AZ-204 Flashcards

1
Q

What are deployment slots in Azure App Service?

A

Deployment slots are live apps with their own host names.

2
Q

Why would one use deployment slots?

A

When you need 0 downtime and want to test your application in a deployed stage.

3
Q

What are the limitations of Azure App Service when it comes to storage?

A

When deployed to built-in images, your code and content are allocated a storage volume for web content, backed by Azure Storage. The disk latency of this volume is higher and more variable than the latency of the container filesystem. Apps that require heavy read-only access to content files may benefit from the custom container option, which places files in the container filesystem instead of on the content volume.

4
Q

What does an Azure App Service Plan include?

A
  • Operating System
  • Region
  • Number of VM instances
  • Size of VM instances
  • Pricing Tier
5
Q

What are the categories of the Azure App Service Plan and what plans do they include?

A
  • Shared compute (Free, Shared)
  • Dedicated compute (Basic, Standard, Premium, PremiumV2, PremiumV3)
  • Isolated (Isolated, IsolatedV2)
6
Q

How do authentication and authorization work in Azure App Service?

A

When enabled, it acts as middleware that intercepts all HTTP requests to your app. It does the following:
- Authenticates users and clients with the specified identity provider(s)
- Validates, stores, and refreshes OAuth tokens issued by the configured identity provider(s)
- Manages the authenticated session
- Injects identity information into HTTP request headers

7
Q

What are the two different ways one can do authentication in Azure App Service?

A
  • With provider SDK
  • Without provider SDK
8
Q

What is the difference between authentication with and without provider SDK in Azure App Service?

A

Without SDK:
- The application delegates federated sign-in to App Service. This is typically the case with browser apps, which can present the provider’s login page to the user. The server code manages the sign-in process, so it’s also called server-directed flow or server flow.
With SDK:
- The application signs users in to the provider manually and then submits the authentication token to App Service for validation. This is typically the case with browser-less apps, which can’t present the provider’s sign-in page to the user. The application code manages the sign-in process, so it’s also called client-directed flow or client flow. This applies to REST APIs, Azure Functions, JavaScript browser clients, and native mobile apps that sign users in using the provider’s SDK.

9
Q

What are the inbound network features in Azure App Service?

A
  • App assigned address
  • Access restriction
  • Service endpoints
  • Private endpoints
10
Q

What are the outbound features in Azure App Service?

A
  • Hybrid Connections
  • Gateway required virtual network integration
  • Virtual network integration
11
Q

Which of the App Service plan categories provides the maximum scale-out capabilities?

A

Isolated

12
Q

What are the options of certificates in Azure App Service?

A
  • Create a free App Service managed certificate
  • Purchase an App Service certificate
  • Import a certificate from Key Vault
  • Upload a private certificate
  • Upload a public certificate
13
Q

What is autoscaling?

A

Autoscaling is a cloud system or process that adjusts available resources based on the current demand. Autoscaling performs scaling in and out, as opposed to scaling up and down.

14
Q

When should we consider using autoscaling?

A

When you need higher elasticity, availability and fault tolerance. Autoscaling has an overhead associated with monitoring resources and determining whether to trigger a scaling event. In this scenario, if you can anticipate the rate of growth, manually scaling the system over time may be a more cost effective approach.

15
Q

What are some of the autoscaling conditions?

A
  • Scale based on a metric (HTTP, disk queue, etc)
  • Scale to a specific instance count according to a schedule
16
Q

What are autoscaling rules?

A

An autoscale rule specifies a metric to monitor, and how autoscaling should respond when this metric crosses a defined threshold.

17
Q

Which autoscaling rule metrics can we monitor?

A
  • CPU Percentage
  • Memory Percentage
  • Disk Queue length
  • Http Queue length
  • Data in
  • Data out
18
Q

What is Azure Functions?

A

Azure Functions is a serverless solution that allows you to write less code, maintain less infrastructure, and save on costs.

19
Q

What is Azure Logic Apps?

A

Azure Logic Apps is a serverless workflow integration platform.

20
Q

What is the difference between Azure WebJobs and Azure Functions?

A

Azure Functions is built on the WebJobs SDK, so it shares many of the same event triggers and connections to other Azure services. One main difference is that with WebJobs you do not pay per use, as you do with Azure Functions. WebJobs is also not a serverless app model with automatic scaling.

21
Q

What are the different hosting plans for Azure Functions and what are the differences?

A

Consumption Plan:
- Default hosting plan
- Scales automatically and you only pay for compute resources when your functions are running
- Event driven. Scale out automatically, even during periods of high load
Premium Plan:
- Automatically scales based on demand using pre-warmed workers, which run applications with no delay after being idle
- Runs on more powerful instances
- Connects to virtual networks.
- Event driven. Scale out automatically, even during periods of high load
Dedicated Plan:
- Run your functions within an App Service plan at regular App Service plan rates. Best for long-running scenarios where Durable Functions can’t be used.
- Manual/auto scale

22
Q

Which two components are needed to create an Azure Function (development)?

A

A function contains two important pieces - your code, which can be written in various languages, and some config, the function.json file.

22
Q

What determines whether an Azure Function is to scale out or scale in?

A

Azure Functions uses a component called the scale controller to monitor the rate of events and determine whether to scale out or scale in. The scale controller uses heuristics for each trigger type.

22
Q

What does the bindings property in the Azure Functions config file do?

A

The bindings property is where you configure both triggers and bindings.

22
Q

What is a function app in Azure?

A

A function app provides an execution context in Azure in which your functions run. As such, it’s the unit of deployment and management for your functions. A function app is composed of one or more individual functions that are managed, deployed, and scaled together. All of the functions in a function app share the same pricing plan, deployment method, and runtime version. Think of a function app as a way to organize and collectively manage your functions.

23
Q

What is Azure Blob Storage?

A

Azure Blob Storage is Microsoft’s object storage solution for the cloud.

23
Q

What is Azure Blob Storage designed for?

A
  • Serving images or documents directly to a browser.
  • Storing files for distributed access.
  • Streaming video and audio.
  • Writing to log files.
  • Storing data for backup and restore, disaster recovery, and archiving.
  • Storing data for analysis by an on-premises or Azure-hosted service.
23
Q

What are the different access tiers for block blob data?

A

Hot:
- Is optimized for frequent access of objects in the storage account. The Hot tier has the highest storage costs, but the lowest access costs. New storage accounts are created in the hot tier by default.
Cool:
- Is optimized for storing large amounts of data that is infrequently accessed and stored for at least 30 days. The Cool tier has lower storage costs and higher access costs compared to the Hot tier.
Archive:
- Is available only for individual block blobs. The archive tier is optimized for data that can tolerate several hours of retrieval latency and will remain in the Archive tier for at least 180 days. The archive tier is the most cost-effective option for storing data, but accessing that data is more expensive than accessing data in the hot or cool tiers.

23
Q

What are the types of storage accounts and what are they used for?

A

General-purpose v2
- Standard storage account type for blobs, file shares, queues, and tables. Recommended for most scenarios using Blob Storage or one of the other Azure Storage services.
Block Blob
- Premium storage account type for block blobs and append blobs. Recommended for scenarios with high transaction rates or that use smaller objects or require consistently low storage latency.
Page blobs
- Premium storage account type for page blobs only.

24
Q

What is the hierarchy in Azure Blob Storage?

A

Storage Account - Container - Blob

25
Q

What is a storage account?

A

A storage account provides a unique namespace in Azure for your data. Every object that you store in Azure Storage has an address that includes your unique account name. The combination of the account name and the Azure Storage blob endpoint forms the base address for the objects in your storage account.

26
Q

What is a container in Azure Blob Storage?

A

A container organizes a set of blobs, similar to a directory in a file system. A storage account can include an unlimited number of containers, and a container can store an unlimited number of blobs.

27
Q

Which three types of blobs does Azure Storage support and what are their uses?

A

Azure Storage supports three types of blobs:
- Block blobs store text and binary data. Block blobs are made up of blocks of data that can be managed individually. Block blobs can store up to about 190.7 TiB.
- Append blobs are made up of blocks like block blobs, but are optimized for append operations. Append blobs are ideal for scenarios such as logging data from virtual machines.
- Page blobs store random access files up to 8 TB in size. Page blobs store virtual hard drive (VHD) files and serve as disks for Azure virtual machines.

28
Q

What is an Azure Blob Storage lifecycle management policy?

A

A lifecycle management policy is a collection of rules in a JSON document to manage the lifecycle of data that is stored in various tiers in Azure Blob Storage.

29
Q

What does Azure Blob Storage lifecycle management policy enable us to do?

A
  • Transition blobs to a cooler storage tier (hot to cool, hot to archive, or cool to archive) to optimize for performance and cost
  • Delete blobs at the end of their lifecycles
  • Define rules to be run once per day at the storage account level
  • Apply rules to containers or a subset of blobs (using prefixes as filters)
30
Q

What are rules in Azure Blob Storage, and what two things are in a rule?

A

Rules help manage your data in Azure Blob Storage. One example is lifecycle management policy. Each rule definition includes a filter set and an action set. The filter set limits rule actions to a certain set of objects within a container or object names. The action set applies the tier or delete actions to the filtered set of objects.

31
Q

What are rule filters in Azure Blob Storage?

A

Filters limit rule actions to a subset of blobs within the storage account. If more than one filter is defined, a logical AND runs on all filters. Filters include:
- blobTypes: An array of predefined enum values.
- prefixMatch: An array of strings for prefixes to be matched. Each rule can define up to 10 prefixes. A prefix string must start with a container name.
- blobIndexMatch: An array of dictionary values consisting of blob index tag key and value conditions to be matched. Each rule can define up to 10 blob index tag conditions.

32
Q

What are rule actions in Azure Blob Storage?

A

In Azure Blob Storage, rule actions are part of the Lifecycle Management policy, which allows you to create rules to automatically transition your data to the best access tier and optimize costs. The rule actions define what operations to perform on the blobs when the conditions specified in the rule are met. Actions are applied to the filtered blobs when the run condition is met.

33
Q

What are some of the rule actions defined in the lifecycle management policy?

A
  • tierToCool
  • enableAutoTierToHotFromCool
  • tierToArchive
  • delete
34
Q

What happens if we define more than one rule action on a blob?

A

If you define more than one action on the same blob, lifecycle management applies the least expensive action to the blob. For example, action delete is cheaper than action tierToArchive. Action tierToArchive is cheaper than action tierToCool.

35
Q

What are some of the rule conditions defined in the lifecycle management policy?

A
  • daysAfterModificationGreaterThan
  • daysAfterCreationGreaterThan
  • daysAfterLastAccessTimeGreaterThan
  • daysAfterLastTierChangeGreaterThan
36
Q

What are our two options for rehydrating blob data from the archive tier?

A

Copy an archived blob to an online tier:
- You can rehydrate an archived blob by copying it to a new blob in the hot or cool tier with the Copy Blob or Copy Blob from URL operation. Microsoft recommends this option for most scenarios.
Change a blob’s access tier to an online tier:
- You can rehydrate an archived blob to hot or cool by changing its tier using the Set Blob Tier operation.

37
Q

What header can we set to adjust the priority on the rehydration?

A

x-ms-rehydrate-priority

38
Q

What are the two priorities when rehydrating a blob and what are the differences?

A

Standard priority: The rehydration request is processed in the order it was received and might take up to 15 hours.
High priority: The rehydration request is prioritized over standard priority requests and might complete in under one hour for objects under 10 GB in size.

39
Q

What is one thing to note when rehydrating a blob when it comes to lifecycle management policies?

A

Changing a blob’s tier doesn’t affect its last modified time. If there is a lifecycle management policy in effect for the storage account, then rehydrating a blob with Set Blob Tier can result in a scenario where the lifecycle policy moves the blob back to the archive tier after rehydration because the last modified time is beyond the threshold set for the policy.

40
Q

In .NET, what does BlobServiceClient class do?

A

Represents the storage account, and provides operations to retrieve and configure account properties, and to work with blob containers in the storage account.

41
Q

In .NET, what does BlobContainerClient class do?

A

Represents a specific blob container, and provides operations to work with the container and the blobs within.

42
Q

In .NET, what does BlobClient class do?

A

Represents a specific blob, and provides general operations to work with the blob, including operations to upload, download, delete, and create snapshots.

43
Q

In .NET, what does AppendBlobClient class do?

A

Represents an append blob, and provides operations specific to append blobs, such as appending log data.

44
Q

In .NET, what does BlockBlobClient class do?

A

Represents a block blob, and provides operations specific to block blobs, such as staging and then committing blocks of data.

45
Q

What HTTP headers are supported for both containers and blobs when setting properties by using REST?

A

Last-Modified

46
Q

What is Azure Cosmos DB?

A

Azure Cosmos DB is a fully managed NoSQL database designed to provide low latency, elastic scalability of throughput, well-defined semantics for data consistency, and high availability.

47
Q

What is the hierarchy in Azure Cosmos DB?

A
  1. Database Accounts
  2. Databases
  3. Containers
  4. Db Items
48
Q

What is an Azure Cosmos DB storage container?

A

An Azure Cosmos DB container is the unit of scalability both for provisioned throughput and storage. A container is horizontally partitioned and then replicated across multiple regions. The items that you add to the container are automatically grouped into logical partitions, which are distributed across physical partitions, based on the partition key.

49
Q

What are the two different types of throughput mode in Azure Cosmos DB containers?

A
  • Dedicated provisioned throughput mode: The throughput provisioned on a container is exclusively reserved for that container and it’s backed by the SLAs.
  • Shared provisioned throughput mode: These containers share the provisioned throughput with the other containers in the same database (excluding containers that have been configured with dedicated provisioned throughput). In other words, the provisioned throughput on the database is shared among all the “shared throughput” containers.
50
Q

What are the consistency levels of Azure Cosmos DB?

A
  • Strong
  • Bounded staleness
  • Session
  • Consistent prefix
  • Eventual
51
Q

What is strong consistency level of Azure Cosmos DB?

A

Strong consistency offers a linearizability guarantee. Linearizability refers to serving requests concurrently. The reads are guaranteed to return the most recent committed version of an item. A client never sees an uncommitted or partial write. Users are always guaranteed to read the latest committed write.

52
Q

What is Bounded staleness consistency level of Azure Cosmos DB?

A

Cosmos DB allows a certain amount of lag (in terms of time or operations) between the primary data copy and its other copies. Once that boundary is crossed, the system makes sure all copies are up-to-date.

53
Q

What is Session consistency level of Azure Cosmos DB?

A

In session consistency, within a single client session reads are guaranteed to honor the consistent-prefix, monotonic reads, monotonic writes, read-your-writes, and write-follows-reads guarantees. This assumes a single “writer” session or sharing the session token for multiple writers.

54
Q

What is Consistent prefix consistency level of Azure Cosmos DB?

A

Consistent prefix provides the assurance that you’ll never read data in a sequence that’s different from the way it was written, making sure there’s a logical flow to the data changes you observe.

55
Q

What is Eventual consistency level of Azure Cosmos DB?

A

In eventual consistency, there’s no ordering guarantee for reads. In the absence of any further writes, the replicas eventually converge.

Eventual consistency is the weakest form of consistency because a client may read values that are older than the ones it read before. Eventual consistency is ideal where the application doesn’t require any ordering guarantees. Examples include count of Retweets, Likes, or nonthreaded comments.

56
Q

What is Azure Cosmos DB API?

A

These APIs allow your applications to treat Azure Cosmos DB as if it were various other database technologies, without the overhead of management and scaling approaches.

57
Q

When should one use Azure Cosmos DB API?

A
  • If you have existing MongoDB, PostgreSQL, Cassandra, or Gremlin applications
  • If you don’t want to rewrite your entire data access layer
  • If you want to use the open-source developer ecosystem, client-drivers, expertise, and resources for your database
58
Q

What are Request Units (RUs) with regard to Azure Cosmos DB?

A

The cost of all database operations is normalized by Azure Cosmos DB and is expressed by request units (or RUs, for short). A request unit represents the system resources such as CPU, IOPS, and memory that are required to perform the database operations supported by Azure Cosmos DB.

59
Q

Which three modes can your Storage Account be in and what are the differences?

A

Provisioned throughput mode:
- In this mode, you provision the number of RUs for your application on a per-second basis in increments of 100 RUs per second. To scale the provisioned throughput for your application, you can increase or decrease the number of RUs at any time in increments or decrements of 100 RUs. You can make your changes either programmatically or by using the Azure portal. You can provision throughput at container and database granularity level.

Serverless mode:
- In this mode, you don’t have to provision any throughput when creating resources in your Azure Cosmos DB account. At the end of your billing period, you get billed for the number of request units that have been consumed by your database operations.

Autoscale mode:
- In this mode, you can automatically and instantly scale the throughput (RU/s) of your database or container based on its usage. This scaling operation doesn’t affect the availability, latency, throughput, or performance of the workload. This mode is well suited for mission-critical workloads that have variable or unpredictable traffic patterns, and require SLAs on high performance and scale.

60
Q

In .NET, what is the CosmosClient?

A

Creates a new CosmosClient with a connection string. CosmosClient is thread-safe. It’s recommended to maintain a single instance of CosmosClient per lifetime of the application that enables efficient connection management and performance.

61
Q

How can we create a stored procedure in Azure Cosmos DB?

A

It can be written in JavaScript as code.

62
Q

What two different triggers does Azure Cosmos DB support? And what is the difference?

A

Pretriggers:
Executed before modifying a database item.
Posttriggers:
Executed after modifying a database item.

63
Q

What can triggers in Azure Cosmos DB be used for?

A
  • Validation of data
  • Adding metadata
64
Q

What is the change feed in Azure Cosmos DB?

A

Change feed in Azure Cosmos DB is a persistent record of changes to a container in the order they occur. Change feed support in Azure Cosmos DB works by listening to an Azure Cosmos DB container for any changes. It then outputs the sorted list of documents that were changed in the order in which they were modified. The persisted changes can be processed asynchronously and incrementally, and the output can be distributed across one or more consumers for parallel processing.

65
Q

Which two methods can you use to work with the Azure Cosmos DB change feed?

A
  • Push Model
  • Pull Model
66
Q

How does the push model work for working with change feed in Azure Cosmos DB?

A

With a push model, the change feed processor pushes work to a client that has business logic for processing this work. However, the complexity in checking for work and storing state for the last processed work is handled within the change feed processor. This is the recommended model because you won’t need to worry about polling the change feed for future changes, storing state for the last processed change, and other benefits.

67
Q

How does the pull model work for working with change feed in Azure Cosmos DB?

A

With a pull model, the client has to pull the work from the server. The client, in this case, not only has business logic for processing work but also storing state for the last processed work, handling load balancing across multiple clients processing work in parallel, and handling errors.

68
Q

Which two methods can you use to read from the change feed with a push model?

A
  • Azure Functions
  • Change feed processor
69
Q

What is the Change feed processor in regards to Azure Cosmos DB?

A

The change feed processor is part of the Azure Cosmos DB .NET V3 and Java V4 SDKs. It simplifies the process of reading the change feed and distributes the event processing across multiple consumers effectively.

70
Q

What are the four main components in implementing the Change feed processor in Azure Cosmos DB?

A
  1. The monitored container: The monitored container has the data from which the change feed is generated. Any inserts and updates to the monitored container are reflected in the change feed of the container.
  2. The lease container: The lease container acts as a state storage and coordinates processing the change feed across multiple workers. The lease container can be stored in the same account as the monitored container or in a separate account.
  3. The compute instance: A compute instance hosts the change feed processor to listen for changes. Depending on the platform, it could be represented by a VM, a Kubernetes pod, an Azure App Service instance, or an actual physical machine. It has a unique identifier referenced as the instance name throughout this article.
  4. The delegate: The delegate is the code that defines what you, the developer, want to do with each batch of changes that the change feed processor reads.
71
Q

What is Azure Container Registry (ACR)?

A

Azure Container Registry (ACR) is a managed, private Docker registry service based on the open-source Docker Registry 2.0. Create and maintain Azure container registries to store and manage your private Docker container images.

72
Q

What are some of the use cases of ACR?

A
  • Scalable orchestration systems that manage containerized applications across clusters of hosts, including Kubernetes, DC/OS, and Docker Swarm.
  • Azure services that support building and running applications at scale, including Azure Kubernetes Service (AKS), App Service, Batch, Service Fabric, and others.
73
Q

What are the service tiers of ACR, and what are the differences?

A

Basic:
- A cost-optimized entry point for developers learning about Azure Container Registry. Basic registries have the same programmatic capabilities as Standard and Premium (such as Microsoft Entra authentication integration, image deletion, and webhooks). However, the included storage and image throughput are most appropriate for lower usage scenarios.
Standard:
- Standard registries offer the same capabilities as Basic, with increased included storage and image throughput. Standard registries should satisfy the needs of most production scenarios.
Premium:
- Premium registries provide the highest amount of included storage and concurrent operations, enabling high-volume scenarios. In addition to higher image throughput, Premium adds features such as geo-replication for managing a single registry across multiple regions, content trust for image tag signing, and private link with private endpoints to restrict access to the registry.

74
Q

What are the storage capabilities/features in Azure Container Registry?

A
  • Encryption at rest
  • Regional storage
  • Zone redundancy
  • Scalable storage
75
Q

What is Azure Container Instances?

A

Azure Container Instances (ACI) is a great solution for any scenario that can operate in isolated containers, including simple applications, task automation, and build jobs.

76
Q

What are the benefits of using ACI?

A
  • Fast startup: ACI can start containers in Azure in seconds, without the need to provision and manage VMs
  • Container access: ACI enables exposing your container groups directly to the internet with an IP address and a fully qualified domain name (FQDN)
  • Hypervisor-level security: Isolate your application as completely as it would be in a VM
  • Customer data: The ACI service stores the minimum customer data required to ensure your container groups are running as expected
  • Custom sizes: ACI provides optimum utilization by allowing exact specifications of CPU cores and memory
  • Persistent storage: Mount Azure Files shares directly to a container to retrieve and persist state
  • Linux and Windows: Schedule both Windows and Linux containers using the same API.
77
Q

What is a container group in ACI?

A

The top-level resource in Azure Container Instances is the container group. A container group is a collection of containers that get scheduled on the same host machine. The containers in a container group share a lifecycle, resources, local network, and storage volumes. It’s similar in concept to a pod in Kubernetes.

78
Q

What are the two ways to deploy a multi-container group?

A

There are two common ways to deploy a multi-container group: use a Resource Manager template or a YAML file. A Resource Manager template is recommended when you need to deploy additional Azure service resources (for example, an Azure Files share) when you deploy the container instances. Due to the YAML format’s more concise nature, a YAML file is recommended when your deployment includes only container instances.

79
Q

When should one use a YAML file vs. a Resource Manager template?

A

One should use a YAML file if the deployment contains only container instances, but if other Azure services need to be orchestrated, the Resource Manager template is preferred.

80
Q

What are the restart policies of ACI, and what does each one do?

A

Always:
- Containers in the container group are always restarted. This is the default setting applied when no restart policy is specified at container creation.
Never:
- Containers in the container group are never restarted. The containers run at most once.
OnFailure:
- Containers in the container group are restarted only when the process executed in the container fails (when it terminates with a nonzero exit code). The containers are run at least once.

81
Q

What is Azure Container Apps?

A

Azure Container Apps provides the flexibility you need with a serverless container service built for microservice applications and robust autoscaling capabilities without the overhead of managing complex infrastructure.

82
Q

What are some of the limitations of Azure Container Apps?

A

Privileged containers: Azure Container Apps can’t run privileged containers. If your program attempts to run a process that requires root access, the application inside the container experiences a runtime error.

Operating system: Linux-based (linux/amd64) container images are required.

83
Q

What is a revision in Azure Container Apps?

A

A revision is an immutable snapshot of a container app version.

84
Q

How does Azure Container Apps manage secrets?

A

By using a revision, an immutable snapshot of a container app version.

85
Q

What four components make up Azure Identity Platform?

A
  1. OAuth 2.0 and OpenID Connect standard-compliant authentication service enabling developers to authenticate several identity types
  2. Open-source libraries: Microsoft Authentication Libraries (MSAL) and support for other standards-compliant libraries
  3. Application management portal: A registration and configuration experience in the Azure portal, along with the other Azure management capabilities.
  4. Application configuration API and PowerShell: Programmatic configuration of your applications through the Microsoft Graph API and PowerShell so you can automate your DevOps tasks.
86
Q

What is a service principal with regard to Azure Identity Platform?

A

An Azure service principal is an identity created for use with applications, hosted services, and automated tools to access Azure resources.

87
Q

What is the difference between single and multi-tenant applications?

A

Single tenant: only accessible in your tenant
Multi-tenant: accessible in other tenants

88
Q

What is an application object with regard to Azure Identity Platform?

A

The application object resides in the Microsoft Entra tenant where the application was registered (known as the application’s “home” tenant). An application object is used as a template or blueprint to create one or more service principal objects. It consists of some static properties that describe three aspects of an application: how the service can issue tokens in order to access the application, resources that the application might need to access, and the actions that the application can take.

89
Q

What three different types of service principals do we have?

A
  • Application
  • Managed Identity
  • Legacy
90
Q

What is the Application type of service principal with regard to Azure Identity?

A

This type of service principal is the local representation, or application instance, of a global application object in a single tenant or directory. A service principal is created in each tenant where the application is used and references the globally unique app object. The service principal object defines what the app can actually do in the specific tenant, who can access the app, and what resources the app can access.

91
Q

What is the Managed Identity type of service principal with regard to Azure Identity?

A

This type of service principal is used to represent a managed identity. Managed identities provide an identity for applications to use when connecting to resources that support Microsoft Entra authentication. When a managed identity is enabled, a service principal representing that managed identity is created in your tenant. Service principals representing managed identities can be granted access and permissions, but can’t be updated or modified directly.

92
Q

What is the Legacy type of service principal with regard to Azure Identity?

A

This type of service principal represents a legacy app, which is an app created before app registrations were introduced or an app created through legacy experiences. A legacy service principal can have credentials, service principal names, reply URLs, and other properties that an authorized user can edit, but doesn’t have an associated app registration. The service principal can only be used in the tenant where it was created.

93
Q

What is the relationship between the application object and the service principal with regard to Azure Identity?

A

The application object is the global representation of your application for use across all tenants, and the service principal is the local representation for use in a specific tenant. The application object serves as the template from which common and default properties are derived for use in creating corresponding service principal objects.

94
Q

What is a scope in OAuth 2.0?

A

It is another word for permissions. It contains the permissions for the user.

95
Q

What two permission types do we have in Microsoft Identity Platform?

A

Delegated permissions
App-only access permissions

96
Q

What are delegated permissions in Microsoft Identity Platform?

A

Delegated permissions are used by apps that have a signed-in user present. For these apps, either the user or an administrator consents to the permissions that the app requests. The app is delegated with the permission to act as a signed-in user when it makes calls to the target resource.

97
Q

What are app-only access permissions in Microsoft Identity Platform?

A

App-only access permissions are used by apps that run without a signed-in user present, for example, apps that run as background services or daemons. Only an administrator can consent to app-only access permissions.

98
Q

What three consent types do we have with regard to Microsoft Identity Platform?

A
  1. static user consent
  2. incremental and dynamic user consent
  3. admin consent.
99
Q

What is static user consent with regard to Microsoft Identity Platform?

A

In the static user consent scenario, you must specify all the permissions the app needs in the app’s configuration in the Azure portal. If the user (or administrator, as appropriate) hasn’t granted consent for this app, then Microsoft identity platform prompts the user to provide consent at this time. Static permissions also enable administrators to consent on behalf of all users in the organization.

100
Q

What are some negatives of using static user consent with regard to Microsoft Identity Platform?

A
  1. The app needs to request all the permissions it would ever need upon the user’s first sign-in. This can lead to a long list of permissions that discourages end users from approving the app’s access on initial sign-in.
  2. The app needs to know all of the resources it would ever access ahead of time. It’s difficult to create apps that could access an arbitrary number of resources.
101
Q

What is incremental and dynamic consent in regards to Microsoft Identity Platform?

A

Incremental and dynamic consent in the context of Azure Identity refers to the practice of asking users for permission step-by-step, only at the time when a particular access level is needed, instead of asking for all permissions upfront.

102
Q

What are some things to note when using incremental and dynamic consent?

A

Dynamic consent can be convenient, but presents a big challenge for permissions that require admin consent, since the admin consent experience doesn’t know about those permissions at consent time. If you require admin privileged permissions or if your app uses dynamic consent, you must register all of the permissions in the Azure portal (not just the subset of permissions that require admin consent). This enables tenant admins to consent on behalf of all their users.

103
Q

What is admin consent in regards to Microsoft Identity Platform?

A

Admin consent in Azure Identity refers to a scenario where an administrator grants permissions on behalf of all users within an organization. Instead of each individual user granting consent for an application to access their data, an administrator can provide consent once, allowing the application to work for all users without them having to go through the consent process individually. This is particularly useful for enterprise

104
Q

What is conditional access in regards to Microsoft Identity Platform?

A

The Conditional Access feature in Microsoft Entra ID offers one of several ways that you can use to secure your app and protect a service. Conditional Access enables developers and enterprise customers to protect services in a multitude of ways including:
- Multifactor authentication
- Allowing only Intune enrolled devices to access specific services
- Restricting user locations and IP ranges

105
Q

In general, Conditional Access does not require code changes, but when are they required?

A

Specifically, the following scenarios require code to handle Conditional Access challenges:
- Apps performing the on-behalf-of flow
- Apps accessing multiple services/resources
- Single-page apps using MSAL.js
- Web apps calling a resource

106
Q

What is Microsoft Authentication Library (MSAL)?

A

The Microsoft Authentication Library (MSAL) can be used to provide secure access to Microsoft Graph, other Microsoft APIs, third-party web APIs, or your own web API.
MSAL gives you many ways to get tokens, with a consistent API for many platforms.

107
Q

What are the benefits of using MSAL?

A
  • No need to directly use the OAuth libraries or code against the protocol in your application.
  • Acquires tokens on behalf of a user or on behalf of an application (when applicable to the platform).
  • Maintains a token cache and refreshes tokens for you when they’re close to expiring. You don’t need to handle token expiration on your own.
  • Helps you specify which audience you want your application to sign in.
  • Helps you set up your application from configuration files.
  • Helps you troubleshoot your app by exposing actionable exceptions, logging, and telemetry.
108
Q

What are the supported authentication flows of MSAL?

A
  • Authorization code: Native and web apps securely obtain tokens in the name of the user
  • Client credentials: Service applications run without user interaction
  • On-behalf-of: The application calls a service/web API, which in turn calls Microsoft Graph
  • Implicit: Used in browser-based applications
  • Device code: Enables sign-in to a device by using another device that has a browser
  • Integrated Windows: Windows computers silently acquire an access token when they’re domain joined
  • Interactive: Mobile and desktop applications call Microsoft Graph in the name of a user
  • Username/password: The application signs in a user by using their username and password
109
Q

Which two .NET classes are used to set up MSAL?

A

With MSAL.NET 3.x, the recommended way to instantiate an application is by using the application builders: PublicClientApplicationBuilder and ConfidentialClientApplicationBuilder. They offer a powerful mechanism to configure the application either from the code, or from a configuration file, or even by mixing both approaches.

110
Q

What is a shared access signature (SAS)?

A

A shared access signature (SAS) is a signed URI that points to one or more storage resources and includes a token that contains a special set of query parameters. The token indicates how the resources may be accessed by the client.

111
Q

What types of shared access signatures (SAS) do we have?

A
  • User delegation SAS
  • Service SAS
  • Account SAS
112
Q

What is a user delegation SAS?

A

A user delegation SAS is secured with Microsoft Entra credentials and also by the permissions specified for the SAS. A user delegation SAS applies to Blob storage only.

113
Q

What does a user delegation SAS apply to?

A

Only blob storage

114
Q

What is a service SAS?

A

The Service SAS can be restricted to a specific service, such as Azure Blob Storage, Azure Table Storage, Azure Queue Storage, or Azure File Storage. The permissions granted by a Service SAS are scoped to a specific resource, such as a blob, container, table, queue, or file.

115
Q

What does a service SAS apply to?

A

Blob storage, Queue storage, Table storage, or Azure Files.

116
Q

What is an account SAS?

A

An account SAS is secured with the storage account key. An account SAS delegates access to resources in one or more of the storage services. All of the operations available via a service or user delegation SAS are also available via an account SAS.

117
Q

How do shared access signatures work?

A

When you use a SAS to access data stored in Azure Storage, you need two components. The first is a URI to the resource you want to access. The second part is a SAS token that you’ve created to authorize access to that resource.

118
Q

How to reduce the potential risks of using SAS?

A
  • To securely distribute a SAS and prevent man-in-the-middle attacks, always use HTTPS.
  • The most secure SAS is a user delegation SAS. Use it wherever possible because it removes the need to store your storage account key in code. You must use Microsoft Entra ID to manage credentials. This option might not be possible for your solution.
  • Try to set your expiration time to the smallest useful value. If a SAS key becomes compromised, it can be exploited for only a short time.
  • Apply the rule of minimum-required privileges. Only grant the access that’s required. For example, in your app, read-only access is sufficient.
  • There are some situations where a SAS isn’t the correct solution. When there’s an unacceptable risk of using a SAS, create a middle-tier service to manage users and their access to storage.
119
Q

When should one use SAS?

A

Use a SAS when you want to provide secure access to resources in your storage account to any client who doesn’t otherwise have permissions to those resources.

120
Q

What is a stored access policy with regard to SAS?

A

A stored access policy provides an extra level of control over service-level shared access signatures (SAS) on the server side. Establishing a stored access policy groups SAS and provides more restrictions for signatures that are bound by the policy. You can use a stored access policy to change the start time, expiry time, or permissions for a signature, or to revoke it after it has been issued.

121
Q

What supports stored access policies?

A
  • Blob containers
  • File shares
  • Queues
  • Tables
122
Q

What is Microsoft Graph?

A

Microsoft Graph is the gateway to data and intelligence in Microsoft 365. It provides a unified programmability model that you can use to access the tremendous amount of data in Microsoft 365, Windows 10, and Enterprise Mobility + Security.

123
Q

What are the three main components in Microsoft Graph that facilitate the access and flow of data?

A
  1. The Microsoft Graph API offers a single endpoint.
  2. Microsoft Graph connectors
  3. Microsoft Graph Data Connect
124
Q

What are the two ways we can interact with Microsoft Graph?

A
  • REST API
  • .NET SDK
125
Q

When querying Microsoft Graph using REST API what methods does it support and what does each method do?

A

GET: Read data from a resource.
POST: Create a new resource, or perform an action.
PATCH: Update a resource with new values.
PUT: Replace a resource with a new one.
DELETE: Remove a resource.

126
Q

How is a REST query structured in Microsoft Graph?

A

{HTTP method} https://graph.microsoft.com/{version}/{resource}?{query-parameters}
{HTTP method} - The HTTP method used on the request to Microsoft Graph.
{version} - The version of the Microsoft Graph API your application is using.
{resource} - The resource in Microsoft Graph that you’re referencing.
{query-parameters} - Optional OData query options or REST method parameters that customize the response.

127
Q

When using Microsoft Graph with the .NET SDK, what class do we use to create the client?

A

GraphServiceClient

128
Q

What are best practices when using Microsoft Graph?

A
  • Authentication
  • Consent and Authorization
  • Handle responses effectively (pagination, etc.)
  • Storing Data Locally: Your application should ideally make calls to Microsoft Graph to retrieve data in real time as necessary. You should only cache or store data locally necessary for a specific scenario, and if that use case is covered by your terms of use and privacy policy, and doesn’t violate the Microsoft APIs Terms of Use. Your application should also implement proper retention and deletion policies.
129
Q

What are Microsoft Graph connectors?

A

Microsoft Graph connectors work in the incoming direction, delivering data external to the Microsoft cloud into Microsoft Graph services and applications, to enhance Microsoft 365 experiences such as Microsoft Search. Connectors exist for many commonly used data sources such as Box, Google Drive, Jira, and Salesforce.

130
Q

What is Microsoft Graph Data Connect?

A

Microsoft Graph Data Connect provides a set of tools to streamline secure and scalable delivery of Microsoft Graph data to popular Azure data stores. The cached data serves as data sources for Azure development tools that you can use to build intelligent applications.

131
Q

What two types of containers does Azure Key Vault support and what are their differences?

A
  • Vaults: support storing software and HSM-backed keys, secrets, and certificates
  • Hardware security module (HSM) pools: HSM-backed keys
132
Q

What are the benefits of using Azure Key Vault?

A
  • Centralized application secrets
  • Securely store secrets and keys
  • Monitor access and use
  • Simplified administration of application secrets
133
Q

What are best practices when it comes to Azure Key Vault?

A
  • Use separate key vaults
  • Control access to your vault
  • Backup
  • Logging
  • Recovery Options
134
Q

In which two different ways can one obtain a service principal for Azure Key Vault?

A
  • Enable a system-assigned managed identity for the application. With managed identity, Azure internally manages the application’s service principal and automatically authenticates the application with other Azure services. Managed identity is available for applications deployed to various services.
  • If you can’t use managed identity, you instead register the application with your Microsoft Entra tenant. Registration also creates a second application object that identifies the app across all tenants.
135
Q

What are managed identities?

A

A common challenge for developers is the management of secrets, credentials, certificates, and keys used to secure communication between services. Managed identities eliminate the need for developers to manage these credentials. Managed identities provide an automatically managed identity in Microsoft Entra ID for applications to use when connecting to resources that support Microsoft Entra authentication. Applications can use managed identities to obtain Microsoft Entra tokens without having to manage any credentials.

136
Q

What are the two types of managed identities?

A

System-assigned managed identity
User-assigned managed identity

137
Q

What is a system-assigned managed identity?

A

A system-assigned managed identity is enabled directly on an Azure service instance. When the identity is enabled, Azure creates an identity for the instance in the Microsoft Entra tenant that’s trusted by the subscription of the instance. After the identity is created, the credentials are provisioned onto the instance. The lifecycle of a system-assigned identity is directly tied to the Azure service instance that it’s enabled on. If the instance is deleted, Azure automatically cleans up the credentials and the identity in Microsoft Entra ID.

138
Q

What is a user-assigned managed identity?

A

A user-assigned managed identity is created as a standalone Azure resource. Through a create process, Azure creates an identity in the Microsoft Entra tenant that’s trusted by the subscription in use. After the identity is created, the identity can be assigned to one or more Azure service instances. The lifecycle of a user-assigned identity is managed separately from the lifecycle of the Azure service instances to which it’s assigned.

139
Q

What Azure resources support managed identities?

A

Azure resources that support Microsoft Entra authentication

140
Q

What is the flag to enable system-assigned managed identity during creation of an Azure virtual machine?

A

--assign-identity, followed by --role, --scope, --admin-username and --admin-password

141
Q

In .NET, how does one acquire a token from a managed identity?

A

DefaultAzureCredential

142
Q

What is Azure App Configuration?

A

Azure App Configuration provides a service to centrally manage application settings and feature flags.

143
Q

How does Azure App Configuration store the values?

A

As key value pairs

144
Q

When creating a Key in Azure App Configuration, which keys are reserved?

A
  • , \
145
Q

What is the size limit of the key-value pairs stored in Azure App Configuration?

A

10 000

146
Q

How should one design key namespaces in Azure App Configuration?

A

Using a hierarchical naming convention.

147
Q

Does Azure App Configuration version its key-value pairs?

A

App Configuration doesn’t version key values automatically as they’re modified. Use labels as a way to create multiple versions of a key value.

148
Q
A
149
Q

What is a feature flag with regard to managing features in Azure?

A

A feature flag is a variable with a binary state of on or off. The feature flag also has an associated code block. The state of the feature flag triggers whether the code block runs or not.

150
Q

What is a feature manager with regard to managing features in Azure?

A

A feature manager is an application package that handles the lifecycle of all the feature flags in an application. The feature manager typically provides extra functionality, such as caching feature flags and updating their states.

151
Q

What is a filter with regard to managing features in Azure?

A

A filter is a rule for evaluating the state of a feature flag. A user group, a device or browser type, a geographic location, and a time window are all examples of what a filter can represent.

152
Q

What are three ways we can secure app configuration data?

A

Customer-managed keys
Private endpoints
Managed identities

153
Q

How can we encrypt configuration data by using customer-managed keys?

A

When customer-managed key capability is enabled, App Configuration uses a managed identity assigned to the App Configuration instance to authenticate with Microsoft Entra ID. The managed identity then calls Azure Key Vault and wraps the App Configuration instance’s encryption key.

154
Q

How can we secure Azure App Configuration by using private endpoints?

A

You can use private endpoints for Azure App Configuration to allow clients on a virtual network (VNet) to securely access data over a private link. The private endpoint uses an IP address from the VNet address space for your App Configuration store. Network traffic between the clients on the VNet and the App Configuration store traverses over the VNet using a private link on the Microsoft backbone network, eliminating exposure to the public internet.

155
Q

How can we secure Azure App Configuration by using managed identities?

A

Your application can be granted two types of identities:
- A system-assigned identity is tied to your configuration store. It’s deleted if your configuration store is deleted. A configuration store can only have one system-assigned identity.
- A user-assigned identity is a standalone Azure resource that can be assigned to your configuration store. A configuration store can have multiple user-assigned identities.

156
Q

What is Azure API Management?

A

API Management provides the core functionality to ensure a successful API program through developer engagement, business insights, analytics, security, and protection.

157
Q

What are the three components in the Azure API Management?

A

API gateway
The management plane
The Developer portal

158
Q

What is the API Gateway component in Azure API Management?

A

The API gateway is the endpoint that:
- Accepts API calls and routes them to appropriate backends
- Verifies API keys and other credentials presented with requests
- Enforces usage quotas and rate limits
- Transforms requests and responses specified in policy statements
- Caches responses to improve response latency and minimize the load on backend services
- Emits logs, metrics, and traces for monitoring, reporting, and troubleshooting

159
Q

What is the management plane component in Azure API Management?

A

The management plane is the administrative interface where you set up your API program. Use it to:
- Provision and configure API Management service settings
- Define or import API schema
- Package APIs into products
- Set up policies like quotas or transformations on the APIs
- Get insights from analytics
- Manage users

160
Q

What is the Developer portal component in Azure API Management?

A

The Developer portal is an automatically generated, fully customizable website with the documentation of your APIs. Using the developer portal, developers can:
- Read API documentation
- Call an API via the interactive console
- Create an account and subscribe to get API keys
- Access analytics on their own usage
- Download API definitions
- Manage API keys

161
Q

What are products with regard to API Management?

A

Products are how APIs are surfaced to developers. Products in API Management have one or more APIs, and are configured with a title, description, and terms of use.

162
Q

What is the difference between open and protected products in Azure API Management?

A

Protected products must be subscribed to before they can be used, while open products can be used without a subscription. Subscription approval is configured at the product level and can either require administrator approval, or be autoapproved.

163
Q

What are groups with regard to API Management?

A

Groups are used to manage the visibility of products to developers.

164
Q

What types of groups does Azure API Management have and what are their roles?

A

Administrators - Manage API Management service instances and create the APIs, operations, and products that are used by developers. Azure subscription administrators are members of this group.

Developers - Authenticated developer portal users that build applications using your APIs. Developers are granted access to the developer portal and build applications that call the operations of an API.

Guests - Unauthenticated developer portal users. They can be granted certain read-only access, like the ability to view APIs but not call them.

165
Q

Which two different types of API gateway do we have?

A

Managed and Self-hosted

166
Q

What is Managed API Gateway?

A

The managed gateway is the default gateway component that is deployed in Azure for every API Management instance in every service tier. With the managed gateway, all API traffic flows through Azure regardless of where backends implementing the APIs are hosted.

167
Q

What is the Self-Hosted API Gateway?

A

The self-hosted gateway is an optional, containerized version of the default managed gateway. It’s useful for hybrid and multicloud scenarios where there’s a requirement to run the gateways off of Azure in the same environments where API backends are hosted. The self-hosted gateway enables customers with hybrid IT infrastructure to manage APIs hosted on-premises and across clouds from a single API Management service in Azure.

168
Q

Policy configuration is divided into four categories when configuring API Management. What are the categories?

A

inbound, backend, outbound, and on-error

169
Q

In which language can we configure API management policies?

A

XML

170
Q

Which three types of API subscription scopes do we have?

A

All APIs: Applies to every API accessible from the gateway

Single API: This scope applies to a single imported API and all of its endpoints

Product: A product is a collection of one or more APIs that you configure in API Management. You can assign APIs to more than one product. Products can have different access rules, usage quotas, and terms of use.

171
Q

Why does every subscription have two keys, one primary and one secondary?

A

Having two keys makes it easier when you do need to regenerate a key. For example, if you want to change the primary key and avoid downtime, use the secondary key in your apps.

172
Q

How does one pass the subscription key in a request that is protected by Azure API Management?

A

By setting this header: Ocp-Apim-Subscription-Key

173
Q

What is the developer portal in Azure API Management?

A

Developer portal is an automatically generated, fully customizable website with the documentation of your APIs. It is where API consumers can discover your APIs, learn how to use them, request access, and try them out.

174
Q

In an Azure API Management policy, what variable is used for conditional statements?

A

choose: The choose policy applies enclosed policy statements based on the outcome of evaluation of boolean expressions, similar to an if-then-else or a switch construct in a programming language.

175
Q

In an Azure API Management policy, what variable is used to forward the incoming request to the backend service specified in the request context?

A

forward-request

176
Q

In an Azure API Management policy, what variable is used to prevent enclosed policies from executing by more than the specified number of requests at any time?

A

limit-concurrency

177
Q

In an Azure API Management policy, what variable is used when we want to send messages in the specified format to an Event Hub defined by a Logger entity?

A

log-to-eventhub

178
Q

In an Azure API Management policy, what variable is used when we want to return a mocked response to the caller?

A

mock-response

179
Q

In an Azure API Management policy, what variable is used when we want to set a retry policy?

A

retry

180
Q

In an Azure API Management policy, what variable is used when we want to abort pipeline execution and return either a default or custom response to the caller?

A

return-response

181
Q

What is Azure Event Grid?

A

Azure Event Grid is a serverless event broker that you can use to integrate applications using events. Events are delivered by Event Grid to subscriber destinations such as applications, Azure services, or any endpoint to which Event Grid has network access. The source of those events can be other applications, SaaS services and Azure services. Publishers emit events, but have no expectation about how the events are handled. Subscribers decide on which events they want to handle.

182
Q

Which two schemas does Azure Event Grid support?

A

Event Grid event schema and Cloud event schema

183
Q

What is the Event Grid event schema and what properties are in this schema?

A

It is Azure’s standard for creating an event. It consists of several properties like:
- topic
- subject
- eventType
- eventTime
- id
- data
- dataVersion

184
Q

What is the Cloud Event Schema?

A

CloudEvents simplifies interoperability by providing a common event schema for publishing, and consuming cloud based events. This schema allows for uniform tooling, standard ways of routing & handling events, and universal ways of deserializing the outer event schema. With a common schema, you can more easily integrate work across platforms.

185
Q

In an Event Grid schema what properties are required?

A
  • subject
  • eventType
  • eventTime
  • id
186
Q

Does Azure Event Grid guarantee order for event delivery?

A

No, Event Grid doesn’t guarantee order for event delivery, so subscribers may receive them out of order.

187
Q

What retry policy does Azure Event Grid support?

A

Retry the delivery, dead-letter the event, or drop the event based on the type of the error.

188
Q

Which two flags does the retry policy in Event Grid support?

A
  • Maximum number of attempts - The value must be an integer between 1 and 30. The default value is 30.
  • Event time-to-live (TTL) - The value must be an integer between 1 and 1440. The default value is 1440 minutes
189
Q

What is output batching in regards to Azure Event Grid?

A

You can configure Event Grid to batch events for delivery for improved HTTP performance in high-throughput scenarios.

190
Q

Which two settings does output batching have in regard to Azure Event Grid?

A

Max events per batch - Maximum number of events Event Grid delivers per batch. This number won’t be exceeded, however fewer events may be delivered if no other events are available at the time of publish. Event Grid doesn’t delay events to create a batch if fewer events are available. Must be between 1 and 5,000.

Preferred batch size in kilobytes - Target ceiling for batch size in kilobytes. Similar to max events, the batch size may be smaller if more events aren’t available at the time of publish. It’s possible that a batch is larger than the preferred batch size if a single event is larger than the preferred size. For example, if the preferred size is 4 KB and a 10-KB event is pushed to Event Grid, the 10-KB event will still be delivered in its own batch rather than being dropped.

191
Q

What are dead-letter events?

A

When Event Grid can’t deliver an event within a certain time period or after trying to deliver the event a number of times, it can send the undelivered event to a storage account. This process is known as dead-lettering.

192
Q

When does dead lettering happen?

A

- Event isn’t delivered within the time-to-live period.
- The number of tries to deliver the event exceeds the limit.

193
Q

Which built-in roles does Azure Event Grid come with?

A

- Event Grid Subscription Reader - Lets you read Event Grid event subscriptions.
- Event Grid Subscription Contributor - Lets you manage Event Grid event subscription operations.
- Event Grid Contributor - Lets you create and manage Event Grid resources.
- Event Grid Data Sender - Lets you send events to Event Grid topics.

194
Q

When we receive an event through HTTP with Azure Event Grid, how does it validate the endpoint it sends the request to? And how does it work?

A

Synchronous handshake: At the time of event subscription creation, Event Grid sends a subscription validation event to your endpoint. The schema of this event is similar to any other Event Grid event. The data portion of this event includes a validationCode property. Your application verifies that the validation request is for an expected event subscription, and returns the validation code in the response synchronously. This handshake mechanism is supported in all Event Grid versions.

Asynchronous handshake: In certain cases, you can’t return the ValidationCode in response synchronously. For example, if you use a third-party service (like Zapier or IFTTT), you can’t programmatically respond with the validation code.

195
Q

Which three options do we have for filtering events?

A

- Event types
- Subject begins with or ends with
- Advanced fields and operators

196
Q

What is Azure Event Hubs?

A

Azure Event Hubs is a big data streaming platform and event ingestion service. It can receive and process millions of events per second. Data sent to an event hub can be transformed and stored by using any real-time analytics provider or batching/storage adapters.

197
Q

Which key components does Azure Event Hubs include?

A
  • Event Hubs client
  • Event Hubs producer
  • Event Hubs consumer
  • partition
  • consumer group
  • Event receivers
  • Throughput units or processing units
198
Q

What is an Azure Event Hubs client?

A

An Event Hubs client is the primary interface for developers interacting with the Event Hubs client library. There are several different Event Hubs clients, each dedicated to a specific use of Event Hubs, such as publishing or consuming events.

199
Q

What is an Azure Event Hubs producer?

A

An Event Hubs producer is a type of client that serves as a source of telemetry data, diagnostics information, usage logs, or other log data, as part of an embedded device solution, a mobile device application, a game title running on a console or other device, some client or server based business solution, or a web site.

200
Q

What is an Azure Event Hubs consumer?

A

An Event Hubs consumer is a type of client that reads information from the Event Hubs and allows processing of it. Processing may involve aggregation, complex computation and filtering. Processing may also involve distribution or storage of the information in a raw or transformed fashion. Event Hubs consumers are often robust and high-scale platform infrastructure parts with built-in analytics capabilities, like Azure Stream Analytics, Apache Spark.

201
Q

What is an Azure Event Hubs partition?

A

A partition is an ordered sequence of events that is held in an Event Hubs. Partitions are a means of data organization associated with the parallelism required by event consumers. Azure Event Hubs provides message streaming through a partitioned consumer pattern in which each consumer only reads a specific subset, or partition, of the message stream. As newer events arrive, they’re added to the end of this sequence. The number of partitions is specified at the time an Event Hubs is created and can’t be changed.

202
Q

What is an Azure Event Hubs consumer group?

A

A consumer group is a view of an entire Event Hubs. Consumer groups enable multiple consuming applications to each have a separate view of the event stream, and to read the stream independently at their own pace and from their own position. There can be at most five concurrent readers on a partition per consumer group; however it’s recommended that there’s only one active consumer for a given partition and consumer group pairing. Each active reader receives all of the events from its partition; if there are multiple readers on the same partition, then they’ll receive duplicate events.

203
Q

What is Azure Event Hub Capture?

A

It is a feature of Azure Event Hubs that allows you to automatically capture the streaming data in Event Hubs and save it to a specified data store for later processing or analysis. It’s like turning on continuous data capture for your Event Hub.

204
Q

What is the partitioned consumer model?

A

In the context of Azure Event Hubs, the partitioned consumer model is used to facilitate the processing of large volumes of events in a scalable and parallel manner.

205
Q

What is a partition in regards to Azure Event Hub?

A

Partitions: When you create an Event Hub, you define a number of partitions. Each partition acts as an independent message queue that stores a sequence of events.

206
Q

What is Event Hubs traffic controlled by?

A

Throughput units. A single throughput unit allows 1 MB per second or 1000 events per second of ingress and twice that amount of egress.

207
Q

In .NET how do we scale our processing in regards to Azure Event Hub?

A

We use the EventProcessorClient class. Clients will automatically manage distribution and balancing of work as instances become available or unavailable for the group.

208
Q

What is checkpointing in regards to Azure Event Hub?

A

Checkpointing is a process by which an event processor marks or commits the position of the last successfully processed event within a partition. Marking a checkpoint is typically done within the function that processes the events and occurs on a per-partition basis within a consumer group.

209
Q

Which three roles does Azure Event Hubs have?

A
  • Azure Event Hubs Data Owner: Use this role to give complete access to Event Hubs resources.
  • Azure Event Hubs Data Sender: Use this role to give send access to Event Hubs resources.
  • Azure Event Hubs Data Receiver: Use this role to give receiving access to Event Hubs resources.
210
Q

Which two types of queue does Azure support?

A

- Service Bus queues
- Storage queues

211
Q

What are Azure Service Bus queues?

A

Service Bus queues are part of a broader Azure messaging infrastructure that supports queuing, publish/subscribe, and more advanced integration patterns. They’re designed to integrate applications or application components that may span multiple communication protocols, data contracts, trust domains, or network environments.

212
Q

What are Azure Storage queues?

A

Storage queues are part of the Azure Storage infrastructure. They allow you to store large numbers of messages. You access messages from anywhere in the world via authenticated calls using HTTP or HTTPS. A queue may contain millions of messages, up to the total capacity limit of a storage account. Queues are commonly used to create a backlog of work to process asynchronously.

213
Q

When should one consider using Service Bus queues?

A
  • Your solution needs to receive messages without having to poll the queue.
  • Your solution requires the queue to provide a guaranteed first-in-first-out (FIFO) ordered delivery.
  • Your solution needs to support automatic duplicate detection.
  • You want your application to process messages as parallel long-running streams
  • Your solution requires transactional behavior and atomicity when sending or receiving multiple messages from a queue.
  • Your application handles messages that can exceed 64 KB but won’t likely approach the 256-KB limit.
214
Q

When should one consider using Storage queues?

A
  • Your application must store over 80 gigabytes of messages in a queue.
  • Your application wants to track progress for processing a message in the queue. It’s useful if the worker processing a message crashes. Another worker can then use that information to continue from where the prior worker left off.
  • You require server side logs of all of the transactions executed against your queues.
215
Q

Which two tiers does Azure Service Bus support and what are the differences?

A

The main difference is a higher throughput rather than variable. And the same thing goes for latency. It also has a fixed pricing when choosing premium, the ability to scale and support larger messages.

216
Q

In which two modes can messages be received from Azure Service Bus?

A

Receive and delete or Peek lock.

217
Q

What is the receive and delete mode in Azure Service Bus?

A

In this mode, when Service Bus receives the request from the consumer, it marks the message as consumed and returns it to the consumer application.

218
Q

When should one choose the receive and delete mode in Azure Service Bus?

A

It works best for scenarios in which the application can tolerate not processing a message if a failure occurs. For example, consider a scenario in which the consumer issues the receive request and then crashes before processing it. As Service Bus marks the message as consumed, the application begins consuming messages upon restart. It misses the message that it consumed before the crash.

219
Q

What is peek lock mode in Azure Service Bus and how does it work?

A

In this mode, the receive operation becomes two-stage, which makes it possible to support applications that can’t tolerate missing messages.

  1. Finds the next message to be consumed, locks it to prevent other consumers from receiving it, and then returns the message to the application.
  2. After the application finishes processing the message, it requests the Service Bus service to complete the second stage of the receive process. Then, the service marks the message as consumed.
220
Q

When should one choose the peek lock mode in Azure Service Bus?

A

When applications can’t tolerate missing messages.

221
Q

Which methods can we configure in Azure Service Bus?

A
  • Simple request/reply
  • Multicast request/reply
  • Multiplexing
  • Multiplexed request/reply
222
Q

What is simple request/reply method in regards to Azure Service Bus?

A

Simple request/reply: A publisher sends a message into a queue and expects a reply from the message consumer. The publisher owns a queue to receive the replies. The address of that queue is contained in the ReplyTo property of the outbound message. When the consumer responds, it copies the MessageId of the handled message into the CorrelationId property of the reply message and delivers the message to the destination indicated by the ReplyTo property. One message can yield multiple replies, depending on the application context.

223
Q

What is Multicast request/reply method in regards to Azure Service Bus?

A

Multicast request/reply: As a variation of the prior pattern, a publisher sends the message into a topic and multiple subscribers become eligible to consume the message. Each of the subscribers might respond in the fashion described previously. If ReplyTo points to a topic, such a set of discovery responses can be distributed to an audience.

224
Q

What is Multiplexing method in regards to Azure Service Bus?

A

Multiplexing: This session feature enables multiplexing of streams of related messages through a single queue or subscription such that each session (or group) of related messages, identified by matching SessionId values, are routed to a specific receiver while the receiver holds the session under lock.

225
Q

What is Multiplexed request/reply method in regards to Azure Service Bus?

A

Multiplexed request/reply: This session feature enables multiplexed replies, allowing several publishers to share a reply queue. By setting ReplyToSessionId, the publisher can instruct the consumer(s) to copy that value into the SessionId property of the reply message. The publishing queue or topic doesn’t need to be session-aware. When the message is sent the publisher can wait for a session with the given SessionId to materialize on the queue by conditionally accepting a session receiver.

226
Q

Which of the following advanced features of Azure Service Bus creates a first-in, first-out (FIFO) guarantee?

A

Message Sessions

227
Q

Explain the load-leveling benefit in regard to Azure Service Bus.

A

Enables producers and consumers to send and receive messages at different rates. Intermediating message producers and consumers with a queue means that the consuming application only has to be able to handle average load instead of peak load.

228
Q

What is Application Insights?

A

Application Insights is an extension of Azure Monitor and provides Application Performance Monitoring (also known as “APM”) features. APM tools are useful to monitor applications from development, through test, and into production in the following ways:
- Proactively understand how an application is performing.
- Reactively review application execution data to determine the cause of an incident.

229
Q

What are some of the features of Application Insights?

A
  • Live Metrics: Observe activity from your deployed application in real time with no effect on the host environment.
  • Availability: Also known as “Synthetic Transaction Monitoring”, probe your application’s external endpoint(s) to test the overall availability and responsiveness over time.
  • GitHub or Azure DevOps integration: Create GitHub or Azure DevOps work items in context of Application Insights data.
  • Usage: Understand which features are popular with users and how users interact and use your application
  • Smart Detection: Automatic failure and anomaly detection through proactive telemetry analysis.
  • Application Map: A high level top-down view of the application architecture and at-a-glance visual references to component health and responsiveness.
  • Distributed Tracing: Search and visualize an end-to-end flow of a given execution or transaction.
230
Q

What are some of the things that Application Insights monitors?

A
  1. Request rates, response times, and failure rates - Find out which pages are most popular, at what times of day, and where your users are. See which pages perform best. If your response times and failure rates go high when there are more requests, then perhaps you have a resourcing problem.
  2. Dependency rates, response times, and failure rates - Find out whether external services are slowing you down.
  3. Exceptions - Analyze the aggregated statistics, or pick specific instances and drill into the stack trace and related requests. Both server and browser exceptions are reported.
  4. Page views and load performance - reported by your users’ browsers.
  5. AJAX calls from web pages - rates, response times, and failure rates.
  6. User and session counts.
  7. Performance counters from your Windows or Linux server machines, such as CPU, memory, and network usage.
  8. Host diagnostics from Docker or Azure.
  9. Diagnostic trace logs from your app - so that you can correlate trace events with requests.
  10. Custom events and metrics that you write yourself in the client or server code, to track business events such as items sold or games won.
231
Q

Which two logging methods does Application Insights support?

A

- Log-based metrics
- Standard metrics

232
Q

What are Application Insights log-based metrics?

A

Log-based metrics are custom metrics derived from the log data or telemetry data. They are essentially custom queries written against the logs. They include any custom data that developers want to track and are not limited to predefined standard metrics.

233
Q

What are Application Insights standard metrics?

A

Standard metrics are aggregated and collected by default without requiring any additional configuration. They include metrics like request rates, failure rates, dependency rates, exceptions, and host diagnostics (CPU, memory usage, etc.).

234
Q

Which two ways can one add Application Insights to an application?

A

Application Insights is enabled through either Auto-Instrumentation (agent) or by adding the Application Insights SDK to your application code.

235
Q

How does enabling Application Insights for an application through Auto-Instrumentation (agent) work?

A

Auto-instrumentation is the preferred instrumentation method. It requires no developer investment and eliminates future overhead related to updating the SDK. In essence, all you have to do is enable and - in some cases - configure the agent, which collects the telemetry automatically.

236
Q

How does enabling Application Insights through the Application Insights SDK work?

A

To use the SDK, you install a small instrumentation package in your app and then instrument the web app, any background components, and JavaScript within the web pages. The app and its components don’t have to be hosted in Azure. The instrumentation monitors your app and directs the telemetry data to an Application Insights resource by using a unique token.

237
Q

What three types of availability tests can we have in Application Insights?

A
  • URL ping test (classic): You can create this test through the portal to validate whether an endpoint is responding and measure performance associated with that response. You can also set custom success criteria coupled with more advanced features, like parsing dependent requests and allowing for retries.
  • Standard test (Preview): This single request test is similar to the URL ping test. It includes SSL certificate validity, proactive lifetime check, HTTP request verb (for example GET, HEAD, or POST), custom headers, and custom data associated with your HTTP request.
  • Custom TrackAvailability test: If you decide to create a custom application to run availability tests, you can use the TrackAvailability() method to send the results to Application Insights.
238
Q

Azure Cache for Redis improves application performance by supporting common application architecture patterns, what patterns does it support?

A
  • Data cache
  • Content cache
  • Session store
  • Job and message queuing
  • Distributed transactions
239
Q

What are the service tiers supported in Azure Cache for Redis?

A
  • Basic
  • Standard
  • Premium
  • Enterprise
  • Enterprise Flash
240
Q

Which service tier supports Redis modules in regards to Azure Redis cache?

A

Enterprise

241
Q

What should you consider regarding location when enabling Azure Redis Cache?

A

You should always place your cache instance and your application in the same region. Connecting to a cache in a different region can significantly increase latency and reduce reliability. If you’re connecting to the cache outside of Azure, then select a location close to where the application consuming the data is running.

242
Q

Which service tiers in Azure Cache for Redis support clustering?

A

With the Premium, Enterprise, and Enterprise Flash tiers you can implement clustering to automatically split your dataset among multiple nodes.

243
Q

Which client library is recommended to work with Redis in .NET?

A

StackExchange.Redis

244
Q

By using StackExchange.Redis how can one set and read a value?

A

bool setValue = await db.StringSetAsync("test:key", "100");
string getValue = await db.StringGetAsync("test:key");

245
Q

What is the expire time resolution in Azure redis cache TTL?

A

1 millisecond

246
Q

In Blob Storage, when using a SAS, what permissions do we have and how do they differ?

A

- Read: Read the content, metadata, properties etc.
- Add: Add a block to an append blob
- Create: Write a new blob
- Write: Create or write content of a blob (updating)
- Delete: Deleting a blob

247
Q

Where should one create the stored access policies that will apply to shared access signatures generated for the blobs?

A

The container that is hosting the blob

248
Q

What is the difference between the “b” and the “c” value when creating a SAS?

A

“b” grants the token at the blob level and “c” grants the token at the container level.

249
Q

We want to encrypt the information in our configuration by using our own managed key that is stored in Azure Key Vault. How do we enable the customer-managed key capability?

A
  1. Assign a managed identity to the Azure Configuration Instance
  2. Grant the identity GET, WRAP and UNWRAP permissions
250
Q

What is the terminal command to delete an image with the tag “dev/nginx:latest” from an Azure container registry named devregistry?

A

az acr repository delete --name devregistry --image dev/nginx:latest

251
Q

What does the “az acr manifest” command do?

A

It enables commands related to the manifest of the artifact and not the image.

252
Q

When we want to swap a staging and a production environment, where can we configure that the connection strings will not be swapped?

A

In the deployment slot settings

253
Q

What is the ARR Affinity setting when configuring web app settings?

A

The ARR Affinity setting ensures a client application is routed to the same instance for the life of the session.

254
Q

How does one reference a Key Vault secret in an Azure service?

A

@Microsoft.KeyVault(SecretName=secret;VaultName=name)

255
Q

How does one configure the triggers and bindings in a C# script in regard to Azure Functions?

A

We create a function.json file for each function

256
Q

When creating a cron expression, how do we specify an increment?

A

With the / symbol before the number. Example: 0 */5 * * * * runs every 5 minutes.

257
Q

What is the format of the cron expressions?

A
  1. Seconds
  2. Minutes
  3. Hours
  4. Days
  5. Month
  6. Day of the week
258
Q

How to find the outbound IP addresses currently used by your app in the Azure CLI?

A

az webapp show \
--resource-group <group_name> \
--name <app_name> \
--query outboundIpAddresses \
--output tsv

259
Q

How to find all possible outbound IP addresses for your app in the Azure CLI?

A

az webapp show \
--resource-group <group_name> \
--name <app_name> \
--query possibleOutboundIpAddresses \
--output tsv

260
Q

How do we enable stream logs live in Cloud Shell?

A

az webapp log tail --name <YourAppName> --resource-group <YourResourceGroup>

261
Q

How do we add a lifecycle policy with Azure CLI?

A

az storage account management-policy create \
--account-name <storage-account> \
--policy @policy.json \
--resource-group <resource-group>

262
Q

How to create a storage account in Azure CLI

A

az storage account create --resource-group az204-blob-rg --name <myStorageAcct> --location <myLocation> --sku Standard_LRS

263
Q

How to build and push an image from a Dockerfile to Azure Container Registry?

A

az acr build --image sample/hello-world:v1 \
--registry <myContainerRegistry> \
--file Dockerfile .

264
Q

How to list the repositories in Azure Container Registry using Azure CLI?

A

az acr repository list --name <myContainerRegistry> --output table

265
Q

How to list the tags in a repository in Azure Container Registry?

A

az acr repository show-tags --name <myContainerRegistry> \
--repository sample/hello-world --output table

266
Q

How to run an image in Azure Container Registry using Azure CLI?

A

az acr run --registry <myContainerRegistry> \
--cmd '$Registry/sample/hello-world:v1' /dev/null

267
Q

How to create a container in Azure CLI?

A

az container create --resource-group az204-aci-rg \
--name mycontainer \
--image mcr.microsoft.com/azuredocs/aci-helloworld \
--ports 80 \
--dns-name-label $DNS_NAME_LABEL --location <myLocation>

268
Q

How to specify a restart policy in Azure Container Instances?

A

az container create \
--resource-group myResourceGroup \
--name mycontainer \
--image mycontainerimage \
--restart-policy OnFailure

269
Q

How can we set environment variables in container instances?

A

az container create \
--resource-group myResourceGroup \
--name mycontainer2 \
--image mcr.microsoft.com/azuredocs/aci-wordcount:latest \
--restart-policy OnFailure \
--environment-variables 'NumWords'='5' 'MinLength'='8'

270
Q

How can we define secret values in Azure Container Instance, and publish it using azure CLI?

A

In the YAML configuration file, one can specify a secret by setting the secureValue property in the environment properties instead of the regular value property. To deploy it, one can do it like this:
az container create --resource-group myResourceGroup \
--file secure-env.yaml

271
Q

How can we mount an Azure file share in Azure Container Instances using Azure CLI?

A

az container create --resource-group $ACI_PERS_RESOURCE_GROUP --name hellofiles --image mcr.microsoft.com/azuredocs/aci-hellofiles --dns-name-label aci-demo --ports 80 --azure-file-volume-account-name $ACI_PERS_STORAGE_ACCOUNT_NAME --azure-file-volume-account-key $STORAGE_KEY --azure-file-volume-share-name $ACI_PERS_SHARE_NAME --azure-file-volume-mount-path /aci/logs/

272
Q

How can we create a container app in Azure CLI?

A

az containerapp create \
--name my-container-app \
--resource-group $myRG \
--environment $myAppContEnv \
--image mcr.microsoft.com/azuredocs/containerapps-helloworld:latest \
--target-port 80 \
--ingress 'external' \
--query properties.configuration.ingress.fqdn

273
Q

When creating a container app using the Azure CLI, what does setting the ingress flag to ‘external’ do?

A

By setting --ingress to external, you make the container app available to public requests. The command returns a link to access your app.

274
Q

How can we update our container app?

A

az containerapp update \
--name <APPLICATION_NAME> \
--resource-group <RESOURCE_GROUP_NAME> \
--image <IMAGE_NAME>

275
Q

What is a revision in Azure Container Apps?

A

In the context of Azure Container Apps, a “revision” refers to a specific version or configuration of your containerized application. When you deploy or update an app in Azure Container Apps, the platform keeps track of the different configurations and versions of your app by creating a new revision for each change

276
Q

How can we define secrets when creating an Azure Container App using the Azure CLI?

A

az containerapp create \
--resource-group "my-resource-group" \
--name queuereader \
--environment "my-environment-name" \
--image demos/queuereader:v1 \
--secrets "queue-connection-string=$CONNECTION_STRING"

277
Q

How can we reference secrets to create environment variables in Azure Container Apps?

A

az containerapp create \
--resource-group "my-resource-group" \
--name myQueueApp \
--environment "my-environment-name" \
--image demos/myQueueApp:v1 \
--secrets "queue-connection-string=$CONNECTIONSTRING" \
--env-vars "QueueName=myqueue" "ConnectionString=secretref:queue-connection-string"

278
Q

How can we create an Azure Key Vault with Azure CLI?

A

az keyvault create --name $myKeyVault --resource-group az204-vault-rg --location $myLocation

279
Q

How can we add a secret to a keyvault using Azure CLI?

A

az keyvault secret set --vault-name $myKeyVault --name "ExamplePassword" --value "hVFkk965BuUv"

280
Q

How can we retrieve a secret from a keyvault using Azure CLI?

A

az keyvault secret show --name "ExamplePassword" --vault-name $myKeyVault

281
Q

How can we enable system-assigned managed identity during creation of an Azure Virtual Machine?

A

az vm create --resource-group myResourceGroup \
--name myVM --image win2016datacenter \
--generate-ssh-keys \
--assign-identity \
--role contributor \
--scope mySubscription \
--admin-username azureuser \
--admin-password myPassword12

282
Q

How can we enable system-assigned managed identity on an existing Azure virtual machine?

A

az vm identity assign -g myResourceGroup -n myVm

283
Q

How can we create a user-assigned identity?

A

az identity create -g myResourceGroup -n myUserAssignedIdentity

284
Q

How can we assign a user-assigned managed identity during the creation of an Azure virtual machine?

A

az vm create \
--resource-group <RESOURCE> \
--name <VM> \
--image Ubuntu2204 \
--admin-username <USER> \
--admin-password <PASSWORD> \
--assign-identity <USER> \
--role <ROLE> \
--scope <SUBSCRIPTION>

285
Q

How can we create an Azure API Management using the Azure CLI?

A

az apim create -n $myApiName \
--location $myLocation \
--publisher-email $myEmail \
--resource-group az204-apim-rg \
--publisher-name AZ204-APIM-Exercise \
--sku-name Consumption

286
Q

In Azure Event Grid how can we create a custom topic using the Azure CLI?

A

az eventgrid topic create --name $myTopicName \
--location $myLocation \
--resource-group az204-evgrid-rg

287
Q

In Azure Event Grid how can we create a message endpoint using the Azure CLI?

A

az deployment group create \
--resource-group az204-evgrid-rg \
--template-uri "https://raw.githubusercontent.com/Azure-Samples/azure-event-grid-viewer/main/azuredeploy.json" \
--parameters siteName=$mySiteName hostingPlanName=viewerhost

288
Q

In Azure Event Grid how can we subscribe to a custom topic using the Azure CLI?

A

az eventgrid event-subscription create \
--source-resource-id "/subscriptions/$subId/resourceGroups/az204-evgrid-rg/providers/Microsoft.EventGrid/topics/$myTopicName" \
--name az204ViewerSub \
--endpoint $endpoint

289
Q

How can we create an Azure Service Bus namespace?

A

az servicebus namespace create \
--resource-group az204-svcbus-rg \
--name $myNameSpaceName \
--location $myLocation

290
Q

How can we create an Azure Service Bus queue using Azure CLI?

A

az servicebus queue create --resource-group az204-svcbus-rg \
--namespace-name $myNameSpaceName \
--name az204-queue

291
Q

How can we create an Azure Redis Cache?

A

az redis create --location <myLocation> \
--resource-group az204-redis-rg \
--name $redisName \
--sku Basic --vm-size c0

292
Q

What does the Azure cdn purge do?

A

The Azure CLI provides a special purge verb that will unpublish cached assets from an endpoint.

293
Q

When should one purge the CDN?

A

This is very useful if you have an application scenario where a large amount of data is invalidated and should be updated in the cache.

294
Q

How can we purge a cdn with Azure CLI?

A

az cdn endpoint purge \
--content-paths '/css/*' '/js/app.js' \
--name ContosoEndpoint \
--profile-name DemoProfile \
--resource-group ExampleGroup

295
Q

How can we prepopulate our cache CDN with Azure CLI?

A

az cdn endpoint load \
--content-paths '/img/*' '/js/module.js' \
--name ContosoEndpoint \
--profile-name DemoProfile \
--resource-group ExampleGroup

296
Q

What is the HTTP verb to create metadata for blobs in Azure Blob Storage?

A

PUT

297
Q

You need to create a prefixMatch filter rule that will contain an array of strings for prefixes to be matched. What should be the first element of the prefix string?

A

The container name needs to be first

298
Q

In .NET, how can we set a duration of 10 seconds for a key stored in Azure Cache for Redis?

A

db.StringSetAsync("key", "value", TimeSpan)

299
Q

You need to load data on demand into the cache from a large database. Which application architecture pattern should you use?

A

Data cache

300
Q

What is the difference between data cache and content cache?

A

Data cache: Improves the performance and scalability of applications by storing the results of database queries or the results of computations.
Content cache: Used for caching entire pages or page fragments to accelerate web applications by reducing the time to render and serve content

301
Q

You need to track the availability of an Azure App Service web app by using an Application Insights multi-step availability test. Which tool should you use?

A

Visual Studio

302
Q

Which API methods does the Application Insights API have and what do they do?

A

TrackPageView: Pages, screens, panes, or forms.
TrackEvent: User actions and other events. Used to track user behavior or to monitor performance.
GetMetric: Zero and multidimensional metrics, centrally configured aggregation, C# only.
TrackMetric: Performance measurements such as queue lengths not related to specific events.
TrackException: Logging exceptions for diagnosis. Trace where they occur in relation to other events and examine stack traces.
TrackRequest: Logging the frequency and duration of server requests for performance analysis.
TrackTrace: Resource Diagnostic log messages. You can also capture third-party logs.
TrackDependency: Logging the duration and frequency of calls to external components that your app depends on.

303
Q

You need to choose an Application Insights log type. The requirements are:
Minimize the volume of data ingested into Application Insights.
Maximize the accuracy of the collected metrics.

A

Using standard metrics both minimizes the volume of data ingested into Application Insights and maximizes the accuracy of the collected metrics.

304
Q

What is the difference between an APIs scope and a product scope in Azure API Management?

A

API Scope: Policies are applied to all operations within a specific API.
Product Scope: Policies are applied to all APIs associated with a specific product.

305
Q

How can we add a partition to an event hub using Azure CLI?

A

az eventhubs eventhub update --resource-group MyResourceGroupName --namespace-name MyNamespaceName --name MyEventHubName --partition-count 12

306
Q

You need to capture events streaming from Azure Event Hubs. To which three locations can you capture data?

A

Azure Blob Storage, Azure Data Lake Storage Gen1 and Azure Data Lake Storage Gen2

307
Q

Which three filters does Azure Service Bus support?

A

SQL Filters
Boolean Filters
Correlation Filters

308
Q

You are developing a .NET project that will manage messages in Azure Storage queues. You need to verify the presence of messages in a queue without removing them from the queue. What method should you use?

A

PeekMessages

309
Q

You plan to use Microsoft Graph to retrieve a list of users in a Microsoft Entra ID tenant. You need to optimize query results. Which two query options should you use?

A

The $filter query option must be used to limit the results returned. The $select query option limits the attributes projected from the result set, making the query more efficient

310
Q

What role does a person need to create, or enable, an Azure virtual machine with the system-assigned managed identity?

A

Virtual Machine Contributor

311
Q

How can we update a secret from a keyvault using Azure CLI?

A

az keyvault key rotate --vault-name mykeyvault --name mykey

312
Q

You need to delete an image with the tag dev/nginx:latest from an Azure container registry named devregistry. How can we do this in the Azure CLI?

A

az acr repository delete --name devregistry --image dev/nginx:latest

313
Q

You plan to develop an Azure App Service web app named app1 by using a Windows custom container. You need to load a TLS/SSL certificate in application code. Which app setting should you configure?

A

WEBSITE_LOAD_CERTIFICATES

314
Q

What is the difference between scaling out and up?

A

Scaling Out (Horizontal Scaling):
- Definition: Scaling out involves adding more nodes or instances to a system to distribute the load evenly and handle increased traffic.
Scaling Up (Vertical Scaling):
- Definition: Scaling up involves increasing the resources (like CPU, memory, or storage) of an existing node or instance to enhance its capacity to handle more load.

315
Q

Which service tier does Microsoft Defender for Cloud have?

A

Free Tier:
- Features: The Free tier provides basic security features such as continuous assessment and actionable security recommendations. You get visibility into the security state of your Azure resources and can use it to improve your overall security posture.
- Cost: The Free tier is available at no additional cost.
- Limitations: It does not include advanced threat detection capabilities.
Standard Tier:
- Features: The Standard tier includes everything in the Free tier along with advanced features such as:
Advanced threat protection for Azure services (such as Virtual Machines, Databases, Storage, etc.)
Adaptive application control and network hardening
Just-in-time VM access
Regulatory compliance dashboard
Integration with SIEM solutions like Azure Sentinel
- Cost: The Standard tier is a paid offering, and pricing details can be found on the official Microsoft Azure pricing page.

316
Q

What is Microsoft Defender for Cloud?

A

Microsoft Defender for Cloud is a cloud-native security service offered by Microsoft to help protect your workloads in Azure, as well as in other cloud and on-premises environments. It provides advanced threat protection, security posture management, and increased visibility into the security state of your resources. Microsoft Defender for Cloud is built to integrate seamlessly with Azure services and helps in detecting and mitigating threats, identifying vulnerabilities, and ensuring compliance with security standards.

317
Q

We want to host a static website that uses a custom domain and Azure Storage. What should be the name of the storage container?

A

$web

318
Q
A
319
Q

You create an Azure web app locally. The web app consists of a ZIP package.

You need to deploy the web app by using the Azure CLI. The deployment must reduce the likelihood of locked files.

What should you do?

A

Run az webapp deploy to a staging slot with auto swap on.

320
Q

What does ‘az webapp deploy --clean true’ do?

A

If --clean true is used, the target folder is cleaned.

321
Q

What does ‘az webapp deploy --restart true’ do?

A

Restarts the app after deployment

322
Q

You need to configure a web app to allow external requests from https://myapps.com.

Which Azure CLI command should you use?

A

az webapp cors add -g MyResourceGroup -n MyWebApp --allowed-origins https://myapps.com

323
Q

In a web app, how can we configure traffic routing to a deployment slot named myapps?

A

az webapp traffic-routing set --distribution myapps=100 --name MyWebApp --resource-group MyResourceGroup

324
Q

How can we create an access restriction in a web app using Azure CLI?

A

az webapp config access-restriction add -g MyResourceGroup -n MyWebApp --rule-name external --action Allow --ids myapps --priority 200

325
Q

What is the On-Behalf-Of authentication flow?

A

OAuth 2.0 On-Behalf-Of flow (OBO) is used when an application invokes a service or web API, which in turn needs to call another service or web API. The idea is to propagate the delegated user identity and permissions through the request chain.

326
Q

What is the authorization code authentication flow?

A

The OAuth 2.0 authorization code grant can be used in apps that are installed on a device to gain access to protected resources, such as web APIs.

327
Q

What is the client credentials authentication flow?

A

The OAuth 2.0 client credentials grant flow permits a web service (confidential client) to use its own credentials, instead of impersonating a user, to authenticate when calling another web service.

328
Q

What is the implicit authentication flow?

A

Suited for clients that are implemented in a browser using a scripting language such as JavaScript. In the implicit flow, instead of handling the authorization code, an access token is returned directly. It’s less secure than the Authorization Code grant and doesn’t allow for refresh tokens.

329
Q

What does purgeProtection do in regards to Azure Key Vault?

A

Purge protection is an optional Key Vault behavior and is not enabled by default. Purge protection can only be enabled once soft-delete is enabled.
When purge protection is on, a vault or an object in the deleted state cannot be purged until the retention period has passed. Soft-deleted vaults and objects can still be recovered, ensuring that the retention policy will be followed.
The default retention period is 90 days, but it is possible to set the retention policy interval to a value from 7 to 90 days through the Azure portal. Once the retention policy interval is set and saved it cannot be changed for that vault.

330
Q

What does softDelete do in regards to Azure Key Vault?

A

When soft-delete is enabled, resources marked as deleted resources are retained for a specified period (90 days by default). The service further provides a mechanism for recovering the deleted object, essentially undoing the deletion.

331
Q

What command should we use to create a monitor alert in Azure CLI?

A

az monitor metrics alert create -n myAlert -g myResourceGroups --scopes targetResourceId

332
Q

When creating a metrics alert with the Azure CLI, what does the --window-size flag do?

A

The time over which to aggregate metrics, in “##h##m##s” format.

333
Q

What property should we use to control the number of instances of an Azure Functions app that will be created?

A

WEBSITE_MAX_DYNAMIC_APPLICATION_SCALE_OUT

334
Q

Your function app has a resource shortage and you need to give a 429 ‘busy response’ to the client. Which property should one use?

A

maxConcurrentRequests

335
Q

In the host.json file, when configuring an Azure Function, what does the customHeaders property do and what is its default value?

A

Allows you to set custom headers in the HTTP response.
Default value: none

336
Q

In the host.json file, when configuring an Azure Function, what does the dynamicThrottlesEnabled property do and what is its default value?

A

When enabled, this setting causes the request processing pipeline to periodically check system performance counters like connections/threads/processes/memory/cpu/etc and if any of those counters are over a built-in high threshold (80%), requests will be rejected with a 429 “Too Busy” response until the counter(s) return to normal levels.
The default in a Consumption plan is true. The default in a Dedicated plan is false

337
Q

In the host.json file, when configuring an Azure Function, what does the hsts property do and what is its default value?

A

When isEnabled is set to true, the HTTP Strict Transport Security (HSTS) behavior of .NET Core is enforced, as defined in the HstsOptions class. The above example also sets the maxAge property to 10 days.
Default Value: Not Enabled

338
Q

What is HTTP Strict Transport Security (HSTS)?

A

HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps to protect websites against certain types of attacks such as protocol downgrade attacks and cookie hijacking. HSTS is designed to force browsers or other complying user agents to interact with the server using only secure HTTPS connections and not HTTP.

339
Q

In the host.json file, when configuring an Azure Function, what does the maxConcurrentRequests property do and what is its default value?

A

The maximum number of HTTP functions that are executed in parallel. This value allows you to control concurrency, which can help manage resource utilization.
The default for a Consumption plan is 100. The default for a Dedicated plan is unbounded (-1)

340
Q

In the host.json file, when configuring an Azure Function, what does the maxOutstandingRequests property do and what is its default value?

A

The maximum number of outstanding requests that are held at any given time. This limit includes requests that are queued but have not started executing, as well as any in progress executions. Any incoming requests over this limit are rejected with a 429 “Too Busy” response.
The default for a Consumption plan is 200. The default for a Dedicated plan is unbounded (-1).

341
Q

What is data cache application architecture pattern?

A

Databases are often too large to load directly into a cache. It’s common to use the cache-aside pattern to load data into the cache only as needed. When the system makes changes to the data, the system can also update the cache, which is then distributed to other clients. Additionally, the system can set an expiration on data, or use an eviction policy to trigger data updates into the cache.

342
Q

What is content cache application architecture pattern?

A

Many web pages are generated from templates that use static content such as headers, footers, banners. These static items shouldn’t change often. Using an in-memory cache provides quick access to static content compared to backend datastores. This pattern reduces processing time and server load, allowing web servers to be more responsive. It can allow you to reduce the number of servers needed to handle loads. Azure Cache for Redis provides the Redis Output Cache Provider to support this pattern with ASP.NET.

343
Q

What is session store application architecture pattern?

A

This pattern is commonly used with shopping carts and other user history data that a web application might associate with user cookies. Storing too much in a cookie can have a negative effect on performance as the cookie size grows and is passed and validated with every request. A typical solution uses the cookie as a key to query the data in a database. Using an in-memory cache, like Azure Cache for Redis, to associate information with a user is faster than interacting with a full relational database.

344
Q

What is Job and message queuing application architecture pattern?

A

Applications often add tasks to a queue when the operations associated with the request take time to execute. Longer running operations are queued to be processed in sequence, often by another server. This method of deferring work is called task queuing. Azure Cache for Redis provides a distributed queue to enable this pattern in your application.

345
Q

What is Distributed transactions application architecture pattern?

A

Applications sometimes require a series of commands against a backend data-store to execute as a single atomic operation. All commands must succeed, or all must be rolled back to the initial state. Azure Cache for Redis supports executing a batch of commands as a single transaction.

346
Q

What is the main component in .NET when connecting to a Redis Cache?

A

The main connection object in StackExchange.Redis is the StackExchange.Redis.ConnectionMultiplexer class. This object abstracts the process of connecting to a Redis server (or group of servers). It’s optimized to manage connections efficiently and intended to be kept around while you need access to the cache.

347
Q

When do we need to use manual instrumentation of enabling Application Insights?

A

If you need to make custom API calls to track events/dependencies not captured by default with autoinstrumentation monitoring, you need to use this method

348
Q

What is dependency tracking in Application Insights?

A

A dependency is a component that’s called by your application. It’s typically a service called by using HTTP, a database, or a file system. Application Insights measures the duration of dependency calls and whether it’s failing or not, along with information like the name of the dependency. You can investigate specific dependency calls and correlate them to requests and exceptions.

349
Q

You develop an Azure function that connects to a SQL database. The function is instrumented by using Application Insights.

You need to view the full SQL query text when inspecting the Dependency tab in Application Insights.

Which two settings in the host.json file should you use?

A

Azure Functions requires setting “EnableDependencyTracking” to true in the host.json file. Azure Functions requires setting “enableSqlCommandTextInstrumentation” to true in the host.json file.

350
Q

Which Application Insights parameter should we use to configure a web app to send telemetry data to Application Insights?

A

Instrumentation key.

351
Q

When you have a web app configured with Application Insights, where do we configure alerts?

A

Alerts need to be configured inside insight1 and not the web app. You can use the data shown with each component to diagnose performance bottlenecks and failure hotspots. It needs to be configured inside insight1 and not the web app. Usage analysis provides information about an app’s users and needs to be configured in insight1, not the web app.

352
Q

What is pre-aggregated metrics?

A

It is the same as standard metrics, so it gives a view based on requests, CPU usage, etc.

353
Q

What delegation is not supported by using stored access policies?

A

Stored access policies are not supported for the user delegation SAS or the account SAS.

354
Q

Where do we define a stored access policy?

A

The container that is hosting blobs

355
Q

What is the command to create or modify a stored access policy?

A

Set Container ACL

356
Q

What is the client credentials authentication flow?

A

The Microsoft identity platform supports the device authorization grant, which allows users to sign in to input-constrained devices such as a smart TV, IoT device, or a printer. To enable this flow, the device has the user visit a webpage in a browser on another device to sign in. Once the user signs in, the device is able to get access tokens and refresh tokens as needed.

357
Q

What two options do we have for organizing keys in Azure App Configuration?

A

Key prefixes
Labels

358
Q

What is the difference between a system-assigned managed identity and a user-assigned identity in regards to rotation of secrets?

A

With a system-assigned managed identity we avoid managing the rotation of secrets, but with a user-assigned managed identity the secret rotation needs to be managed.

359
Q

What are the two service tiers in Azure App Configuration?

A

Standard tier offers:
- Encryption with customer-managed keys
- 30,000 instead of 1000 a day
- 1 GB of storage instead of 10 MB
- Has an SLA

360
Q
A