Az 204 - Sheet1 (2) Flashcards

Question

You are a developer at your company. You need to edit the workflows for an existing Logic App. What should you use? A. the Enterprise Integration Pack (EIP) B. the Logic App Code View C. the API Connections D. the Logic Apps Designer

Answer 1

Answer: D For definitions use the Code View, for the Workflows use the Designer.

Answer 2

Answer: C Only C is mentioned both topic and subscription, which are two critical parts for event grid

Answer 3

Answer: B The answer (B) is correct. Because, the trick is in the "less than one minute" detail. You can read about "..10-minute delay in processing new blobs.." in "3-Minimizing latency" description. Microsoft says: ".....Use Event Grid instead of the Blob storage trigger for the following scenarios:" 1-Blob-only storage accounts: Blob-only storage accounts are supported for blob input and output bindings but not for blob triggers. 2-High-scale: High scale can be loosely defined as containers that have more than 100,000 blobs in them or storage accounts that have more than 100 blob updates per second. 3-Minimizing latency: If your function app is on the Consumption plan, there can be up to a ##10-minute delay in processing new blobs## if a function app has gone idle. To avoid this latency, you can switch to an App Service plan with Always On enabled. You can also use an Event Grid trigger with your Blob storage account. For an example, see the Event Grid tutorial.

Answer 4

Answer: B Correct answer must be B (applicationinitialization tag is way of implementing custom warm-up)

Answer 5

Answer: A I vote A, No, because for me the solution is updating the web.config file to include the applicationInitialization configuration element.

Answer 6

Answer: A Instead, use applicationInitialization

Answer 7

Answer: B Explanation: Not necessary to convert the account, instead move photo processing to an Azure Function triggered from the blob upload.

Answer 8

Answer: D Explanation: Windows Azure Web Sites (WAWS) offers 3 modes: Standard, Free, and Shared. Standard mode carries an enterprise-grade SLA (Service Level Agreement) of 99.9% monthly, even for sites with just one instance. Standard mode runs on dedicated instances, making it different from the other ways to buy Windows Azure Web Sites. Incorrect Answers: B: Shared and Free modes do not offer the scaling flexibility of Standard, and they have some important limits. Shared mode, just as the name states, also uses shared Compute resources, and also has a CPU limit. So, while neither Free nor Shared is likely to be the best choice for your production environment due to these limits.

Answer 9

Answer: A "230 seconds is the maximum amount of time[...] For longer processing times, consider using the DURABLE FUNCTIONS ASYNC PATTERN[...]"

Answer 10

Answer: A Yes, the solution meets the goal. By passing the HTTP trigger payload into an Azure Service Bus queue to be processed by a queue trigger function and returning an immediate HTTP success response, you can address the timeout issue and ensure that the blob data is processed without timing out.

Answer 11

Answer: B Explanation: Instead pass the HTTP trigger payload into an Azure Service Bus queue to be processed by a queue trigger function and return an immediate HTTP success response. Note: Large, long-running functions can cause unexpected timeout issues. General best practices include: Whenever possible, refactor large functions into smaller function sets that work together and return responses fast. For example, a webhook or HTTP trigger function might require an acknowledgment response within a certain time limit; it's common for webhooks to require an immediate response. You can pass the HTTP trigger payload into a queue to be processed by a queue trigger function. This approach lets you defer the actual work and return an immediate response.

Answer 12

Answer: B blob storage event doesn't guarantee an SLA. you cannot control the event arrival in less than a minute.

Answer 13

Answer: B Explanation: Change feed support in Azure Blob Storage The purpose of the change feed is to provide transaction logs of all the changes that occur to the blobs and the blob metadata in your storage account. The change feed provides ordered, guaranteed, durable, immutable, read-only log of these changes. Client applications can read these logs at any time, either in streaming or in batch mode. The change feed enables you to build efficient and scalable solutions that process change events that occur in your Blob Storage account at a low cost.

Answer 14

Answer: D The answer is D. Use an App Service plan. Configure the Function App to use an Azure Blob Storage trigger. Consumption plan can cause a 10-min delay in processing new blobs if a function app has gone idle. To avoid this latency, you can switch to an App Service plan with Always On enabled.

Answer 15

Answer: B,D Option B is correct because you can use the PreBuild target in the csproj file to execute a custom command or script before the project is built. This way, you can run the static content generation script and include the generated files in the project output. Option D is correct because you can use the .deployment file in the root of the repository to customize the deployment process and specify a custom deployment script. This way, you can run the static content generation script and deploy the website using the custom script.

Answer 16

Answer: B Answer should be "No". Consumption plan can take up to several minutes to trigger the function. "When your function app runs in the default Consumption plan, there may be a delay of up to several minutes between the blob being added or updated and the function being triggered. If you need low latency in your blob triggered functions, consider running your function app in an App Service plan."

Answer 17

Answer: B Should be YES? You can also customize the warm-up behavior with one or both of the following app settings: WEBSITE_SWAP_WARMUP_PING_PATH: The path to ping to warm up your site. Add this app setting by specifying a custom path that begins with a slash as the value. An example is /statuscheck. The default value is /. WEBSITE_SWAP_WARMUP_PING_STATUSES: Valid HTTP response codes for the warm-up operation. Add this app setting with a comma-separated list of HTTP codes. An example is 200,202 . If the returned status code isn't in the list, the warmup and swap operations are stopped. By default, all response codes are valid. WEBSITE_WARMUP_PATH: A relative path on the site that should be pinged whenever the site restarts (not only during slot swaps). Example values include /statuscheck or the root path, /.

Answer 18

Answer: AD Explanation: D: The ability to specify a host override is defined in the HTTP settings and can be applied to any back-end pool during rule creation. The ability to derive the host name from the IP or FQDN of the back-end pool members. HTTP settings also provide an option to dynamically pick the host name from a back-end pool member's FQDN if configured with the option to derive host name from an individual back-end pool member. A (not C): SSL termination and end to end SSL with multi-tenant services. In case of end to end SSL, trusted Azure services such as Azure App service web apps do not require whitelisting the backends in the application gateway. Therefore, there is no need to add any authentication certificates.

Answer 19

Answer: B Explanation: The change feed is a log of changes that are organized into hourly segments but appended to and updated every few minutes. These segments are created only when there are blob change events that occur in that hour. Instead catch the triggered event, so move the photo processing to an Azure Function triggered from the blob upload.

Answer 20

Answer: A "I would choose option A, Add the customer ID for the signed in user to the CorrelationContext in the web application. The CorrelationContext is a way to associate contextual information with a request as it flows through the system. It allows you to track a request as it passes through different components of the system, and to identify related log entries and telemetry data. By adding the customer ID to the CorrelationContext in the web application, you can ensure that it is associated with all operations throughout the overall system. This will allow you to track the request and identify related log entries and telemetry data for a specific customer.

Answer 21

Answer: B Explanation: Instead pass the HTTP trigger payload into an Azure Service Bus queue to be processed by a queue trigger function and return an immediate HTTP success response. Note: Large, long-running functions can cause unexpected timeout issues. General best practices include: Whenever possible, refactor large functions into smaller function sets that work together and return responses fast. For example, a webhook or HTTP trigger function might require an acknowledgment response within a certain time limit; it's common for webhooks to require an immediate response. You can pass the HTTP trigger payload into a queue to be processed by a queue trigger function. This approach lets you defer the actual work and return an immediate response.

Answer 22

Answer: A, D " Like orchestrator functions, entity functions are functions with a special trigger type, entity trigger." - u can not call Entity from Orchestrator... right answer is Orchestrator and Activity

Answer 23

Answer: A Explanation: Durable Functions is an extension of Azure Functions. You can use an orchestrator function to orchestrate the execution of other Durable functions within a function app. Orchestrator functions have the following characteristics: Orchestrator functions define function workflows using procedural code. No declarative schemas or designers are needed. Orchestrator functions can call other durable functions synchronously and asynchronously. Output from called functions can be reliably saved to local variables. Orchestrator functions are durable and reliable. Execution progress is automatically checkpointed when the function "awaits" or "yields". Local state is never lost when the process recycles or the VM reboots. Orchestrator functions can be long-running. The total lifespan of an orchestration instance can be seconds, days, months, or never-ending.

Answer 24

Answer: B,D I think it should B. CPU usage-based autoscaling D. Predictive autoscaling A. Recurrence profile is used to schedule the scaling of resources at specific times or dates, but it does not meet the requirement to scale up when divers are filling out the questionnaire and scale down after they are complete. It only triggers scaling based on a set schedule, not based on actual usage. C. Fixed date profile is used to specify the number of instances at a specific date and time, but it also does not meet the requirement to dynamically scale based on actual usage. It only sets a fixed number of instances and does not adjust based on changing workloads.

Answer 25

Answer: B Explanation: The archive access tier has the lowest storage cost. But it has higher data retrieval costs compared to the hot and cool tiers. Data in the archive tier can take several hours to retrieve depending on the priority of the rehydration. For small objects, a high priority rehydrate may retrieve the object from archive in under 1 hour.

Answer 26

Answer: A Partitions - 2000 per CU - Dedicated Plan - So we can have 2K+ partitions in Event Hub Size allowed - Yes

Answer 27

Answer: A Azure.Storage.Queues.QueueClient: .NET v12 Azure.Storage.Queues.CloudQueueClient: .NET v11 (Legacy) So, the question is really about what kind of queue message tool you should use. And the key word here is that "message must NOT persist after being processed". Azure.Storage.Queues.QueueClient supports "At-Most-Once" deliver mode, while Azure.Storage.Queues.CloudQueueClient doesn't.

Answer 28

Answer: C Explanation: Example: // Create a new instance of the Cosmos Client this.cosmosClient = new CosmosClient(EndpointUri, PrimaryKey) //ADD THIS PART TO YOUR CODE await this.CreateDatabaseAsync();

Answer 29

Answer: A Explanation: You can copy blobs, directories, and containers between storage accounts by using the AzCopy v10 command-line utility. The copy operation is synchronous so when the command returns, that indicates that all files have been copied.

Answer 30

Answer: D,E Explanation: You can form a partition key by concatenating multiple property values into a single artificial partitionKey property. These keys are referred to as synthetic keys. Another possible strategy to distribute the workload more evenly is to append a random number at the end of the partition key value. When you distribute items in this way, you can perform parallel write operations across partitions. Note: It's the best practice to have a partition key with many distinct values, such as hundreds or thousands. The goal is to distribute your data and workload evenly across the items associated with these partition key values. If such a property doesn’t exist in your data, you can construct a synthetic partition key.

Answer 31

Answer: A Explanation: To move a storage account, create a copy of your storage account in another region. Then, move your data to that account by using AzCopy, or another tool of your choice and finally, delete the resources in the source region. To get started, export, and then modify a Resource Manager template

Answer 32

Answer: D Explanation: Azure Cosmos DB supports two indexing modes: Consistent: The index is updated synchronously as you create, update or delete items. This means that the consistency of your read queries will be the consistency configured for the account. None: Indexing is disabled on the container.

Answer 33

Answer: A,C The goal is "You need to update the application to support multi-region writes", that is enable multi-region writes (bool, option C) and add the regions (option A) Then you have to apply the Conflict resolution policies.This can be LLW(default, not mentioned) or custom (option D). Hence : there is only ONE way to to support multi-region writes (both apply C AND A) and there are subsequently TWO ways to apply the Conflict resolution policies (@ SQL) to solve write, update and delete conflicts of which one is mentioned in the question (D). To support multi-region writes I would answer A and C , but they have to be set both, not one or the other.

Answer 34

Answer: A,D A. Configure a time-based retention policy for the storage account - A time-based retention policy stores blob data in a Write-Once, Read-Many (WORM) format for a specified interval. When a time-based retention policy is set, clients can create and read blobs, but can't modify or delete them. After the retention interval has expired, blobs can be deleted but not overwritten. D. Before you can apply a time-based retention policy to a blob version, you must enable support for version-level immutability.

Answer 35

Answer: CD Explanation: C: Multi-document transactions, Requirements Multi-document transactions are supported within an unsharded collection in API version 4.0. Multi-document transactions are not supported across collections or in sharded collections in 4.0. D: In Azure Cosmos DB for MongoDB, operations on a single document are atomic. Multidocument transactions enable applications to execute atomic operations across multiple documents. It offers "all-or-nothing" semantics to the operations. On commit, the changes made inside the transactions are persisted and if the transaction fails, all changes inside the transaction are discarded. Multi-document transactions follow ACID semantics: Atomicity: All operations treated as one Consistency: Data committed is valid Isolation: Isolated from other operations Durability: Transaction data is persisted when client is told so

Answer 36

Answer: B CosmosClient has to be created before you can do option A and C to create databases and execute requests. client = CosmosClient(endpoint, key) database_name = 'MyDatabase' database = client.create_database_if_not_exists(id=database_name) container_name = 'MyContainer' container = database.create_container_if_not_exists( id=container_name, partition_key=PartitionKey(path="/lastName"), offer_throughput=400 )

Answer 37

Answer: BD Explanation: The Append Block operation is permitted only for policies with the allowProtectedAppendWrites or allowProtectedAppendWritesAll property enabled. The AllowProtectedAppendWrites property setting allows for writing new blocks to an append blob while maintaining immutability protection and compliance. If this setting is enabled, you can create an append blob directly in the policy-protected container, and then continue to add new blocks of data to the end of the append blob with the Append Block operation. Only new blocks can be added; any existing blocks can't be modified or deleted. Enabling this setting doesn't affect the immutability behavior of block blobs or page blobs.

Answer 38

Answer: C Explanation: Azure Cosmos DB now provides a new RBAC role, Cosmos DB Operator. This new role lets you provision Azure Cosmos accounts, databases, and containers, but can’t access the keys that are required to access the data. This role is intended for use in scenarios where the ability to grant access to Azure Active Directory service principals to manage deployment operations for Cosmos DB is needed, including the account, database, and containers.

Answer 39

Answer: B Explanation: Instead in the Azure AD application’s manifest, set value of the groupMembershipClaims option to All. In the website, use the value of the groups claim from the JWT for the user to determine permissions.

Answer 40

Answer: A Explanation: To configure Manifest to include Group Claims in Auth Token 1. Go to Azure Active Directory to configure the Manifest. Click on Azure Active Directory, and go to App registrations to find your application: 2. Click on your application (or search for it if you have a lot of apps) and edit the Manifest by clicking on it. 3. Locate the “groupMembershipClaims” setting. Set its value to either “SecurityGroup” or “All”. To help you decide which:  “SecurityGroup” - groups claim will contain the identifiers of all security groups of which the user is a member.  “All” - groups claim will contain the identifiers of all security groups and all distribution lists of which the user is a member Now your application will include group claims in your manifest and you can use this fact in your code.

Answer 41

Answer:A The roles get assigned by AD groups, so the requirement "A user's Azure AD group membership must be used to determine the permission level" is met. This solution should be answered with "yes". This scenario has 2 solutions provided as the approach using the "groupMembershipClaims" is possible as well. That's OK as it says "Some question sets might have more than one correct solution, while others might not have a correct solution."

Answer 42

Answer: A,C As the API documentation only allows 3 options. It states: >>>> Authentication policies Authenticate with Basic - Authenticate with a backend service using Basic authentication. Authenticate with client certificate - Authenticate with a backend service using client certificates. Authenticate with managed identity - Authenticate with the managed identity for the API Management service.

Answer 43

Answer: A Because we have more than one App (Web App and other Function Apps) , So we agree it is going to be a managed identity but should I create one for each app or one for all apps? If I create system MI then there should be one for each App. If I create user MI then I can re-use it for any App I want with minimum change to AD

Answer 44

Answer: B Explanation: Instead use an Azure Key vault and public key encryption. Store the encrypted from in Azure Storage Blob storage.

Answer 45

Answer: C Explanation: Azure Active Directory Managed Service Identity (MSI) gives your code an automatically managed identity for authenticating to Azure services, so that you can keep credentials out of your code. Note: Use the authentication-managed-identity policy to authenticate with a backend service using the managed identity. This policy essentially uses the managed identity to obtain an access token from Azure Active Directory for accessing the specified resource. After successfully obtaining the token, the policy will set the value of the token in the Authorization header using the Bearer scheme. Incorrect Answers: A: Use the authentication-basic policy to authenticate with a backend service using Basic authentication. This policy effectively sets the HTTP Authorization header to the value corresponding to the credentials provided in the policy. B: Anonymous is no authentication at all. D: Your code needs credentials to authenticate to cloud services, but you want to limit the visibility of those credentials as much as possible. Ideally, they never appear on a developer’s workstation or get checked-in to source control. Azure Key Vault can store credentials securely so they aren’t in your code, but to retrieve them you need to authenticate to Azure Key Vault. To authenticate to Key Vault, you need a credential! A classic bootstrap problem.

Answer 46

Answer: B Explanation: Instead run the Invoke-RestMethod cmdlet to make a request to the local managed identity for Azure resources endpoint.

Answer 47

Answer: B Explanation: Microsoft Graph is a RESTful web API that enables you to access Microsoft Cloud service resources. Instead in the Azure AD application’s manifest, set value of the groupMembershipClaims option to All. In the website, use the value of the groups claim from the JWT for the user to determine permissions.

Answer 48

Answer: A Explanation: Get an access token using the VM's system-assigned managed identity and use it to call Azure Resource Manager You will need to use PowerShell in this portion. 1. In the portal, navigate to Virtual Machines and go to your Windows virtual machine and in the Overview, click Connect. 2. Enter in your Username and Password for which you added when you created the Windows VM. 3. Now that you have created a Remote Desktop Connection with the virtual machine, open PowerShell in the remote session. 4. Using the Invoke-WebRequest cmdlet, make a request to the local managed identity for Azure resources endpoint to get an access token for Azure Resource Manager. Example: $response = Invoke-WebRequest -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02- 01&resource=https://management.azure.com/' -Method GET -Headers @{Metadata="true"}

Answer 49

Answer: B Explanation: The Start-AzureStorageBlobCopy cmdlet starts to copy a blob. Example 1: Copy a named blob C:\PS>Start-AzureStorageBlobCopy -SrcBlob "ContosoPlanning2015" -DestContainer "ContosoArchives" -SrcContainer "ContosoUploads" This command starts the copy operation of the blob named ContosoPlanning2015 from the container named ContosoUploads to the container named ContosoArchives.

Answer 50

Answer: A Explanation: These formats are supported in the lists of paths to purge:  Single path purge: Purge individual assets by specifying the full path of the asset (without the protocol and domain), with the file extension, for example, /pictures/strasbourg.png;  Wildcard purge: Asterisk (*) may be used as a wildcard. Purge all folders, subfolders, and files under an endpoint with /* in the path or purge all subfolders and files under a specific folder by specifying the folder followed by /*, for example, /pictures/*.  Root domain purge: Purge the root of the endpoint with "/" in the path.

Answer 51

Answer: C Explanation: Use the authentication-managed-identity policy to authenticate with a backend service using the managed identity of the API Management service. This policy essentially uses the managed identity to obtain an access token from Azure Active Directory for accessing the specified resource. After successfully obtaining the token, the policy will set the value of the token in the Authorization header using the Bearer scheme.

Answer 52

Answer: D Explanation: Add the validate-jwt policy to validate the OAuth token for every incoming request. Incorrect Answers: A: The jsonp policy adds JSON with padding (JSONP) support to an operation or an API to allow cross-domain calls from JavaScript browser-based clients. JSONP is a method used in JavaScript programs to request data from a server in a different domain. JSONP bypasses the limitation enforced by most web browsers where access to web pages must be in the same domain. JSONP - Adds JSON with padding (JSONP) support to an operation or an API to allow crossdomain calls from JavaScript browser-based clients.

Answer 53

Answer: A,B To configure the Azure App Service REST API to retrieve and update user profile information stored in Azure Active Directory (Azure AD), you should use the following tools: A. Microsoft Graph API: The Microsoft Graph API allows you to interact with data in Azure AD, including retrieving and updating user profile information. B. Microsoft Authentication Library (MSAL): MSAL is used for handling authentication in your application. It helps you authenticate users and acquire access tokens, which are necessary when making requests to the Microsoft Graph API. Therefore, the correct answers are A (Microsoft Graph API) and B (Microsoft Authentication Library).

Answer 54

Answer: A,D There're two ways to create a SAS: (1). The "standard" way to generate a SAS token is to use the storage account key. (2). by using "managed identities" with a technique is called a "user delegation" SAS, and it allows you to sign the signature with Azure AD credentials instead of with the storage account key. This question is (2) hence A, D is correct

Answer 55

Answer: A Explanation: To give a managed identity access to an Azure resource, you need to add a role to the target resource for that identity. Note: To easily authenticate access to other resources that are protected by Azure Active Directory (Azure AD) without having to sign in and provide credentials or secrets, your logic app can use a managed identity (formerly known as Managed Service Identity or MSI). Azure manages this identity for you and helps secure your credentials because you don't have to provide or rotate secrets. If you set up your logic app to use the system-assigned identity or a manually created, userassigned identity, the function in your logic app can also use that same identity for authentication.

Answer 56

Answer: C,D C: "Because Azure Functions uses the change feed processor behind the scenes, it automatically parallelizes change processing across your container's partitions." D: "You can use the change feed pull model to consume the Azure Cosmos DB change feed at your own pace. Similar to the change feed processor, you can use the change feed pull model to parallelize the processing of changes across multiple change feed consumers."

Answer 57

Answer: B To validate the Azure AD request in the app code when using Twitter as the identity provider, you should validate the ID token signature (option B). The ID token is a JSON Web Token (JWT) that contains claims about the user. It is signed by Azure AD using a private key, and the signature can be verified using the corresponding public key. Validating the ID token signature ensures that the token was issued by a trusted source and that it has not been tampered with in transit. Option A, validating the ID token header, is not sufficient for validating the entire ID token. The header only contains metadata about the token, such as the algorithm used for signing. Option C, validating the HTTP response code, is unrelated to validating the ID token. Option D, validating the tenant ID, is important for ensuring that the app is only accepting tokens from a trusted Azure AD tenant, but it does not ensure the integrity of the token itself.

Answer 58

Answer: A A. Generate a shared access signature (SAS) for the Azure Blob storage account and provide the SAS to all developers. A shared access signature (SAS) is a secure token that can be used to grant temporary and revocable access to a blob container or individual blobs. You can specify an expiration time for the SAS, so it will automatically expire after the two-month time period, making the blob storage account no longer accessible to the developers. This approach allows you to grant the developers the necessary access to the Azure Blob storage account while still maintaining control over the access, and it also allows you to revoke access easily after the two-month time period.

Answer 59

Answer: B, C Explanation: B: MFA Enabled by conditional access policy. It is the most flexible means to enable two-step verification for your users. Enabling using conditional access policy only works for Azure MFA in the cloud and is a premium feature of Azure AD. C: Multi-Factor Authentication comes as part of the following offerings:  Azure Active Directory Premium licenses - Full featured use of Azure Multi-Factor Authentication Service (Cloud) or Azure Multi-Factor Authentication Server (Onpremises).  Multi-Factor Authentication for Office 365  Azure Active Directory Global Administrators

Answer 60

Answer: A Explanation: A service SAS is secured with the storage account key. A service SAS delegates access to a resource in only one of the Azure Storage services: Blob storage, Queue storage, Table storage, or Azure Files. Stored access policies give you the option to revoke permissions for a service SAS without having to regenerate the storage account keys. Incorrect Answers: B: Account SAS is specified at the account level. It is secured with the storage account key. C: A user delegation SAS applies to Blob storage only.

Answer 61

Answer: C Explanation: oid -The object identifier for the user in Azure AD. This value is the immutable and non-reusable identifier of the user. Use this value, not email, as a unique identifier for users; email addresses can change. If you use the Azure AD Graph API in your app, object ID is that value used to query profile information.

Answer 62

Answer: D Explanation: Add Key Vault secrets reference in the Function App configuration. Syntax: @Microsoft.KeyVault(SecretUri={copied identifier for the username secret})

Answer 63

Answer: A External collaboration settings let you specify what roles in your organization can invite external users for B2B collaboration. These settings also include options for allowing or blocking specific domains, and options for restricting what external guest users can see in your Azure AD directory. So, you use B2B external collaboration to invite guests into your Azure AD tenant. I vote for Custom Policies. Both Custom Policies and User Flows support external identity providers, but because of required custom in-house providers support, I'd choose Custom Policies over the User Flows

Answer 64

Answer: AE Explanation: A: Secure environment variables Another method (another than a secret volume) for providing sensitive information to containers (including Windows containers) is through the use of secure environment variables. E: Use a secret volume to supply sensitive information to the containers in a container group. The secret volume stores your secrets in files within the volume, accessible by the containers in the container group. By storing secrets in a secret volume, you can avoid adding sensitive data like SSH keys or database credentials to your application code.

Answer 65

Answer: A Explanation: Data Connect grants a more granular control and consent model: you can manage data, see who is accessing it, and request specific properties of an entity. This enhances the Microsoft Graph model, which grants or denies applications access to entire entities. Microsoft Graph Data Connect augments Microsoft Graph’s transactional model with an intelligent way to access rich data at scale. The data covers how workers communicate, collaborate, and manage their time across all the applications and services in Microsoft 365. Incorrect: Not B: The Microsoft Graph API is a RESTful web API that enables you to access Microsoft Cloud service resources. After you register your app and get authentication tokens for a user or service, you can make requests to the Microsoft Graph API. A simplistic definition of a Graph API is an API that models the data in terms of nodes and edges (objects and relationships) and allows the client to interact with multiple nodes in a single request. Not C: Microsoft Graph connectors, your organization can index third-party data so that it appears in Microsoft Search results. With Microsoft Graph connectors, your organization can index third-party data so that it appears in Microsoft Search results.

Answer 66

Answer: E Explanation: Microsoft identity platform and OAuth 2.0 authorization code flow, Request an authorization code https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize? The authorization code flow begins with the client directing the user to the /authorize endpoint. In this request, the client requests the openid, offline_access, and https://graph.microsoft.com/mail.read permissions from the user. Parameters include: * scope required A space-separated list of scopes that you want the user to consent to. For the /authorize leg of the request, this parameter can cover multiple resources. This value allows your app to get consent for multiple web APIs you want to call.

Answer 67

Answer: D Explanation: An Azure Function can be used with managed identity to rotate service principal keys. Then an app can use service principal keys to authenticate to Key Vault to check for new versions of the app secret. As long as it does so before the old secret expires it can successfully update its cache with the new secret allowing a smooth transition to the new version.

Answer 68

Answer: B Explanation: Encryption keys Customer-managed keys Before DEKs get stored in Azure Cosmos DB, they are wrapped by a customer-managed key (CMK). By controlling the wrapping and unwrapping of DEKs, CMKs effectively control the access to the data that's encrypted with their corresponding DEKs. CMK storage is designed as an extensible, with a default implementation that expects them to be stored in Azure Key Vault.

Answer 69

Answer: A,D You can use the Key Rotation Policy in Azure Key Vault combined with Event Grid to trigger sending notification when a secret in the key vault is about to expire.

Answer 70

Answer: B Explanation: Instead deploy and configure Azure Cache for Redis. Update the web applications.

Answer 71

Answer: B Share Session State Across Applications: While PostgreSQL can store session state, sharing session state across multiple ASP.NET applications is not its primary use case. It requires additional configuration and programming to handle session state management. Controlled, Concurrent Access for Multiple Readers and a Single Writer: PostgreSQL supports concurrent access, but managing this for session state data would require additional programming effort. Save Full HTTP Responses for Concurrent Requests: PostgreSQL is not designed for caching full HTTP responses. It is primarily a relational database for structured data, not a cache for HTTP responses.

Answer 72

Answer: A correct answer is A because it is the one that takes advantage of the swagger definition of the API

Answer 73

Answer: A, D Explanation: D: CorrelationId: Enables an application to specify a context for the message for the purposes of correlation; for example, reflecting the MessageId of a message that is being replied to. A: ReplyToSessionId: This value augments the ReplyTo information and specifies which SessionId should be set for the reply when sent to the reply entity. Incorrect Answers: B, E: DeliveryCount Number of deliveries that have been attempted for this message. The count is incremented when a message lock expires, or the message is explicitly abandoned by the receiver. This property is read-only. C, E: SequenceNumber The sequence number is a unique 64-bit integer assigned to a message as it is accepted and stored by the broker and functions as its true identifier. For partitioned entities, the topmost 16 bits reflect the partition identifier. Sequence numbers monotonically increase and are gapless. They roll over to 0 when the 48-64 bit range is exhausted. This property is read-only.

Answer 74

Answer: A The answer should be A. The error message shows that there is not enough connections, which means that the concurrency is too high. Too many instances are running parallel. So we have to reduce the concurrency of the app.

Answer 75

Answer: A Explanation: The session state provider for Azure Cache for Redis enables you to share session information between different instances of an ASP.NET web application. The same connection can be used by multiple concurrent threads. Redis supports both read and write operations. The output cache provider for Azure Cache for Redis enables you to save the HTTP responses generated by an ASP.NET web application.

Answer 76

Answer: B, C Explanation: There are three types of availability tests:  URL ping test: a simple test that you can create in the Azure portal.  Multi-step web test: A recording of a sequence of web requests, which can be played back to test more complex scenarios. Multi-step web tests are created in Visual Studio Enterprise and uploaded to the portal for execution.  Custom Track Availability Tests: If you decide to create a custom application to run availability tests, the TrackAvailability() method can be used to send the results to Application Insights.

Answer 77

Answer: B Explanation: You can create an Azure Function with TrackAvailability() that will run periodically according to the configuration given in TimerTrigger function with your own business logic. The results of this test will be sent to your Application Insights resource, where you will be able to query for and alert on the availability results data. This allows you to create customized tests similar to what you can do via Availability Monitoring in the portal. Customized tests will allow you to write more complex availability tests than is possible using the portal UI, monitor an app inside of your Azure VNET, change the endpoint address, or create an availability test even if this feature is not available in your region.

Answer 78

Answer: A,C Metrics will give you the uptime. Logs will give you the causes of the downtime. wrong B: Alerts are not required wrong D: Web tests has nothing to do with uptime.

Answer 79

Answer: BD Explanation: Example: public async Task Enqueue(string payload) { // StartOperation is a helper method that initializes the telemetry item // and allows correlation of this operation with its parent and children. var operation = telemetryClient.StartOperation("enqueue " + queueName); operation.Telemetry.Type = "Azure Service Bus"; operation.Telemetry.Data = "Enqueue " + queueName; var message = new BrokeredMessage(payload); // Service Bus queue allows the property bag to pass along with the message. // We will use them to pass our correlation identifiers (and other context) // to the consumer. message.Properties.Add("ParentId", operation.Telemetry.Id); message.Properties.Add("RootId", operation.Telemetry.Context.Operation.Id);

Answer 80

Answer: B, C Explanation: B: The allkeys-lru policy evict keys by trying to remove the less recently used (LRU) keys first, in order to make space for the new data added. Use the allkeys-lru policy when you expect a power-law distribution in the popularity of your requests, that is, you expect that a subset of elements will be accessed far more often than the rest. C: volatile-lru: evict keys by trying to remove the less recently used (LRU) keys first, but only among keys that have an expire set, in order to make space for the new data added. Note: The allkeys-lru policy is more memory efficient since there is no need to set an expire for the key to be evicted under memory pressure.

Answer 81

Answer: B Explanation: The log type AppServiceEnvironmentPlatformLogs handles the App Service Environment: scaling, configuration changes, and status logs. Incorrect: AppServiceAppLogs contains logs generated through your application. AppServiceAuditLogs logs generated when publishing users successfully log on via one of the App Service publishing protocols.

Answer 82

Answer: C Explanation: Live Metrics Stream Deploying the latest build can be an anxious experience. If there are any problems, you want to know about them right away, so that you can back out if necessary. Live Metrics Stream gives you key metrics with a latency of about one second. With Live Metrics Stream, you can: * Validate a fix while it's released, by watching performance and failure counts. * Etc.

Answer 83

Answer: A, C The key here is "In case of an Azure data center outage, metadata loss must be kept to a minimum." So the correct answer is AC.

Answer 84

Answer: A A. Add Azure Monitor alert processing rules to suppress notifications: Correct. This allows suppression of notifications during offline processing. B. Disable Azure Monitor Service Health Alerts during offline processing: Incorrect. This would stop all alerts, not just the ones related to offline processing. C. Create an Azure Monitor Metric Alert: Incorrect. This would still trigger alerts during offline processing. D. Build an Azure Monitor action group that suppresses the alerts: Incorrect. This requires additional configuration and may not specifically target the offline processing alerts.

Answer 85

Answer: B There must be a way to tell our redis that logged off users must not be prioritized. Sample: User A moves and then automatically logs-off. With allkeys-lru we can't distinguish this particularity. With volatile-lru we can tell our redis what are good candidates to be removed using different TTL values.

Answer 86

Answer: C Explanation: Exceptions in web applications can be reported with Application Insights. You can correlate failed requests with exceptions and other events on both the client and server so that you can quickly diagnose the causes. When an exception occurs, you can automatically collect a debug snapshot from your live web application. The debug snapshot shows the state of source code and variables at the moment the exception was thrown. The Snapshot Debugger in Azure Application Insights: Monitors system-generated logs from your web app. Collects snapshots on your top-throwing exceptions. Provides information you need to diagnose issues in production.

Answer 87

Answer: AB Explanation: The App Configuration .NET provider library supports updating configuration on demand without causing an application to restart. A: Request-driven configuration refresh The configuration refresh is triggered by the incoming requests to your web app. No refresh will occur if your app is idle. When your app is active, the App Configuration middleware monitors the sentinel key, or any other keys you registered for refreshing in the ConfigureRefresh call. The middleware is triggered upon every incoming request to your app. However, the middleware will only send requests to check the value in App Configuration when the cache expiration time you set has passed. B, not C: The SetCacheExpiration method specifies the minimum time that must elapse before a new request is made to App Configuration to check for any configuration changes. Default expiration time is 30 seconds. Adjust to a higher value if you need to reduce the number of requests made to your App Configuration store.

Answer 88

Answer: B, D, E Gotta enable App Insights. Always On can solve the performance issues. Profiler can help find performance issues. You can eliminate Premium upgrade because it says minimize costs, snapshot debugger is for debugging exceptions and has nothing to do with performance issues, restarting app impacts users and it says minimize impact.

Answer 89

Answer: A A. Authorization - Correct The Authorization header is used to authenticate the client/user in the application by including authorization credentials. It’s crucial for protecting the Azure function against misconfigured invocations. B. WebHook-Request-Callback - Incorrect The WebHook-Request-Callback is not a standard HTTP header and it’s not typically used for authorization or protection against misconfigured invocations. C. Resource - Incorrect The Resource is not a standard HTTP header and it’s not typically used for authorization or protection against misconfigured invocations. D. WebHook-Request-Origin - Incorrect The WebHook-Request-Origin is not a standard HTTP header and it’s not typically used for authorization or protection against misconfigured invocations.

Answer 90

Answer: B Explanation: - topics allows multiple subscribers, and here we need to process each event once - correlation filter is for subscriptions, not topics - even when assuming there is typo in the question and correlation filter is defined on the subscription level - it still is not a valid solution, because new stores can be opened in the future with many new device identifiers which you can't know in advance. Besides that filter make no sense in this scenario whatsoever, you just need to save data in storage account and basically partition it by device identifier.

Answer 91

Answer: B Sensors do not send events, they send messages containing specific data that has been gathered. This makes automatically the solution incorrect, because you need a Service Bus to collect them. Event Grids and Event Hubs won't do the job here.

Answer 92

Answer: B Azure Queue doesn't support FIFO!

Answer 93

Answer: A, B Queue Storage does not provide transactional support and Event Hub can't be configured to store events for infinite time.

Answer 94

Answer: AC Explanation: It is strongly recommended to use available messaging products and services that support a publish-subscribe model, rather than building your own. In Azure, consider using Service Bus or Event Grid. Other technologies that can be used for pub/sub messaging include Redis, RabbitMQ, and Apache Kafka

Answer 95

Answer: D Explanation: Using topic client, call RegisterMessageHandler which is used to receive messages continuously from the entity. It registers a message handler and begins a new thread to receive messages. This handler is waited on every time a new message is received by the receiver. subscriptionClient.RegisterMessageHandler(ReceiveMessagesAsync, messageHandlerOptions);

Answer 96

Answer: B Explanation: Don’t use a VM, instead create an Azure Function App that uses an Azure Service Bus Queue trigger.

Answer 97

Answer: B Queue size must not grow larger than 80 gigabytes (GB) - yes that's fine Use first-in-first-out (FIFO) ordering of messages. - yes, you can get it with service bus Minimize Azure costs & Create an Azure Windows VM that is triggered from Azure Service Bus Queue - Firstly there's nothing like an AzureVM triggering, but Azure Functions triggering instead. Secondly - using vm with queue is more expensive, but of course it depends on multiple factors.

Answer 98

Answer: C Explanation: For relational data you will need the SQL API Incorrect Answers: A: The MongoDB API is not used for relational data. B: The Table API only supports data in the key/value format D: The Cassandra API only supports OLTP (Online Transactional Processing) and not batch processing.

Answer 99

Answer: C Use Service Bus when your solution requires transactional behavior and atomicity when sending or receiving multiple messages from a queue.

Answer 100

Answer: A Explanation: You can create a function that is triggered when messages are submitted to an Azure Storage queue.

Answer 101

Answer: B Explanation: Instead use an Azure Service Bus, which is used order processing and financial transactions.

Answer 102

Answer: A Explanation: Event Hubs enables granular control over event publishers through publisher policies. Publisher policies are run-time features designed to facilitate large numbers of independent event publishers. With publisher policies, each publisher uses its own unique identifier when publishing events to an event hub. Incorrect: Not C: An Event Hubs namespace is a management container for event hubs (or topics, in Kafka parlance). It provides DNS-integrated network endpoints and a range of access control and network integration management features such as IP filtering, virtual network service endpoint, and Private Link.

Answer 103

Answer: BD

Answer 104

Answer: C,D,E The first and second case are fairly straight forward to handle. Try to open the connection again. When you succeed, the transient error has been mitigated by the system. You can use your Azure Database for MySQL again. We recommend having waits before retrying the connection. Back off if the initial retries fail. This way the system can use all resources available to overcome the error situation. A good pattern to follow is: Wait for 5 seconds before your first retry. For each following retry, the increase the wait exponentially, up to 60 seconds. Set a max number of retries at which point your application considers the operation failed.

Answer 105

Answer: A "When a user redeems a one-time passcode and later obtains an MSA, Azure AD account, or other federated account, they'll continue to be authenticated using a one-time passcode. If you want to update the user's authentication method, you can reset their redemption status."