AZ 204 questions Flashcards

Question 1

Q

You have two Hyper-V hosts named Host1 and Host2. Host1 has an Azure virtual machine
named VM1 that was deployed by using a custom Azure Resource Manager template.
You need to move VM1 to Host2.
What should you do?
A. From the Update management blade, click Enable.
B. From the Overview blade, move VM1 to a different subscription.
C. From the Redeploy blade, click Redeploy.
D. From the Profile blade, modify the usage location.

Answer

A

Answer: C
Explanation:
When you redeploy a VM, it moves the VM to a new node within the Azure infrastructure and
then powers it back on, retaining all your configuration options and associated resources.

Question 2

Q

Your company has an Azure Kubernetes Service (AKS) cluster that you manage from an Azure
AD-joined device. The cluster is located in a resource group.
Developers have created an application named MyApp. MyApp was packaged into a container image.
You need to deploy the YAML manifest file for the application.
Solution: You install the Azure CLI on the device and run the
kubectl apply –fmyapp.yaml command.
Does this meet the goal?
A. Yes
B. No

Answer

A

Answer: A
Explanation:
kubectl apply -f myapp.yaml applies a configuration change to a resource from a file or stdin.

Question 3

Q

Your company has an Azure Kubernetes Service (AKS) cluster that you manage from an Azure
AD-joined device. The cluster is located in a resource group.
Developers have created an application named MyApp. MyApp was packaged into a container
image.
You need to deploy the YAML manifest file for the application.
Solution: You install the docker client on the device and run the docker run -it
microsoft/azure-cli:0.10.17 command.
Does this meet the goal?
A. Yes
B. No

Answer

A

Answer: B

Question 4

Q

Your company has a web app named WebApp1.
You use the WebJobs SDK to design a triggered App Service background task that automatically
invokes a function in the code every time new data is received in a queue.
You are preparing to configure the service processes a queue data item.
Which of the following is the service you should use?
A. Logic Apps
B. WebJobs
C. Flow
D. Functions

Answer

A

Answer: B
Usually you’ll host the WebJobs SDK in Azure WebJobs, but you can also run your jobs in a Worker Role. The Azure WebJobs feature of Azure Web Apps provides an easy way for you to run programs such as services or background tasks in a Web App…

Question 5

Q

Your company has an Azure subscription.
You need to deploy a number of Azure virtual machines to the subscription by using Azure
Resource Manager (ARM) templates. The virtual machines will be included in a single
availability set.
You need to ensure that the ARM template allows for as many virtual machines as possible to
remain accessible in the event of fabric failure or maintenance.
Which of the following is the value that you should configure for the
platformFaultDomainCount property?
A. 10
B. 30
C. Min Value
D. Max Value

Answer

A

Answer: D
2 or 3 is max for a region so answer should be Max.

Question 6

Q

Your company has an Azure subscription.
You need to deploy a number of Azure virtual machines to the subscription by using Azure
Resource Manager (ARM) templates. The virtual machines will be included in a single
availability set.
You need to ensure that the ARM template allows for as many virtual machines as possible to
remain accessible in the event of fabric failure or maintenance.
Which of the following is the value that you should configure for the
platformUpdateDomainCount property?
A. 10
B. 20
C. 30
D. 40

Answer

A

Answer: B
Each availability set can be configured with up to three fault domains and twenty update domains.

Question 7

Q

This question requires that you evaluate the underlined text to determine if it is correct.
You company has an on-premises deployment of MongoDB, and an Azure Cosmos DB account
that makes use of the MongoDB API.
You need to devise a strategy to migrate MongoDB to the Azure Cosmos DB account.
You include the Data Management Gateway tool in your migration strategy.
Instructions: Review the underlined text. If it makes the statement correct, select “No change required.”
If the statement is incorrect, select the answer choice that makes the statement correct.
A. No change required
B. mongorestore
C. Azure Storage Explorer
D. AzCopy

Answer

A

Answer: B

Question 8

Q

You are developing an e-Commerce Web App.
You want to use Azure Key Vault to ensure that sign-ins to the e-Commerce Web App are secured by using Azure App Service authentication and Azure Active Directory (AAD).
What should you do on the e-Commerce Web App?
A. Run the az keyvault secret command.
B. Enable Azure AD Connect.
C. Enable Managed Service Identity (MSI).
D. Create an Azure AD service principal.

Answer

A

Answer: C
Explanation:
A managed identity from Azure Active Directory allows your app to easily access other AADprotected resources such as Azure Key Vault.

Question 9

Q

This question requires that you evaluate the underlined text to determine if it is correct.
Your Azure Active Directory Azure (Azure AD) tenant has an Azure subscription linked to it.
Your developer has created a mobile application that obtains Azure AD access tokens using the OAuth 2 implicit grant type.
The mobile application must be registered in Azure AD.
You require a redirect URI from the developer for registration purposes.
Instructions: Review the underlined text. If it makes the statement correct, select “No change is needed.”
If the statement is incorrect, select the answer choice that makes the statement correct.
A. No change required.
B. a secret
C. a login hint
D. a client ID

Answer

A

Answer: A
Explanation:
For Native Applications you need to provide a Redirect URI, which Azure AD will use to return token responses.

Question 10

Q

You are creating an Azure key vault using PowerShell. Objects deleted from the key vault must be kept for a set period of 90 days.
Which two of the following parameters must be used in conjunction to meet the requirement?
(Choose two.)
A. EnabledForDeployment
B. EnablePurgeProtection
C. EnabledForTemplateDeployment
D. EnableSoftDelete

Answer

A

Answer: BD
You’ll need to enable soft delete, and then purge protection to make sure that soft-deleted objects are not purged early.

Question 11

Q

You manage an Azure SQL database that allows for Azure AD authentication.
You need to make sure that database developers can connect to the SQL database via Microsoft SQL Server Management Studio (SSMS). You also need to make sure the developers use their on-premises Active Directory account for authentication.
Your strategy should allow for authentication prompts to be kept to a minimum.
Which of the following should you implement?
A. Azure AD token.
B. Azure Multi-Factor authentication.
C. Active Directory integrated authentication.
D. OATH software tokens.

Answer

A

Answer: C
Explanation:
Azure AD can be the initial Azure AD managed domain. Azure AD can also be an on-premises
Active Directory Domain Services that is federated with the Azure AD.

Question 12

Q

You are developing an application to transfer data between on-premises file servers and Azure
Blob storage. The application stores keys, secrets, and certificates in Azure Key Vault and makes
use of the Azure Key Vault APIs.
You want to configure the application to allow recovery of an accidental deletion of the key
vault or key vault objects for 90 days after deletion.
What should you do?
A. Run the Add-AzKeyVaultKey cmdlet.
B. Run the az keyvault update –enable-soft-delete true –enablepurge-protection true CLI.
C. Implement virtual network service endpoints for Azure Key Vault.
D. Run the az keyvault update –enable-soft-delete false CLI.

Answer

A

Answer: B
Explanation:
When soft-delete is enabled, resources marked as deleted resources are retained for a specified
period (90 days by default). The service further provides a mechanism for recovering the deleted
object, essentially undoing the deletion.
Purge protection is an optional Key Vault behavior and is not enabled by default. Purge
protection can only be enabled once soft-delete is enabled.
When purge protection is on, a vault or an object in the deleted state cannot be purged until the
retention period has passed. Soft-deleted vaults and objects can still be recovered, ensuring that
the retention policy will be followed.
The default retention period is 90 days, but it is possible to set the retention policy interval to a
value from 7 to 90 days through the Azure portal. Once the retention policy interval is set and
saved it cannot be changed for that vault.

Question 13

Q

You are configuring a web app that delivers streaming video to users. The application makes use
of continuous integration and deployment.
You need to ensure that the application is highly available and that the users’ streaming
experience is constant. You also want to configure the application to store data in a geographic
location that is nearest to the user.
Solution: You include the use of Azure Redis Cache in your design.
Does the solution meet the goal?
A. Yes
B. No

Answer

A

Answer: B

Question 14

Q

You are configuring a web app that delivers streaming video to users. The application makes use
of continuous integration and deployment.
You need to ensure that the application is highly available and that the users’ streaming
experience is constant. You also want to configure the application to store data in a geographic
location that is nearest to the user.
Solution: You include the use of an Azure Content Delivery Network (CDN) in your design.
Does the solution meet the goal?
A. Yes
B. No

Answer

A

Answer: A

Question 15

Q

You are configuring a web app that delivers streaming video to users. The application makes use
of continuous integration and deployment.
You need to ensure that the application is highly available and that the users’ streaming
experience is constant. You also want to configure the application to store data in a geographic
location that is nearest to the user.
Solution: You include the use of a Storage Area Network (SAN) in your design.
Does the solution meet the goal?
A. Yes
B. No

Answer

A

Answer: B

Question 16

Q

You develop a Web App on a tier D1 app service plan.
You notice that page load times increase during periods of peak traffic.
You want to implement automatic scaling when CPU load is above 80 percent. Your solution
must minimize costs.
What should you do first?
A. Enable autoscaling on the Web App.
B. Switch to the Premium App Service tier plan.
C. Switch to the Standard App Service tier plan.
D. Switch to the Azure App Services consumption plan.

Answer

A

Answer: C
Explanation:
Configure the web app to the Standard App Service Tier. The Standard tier supports autoscaling, and we should minimize the cost. We can then enable autoscaling on the web app, add a
scale rule and add a Scale condition.

Question 17

Q

Your company’s Azure subscription includes an Azure Log Analytics workspace.
Your company has a hundred on-premises servers that run either Windows Server 2012 R2 or
Windows Server 2016, and is linked to the Azure Log Analytics workspace. The Azure Log
Analytics workspace is set up to gather performance counters associated with security from these
linked servers.
You must configure alerts based on the information gathered by the Azure Log Analytics
workspace.
You have to make sure that alert rules allow for dimensions, and that alert creation time should
be kept to a minimum. Furthermore, a single alert notification must be created when the alert is
created and when the alert is resolved.
You need to make use of the necessary signal type when creating the alert rules.
Which of the following is the option you should use?
A. The Activity log signal type.
B. The Application Log signal type.
C. The Metric signal type.
D. The Audit Log signal type.

Answer

A

Answer: C
Explanation:
Metric alerts in Azure Monitor provide a way to get notified when one of your metrics cross a
threshold. Metric alerts work on a range of multi-dimensional platform metrics, custom metrics,
Application Insights standard and custom metrics.
Note: Signals are emitted by the target resource and can be of several types. Metric, Activity log,
Application Insights, and Log

Question 18

Q

You are developing a .NET Core MVC application that allows customers to research
independent holiday accommodation providers.
You want to implement Azure Search to allow the application to search the index by using
various criteria to locate documents related to accommodation.
You want the application to allow customers to search the index by using regular expressions.
What should you do?
A. Configure the SearchMode property of the SearchParameters class.
B. Configure the QueryType property of the SearchParameters class.
C. Configure the Facets property of the SearchParameters class.
D. Configure the Filter property of the SearchParameters class.

Answer

A

Answer: B
Explanation:
The SearchParameters.QueryType Property gets or sets a value that specifies the syntax of the
search query. The default is ‘simple’. Use ‘full’ if your query uses the Lucene query syntax.
You can write queries against Azure Search based on the rich Lucene Query Parser syntax for
specialized query forms: wildcard, fuzzy search, proximity search, regular expressions are a few
examples.

Question 19

Q

You are a developer at your company.
You need to update the definitions for an existing Logic App.
What should you use?
A. the Enterprise Integration Pack (EIP)
B. the Logic App Code View
C. the API Connections
D. the Logic Apps Designer

Answer

A

Answer: B
Explanation:
Edit JSON - Azure portal
Sign in to the Azure portal.
From the left menu, choose All services. In the search box, find “logic apps”, and then from the
results, select your logic app.
On your logic app’s menu, under Development Tools, select Logic App Code View.
The Code View editor opens and shows your logic app definition in JSON format.

Question 20

Q

You are developing a solution for a public facing API.
The API back end is hosted in an Azure App Service instance. You have implemented a
RESTful service for the API back end.
You must configure back-end authentication for the API Management service instance.
Solution: You configure Basic gateway credentials for the Azure resource.
Does the solution meet the goal?
A. Yes
B. No

Answer

A

Answer: B
Explanation:
API Management allows to secure access to the back-end service of an API using client
certificates.

Question 21

Q

You are developing a solution for a public facing API.
The API back end is hosted in an Azure App Service instance. You have implemented a
RESTful service for the API back end.
You must configure back-end authentication for the API Management service instance.
Solution: You configure Client cert gateway credentials for the HTTP(s) endpoint.
Does the solution meet the goal?
A. Yes
B. No

Answer

A

Answer: A
This is scenario questions.
If backend is accepts HTTP(S)
Then Basic AUTH or Certificate will work.
so Client Certificate + HTTP(s) YES

Question 22

Q

You are developing a solution for a public facing API.
The API back end is hosted in an Azure App Service instance. You have implemented a
RESTful service for the API back end.
You must configure back-end authentication for the API Management service instance.
Solution: You configure Basic gateway credentials for the HTTP(s) endpoint.
Does the solution meet the goal?
A. Yes
B. No

Answer

A

Answer: A
This is scenario questions.
If backend is accepts HTTP(S)
Then Basic AUTH or Certificate will work.
so Basic + HTTPS Yes

Question 23

Q

You are developing a solution for a public facing API.
The API back end is hosted in an Azure App Service instance. You have implemented a
RESTful service for the API back end.
You must configure back-end authentication for the API Management service instance.
Solution: You configure Client cert gateway credentials for the Azure resource.
Does the solution meet the goal?
A. Yes
B. No

Answer

A

Answer: B
This is scenario questions.
If backend is accepts HTTP(S)
Then Basic AUTH or Certificate will work.
so Certificate + Azure Resource NO

Question 24

Q

You are developing a .NET Core MVC application that allows customers to research
independent holiday accommodation providers.
You want to implement Azure Search to allow the application to search the index by using
various criteria to locate documents related to accommodation venues.
You want the application to list holiday accommodation venues that fall within a specific price
range and are within a specified distance to an airport.
What should you do?
A. Configure the SearchMode property of the SearchParameters class.
B. Configure the QueryType property of the SearchParameters class.
C. Configure the Facets property of the SearchParameters class.
D. Configure the Filter property of the SearchParameters class.

Answer

A

Answer: D
Explanation:
The Filter property gets or sets the OData $filter expression to apply to the search query

Question 25

Q

You are a developer at your company.
You need to edit the workflows for an existing Logic App.
What should you use?
A. the Enterprise Integration Pack (EIP)
B. the Logic App Code View
C. the API Connections
D. the Logic Apps Designer

Answer

A

Answer: D
For definitions use the Code View, for the Workflows use the Designer.

Question 26

Q

You are developing an application that applies a set of governance policies for internal and
external services, as well as for applications.
You develop a stateful ASP.NET Core 2.1 web application named PolicyApp and deploy it to an
Azure App Service Web App. The PolicyApp reacts to events from Azure Event Grid and
performs policy actions based on those events.
You have the following requirements:
Authentication events must be used to monitor users when they sign in and sign out.
All authentication events must be processed by PolicyApp.
Sign outs must be processed as fast as possible.
What should you do?
A. Create a new Azure Event Grid subscription for all authentication events. Use the
subscription to process sign-out events.
B. Create a separate Azure Event Grid handler for sign-in and sign-out events.
C. Create separate Azure Event Grid topics and subscriptions for sign-in and sign-out events.
D. Add a subject prefix to sign-out events. Create an Azure Event Grid subscription. Configure
the subscription to use the subjectBeginsWith filter.

Answer

A

Answer: C
Only C is mentioned both topic and subscription, which are two critical parts for event grid

Question 27

Q

You develop a software as a service (SaaS) offering to manage photographs. Users upload
photos to a web service which then stores the photos in Azure Storage Blob storage. The storage
account type is General-purpose V2.
When photos are uploaded, they must be processed to produce and save a mobile-friendly
version of the image. The process to produce a mobile-friendly version of the image must start in
less than one minute.
You need to design the process that starts the photo processing.
Solution: Trigger the photo processing from Blob storage events.
Does the solution meet the goal?
A. Yes
B. No

Answer

A

Answer: B
The answer (B) is correct. Because, the trick is in the “less than one minute” detail.
You can read about “..10-minute delay in processing new blobs..” in “3-Minimizing latency” description.
Microsoft says: “…..Use Event Grid instead of the Blob storage trigger for the following scenarios:”
1-Blob-only storage accounts: Blob-only storage accounts are supported for blob input and output bindings but not for blob triggers.
2-High-scale: High scale can be loosely defined as containers that have more than 100,000 blobs in them or storage accounts that have more than 100 blob updates per second.
3-Minimizing latency: If your function app is on the Consumption plan, there can be up to a ##10-minute delay in processing new blobs## if a function app has gone idle. To avoid this latency, you can switch to an App Service plan with Always On enabled. You can also use an Event Grid trigger with your Blob storage account. For an example, see the Event Grid tutorial.

Question 28

Q

You develop and deploy an Azure App Service API app to a Windows-hosted deployment slot
named Development. You create additional deployment slots named Testing and Production.
You enable auto swap on the Production deployment slot.
You need to ensure that scripts run and resources are available before a swap operation occurs.
Solution: Update the web.config file to include the applicationInitialization configuration
element. Specify custom initialization actions to run the scripts.
Does the solution meet the goal?
A. No
B. Yes

Answer

A

Answer: B
Correct answer must be B (applicationinitialization tag is way of implementing custom warm-up)

Question 29

Q

You develop and deploy an Azure App Service API app to a Windows-hosted deployment slot
named Development. You create additional deployment slots named Testing and Production.
You enable auto swap on the Production deployment slot.
You need to ensure that scripts run and resources are available before a swap operation occurs.
Solution: Enable auto swap for the Testing slot. Deploy the app to the Testing slot.
Does the solution meet the goal?
A. No
B. Yes

Answer

A

Answer: A
I vote A, No, because for me the solution is updating the web.config file to include the applicationInitialization configuration element.

Question 30

Q

You develop and deploy an Azure App Service API app to a Windows-hosted deployment slot
named Development. You create additional deployment slots named Testing and Production.
You enable auto swap on the Production deployment slot.
You need to ensure that scripts run and resources are available before a swap operation occurs.
Solution: Disable auto swap. Update the app with a method named statuscheck to run the scripts.
Re-enable auto swap and deploy the app to the Production slot.
Does the solution meet the goal?
A. No
B. Yes

Answer

A

Answer: A
Instead, use applicationInitialization

Question 31

Q

You develop a software as a service (SaaS) offering to manage photographs. Users upload
photos to a web service which then stores the photos in Azure Storage Blob storage. The storage
account type is General-purpose V2.
When photos are uploaded, they must be processed to produce and save a mobile-friendly
version of the image. The process to produce a mobile-friendly version of the image must start in
less than one minute.
You need to design the process that starts the photo processing.
Solution: Convert the Azure Storage account to a BlockBlobStorage storage account.
Does the solution meet the goal?
A. Yes
B. No

Answer

A

Answer: B
Explanation:
Not necessary to convert the account, instead move photo processing to an Azure Function
triggered from the blob upload.

Question 32

Q

You develop a website. You plan to host the website in Azure. You expect the website to
experience high traffic volumes after it is published.
You must ensure that the website remains available and responsive while minimizing cost.
You need to deploy the website.
What should you do?
A. Deploy the website to a virtual machine. Configure the virtual machine to automatically scale
when the CPU load is high.
B. Deploy the website to an App Service that uses the Shared service tier. Configure the App
Service plan to automatically scale when the CPU load is high.
C. Deploy the website to a virtual machine. Configure a Scale Set to increase the virtual machine
instance count when the CPU load is high.
D. Deploy the website to an App Service that uses the Standard service tier. Configure the App
Service plan to automatically scale when the CPU load is high.

Answer

A

Answer: D
Explanation:
Windows Azure Web Sites (WAWS) offers 3 modes: Standard, Free, and Shared.
Standard mode carries an enterprise-grade SLA (Service Level Agreement) of 99.9% monthly,
even for sites with just one instance.
Standard mode runs on dedicated instances, making it different from the other ways to buy
Windows Azure Web Sites.
Incorrect Answers:
B: Shared and Free modes do not offer the scaling flexibility of Standard, and they have some
important limits.
Shared mode, just as the name states, also uses shared Compute resources, and also has a CPU
limit. So, while neither Free nor Shared is likely to be the best choice for your production
environment due to these limits.

Question 33

Q

You develop an HTTP triggered Azure Function app to process Azure Storage blob data. The
app is triggered using an output binding on the blob.
The app continues to time out after four minutes. The app must process the blob data.
You need to ensure the app does not time out and processes the blob data.
Solution: Use the Durable Function async pattern to process the blob data.
Does the solution meet the goal?
A. Yes
B. No

Answer

A

Answer: A
“230 seconds is the maximum amount of time[…] For longer processing times, consider using the DURABLE FUNCTIONS ASYNC PATTERN[…]”

Question 34

Q

You develop an HTTP triggered Azure Function app to process Azure Storage blob data. The
app is triggered using an output binding on the blob.
The app continues to time out after four minutes. The app must process the blob data.
You need to ensure the app does not time out and processes the blob data.
Solution: Pass the HTTP trigger payload into an Azure Service Bus queue to be processed by a
queue trigger function and return an immediate HTTP success response.
Does the solution meet the goal?
A. Yes
B. No

Answer

A

Answer: A
Yes, the solution meets the goal. By passing the HTTP trigger payload into an Azure Service Bus queue to be processed by a queue trigger function and returning an immediate HTTP success response, you can address the timeout issue and ensure that the blob data is processed without timing out.

Question 35

Q

You develop an HTTP triggered Azure Function app to process Azure Storage blob data. The
app is triggered using an output binding on the blob.
The app continues to time out after four minutes. The app must process the blob data.
You need to ensure the app does not time out and processes the blob data.
Solution: Configure the app to use an App Service hosting plan and enable the Always On
setting.
Does the solution meet the goal?
A. Yes
B. No

Answer

A

Answer: B
Explanation:
Instead pass the HTTP trigger payload into an Azure Service Bus queue to be processed by a
queue trigger function and return an immediate HTTP success response.
Note: Large, long-running functions can cause unexpected timeout issues. General best practices
include:
Whenever possible, refactor large functions into smaller function sets that work together and
return responses fast. For example, a webhook or HTTP trigger function might require an
acknowledgment response within a certain time limit; it’s common for webhooks to require an
immediate response. You can pass the HTTP trigger payload into a queue to be processed by a
queue trigger function. This approach lets you defer the actual work and return an immediate
response.

Question 36

Q

You develop a software as a service (SaaS) offering to manage photographs. Users upload
photos to a web service which then stores the photos in Azure Storage Blob storage. The storage
account type is General-purpose V2.
When photos are uploaded, they must be processed to produce and save a mobile-friendly
version of the image. The process to produce a mobile-friendly version of the image must start in
less than one minute.
You need to design the process that starts the photo processing.
Solution: Move photo processing to an Azure Function triggered from the blob upload.
Does the solution meet the goal?
A. Yes
B. No

Answer

A

Answer: B
blob storage event doesn’t guarantee an SLA.
you cannot control the event arrival in less than a minute.

Question 37

Q

You are developing an application that uses Azure Blob storage.
The application must read the transaction logs of all the changes that occur to the blobs and the
blob metadata in the storage account for auditing purposes. The changes must be in the order in
which they occurred, include only create, update, delete, and copy operations and be retained for
compliance reasons.
You need to process the transaction logs asynchronously.
What should you do?
A. Process all Azure Blob storage events by using Azure Event Grid with a subscriber Azure
Function app.
B. Enable the change feed on the storage account and process all changes for available events.
C. Process all Azure Storage Analytics logs for successful blob events.
D. Use the Azure Monitor HTTP Data Collector API and scan the request body for successful
blob events.

Answer

A

Answer: B
Explanation:
Change feed support in Azure Blob Storage
The purpose of the change feed is to provide transaction logs of all the changes that occur to the
blobs and the blob metadata in your storage account. The change feed provides ordered,
guaranteed, durable, immutable, read-only log of these changes. Client applications can read
these logs at any time, either in streaming or in batch mode. The change feed enables you to
build efficient and scalable solutions that process change events that occur in your Blob Storage
account at a low cost.

Question 38

Q

You are developing an Azure Function App that processes images that are uploaded to an Azure
Blob container.
Images must be processed as quickly as possible after they are uploaded, and the solution must
minimize latency. You create code to process images when the Function App is triggered.
You need to configure the Function App.
What should you do?
A. Use an App Service plan. Configure the Function App to use an Azure Blob Storage input
trigger.
B. Use a Consumption plan. Configure the Function App to use an Azure Blob Storage trigger.
C. Use a Consumption plan. Configure the Function App to use a Timer trigger.
D. Use an App Service plan. Configure the Function App to use an Azure Blob Storage trigger.
E. Use a Consumption plan. Configure the Function App to use an Azure Blob Storage input
trigger.

Answer

A

Answer: D
The answer is D. Use an App Service plan. Configure the Function App to use an Azure Blob Storage trigger.
Consumption plan can cause a 10-min delay in processing new blobs if a function app has gone idle. To avoid this latency, you can switch to an App Service plan with Always On enabled.

Question 39

Q

You are preparing to deploy a website to an Azure Web App from a GitHub repository. The
website includes static content generated by a script.
You plan to use the Azure Web App continuous deployment feature.
You need to run the static generation script before the website starts serving traffic.
What are two possible ways to achieve this goal? Each correct answer presents a complete
solution.
NOTE: Each correct selection is worth one point.
A. Add the path to the static content generation tool to WEBSITE_RUN_FROM_PACKAGE
setting in the host.json file.
B. Add a PreBuild target in the websites csproj project file that runs the static content generation
script.
C. Create a file named run.cmd in the folder /run that calls a script which generates the static
content and deploys the website.
D. Create a file named .deployment in the root of the repository that calls a script which
generates the static content and deploys the website.

Answer

A

Answer: B,D
Option B is correct because you can use the PreBuild target in the csproj file to execute a custom command or script before the project is built. This way, you can run the static content generation script and include the generated files in the project output.
Option D is correct because you can use the .deployment file in the root of the repository to customize the deployment process and specify a custom deployment script. This way, you can run the static content generation script and deploy the website using the custom script.

Question 40

Q

You develop a software as a service (SaaS) offering to manage photographs. Users upload
photos to a web service which then stores the photos in Azure Storage Blob storage. The storage
account type is General-purpose V2.
When photos are uploaded, they must be processed to produce and save a mobile-friendly
version of the image. The process to produce a mobile-friendly version of the image must start in
less than one minute.
You need to design the process that starts the photo processing.
Solution: Create an Azure Function app that uses the Consumption hosting model and that is
triggered from the blob upload.
Does the solution meet the goal?
A. Yes
B. No

Answer

A

Answer: B
Answer should be “No”. Consumption plan can take up to several minutes to trigger the function.
“When your function app runs in the default Consumption plan, there may be a delay of up to several minutes between the blob being added or updated and the function being triggered. If you need low latency in your blob triggered functions, consider running your function app in an App Service plan.”

Question 41

Q

You develop and deploy an Azure App Service API app to a Windows-hosted deployment slot
named Development. You create additional deployment slots named Testing and Production.
You enable auto swap on the Production deployment slot.
You need to ensure that scripts run and resources are available before a swap operation occurs.
Solution: Update the app with a method named statuscheck to run the scripts. Update the app
settings for the app. Set the WEBSITE_SWAP_WARMUP_PING_PATH and
WEBSITE_SWAP_WARMUP_PING_STATUSES with a path to the new method and
appropriate response codes.
Does the solution meet the goal?
A. No
B. Yes

Answer

A

Answer: B
Should be YES?
You can also customize the warm-up behavior with one or both of the following app settings:
WEBSITE_SWAP_WARMUP_PING_PATH: The path to ping to warm up your site. Add this app setting by specifying a custom path that begins with a slash as the value. An example is /statuscheck. The default value is /.
WEBSITE_SWAP_WARMUP_PING_STATUSES: Valid HTTP response codes for the warm-up operation. Add this app setting with a comma-separated list of HTTP codes. An example is 200,202 . If the returned status code isn’t in the list, the warmup and swap operations are stopped. By default, all response codes are valid.
WEBSITE_WARMUP_PATH: A relative path on the site that should be pinged whenever the site restarts (not only during slot swaps). Example values include /statuscheck or the root path, /.

Question 42

Q

You are developing a web app that is protected by Azure Web Application Firewall (WAF). All
traffic to the web app is routed through an Azure Application Gateway instance that is used by
multiple web apps. The web app address is contoso.azurewebsites.net.
All traffic must be secured with SSL. The Azure Application Gateway instance is used by
multiple web apps.
You need to configure the Azure Application Gateway for the web app.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. In the Azure Application Gateway’s HTTP setting, enable the Use for App service setting.
B. Convert the web app to run in an Azure App service environment (ASE).
C. Add an authentication certificate for contoso.azurewebsites.net to the Azure Application
Gateway.
D. In the Azure Application Gateway’s HTTP setting, set the value of the Override backend path
option to contoso22.azurewebsites.net.

Answer

A

Answer: AD
Explanation:
D: The ability to specify a host override is defined in the HTTP settings and can be applied to
any back-end pool during rule creation.
The ability to derive the host name from the IP or FQDN of the back-end pool members. HTTP
settings also provide an option to dynamically pick the host name from a back-end pool
member’s FQDN if configured with the option to derive host name from an individual back-end
pool member.
A (not C): SSL termination and end to end SSL with multi-tenant services.
In case of end to end SSL, trusted Azure services such as Azure App service web apps do not
require whitelisting the backends in the application gateway. Therefore, there is no need to add
any authentication certificates.

Question 43

Q

You develop a software as a service (SaaS) offering to manage photographs. Users upload
photos to a web service which then stores the photos in Azure Storage Blob storage. The storage
account type is General-purpose V2.
When photos are uploaded, they must be processed to produce and save a mobile-friendly
version of the image. The process to produce a mobile-friendly version of the image must start in
less than one minute.
You need to design the process that starts the photo processing.
Solution: Use the Azure Blob Storage change feed to trigger photo processing.
Does the solution meet the goal?
A. Yes
B. No

Answer

A

Answer: B
Explanation:
The change feed is a log of changes that are organized into hourly segments but appended to and
updated every few minutes. These segments are created only when there are blob change events
that occur in that hour.
Instead catch the triggered event, so move the photo processing to an Azure Function triggered
from the blob upload.

Question 44

Q

You are developing a web application that runs as an Azure Web App. The web application
stores data in Azure SQL Database and stores files in an Azure Storage account. The web
application makes HTTP requests to external services as part of normal operations.
The web application is instrumented with Application Insights. The external services are
OpenTelemetry compliant.
You need to ensure that the customer ID of the signed in user is associated with all operations
throughout the overall system.
What should you do?
A. Add the customer ID for the signed in user to the CorrelationContext in the web application
B. On the current SpanContext, set the TraceId to the customer ID for the signed in user
C. Set the header Ocp-Apim-Trace to the customer ID for the signed in user
D. Create a new SpanContext with the TraceFlags value set to the customer ID for the signed in
user

Answer

A

Answer: A
“I would choose option A, Add the customer ID for the signed in user to the CorrelationContext in the web application.

The CorrelationContext is a way to associate contextual information with a request as it flows through the system. It allows you to track a request as it passes through different components of the system, and to identify related log entries and telemetry data. By adding the customer ID to the CorrelationContext in the web application, you can ensure that it is associated with all operations throughout the overall system. This will allow you to track the request and identify related log entries and telemetry data for a specific customer.

Question 45

Q

You develop an HTTP triggered Azure Function app to process Azure Storage blob data. The
app is triggered using an output binding on the blob.
The app continues to time out after four minutes. The app must process the blob data.
You need to ensure the app does not time out and processes the blob data.
Solution: Update the functionTimeout property of the host.json project file to 10 minutes.
Does the solution meet the goal?
A. Yes
B. No

Answer

A

Answer: B
Explanation:
Instead pass the HTTP trigger payload into an Azure Service Bus queue to be processed by a
queue trigger function and return an immediate HTTP success response.
Note: Large, long-running functions can cause unexpected timeout issues. General best practices
include:
Whenever possible, refactor large functions into smaller function sets that work together and
return responses fast. For example, a webhook or HTTP trigger function might require an
acknowledgment response within a certain time limit; it’s common for webhooks to require an
immediate response. You can pass the HTTP trigger payload into a queue to be processed by a
queue trigger function. This approach lets you defer the actual work and return an immediate
response.

Question 46

Q

You are developing an Azure Durable Function to manage an online ordering process.
The process must call an external API to gather product discount information.
You need to implement the Azure Durable Function.
Which Azure Durable Function types should you use? Each correct answer presents part of the
solution.
NOTE: Each correct selection is worth one point.
A. Orchestrator
B. Entity
C. Client
D. Activity

Answer

A

Answer: A, D
“ Like orchestrator functions, entity functions are functions with a special trigger type, entity trigger.” - u can not call Entity from Orchestrator… right answer is Orchestrator and Activity

Question 47

Q

You develop Azure Durable Functions to manage vehicle loans.
The loan process includes multiple actions that must be run in a specified order. One of the
actions includes a customer credit check process, which may require multiple days to process.
You need to implement Azure Durable Functions for the loan process.
Which Azure Durable Functions type should you use?
A. orchestrator
B. client
C. entity
D. activity

Answer

A

Answer: A
Explanation:
Durable Functions is an extension of Azure Functions. You can use an orchestrator function to
orchestrate the execution of other Durable functions within a function app. Orchestrator
functions have the following characteristics:
Orchestrator functions define function workflows using procedural code. No declarative schemas
or designers are needed.
Orchestrator functions can call other durable functions synchronously and asynchronously.
Output from called functions can be reliably saved to local variables.
Orchestrator functions are durable and reliable. Execution progress is automatically
checkpointed when the function “awaits” or “yields”. Local state is never lost when the process
recycles or the VM reboots.
Orchestrator functions can be long-running. The total lifespan of an orchestration instance can be
seconds, days, months, or never-ending.

Question 48

Q

You develop Azure Web Apps for a commercial diving company. Regulations require that all
divers fill out a health questionnaire every 15 days after each diving job starts.
You need to configure the Azure Web Apps so that the instance count scales up when divers are
filling out the questionnaire and scales down after they are complete.
You need to configure autoscaling.
What are two possible auto scaling configurations to achieve this goal? Each correct answer
presents a complete solution.
NOTE: Each correct selection is worth one point.
A. Recurrence profile
B. CPU usage-based autoscaling
C. Fixed date profile
D. Predictive autoscaling

Answer

A

Answer: B,D
I think it should
B. CPU usage-based autoscaling
D. Predictive autoscaling

A. Recurrence profile is used to schedule the scaling of resources at specific times or dates, but it does not meet the requirement to scale up when divers are filling out the questionnaire and scale down after they are complete. It only triggers scaling based on a set schedule, not based on actual usage.

C. Fixed date profile is used to specify the number of instances at a specific date and time, but it also does not meet the requirement to dynamically scale based on actual usage. It only sets a fixed number of instances and does not adjust based on changing workloads.

Question 49

Q

You are building a website that uses Azure Blob storage for data storage. You configure Azure
Blob storage lifecycle to move all blobs to the archive tier after 30 days.
Customers have requested a service-level agreement (SLA) for viewing data older than 30 days.
You need to document the minimum SLA for data recovery.
Which SLA should you use?
A. at least two days
B. between one and 15 hours
C. at least one day
D. between zero and 60 minutes

Answer

A

Answer: B
Explanation:
The archive access tier has the lowest storage cost. But it has higher data retrieval costs
compared to the hot and cool tiers. Data in the archive tier can take several hours to retrieve
depending on the priority of the rehydration. For small objects, a high priority rehydrate may
retrieve the object from archive in under 1 hour.

Question 50

Q

You are developing an Azure solution to collect point-of-sale (POS) device data from
2,000 stores located throughout the world. A single device can produce 2 megabytes (MB) of
data every 24 hours. Each store location has one to five devices that send data.
You must store the device data in Azure Blob storage. Device data must be correlated based on a
device identifier. Additional stores are expected to open in the future.
You need to implement a solution to receive the device data.
Solution: Provision an Azure Event Grid. Configure the machine identifier as the partition key
and enable capture.
Does the solution meet the goal?
A. Yes
B. No

Answer

A

Answer: A
Partitions - 2000 per CU - Dedicated Plan - So we can have 2K+ partitions in Event Hub
Size allowed - Yes

Question 51

Q

You develop Azure solutions.
A .NET application needs to receive a message each time an Azure virtual machine finishes
processing data. The messages must NOT persist after being processed by the receiving
application.
You need to implement the .NET object that will receive the messages.
Which object should you use?
A. QueueClient
B. SubscriptionClient
C. TopicClient
D. CloudQueueClient

Answer

A

Answer: A

Azure.Storage.Queues.QueueClient: .NET v12
Azure.Storage.Queues.CloudQueueClient: .NET v11 (Legacy)

So, the question is really about what kind of queue message tool you should use. And the key word here is that “message must NOT persist after being processed”.

Azure.Storage.Queues.QueueClient supports “At-Most-Once” deliver mode, while Azure.Storage.Queues.CloudQueueClient doesn’t.

Question 52

Q

You develop Azure solutions.
You must connect to a No-SQL globally-distributed database by using the .NET API.
You need to create an object to configure and execute requests in the database.
Which code segment should you use?
A. new Container(EndpointUri, PrimaryKey);
B. new Database(EndpointUri, PrimaryKey);
C. new CosmosClient(EndpointUri, PrimaryKey);

Answer

A

Answer: C
Explanation:
Example:
// Create a new instance of the Cosmos Client
this.cosmosClient = new CosmosClient(EndpointUri, PrimaryKey)
//ADD THIS PART TO YOUR CODE
await this.CreateDatabaseAsync();

Question 53

Q

You have an existing Azure storage account that stores large volumes of data across multiple
containers.
You need to copy all data from the existing storage account to a new storage account. The copy
process must meet the following requirements:
 Automate data movement.
 Minimize user input required to perform the operation.
 Ensure that the data movement process is recoverable.
What should you use?
A. AzCopy
B. Azure Storage Explorer
C. Azure portal
D. .NET Storage Client Library

Answer

A

Answer: A
Explanation:
You can copy blobs, directories, and containers between storage accounts by using the AzCopy
v10 command-line utility.
The copy operation is synchronous so when the command returns, that indicates that all files
have been copied.

Question 54

Q

You are developing an Azure Cosmos DB solution by using the Azure Cosmos DB SQL API.
The data includes millions of documents. Each document may contain hundreds of properties.
The properties of the documents do not contain distinct values for partitioning. Azure Cosmos
DB must scale individual containers in the database to meet the performance needs of the
application by spreading the workload evenly across all partitions over time.
You need to select a partition key.
Which two partition keys can you use? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. a single property value that does not appear frequently in the documents
B. a value containing the collection name
C. a single property value that appears frequently in the documents
D. a concatenation of multiple property values with a random suffix appended
E. a hash suffix appended to a property value

Answer

A

Answer: D,E
Explanation:
You can form a partition key by concatenating multiple property values into a single artificial
partitionKey property. These keys are referred to as synthetic keys.
Another possible strategy to distribute the workload more evenly is to append a random number
at the end of the partition key value. When you distribute items in this way, you can perform
parallel write operations across partitions.
Note: It’s the best practice to have a partition key with many distinct values, such as hundreds or
thousands. The goal is to distribute your data and workload evenly across the items associated
with these partition key values. If such a property doesn’t exist in your data, you can construct a
synthetic partition key.

Question 55

Q

You develop and deploy a web application to Azure App Service. The application accesses data
stored in an Azure Storage account. The account contains several containers with several blobs
with large amounts of data. You deploy all Azure resources to a single region.
You need to move the Azure Storage account to the new region. You must copy all data to the
new region.
What should you do first?
A. Export the Azure Storage account Azure Resource Manager template
B. Initiate a storage account failover
C. Configure object replication for all blobs
D. Use the AzCopy command line tool
E. Create a new Azure Storage account in the current region
F. Create a new subscription in the current region

Answer

A

Answer: A
Explanation:
To move a storage account, create a copy of your storage account in another region. Then, move
your data to that account by using AzCopy, or another tool of your choice and finally, delete the
resources in the source region.
To get started, export, and then modify a Resource Manager template

Question 56

Q

An organization deploys Azure Cosmos DB.
You need to ensure that the index is updated as items are created, updated, or deleted.
What should you do?
A. Set the indexing mode to Lazy.
B. Set the value of the automatic property of the indexing policy to False.
C. Set the value of the EnableScanInQuery option to True.
D. Set the indexing mode to Consistent.

Answer

A

Answer: D
Explanation:
Azure Cosmos DB supports two indexing modes:
Consistent: The index is updated synchronously as you create, update or delete items. This
means that the consistency of your read queries will be the consistency configured for the
account.
None: Indexing is disabled on the container.

Question 57

Q

You are developing a .Net web application that stores data in Azure Cosmos DB. The application
must use the Core API and allow millions of reads and writes. The Azure Cosmos DB account
has been created with multiple write regions enabled. The application has been deployed to the
East US2 and Central US regions.
You need to update the application to support multi-region writes.
What are two possible ways to achieve this goal? Each correct answer presents part of the
solution.
NOTE: Each correct selection is worth one point.
A. Update the ConnectionPolicy class for the Cosmos client and populate the PreferredLocations
property based on the geo-proximity of the application.
B. Update Azure Cosmos DB to use the Strong consistency level. Add indexed properties to the
container to indicate region.
C. Update the ConnectionPolicy class for the Cosmos client and set the
UseMultipleWriteLocations property to true.
D. Create and deploy a custom conflict resolution policy.
E. Update Azure Cosmos DB to use the Session consistency level. Send the SessionToken
property value from the FeedResponse object of the write action to the end-user by using a
cookie.

Answer

A

Answer: A,C
The goal is

“You need to update the application to support multi-region writes”,

that is enable multi-region writes (bool, option C) and add the regions (option A)
Then you have to apply the Conflict resolution policies.This can be LLW(default, not mentioned) or custom (option D).

Hence : there is only ONE way to to support multi-region writes (both apply C AND A) and there are subsequently TWO ways to apply the Conflict resolution policies (@ SQL) to solve write, update and delete conflicts of which one is mentioned in the question (D).
To support multi-region writes I would answer A and C , but they have to be set both, not one or the other.

Question 58

Q

You are developing an application to store business-critical data in Azure Blob storage.
The application must meet the following requirements:
 Data must not be modified or deleted for a user-specified interval.
 Data must be protected from overwrites and deletes.
 Data must be written once and allowed to be read many times.
You need to protect the data in the Azure Blob storage account.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Configure a time-based retention policy for the storage account.
B. Create an account shared-access signature (SAS).
C. Enable the blob change feed for the storage account.
D. Enable version-level immutability support for the storage account.
E. Enable point-in-time restore for containers in the storage account.
F. Create a service shared-access signature (SAS).

Answer

A

Answer: A,D
A. Configure a time-based retention policy for the storage account
- A time-based retention policy stores blob data in a Write-Once, Read-Many (WORM) format for a specified interval. When a time-based retention policy is set, clients can create and read blobs, but can’t modify or delete them. After the retention interval has expired, blobs can be deleted but not overwritten.
D. Before you can apply a time-based retention policy to a blob version, you must enable support for version-level immutability.

Question 59

Q

You are updating an application that stores data on Azure and uses Azure Cosmos DB for
storage. The application stores data in multiple documents associated with a single username.
The application requires the ability to update multiple documents for a username in a single
ACID operation.
You need to configure Azure Cosmos DB.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Create a collection sharded on username to store documents.
B. Configure Azure Cosmos DB to use the Gremlin API.
C. Create an unsharded collection to store documents.
D. Configure Azure Cosmos DB to use the MongoDB API.

Answer

A

Answer: CD
Explanation:
C: Multi-document transactions, Requirements
Multi-document transactions are supported within an unsharded collection in API version 4.0.
Multi-document transactions are not supported across collections or in sharded collections in 4.0.
D: In Azure Cosmos DB for MongoDB, operations on a single document are atomic. Multidocument transactions enable applications to execute atomic operations across multiple
documents. It offers “all-or-nothing” semantics to the operations. On commit, the changes made
inside the transactions are persisted and if the transaction fails, all changes inside the transaction
are discarded.
Multi-document transactions follow ACID semantics:
Atomicity: All operations treated as one
Consistency: Data committed is valid
Isolation: Isolated from other operations
Durability: Transaction data is persisted when client is told so

Question 60

Q

You develop Azure solutions.
You must connect to a No-SQL globally-distributed database by using the .NET API.
You need to create an object to configure and execute requests in the database.
Which code segment should you use?
A.
database_name = ‘MyDatabase’
database =
client.create_database_if_not_exists(id=database_name)
B.
client = CosmosClient(endpoint, key)
C.
container_name = ‘MyContainer’
container = database.create_container_if_not_exists(
id=container_name, partition_key=PartitionKey(path=”/lastName”),
offer_throughput=400 )

Answer

A

Answer: B
CosmosClient has to be created before you can do option A and C to create databases and execute requests.

client = CosmosClient(endpoint, key)
database_name = ‘MyDatabase’
database = client.create_database_if_not_exists(id=database_name)
container_name = ‘MyContainer’
container = database.create_container_if_not_exists(
id=container_name, partition_key=PartitionKey(path=”/lastName”), offer_throughput=400 )

Question 61

Q

You develop a web application that provides access to legal documents that are stored on Azure
Blob Storage with version-level immutability policies. Documents are protected with both timebased policies and legal hold policies. All time-based retention policies have the
AllowProtectedAppendWrites property enabled.
You have a requirement to prevent the user from attempting to perform operations that would
fail only when a legal hold is in effect and when all other policies are expired.
You need to meet the requirement.
Which two operations should you prevent? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. adding data to documents
B. deleting documents
C. creating documents
D. overwriting existing documents

Answer

A

Answer: BD
Explanation:
The Append Block operation is permitted only for policies with the
allowProtectedAppendWrites or allowProtectedAppendWritesAll property enabled.
The AllowProtectedAppendWrites property setting allows for writing new blocks to an append
blob while maintaining immutability protection and compliance. If this setting is enabled, you
can create an append blob directly in the policy-protected container, and then continue to add
new blocks of data to the end of the append blob with the Append Block operation. Only new
blocks can be added; any existing blocks can’t be modified or deleted. Enabling this setting
doesn’t affect the immutability behavior of block blobs or page blobs.

Question 62

Q

You are developing a Java application that uses Cassandra to store key and value data. You plan
to use a new Azure Cosmos DB resource and the Cassandra API in the application. You create
an Azure Active Directory (Azure AD) group named Cosmos DB Creators to enable
provisioning of Azure Cosmos accounts, databases, and containers.
The Azure AD group must not be able to access the keys that are required to access the data.
You need to restrict access to the Azure AD group.
Which role-based access control should you use?
A. DocumentDB Accounts Contributor
B. Cosmos Backup Operator
C. Cosmos DB Operator
D. Cosmos DB Account Reader

Answer

A

Answer: C
Explanation:
Azure Cosmos DB now provides a new RBAC role, Cosmos DB Operator. This new role lets
you provision Azure Cosmos accounts, databases, and containers, but can’t access the keys that
are required to access the data. This role is intended for use in scenarios where the ability to
grant access to Azure Active Directory service principals to manage deployment operations for
Cosmos DB is needed, including the account, database, and containers.

Question 63

Q

You are developing a website that will run as an Azure Web App. Users will authenticate by
using their Azure Active Directory (Azure AD) credentials.
You plan to assign users one of the following permission levels for the website: admin, normal,
and reader. A user’s Azure AD group membership must be used to determine the permission
level.
You need to configure authorization.
Solution: Configure the Azure Web App for the website to allow only authenticated requests and
require Azure AD log on.
Does the solution meet the goal?
A. Yes
B. No

Answer

A

Answer: B
Explanation:
Instead in the Azure AD application’s manifest, set value of the groupMembershipClaims option
to All. In the website, use the value of the groups claim from the JWT for the user to determine
permissions.

Question 64

Q

You are developing a website that will run as an Azure Web App. Users will authenticate by
using their Azure Active Directory (Azure AD) credentials.
You plan to assign users one of the following permission levels for the website: admin, normal,
and reader. A user’s Azure AD group membership must be used to determine the permission
level.
You need to configure authorization.
Solution:
 Create a new Azure AD application. In the application’s manifest, set value of the
groupMembershipClaims option to All.
 In the website, use the value of the groups claim from the JWT for the user to determine
permissions.
Does the solution meet the goal?
A. Yes
B. No

Answer

A

Answer: A
Explanation:
To configure Manifest to include Group Claims in Auth Token
1. Go to Azure Active Directory to configure the Manifest. Click on Azure Active
Directory, and go to App registrations to find your application:
2. Click on your application (or search for it if you have a lot of apps) and edit the Manifest
by clicking on it.
3. Locate the “groupMembershipClaims” setting. Set its value to either “SecurityGroup” or
“All”. To help you decide which:
 “SecurityGroup” - groups claim will contain the identifiers of all security groups
of which the user is a member.
 “All” - groups claim will contain the identifiers of all security groups and all
distribution lists of which the user is a member
Now your application will include group claims in your manifest and you can use this fact in
your code.

Answer 65

A

Answer:A
The roles get assigned by AD groups, so the requirement “A user’s Azure AD group membership must be used to determine the permission level” is met.

This solution should be answered with “yes”.

This scenario has 2 solutions provided as the approach using the “groupMembershipClaims” is possible as well.
That’s OK as it says “Some question sets might have more than one correct solution, while others might not have a correct solution.”

Answer 66

A

Answer: A,C
As the API documentation only allows 3 options. It states:&raquo_space;»
Authentication policies
Authenticate with Basic - Authenticate with a backend service using Basic authentication.
Authenticate with client certificate - Authenticate with a backend service using client certificates.
Authenticate with managed identity - Authenticate with the managed identity for the API Management service.

Answer 67

A

Answer: A
Because we have more than one App (Web App and other Function Apps) , So we agree it is going to be a managed identity but should I create one for each app or one for all apps?
If I create system MI then there should be one for each App.
If I create user MI then I can re-use it for any App I want with minimum change to AD

Answer 68

A

Answer: A

Answer 69

A

Answer: B
Explanation:
Instead use an Azure Key vault and public key encryption. Store the encrypted from in Azure
Storage Blob storage.

Answer 70

A

Answer: C
Explanation:
Azure Active Directory Managed Service Identity (MSI) gives your code an automatically
managed identity for authenticating to Azure services, so that you can keep credentials out of
your code.
Note: Use the authentication-managed-identity policy to authenticate with a backend service
using the managed identity. This policy essentially uses the managed identity to obtain an access
token from Azure Active Directory for accessing the specified resource. After successfully
obtaining the token, the policy will set the value of the token in the Authorization header using
the Bearer scheme.
Incorrect Answers:
A: Use the authentication-basic policy to authenticate with a backend service using Basic
authentication. This policy effectively sets the HTTP Authorization header to the value
corresponding to the credentials provided in the policy.
B: Anonymous is no authentication at all.
D: Your code needs credentials to authenticate to cloud services, but you want to limit the
visibility of those credentials as much as possible. Ideally, they never appear on a developer’s
workstation or get checked-in to source control. Azure Key Vault can store credentials securely
so they aren’t in your code, but to retrieve them you need to authenticate to Azure Key Vault. To
authenticate to Key Vault, you need a credential! A classic bootstrap problem.

Answer 71

A

Answer: B
Explanation:
Instead run the Invoke-RestMethod cmdlet to make a request to the local managed identity for
Azure resources endpoint.

Answer 72

A

Answer: B
Explanation:
Microsoft Graph is a RESTful web API that enables you to access Microsoft Cloud service
resources.
Instead in the Azure AD application’s manifest, set value of the groupMembershipClaims option
to All. In the website, use the value of the groups claim from the JWT for the user to determine
permissions.

Answer 73

A

Answer: A
Explanation:
Get an access token using the VM’s system-assigned managed identity and use it to call Azure
Resource Manager
You will need to use PowerShell in this portion.
1. In the portal, navigate to Virtual Machines and go to your Windows virtual machine and
in the Overview, click Connect.
2. Enter in your Username and Password for which you added when you created the
Windows VM.
3. Now that you have created a Remote Desktop Connection with the virtual machine, open
PowerShell in the remote session.
4. Using the Invoke-WebRequest cmdlet, make a request to the local managed identity for
Azure resources endpoint to get an access token for Azure Resource Manager.
Example:
$response = Invoke-WebRequest -Uri
‘http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-
01&resource=https://management.azure.com/’ -Method GET -Headers @{Metadata=”true”}

Answer 74

A

Answer: B
Explanation:
The Start-AzureStorageBlobCopy cmdlet starts to copy a blob.
Example 1: Copy a named blob
C:\PS>Start-AzureStorageBlobCopy -SrcBlob “ContosoPlanning2015” -DestContainer
“ContosoArchives” -SrcContainer “ContosoUploads”
This command starts the copy operation of the blob named ContosoPlanning2015 from the
container named ContosoUploads to the container named ContosoArchives.

Answer 75

A

Answer: A
Explanation:
These formats are supported in the lists of paths to purge:
 Single path purge: Purge individual assets by specifying the full path of the asset (without
the protocol and domain), with the file extension, for example, /pictures/strasbourg.png;
 Wildcard purge: Asterisk () may be used as a wildcard. Purge all folders, subfolders,
and files under an endpoint with / in the path or purge all subfolders and files under a
specific folder by specifying the folder followed by /, for example, /pictures/.
 Root domain purge: Purge the root of the endpoint with “/” in the path.

Answer 76

A

Answer: C
Explanation:
Use the authentication-managed-identity policy to authenticate with a backend service using the
managed identity of the API Management service. This policy essentially uses the managed
identity to obtain an access token from Azure Active Directory for accessing the specified
resource. After successfully obtaining the token, the policy will set the value of the token in the
Authorization header using the Bearer scheme.

Answer 77

A

Answer: D
Explanation:
Add the validate-jwt policy to validate the OAuth token for every incoming request.
Incorrect Answers:
A: The jsonp policy adds JSON with padding (JSONP) support to an operation or an API to
allow cross-domain calls from JavaScript browser-based clients. JSONP is a method used in
JavaScript programs to request data from a server in a different domain. JSONP bypasses the
limitation enforced by most web browsers where access to web pages must be in the same
domain.
JSONP - Adds JSON with padding (JSONP) support to an operation or an API to allow crossdomain calls from JavaScript browser-based clients.

Answer 78

A

Answer: A,B
To configure the Azure App Service REST API to retrieve and update user profile information stored in Azure Active Directory (Azure AD), you should use the following tools:
A. Microsoft Graph API: The Microsoft Graph API allows you to interact with data in Azure AD, including retrieving and updating user profile information.
B. Microsoft Authentication Library (MSAL): MSAL is used for handling authentication in your application. It helps you authenticate users and acquire access tokens, which are necessary when making requests to the Microsoft Graph API.
Therefore, the correct answers are A (Microsoft Graph API) and B (Microsoft Authentication Library).

Answer 79

A

Answer: A,D
There’re two ways to create a SAS:
(1). The “standard” way to generate a SAS token is to use the storage account key.
(2). by using “managed identities” with a technique is called a “user delegation” SAS, and it allows you to sign the signature with Azure AD credentials instead of with the storage account key.
This question is (2) hence A, D is correct

Answer 80

A

Answer: A
Explanation:
To give a managed identity access to an Azure resource, you need to add a role to the target
resource for that identity.
Note: To easily authenticate access to other resources that are protected by Azure Active
Directory (Azure AD) without having to sign in and provide credentials or secrets, your logic
app can use a managed identity (formerly known as Managed Service Identity or MSI). Azure
manages this identity for you and helps secure your credentials because you don’t have to
provide or rotate secrets.
If you set up your logic app to use the system-assigned identity or a manually created, userassigned identity, the function in your logic app can also use that same identity for
authentication.

Answer 81

A

Answer: C,D
C: “Because Azure Functions uses the change feed processor behind the scenes, it automatically parallelizes change processing across your container’s partitions.”
D: “You can use the change feed pull model to consume the Azure Cosmos DB change feed at your own pace. Similar to the change feed processor, you can use the change feed pull model to parallelize the processing of changes across multiple change feed consumers.”

Answer 82

A

Answer: B
To validate the Azure AD request in the app code when using Twitter as the identity provider, you should validate the ID token signature (option B).

The ID token is a JSON Web Token (JWT) that contains claims about the user. It is signed by Azure AD using a private key, and the signature can be verified using the corresponding public key. Validating the ID token signature ensures that the token was issued by a trusted source and that it has not been tampered with in transit.

Option A, validating the ID token header, is not sufficient for validating the entire ID token. The header only contains metadata about the token, such as the algorithm used for signing.

Option C, validating the HTTP response code, is unrelated to validating the ID token.

Option D, validating the tenant ID, is important for ensuring that the app is only accepting tokens from a trusted Azure AD tenant, but it does not ensure the integrity of the token itself.

Answer 83

A

Answer: A
A. Generate a shared access signature (SAS) for the Azure Blob storage account and provide the SAS to all developers.

A shared access signature (SAS) is a secure token that can be used to grant temporary and revocable access to a blob container or individual blobs. You can specify an expiration time for the SAS, so it will automatically expire after the two-month time period, making the blob storage account no longer accessible to the developers.
This approach allows you to grant the developers the necessary access to the Azure Blob storage account while still maintaining control over the access, and it also allows you to revoke access easily after the two-month time period.

Answer 84

A

Answer: B, C
Explanation:
B: MFA Enabled by conditional access policy. It is the most flexible means to enable two-step
verification for your users. Enabling using conditional access policy only works for Azure MFA
in the cloud and is a premium feature of Azure AD.
C: Multi-Factor Authentication comes as part of the following offerings:
 Azure Active Directory Premium licenses - Full featured use of Azure Multi-Factor
Authentication Service (Cloud) or Azure Multi-Factor Authentication Server (Onpremises).
 Multi-Factor Authentication for Office 365
 Azure Active Directory Global Administrators

Answer 85

A

Answer: A
Explanation:
A service SAS is secured with the storage account key. A service SAS delegates access to a
resource in only one of the Azure Storage services: Blob storage, Queue storage, Table storage,
or Azure Files.
Stored access policies give you the option to revoke permissions for a service SAS without
having to regenerate the storage account keys.
Incorrect Answers:
B: Account SAS is specified at the account level. It is secured with the storage account key.
C: A user delegation SAS applies to Blob storage only.

Answer 86

A

Answer: C
Explanation:
oid -The object identifier for the user in Azure AD. This value is the immutable and non-reusable
identifier of the user. Use this value, not email, as a unique identifier for users; email addresses
can change. If you use the Azure AD Graph API in your app, object ID is that value used to
query profile information.

Answer 87

A

Answer: D
Explanation:
Add Key Vault secrets reference in the Function App configuration.
Syntax: @Microsoft.KeyVault(SecretUri={copied identifier for the username secret})

Answer 88

A

Answer: A
External collaboration settings let you specify what roles in your organization can invite external users for B2B collaboration. These settings also include options for allowing or blocking specific domains, and options for restricting what external guest users can see in your Azure AD directory.
So, you use B2B external collaboration to invite guests into your Azure AD tenant.

I vote for Custom Policies. Both Custom Policies and User Flows support external identity providers, but because of required custom in-house providers support, I’d choose Custom Policies over the User Flows

Answer 89

A

Answer: AE
Explanation:
A: Secure environment variables
Another method (another than a secret volume) for providing sensitive information to containers
(including Windows containers) is through the use of secure environment variables.
E: Use a secret volume to supply sensitive information to the containers in a container group.
The secret volume stores your secrets in files within the volume, accessible by the containers in
the container group. By storing secrets in a secret volume, you can avoid adding sensitive data
like SSH keys or database credentials to your application code.

Answer 90

A

Answer: A
Explanation:
Data Connect grants a more granular control and consent model: you can manage data, see who
is accessing it, and request specific properties of an entity. This enhances the Microsoft Graph
model, which grants or denies applications access to entire entities.
Microsoft Graph Data Connect augments Microsoft Graph’s transactional model with an
intelligent way to access rich data at scale. The data covers how workers communicate,
collaborate, and manage their time across all the applications and services in Microsoft 365.
Incorrect:
Not B: The Microsoft Graph API is a RESTful web API that enables you to access Microsoft
Cloud service resources. After you register your app and get authentication tokens for a user or
service, you can make requests to the Microsoft Graph API.
A simplistic definition of a Graph API is an API that models the data in terms of nodes and
edges (objects and relationships) and allows the client to interact with multiple nodes in a single
request.
Not C: Microsoft Graph connectors, your organization can index third-party data so that it
appears in Microsoft Search results.
With Microsoft Graph connectors, your organization can index third-party data so that it appears
in Microsoft Search results.

Answer 91

A

Answer: E
Explanation:
Microsoft identity platform and OAuth 2.0 authorization code flow, Request an authorization
code
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
The authorization code flow begins with the client directing the user to the /authorize endpoint.
In this request, the client requests the openid, offline_access, and
https://graph.microsoft.com/mail.read permissions from the user.
Parameters include:
* scope required
A space-separated list of scopes that you want the user to consent to. For the /authorize leg of the
request, this parameter can cover multiple resources. This value allows your app to get consent
for multiple web APIs you want to call.

Answer 92

A

Answer: D Explanation: An Azure Function can be used with managed identity to rotate service principal keys. Then an app can use service principal keys to authenticate to Key Vault to check for new versions of the app secret. As long as it does so before the old secret expires it can successfully update its cache with the new secret allowing a smooth transition to the new version.

Answer 93

A

Answer: B
Explanation:
Encryption keys
Customer-managed keys
Before DEKs get stored in Azure Cosmos DB, they are wrapped by a customer-managed key
(CMK). By controlling the wrapping and unwrapping of DEKs, CMKs effectively control the
access to the data that’s encrypted with their corresponding DEKs. CMK storage is designed as
an extensible, with a default implementation that expects them to be stored in Azure Key Vault.

Answer 94

A

Answer: A,D
You can use the Key Rotation Policy in Azure Key Vault combined with Event Grid to trigger sending notification when a secret in the key vault is about to expire.

Answer 95

A

Answer: B
Explanation:
Instead deploy and configure Azure Cache for Redis. Update the web applications.

Answer 96

A

Answer: B
Share Session State Across Applications: While PostgreSQL can store session state, sharing session state across multiple ASP.NET applications is not its primary use case. It requires additional configuration and programming to handle session state management.
Controlled, Concurrent Access for Multiple Readers and a Single Writer: PostgreSQL supports concurrent access, but managing this for session state data would require additional programming effort.
Save Full HTTP Responses for Concurrent Requests: PostgreSQL is not designed for caching full HTTP responses. It is primarily a relational database for structured data, not a cache for HTTP responses.

Answer 97

A

Answer: A
correct answer is A because it is the one that takes advantage of the swagger definition of the API

Answer 98

A

Answer: A, D
Explanation:
D: CorrelationId: Enables an application to specify a context for the message for the purposes of
correlation; for example, reflecting the MessageId of a message that is being replied to.
A: ReplyToSessionId: This value augments the ReplyTo information and specifies which
SessionId should be set for the reply when sent to the reply entity.
Incorrect Answers:
B, E: DeliveryCount
Number of deliveries that have been attempted for this message. The count is incremented when
a message lock expires, or the message is explicitly abandoned by the receiver. This property is
read-only.
C, E: SequenceNumber
The sequence number is a unique 64-bit integer assigned to a message as it is accepted and
stored by the broker and functions as its true identifier. For partitioned entities, the topmost 16
bits reflect the partition identifier. Sequence numbers monotonically increase and are gapless.
They roll over to 0 when the 48-64 bit range is exhausted. This property is read-only.

Answer 99

A

Answer: A
The answer should be A.
The error message shows that there is not enough connections, which means that the concurrency is too high. Too many instances are running parallel. So we have to reduce the concurrency of the app.

Answer 100

A

Answer: A
Explanation:
The session state provider for Azure Cache for Redis enables you to share session information
between different instances of an ASP.NET web application.
The same connection can be used by multiple concurrent threads.
Redis supports both read and write operations.
The output cache provider for Azure Cache for Redis enables you to save the HTTP responses
generated by an ASP.NET web application.

Answer 101

A

Answer: B, C
Explanation:
There are three types of availability tests:
 URL ping test: a simple test that you can create in the Azure portal.
 Multi-step web test: A recording of a sequence of web requests, which can be played
back to test more complex scenarios. Multi-step web tests are created in Visual Studio
Enterprise and uploaded to the portal for execution.
 Custom Track Availability Tests: If you decide to create a custom application to run
availability tests, the TrackAvailability() method can be used to send the results to
Application Insights.

Answer 102

A

Answer: B
Explanation:
You can create an Azure Function with TrackAvailability() that will run periodically according
to the configuration given in TimerTrigger function with your own business logic. The results of
this test will be sent to your Application Insights resource, where you will be able to query for
and alert on the availability results data. This allows you to create customized tests similar to
what you can do via Availability Monitoring in the portal. Customized tests will allow you to
write more complex availability tests than is possible using the portal UI, monitor an app inside
of your Azure VNET, change the endpoint address, or create an availability test even if this
feature is not available in your region.

Answer 103

A

Answer: A,C
Metrics will give you the uptime. Logs will give you the causes of the downtime.
wrong B: Alerts are not required
wrong D: Web tests has nothing to do with uptime.

Answer 104

A

Answer: BD
Explanation:
Example:
public async Task Enqueue(string payload)
{
// StartOperation is a helper method that initializes the telemetry item
// and allows correlation of this operation with its parent and children.
var operation = telemetryClient.StartOperation(“enqueue “ +
queueName);

operation.Telemetry.Type = “Azure Service Bus”;
operation.Telemetry.Data = “Enqueue “ + queueName;
var message = new BrokeredMessage(payload);
// Service Bus queue allows the property bag to pass along with the message.
// We will use them to pass our correlation identifiers (and other context)
// to the consumer.
message.Properties.Add(“ParentId”, operation.Telemetry.Id);
message.Properties.Add(“RootId”, operation.Telemetry.Context.Operation.Id);

Answer 105

A

Answer: B, C
Explanation:
B: The allkeys-lru policy evict keys by trying to remove the less recently used (LRU) keys first,
in order to make space for the new data added. Use the allkeys-lru policy when you expect a
power-law distribution in the popularity of your requests, that is, you expect that a subset of
elements will be accessed far more often than the rest.
C: volatile-lru: evict keys by trying to remove the less recently used (LRU) keys first, but only
among keys that have an expire set, in order to make space for the new data added.
Note: The allkeys-lru policy is more memory efficient since there is no need to set an expire for
the key to be evicted under memory pressure.

Answer 106

A

Answer: B
Explanation:
The log type AppServiceEnvironmentPlatformLogs handles the App Service Environment:
scaling, configuration changes, and status logs.
Incorrect:
AppServiceAppLogs contains logs generated through your application.
AppServiceAuditLogs logs generated when publishing users successfully log on via one of the
App Service publishing protocols.

Answer 107

A

Answer: C
Explanation:
Live Metrics Stream
Deploying the latest build can be an anxious experience. If there are any problems, you want to
know about them right away, so that you can back out if necessary. Live Metrics Stream gives
you key metrics with a latency of about one second.
With Live Metrics Stream, you can:
* Validate a fix while it’s released, by watching performance and failure counts.
* Etc.

Answer 108

A

Answer: A, C
The key here is “In case of an Azure data center outage, metadata loss must be kept to a minimum.”

So the correct answer is AC.

Answer 109

A

Answer: A
A. Add Azure Monitor alert processing rules to suppress notifications: Correct. This allows suppression of notifications during offline processing.
B. Disable Azure Monitor Service Health Alerts during offline processing: Incorrect. This would stop all alerts, not just the ones related to offline processing.
C. Create an Azure Monitor Metric Alert: Incorrect. This would still trigger alerts during offline processing.
D. Build an Azure Monitor action group that suppresses the alerts: Incorrect. This requires additional configuration and may not specifically target the offline processing alerts.

Answer 110

A

Answer: B
There must be a way to tell our redis that logged off users must not be prioritized.
Sample: User A moves and then automatically logs-off. With allkeys-lru we can’t distinguish this particularity. With volatile-lru we can tell our redis what are good candidates to be removed using different TTL values.

Answer 111

A

Answer: C
Explanation:
Exceptions in web applications can be reported with Application Insights. You can correlate
failed requests with exceptions and other events on both the client and server so that you can
quickly diagnose the causes.
When an exception occurs, you can automatically collect a debug snapshot from your live web
application. The debug snapshot shows the state of source code and variables at the moment the
exception was thrown. The Snapshot Debugger in Azure Application Insights:
Monitors system-generated logs from your web app.
Collects snapshots on your top-throwing exceptions.
Provides information you need to diagnose issues in production.

Answer 112

A

Answer: AB
Explanation:
The App Configuration .NET provider library supports updating configuration on demand
without causing an application to restart.
A: Request-driven configuration refresh
The configuration refresh is triggered by the incoming requests to your web app. No refresh will
occur if your app is idle. When your app is active, the App Configuration middleware monitors
the sentinel key, or any other keys you registered for refreshing in the ConfigureRefresh call.
The middleware is triggered upon every incoming request to your app. However, the middleware
will only send requests to check the value in App Configuration when the cache expiration time
you set has passed.
B, not C: The SetCacheExpiration method specifies the minimum time that must elapse before a
new request is made to App Configuration to check for any configuration changes. Default
expiration time is 30 seconds. Adjust to a higher value if you need to reduce the number of
requests made to your App Configuration store.

Answer 113

A

Answer: B, D, E

Gotta enable App Insights.
Always On can solve the performance issues.
Profiler can help find performance issues.
You can eliminate Premium upgrade because it says minimize costs, snapshot debugger is for debugging exceptions and has nothing to do with performance issues, restarting app impacts users and it says minimize impact.

Answer 114

A

Answer: A
A. Authorization - Correct The Authorization header is used to authenticate the client/user in the application by including authorization credentials. It’s crucial for protecting the Azure function against misconfigured invocations.

B. WebHook-Request-Callback - Incorrect The WebHook-Request-Callback is not a standard HTTP header and it’s not typically used for authorization or protection against misconfigured invocations.

C. Resource - Incorrect The Resource is not a standard HTTP header and it’s not typically used for authorization or protection against misconfigured invocations.

D. WebHook-Request-Origin - Incorrect The WebHook-Request-Origin is not a standard HTTP header and it’s not typically used for authorization or protection against misconfigured invocations.

Answer 115

A

Answer: B

Explanation:
- topics allows multiple subscribers, and here we need to process each event once
- correlation filter is for subscriptions, not topics
- even when assuming there is typo in the question and correlation filter is defined on the subscription level - it still is not a valid solution, because new stores can be opened in the future with many new device identifiers which you can’t know in advance. Besides that filter make no sense in this scenario whatsoever, you just need to save data in storage account and basically partition it by device identifier.

Answer 116

A

Answer: B
Sensors do not send events, they send messages containing specific data that has been gathered. This makes automatically the solution incorrect, because you need a Service Bus to collect them. Event Grids and Event Hubs won’t do the job here.

Answer 117

A

Answer: B
Azure Queue doesn’t support FIFO!

Answer 118

A

Answer: A, B
Queue Storage does not provide transactional support and Event Hub can’t be configured to store events for infinite time.

Answer 119

A

Answer: AC
Explanation:
It is strongly recommended to use available messaging products and services that support a
publish-subscribe model, rather than building your own. In Azure, consider using Service Bus or
Event Grid. Other technologies that can be used for pub/sub messaging include Redis,
RabbitMQ, and Apache Kafka

Answer 120

A

Answer: D
Explanation:
Using topic client, call RegisterMessageHandler which is used to receive messages continuously
from the entity. It registers a message handler and begins a new thread to receive messages. This
handler is waited on every time a new message is received by the receiver.
subscriptionClient.RegisterMessageHandler(ReceiveMessagesAsync, messageHandlerOptions);

Answer 121

A

Answer: B
Explanation:
Don’t use a VM, instead create an Azure Function App that uses an Azure Service Bus Queue
trigger.

Answer 122

A

Answer: B
Queue size must not grow larger than 80 gigabytes (GB) - yes that’s fine
Use first-in-first-out (FIFO) ordering of messages. - yes, you can get it with service bus
Minimize Azure costs & Create an Azure Windows VM that is triggered from Azure Service Bus Queue - Firstly there’s nothing like an AzureVM triggering, but Azure Functions triggering instead. Secondly - using vm with queue is more expensive, but of course it depends on multiple factors.

Answer 123

A

Answer: A

Answer 124

A

Answer: C
Explanation:
For relational data you will need the SQL API
Incorrect Answers:
A: The MongoDB API is not used for relational data.
B: The Table API only supports data in the key/value format
D: The Cassandra API only supports OLTP (Online Transactional Processing) and not batch
processing.

Answer 125

A

Answer: C
Use Service Bus when your solution requires transactional behavior and atomicity when sending or receiving multiple messages from a queue.

Answer 126

A

Answer: A
Explanation:
You can create a function that is triggered when messages are submitted to an Azure Storage
queue.

Answer 127

A

Answer: B
Explanation:
Instead use an Azure Service Bus, which is used order processing and financial transactions.

Answer 128

A

Answer: A
Explanation:
Event Hubs enables granular control over event publishers through publisher policies. Publisher
policies are run-time features designed to facilitate large numbers of independent event
publishers. With publisher policies, each publisher uses its own unique identifier when
publishing events to an event hub.
Incorrect:
Not C: An Event Hubs namespace is a management container for event hubs (or topics, in Kafka
parlance). It provides DNS-integrated network endpoints and a range of access control and
network integration management features such as IP filtering, virtual network service endpoint,
and Private Link.

Answer 129

A

Answer: BD

Answer 130

A

Answer: B

Answer 131

A

Answer: C,D,E
The first and second case are fairly straight forward to handle. Try to open the connection again. When you succeed, the transient error has been mitigated by the system. You can use your Azure Database for MySQL again. We recommend having waits before retrying the connection. Back off if the initial retries fail. This way the system can use all resources available to overcome the error situation. A good pattern to follow is:

Wait for 5 seconds before your first retry.
For each following retry, the increase the wait exponentially, up to 60 seconds.
Set a max number of retries at which point your application considers the operation failed.

Answer 132

A

Answer: A
“When a user redeems a one-time passcode and later obtains an MSA, Azure AD account, or other federated account, they’ll continue to be authenticated using a one-time passcode. If you want to update the user’s authentication method, you can reset their redemption status.”

Answer 133

A

HTTP, Custom handler, True are correct

Answer 134

A

Ans: Premium SSD and ZRS
They are asking for high performance workloads which is supported by Premium tier

Answer 135

A

Ans: Container group, EmptyDir

Container group is the only logical answer that can have shared lifecycle
Azure files need root permission
Secret is for secrets and read-only
EmtyDir can persist through crash and redeployed on stop and restart
Cloned Git Repo also does the job but it needs more details like Git URL and stuff which are not mentioned to be available in the question.

Answer 136

A

Box 1: 4
There are four customers that use this service, and each instance of the WebJob processes data for a single customer and must run as a singleton instance. So, the number of VM should be 4. WebJobs is a feature of Azure App Service that enables you to run a program or script in the same instance as a web app. Like running background tasks.

Box 2: Isolated
Azure resources must be located in an isolated network .
In the Isolated tier, the App Service Environment defines the number of isolated workers that run your apps, and each worker is charged. In addition, there’s a flat Stamp Fee for the running the App Service Environment itself. Isolated: This tier runs dedicated Azure VMs on dedicated Azure Virtual Networks. It provides network isolation on top of compute isolation to your apps. It provides the maximum scale-out capabilities.

Answer 137

A

Box 1: Deployment
To deploy Azure Functions to Kubernetes use the func kubernetes deploy command has several attributes that directly control how our app scales, once it is deployed to Kubernetes.

Box 2: ScaledObject
With –polling-interval, we can control the interval used by KEDA to check Azure Service Bus Queue for messages.

Box 3: Secret
Store connection strings in Kubernetes Secrets.

Answer 138

A

Box 1: HTTP request header
If you are using ASP.NET and configure your app to use client certificate authentication, the certificate will be available through the HttpRequest.ClientCertificate property.

Box 2: Base64
For other application stacks, the client cert will be available in your app through a base64 encoded value in the “X-ARR-ClientCert” request header. Your application can create a certificate from this value and then use it for authentication and authorization purposes in your application.

Answer 139

A

/bin/bash
az webpp create
~ config container set
~ config hostname add

Answer 140

A

create ~Premium plan Type (Consumption X)
create system-assigned ~ (user-assigned X)
create an access policy in Azure Key Vault~

Answer 141

A

getRequest
(!”tip” in i)
setBody

Answer 142

A

FROM
WORKDIR
COPY
RUN
CMD

Answer 143

A

Box 1: No
It logs the following:
- ExpirationTime - The time that the message expires.
- InsertionTime - The time that the message was added to the queue.

Box 2: Yes
maxDequeueCount: The number of times to try processing a message before moving it to the poison queue. Default value is 5.

Box 3: Yes
When there are multiple queue messages waiting, the queue trigger retrieves a batch of messages and invokes function instances concurrently to process them. By default, the batch size is 16. When the number being processed gets down to 8, the runtime gets another batch and starts processing those messages. So the maximum number of concurrent messages being processed per function on one virtual machine (VM) is 24.

Box 4: Yes
[Table(“Orders”)]ICollector<Order> table bindings
And in the code it adds the order:
tableBindings.Add(JsonConvert.DeserializeObject<object>(myQueueItem.AsString));</object></Order>

Answer 144

A

Run Command
Custom Script Extension

Answer 145

A

“IdentityId” should actually be “IdentityType”

Answer 146

A

Box 1: Custom handler
Custom handlers can be used to create functions in any language or runtime by running an HTTP server process, for example Go or Rust.

Box 2: extension bundles
is needed to support the bindings and triggers that you use

Answer 147

A

WEBSITES_ENABLE_APP_SERVICE_STORAGE=true
DIAGDATA=/home

Answer 148

A

> Code
Custom Handler
custom (only option when you pick Custom Handler)

Answer 149

A

–sku B1 –is-linux
–deployment-container-image-name images.azurecr.io/website:v1.0.0
– container set –docker-registry-server-url https://images.azurecr.io -u admin -p admin

Answer 150

A

The correct answers are
1) Service bus queue
2) Active message count
3) Average
4) Less than or equal to
5) Decrease count by

Answer 151

A

Since we’re talking about updating the metadata,
- first we need to fetch it, to populate blob’s properties and metadata (we want to update it - without fetching we would just set the new metadata):
FetchAttributesAsync
- second, we need to manipulate the metadatas to update them and the best fitting is
Metadata.Add
- third, we have to persist our changes. We can use a method that initiates an asynchronous operation to update the blob’s metadata, which is
SetMetadataAsync

Answer 152

A

Upgrade the existing one to GPv2
Create a new GPV2 standard account with default access level to cool
And then copy archive data to the GPV2 and delete the data from original storage account.

Answer 153

A

-Correlation Filter (with the not existing value of any filed to avoid getting any message)
-SQL filter (as we need to get all high priority AND international orders, but for Correlation filter: A match exists when an arriving message’s value for a property is equal to the value specified in the correlation filter and we need not equal)
-SQL filter
-SQL filter
-No Filter

Answer 154

A

“Core (SQL)” is “Api for NoSQL” now.

Answer 155

A

Solution is:
- No
- No
- Yes
- No
I guess, third statement (The policy rule tiers..) result is Yes.
Container name “transactions” is in prefixMatch.

Answer 156

A

- ETag - server returns this tag for a resource to ensure we operate on the same version of the resource in subsequent API calls
- If-Match - update is processed by the server only if the ETag provided matches the latest resource version ETag

The reason for that is we want to make sure we update the latest version of a resource:
“Update operations must use the latest data changes when writing”
So, when using Last-Modified with If-Modified-Since, the operation executes only when another client modifies the resource between our READ and WRITE operations.
If we wanted to use Last-Modified instead, we would need If-Unmodified-Since instead.

Answer 157

A

1. changeFeedClient.GetChanges(x).AsPages()
2. x = c.ContinuationToken;

box:
- GetChanges() - wrong - var c in the foreach would be BlobChangeFeedEvent which doesn’t contain Values property used in ProcessChanges(c.Values) line below
- GetChangesAsync - wrong - code won’t compile because it would require await foreach loop instead
- GetChanges(x).AsPages() - correct - it’s the only option to make this code even compile
- GetChanges(x).GetEnumerator() - wrong - you cannot use IEnumerator type as foreach source
box:
- x = c.ContinuationToken - right - variable x was used as continuationToken parameter in changeFeedClient.GetChanges(x).AsPages() above
- c.GetRawResponse().ReasonPhrase - wrong - that does not make sense to use this value as continuation token
- x = c.Values.Min - wrong - continuation token is a number not date
- x = c.Values.Max - wrong - as above

Answer 158

A

there is a chance that both are “constant prefix”

Answer 159

A

Box 1: companymedia
List Blobs
The List Blobs operation returns a list of the blobs under the specified container.
Request
You can construct the List Blobs request as follows. HTTPS is recommended. Replace
myaccount with the name of your storage account.
Method, Request URI
GET https://myaccount.blob.core.windows.net/mycontainer?restype=container&comp=list
Box 2: companyimages
Box 3: Status=’Final’

Answer 160

A

Box 1: Soft delete
When soft-delete is enabled, resources marked as deleted resources are retained for a specified period (90 days by default). The service further provides a mechanism for recovering the deleted object, essentially undoing the deletion.
This can be achieved with the help of the soft-delete feature of the key vault.

Box 2: Purge protection
Purge protection is an optional Key Vault behavior and is not enabled by default. Purge protection can only be enabled once soft-delete is enabled.
When purge protection is on, a vault or an object in the deleted state cannot be purged until the retention period has passed. Soft-deleted vaults and objects can still be recovered, ensuring that the retention policy will be followed.
This can be achieved with the help of the purge protection feature of the key vault.

Answer 161

A

Get-AzSubscription
Set-AzContext –SubscriptionId $subscriptionID
Get-AzKeyVaultSecret –VaultName $vaultName
Get-AzStorageAccountKey –ResourceGroupName $resGroup –Name $storAcct
$secretvalue = ConvertTo-SecureString $storAcctkey –AsPlainText –Force
Set-AzKeyVaultSecret –VaultName $vaultName –Name $secretName –SecretValue $secretvalue

Answer 162

A

red arrows mark correct answers

Answer 163

A

1) groupMembershipClaims
2) oauth2AllowImplicitFlow

Answer 164

A

Inbound
Inbound
Inbound
Outbound

Answer 165

A

Yes
Yes
Yes
No

Answer 166

A

1 Azure AD instance
2 In App Registration, select new registration
3 Create a new application and provide the name

Answer 167

A

1. N
- If you go to the login page, you redirect to Github, just like in the question.
- If the request got a 401 error (Unauthorized), it redirects the user to the login route (with 302 response), which then redirects to the GitHub login.

But in this question, if you check what happens when the request got a 401 error (Unauthorized), it redirects to the AAD route (with 302 response), not to Github. So this part of the question and the example are different.

2. Y
That part of the question seems the same as the example above.
A non-existent file in the /images/ folder -> A 404 error.

3. Y
That part of the question seems the same as the example above.
GET requests from authenticated users in the registeredusers role are sent to the API. Authenticated users not in the registeredusers role and unauthenticated users are served a 401 error.

4. N
It overrides the 401 error to the 302 and redirects the user to the AAD URL.

Answer 168

A

1) SecretClient
2) DefaultAzureCredential

Answer 169

A

1) Configure the web app to the Standard App Service Tier
2) Enable autoscaling on the web app
3) Add a Scale condition
4) Add a scale rule

people argue on the order of 3 and 4

Answer 170

A

1) IDatabase cache = Connection.GetDatabase();
2) cache.KeyDelete(“teams”)

Answer 171

A

1.Funnels
2.Impact
3.Retention
4.User flow

Answer 172

A

1) config
2) docker-container-logging
3) webapp
4) tail

Answer 173

A

1) External
2) Private
3) Authorization

Answer 174

A

Create Log Analytics workspace (in Azure Portal)
Create Application Insights resource (in Monitor, Application Insights with workspace attached)
3.Add VMInsights solution (== activate VMInsights in Monitor, choose VM’s, attach workspace).
4.Install agents on VM

Answer 175

A

1.Yes
2. No
3. Yes

Answer 176

A

I think the Service Bus has already been created and now they ask you to complete the configuration. The next step is creating the queue.
In fact, all the steps are shown:
B. Create group.
C. Create Service Bus.
A. Create Queue. <– Correct answer.
D. Get connectionstring.

Answer 177

A

Answer: C
Question is poorly worded. I think what is asked here is that service bus instance is already created and now you need to complete the configuration to start using the bus. In this case, you will need to create Queue and hence correct answer is C

Answer 178

A

Https(s) endpoint
Client cert

Answer 179

A

people are saying boxes may be switched on actual exam

Answer 180

A

Box 1: windows
Box 2: application/octet-stream

Answer 181

A

Source -> blob storage
Receiver -> event grid
Handler -> logic app

Answer 182

A

Inbound
Outbound
Backend

Answer 183

A

Box 1 Recurrence
Box 2 Condition
Box 3 Tier blob (item last modified < current date - 180 days)
Box 4 Put a message on a queue
Box 5 Insert Entity

people are saying Logic App is not part of 204 exam since some time ago

Answer 184

A

Answer: B
Explanation:
A service bus instance has already been created. Next is step 3, Create a Service Bus queue.

Answer 185

A

Answer: C
Explanation:
A service bus instance has already been created. Next is step 3, Create a Service Bus queue.

Answer 186

A

Answer: C
Explanation:
A service bus instance has already been created. Next is step 3, Create a Service
Bus queue.

Answer 187

A

Answer: BD
Explanation:
The Append Block operation is permitted only for policies with the
allowProtectedAppendWrites or allowProtectedAppendWritesAll property enabled.
The AllowProtectedAppendWrites property setting allows for writing new blocks to an append
blob while maintaining immutability protection and compliance. If this setting is enabled, you
can create an append blob directly in the policy-protected container, and then continue to add
new blocks of data to the end of the append blob with the Append Block operation. Only new
blocks can be added; any existing blocks can’t be modified or deleted. Enabling this setting
doesn’t affect the immutability behavior of block blobs or page blobs.

Answer 188

A

Answer: B
Explanation:
Instead run the Invoke-RestMethod cmdlet to make a request to the local managed identity for
Azure resources endpoin

Answer 189

A

Box 1: XREAD
Data is consumed from a stream using the XREAD command.
Box 2: BLOCK 0
Apart from the fact that XREAD can access multiple streams at once, and that we are able to
specify the last ID we own to just get newer messages, in this simple form the command is not
doing something so different compared to XRANGE. However, the interesting part is that we
can turn XREAD into a blocking command easily, by specifying the BLOCK argument:
> XREAD BLOCK 0 STREAMS mystream $
BLOCK 0 is a timeout of 0 milliseconds, which means to never timeout.
Box 3: $
The $ operator indicates to start reading the stream from the end. Effectively, this example will
only receive new entries instead of historical entries.
The special ID $ means that XREAD should use as last ID the maximum ID already stored in the
stream mystream, so that we will receive only new messages, starting from the time we started
listening.

Answer 190

A

Box 1: inbound
Include a fragment in a policy definition
Configure the include-fragment policy to insert a policy fragment in a policy definition.
You may include a fragment at any scope and in any policy section, as long as the underlying
policy or policies in the fragment support that usage.
You may include multiple policy fragments in a policy definition.
For example, insert the policy fragment named ForwardContext in the inbound policy section:

<policies>
<inbound>
<include-fragment></include-fragment>
<base></base>
</inbound>
[...]
**Box 2: include-fragment**
**Box 3: fragment-id**
**Box 4: inbound**

![!BS! ](https://s3.amazonaws.com/brainscape-prod/system/cm/525/160/838/a_image_ios.?1724608648 "eyJvcmlnaW5hbFVybCI6Imh0dHBzOi8vczMuYW1hem9uYXdzLmNvbS9icmFpbnNjYXBlLXByb2Qvc3lzdGVtL2NtLzUyNS8xNjAvODM4L2FfaW1hZ2Vfb3JpZ2luYWwuP2Y4NzhmNWY0YzE2MTQ5ZDMzOWY0MDZkYzU4ZDdjZDMwIn0=")
</policies>

Answer 191

A

Answer: A
Explanation:
To give a managed identity access to an Azure resource, you need to add a role to the target resource for that identity.
Note: To easily authenticate access to other resources that are protected by Azure Active Directory (Azure AD) without having to sign in and provide credentials or secrets, your logic app can use a managed identity (formerly known as Managed Service Identity or MSI). Azure manages this identity for you and helps secure your credentials because you don’t have to provide or rotate secrets.
If you set up your logic app to use the system-assigned identity or a manually created, userassigned identity, the function in your logic app can also use that same identity for authentication.

Answer 192

A

Answer: D
Explanation:
You can monitor a recorded sequence of URLs and interactions with a website via multi-step web tests.
Incorrect Answers:
A: Selenium is an umbrella project for a range of tools and libraries that enable and support the automation of web browsers.
It provides extensions to emulate user interaction with browsers, a distribution server for scaling browser allocation, and the infrastructure for implementations of the W3C WebDriver
specification that lets you write interchangeable code for all major web browsers.

Brainscape's Knowledge GenomeTM

AZ 204 questions Flashcards

Brainscape's Knowledge Genome^TM