Azure Administrator Associate · 18% of the exam

Implement and manage storage: free practice questions

5 sample questions from our 45-question bank for this domain — answers and explanations included. These are the same scenario-based style as the real Azure exam.

1. An administrator manages an Azure Files share mounted on several Azure VMs. The VMs are in a virtual network, and the storage account firewall is configured to allow only that virtual network. Users on the VMs report they can access the share, but on-premises users connecting over a Site-to-Site VPN cannot. What is the MOST likely cause?

  • A. The storage account does not have 'Allow trusted Microsoft services' enabled.
  • B. The on-premises network is not added as an allowed IP address range or virtual network in the storage account firewall settings.✓ Correct
  • C. Azure Files does not support access over Site-to-Site VPN connections.
  • D. The Azure Files share requires SMB 3.0 and the on-premises clients are using SMB 2.1.
Explanation

The storage account firewall is configured to allow only the specific Azure virtual network. On-premises clients connecting via Site-to-Site VPN traverse the VPN gateway and arrive at the storage service from the on-premises IP range, which is not in the allowed list. Adding the on-premises IP range (or the gateway subnet if using a private endpoint) to the firewall rules resolves the issue. 'Allow trusted Microsoft services' enables Azure platform services (like Azure Backup) to bypass the firewall — it does not help on-premises clients. Azure Files does support access over Site-to-Site VPN; this is a supported and common connectivity pattern. SMB version mismatch could prevent mounting, but the scenario states on-premises users cannot access the share at all, which points to a network/firewall issue rather than an SMB protocol negotiation failure.

2. A company's storage account contains a blob container where blobs are frequently uploaded and updated throughout the day. The security team wants point-in-time snapshots of individual blobs so that accidental overwrites can be rolled back to any prior state automatically, without writing custom scripts. Which feature should be enabled?

  • A. Blob snapshots with a lifecycle management policy
  • B. Blob versioning✓ Correct
  • C. Container soft delete
  • D. Point-in-time restore for block blobs
Explanation

Blob versioning automatically creates and retains a new version of a blob each time it is overwritten or deleted. This requires no custom scripting; Azure manages version creation transparently. An administrator can restore a previous version by copying it over the current version. Blob snapshots are read-only copies of a blob at a specific moment, but they must be created manually or via a lifecycle policy that only moves/deletes them — snapshots are not created automatically on every overwrite. Container soft delete retains deleted containers, not overwritten blobs. Point-in-time restore for block blobs allows restoration of a container or account to a prior state but requires blob versioning or change feed to be enabled first — it is a higher-level recovery mechanism, not the feature that 'automatically captures overwrites'.

3. You have an Azure storage account. A blob was uploaded to the hot tier six months ago and has not been accessed since. You are concerned about the cost. You move the blob manually to the archive tier. A colleague now needs to read the contents of the blob immediately. What must happen before the blob data can be read?

  • A. The blob must be copied to a new storage account using AzCopy.
  • B. The blob must be rehydrated to the hot or cool tier, which can take up to 15 hours with standard priority.✓ Correct
  • C. The blob can be read directly from the archive tier using a shared access signature with the 'Read' permission.
  • D. The blob must be deleted and re-uploaded to the hot tier from an on-premises backup.
Explanation

Blobs in the archive tier are stored offline and cannot be read directly. They must first be rehydrated (moved or copied) to an online tier (hot or cool). Standard-priority rehydration can take up to 15 hours, while high-priority rehydration typically completes in under 1 hour for objects under 10 GB. Copying to a new storage account is not required; rehydration can be done within the same account. Archived blobs cannot be read with any type of SAS token because the data is offline — the SAS grants permission but the data is not accessible until rehydrated. Deleting and re-uploading from a backup is unnecessary and destructive if a backup is not readily available.

4. A developer at your company needs to upload a large dataset to a blob container every night using an automated script running on an Azure VM. The VM has a system-assigned managed identity. You want to grant the minimum required permissions without using storage account keys or SAS tokens. What is the most appropriate role to assign to the VM's managed identity on the storage container?

  • A. Storage Account Contributor
  • B. Storage Blob Data Contributor✓ Correct
  • C. Storage Blob Data Owner
  • D. Reader
Explanation

The Storage Blob Data Contributor role grants the managed identity permissions to read, write, and delete blobs in the container — which is exactly what is needed for nightly uploads — while following the principle of least privilege. Storage Account Contributor is an Azure RBAC management-plane role that allows managing the storage account's configuration (such as settings and access keys) but does not grant data-plane access to read or write blob data. Storage Blob Data Owner grants full control including the ability to set POSIX ACLs (relevant for ADLS Gen2) and is more permissive than required. The Reader role provides read-only access to Azure resource metadata only and does not grant any data-plane blob access.

5. Your company has a GPv2 storage account in Azure with geo-redundant storage (GRS). A regional disaster causes the primary region to become unavailable. You need to restore read and write access to the storage account as quickly as possible. After initiating a customer-managed failover, what is an important consequence you must plan for?

  • A. All blob data is permanently lost; you must restore from an Azure Backup vault.
  • B. The storage account automatically fails back to the primary region after 24 hours.
  • C. Some recently written data may be lost because replication to the secondary region is asynchronous, and the RPO is not zero.✓ Correct
  • D. The storage account type is automatically downgraded from GRS to LRS after failover and cannot be changed back.
Explanation

With GRS, data is replicated asynchronously to the secondary region. This means there is a non-zero Recovery Point Objective (RPO) — typically less than 15 minutes under normal conditions, but not guaranteed to be zero. After a customer-managed failover, the secondary becomes the new primary, but any data that had not yet been replicated to the secondary before the outage will be lost. All blob data is not permanently lost; the data that was successfully replicated to the secondary region remains intact. Azure Storage does not automatically fail back; failback is a separate manual process initiated by the administrator after the original primary region recovers. After failover, the account is downgraded to LRS (not permanently — you can re-enable geo-redundancy), but this is true only temporarily and the account type can be upgraded back to GRS once the new primary is stable.

40 more questions in this domain

Practice the full bank with instant grading, flashcards, and a timed mock exam.

Start practicing free