| Configure Azure Storage firewalls and virtual networks |
- Questions test how storage network access restrictions interact with different network configurations. You need to understand how storage firewall rules and virtual network settings determine whether a given resource can connect to a storage account, and which configuration approach best satisfies a requirement to limit access while minimising administrative effort.
- Questions present a multi-requirement scenario — given that an on-premises network needs to upload files and Azure infrastructure needs to attach those files as managed disks, you need to identify which two firewall settings to configure, choosing from IP range allowlists, VNet integration, and trusted Azure services exceptions.
- Questions present a storage account with firewall restrictions and ask whether specific subnet-based or backup-based access is permitted — you need to know how subnet rules control VM connectivity to file shares, and how the trusted Azure services bypass setting determines whether Azure Backup can access the account to protect unmanaged disks.
|
| Create and use shared access signature (SAS) tokens |
- Questions test how to enforce a recommended maximum duration for SAS tokens — you need to know which specific storage account setting triggers a warning when a generated SAS exceeds a defined time period.
- Questions present a SAS configuration (including IP range restrictions and a validity window) and ask you to determine the effective access level — if the client IP is outside the allowed range or the date falls outside the validity period, access is denied regardless of the permissions defined in the SAS.
- Questions also test how effective SAS permissions are determined — the access a user gets through a SAS is the intersection of their RBAC role permissions and the SAS-defined permissions; account key access bypasses RBAC entirely.
- Questions test which resource type and permission settings to enable in a SAS when the requirement is to enumerate and download blobs in a specific container — you need to know which combination of allowed resource types and allowed permissions corresponds to list and read access at the container and object level.
- Questions test when to use IAM (Access Control) versus SAS — given apps with managed identities where one needs permanent access and another needs time-limited access, you need to identify which storage access mechanism to configure for each app.
- Questions present a storage account configuration with specific settings (such as account key access disabled) and ask which SAS token types are still valid — a user delegation SAS is backed by Entra credentials and works when account key access is disabled; service SAS and account SAS are signed with the account key and are blocked when key access is disabled. You need to know which SAS type can still authenticate in each configuration.
|
| Configure stored access policies |
- Questions test the hard limits on how many stored access policies and immutable blob policies can exist on a single container. Given that some policies are already present, you must calculate the maximum number of additional ones that can still be created.
|
| Manage access keys |
- Questions test which built-in role to assign when a user needs to list or regenerate storage account access keys, and which service must be configured to enable automatic key rotation. Multiple options are presented for each — you need to know exactly what grants key management permissions and what enables automated rotation.
|
| Configure identity-based access for Azure Files |
- Questions test whether a given user can access an Azure Files share based on their identity source and sync configuration. You need to understand which types of identities are eligible to authenticate when AD DS is configured as the identity source, and how factors like directory sync scope affect access.
- Questions test what must be done on the storage account before RBAC roles (such as Storage File Data SMB Share Contributor) can be assigned for Azure Files access — there is a prerequisite configuration step on the storage account that must be completed before IAM role assignments on file shares become effective.
|
| Create and configure storage accounts |
- Given a set of requirements (such as supporting Data Lake Storage, minimising cost for infrequently accessed data, or replicating to a secondary region), you need to identify the correct combination of storage account settings — account type, access tier, and redundancy option — that satisfies all conditions.
- Questions also test storage account network routing settings — given a requirement to direct inbound user traffic via the Microsoft global network (entering at the point of presence closest to the user), you need to identify which specific storage account setting controls this behaviour.
- Questions test which storage account type supports the broadest combination of services (blobs, files, queues, tables) and is required when planned changes include features only available on general purpose v2 accounts — you need to know the differences between BlobStorage, BlockBlobStorage, and StorageV2 account kinds.
- Questions also test how to read an ARM template that deploys a storage account and determine the resulting configuration — for example, interpreting redundancy options (LRS means three synchronous copies in the primary region), whether location affects user access, and which features enable data rollback.
- Questions present a storage account configuration and ask which setting should be changed to minimise network access costs — you need to know which routing tier setting controls how traffic is directed and understand the cost difference between routing options.
- Questions test which storage account settings are immutable after account creation and which can be modified post-creation — certain settings (such as performance tier and infrastructure encryption) cannot be changed once the account is created, while others (such as support for customer-managed keys) can be enabled later.
|
| Configure Azure Storage redundancy |
- Questions require you to match a replication requirement (e.g. automatic cross-region replication) to the correct redundancy option — you need to know what each option (LRS, ZRS, GRS, GZRS) covers and where data is replicated.
- Questions also test which existing storage accounts can be converted to ZRS — not all account types support a live migration to ZRS, and you need to know the eligibility rules.
- Questions present a multi-requirement scenario — given a user who needs blob write access and a requirement to fail over a geo-redundant storage account to its secondary endpoint, you need to identify which two settings in the storage account must be configured to meet both requirements.
|
| Configure object replication |
-
Questions test the prerequisites for setting up object replication between storage accounts — including which account types are supported as the destination, and which object type (container, file share, table, queue) must be created in the destination account.
|
| Configure storage account encryption |
- Questions test the boundaries of what an encryption scope can and cannot encrypt within a storage account — you need to know which storage services and resource types fall within or outside the scope.
- Questions test customer-managed key configuration — given a requirement to use a key vault with the maximum supported encryption, you need to know the correct key type and the maximum supported bit length.
- Questions also test the prerequisite for using a different encryption key on a specific container — you need to know which resource must be created before the container itself, and in what order.
|
| Manage data by using Azure Storage Explorer and AzCopy |
- Given a scenario requiring a recursive copy from on-premises to a blob container, you need to identify the correct tool and the exact command structure to use.
- Questions also test which AzCopy verb and which storage service endpoint to use when creating a new container — you need to know both the correct subcommand and the correct service-specific URL format.
- Questions test which storage service types AzCopy supports as copy destinations — not all storage services are valid targets.
- Questions test which operating systems AzCopy can run on — given devices running different platforms, you need to identify which ones support AzCopy.
- Questions test which authentication method to use with AzCopy for different storage service types — blob containers (with Microsoft Entra authentication enabled) require a different authentication approach than file shares, and you need to know which method (OAuth, SAS token, access key) is correct for each.
|
| Create and configure a file share in Azure Storage |
- Questions test which storage containers and file shares are valid targets for a given content organisation requirement — you need to know what constraints determine whether a specific container or file share can be used for a particular purpose.
- Questions also test the networking prerequisite for mapping an Azure file share as a drive from an external computer — specifically which outbound port must be open for the SMB protocol to work.
- Questions test which storage account types support Azure Files shares — not all account kinds (e.g. BlobStorage) support file shares, and given a list of accounts with different types, you need to identify which are valid for creating a share.
- Questions test the correct UNC path format when scripting access to an Azure file share — you need to know the exact structure of the path, including the storage account name, the correct service subdomain, and the share name.
|
| Create and configure a container in Blob Storage |
- Questions cover both technical configuration of blob containers and immutability controls. You need to understand how to configure a container to prevent modification of its contents for a defined period, and know which container setting achieves this — distinguishing it from access control, access tier, and soft delete settings.
- Questions test which storage account types support blob containers — given a list of accounts with different kinds (BlobStorage, BlockBlobStorage, StorageV2, etc.), you need to identify which accounts are valid for creating a blob container.
|
| Configure storage tiers |
- You need to match access tier (Hot, Cool, Archive) to a stated requirement such as cost minimisation for infrequently accessed data — often combined with redundancy and account type choices in multi-requirement scenarios.
- Questions also test which storage account types support lifecycle management policies, and which account types support moving data to the Archive tier — not all account kinds are eligible for these features, and the eligibility rules differ between them.
- Questions test whether early deletion penalties apply when a blob is deleted or moved to a different tier before the minimum retention period has elapsed — you need to know the minimum storage durations for each tier (Cool and Archive have minimums; Hot does not) and how performing a tier change resets the clock.
|
| Configure soft delete for blobs and containers |
- Questions test when to use blob soft delete versus other blob protection features — given a requirement to recover accidentally deleted blobs within a defined retention period, you need to identify soft delete as the correct feature and distinguish it from lifecycle management (for tiering), versioning (for overwrite history), and snapshots (for point-in-time copies).
|
| Configure blob lifecycle management |
- Questions present an incomplete lifecycle rule JSON and ask you to fill in the correct condition and blob type — you need to know which condition property targets blobs that have not been modified (as opposed to not been accessed or created), and which blob type string is the correct value for standard block blobs in a lifecycle rule filter.
- Questions ask which action property moves blobs to the lowest-cost tier — you need to know which tier is cheapest and which JSON action key name corresponds to that tier transition.
- Questions test how to scope a lifecycle rule to a specific container using the filters section — you need to know which filter property (prefixMatch vs blobIndexMatch vs blobTypes) to use when targeting all blobs in a named container.
- Questions present a table of multiple lifecycle rules with different container prefixes and day thresholds, then ask what tier a specific blob is in on a given date — you need to apply the correct rule(s) to each blob based on its container prefix, evaluate which rules apply, and determine which action fires first. When a blob is deleted by one rule, later archive rules for the same blob do not apply.
- Questions test whether a blob can be read immediately given its current tier — blobs in the Archive tier cannot be read without a rehydration delay (the archive tier is offline); blobs in Cool or Hot tier can be read immediately. When two rules apply to the same blob (a prefix-scoped rule and an account-wide rule), the more restrictive action takes effect. You need to trace each blob's modification history through the applicable rules to determine its tier on a specific date, then determine if immediate reading is possible.
|
| Configure blob versioning |
- Questions test which storage account feature must be enabled to allow data changes to be rolled back to a previous state — you need to know which specific Blob service setting provides version-level restore capability, and distinguish it from other features like soft delete or lifecycle management.
|