AZ-140: Microsoft Azure Virtual Desktop Specialty Practice Exam

What the AZ-140 exam covers

• Plan and Implement an Azure Virtual Desktop Infrastructure339 questions
• Plan and Implement Identity and Security266 questions
• Plan and Implement User Environments and Apps254 questions
• Monitor and Maintain an AVD Infrastructure261 questions

Free AZ-140 sample questions

A sample of 10 questions with answers and explanations. Sign up free to practice all 1,120.

1. Question 1Plan and Implement an Azure Virtual Desktop Infrastructure

   Your organization wants to deploy Azure Virtual Desktop for a team of 200 call center agents who all use the same set of applications. You need to minimize costs while providing a consistent desktop experience. Which host pool type should you use?

   • APooled host pool with breadth-first load balancing
   • BPersonal host pool with pre-assigned desktops
   • CPooled host pool with depth-first load balancingCorrect
   • DPersonal host pool with direct assignment
   ✓ Correct answer: C

   A pooled host pool is the most cost-effective option for 200 call center agents who all use the same applications, because multiple users share session host VMs rather than each user requiring a dedicated VM. Depth-first load balancing maximizes the number of user sessions on each session host before sending connections to the next available host, which means fewer VMs need to be running at any given time and costs are minimized.

   Why the other options are wrong

   • APooled host pool with breadth-first load balancing is incorrect because breadth-first distributes users evenly across all available session hosts, which requires more hosts to be powered on simultaneously and increases costs.
   • BPersonal host pool with pre-assigned desktops is incorrect because a personal host pool assigns a dedicated VM to each user, which would require 200 VMs for 200 agents and significantly increase costs.
   • DPersonal host pool with direct assignment is incorrect because, like pre-assigned desktops, direct assignment in a personal host pool maps each user to their own VM, making it far more expensive than a pooled approach for identical workloads.
2. Question 2Plan and Implement an Azure Virtual Desktop Infrastructure

   What is a host pool in Azure Virtual Desktop?

   • AA DNS zone
   • BA virtual network
   • CA storage account
   • DA collection of session hosts that serve a common purposeCorrect
   ✓ Correct answer: D

   A host pool in Azure Virtual Desktop is a logical grouping of one or more session host virtual machines that are registered together and share common configuration settings such as load balancing algorithms, maximum session limits, and RDP properties. All session hosts within a host pool are typically created from the same VM image to ensure a consistent user experience. Host pools can be configured as pooled (where multiple users share VMs) or personal (where each user gets a dedicated VM), and they serve as the foundational deployment unit in AVD.

   Why the other options are wrong

   • AA DNS zone is incorrect because DNS zones are used for name resolution and have no relation to Azure Virtual Desktop session hosting.
   • BA virtual network is incorrect because virtual networks provide IP connectivity for Azure resources but are not AVD-specific constructs for grouping session hosts.
   • CA storage account is incorrect because storage accounts provide blob, file, queue, and table storage services and are not related to session host management in AVD.
3. Question 3Plan and Implement Identity and Security

   You are configuring Azure Virtual Desktop with Hybrid Microsoft Entra ID joined session hosts. Users need single sign-on (SSO) to the AVD session. Which component is required to enable SSO for Hybrid Microsoft Entra ID joined devices?

   • AMicrosoft Entra ID B2C
   • BMicrosoft Entra ID Connect with password hash synchronization or pass-through authenticationCorrect
   • CActive Directory Federation Services (AD FS)
   • DMicrosoft Entra ID Application Proxy
   ✓ Correct answer: B

   Hybrid Entra-joined devices rely on Microsoft Entra ID Connect to synchronize identities and provide a sign-in method (password hash synchronization or pass-through authentication) so the host and user have a consistent cloud identity. This underpins SSO for hybrid-joined session hosts. Without Entra Connect and a working sign-in method, hybrid join and the resulting SSO cannot function. It is the foundational component for the hybrid identity scenario.

   Why the other options are wrong

   • AEntra ID B2C is for customer-facing identity in apps and is not used for hybrid-join SSO of session hosts.
   • CAD FS is a legacy federation option and is not required; password hash sync or PTA via Entra Connect is the standard approach.
   • DApplication Proxy publishes on-premises web apps externally and has no role in hybrid-join SSO.
4. Question 4Plan and Implement User Environments and Apps

   Consolidated Messenger is deploying Azure Virtual Desktop and needs to provide GPU-accelerated rendering for a 3D modeling application. Which VM series should you select for the session hosts?

   • ANVv4 series (AMD GPU)Correct
   • BBsv2 series (burstable)
   • CFsv2 series (compute optimized)
   • DDsv5 series (general purpose)
   ✓ Correct answer: A

   The NVv4 series virtual machines in Azure provide GPU-accelerated rendering capabilities using AMD Radeon Instinct MI25 GPUs with partitioned GPU support. These VMs are specifically designed for graphics-intensive workloads such as 3D modeling, CAD applications, and visualization. In Azure Virtual Desktop, NV-series VMs (NVv3 with NVIDIA Tesla M60, NVv4 with AMD Radeon MI25, or NCasT4_v3 with NVIDIA T4) are the appropriate choices when session hosts need to run applications that require GPU acceleration for rendering.

   Why the other options are wrong

   • BBsv2 series (burstable) is incorrect because burstable VMs provide variable CPU performance and do not include GPU acceleration, making them unsuitable for sustained 3D rendering workloads.
   • CFsv2 series (compute optimized) is incorrect because while Fsv2 VMs offer high CPU clock speeds for compute-intensive tasks, they do not include GPU hardware needed for graphics rendering.
   • DDsv5 series (general purpose) is incorrect because general-purpose VMs are balanced for CPU and memory workloads but do not include GPU acceleration required for 3D modeling applications.
5. Question 5Monitor and Maintain an AVD Infrastructure

   Humongous Insurance wants to optimize costs for their Azure Virtual Desktop deployment. They have 100 session hosts but only 30 are typically in use during off-peak hours. Which combination of features should they implement?

   • AScaling plans with ramp-down scheduling and Start VM on ConnectCorrect
   • BAzure Spot VMs for all session hosts
   • CAzure Reserved Instances for all 100 session hosts
   • DMigrate all session hosts to B-series burstable VMs
   ✓ Correct answer: A

   This combination is the most cost-effective approach for Azure Virtual Desktop. Scaling plans allow you to define schedules that automatically shut down (deallocate) session hosts during off-peak hours when demand is low, eliminating compute costs for idle VMs. The ramp-down phase gradually drains sessions and powers off hosts as usage decreases. Start VM on Connect complements this by automatically powering on a deallocated session host when a user attempts to connect, ensuring availability without keeping all 100 hosts running 24/7. Together, these features mean Humongous Insurance only pays for the ~30 hosts needed during off-peak while still providing on-demand access if additional users connect.

   Why the other options are wrong

   • BAzure Spot VMs for all session hosts is incorrect because Spot VMs can be evicted at any time when Azure needs the capacity back, making them unsuitable for production session hosts where user sessions would be abruptly terminated.
   • CAzure Reserved Instances for all 100 session hosts is incorrect because Reserved Instances commit to paying for all 100 VMs for a 1- or 3-year term regardless of usage, which does not optimize costs when only 30 are needed during off-peak hours.
   • DMigrate all session hosts to B-series burstable VMs is incorrect because while B-series VMs are cheaper, they are designed for workloads with low average CPU usage and may not provide consistent performance for desktop sessions. This also does not address the core issue of 70 idle hosts during off-peak hours.
6. Question 6Plan and Implement an Azure Virtual Desktop Infrastructure

   When implementing Virtual practices in Plan and Implement an Azure Virtual Desktop Infrastructure, which approach is recommended?

   • ADeploy to a single instance to reduce overall costs
   • BSkip failover testing to save time and budget
   • CUse the smallest possible configuration at all times
   • DDesign for high availability with redundant componentsCorrect
   ✓ Correct answer: D

   Best practice for planning and implementing AVD infrastructure is to design for high availability using redundant components such as multiple session hosts, availability zones/sets, and replicated profile storage, so a single failure does not take down the service. This ensures resilient access to virtual desktops. The other options deliberately reduce resilience or skip validation, which contradicts sound infrastructure design.

   Why the other options are wrong

   • ADeploying a single instance creates a single point of failure and undermines availability.
   • BSkipping failover testing leaves recovery procedures unverified and is risky.
   • CAlways using the smallest configuration can starve the workload of resources and harm reliability.
7. Question 7Plan and Implement an Azure Virtual Desktop Infrastructure

   You need to implement RDP Shortpath for managed networks in your Azure Virtual Desktop environment. The session hosts are connected to the same network as the client devices through a VPN. Which transport protocol does RDP Shortpath use for the connection?

   • ATCP only
   • BUDP onlyCorrect
   • CHTTP/2
   • DWebSocket
   ✓ Correct answer: B

   RDP Shortpath for managed networks uses the User Datagram Protocol (UDP) as its transport protocol. When RDP Shortpath is enabled, the Remote Desktop Protocol establishes a direct UDP-based transport between the client device and the session host, bypassing the Azure Virtual Desktop gateway. UDP is preferred for real-time interactive sessions because it provides lower latency and better performance compared to TCP, particularly in scenarios with network congestion or packet loss. UDP does not require the retransmission overhead that TCP imposes, making it more suitable for the time-sensitive nature of remote desktop rendering and input. RDP Shortpath uses the URCP (Universal Rate Control Protocol) on top of UDP to provide reliable delivery where needed.

   Why the other options are wrong

   • ATCP only is incorrect because RDP Shortpath specifically uses UDP to achieve its performance advantages over the default TCP-based reverse connect transport.
   • CHTTP/2 is an application-layer protocol used for web traffic and is not the transport protocol used by RDP Shortpath.
   • DWebSocket is a communication protocol that provides full-duplex communication over a single TCP connection and is used by the standard AVD gateway connection, not by RDP Shortpath.
8. Question 8Plan and Implement Identity and Security

   You need to configure Network Security Groups (NSGs) for your Azure Virtual Desktop subnet. Which inbound port must be allowed for the Azure Virtual Desktop agent on session hosts to communicate with the Azure Virtual Desktop service?

   • AInbound port 3389 from the internet
   • BNo inbound ports are required; the agent uses outbound HTTPS (port 443) connectionsCorrect
   • CInbound port 443 from the Azure Virtual Desktop service tag
   • DInbound port 9354 from the Azure service bus
   ✓ Correct answer: B

   AVD's reverse-connect model means session hosts initiate outbound HTTPS (TCP 443) to the AVD service; no inbound ports need to be opened in the NSG for the agent to communicate. This is why AVD is secure by default without inbound RDP. So the correct NSG posture is to allow the necessary outbound 443 and require no inbound management ports. The inbound-port options contradict the reverse-connect design.

   Why the other options are wrong

   • AInbound 3389 from the internet is never required and is explicitly discouraged for AVD.
   • CThe agent does not need inbound 443; it connects outbound to the service.
   • DNo inbound 9354 is required on session hosts; communication is outbound over 443.
9. Question 9Monitor and Maintain an AVD Infrastructure

   You need to monitor application group usage to determine which RemoteApp applications are most frequently used across your Azure Virtual Desktop environment. Which diagnostic table should you query?

   • AWVDConnectionsCorrect
   • BWVDFeeds
   • CWVDCheckpoints
   • DWVDErrors
   ✓ Correct answer: A

   RemoteApp/desktop usage frequency is derived from connection records, which AVD writes to the WVDConnections table, including the resource (application group/published resource) accessed. Querying WVDConnections lets you count how often each RemoteApp is launched. So WVDConnections is the table to analyze for usage. The other tables hold feeds, checkpoints, or errors, not the connection/usage data needed.

   Why the other options are wrong

   • BWVDFeeds records feed (workspace subscription) activity, not per-application launch frequency.
   • CWVDCheckpoints holds connection step diagnostics, not application usage counts.
   • DWVDErrors lists errors, not successful application usage data.
10. Question 10Plan and Implement Identity and Security

    You have the Defender for Cloud alerts shown in the table for your AVD environment. You need to prioritize incident response. Which alert should be investigated FIRST?

    • AUnusual RDP activity on SH-Prod-03
    • BMFA fraud alert for jsmith@contoso.comCorrect
    • CSuspicious PowerShell on SH-Prod-01
    • DBrute force attack on SH-Dev-01
    ✓ Correct answer: B

    Although several alerts are High severity, a user reporting an MFA prompt as fraud is the strongest signal that an attacker already holds valid credentials and is actively trying to push through MFA, meaning a compromise is in progress right now. That makes it the highest-priority investigation because it indicates the perimeter has likely been breached, not merely probed. The brute-force and unusual-RDP alerts represent attempts that authentication may still be blocking. Confirmed-credential abuse signaled by an MFA fraud report should be triaged first.

    Why the other options are wrong

    • AUnusual RDP activity with failed connection attempts indicates probing that authentication is still rejecting, which is less urgent than an in-progress account compromise.
    • CSuspicious PowerShell is only Medium severity and already under investigation, so it ranks below an active High-severity credential-abuse signal.
    • DThe brute force attack is on a Dev host and reflects failed sign-in attempts being blocked, making it lower priority than a user-confirmed MFA fraud on a production identity.

AZ-140 practice exam FAQ