet) and what are its key components?
Answer: An Azure VNet is a logically isolated network within the Azure cloud. It enables
Azure resources to securely communicate with each other, the internet, and on-
premises networks. Key components:

Address Space: A private IP address range for the VNet.

Subnets: Logical subdivisions of the VNet's address space.

Network Security Groups (NSGs): Firewall rules for controlling traffic flow to/from
resources.

Virtual Network Gateways (optional): For connecting to on-premises networks or

other VNets.

DNS Servers: For name resolution within the VNet.

32. Explain the purpose of Network Security Groups (NSGs) and how they function.

Answer: NSGs act as a virtual firewall for your Azure resources. They contain security
rules that allow or deny inbound and outbound network traffic to or from various Azure
resources. Each rule specifies:

Priority: Lower numbers are processed first.

Source/Destination: IP addresses, CIDR blocks, Service Tags, Application Security

Groups.

Protocol: TCP, UDP, ICMP, Any.

Port Range: Specific ports or ranges.

Action: Allow or Deny.

NSGs can be associated with subnets or individual network interfaces (NICs).

33. What are Application Security Groups (ASGs) and how do they differ from
NSGs?

Answer: ASGs allow you to configure network security as a natural extension of an

application's structure, rather than explicit IP addresses.

NSGs are network-centric, defining rules based on IP addresses, subnets, or service

tags.

ASGs are application-centric. You create an ASG, assign network interfaces (NICs) of
VMs to it, and then use the ASG name in NSG rules. This simplifies rule management
when you have many VMs belonging to the same application tier (e.g., web servers,
database servers). If a VM's IP changes, the ASG rule remains valid.

34. Describe Azure VNet Peering and its use cases.

Answer: VNet Peering connects two Azure Virtual Networks, allowing resources in both
VNets to communicate with each other as if they were in the same network, using
Microsoft's backbone network. Use cases:

Hub-and-Spoke Topologies: A central (hub) VNet hosts shared services (e.g., firewalls,
VPN gateways), and spoke VNets host application workloads.

Cross-Subscription Connectivity: Connecting VNets that belong to different

subscriptions.

Data Sharing: Enabling secure and high-bandwidth communication between

applications in different VNets.

Isolation: Maintaining network isolation for different environments (dev, test, prod)
while allowing controlled communication.

35. What is Azure Bastion and why would you use it?

Answer: Azure Bastion is a fully managed PaaS service that provides secure and
seamless RDP/SSH access to your Azure Virtual Machines directly through the Azure
portal over SSL. You use it to:

Enhance Security: Eliminate the need for public IP addresses on your VMs, reducing
attack surface.

Simplify Access: Connect to VMs using a web browser, without needing a VPN client or
a dedicated jump server.

Centralized Logging: All Bastion connections are logged in Azure Monitor.

Just-in-Time Access: Can be integrated with Azure AD Privileged Identity Management

for time-limited access.

36. Explain the concept of User-Defined Routes (UDRs) and when you would
implement them.

Answer: UDRs allow you to override Azure's default routing behavior for specific traffic
flows. You implement them when:
Forced Tunneling: Directing all outbound internet bound traffic from a subnet through a
Network Virtual Appliance (NVA) like a firewall for inspection and auditing.

Routing Through NVAs: Forcing traffic to go through a firewall, load balancer, or other
network appliance for security or network virtualization purposes.

Hybrid Connectivity Scenarios: Directing traffic to an on-premises network or another

VNet via a VPN Gateway or ExpressRoute.

37. How do you configure DNS for an Azure Virtual Network?

Answer: You can configure DNS for an Azure VNet in two ways:

Azure-provided DNS servers: By default, Azure assigns its own DNS servers, which can
resolve public hostnames and private DNS zones.

Custom DNS servers: You can specify your own DNS servers (e.g., on-premises DNS
servers, domain controllers in Azure) for the VNet. This is common in hybrid
environments or when specific name resolution requirements exist.

Additionally, you can use **Azure Private DNS Zones** for internal name resolution
within VNets.

38. What is an Azure Load Balancer and what are its types?

Answer: An Azure Load Balancer distributes incoming network traffic across multiple
healthy virtual machines or instances in a backend pool. It provides high availability and
network performance for applications.

Types:

Basic Load Balancer: Simple, limited features, and typically used for dev/test
environments.

Standard Load Balancer: Production-ready, offers high performance, zone

redundancy, and enhanced monitoring. Supports private link and more complex
scenarios.

39. When would you choose Azure Application Gateway over an Azure Load
Balancer?

Answer:
Azure Load Balancer (Layer 4 - TCP/UDP): Used for basic load balancing of network
traffic across backend instances. Ideal for non-HTTP(S) traffic or when you only need
simple port forwarding.

Azure Application Gateway (Layer 7 - HTTP/HTTPS): An application delivery controller

(ADC) offering advanced load balancing for web applications. Choose it when you need:

SSL/TLS Termination: Offload encryption/decryption from backend servers.

Web Application Firewall (WAF): Protect web applications from common web
vulnerabilities.

URL-based Routing: Route traffic based on URL paths.

Multi-site Hosting: Host multiple web applications on a single Application Gateway.

Session Affinity: Directing a user's requests to the same backend server.

40. You need to connect your on-premises data center to an Azure VNet securely
and reliably. What connectivity options would you consider?

Answer:

Site-to-Site VPN (VPN Gateway): Uses IPsec/IKE VPN tunneling over the public
internet. Cost-effective and relatively easy to set up for many scenarios. Provides
encrypted connectivity.

Azure ExpressRoute: Provides a private, dedicated, high-bandwidth connection

between your on-premises network and Azure, bypassing the public internet. Offers
lower latency, higher bandwidth, and more reliability. Ideal for mission-critical
applications, large data transfers, and hybrid environments.

Point-to-Site VPN (VPN Gateway): For individual client computers to connect to an

Azure VNet securely (e.g., remote developers).

Module 5: Monitor and Backup Azure Resources (10-15%)

41. What is Azure Monitor and what are its core capabilities?

Answer: Azure Monitor is a comprehensive monitoring solution for applications,

infrastructure, and network resources in Azure and on-premises. Its core capabilities
include:

Collect: Gathers metrics, logs, and traces from various sources.

Analyze: Provides tools like Log Analytics Workspaces and Application Insights for data
analysis.

Visualize: Offers dashboards, workbooks, and integration with Power BI.

Respond: Enables alerts, autoscale, and automated actions based on monitoring data.

Integrate: Connects with other services and third-party tools.

42. Explain the difference between Azure Monitor Metrics and Logs.

Answer:

Metrics: Numerical values that describe some aspect of a system at a particular point
in time (e.g., CPU utilization, network I/O, storage transactions). They are lightweight,
near real-time, and ideal for performance trending and alerting.

Logs: Event data that describes what happened at a particular time (e.g., audit logs,
diagnostic logs, application logs). They contain richer, more detailed information and
are ideal for deep analysis, troubleshooting, and auditing. Logs are queried using Kusto
Query Language (KQL) in Log Analytics.

43. How do you set up an alert in Azure Monitor?

Answer: To set up an alert:

1. Select a resource: Choose the resource you want to monitor (e.g., VM, storage
account).

2. Define a condition: Based on metrics (e.g., CPU usage > 80% for 5 minutes), logs
(e.g., specific error message in logs), or activity log events.

3. Configure actions: Define what happens when the alert fires, such as:

Notifications: Email, SMS, push notifications, webhooks.

Automation: Triggering an Azure Function, Logic App, or Automation Runbook.

ITSMC integration: Create tickets in ITSM tools.

4. Define alert details: Severity, name, description.

44. What is Log Analytics Workspace and why is it important for Azure monitoring?

Answer: A Log Analytics Workspace is a unique environment in Azure Monitor where log
data is collected, aggregated, and stored. It's important because:
Centralized Log Storage: Collects logs from various Azure resources, on-premises
servers, and other cloud environments into a single repository.

Powerful Querying: Enables deep analysis of log data using Kusto Query Language
(KQL) to identify trends, troubleshoot issues, and gain operational insights.

Data Correlation: Allows correlation of logs from different sources to understand

complex system behaviors.

Alerting and Automation: Basis for log-based alerts and automated actions.

45. Describe Azure Network Watcher and its key capabilities.

Answer: Azure Network Watcher is a regional service that provides tools to monitor,
diagnose, and audit network health and connectivity within Azure. Key capabilities:

IP flow verify: Check if a packet is allowed or denied based on NSG rules.

Next hop: Determine the next hop for traffic, helping troubleshoot routing issues.

Connection troubleshoot: End-to-end connectivity checks between a source and

destination.

Connection monitor: Monitor network performance and connectivity over time.

NSG flow logs: Log all inbound and outbound traffic through an NSG.

VPN troubleshoot: Diagnose issues with VPN gateways.

46. What is Azure Backup and what are its benefits?

Answer: Azure Backup is a cloud-based backup service that protects your data by
backing up Azure VMs, on-premises servers, Azure file shares, SQL Server in Azure VMs,
and more. Benefits:

Cost-effective: Pay-as-you-go pricing, no upfront investment.

Scalability: Scales automatically with your data growth.

Durability: Data is stored in geo-redundant storage (GRS) by default.

Centralized Management: Manage all backups from a single Recovery Services vault.

Application-consistent backups: Ensures data integrity for applications.

Long-term retention: Store backups for extended periods for compliance.

47. Explain the process of backing up an Azure Virtual Machine.

Answer:

1. Create a Recovery Services vault: This is a logical container that stores your backup
data.

2. Enable Backup for the VM: From the VM's blade in the Azure portal, or using
PowerShell/CLI, enable backup.

3. Select a Backup Policy: Choose or create a policy defining backup frequency,

retention range (daily, weekly, monthly, yearly backups), and snapshot consistency.

4. Initial Backup: The first backup is typically a full backup, and subsequent backups
are incremental.

Azure Backup integrates with the VM and takes snapshots to ensure application-
consistent backups.

48. How do you restore an Azure Virtual Machine from a backup?

Answer: From the Recovery Services vault:

1. Navigate to Backup Items: Select the virtual machine you want to restore.

2. Choose Restore Point: Select the desired recovery point (date and time).

3. Choose Restore Configuration:

Create new VM: Restore to a new VM, useful for disaster recovery or testing.

Restore disks: Restore only the disks, which can then be attached to an existing VM or
used to create a new one.

Replace existing disks: Overwrite the disks of an existing VM (use with caution).

4. Confirm and Restore: The restore process is initiated, creating a new VM or

attaching disks as specified.

49. What is Azure Site Recovery and how does it differ from Azure Backup?

Answer:

Azure Backup: Primarily a backup solution for data protection and recovery from data
corruption, accidental deletion, or short-term outages. It takes point-in-time copies of
data.
Azure Site Recovery (ASR): A disaster recovery (DR) solution that enables continuous
replication of VMs (Azure VMs, VMware VMs, Hyper-V VMs, physical servers) to Azure or
a secondary site. It focuses on keeping applications running during major outages by
failing over to a replica. Key differences are RTO (Recovery Time Objective) and RPO
(Recovery Point Objective): ASR aims for low RTO/RPO, while Backup has higher
RTO/RPO.

50. You've noticed performance degradation on several Azure VMs. What steps
would you take to investigate using Azure Monitor?

Answer:

1. Azure Monitor Metrics: Start by checking key performance metrics for the affected
VMs (CPU utilization, memory usage, disk IOPS, network in/out) over time. Look for
correlations with the degradation.

2. Azure Monitor Alerts: Check if any alerts have fired for these VMs, indicating
resource exhaustion or other issues.

3. Log Analytics Workspace: If diagnostic settings are enabled, query the Log Analytics
Workspace for VM diagnostic logs (Syslog/Windows Event Logs), boot diagnostics, and
performance counters. Look for error messages, application crashes, or specific events
coinciding with the performance issues.

4. Application Insights: If the VMs host applications, check Application Insights for
application-specific performance issues (response times, failed requests,
dependencies).

5. Network Watcher: Use Connection Troubleshoot or IP flow verify to rule out network
connectivity issues or NSG blocking traffic.

6. Scale Up/Out: If resource exhaustion is consistent, consider scaling up (increasing

VM size) or scaling out (using VM Scale Sets).

Real-Time Industry Standards & Advanced Scenarios (51-100)

51. How would you design a secure network architecture for a multi-tier application
in Azure?

Answer:
VNet Segmentation: Create a VNet with separate subnets for each tier (Web, App, DB).

NSGs: Apply NSGs to each subnet to control traffic flow between tiers (e.g., Web tier
can talk to App tier on specific ports, App tier can talk to DB tier).

Application Security Groups (ASGs): Use ASGs to simplify NSG rules for application
tiers.

Internal Load Balancer: Use Internal Load Balancers for distributing traffic within tiers
(e.g., between web servers).

Application Gateway (with WAF): For inbound internet traffic to the web tier, use an
Application Gateway with WAF to protect against web vulnerabilities and provide SSL
termination.

Azure Private Link: For secure, private connectivity to Azure PaaS services (e.g., Azure
SQL Database) without exposing them to the public internet.

Azure Firewall: For centralized outbound internet access control and inspection.

Azure Bastion: For secure RDP/SSH access to VMs without public IPs.

52. Your company wants to ensure all newly created storage accounts are Geo-
Redundant. How would you enforce this using Azure Policy?

Answer:

1. Define a Custom Policy Definition: Create an Azure Policy that has a `deny` effect.

2. Policy Rule: The policy rule would check the `Microsoft.Storage/storageAccounts`

resource type and specifically evaluate the `sku.name` property.

3. Condition: The condition would be `where sku.name is not like 'Standard_GRS' OR

'Standard_RAGRS' OR 'Premium_GRS'`. (Adjust for desired premium GRS options).

4. Assignment: Assign this policy to the relevant management group, subscription, or

resource group.

This policy will prevent the creation of any storage account that does not meet the Geo-
Redundant requirement.

53. How do you manage costs effectively in Azure for a large enterprise?

Answer:

Azure Cost Management + Billing: Use its tools for monitoring, forecasting, and setting
budgets and alerts.
Tagging: Implement a robust tagging strategy (e.g., `Owner`, `Department`,
`Environment`, `Project`) to categorize and allocate costs.

Right-sizing Resources: Regularly review resource utilization (Azure Advisor

recommendations, Azure Monitor) and resize VMs, databases, etc., to match actual
needs.

Reserved Instances (RIs): Purchase RIs for consistent, long-running workloads (VMs,
SQL Database) to achieve significant discounts.

Azure Hybrid Benefit: Leverage existing Windows Server and SQL Server licenses to
save costs on Azure VMs.

Delete Unused Resources: Identify and deallocate/delete resources that are no longer
needed.

Automation: Automate start/stop schedules for non-production environments.

Azure Advisor: Regularly review Advisor recommendations for cost optimization.

Azure Policy: Enforce cost-saving policies (e.g., restrict expensive VM sizes).

54. A development team needs secure access to a VM in an isolated VNet. They

don't have VPN access. How would you provide this securely?

Answer: I would implement Azure Bastion.

1. Deploy an Azure Bastion host in a dedicated subnet within the VNet where the VM
resides.

2. Users can then connect to the VM directly through the Azure portal (or native
RDP/SSH client with Bastion Shareable Link) via their web browser.

This eliminates the need for public IP addresses on the VMs, a VPN client, or exposing
an RDP/SSH port directly to the internet, significantly enhancing security.

55. Describe a scenario where you would use Azure Storage Explorer vs. AzCopy.

Answer:

Azure Storage Explorer: A GUI-based desktop application. Use it for:

Interactive management: Browse, uploading, downloading, and managing individual

blobs, files, queues, or tables.

Visualizing data: Easily inspect contents of storage accounts.

Small-scale operations: When you need to quickly move a few files or folders.

AzCopy: A command-line utility. Use it for:

Large-scale bulk transfers: Migrating terabytes of data.

Automated scripting: Integrating data transfers into CI/CD pipelines, backup scripts,
or scheduled tasks.

High-performance transfers: Optimized for speed and can handle resumable

transfers.

56. How do you ensure business continuity and disaster recovery (BCDR) for Azure
VMs?

Answer:

Azure Site Recovery (ASR): For near real-time replication and failover of VMs to a
secondary Azure region. This is the primary DR solution for low RTO/RPO.

Azure Backup: For regular backups and point-in-time recovery to protect against data
loss. Provides longer retention and less aggressive RTO/RPO than ASR.

Availability Sets/Zones: For high availability *within* a region, protecting against

localized failures.

Cross-Region VNet Peering: To enable network connectivity between primary and

secondary regions for ASR and failover.

Application-level redundancy: Designing the application to be resilient across regions

(e.g., using global load balancers, active-active deployments).

57. A user reports that they cannot create any resources in a specific resource
group, but they are a "Contributor" on the subscription. How would you
troubleshoot this?

Answer:

1. Check Resource Group Locks: The most common reason for a Contributor not being
able to create or modify resources at a resource group level is a `Read-Only` or
`Delete` resource lock applied to that resource group or even the subscription level.

2. Azure Policy Deny Assignment: An Azure Policy with a `deny` effect might be
preventing the creation of that specific resource type or combination of properties
within that resource group.
3. RBAC Deny Assignments: Although rare, explicit deny assignments can override
allow permissions.

4. Subscription Quotas: The subscription might have reached a resource quota limit
for that specific resource type or in that region.

5. Microsoft Entra ID Role (less likely for Contributor, but good to check): Ensure the
user's Microsoft Entra ID account is active and not blocked.

58. Explain how you would implement a hybrid identity solution using Microsoft
Entra Connect.

Answer: Microsoft Entra Connect synchronizes user identities, groups, and contacts
from an on-premises Active Directory Domain Services (AD DS) to Microsoft Entra ID.

1. Prerequisites: Ensure on-premises AD DS health, network connectivity, and

appropriate permissions.

2. Installation: Install Microsoft Entra Connect on a domain-joined server.

3. Configuration: Configure synchronization options (password hash synchronization,

pass-through authentication, or federation with ADFS), OU filtering, attribute filtering,
and password writeback if needed.

4. Synchronization: The tool then performs initial and ongoing synchronization of

identities.

This allows users to use their on-premises credentials to access cloud resources.

59. You need to deploy 50 identical Linux VMs for a batch processing workload that
scales based on CPU utilization. How would you automate this deployment?

Answer:

1. Custom Image: Create a generalized custom Linux VM image with all necessary
applications and configurations. Store it in an Azure Compute Gallery.

2. Azure Virtual Machine Scale Set (VMSS): Deploy a VMSS using the custom image.

3. Autoscaling: Configure autoscaling rules for the VMSS based on CPU utilization
metrics. Define a minimum and maximum instance count.

4. Deployment Automation: Use an **ARM template** (preferred for IaC) or Azure

CLI/PowerShell scripts to define and deploy the VMSS and its configurations
(networking, storage, autoscale rules).
5. Monitoring: Integrate with Azure Monitor to track performance and scaling events.

60. How would you ensure only authorized services can access an Azure Storage
account, restricting public internet access?

Answer:

1. Azure Storage Firewalls and Virtual Networks:

* Set the storage account's network access to "Enabled from selected virtual
networks and IP addresses".

* Add the virtual networks and specific subnets where your authorized Azure services
(e.g., VMs, App Services, Functions) reside to the allowed list.

* Enable "Allow trusted Microsoft services to access this storage account" if

necessary (e.g., for Azure Backup, Azure Site Recovery).

2. Azure Private Link (preferred for PaaS): For PaaS services (e.g., Azure SQL
Database, Azure Web Apps) that need to access the storage account, configure an
Azure Private Endpoint for the storage account within your VNet. This creates a private
IP address for the storage account, making it accessible only from your VNet.

3. Disable Public Access: Ensure the storage account's public access is disabled.

61. What are Service Endpoints and Private Endpoints, and when would you use
each?

Answer:

Service Endpoints: Extend your virtual network's private address space and the identity
of your VNet to Azure services (e.g., Azure Storage, Azure SQL Database). Traffic to
these services stays on the Azure backbone network. Use them for:

* Securing PaaS services to specific VNets without needing public IP addresses on the
PaaS service.

* Simpler to configure than Private Endpoints.

Private Endpoints (Azure Private Link): A network interface that connects you privately
and securely to a service powered by Azure Private Link. It brings the service into your
VNet by creating a private IP address within your VNet. Use them for:

* More secure and granular access control, as the service is truly accessed via a
private IP within your VNet.

* Accessing services across subscriptions or even from on-premises over

VPN/ExpressRoute.
 * Overlapping IP address spaces are not an issue.

* Preferred for critical production workloads.

62. You need to migrate an on-premises SQL Server database to Azure. What are the
options and which would you recommend for a lift-and-shift scenario?

Answer:

Azure SQL Database (PaaS): Fully managed, serverless option, ideal for cloud-native
applications or when you want to offload database administration.

Azure SQL Managed Instance (PaaS): Offers near 100% compatibility with on-
premises SQL Server, ideal for lift-and-shift scenarios that require a higher level of SQL
Server feature compatibility than Azure SQL Database.

SQL Server on Azure Virtual Machines (IaaS): You manage the OS and SQL Server.
Provides maximum control and compatibility, ideal for highly customized SQL Server
deployments or specific licensing requirements.

Recommendation for lift-and-shift: **Azure SQL Managed Instance** is generally the

best choice as it minimizes application changes while leveraging a managed service. If
full control over the OS and SQL Server is paramount, or specific features are only
available in SQL Server on VM, then that would be considered.

63. How do you implement automated patching for Windows and Linux VMs in
Azure?

Answer:

Azure Update Management (part of Azure Automation): This is the primary service. It
allows you to:

* Assess the update compliance of your VMs.

* Schedule deployments of missing updates for both Windows and Linux.

* Integrate with Log Analytics for reporting and compliance.

Azure Automation Runbooks: Create custom runbooks to apply patches.

VM Extensions: Use custom script extensions or Desired State Configuration (DSC)

extensions for more granular control, though Update Management is generally simpler
for large-scale patching.
64. A new compliance requirement dictates that all sensitive data in Azure Storage
must be encrypted with customer-managed keys. How do you achieve this?

Answer:

1. Create an Azure Key Vault: This is where your encryption keys will be securely
stored.

2. Generate/Import Key: Generate a new key or import an existing one into the Key
Vault.

3. Grant Storage Account Access: Grant the storage account's Managed Identity
(System-assigned or User-assigned) appropriate permissions (e.g., "Key Vault Crypto
Service Encryption User") to access the key in Key Vault.

4. Configure Encryption for Storage Account: In the storage account's encryption

settings, select "Customer-managed keys" and specify the Key Vault and the key to be
used.

This ensures that your data at rest in the storage account is encrypted using a key you
control.

65. You are managing a large number of Azure resources. How do you enforce
naming conventions and tagging policies?

Answer:

Azure Policy: Create Azure Policies with the `DeployIfNotExists` or `AuditIfNotExists`

effect to:

Enforce Naming Conventions: Define patterns (e.g., `resourcetype-env-name-

region`) and audit/deny resources that don't follow them.

Require Tags: Ensure specific tags (e.g., `Environment`, `CostCenter`) are present on
all resources.

Inherit Tags: Automatically inherit tags from the resource group or subscription.

Management Groups: Apply these policies at the management group level to cascade
down to all subscriptions.

Azure Resource Graph: Use Resource Graph to query for non-compliant resources and
identify resources missing tags or violating naming conventions.

Automation: Integrate policy enforcement with ARM templates or CI/CD pipelines to

ensure compliance at deployment time.
66. How do you troubleshoot network connectivity between two Azure VMs in
different subnets of the same VNet?

Answer:

1. Check NSG Rules: This is the most common culprit. Use Azure Network Watcher's
**IP flow verify** to simulate traffic and see if any NSG rules (inbound or outbound on
either VM/subnet) are blocking communication.

2. Check UDRs: If User-Defined Routes are in place, they might be directing traffic
unexpectedly. Use Network Watcher's Next hop to confirm routing.

3. VM Network Configuration: Verify IP addresses, subnet masks, and DNS settings on

both VMs.

4. Firewall within VM: Check operating system firewalls (Windows Firewall,

iptables/firewalld for Linux) on both VMs.

5. Application Listening Ports: Ensure the application on the destination VM is

listening on the expected port.

6. Connection Troubleshoot (Network Watcher): Perform an end-to-end connection

troubleshoot between the two VMs.

67. What are the benefits of using Azure Managed Disks over Unmanaged Disks?

Answer: Azure Managed Disks are the recommended and preferred way to manage VM
disks.

Simplified Management: Azure handles the storage accounts, block blobs, and
availability for you. You don't need to create or manage storage accounts for your disks.

Better Scalability: You can deploy thousands of VMs with managed disks in a single
subscription.

Higher Availability: Automatic distribution of disks into different fault domains for
better availability.

Better Security: Improved security with features like Azure Disk Encryption and RBAC
on disks.

Snapshot Management: Easier creation and management of snapshots.

Consistency: Consistent performance.

Redundancy: Supports various storage redundancy options.

68. How would you ensure only authenticated users from your Microsoft Entra ID
can access an Azure Web App?

Answer:

1. Azure App Service Authentication/Authorization (Easy Auth): This is the simplest

and recommended method. Enable "Authentication" for your Azure App Service and
configure it to use Microsoft Entra ID as an identity provider. You can choose to allow
only authenticated users or allow anonymous requests with optional authentication.

2. Role-Based Access Control (RBAC) in App Service: Map Microsoft Entra ID groups
to application roles defined within your web app, allowing fine-grained authorization.

3. Managed Identities: If the web app needs to access other Azure resources (e.g.,
Azure SQL Database, Key Vault), use Managed Identities for Azure resources to
authenticate the app itself, rather than using connection strings with credentials.

69. You need to provide temporary, read-only access to a specific Azure Storage
container for an external partner. How would you achieve this securely?

Answer: I would generate a Shared Access Signature (SAS) token with the following
characteristics:

Service SAS: Apply it to the specific container.

Permissions: Grant only "Read" and "List" permissions.

Start and Expiry Times: Set a very short validity period (e.g., a few hours or a day) that
aligns with the partner's immediate need.

Allowed IP Addresses (Optional but Recommended): Restrict the SAS to specific IP

addresses if the partner's IP is static.

HTTPS Only: Ensure the SAS enforces HTTPS.

Additionally, if this is a recurring need, consider creating a **Stored Access Policy** on

the container and then generating SAS tokens that refer to that policy, allowing for easier
revocation if needed.

70. Explain the process of extending a data disk on an Azure VM.

Answer:
1. Stop/Deallocate VM: For Windows VMs, it's generally recommended to deallocate
the VM to ensure disk consistency. For Linux, you might be able to online resize
depending on the filesystem and kernel.

2. Resize Disk in Azure Portal/CLI/PowerShell: Go to the VM's disk settings and

increase the size of the data disk.

3. Start VM: Start the VM after resizing the disk.

4. Extend Volume within OS:

Windows: Open Disk Management, rescan disks, and extend the volume into the
unallocated space.

Linux: Use `lsblk` to identify the disk, then `fdisk` or `parted` to resize the partition,
and `resize2fs` (for ext4) or `xfs_growfs` (for XFS) to extend the filesystem.

71. How would you implement a cost-saving measure for development/test VMs
that are only used during business hours?

Answer:

1. Azure Automation Runbooks: Create an Azure Automation account and schedule

runbooks to:

Start VMs: At the beginning of business hours (e.g., 9:00 AM IST).

Stop/Deallocate VMs: At the end of business hours (e.g., 6:00 PM IST).

2. Auto-shutdown feature: For individual VMs, you can enable the "Auto-shutdown"
feature directly in the Azure portal, which will automatically shut down the VM at a
specified time. This is simpler for a few VMs.

3. Azure DevTest Labs: For more comprehensive management of dev/test

environments, consider Azure DevTest Labs, which provides built-in policies for auto-
shutdown, auto-startup, and setting max VMs per user.

72. You have multiple web applications and APIs that need a central point of entry
with SSL termination and path-based routing. What Azure service would you use?

Answer: Azure Application Gateway would be the ideal service.

SSL Termination: It can handle SSL/TLS encryption and decryption, offloading the work
from your backend web servers.
Path-based Routing: You can configure rules to direct traffic to different backend pools
based on the URL path (e.g., `/api/*` to API backend pool, `/web/*` to web application
backend pool).

Centralized Entry Point: Acts as a single public endpoint for all your applications.

WAF (Optional): Can be enabled for additional security.

73. What is Just-in-Time (JIT) VM Access in Azure Security Center, and why is it
important?

Answer: JIT VM Access is a feature of Azure Security Center (now Microsoft Defender for
Cloud) that helps reduce the attack surface of your VMs by allowing controlled, time-
limited access to specific management ports (RDP, SSH) only when needed.

Importance:

Reduces Attack Surface: Closes management ports by default, preventing brute-force

attacks.

Least Privilege: Grants temporary, just-enough-access to authorized users.

Auditability: All JIT access requests are logged, providing an audit trail.

Integration: Integrates with Microsoft Entra ID PIM for even more robust access
control.

74. How do you implement custom DNS for an Azure VNet, resolving both public
and private hostnames?

Answer:

1. Configure VNet DNS Servers: In your VNet's DNS settings, set the custom DNS
servers to the IP addresses of your internal DNS servers (e.g., domain controllers in
Azure). This will handle internal name resolution.

2. Azure Private DNS Zones: For private hostnames of Azure resources within your
VNet (e.g., `vm1.internal.contoso.com`), create an Azure Private DNS Zone and link it
to your VNet. This allows VMs in the VNet to resolve these private hostnames.

3. Conditional Forwarders (On-premises DNS): If your internal DNS servers are on-
premises, ensure they have conditional forwarders configured to forward Azure-specific
DNS queries (e.g., for `privatelink.blob.core.windows.net`) to Azure DNS.
75. You need to capture logs from Azure VMs and store them centrally for analysis
and compliance. How would you set this up?

Answer:

1. Enable VM Diagnostics: For each Azure VM, enable VM diagnostic settings.

Configure it to send desired logs (e.g., Windows Event Logs, Syslog, Performance
Counters) to a **Log Analytics Workspace**.

2. Create a Log Analytics Workspace: If not already present, create a dedicated Log
Analytics Workspace in Azure Monitor.

3. Kusto Query Language (KQL): Use KQL queries in Log Analytics to analyze, filter, and
correlate the collected logs.

4. Dashboards and Workbooks: Create custom dashboards or workbooks in Azure

Monitor to visualize key log data and trends.

5. Export Data (Optional): If long-term archival or further processing is needed,

configure data export from Log Analytics to an Azure Storage account or Azure Event
Hubs.

76. How would you move an Azure VM from one resource group to another within
the same subscription?

Answer:

1. Identify Resources: Identify all dependent resources associated with the VM (disks,
NICs, public IPs, NSGs, availability sets). It's crucial to move all related resources
together to maintain connectivity and functionality.

2. Use Azure Portal/CLI/PowerShell:

Azure Portal: Navigate to the VM, select "Move" -> "Move to another resource group".
Select all associated resources.

Azure CLI: `az resource move --ids <resource_id_1> <resource_id_2> --destination-

group <destination_resource_group_name>`

Azure PowerShell: `Move-AzResource -DestinationResourceGroupName

<destination_resource_group_name> -ResourceId <resource_id>`

3. Validation: Azure performs a validation step to ensure the move is possible without
breaking dependencies.

4. Confirm: Confirm the move. The operation typically takes a few minutes.
77. Your company wants to migrate an existing application to Azure, but it relies
heavily on file shares accessed via SMB. What is the best Azure service for this?

Answer: Azure Files is the best service for this scenario.

* It provides fully managed file shares that can be accessed via the SMB protocol,
making it compatible with existing applications.

* You can mount Azure File shares directly from Azure VMs or on-premises servers.

* For hybrid scenarios, Azure File Sync can be used to cache Azure File shares on-
premises for local performance while maintaining synchronization with the cloud.

78. How do you implement a secure connection between an Azure VNet and an on-
premises network using a VPN Gateway, and what are the key requirements?

Answer:

1. Create a Virtual Network Gateway: In your Azure VNet, create a VPN Gateway
(Route-based for Site-to-Site).

2. Create a Local Network Gateway: In Azure, define a "Local Network Gateway"

resource that represents your on-premises VPN device and its public IP address and
network address spaces.

3. Configure Connection: Create a "Connection" between the Azure VPN Gateway and
the Local Network Gateway, specifying the connection type (Site-to-Site) and a shared
key (pre-shared key).

4. Configure On-premises VPN Device: Configure your on-premises VPN device

(router/firewall) to establish an IPsec VPN tunnel to the Azure VPN Gateway's public IP
address, using the same shared key and matching encryption parameters.

Key Requirements:

* Non-overlapping IP address spaces between Azure VNet and on-premises network.

* Public IP address for the on-premises VPN device.

* Supported VPN device.

* Matching VPN parameters (encryption, hashing, Perfect Forward Secrecy, lifetime

values).

79. What is Azure Identity Protection and how does it enhance security for
Microsoft Entra ID users?
Answer: Azure Identity Protection is a feature of Microsoft Entra ID P2 that detects
potential vulnerabilities affecting your organization's identities, configures automated
responses to suspicious actions, and investigates suspicious incidents. It enhances
security by:

Risk Detection: Identifies risky sign-ins (e.g., from unfamiliar locations, impossible
travel, infected devices) and compromised credentials.

Automated Responses: Configures risk-based Conditional Access policies to block

access, require MFA, or enforce password changes when a risk is detected.

Reporting: Provides reports on risky users, risky sign-ins, and risk detections.

Remediation: Helps administrators remediate compromised identities.

80. You are tasked with migrating a legacy application running on a physical server
to an Azure VM. What tool or service would you use for the migration, and why?

Answer: I would primarily use Azure Migrate.

Assessment: Azure Migrate provides tools for discovery, assessment, and migration of
on-premises servers, databases, and web applications. It helps you understand
dependencies, assess readiness for Azure, and estimate costs.

Migration Tool: For physical servers, Azure Migrate supports agent-based migration.
You install an agent on the physical server, and it replicates the server's data to Azure.
Once replicated, you can perform a test failover and then a final cutover.

Why: Azure Migrate simplifies the end-to-end migration process, provides insights for
planning, and supports various migration scenarios beyond just VMs (databases, web
apps).

81. How do you implement fine-grained authorization for a web application

accessing an Azure SQL Database, using Managed Identities?

Answer:

1. Enable Managed Identity for Web App: In the Azure App Service (or other Azure
resource hosting the web app), enable a System-assigned Managed Identity (or create a
User-assigned Managed Identity).

2. Grant SQL Database Access: Go to the Azure SQL Database or SQL Server, and
grant the Managed Identity specific permissions. Instead of a SQL login/user with a
password, you'd create a contained database user (or a Microsoft Entra ID user in the
master database mapped to the Managed Identity) and then grant it `db_datareader`,
`db_datawriter`, or other specific permissions.

This eliminates the need to store credentials in configuration files or code, improving
security and simplifying credential rotation.

82. You need to ensure that all VMs deployed in a specific subscription have Azure
Disk Encryption enabled. How can you enforce this?

Answer:

1. Azure Policy: Create an Azure Policy definition with a `deny` or `auditIfNotExists`

effect.

2. Policy Rule: The policy rule would target the `Microsoft.Compute/virtualMachines`

resource type.

3. Condition: The condition would check if the `osDisk.encryptionSettings` property is

set to `null` or if the `diskEncryptionSet` property is not configured.

4. Assignment: Assign this policy to the target subscription.

This policy will either prevent the creation of non-encrypted VMs or audit them for non-
compliance.

83. How do you monitor the health and performance of an Azure VPN Gateway?

Answer:

Azure Monitor Metrics: Monitor key metrics like `Tunnel ingress/egress bytes`,
`Gateway throughput`, `Packet count (drop/forward)`.

Log Analytics Workspace: Enable diagnostic settings for the VPN Gateway to send logs
to a Log Analytics Workspace. Query these logs for connection status, errors, and
tunnel events.

Azure Network Watcher: Use the `VPN Troubleshoot` feature in Network Watcher to
diagnose common VPN gateway issues. `Connection Monitor` can also track
connectivity over time.

Gateway Logs: Access gateway logs directly for more detailed information.

Alerts: Set up alerts in Azure Monitor for critical metrics (e.g., throughput drops, tunnel
disconnections) or log events.
84. Your organization requires strict auditing of all administrative activities in
Azure. What Azure service is key for this, and how would you use it?

Answer: Azure Activity Log is the primary service for this.

What it is: The Activity Log provides a historical record of all control plane operations
(management events) in your Azure subscription, including who performed what action,
when, and from where.

How to use it:

Review in Azure Portal: Easily view recent activities.

Export to Log Analytics Workspace: For long-term retention, advanced querying

(KQL), and integration with other monitoring data, send Activity Log to a Log Analytics
Workspace.

Export to Storage Account: For cheaper long-term archival.

Export to Event Hubs: For streaming to SIEM systems (e.g., Azure Sentinel, Splunk)
for real-time security monitoring and compliance.

Set up Alerts: Create alerts based on specific activity log events (e.g., deletion of a
critical resource, privilege escalation).

85. You have a requirement to ensure network traffic between two Azure VMs in
different VNets (peered) is inspected by a firewall. How would you achieve this?

Answer: You would use User-Defined Routes (UDRs) in combination with an Azure
Firewall or a Network Virtual Appliance (NVA).

1. Deploy Azure Firewall/NVA: Deploy the firewall in a dedicated subnet (e.g.,

`AzureFirewallSubnet`) within one of the peered VNets (often a hub VNet in a hub-and-
spoke topology).

2. Configure UDRs: In both peered VNets (or relevant subnets), create UDRs that direct
traffic destined for the other VNet's address space (and potentially internet traffic if
forced tunneling is desired) to the *private IP address* of the Azure Firewall/NVA as the
next hop.

This forces all inter-VNet communication through the firewall for inspection and policy
enforcement.

86. Explain the concept of Azure Tags and their benefits.

Answer: Azure Tags are key-value pairs that you apply to Azure resources, resource
groups, or subscriptions.

Benefits:

Cost Management: Categorize resources for billing and chargeback purposes (e.g.,
`CostCenter: IT`, `Project: Alpha`).

Resource Organization: Logically group resources for easier management and

searching (e.g., `Environment: Prod`, `Application: WebApp1`).

Access Control: Use tags in Azure Policy or RBAC conditions to control access or
enforce configurations based on tag values.

Automation: Automate tasks based on tags (e.g., tagging resources for auto-
shutdown).

Reporting: Generate reports based on tagged resources.

87. How can you automate the deployment of Azure resources in a repeatable and
consistent manner?

Answer:

Azure Resource Manager (ARM) Templates: Declarative IaC for defining and deploying
Azure resources. Ideal for complex, interdependent deployments.

Bicep: A Domain Specific Language (DSL) that provides a cleaner, more readable syntax
for authoring ARM templates. Transpiles to ARM JSON.

Terraform: An open-source IaC tool that supports multi-cloud deployments, including

Azure.

Azure CLI/PowerShell Scripts: For simpler, sequential deployments or automation

tasks.

Azure DevOps Pipelines/GitHub Actions: Integrate IaC deployments into CI/CD

workflows for automated, version-controlled deployments.

88. What are Managed Identities for Azure Resources and why are they important
for security?

Answer: Managed Identities (formerly Managed Service Identity) provide Azure services
with an automatically managed identity in Microsoft Entra ID. This identity can then be
used to authenticate to any service that supports Microsoft Entra ID authentication,
without requiring credentials in your code.
Importance for Security:

Eliminates Credential Management: You no longer need to manage credentials

(connection strings, secrets, certificates) in your code, configuration files, or Key Vault,
reducing the risk of accidental exposure.

Automatic Credential Rotation: Azure automatically manages and rotates the

credentials used by the managed identity.

Azure RBAC Integration: You grant permissions to the managed identity using Azure
RBAC, providing fine-grained control.

Enhanced Security Posture: Reduces the attack surface by removing hardcoded

credentials.

89. You have an Azure SQL Database that needs to be protected against SQL
injection and other web attacks. What Azure service would you integrate?

Answer: You would integrate Azure Application Gateway with Web Application
Firewall (WAF). The WAF on Application Gateway inspects incoming web traffic to your
application (which then communicates with the SQL Database) and blocks common
web vulnerabilities like SQL injection, cross-site scripting, and others defined by
OWASP Top 10 rules.

90. How do you troubleshoot a VM that fails to start after a reboot in Azure?

Answer:

1. Boot Diagnostics: Check the Boot Diagnostics feature in the Azure portal for the VM.
This provides console output and screenshots of the VM's boot process, which often
reveals error messages or boot failures.

2. Serial Console: Use the Azure Serial Console to connect to the VM's console directly
and attempt to diagnose boot issues or access the command line.

3. VM Status/Resource Health: Check the VM's status and Resource Health for any
reported issues or service advisories.

4. Activity Log: Review the Activity Log for the VM to see if any recent operations (e.g.,
disk changes, network changes) might have caused the issue.

5. Re-deploy VM: As a last resort, if you cannot resolve the issue, you can use the
"Redeploy" option in the portal to move the VM to a different host within the Azure
infrastructure. This often resolves underlying host issues.
6. Attach OS Disk to another VM: Detach the OS disk from the problematic VM and
attach it to a working VM as a data disk to inspect logs or repair the filesystem.

91. What is the shared responsibility model in cloud computing, and what are the
Azure Administrator's responsibilities?

Answer: The shared responsibility model defines what the cloud provider (Microsoft) is
responsible for and what the customer (you, as the Azure Administrator) is responsible
for.

Microsoft's Responsibilities ("Security *of* the Cloud"): Physical security of data

centers, host infrastructure, network controls, hypervisor.

Customer's Responsibilities ("Security *in* the Cloud"): This is where the Azure
Administrator comes in. Their responsibilities include:

Data Security: Protecting your data (encryption, access control).

Endpoint Security: Securing VMs, applications, and network endpoints.

Account Management: Managing user identities, permissions (RBAC), and

authentication.

Network Controls: Configuring NSGs, VNets, firewalls.

Application Security: Ensuring applications are developed and configured securely.

Operating System Security: Patching and configuring OS for VMs.

92. How would you ensure compliance with data residency requirements for
storage in Azure?

Answer:

Region Selection: Deploy storage accounts in the specific Azure region(s) that meet
your data residency requirements.

Redundancy Options: Choose redundancy options that keep data within the required
geographical boundaries (e.g., LRS or ZRS within the region if data must stay in a single
region; avoid GRS/RA-GRS if cross-region replication is not allowed).

Azure Policy: Implement Azure Policies to enforce the allowed regions for resource
deployment, preventing users from inadvertently deploying resources outside
compliant regions.
Data Governance: Clearly document data residency policies and ensure all data flows
and storage locations comply.

93. Explain the different types of Virtual Network Gateways in Azure.

Answer: Azure Virtual Network Gateways are used to send network traffic between
Azure virtual networks and on-premises locations, or between different Azure VNets.

VPN Gateway: Encrypted traffic over the public internet.

Route-based VPN: Uses routing/IP forwarding (recommended for Site-to-Site and

VNet-to-VNet).

Policy-based VPN: Uses specific IP prefixes to encrypt/decrypt traffic (legacy, limited

use).

ExpressRoute Gateway: High-bandwidth, low-latency private connection over a

dedicated circuit.

VNet Gateway (for Point-to-Site): Enables individual client computers to connect

securely to an Azure VNet.

94. What is the role of Azure Advisor in an Azure Administrator's daily tasks?

Answer: Azure Advisor analyzes your Azure resource configurations and usage telemetry
and provides personalized, actionable recommendations to help you optimize your
Azure deployments. An Azure Administrator uses it for:

Cost Optimization: Identifying underutilized resources, recommending reserved

instances, and suggesting right-sizing.

High Availability: Recommending VM availability options, backup configurations.

Performance: Suggesting VM size changes, disk types, or network configurations.

Security: Highlighting security vulnerabilities and recommending best practices from

Microsoft Defender for Cloud.

Operational Excellence: Providing recommendations for improving resource

organization and manageability.

It acts as a personal cloud consultant.

95. How do you implement a robust logging and monitoring strategy for an
enterprise Azure environment?
Answer:

1. Centralized Log Analytics Workspace: Route all diagnostic logs (Activity Logs, VM
diagnostics, App Service logs, Network Watcher flow logs, etc.) from all Azure resources
to one or more central Log Analytics Workspaces.

2. Microsoft Entra ID Audit & Sign-in Logs: Send these logs to Log Analytics for
identity-related monitoring.

3. Azure Monitor Insights: Utilize built-in insights (VM Insights, Network Insights,
Storage Insights) for pre-configured dashboards and analysis.

4. Kusto Query Language (KQL): Train administrators to use KQL for advanced log
analysis and troubleshooting.

5. Alerting Strategy: Define comprehensive alert rules based on metrics and logs,
leveraging action groups for notification and automation.

6. Azure Sentinel (SIEM): Integrate Log Analytics with Azure Sentinel for security
information and event management, threat detection, and incident response.

7. Dashboards and Workbooks: Create custom Azure Monitor dashboards and

workbooks for key operational metrics and performance trends.

8. Automated Remediation: Use Azure Automation, Logic Apps, or Azure Functions to

respond to critical alerts.

96. Your company needs to isolate development, testing, and production

environments in Azure, both logically and from a billing perspective. How would
you structure your Azure environment?

Answer:

1. Separate Subscriptions: Create separate Azure subscriptions for each environment

(Development, Testing, Production). This provides:

Billing Isolation: Clear cost separation for each environment.

Resource Isolation: Resources in one subscription are naturally isolated from others
unless explicitly connected.

Policy and RBAC Scoping: Easier to apply different policies and RBAC roles per
environment.

2. Management Groups: Organize these subscriptions under Management Groups for

consistent policy and RBAC application across environments (e.g., a "Development"
Management Group containing all dev subscriptions).
3. Naming Conventions & Tagging: Implement strict naming conventions and tagging
policies to clearly identify resources belonging to each environment within their
respective subscriptions.

4. Network Isolation: Use VNet peering to allow controlled communication between

environments if needed (e.g., Test to Dev for data synchronization), but maintain strict
NSG rules. Production VNet should typically be fully isolated from non-prod.

5. Azure Policy: Enforce policies specific to each environment (e.g., no public IPs in
Dev, higher security policies in Prod).

97. What are Azure Private DNS Zones and how do they benefit internal name
resolution?

Answer: Azure Private DNS Zones provide a reliable, secure, and fully managed DNS
service for your virtual networks.

Benefits for Internal Name Resolution:

Seamless Integration: VMs within the linked VNets can automatically resolve names in
the private DNS zone without manual configuration.

Private and Secure: Name resolution occurs entirely within Azure's private network,
preventing exposure to the public internet.

No Custom DNS Servers Needed: Eliminates the need to deploy and manage your own
DNS servers for internal name resolution.

Zone Isolation: You can have multiple private DNS zones, even with overlapping
names, provided they are linked to different VNets.

Automatic Registration: Azure can automatically register VM hostnames in a private

DNS zone for easier discovery.

98. Describe a scenario where you would use Azure Automation Runbooks.

Answer: Azure Automation Runbooks are useful for automating repetitive, time-
consuming, or error-prone management tasks.

Scenario: Automating VM Patching and Updates:

You could create a PowerShell or Python runbook that:

1. Connects to Azure.
2. Identifies VMs that are missing critical updates (e.g., using Azure Update
Management assessment data).

3. Initiates the update process on those VMs during a predefined maintenance window.

4. Reboots VMs if necessary.

5. Sends a notification (e.g., email or Teams message) upon completion or failure.

This automates a crucial but often manual task, ensuring VMs are kept up-to-date and
secure without human intervention.

99. How would you secure a public-facing web application hosted on Azure App
Service against common web vulnerabilities?

Answer:

1. Azure Application Gateway with Web Application Firewall (WAF): Place an

Application Gateway with WAF in front of your App Service. This provides Layer 7
protection against SQL injection, XSS, etc.

2. Network Security Groups (NSGs): If the App Service is integrated with a VNet, use
NSGs on the App Service's subnet to control inbound and outbound traffic.

3. HTTPS Everywhere: Enforce HTTPS for all traffic to the App Service.

4. Azure AD Authentication/Authorization (Easy Auth): Use Microsoft Entra ID for user

authentication.

5. Managed Identities: For the App Service to access backend Azure services
(databases, storage), use Managed Identities to eliminate storing credentials.

6. Azure Key Vault: Store secrets, certificates, and connection strings in Key Vault, and
retrieve them at runtime.

7. Security Scanning: Regularly scan the web application for vulnerabilities using tools
like Azure Security Center (Defender for Cloud) or third-party solutions.

8. Least Privilege: Ensure the App Service identity has only the necessary permissions
to function.

100. A critical Azure VM needs to be available with 99.99% uptime, even during
regional disasters. How would you design for this?

Answer: To achieve 99.99% uptime and regional disaster recovery, you need a multi-
region strategy:
1. Deploy VMs in Multiple Regions: Deploy identical VMs (or VM Scale Sets) in at least
two separate Azure regions (primary and secondary).

2. Availability Zones (within each region): Within each region, ensure VMs are
deployed across multiple Availability Zones to protect against data center-level failures.

3. Azure Site Recovery (ASR): Configure ASR for continuous replication of VMs from the
primary region to the secondary region. This enables rapid failover with low RTO/RPO.

4. Azure Load Balancer (Standard SKU) / Azure Application Gateway: If the

application requires traffic distribution *within* a region, use a Standard Load Balancer
or Application Gateway, which support Zone Redundancy.

5. Azure Front Door / Azure Traffic Manager (Global Load Balancer): Use one of these
services to distribute user traffic globally across your primary and secondary regions.

Azure Front Door (Layer 7): For web applications, provides WAF, SSL offloading, and
intelligent routing based on latency, performance, or priority.

Azure Traffic Manager (DNS-based): Routes users to the closest or healthiest

endpoint based on various routing methods.

6. Geo-Redundant Storage (GRS/GZRS): For data, use GRS or GZRS to replicate data
asynchronously to the paired region.

7. Database Replication: Implement geo-replication for databases (e.g., Azure SQL

Database Geo-Replication, SQL Managed Instance auto-failover groups).

8. Automated Failover Plan: Define and regularly test a detailed disaster recovery plan,
including automated failover procedures.