AZ 204 questions Flashcards
You have two Hyper-V hosts named Host1 and Host2. Host1 has an Azure virtual machine
named VM1 that was deployed by using a custom Azure Resource Manager template.
You need to move VM1 to Host2.
What should you do?
A. From the Update management blade, click Enable.
B. From the Overview blade, move VM1 to a different subscription.
C. From the Redeploy blade, click Redeploy.
D. From the Profile blade, modify the usage location.
Answer: C
Explanation:
When you redeploy a VM, it moves the VM to a new node within the Azure infrastructure and
then powers it back on, retaining all your configuration options and associated resources.
Your company has an Azure Kubernetes Service (AKS) cluster that you manage from an Azure
AD-joined device. The cluster is located in a resource group.
Developers have created an application named MyApp. MyApp was packaged into a container image.
You need to deploy the YAML manifest file for the application.
Solution: You install the Azure CLI on the device and run the
kubectl apply -f myapp.yaml command.
Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation:
kubectl apply -f myapp.yaml applies a configuration change to a resource from a file or stdin.
Your company has an Azure Kubernetes Service (AKS) cluster that you manage from an Azure
AD-joined device. The cluster is located in a resource group.
Developers have created an application named MyApp. MyApp was packaged into a container
image.
You need to deploy the YAML manifest file for the application.
Solution: You install the docker client on the device and run the docker run -it
microsoft/azure-cli:0.10.17 command.
Does this meet the goal?
A. Yes
B. No
Answer: B
Your company has a web app named WebApp1.
You use the WebJobs SDK to design a triggered App Service background task that automatically
invokes a function in the code every time new data is received in a queue.
You are preparing to configure the service that processes a queue data item.
Which of the following is the service you should use?
A. Logic Apps
B. WebJobs
C. Flow
D. Functions
Answer: B
Usually you’ll host the WebJobs SDK in Azure WebJobs, but you can also run your jobs in a Worker Role. The Azure WebJobs feature of Azure Web Apps provides an easy way for you to run programs such as services or background tasks in a Web App…
Your company has an Azure subscription.
You need to deploy a number of Azure virtual machines to the subscription by using Azure
Resource Manager (ARM) templates. The virtual machines will be included in a single
availability set.
You need to ensure that the ARM template allows for as many virtual machines as possible to
remain accessible in the event of fabric failure or maintenance.
Which of the following is the value that you should configure for the
platformFaultDomainCount property?
A. 10
B. 30
C. Min Value
D. Max Value
Answer: D
2 or 3 is the max for a region, so the answer should be Max.
Your company has an Azure subscription.
You need to deploy a number of Azure virtual machines to the subscription by using Azure
Resource Manager (ARM) templates. The virtual machines will be included in a single
availability set.
You need to ensure that the ARM template allows for as many virtual machines as possible to
remain accessible in the event of fabric failure or maintenance.
Which of the following is the value that you should configure for the
platformUpdateDomainCount property?
A. 10
B. 20
C. 30
D. 40
Answer: B
Each availability set can be configured with up to three fault domains and twenty update domains.
This question requires that you evaluate the underlined text to determine if it is correct.
Your company has an on-premises deployment of MongoDB, and an Azure Cosmos DB account
that makes use of the MongoDB API.
You need to devise a strategy to migrate MongoDB to the Azure Cosmos DB account.
You include the Data Management Gateway tool in your migration strategy.
Instructions: Review the underlined text. If it makes the statement correct, select “No change required.”
If the statement is incorrect, select the answer choice that makes the statement correct.
A. No change required
B. mongorestore
C. Azure Storage Explorer
D. AzCopy
Answer: B
You are developing an e-Commerce Web App.
You want to use Azure Key Vault to ensure that sign-ins to the e-Commerce Web App are secured by using Azure App Service authentication and Azure Active Directory (AAD).
What should you do on the e-Commerce Web App?
A. Run the az keyvault secret command.
B. Enable Azure AD Connect.
C. Enable Managed Service Identity (MSI).
D. Create an Azure AD service principal.
Answer: C
Explanation:
A managed identity from Azure Active Directory allows your app to easily access other AAD-protected resources such as Azure Key Vault.
This question requires that you evaluate the underlined text to determine if it is correct.
Your Azure Active Directory (Azure AD) tenant has an Azure subscription linked to it.
Your developer has created a mobile application that obtains Azure AD access tokens using the OAuth 2 implicit grant type.
The mobile application must be registered in Azure AD.
You require a redirect URI from the developer for registration purposes.
Instructions: Review the underlined text. If it makes the statement correct, select “No change is needed.”
If the statement is incorrect, select the answer choice that makes the statement correct.
A. No change required.
B. a secret
C. a login hint
D. a client ID
Answer: A
Explanation:
For Native Applications you need to provide a Redirect URI, which Azure AD will use to return token responses.
You are creating an Azure key vault using PowerShell. Objects deleted from the key vault must be kept for a set period of 90 days.
Which two of the following parameters must be used in conjunction to meet the requirement?
(Choose two.)
A. EnabledForDeployment
B. EnablePurgeProtection
C. EnabledForTemplateDeployment
D. EnableSoftDelete
Answer: BD
You’ll need to enable soft delete, and then purge protection to make sure that soft-deleted objects are not purged early.
You manage an Azure SQL database that allows for Azure AD authentication.
You need to make sure that database developers can connect to the SQL database via Microsoft SQL Server Management Studio (SSMS). You also need to make sure the developers use their on-premises Active Directory account for authentication.
Your strategy should allow for authentication prompts to be kept to a minimum.
Which of the following should you implement?
A. Azure AD token.
B. Azure Multi-Factor authentication.
C. Active Directory integrated authentication.
D. OATH software tokens.
Answer: C
Explanation:
Azure AD can be the initial Azure AD managed domain, or it can be an on-premises
Active Directory Domain Services instance that is federated with Azure AD.
You are developing an application to transfer data between on-premises file servers and Azure
Blob storage. The application stores keys, secrets, and certificates in Azure Key Vault and makes
use of the Azure Key Vault APIs.
You want to configure the application to allow recovery of an accidental deletion of the key
vault or key vault objects for 90 days after deletion.
What should you do?
A. Run the Add-AzKeyVaultKey cmdlet.
B. Run the az keyvault update --enable-soft-delete true --enable-purge-protection true CLI.
C. Implement virtual network service endpoints for Azure Key Vault.
D. Run the az keyvault update --enable-soft-delete false CLI.
Answer: B
Explanation:
When soft-delete is enabled, resources marked as deleted are retained for a specified
period (90 days by default). The service further provides a mechanism for recovering the deleted
object, essentially undoing the deletion.
Purge protection is an optional Key Vault behavior and is not enabled by default. Purge
protection can only be enabled once soft-delete is enabled.
When purge protection is on, a vault or an object in the deleted state cannot be purged until the
retention period has passed. Soft-deleted vaults and objects can still be recovered, ensuring that
the retention policy will be followed.
The default retention period is 90 days, but it is possible to set the retention policy interval to a
value from 7 to 90 days through the Azure portal. Once the retention policy interval is set and
saved it cannot be changed for that vault.
You are configuring a web app that delivers streaming video to users. The application makes use
of continuous integration and deployment.
You need to ensure that the application is highly available and that the users’ streaming
experience is constant. You also want to configure the application to store data in a geographic
location that is nearest to the user.
Solution: You include the use of Azure Redis Cache in your design.
Does the solution meet the goal?
A. Yes
B. No
Answer: B
You are configuring a web app that delivers streaming video to users. The application makes use
of continuous integration and deployment.
You need to ensure that the application is highly available and that the users’ streaming
experience is constant. You also want to configure the application to store data in a geographic
location that is nearest to the user.
Solution: You include the use of an Azure Content Delivery Network (CDN) in your design.
Does the solution meet the goal?
A. Yes
B. No
Answer: A
You are configuring a web app that delivers streaming video to users. The application makes use
of continuous integration and deployment.
You need to ensure that the application is highly available and that the users’ streaming
experience is constant. You also want to configure the application to store data in a geographic
location that is nearest to the user.
Solution: You include the use of a Storage Area Network (SAN) in your design.
Does the solution meet the goal?
A. Yes
B. No
Answer: B
You develop a Web App on a tier D1 app service plan.
You notice that page load times increase during periods of peak traffic.
You want to implement automatic scaling when CPU load is above 80 percent. Your solution
must minimize costs.
What should you do first?
A. Enable autoscaling on the Web App.
B. Switch to the Premium App Service tier plan.
C. Switch to the Standard App Service tier plan.
D. Switch to the Azure App Services consumption plan.
Answer: C
Explanation:
Configure the web app to use the Standard App Service tier. The Standard tier supports autoscaling, and we should minimize cost. We can then enable autoscaling on the web app, add a
scale rule and add a scale condition.
Your company’s Azure subscription includes an Azure Log Analytics workspace.
Your company has a hundred on-premises servers that run either Windows Server 2012 R2 or
Windows Server 2016, and these are linked to the Azure Log Analytics workspace. The Azure Log
Analytics workspace is set up to gather performance counters associated with security from these
linked servers.
You must configure alerts based on the information gathered by the Azure Log Analytics
workspace.
You have to make sure that alert rules allow for dimensions, and that alert creation time should
be kept to a minimum. Furthermore, a single alert notification must be created when the alert is
created and when the alert is resolved.
You need to make use of the necessary signal type when creating the alert rules.
Which of the following is the option you should use?
A. The Activity log signal type.
B. The Application Log signal type.
C. The Metric signal type.
D. The Audit Log signal type.
Answer: C
Explanation:
Metric alerts in Azure Monitor provide a way to get notified when one of your metrics crosses a
threshold. Metric alerts work on a range of multi-dimensional platform metrics, custom metrics,
Application Insights standard and custom metrics.
Note: Signals are emitted by the target resource and can be of several types: Metric, Activity log,
Application Insights, and Log.
You are developing a .NET Core MVC application that allows customers to research
independent holiday accommodation providers.
You want to implement Azure Search to allow the application to search the index by using
various criteria to locate documents related to accommodation.
You want the application to allow customers to search the index by using regular expressions.
What should you do?
A. Configure the SearchMode property of the SearchParameters class.
B. Configure the QueryType property of the SearchParameters class.
C. Configure the Facets property of the SearchParameters class.
D. Configure the Filter property of the SearchParameters class.
Answer: B
Explanation:
The SearchParameters.QueryType Property gets or sets a value that specifies the syntax of the
search query. The default is ‘simple’. Use ‘full’ if your query uses the Lucene query syntax.
You can write queries against Azure Search based on the rich Lucene Query Parser syntax for
specialized query forms: wildcard, fuzzy search, proximity search, regular expressions are a few
examples.
You are a developer at your company.
You need to update the definitions for an existing Logic App.
What should you use?
A. the Enterprise Integration Pack (EIP)
B. the Logic App Code View
C. the API Connections
D. the Logic Apps Designer
Answer: B
Explanation:
Edit JSON - Azure portal
Sign in to the Azure portal.
From the left menu, choose All services. In the search box, find “logic apps”, and then from the
results, select your logic app.
On your logic app’s menu, under Development Tools, select Logic App Code View.
The Code View editor opens and shows your logic app definition in JSON format.
You are developing a solution for a public facing API.
The API back end is hosted in an Azure App Service instance. You have implemented a
RESTful service for the API back end.
You must configure back-end authentication for the API Management service instance.
Solution: You configure Basic gateway credentials for the Azure resource.
Does the solution meet the goal?
A. Yes
B. No
Answer: B
Explanation:
API Management allows you to secure access to the back-end service of an API using client
certificates.
You are developing a solution for a public facing API.
The API back end is hosted in an Azure App Service instance. You have implemented a
RESTful service for the API back end.
You must configure back-end authentication for the API Management service instance.
Solution: You configure Client cert gateway credentials for the HTTP(s) endpoint.
Does the solution meet the goal?
A. Yes
B. No
Answer: A
These are scenario questions.
If the backend accepts HTTP(S),
then Basic auth or a certificate will work.
So Client Certificate + HTTP(S): YES
You are developing a solution for a public facing API.
The API back end is hosted in an Azure App Service instance. You have implemented a
RESTful service for the API back end.
You must configure back-end authentication for the API Management service instance.
Solution: You configure Basic gateway credentials for the HTTP(s) endpoint.
Does the solution meet the goal?
A. Yes
B. No
Answer: A
These are scenario questions.
If the backend accepts HTTP(S),
then Basic auth or a certificate will work.
So Basic + HTTP(S): YES
You are developing a solution for a public facing API.
The API back end is hosted in an Azure App Service instance. You have implemented a
RESTful service for the API back end.
You must configure back-end authentication for the API Management service instance.
Solution: You configure Client cert gateway credentials for the Azure resource.
Does the solution meet the goal?
A. Yes
B. No
Answer: B
These are scenario questions.
If the backend accepts HTTP(S),
then Basic auth or a certificate will work.
So Certificate + Azure Resource: NO
You are developing a .NET Core MVC application that allows customers to research
independent holiday accommodation providers.
You want to implement Azure Search to allow the application to search the index by using
various criteria to locate documents related to accommodation venues.
You want the application to list holiday accommodation venues that fall within a specific price
range and are within a specified distance to an airport.
What should you do?
A. Configure the SearchMode property of the SearchParameters class.
B. Configure the QueryType property of the SearchParameters class.
C. Configure the Facets property of the SearchParameters class.
D. Configure the Filter property of the SearchParameters class.
Answer: D
Explanation:
The Filter property gets or sets the OData $filter expression to apply to the search query.
You are a developer at your company.
You need to edit the workflows for an existing Logic App.
What should you use?
A. the Enterprise Integration Pack (EIP)
B. the Logic App Code View
C. the API Connections
D. the Logic Apps Designer
Answer: D
For definitions use the Code View, for the Workflows use the Designer.
You are developing an application that applies a set of governance policies for internal and
external services, as well as for applications.
You develop a stateful ASP.NET Core 2.1 web application named PolicyApp and deploy it to an
Azure App Service Web App. The PolicyApp reacts to events from Azure Event Grid and
performs policy actions based on those events.
You have the following requirements:
Authentication events must be used to monitor users when they sign in and sign out.
All authentication events must be processed by PolicyApp.
Sign outs must be processed as fast as possible.
What should you do?
A. Create a new Azure Event Grid subscription for all authentication events. Use the
subscription to process sign-out events.
B. Create a separate Azure Event Grid handler for sign-in and sign-out events.
C. Create separate Azure Event Grid topics and subscriptions for sign-in and sign-out events.
D. Add a subject prefix to sign-out events. Create an Azure Event Grid subscription. Configure
the subscription to use the subjectBeginsWith filter.
Answer: C
Only C mentions both a topic and a subscription, which are the two critical parts of Event Grid.
You develop a software as a service (SaaS) offering to manage photographs. Users upload
photos to a web service which then stores the photos in Azure Storage Blob storage. The storage
account type is General-purpose V2.
When photos are uploaded, they must be processed to produce and save a mobile-friendly
version of the image. The process to produce a mobile-friendly version of the image must start in
less than one minute.
You need to design the process that starts the photo processing.
Solution: Trigger the photo processing from Blob storage events.
Does the solution meet the goal?
A. Yes
B. No
Answer: B
The answer (B) is correct, because the trick is in the “less than one minute” detail.
You can read about the “..10-minute delay in processing new blobs..” in the “3-Minimizing latency” description.
Microsoft says: “…..Use Event Grid instead of the Blob storage trigger for the following scenarios:”
1-Blob-only storage accounts: Blob-only storage accounts are supported for blob input and output bindings but not for blob triggers.
2-High-scale: High scale can be loosely defined as containers that have more than 100,000 blobs in them or storage accounts that have more than 100 blob updates per second.
3-Minimizing latency: If your function app is on the Consumption plan, there can be up to a ##10-minute delay in processing new blobs## if a function app has gone idle. To avoid this latency, you can switch to an App Service plan with Always On enabled. You can also use an Event Grid trigger with your Blob storage account. For an example, see the Event Grid tutorial.
You develop and deploy an Azure App Service API app to a Windows-hosted deployment slot
named Development. You create additional deployment slots named Testing and Production.
You enable auto swap on the Production deployment slot.
You need to ensure that scripts run and resources are available before a swap operation occurs.
Solution: Update the web.config file to include the applicationInitialization configuration
element. Specify custom initialization actions to run the scripts.
Does the solution meet the goal?
A. No
B. Yes
Answer: B
The correct answer must be B (the applicationInitialization tag is the way of implementing custom warm-up).
You develop and deploy an Azure App Service API app to a Windows-hosted deployment slot
named Development. You create additional deployment slots named Testing and Production.
You enable auto swap on the Production deployment slot.
You need to ensure that scripts run and resources are available before a swap operation occurs.
Solution: Enable auto swap for the Testing slot. Deploy the app to the Testing slot.
Does the solution meet the goal?
A. No
B. Yes
Answer: A
I vote A, No, because for me the solution is updating the web.config file to include the applicationInitialization configuration element.
You develop and deploy an Azure App Service API app to a Windows-hosted deployment slot
named Development. You create additional deployment slots named Testing and Production.
You enable auto swap on the Production deployment slot.
You need to ensure that scripts run and resources are available before a swap operation occurs.
Solution: Disable auto swap. Update the app with a method named statuscheck to run the scripts.
Re-enable auto swap and deploy the app to the Production slot.
Does the solution meet the goal?
A. No
B. Yes
Answer: A
Instead, use applicationInitialization
You develop a software as a service (SaaS) offering to manage photographs. Users upload
photos to a web service which then stores the photos in Azure Storage Blob storage. The storage
account type is General-purpose V2.
When photos are uploaded, they must be processed to produce and save a mobile-friendly
version of the image. The process to produce a mobile-friendly version of the image must start in
less than one minute.
You need to design the process that starts the photo processing.
Solution: Convert the Azure Storage account to a BlockBlobStorage storage account.
Does the solution meet the goal?
A. Yes
B. No
Answer: B
Explanation:
Not necessary to convert the account, instead move photo processing to an Azure Function
triggered from the blob upload.
You develop a website. You plan to host the website in Azure. You expect the website to
experience high traffic volumes after it is published.
You must ensure that the website remains available and responsive while minimizing cost.
You need to deploy the website.
What should you do?
A. Deploy the website to a virtual machine. Configure the virtual machine to automatically scale
when the CPU load is high.
B. Deploy the website to an App Service that uses the Shared service tier. Configure the App
Service plan to automatically scale when the CPU load is high.
C. Deploy the website to a virtual machine. Configure a Scale Set to increase the virtual machine
instance count when the CPU load is high.
D. Deploy the website to an App Service that uses the Standard service tier. Configure the App
Service plan to automatically scale when the CPU load is high.
Answer: D
Explanation:
Windows Azure Web Sites (WAWS) offers 3 modes: Standard, Free, and Shared.
Standard mode carries an enterprise-grade SLA (Service Level Agreement) of 99.9% monthly,
even for sites with just one instance.
Standard mode runs on dedicated instances, making it different from the other ways to buy
Windows Azure Web Sites.
Incorrect Answers:
B: Shared and Free modes do not offer the scaling flexibility of Standard, and they have some
important limits.
Shared mode, just as the name states, also uses shared compute resources, and also has a CPU
limit. So neither Free nor Shared is likely to be the best choice for your production
environment due to these limits.
You develop an HTTP triggered Azure Function app to process Azure Storage blob data. The
app is triggered using an output binding on the blob.
The app continues to time out after four minutes. The app must process the blob data.
You need to ensure the app does not time out and processes the blob data.
Solution: Use the Durable Function async pattern to process the blob data.
Does the solution meet the goal?
A. Yes
B. No
Answer: A
“230 seconds is the maximum amount of time[…] For longer processing times, consider using the DURABLE FUNCTIONS ASYNC PATTERN[…]”
You develop an HTTP triggered Azure Function app to process Azure Storage blob data. The
app is triggered using an output binding on the blob.
The app continues to time out after four minutes. The app must process the blob data.
You need to ensure the app does not time out and processes the blob data.
Solution: Pass the HTTP trigger payload into an Azure Service Bus queue to be processed by a
queue trigger function and return an immediate HTTP success response.
Does the solution meet the goal?
A. Yes
B. No
Answer: A
Yes, the solution meets the goal. By passing the HTTP trigger payload into an Azure Service Bus queue to be processed by a queue trigger function and returning an immediate HTTP success response, you can address the timeout issue and ensure that the blob data is processed without timing out.
You develop an HTTP triggered Azure Function app to process Azure Storage blob data. The
app is triggered using an output binding on the blob.
The app continues to time out after four minutes. The app must process the blob data.
You need to ensure the app does not time out and processes the blob data.
Solution: Configure the app to use an App Service hosting plan and enable the Always On
setting.
Does the solution meet the goal?
A. Yes
B. No
Answer: B
Explanation:
Instead pass the HTTP trigger payload into an Azure Service Bus queue to be processed by a
queue trigger function and return an immediate HTTP success response.
Note: Large, long-running functions can cause unexpected timeout issues. General best practices
include:
Whenever possible, refactor large functions into smaller function sets that work together and
return responses fast. For example, a webhook or HTTP trigger function might require an
acknowledgment response within a certain time limit; it’s common for webhooks to require an
immediate response. You can pass the HTTP trigger payload into a queue to be processed by a
queue trigger function. This approach lets you defer the actual work and return an immediate
response.
You develop a software as a service (SaaS) offering to manage photographs. Users upload
photos to a web service which then stores the photos in Azure Storage Blob storage. The storage
account type is General-purpose V2.
When photos are uploaded, they must be processed to produce and save a mobile-friendly
version of the image. The process to produce a mobile-friendly version of the image must start in
less than one minute.
You need to design the process that starts the photo processing.
Solution: Move photo processing to an Azure Function triggered from the blob upload.
Does the solution meet the goal?
A. Yes
B. No
Answer: B
Blob storage events don’t guarantee an SLA;
you cannot control event arrival in less than a minute.
You are developing an application that uses Azure Blob storage.
The application must read the transaction logs of all the changes that occur to the blobs and the
blob metadata in the storage account for auditing purposes. The changes must be in the order in
which they occurred, include only create, update, delete, and copy operations and be retained for
compliance reasons.
You need to process the transaction logs asynchronously.
What should you do?
A. Process all Azure Blob storage events by using Azure Event Grid with a subscriber Azure
Function app.
B. Enable the change feed on the storage account and process all changes for available events.
C. Process all Azure Storage Analytics logs for successful blob events.
D. Use the Azure Monitor HTTP Data Collector API and scan the request body for successful
blob events.
Answer: B
Explanation:
Change feed support in Azure Blob Storage
The purpose of the change feed is to provide transaction logs of all the changes that occur to the
blobs and the blob metadata in your storage account. The change feed provides an ordered,
guaranteed, durable, immutable, read-only log of these changes.
these logs at any time, either in streaming or in batch mode. The change feed enables you to
build efficient and scalable solutions that process change events that occur in your Blob Storage
account at a low cost.
You are developing an Azure Function App that processes images that are uploaded to an Azure
Blob container.
Images must be processed as quickly as possible after they are uploaded, and the solution must
minimize latency. You create code to process images when the Function App is triggered.
You need to configure the Function App.
What should you do?
A. Use an App Service plan. Configure the Function App to use an Azure Blob Storage input
trigger.
B. Use a Consumption plan. Configure the Function App to use an Azure Blob Storage trigger.
C. Use a Consumption plan. Configure the Function App to use a Timer trigger.
D. Use an App Service plan. Configure the Function App to use an Azure Blob Storage trigger.
E. Use a Consumption plan. Configure the Function App to use an Azure Blob Storage input
trigger.
Answer: D
The answer is D. Use an App Service plan. Configure the Function App to use an Azure Blob Storage trigger.
Consumption plan can cause a 10-min delay in processing new blobs if a function app has gone idle. To avoid this latency, you can switch to an App Service plan with Always On enabled.
You are preparing to deploy a website to an Azure Web App from a GitHub repository. The
website includes static content generated by a script.
You plan to use the Azure Web App continuous deployment feature.
You need to run the static generation script before the website starts serving traffic.
What are two possible ways to achieve this goal? Each correct answer presents a complete
solution.
NOTE: Each correct selection is worth one point.
A. Add the path to the static content generation tool to WEBSITE_RUN_FROM_PACKAGE
setting in the host.json file.
B. Add a PreBuild target in the website’s csproj project file that runs the static content generation
script.
C. Create a file named run.cmd in the folder /run that calls a script which generates the static
content and deploys the website.
D. Create a file named .deployment in the root of the repository that calls a script which
generates the static content and deploys the website.
Answer: B,D
Option B is correct because you can use the PreBuild target in the csproj file to execute a custom command or script before the project is built. This way, you can run the static content generation script and include the generated files in the project output.
Option D is correct because you can use the .deployment file in the root of the repository to customize the deployment process and specify a custom deployment script. This way, you can run the static content generation script and deploy the website using the custom script.
You develop a software as a service (SaaS) offering to manage photographs. Users upload
photos to a web service which then stores the photos in Azure Storage Blob storage. The storage
account type is General-purpose V2.
When photos are uploaded, they must be processed to produce and save a mobile-friendly
version of the image. The process to produce a mobile-friendly version of the image must start in
less than one minute.
You need to design the process that starts the photo processing.
Solution: Create an Azure Function app that uses the Consumption hosting model and that is
triggered from the blob upload.
Does the solution meet the goal?
A. Yes
B. No
Answer: B
Answer should be “No”. Consumption plan can take up to several minutes to trigger the function.
“When your function app runs in the default Consumption plan, there may be a delay of up to several minutes between the blob being added or updated and the function being triggered. If you need low latency in your blob triggered functions, consider running your function app in an App Service plan.”
You develop and deploy an Azure App Service API app to a Windows-hosted deployment slot
named Development. You create additional deployment slots named Testing and Production.
You enable auto swap on the Production deployment slot.
You need to ensure that scripts run and resources are available before a swap operation occurs.
Solution: Update the app with a method named statuscheck to run the scripts. Update the app
settings for the app. Set the WEBSITE_SWAP_WARMUP_PING_PATH and
WEBSITE_SWAP_WARMUP_PING_STATUSES with a path to the new method and
appropriate response codes.
Does the solution meet the goal?
A. No
B. Yes
Answer: B
Should be YES?
You can also customize the warm-up behavior with one or both of the following app settings:
WEBSITE_SWAP_WARMUP_PING_PATH: The path to ping to warm up your site. Add this app setting by specifying a custom path that begins with a slash as the value. An example is /statuscheck. The default value is /.
WEBSITE_SWAP_WARMUP_PING_STATUSES: Valid HTTP response codes for the warm-up operation. Add this app setting with a comma-separated list of HTTP codes. An example is 200,202. If the returned status code isn’t in the list, the warmup and swap operations are stopped. By default, all response codes are valid.
WEBSITE_WARMUP_PATH: A relative path on the site that should be pinged whenever the site restarts (not only during slot swaps). Example values include /statuscheck or the root path, /.
You are developing a web app that is protected by Azure Web Application Firewall (WAF). All
traffic to the web app is routed through an Azure Application Gateway instance that is used by
multiple web apps. The web app address is contoso.azurewebsites.net.
All traffic must be secured with SSL. The Azure Application Gateway instance is used by
multiple web apps.
You need to configure the Azure Application Gateway for the web app.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. In the Azure Application Gateway’s HTTP setting, enable the Use for App service setting.
B. Convert the web app to run in an Azure App service environment (ASE).
C. Add an authentication certificate for contoso.azurewebsites.net to the Azure Application
Gateway.
D. In the Azure Application Gateway’s HTTP setting, set the value of the Override backend path
option to contoso22.azurewebsites.net.
Answer: AD
Explanation:
D: The ability to specify a host override is defined in the HTTP settings and can be applied to
any back-end pool during rule creation.
Application Gateway can also derive the host name from the IP or FQDN of the back-end pool
members: the HTTP settings provide an option to dynamically pick the host name from a
back-end pool member’s FQDN when configured with the option to derive the host name from an
individual back-end pool member.
A (not C): SSL termination and end to end SSL with multi-tenant services.
In case of end to end SSL, trusted Azure services such as Azure App service web apps do not
require whitelisting the backends in the application gateway. Therefore, there is no need to add
any authentication certificates.
You develop a software as a service (SaaS) offering to manage photographs. Users upload
photos to a web service which then stores the photos in Azure Storage Blob storage. The storage
account type is General-purpose V2.
When photos are uploaded, they must be processed to produce and save a mobile-friendly
version of the image. The process to produce a mobile-friendly version of the image must start in
less than one minute.
You need to design the process that starts the photo processing.
Solution: Use the Azure Blob Storage change feed to trigger photo processing.
Does the solution meet the goal?
A. Yes
B. No
Answer: B
Explanation:
The change feed is a log of changes that are organized into hourly segments but appended to and
updated every few minutes. These segments are created only when there are blob change events
that occur in that hour.
Instead, react to the upload event itself: move the photo processing to an Azure Function triggered
from the blob upload.
You are developing a web application that runs as an Azure Web App. The web application
stores data in Azure SQL Database and stores files in an Azure Storage account. The web
application makes HTTP requests to external services as part of normal operations.
The web application is instrumented with Application Insights. The external services are
OpenTelemetry compliant.
You need to ensure that the customer ID of the signed in user is associated with all operations
throughout the overall system.
What should you do?
A. Add the customer ID for the signed in user to the CorrelationContext in the web application
B. On the current SpanContext, set the TraceId to the customer ID for the signed in user
C. Set the header Ocp-Apim-Trace to the customer ID for the signed in user
D. Create a new SpanContext with the TraceFlags value set to the customer ID for the signed in
user
Answer: A
“I would choose option A, Add the customer ID for the signed in user to the CorrelationContext in the web application.
The CorrelationContext is a way to associate contextual information with a request as it flows through the system. It allows you to track a request as it passes through different components of the system, and to identify related log entries and telemetry data. By adding the customer ID to the CorrelationContext in the web application, you can ensure that it is associated with all operations throughout the overall system. This will allow you to track the request and identify related log entries and telemetry data for a specific customer.”
You develop an HTTP triggered Azure Function app to process Azure Storage blob data. The
app is triggered using an output binding on the blob.
The app continues to time out after four minutes. The app must process the blob data.
You need to ensure the app does not time out and processes the blob data.
Solution: Update the functionTimeout property of the host.json project file to 10 minutes.
Does the solution meet the goal?
A. Yes
B. No
Answer: B
Explanation:
Instead pass the HTTP trigger payload into an Azure Service Bus queue to be processed by a
queue trigger function and return an immediate HTTP success response.
Note: Large, long-running functions can cause unexpected timeout issues. General best practices
include:
Whenever possible, refactor large functions into smaller function sets that work together and
return responses fast. For example, a webhook or HTTP trigger function might require an
acknowledgment response within a certain time limit; it’s common for webhooks to require an
immediate response. You can pass the HTTP trigger payload into a queue to be processed by a
queue trigger function. This approach lets you defer the actual work and return an immediate
response.
You are developing an Azure Durable Function to manage an online ordering process.
The process must call an external API to gather product discount information.
You need to implement the Azure Durable Function.
Which Azure Durable Function types should you use? Each correct answer presents part of the
solution.
NOTE: Each correct selection is worth one point.
A. Orchestrator
B. Entity
C. Client
D. Activity
Answer: A, D
“Like orchestrator functions, entity functions are functions with a special trigger type, entity trigger.” You cannot call an Entity from an Orchestrator… the right answer is Orchestrator and Activity.
You develop Azure Durable Functions to manage vehicle loans.
The loan process includes multiple actions that must be run in a specified order. One of the
actions includes a customer credit check process, which may require multiple days to process.
You need to implement Azure Durable Functions for the loan process.
Which Azure Durable Functions type should you use?
A. orchestrator
B. client
C. entity
D. activity
Answer: A
Explanation:
Durable Functions is an extension of Azure Functions. You can use an orchestrator function to
orchestrate the execution of other Durable functions within a function app. Orchestrator
functions have the following characteristics:
Orchestrator functions define function workflows using procedural code. No declarative schemas
or designers are needed.
Orchestrator functions can call other durable functions synchronously and asynchronously.
Output from called functions can be reliably saved to local variables.
Orchestrator functions are durable and reliable. Execution progress is automatically
checkpointed when the function “awaits” or “yields”. Local state is never lost when the process
recycles or the VM reboots.
Orchestrator functions can be long-running. The total lifespan of an orchestration instance can be
seconds, days, months, or never-ending.
You develop Azure Web Apps for a commercial diving company. Regulations require that all
divers fill out a health questionnaire every 15 days after each diving job starts.
You need to configure the Azure Web Apps so that the instance count scales up when divers are
filling out the questionnaire and scales down after they are complete.
You need to configure autoscaling.
What are two possible auto scaling configurations to achieve this goal? Each correct answer
presents a complete solution.
NOTE: Each correct selection is worth one point.
A. Recurrence profile
B. CPU usage-based autoscaling
C. Fixed date profile
D. Predictive autoscaling
Answer: B,D
I think it should be:
B. CPU usage-based autoscaling
D. Predictive autoscaling
A. Recurrence profile is used to schedule the scaling of resources at specific times or dates, but it does not meet the requirement to scale up when divers are filling out the questionnaire and scale down after they are complete. It only triggers scaling based on a set schedule, not based on actual usage.
C. Fixed date profile is used to specify the number of instances at a specific date and time, but it also does not meet the requirement to dynamically scale based on actual usage. It only sets a fixed number of instances and does not adjust based on changing workloads.
You are building a website that uses Azure Blob storage for data storage. You configure Azure
Blob storage lifecycle to move all blobs to the archive tier after 30 days.
Customers have requested a service-level agreement (SLA) for viewing data older than 30 days.
You need to document the minimum SLA for data recovery.
Which SLA should you use?
A. at least two days
B. between one and 15 hours
C. at least one day
D. between zero and 60 minutes
Answer: B
Explanation:
The archive access tier has the lowest storage cost. But it has higher data retrieval costs
compared to the hot and cool tiers. Data in the archive tier can take several hours to retrieve
depending on the priority of the rehydration. For small objects, a high priority rehydrate may
retrieve the object from archive in under 1 hour.
You are developing an Azure solution to collect point-of-sale (POS) device data from
2,000 stores located throughout the world. A single device can produce 2 megabytes (MB) of
data every 24 hours. Each store location has one to five devices that send data.
You must store the device data in Azure Blob storage. Device data must be correlated based on a
device identifier. Additional stores are expected to open in the future.
You need to implement a solution to receive the device data.
Solution: Provision an Azure Event Grid. Configure the machine identifier as the partition key
and enable capture.
Does the solution meet the goal?
A. Yes
B. No
Answer: A
Partitions - 2000 per CU - Dedicated Plan - So we can have 2K+ partitions in Event Hub
Size allowed - Yes
You develop Azure solutions.
A .NET application needs to receive a message each time an Azure virtual machine finishes
processing data. The messages must NOT persist after being processed by the receiving
application.
You need to implement the .NET object that will receive the messages.
Which object should you use?
A. QueueClient
B. SubscriptionClient
C. TopicClient
D. CloudQueueClient
Answer: A
Azure.Storage.Queues.QueueClient: .NET v12
Azure.Storage.Queues.CloudQueueClient: .NET v11 (Legacy)
So, the question is really about what kind of queue message tool you should use. And the key word here is that “message must NOT persist after being processed”.
Azure.Storage.Queues.QueueClient supports “At-Most-Once” delivery mode, while Azure.Storage.Queues.CloudQueueClient doesn’t.
You develop Azure solutions.
You must connect to a No-SQL globally-distributed database by using the .NET API.
You need to create an object to configure and execute requests in the database.
Which code segment should you use?
A. new Container(EndpointUri, PrimaryKey);
B. new Database(EndpointUri, PrimaryKey);
C. new CosmosClient(EndpointUri, PrimaryKey);
Answer: C
Explanation:
Example:
// Create a new instance of the Cosmos client (C#, .NET SDK v3)
this.cosmosClient = new CosmosClient(EndpointUri, PrimaryKey);
// Add this part to your code: create the database through the client
await this.CreateDatabaseAsync();
You have an existing Azure storage account that stores large volumes of data across multiple
containers.
You need to copy all data from the existing storage account to a new storage account. The copy
process must meet the following requirements:
Automate data movement.
Minimize user input required to perform the operation.
Ensure that the data movement process is recoverable.
What should you use?
A. AzCopy
B. Azure Storage Explorer
C. Azure portal
D. .NET Storage Client Library
Answer: A
Explanation:
You can copy blobs, directories, and containers between storage accounts by using the AzCopy
v10 command-line utility.
The copy operation is synchronous so when the command returns, that indicates that all files
have been copied.
You are developing an Azure Cosmos DB solution by using the Azure Cosmos DB SQL API.
The data includes millions of documents. Each document may contain hundreds of properties.
The properties of the documents do not contain distinct values for partitioning. Azure Cosmos
DB must scale individual containers in the database to meet the performance needs of the
application by spreading the workload evenly across all partitions over time.
You need to select a partition key.
Which two partition keys can you use? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. a single property value that does not appear frequently in the documents
B. a value containing the collection name
C. a single property value that appears frequently in the documents
D. a concatenation of multiple property values with a random suffix appended
E. a hash suffix appended to a property value
Answer: D,E
Explanation:
You can form a partition key by concatenating multiple property values into a single artificial
partitionKey property. These keys are referred to as synthetic keys.
Another possible strategy to distribute the workload more evenly is to append a random number
at the end of the partition key value. When you distribute items in this way, you can perform
parallel write operations across partitions.
Note: It’s the best practice to have a partition key with many distinct values, such as hundreds or
thousands. The goal is to distribute your data and workload evenly across the items associated
with these partition key values. If such a property doesn’t exist in your data, you can construct a
synthetic partition key.
You develop and deploy a web application to Azure App Service. The application accesses data
stored in an Azure Storage account. The account contains several containers with several blobs
with large amounts of data. You deploy all Azure resources to a single region.
You need to move the Azure Storage account to the new region. You must copy all data to the
new region.
What should you do first?
A. Export the Azure Storage account Azure Resource Manager template
B. Initiate a storage account failover
C. Configure object replication for all blobs
D. Use the AzCopy command line tool
E. Create a new Azure Storage account in the current region
F. Create a new subscription in the current region
Answer: A
Explanation:
To move a storage account, create a copy of your storage account in another region. Then, move
your data to that account by using AzCopy, or another tool of your choice and finally, delete the
resources in the source region.
To get started, export and then modify a Resource Manager template.
An organization deploys Azure Cosmos DB.
You need to ensure that the index is updated as items are created, updated, or deleted.
What should you do?
A. Set the indexing mode to Lazy.
B. Set the value of the automatic property of the indexing policy to False.
C. Set the value of the EnableScanInQuery option to True.
D. Set the indexing mode to Consistent.
Answer: D
Explanation:
Azure Cosmos DB supports two indexing modes:
Consistent: The index is updated synchronously as you create, update or delete items. This
means that the consistency of your read queries will be the consistency configured for the
account.
None: Indexing is disabled on the container.
You are developing a .Net web application that stores data in Azure Cosmos DB. The application
must use the Core API and allow millions of reads and writes. The Azure Cosmos DB account
has been created with multiple write regions enabled. The application has been deployed to the
East US2 and Central US regions.
You need to update the application to support multi-region writes.
What are two possible ways to achieve this goal? Each correct answer presents part of the
solution.
NOTE: Each correct selection is worth one point.
A. Update the ConnectionPolicy class for the Cosmos client and populate the PreferredLocations
property based on the geo-proximity of the application.
B. Update Azure Cosmos DB to use the Strong consistency level. Add indexed properties to the
container to indicate region.
C. Update the ConnectionPolicy class for the Cosmos client and set the
UseMultipleWriteLocations property to true.
D. Create and deploy a custom conflict resolution policy.
E. Update Azure Cosmos DB to use the Session consistency level. Send the SessionToken
property value from the FeedResponse object of the write action to the end-user by using a
cookie.
Answer: A,C
The goal is “You need to update the application to support multi-region writes”, that is, enable multi-region writes (bool, option C) and add the regions (option A).
Then you have to apply the conflict resolution policies. This can be LLW (default, not mentioned) or custom (option D).
Hence: there is only ONE way to support multi-region writes (apply both C AND A) and there are subsequently TWO ways to apply the conflict resolution policies (@ SQL) to solve write, update and delete conflicts, of which one is mentioned in the question (D).
To support multi-region writes I would answer A and C, but they have to be set both, not one or the other.
You are developing an application to store business-critical data in Azure Blob storage.
The application must meet the following requirements:
Data must not be modified or deleted for a user-specified interval.
Data must be protected from overwrites and deletes.
Data must be written once and allowed to be read many times.
You need to protect the data in the Azure Blob storage account.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Configure a time-based retention policy for the storage account.
B. Create an account shared-access signature (SAS).
C. Enable the blob change feed for the storage account.
D. Enable version-level immutability support for the storage account.
E. Enable point-in-time restore for containers in the storage account.
F. Create a service shared-access signature (SAS).
Answer: A,D
A. Configure a time-based retention policy for the storage account
- A time-based retention policy stores blob data in a Write-Once, Read-Many (WORM) format for a specified interval. When a time-based retention policy is set, clients can create and read blobs, but can’t modify or delete them. After the retention interval has expired, blobs can be deleted but not overwritten.
D. Before you can apply a time-based retention policy to a blob version, you must enable support for version-level immutability.
You are updating an application that stores data on Azure and uses Azure Cosmos DB for
storage. The application stores data in multiple documents associated with a single username.
The application requires the ability to update multiple documents for a username in a single
ACID operation.
You need to configure Azure Cosmos DB.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Create a collection sharded on username to store documents.
B. Configure Azure Cosmos DB to use the Gremlin API.
C. Create an unsharded collection to store documents.
D. Configure Azure Cosmos DB to use the MongoDB API.
Answer: CD
Explanation:
C: Multi-document transactions, Requirements
Multi-document transactions are supported within an unsharded collection in API version 4.0.
Multi-document transactions are not supported across collections or in sharded collections in 4.0.
D: In Azure Cosmos DB for MongoDB, operations on a single document are atomic. Multi-document transactions enable applications to execute atomic operations across multiple
documents. It offers “all-or-nothing” semantics to the operations. On commit, the changes made
inside the transactions are persisted and if the transaction fails, all changes inside the transaction
are discarded.
Multi-document transactions follow ACID semantics:
Atomicity: All operations treated as one
Consistency: Data committed is valid
Isolation: Isolated from other operations
Durability: Transaction data is persisted when client is told so
You develop Azure solutions.
You must connect to a No-SQL globally-distributed database by using the .NET API.
You need to create an object to configure and execute requests in the database.
Which code segment should you use?
A.
database_name = 'MyDatabase'
database = client.create_database_if_not_exists(id=database_name)
B.
client = CosmosClient(endpoint, key)
C.
container_name = 'MyContainer'
container = database.create_container_if_not_exists(
    id=container_name, partition_key=PartitionKey(path="/lastName"),
    offer_throughput=400)
Answer: B
CosmosClient has to be created before you can do options A and C to create databases and execute requests.
from azure.cosmos import CosmosClient, PartitionKey

# The client is created first; endpoint and key are the account URI and primary key
client = CosmosClient(endpoint, key)
# Option A: create (or get) the database through the client
database_name = 'MyDatabase'
database = client.create_database_if_not_exists(id=database_name)
# Option C: create (or get) the container through the database
container_name = 'MyContainer'
container = database.create_container_if_not_exists(
    id=container_name, partition_key=PartitionKey(path="/lastName"), offer_throughput=400)
You develop a web application that provides access to legal documents that are stored on Azure
Blob Storage with version-level immutability policies. Documents are protected with both time-based policies and legal hold policies. All time-based retention policies have the
AllowProtectedAppendWrites property enabled.
You have a requirement to prevent the user from attempting to perform operations that would
fail only when a legal hold is in effect and when all other policies are expired.
You need to meet the requirement.
Which two operations should you prevent? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. adding data to documents
B. deleting documents
C. creating documents
D. overwriting existing documents
Answer: BD
Explanation:
The Append Block operation is permitted only for policies with the
allowProtectedAppendWrites or allowProtectedAppendWritesAll property enabled.
The AllowProtectedAppendWrites property setting allows for writing new blocks to an append
blob while maintaining immutability protection and compliance. If this setting is enabled, you
can create an append blob directly in the policy-protected container, and then continue to add
new blocks of data to the end of the append blob with the Append Block operation. Only new
blocks can be added; any existing blocks can’t be modified or deleted. Enabling this setting
doesn’t affect the immutability behavior of block blobs or page blobs.
You are developing a Java application that uses Cassandra to store key and value data. You plan
to use a new Azure Cosmos DB resource and the Cassandra API in the application. You create
an Azure Active Directory (Azure AD) group named Cosmos DB Creators to enable
provisioning of Azure Cosmos accounts, databases, and containers.
The Azure AD group must not be able to access the keys that are required to access the data.
You need to restrict access to the Azure AD group.
Which role-based access control should you use?
A. DocumentDB Accounts Contributor
B. Cosmos Backup Operator
C. Cosmos DB Operator
D. Cosmos DB Account Reader
Answer: C
Explanation:
Azure Cosmos DB now provides a new RBAC role, Cosmos DB Operator. This new role lets
you provision Azure Cosmos accounts, databases, and containers, but can’t access the keys that
are required to access the data. This role is intended for use in scenarios where the ability to
grant access to Azure Active Directory service principals to manage deployment operations for
Cosmos DB is needed, including the account, database, and containers.
You are developing a website that will run as an Azure Web App. Users will authenticate by
using their Azure Active Directory (Azure AD) credentials.
You plan to assign users one of the following permission levels for the website: admin, normal,
and reader. A user’s Azure AD group membership must be used to determine the permission
level.
You need to configure authorization.
Solution: Configure the Azure Web App for the website to allow only authenticated requests and
require Azure AD log on.
Does the solution meet the goal?
A. Yes
B. No
Answer: B
Explanation:
Instead in the Azure AD application’s manifest, set value of the groupMembershipClaims option
to All. In the website, use the value of the groups claim from the JWT for the user to determine
permissions.
You are developing a website that will run as an Azure Web App. Users will authenticate by
using their Azure Active Directory (Azure AD) credentials.
You plan to assign users one of the following permission levels for the website: admin, normal,
and reader. A user’s Azure AD group membership must be used to determine the permission
level.
You need to configure authorization.
Solution:
Create a new Azure AD application. In the application’s manifest, set value of the
groupMembershipClaims option to All.
In the website, use the value of the groups claim from the JWT for the user to determine
permissions.
Does the solution meet the goal?
A. Yes
B. No
Answer: A
Explanation:
To configure Manifest to include Group Claims in Auth Token
1. Go to Azure Active Directory to configure the Manifest. Click on Azure Active
Directory, and go to App registrations to find your application:
2. Click on your application (or search for it if you have a lot of apps) and edit the Manifest
by clicking on it.
3. Locate the “groupMembershipClaims” setting. Set its value to either “SecurityGroup” or
“All”. To help you decide which:
“SecurityGroup” - groups claim will contain the identifiers of all security groups
of which the user is a member.
“All” - groups claim will contain the identifiers of all security groups and all
distribution lists of which the user is a member
Now your application will include group claims in your manifest and you can use this fact in
your code.
You are developing a website that will run as an Azure Web App. Users will authenticate by
using their Azure Active Directory (Azure AD) credentials.
You plan to assign users one of the following permission levels for the website: admin, normal,
and reader. A user’s Azure AD group membership must be used to determine the permission
level.
You need to configure authorization.
Solution:
Create a new Azure AD application. In the application’s manifest, define application
roles that match the required permission levels for the application.
Assign the appropriate Azure AD group to each role. In the website, use the value of the
roles claim from the JWT for the user to determine permissions.
Does the solution meet the goal?
A. Yes
B. No
Answer: A
The roles get assigned by AD groups, so the requirement “A user’s Azure AD group membership must be used to determine the permission level” is met.
This solution should be answered with “yes”.
This scenario has 2 solutions provided as the approach using the “groupMembershipClaims” is possible as well.
That’s OK as it says “Some question sets might have more than one correct solution, while others might not have a correct solution.”
You provide an Azure API Management managed web service to clients. The back-end web
service implements HTTP Strict Transport Security (HSTS).
Every request to the backend service must include a valid HTTP authorization header.
You need to configure the Azure API Management instance with an authentication policy.
Which two policies can you use? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. Basic Authentication
B. Digest Authentication
C. Certificate Authentication
D. OAuth Client Credential Grant
Answer: A,C
The API documentation only allows 3 options. It states:
Authentication policies
Authenticate with Basic - Authenticate with a backend service using Basic authentication.
Authenticate with client certificate - Authenticate with a backend service using client certificates.
Authenticate with managed identity - Authenticate with the managed identity for the API Management service.
You have an application that includes an Azure Web app and several Azure Function apps.
Application secrets including connection strings and certificates are stored in Azure Key Vault.
Secrets must not be stored in the application or application runtime environment. Changes to
Azure Active Directory (Azure AD) must be minimized.
You need to design the approach to loading application secrets.
What should you do?
A. Create a single user-assigned Managed Identity with permission to access Key Vault and
configure each App Service to use that Managed Identity.
B. Create a single Azure AD Service Principal with permission to access Key Vault and use a
client secret from within the App Services to access Key Vault.
C. Create a system assigned Managed Identity in each App Service with permission to access
Key Vault.
D. Create an Azure AD Service Principal with Permissions to access Key Vault for each App
Service and use a certificate from within the App Services to access Key Vault.
Answer: A
Because we have more than one app (a Web App and several Function Apps), we agree it is going to be a managed identity, but should I create one for each app or one for all apps?
If I create a system MI, then there would be one for each app.
If I create a user MI, then I can reuse it for any app I want with minimum change to AD.
You are developing a medical records document management website. The website is used to
store scanned copies of patient intake forms.
If the stored intake forms are downloaded from storage by a third party, the contents of the forms
must not be compromised.
You need to store the intake forms according to the requirements.
Solution:
1. Create an Azure Key Vault key named skey.
2. Encrypt the intake forms using the public key portion of skey.
3. Store the encrypted data in Azure Blob storage.
Does the solution meet the goal?
A. Yes
B. No
Answer: A
You are developing a medical records document management website. The website is used to
store scanned copies of patient intake forms.
If the stored intake forms are downloaded from storage by a third party, the contents of the forms
must not be compromised.
You need to store the intake forms according to the requirements.
Solution:
1. Create an Azure Cosmos DB database with Storage Service Encryption enabled.
2. Store the intake forms in the Azure Cosmos DB database.
Does the solution meet the goal?
A. Yes
B. No
Answer: B
Explanation:
Instead use an Azure Key Vault and public key encryption. Store the encrypted forms in Azure
Blob storage.
Your company is developing an Azure API hosted in Azure.
You need to implement authentication for the Azure API to access other Azure resources. You
have the following requirements:
All API calls must be authenticated.
Callers to the API must not send credentials to the API.
Which authentication mechanism should you use?
A. Basic
B. Anonymous
C. Managed identity
D. Client certificate
Answer: C
Explanation:
Azure Active Directory Managed Service Identity (MSI) gives your code an automatically
managed identity for authenticating to Azure services, so that you can keep credentials out of
your code.
Note: Use the authentication-managed-identity policy to authenticate with a backend service
using the managed identity. This policy essentially uses the managed identity to obtain an access
token from Azure Active Directory for accessing the specified resource. After successfully
obtaining the token, the policy will set the value of the token in the Authorization header using
the Bearer scheme.
Incorrect Answers:
A: Use the authentication-basic policy to authenticate with a backend service using Basic
authentication. This policy effectively sets the HTTP Authorization header to the value
corresponding to the credentials provided in the policy.
B: Anonymous is no authentication at all.
D: Your code needs credentials to authenticate to cloud services, but you want to limit the
visibility of those credentials as much as possible. Ideally, they never appear on a developer’s
workstation or get checked-in to source control. Azure Key Vault can store credentials securely
so they aren’t in your code, but to retrieve them you need to authenticate to Azure Key Vault. To
authenticate to Key Vault, you need a credential! A classic bootstrap problem.
You develop Azure solutions.
You must grant a virtual machine (VM) access to specific resource groups in Azure Resource
Manager.
You need to obtain an Azure Resource Manager access token.
Solution: Use an X.509 certificate to authenticate the VM with Azure Resource Manager.
Does the solution meet the goal?
A. Yes
B. No
Answer: B
Explanation:
Instead run the Invoke-RestMethod cmdlet to make a request to the local managed identity for
Azure resources endpoint.
You are developing a website that will run as an Azure Web App. Users will authenticate by
using their Azure Active Directory (Azure AD) credentials.
You plan to assign users one of the following permission levels for the website: admin, normal,
and reader. A user’s Azure AD group membership must be used to determine the permission
level.
You need to configure authorization.
Solution:
Configure and use Integrated Windows Authentication in the website.
In the website, query Microsoft Graph API to load the groups to which the user is a
member.
Does the solution meet the goal?
A. Yes
B. No
Answer: B
Explanation:
Microsoft Graph is a RESTful web API that enables you to access Microsoft Cloud service
resources.
Instead, in the Azure AD application’s manifest, set the value of the groupMembershipClaims option
to All. In the website, use the value of the groups claim from the JWT for the user to determine
permissions.
You develop Azure solutions.
You must grant a virtual machine (VM) access to specific resource groups in Azure Resource
Manager.
You need to obtain an Azure Resource Manager access token.
Solution: Run the Invoke-RestMethod cmdlet to make a request to the local managed identity for
Azure resources endpoint.
Does the solution meet the goal?
A. Yes
B. No
Answer: A
Explanation:
Get an access token using the VM’s system-assigned managed identity and use it to call Azure
Resource Manager.
You will need to use PowerShell in this portion.
1. In the portal, navigate to Virtual Machines and go to your Windows virtual machine and
in the Overview, click Connect.
2. Enter in your Username and Password for which you added when you created the
Windows VM.
3. Now that you have created a Remote Desktop Connection with the virtual machine, open
PowerShell in the remote session.
4. Using the Invoke-WebRequest cmdlet, make a request to the local managed identity for
Azure resources endpoint to get an access token for Azure Resource Manager.
Example:
$response = Invoke-WebRequest -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/' -Method GET -Headers @{Metadata="true"}
You develop an app that allows users to upload photos and videos to Azure storage. The app
uses a storage REST API call to upload the media to a blob storage account named Account1.
You have blob storage containers named Container1 and Container2.
Uploading of videos occurs on an irregular basis.
You need to copy specific blobs from Container1 to Container2 when a new video is uploaded.
What should you do?
A. Copy blobs to Container2 by using the Put Blob operation of the Blob Service REST API
B. Create an Event Grid topic that uses the Start-AzureStorageBlobCopy cmdlet
C. Use AzCopy with the Snapshot switch to copy blobs to Container2
D. Download the blob to a virtual machine and then upload the blob to Container2
Answer: B
Explanation:
The Start-AzureStorageBlobCopy cmdlet starts to copy a blob.
Example 1: Copy a named blob
C:\PS>Start-AzureStorageBlobCopy -SrcBlob "ContosoPlanning2015" -DestContainer "ContosoArchives" -SrcContainer "ContosoUploads"
This command starts the copy operation of the blob named ContosoPlanning2015 from the
container named ContosoUploads to the container named ContosoArchives.
You are developing an ASP.NET Core website that uses Azure FrontDoor. The website is used
to build custom weather data sets for researchers. Data sets are downloaded by users as Comma
Separated Value (CSV) files. The data is refreshed every 10 hours.
Specific files must be purged from the FrontDoor cache based upon Response Header values.
You need to purge individual assets from the Front Door cache.
Which type of cache purge should you use?
A. single path
B. wildcard
C. root domain
Answer: A
Explanation:
These formats are supported in the lists of paths to purge:
Single path purge: Purge individual assets by specifying the full path of the asset (without
the protocol and domain), with the file extension, for example, /pictures/strasbourg.png;
Wildcard purge: Asterisk (*) may be used as a wildcard. Purge all folders, subfolders,
and files under an endpoint with /* in the path, or purge all subfolders and files under a
specific folder by specifying the folder followed by /*, for example, /pictures/*.
Root domain purge: Purge the root of the endpoint with “/” in the path.
Your company is developing an Azure API.
You need to implement authentication for the Azure API. You have the following requirements:
All API calls must be secure.
Callers to the API must not send credentials to the API.
Which authentication mechanism should you use?
A. Basic
B. Anonymous
C. Managed identity
D. Client certificate
Answer: C
Explanation:
Use the authentication-managed-identity policy to authenticate with a backend service using the
managed identity of the API Management service. This policy essentially uses the managed
identity to obtain an access token from Azure Active Directory for accessing the specified
resource. After successfully obtaining the token, the policy will set the value of the token in the
Authorization header using the Bearer scheme.
You are a developer for a SaaS company that offers many web services.
All web services for the company must meet the following requirements:
Use API Management to access the services
Use OpenID Connect for authentication
Prevent anonymous usage
A recent security audit found that several web services can be called without any authentication.
Which API Management policy should you implement?
A. jsonp
B. authentication-certificate
C. check-header
D. validate-jwt
Answer: D
Explanation:
Add the validate-jwt policy to validate the OAuth token for every incoming request.
Incorrect Answers:
A: The jsonp policy adds JSON with padding (JSONP) support to an operation or an API to
allow cross-domain calls from JavaScript browser-based clients. JSONP is a method used in
JavaScript programs to request data from a server in a different domain. JSONP bypasses the
limitation enforced by most web browsers where access to web pages must be in the same
domain.
You are developing an Azure App Service REST API.
The API must be called by an Azure App Service web app. The API must retrieve and update
user profile information stored in Azure Active Directory (Azure AD).
You need to configure the API to make the updates.
Which two tools should you use? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Microsoft Graph API
B. Microsoft Authentication Library (MSAL)
C. Azure API Management
D. Microsoft Azure Security Center
E. Microsoft Azure Key Vault SDK
Answer: A,B
To configure the Azure App Service REST API to retrieve and update user profile information stored in Azure Active Directory (Azure AD), you should use the following tools:
A. Microsoft Graph API: The Microsoft Graph API allows you to interact with data in Azure AD, including retrieving and updating user profile information.
B. Microsoft Authentication Library (MSAL): MSAL is used for handling authentication in your application. It helps you authenticate users and acquire access tokens, which are necessary when making requests to the Microsoft Graph API.
Therefore, the correct answers are A (Microsoft Graph API) and B (Microsoft Authentication Library).
You develop a REST API. You implement a user delegation SAS token to communicate with
Azure Blob storage.
The token is compromised.
You need to revoke the token.
What are two possible ways to achieve this goal? Each correct answer presents a complete
solution.
NOTE: Each correct selection is worth one point.
A. Revoke the delegation key.
B. Delete the stored access policy.
C. Regenerate the account key.
D. Remove the role assignment for the security principal.
Answer: A,D
There are two ways to create a SAS:
(1). The “standard” way to generate a SAS token is to use the storage account key.
(2). By using “managed identities” with a technique called a “user delegation” SAS, which allows you to sign the signature with Azure AD credentials instead of with the storage account key.
This question is (2), hence A and D are correct.
You develop and deploy an Azure Logic app that calls an Azure Function app. The Azure
Function app includes an OpenAPI (Swagger) definition and uses an Azure Blob storage
account. All resources are secured by using Azure Active Directory (Azure AD).
The Azure Logic app must securely access the Azure Blob storage account. Azure AD resources
must remain if the Azure Logic app is deleted.
You need to secure the Azure Logic app.
What should you do?
A. Create a user-assigned managed identity and assign role-based access controls.
B. Create an Azure AD custom role and assign the role to the Azure Blob storage account.
C. Create an Azure Key Vault and issue a client certificate.
D. Create a system-assigned managed identity and issue a client certificate.
E. Create an Azure AD custom role and assign role-based access controls.
Answer: A
Explanation:
To give a managed identity access to an Azure resource, you need to add a role to the target
resource for that identity.
Note: To easily authenticate access to other resources that are protected by Azure Active
Directory (Azure AD) without having to sign in and provide credentials or secrets, your logic
app can use a managed identity (formerly known as Managed Service Identity or MSI). Azure
manages this identity for you and helps secure your credentials because you don’t have to
provide or rotate secrets.
If you set up your logic app to use the system-assigned identity or a manually created,
user-assigned identity, the function in your logic app can also use that same identity for
authentication.
You are developing a solution that will use a multi-partitioned Azure Cosmos DB database. You
plan to use the latest Azure Cosmos DB SDK for development.
The solution must meet the following requirements:
Send insert and update operations to an Azure Blob storage account.
Process changes to all partitions immediately.
Allow parallelization of change processing.
You need to process the Azure Cosmos DB operations.
What are two possible ways to achieve this goal? Each correct answer presents a complete
solution.
NOTE: Each correct selection is worth one point.
A. Create an Azure App Service API and implement the change feed estimator of the SDK.
Scale the API by using multiple Azure App Service instances.
B. Create a background job in an Azure Kubernetes Service and implement the change feed
feature of the SDK.
C. Create an Azure Function to use a trigger for Azure Cosmos DB. Configure the trigger to
connect to the container.
D. Create an Azure Function that uses a FeedIterator object that processes the change feed by
using the pull model on the container. Use a FeedRange object to parallelize the processing of
the change feed across multiple functions.
Answer: C,D
C: “Because Azure Functions uses the change feed processor behind the scenes, it automatically parallelizes change processing across your container’s partitions.”
D: “You can use the change feed pull model to consume the Azure Cosmos DB change feed at your own pace. Similar to the change feed processor, you can use the change feed pull model to parallelize the processing of changes across multiple change feed consumers.”
You deploy an Azure App Service web app. You create an app registration for the app in Azure
Active Directory (Azure AD) and Twitter.
The app must authenticate users and must use SSL for all communications. The app must use
Twitter as the identity provider.
You need to validate the Azure AD request in the app code.
What should you validate?
A. ID token header
B. ID token signature
C. HTTP response code
D. Tenant ID
Answer: B
To validate the Azure AD request in the app code when using Twitter as the identity provider, you should validate the ID token signature (option B).
The ID token is a JSON Web Token (JWT) that contains claims about the user. It is signed by Azure AD using a private key, and the signature can be verified using the corresponding public key. Validating the ID token signature ensures that the token was issued by a trusted source and that it has not been tampered with in transit.
Option A, validating the ID token header, is not sufficient for validating the entire ID token. The header only contains metadata about the token, such as the algorithm used for signing.
Option C, validating the HTTP response code, is unrelated to validating the ID token.
Option D, validating the tenant ID, is important for ensuring that the app is only accepting tokens from a trusted Azure AD tenant, but it does not ensure the integrity of the token itself.
A development team is creating a new REST API. The API will store data in Azure Blob
storage. You plan to deploy the API to Azure App Service.
Developers must access the Azure Blob storage account to develop the API for the next two
months. The Azure Blob storage account must not be accessible by the developers after the two-month time period.
You need to grant developers access to the Azure Blob storage account.
What should you do?
A. Generate a shared access signature (SAS) for the Azure Blob storage account and provide the
SAS to all developers.
B. Create and apply a new lifecycle management policy to include a last accessed date value.
Apply the policy to the Azure Blob storage account.
C. Provide all developers with the access key for the Azure Blob storage account. Update the
API to include the Coordinated Universal Time (UTC) timestamp for the request header.
D. Grant all developers access to the Azure Blob storage account by assigning role-based access
control (RBAC) roles
Answer: A
A. Generate a shared access signature (SAS) for the Azure Blob storage account and provide the SAS to all developers.
A shared access signature (SAS) is a secure token that can be used to grant temporary and revocable access to a blob container or individual blobs. You can specify an expiration time for the SAS, so it will automatically expire after the two-month time period, making the blob storage account no longer accessible to the developers.
This approach allows you to grant the developers the necessary access to the Azure Blob storage account while still maintaining control over the access, and it also allows you to revoke access easily after the two-month time period.
You have a new Azure subscription. You are developing an internal website for employees to
view sensitive data. The website uses Azure Active Directory (Azure AD) for authentication.
You need to implement multifactor authentication for the website.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Configure the website to use Azure AD B2C.
B. In Azure AD, create a new conditional access policy.
C. Upgrade to Azure AD Premium.
D. In Azure AD, enable application proxy.
E. In Azure AD conditional access, enable the baseline policy.
Answer: B, C
Explanation:
B: MFA Enabled by conditional access policy. It is the most flexible means to enable two-step
verification for your users. Enabling using conditional access policy only works for Azure MFA
in the cloud and is a premium feature of Azure AD.
C: Multi-Factor Authentication comes as part of the following offerings:
Azure Active Directory Premium licenses - Full featured use of Azure Multi-Factor
Authentication Service (Cloud) or Azure Multi-Factor Authentication Server (On-premises).
Multi-Factor Authentication for Office 365
Azure Active Directory Global Administrators
You manage a data processing application that receives requests from an Azure Storage queue.
You need to manage access to the queue. You have the following requirements:
Provide other applications access to the Azure queue.
Ensure that you can revoke access to the queue without having to regenerate the storage
account keys.
Specify access at the queue level and not at the storage account level.
Which type of shared access signature (SAS) should you use?
A. Service SAS with a stored access policy
B. Account SAS
C. User Delegation SAS
D. Service SAS with ad hoc SAS
Answer: A
Explanation:
A service SAS is secured with the storage account key. A service SAS delegates access to a
resource in only one of the Azure Storage services: Blob storage, Queue storage, Table storage,
or Azure Files.
Stored access policies give you the option to revoke permissions for a service SAS without
having to regenerate the storage account keys.
Incorrect Answers:
B: Account SAS is specified at the account level. It is secured with the storage account key.
C: A user delegation SAS applies to Blob storage only.
You are building a web application that uses the Microsoft identity platform for user
authentication.
You are implementing user identification for the web application.
You need to retrieve a claim to uniquely identify a user.
Which claim type should you use?
A. aud
B. nonce
C. oid
D. idp
Answer: C
Explanation:
oid - The object identifier for the user in Azure AD. This value is the immutable and non-reusable
identifier of the user. Use this value, not email, as a unique identifier for users; email addresses
can change. If you use the Azure AD Graph API in your app, object ID is that value used to
query profile information.
You are developing an Azure Function that calls external APIs by providing an access token for
the API. The access token is stored in a secret named token in an Azure Key Vault named
mykeyvault.
You need to ensure the Azure Function can access to the token. Which value should you store in
the Azure Function App configuration?
A. KeyVault:mykeyvault;Secret:token
B. App:Settings:Secret:mykeyvault:token
C. AZUREKVCONNSTR_https://mykeyvault.vault.azure.net/secrets/token/
D. @Microsoft.KeyVault(SecretUri=https://mykeyvault.vault.azure.net/secrets/token/)
Answer: D
Explanation:
Add Key Vault secrets reference in the Function App configuration.
Syntax: @Microsoft.KeyVault(SecretUri={copied identifier for the username secret})
A company maintains multiple web and mobile applications. Each application uses custom in-house identity providers as well as social identity providers.
You need to implement single sign-on (SSO) for all the applications.
What should you do?
A. Use Azure Active Directory B2C (Azure AD B2C) with custom policies.
B. Use Azure Active Directory B2B (Azure AD B2B) and enable external collaboration.
C. Use Azure Active Directory B2C (Azure AD B2C) with user flows.
D. Use Azure Active Directory B2B (Azure AD B2B).
Answer: A
External collaboration settings let you specify what roles in your organization can invite external users for B2B collaboration. These settings also include options for allowing or blocking specific domains, and options for restricting what external guest users can see in your Azure AD directory.
So, you use B2B external collaboration to invite guests into your Azure AD tenant.
I vote for Custom Policies. Both Custom Policies and User Flows support external identity providers, but because of the required custom in-house provider support, I’d choose Custom Policies over the User Flows.
You develop a Python application for image rendering that uses GPU resources to optimize
rendering processes. You deploy the application to an Azure Container Instances (ACI) Linux
container.
The application requires a secret value to be passed when the container is started. The value must
only be accessed from within the container.
You need to pass the secret value.
What are two possible ways to achieve this goal? Each correct answer presents a complete
solution.
NOTE: Each correct selection is worth one point.
A. Create an environment variable. Set the secureValue property to the secret value.
B. Add the secret value to the container image. Use a managed identity.
C. Add the secret value to the application code. Set the container startup command.
D. Add the secret value to an Azure Blob storage account. Generate a SAS token.
E. Mount a secret volume containing the secret value in a secrets file.
Answer: A, E
Explanation:
A: Secure environment variables
Another method (other than a secret volume) for providing sensitive information to containers
(including Windows containers) is through the use of secure environment variables.
E: Use a secret volume to supply sensitive information to the containers in a container group.
The secret volume stores your secrets in files within the volume, accessible by the containers in
the container group. By storing secrets in a secret volume, you can avoid adding sensitive data
like SSH keys or database credentials to your application code.
You are developing a user portal for a company.
You need to create a report for the portal that lists information about employees who are subject
matter experts for a specific topic. You must ensure that administrators have full control and
consent over the data.
Which technology should you use?
A. Microsoft Graph data connect
B. Microsoft Graph API
C. Microsoft Graph connectors
Answer: A
Explanation:
Data Connect grants a more granular control and consent model: you can manage data, see who
is accessing it, and request specific properties of an entity. This enhances the Microsoft Graph
model, which grants or denies applications access to entire entities.
Microsoft Graph Data Connect augments Microsoft Graph’s transactional model with an
intelligent way to access rich data at scale. The data covers how workers communicate,
collaborate, and manage their time across all the applications and services in Microsoft 365.
Incorrect:
Not B: The Microsoft Graph API is a RESTful web API that enables you to access Microsoft
Cloud service resources. After you register your app and get authentication tokens for a user or
service, you can make requests to the Microsoft Graph API.
A simplistic definition of a Graph API is an API that models the data in terms of nodes and
edges (objects and relationships) and allows the client to interact with multiple nodes in a single
request.
Not C: With Microsoft Graph connectors, your organization can index third-party data so that it
appears in Microsoft Search results.
You are developing a web application that uses the Microsoft identity platform for user and
resource authentication. The web application calls several REST APIs.
A REST API call must read the user’s calendar. The web application requires permission to send
an email as the user.
You need to authorize the web application and the API.
Which parameter should you use?
A. tenant
B. code_challenge
C. state
D. client_id
E. scope
Answer: E
Explanation:
Microsoft identity platform and OAuth 2.0 authorization code flow, Request an authorization
code
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
The authorization code flow begins with the client directing the user to the /authorize endpoint.
In this request, the client requests the openid, offline_access, and
https://graph.microsoft.com/mail.read permissions from the user.
Parameters include:
scope (required)
A space-separated list of scopes that you want the user to consent to. For the /authorize leg of the
request, this parameter can cover multiple resources. This value allows your app to get consent
for multiple web APIs you want to call.
You develop and deploy an Azure App Service web app named App1. You create a new Azure
Key Vault named Vault1. You import several API keys, passwords, certificates, and
cryptographic keys into Vault1.
You need to grant App1 access to Vault1 and automatically rotate credentials. Credentials must
not be stored in code.
What should you do?
A. Enable App Service authentication for App1. Assign a custom RBAC role to Vault1.
B. Add a TLS/SSL binding to App1.
C. Upload a self-signed client certificate to Vault1. Update App1 to use the client certificate.
D. Assign a managed identity to App1.
Answer: D
Explanation:
An Azure Function can be used with managed identity to rotate service principal keys. Then an app can use service principal keys to authenticate to Key Vault to check for new versions of the app secret. As long as it does so before the old secret expires, it can successfully update its cache with the new secret, allowing a smooth transition to the new version.
You are developing a Java application to be deployed in Azure. The application stores sensitive
data in Azure Cosmos DB.
You need to configure Always Encrypted to encrypt the sensitive data inside the application.
What should you do first?
A. Create a new container to include an encryption policy with the JSON properties to be
encrypted.
B. Create a customer-managed key (CMK) and store the key in a new Azure Key Vault instance.
C. Create a data encryption key (DEK) by using the Azure Cosmos DB SDK and store the key in
Azure Cosmos DB.
D. Create an Azure AD managed identity and assign the identity to a new Azure Key Vault
instance.
Answer: B
Explanation:
Encryption keys
Customer-managed keys
Before DEKs get stored in Azure Cosmos DB, they are wrapped by a customer-managed key
(CMK). By controlling the wrapping and unwrapping of DEKs, CMKs effectively control the
access to the data that’s encrypted with their corresponding DEKs. CMK storage is designed to be
extensible, with a default implementation that expects them to be stored in Azure Key Vault.
You are developing several microservices to deploy to a new Azure Kubernetes Service cluster.
The microservices manage data stored in Azure Cosmos DB and Azure Blob storage. The data is
secured by using customer-managed keys stored in Azure Key Vault.
You must automate key rotation for all Azure Key Vault keys and allow for manual key rotation.
Keys must rotate every three months. Notifications of expiring keys must be sent before key
expiry.
You need to configure key rotation and enable key expiry notifications.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Create and configure a new Azure Event Grid instance.
B. Configure Azure Key Vault alerts.
C. Create and assign an Azure Key Vault access policy.
D. Create and configure a key rotation policy during key creation.
Answer: A,D
You can use the Key Rotation Policy in Azure Key Vault combined with Event Grid to trigger sending a notification when a secret in the key vault is about to expire.
You are developing and deploying several ASP.NET web applications to Azure App Service.
You plan to save session state information and HTML output.
You must use a storage mechanism with the following requirements:
Share session state across all ASP.NET web applications.
Support controlled, concurrent access to the same session state data for multiple readers
and a single writer.
Save full HTTP responses for concurrent requests.
You need to store the information.
Proposed Solution: Enable Application Request Routing (ARR).
Does the solution meet the goal?
A. Yes
B. No
Answer: B
Explanation:
Instead deploy and configure Azure Cache for Redis. Update the web applications.
You are developing and deploying several ASP.NET web applications to Azure App Service.
You plan to save session state information and HTML output.
You must use a storage mechanism with the following requirements:
Share session state across all ASP.NET web applications.
Support controlled, concurrent access to the same session state data for multiple readers
and a single writer.
Save full HTTP responses for concurrent requests.
You need to store the information.
Proposed Solution: Deploy and configure an Azure Database for PostgreSQL. Update the web
applications.
Does the solution meet the goal?
A. Yes
B. No
Answer: B
Share Session State Across Applications: While PostgreSQL can store session state, sharing session state across multiple ASP.NET applications is not its primary use case. It requires additional configuration and programming to handle session state management.
Controlled, Concurrent Access for Multiple Readers and a Single Writer: PostgreSQL supports concurrent access, but managing this for session state data would require additional programming effort.
Save Full HTTP Responses for Concurrent Requests: PostgreSQL is not designed for caching full HTTP responses. It is primarily a relational database for structured data, not a cache for HTTP responses.
You develop a gateway solution for a public facing news API. The news API back end is
implemented as a RESTful service and uses an OpenAPI specification.
You need to ensure that you can access the news API by using an Azure API Management
service instance.
Which Azure PowerShell command should you run?
A. Import-AzureRmApiManagementApi -Context $ApiMgmtContext -SpecificationFormat "Swagger" -SpecificationPath $SwaggerPath -Path $Path
B. New-AzureRmApiManagementBackend -Context $ApiMgmtContext -Url $Url -Protocol http
C. New-AzureRmApiManagement -ResourceGroupName $ResourceGroup -Name $Name -Location $Location -Organization $Org -AdminEmail $AdminEmail
D. New-AzureRmApiManagementBackendProxy -Url $ApiUrl
Answer: A
The correct answer is A because it is the one that takes advantage of the Swagger definition of the API.
You are creating a hazard notification system that has a single signaling server which triggers
audio and visual alarms to start and stop.
You implement Azure Service Bus to publish alarms. Each alarm controller uses Azure Service
Bus to receive alarm signals as part of a transaction. Alarm events must be recorded for audit
purposes. Each transaction record must include information about the alarm type that was
activated.
You need to implement a reply trail auditing solution.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Assign the value of the hazard message SessionID property to the ReplyToSessionId
property.
B. Assign the value of the hazard message MessageId property to the DeliveryCount property.
C. Assign the value of the hazard message SessionID property to the SequenceNumber property.
D. Assign the value of the hazard message MessageId property to the CorrelationId property.
E. Assign the value of the hazard message SequenceNumber property to the DeliveryCount
property.
F. Assign the value of the hazard message MessageId property to the SequenceNumber property.
Answer: A, D
Explanation:
D: CorrelationId: Enables an application to specify a context for the message for the purposes of
correlation; for example, reflecting the MessageId of a message that is being replied to.
A: ReplyToSessionId: This value augments the ReplyTo information and specifies which
SessionId should be set for the reply when sent to the reply entity.
Incorrect Answers:
B, E: DeliveryCount
Number of deliveries that have been attempted for this message. The count is incremented when
a message lock expires, or the message is explicitly abandoned by the receiver. This property is
read-only.
C, E: SequenceNumber
The sequence number is a unique 64-bit integer assigned to a message as it is accepted and
stored by the broker and functions as its true identifier. For partitioned entities, the topmost 16
bits reflect the partition identifier. Sequence numbers monotonically increase and are gapless.
They roll over to 0 when the 48-64 bit range is exhausted. This property is read-only.
You are developing an Azure function that connects to an Azure SQL Database instance. The
function is triggered by an Azure Storage queue.
You receive reports of numerous System.InvalidOperationExceptions with the following
message:
“Timeout expired. The timeout period elapsed prior to obtaining a connection from the pool.
This may have occurred because all pooled connections were in use and max pool size was
reached.”
You need to prevent the exception.
What should you do?
A. In the host.json file, decrease the value of the batchSize option
B. Convert the trigger to Azure Event Hub
C. Convert the Azure Function to the Premium plan
D. In the function.json file, change the value of the type option to queueScaling
Answer: A
The answer should be A.
The error message shows that there are not enough connections in the pool, which means that the concurrency is too high: too many instances are running in parallel. So the concurrency of the app has to be reduced.
You are developing and deploying several ASP.NET web applications to Azure App Service.
You plan to save session state information and HTML output.
You must use a storage mechanism with the following requirements:
Share session state across all ASP.NET web applications.
Support controlled, concurrent access to the same session state data for multiple readers
and a single writer.
Save full HTTP responses for concurrent requests.
You need to store the information.
Proposed Solution: Deploy and configure Azure Cache for Redis. Update the web applications.
Does the solution meet the goal?
A. Yes
B. No
Answer: A
Explanation:
The session state provider for Azure Cache for Redis enables you to share session information
between different instances of an ASP.NET web application.
The same connection can be used by multiple concurrent threads.
Redis supports both read and write operations.
The output cache provider for Azure Cache for Redis enables you to save the HTTP responses
generated by an ASP.NET web application.
You develop and deploy an ASP.NET web app to Azure App Service. You use Application
Insights telemetry to monitor the app.
You must test the app to ensure that the app is available and responsive from various points
around the world and at regular intervals. If the app is not responding, you must send an alert to
support staff.
You need to configure a test for the web app.
Which two test types can you use? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. integration
B. multi-step web
C. URL ping
D. unit
E. load
Answer: B, C
Explanation:
There are three types of availability tests:
URL ping test: a simple test that you can create in the Azure portal.
Multi-step web test: A recording of a sequence of web requests, which can be played
back to test more complex scenarios. Multi-step web tests are created in Visual Studio
Enterprise and uploaded to the portal for execution.
Custom Track Availability Tests: If you decide to create a custom application to run
availability tests, the TrackAvailability() method can be used to send the results to
Application Insights.
You develop and add several functions to an Azure Function app that uses the latest runtime
host. The functions contain several REST API endpoints secured by using SSL. The Azure
Function app runs in a Consumption plan.
You must send an alert when any of the function endpoints are unavailable or responding too
slowly.
You need to monitor the availability and responsiveness of the functions.
What should you do?
A. Create a URL ping test.
B. Create a timer triggered function that calls TrackAvailability() and send the results to
Application Insights.
C. Create a timer triggered function that calls GetMetric("Request Size") and send the
results to Application Insights.
D. Add a new diagnostic setting to the Azure Function app. Enable the FunctionAppLogs and
Send to Log Analytics options.
Answer: B
Explanation:
You can create an Azure Function with TrackAvailability() that will run periodically according
to the configuration given in the TimerTrigger function, with your own business logic. The results of
this test will be sent to your Application Insights resource, where you will be able to query for
and alert on the availability results data. This allows you to create customized tests similar to
what you can do via Availability Monitoring in the portal. Customized tests will allow you to
write more complex availability tests than is possible using the portal UI, monitor an app inside
of your Azure VNET, change the endpoint address, or create an availability test even if this
feature is not available in your region.
You develop and deploy an Azure App Service web app. The app is deployed to multiple regions
and uses Azure Traffic Manager. Application Insights is enabled for the app.
You need to analyze app uptime for each month.
Which two solutions will achieve the goal? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. Azure Monitor logs
B. Application Insights alerts
C. Azure Monitor metrics
D. Application Insights web tests
Answer: A,C
Metrics will give you the uptime. Logs will give you the causes of the downtime.
B is wrong: alerts are not required.
D is wrong: web tests have nothing to do with uptime.
You are developing an ASP.NET Core Web API web service. The web service uses Azure
Application Insights for all telemetry and dependency tracking. The web service reads and writes
data to a database other than Microsoft SQL Server.
You need to ensure that dependency tracking works for calls to the third-party database.
Which two dependency telemetry properties should you use? Each correct answer presents part
of the solution.
NOTE: Each correct selection is worth one point.
A. Telemetry.Context.Cloud.RoleInstance
B. Telemetry.Id
C. Telemetry.Name
D. Telemetry.Context.Operation.Id
E. Telemetry.Context.Session.Id
Answer: B, D
Explanation:
Example:
using Microsoft.ApplicationInsights;
using Microsoft.ApplicationInsights.DataContracts;
using Microsoft.ServiceBus.Messaging;

public async Task Enqueue(string payload)
{
    // StartOperation is a helper method that initializes the telemetry item
    // and allows correlation of this operation with its parent and children.
    var operation = telemetryClient.StartOperation<DependencyTelemetry>("enqueue " + queueName);
    try
    {
        operation.Telemetry.Type = "Azure Service Bus";
        operation.Telemetry.Data = "Enqueue " + queueName;
        var message = new BrokeredMessage(payload);
        // Service Bus queue allows the property bag to pass along with the message.
        // We will use them to pass our correlation identifiers (and other context)
        // to the consumer.
        message.Properties.Add("ParentId", operation.Telemetry.Id);
        message.Properties.Add("RootId", operation.Telemetry.Context.Operation.Id);
        // queueClient is assumed to be a Service Bus QueueClient for queueName.
        await queueClient.SendAsync(message);
    }
    finally
    {
        // StopOperation completes and sends the dependency telemetry item.
        telemetryClient.StopOperation(operation);
    }
}
You are developing a web application that uses Azure Cache for Redis. You anticipate that the
cache will frequently fill and that you will need to evict keys.
You must configure Azure Cache for Redis based on the following predicted usage pattern: A
small subset of elements will be accessed much more often than the rest.
You need to configure the Azure Cache for Redis to optimize performance for the predicted
usage pattern.
Which two eviction policies will achieve the goal?
NOTE: Each correct selection is worth one point.
A. noeviction
B. allkeys-lru
C. volatile-lru
D. allkeys-random
E. volatile-ttl
F. volatile-random
Answer: B, C
Explanation:
B: The allkeys-lru policy evicts keys by trying to remove the least recently used (LRU) keys first,
in order to make space for the new data added. Use the allkeys-lru policy when you expect a
power-law distribution in the popularity of your requests, that is, you expect that a subset of
elements will be accessed far more often than the rest.
C: The volatile-lru policy evicts keys by trying to remove the least recently used (LRU) keys first, but only
among keys that have an expire set, in order to make space for the new data added.
Note: The allkeys-lru policy is more memory efficient since there is no need to set an expire for
the key to be evicted under memory pressure.
An organization hosts web apps in Azure. The organization uses Azure Monitor.
You discover that configuration changes were made to some of the web apps.
You need to identify the configuration changes.
Which Azure Monitor log should you review?
A. AppServiceAppLogs
B. AppServiceEnvironmentPlatformLogs
C. AppServiceConsoleLogs
D. AppServiceAuditLogs
Answer: B
Explanation:
The log type AppServiceEnvironmentPlatformLogs handles the App Service Environment:
scaling, configuration changes, and status logs.
Incorrect:
AppServiceAppLogs contains logs generated through your application.
AppServiceAuditLogs contains logs generated when publishing users successfully log on via one of the
App Service publishing protocols.
You develop and deploy an Azure App Service web app to a production environment. You
enable the Always On setting and the Application Insights site extensions.
You deploy a code update and receive multiple failed requests and exceptions in the web app.
You need to validate the performance and failure counts of the web app in near real time.
Which Application Insights tool should you use?
A. Profiler
B. Smart Detection
C. Live Metrics Stream
D. Application Map
E. Snapshot Debugger
Answer: C
Explanation:
Live Metrics Stream
Deploying the latest build can be an anxious experience. If there are any problems, you want to
know about them right away, so that you can back out if necessary. Live Metrics Stream gives
you key metrics with a latency of about one second.
With Live Metrics Stream, you can:
* Validate a fix while it’s released, by watching performance and failure counts.
* Etc.
You are building a web application that performs image analysis on user photos and returns
metadata containing objects identified. The image analysis is very costly in terms of time and
compute resources. You are planning to use Azure Redis Cache so duplicate uploads do not need
to be reprocessed.
In case of an Azure data center outage, metadata loss must be kept to a minimum.
You need to configure the Azure Redis cache instance.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Configure Azure Redis with AOF persistence.
B. Configure Azure Redis with RDB persistence.
C. Configure a second storage account for persistence.
D. Set backup frequency to the minimum value.
Answer: A, C
The key here is "In case of an Azure data center outage, metadata loss must be kept to a minimum."
So the correct answer is A, C.
You are developing an Azure-based web application. The application goes offline periodically to
perform offline data processing. While the application is offline, numerous Azure Monitor alerts
fire which result in the on-call developer being paged.
The application must always log when the application is offline for any reason.
You need to ensure that the on-call developer is not paged during offline processing.
What should you do?
A. Add Azure Monitor alert processing rules to suppress notifications.
B. Disable Azure Monitor Service Health Alerts during offline processing.
C. Create an Azure Monitor Metric Alert.
D. Build an Azure Monitor action group that suppresses the alerts.
Answer: A
A. Add Azure Monitor alert processing rules to suppress notifications: Correct. This allows suppression of notifications during offline processing.
B. Disable Azure Monitor Service Health Alerts during offline processing: Incorrect. This would stop all alerts, not just the ones related to offline processing.
C. Create an Azure Monitor Metric Alert: Incorrect. This would still trigger alerts during offline processing.
D. Build an Azure Monitor action group that suppresses the alerts: Incorrect. This requires additional configuration and may not specifically target the offline processing alerts.
You are developing an online game that includes a feature that allows players to interact with
other players on the same team within a certain distance. The calculation to determine the
players in range occurs when players move and are cached in an Azure Cache for Redis instance.
The system should prioritize players based on how recently they have moved and should not
prioritize players who have logged out of the game.
You need to select an eviction policy.
Which eviction policy should you use?
A. allkeys-lru
B. volatile-lru
C. allkeys-lfu
D. volatile-ttl
Answer: B
There must be a way to tell Redis that logged-off users must not be prioritized.
Sample: User A moves and then automatically logs off. With allkeys-lru we cannot distinguish this case. With volatile-lru we can tell Redis which keys are good candidates to be removed by using different TTL values.
You develop an Azure App Service web app and deploy to a production environment. You
enable Application Insights for the web app.
The web app is throwing multiple exceptions in the environment.
You need to examine the state of the source code and variables when the exceptions are thrown.
Which Application Insights feature should you configure?
A. Smart detection
B. Profiler
C. Snapshot Debugger
D. Standard test
Answer: C
Explanation:
Exceptions in web applications can be reported with Application Insights. You can correlate
failed requests with exceptions and other events on both the client and server so that you can
quickly diagnose the causes.
When an exception occurs, you can automatically collect a debug snapshot from your live web
application. The debug snapshot shows the state of source code and variables at the moment the
exception was thrown. The Snapshot Debugger in Azure Application Insights:
Monitors system-generated logs from your web app.
Collects snapshots on your top-throwing exceptions.
Provides information you need to diagnose issues in production.